Document History
| Version | Year | Description | Effective Date |
|---|---|---|---|
| 1.0 | 2025 | Data Protection and Privacy Policy | 01 DEC 2025 |
1.0 INTRODUCTION
1.1 Boss Credit Ltd is a private limited company incorporated in Kenya (hereinafter referred to as “the Company”). Boss Credit Ltd offers short-term salary loans and related financial services to employed individuals who meet the Company’s eligibility criteria.
1.2 The Company is committed to complying with the Kenya Data Protection Act, 2019, the Data Protection (General) Regulations, 2021, and all other applicable laws and regulatory guidelines. This policy outlines how Boss Credit Ltd collects, uses, stores, and protects personal data belonging to its customers and stakeholders.
2.0 DEFINITIONS
Data Subject: Any identified or identifiable individual whose personal data is collected or processed by Boss Credit Ltd.
Data Controller: Boss Credit Ltd, responsible for determining the purpose and means of processing personal data.
Data Processor: Any entity or individual engaged by Boss Credit Ltd to process personal data on its behalf.
Personal Data: Any information relating to an identified or identifiable natural person, including contact details, identification details, employment and financial information.
Consent: A clear and informed agreement by the data subject allowing the Company to process their personal data.
Legitimate Interest: A lawful basis for processing data when Boss Credit Ltd has a valid business, regulatory, or operational reason that does not compromise the data subject’s rights.
Services: Loan products and related financial services provided by Boss Credit Ltd.
Performance of Contract: Processing necessary to fulfill the obligations of a loan agreement or related services requested by the data subject.
3.0 PURPOSE
This policy outlines how Boss Credit Ltd protects personal data from misuse, unauthorized access, loss, destruction, or modification, in line with the Data Protection Act, 2019.
4.0 SCOPE
This policy applies to all employees, customers, partners, suppliers, agents, and any other individuals or entities that interact with Boss Credit Ltd and whose data is processed by the Company.
5.0 GUIDING PRINCIPLES
Lawful Purpose: Data shall only be collected and processed for a valid reason.
Data Minimization: Data collected must be relevant and limited to what is necessary.
Accuracy: The Company will strive to maintain accurate and up-to-date data.
Archiving/Removal: Personal data shall not be retained longer than necessary.
Security: Adequate measures will be implemented to safeguard personal data.
6.0 HOW DATA IS COLLECTED
Boss Credit Ltd collects personal information through:
- Loan applications and customer onboarding forms
- Information submitted through questionnaires, surveys, or promotions
- Customer support interactions, call logs, and complaint records
- Social media interactions on Boss Credit Ltd–managed platforms
- Official documents including IDs, payslips, bank statements, and letters of authorization
- Information from Credit Reference Bureaus (CRBs), anti-fraud databases, and regulatory registers
- Information gathered during physical visits to company premises
- Data collected by sales agents during onboarding
- Digital tracking tools such as cookies, IP logs, analytics, and website interaction data
- Anti-money laundering screenings
- Data from partner banks, payment providers, and collections agents
7.0 WHAT DATA IS COLLECTED
The Company may collect:
- Name, phone number, email, address, date of birth, ID number, KRA PIN, and other identifiers
- Financial information such as bank statements and mobile money transaction records
- Employment details including employer, job title, and salary information
- Next of Kin information
- Credit history and credit scores from CRBs
- Call logs, messages, and interaction records
- Transaction records including repayments and loan activities
- Digital identifiers such as IP addresses, device information, and location data
8.0 SPECIFIC USE OF THE DATA COLLECTED
Personal data is used for:
- Processing loan applications and service requests
- Verifying customer identity in line with regulatory requirements
- Credit scoring, credit checks, and risk assessments
- Managing loan accounts, repayments, and communication
- Customer support and resolving complaints
- Compliance with legal, tax, and regulatory obligations
- Improving service delivery, training, and quality control
- Fraud detection, prevention, and debt recovery
- Market research, analysis, and service improvement
- Marketing communications (customers may opt out at any time)
- Running and managing digital platforms and systems
- Providing anonymized datasets for research and statistical reporting
9.0 LAWFUL BASIS FOR PROCESSING CUSTOMER INFORMATION
- Consent
- Performance of Contract
- Legal Obligation
- Vital Interest
- Public Interest
- Legitimate Interest
10.0 DISCLOSURE OF DATA
10.1 Boss Credit Ltd respects the confidentiality of customer data.
10.2 Any disclosure shall comply with the Data Protection Act, 2019.
10.3 Consent:
The Company will obtain explicit consent before sharing personal data unless disclosure is legally required.
10.4 Third-party disclosures may include:
- Regulators, courts, and law-enforcement agencies
- Business partners, payment processors, and IT service providers
- Fraud prevention and AML agencies
- Credit Reference Bureaus
- Debt recovery agencies
- Survey and research organizations
- Any party required for legitimate and lawful business purposes
10.5 The Company will not disclose data to any party acting outside its legal mandate.
10.6 Marketing:
Customers may receive marketing updates, and they may opt out at any time.
11.0 DATA RETENTION
- Personal data will be retained for seven (7) years from the end of the customer relationship unless a longer period is required by law.
- Anonymized data may be stored indefinitely.
12.0 CUSTOMER ACCESS TO OWN DATA
Customers may:
- Request correction of inaccurate data
- Request details of personal data held by Boss Credit Ltd
- Submit requests through official communication channels
Verification may be required before processing requests.
13.0 DATA SECURITY MEASURES
13.1 Boss Credit Ltd implements security controls including:
- Physical access restrictions
- Data encryption
- Regular data backups
- Secure data disposal procedures
- Malware protection and system hardening
- Access controls, MFA, and password policies
- Logging and monitoring of system activity
- Network security measures
- Third-party risk assessments
- Employee training and disciplinary procedures for non-compliance
- Vulnerability scanning and patch management
- Change management procedures
- Incident detection, response, and reporting processes
- Compliance reviews and audits
- Risk assessments and control evaluations
13.2 Suspected data breaches will be reported to affected customers and regulators when required.
14.0 TRANSFER OF CUSTOMER DATA OUTSIDE KENYA
14.1 Data may be transferred outside Kenya when necessary for service delivery.
14.2 Customers consent to such transfers by using the Company’s services.
14.3 Adequate safeguards will be implemented for all cross-border transfers.
14.4 Customers may request details of these safeguards from the Compliance Office.
15.0 CUSTOMER DATA RIGHTS
Customers have the right to:
- Be informed of personal data collection
- Access their personal data
- Request correction of inaccurate data
- Request deletion of their data (subject to legal exceptions)
- Object to processing
- Withdraw consent
- Request restricted processing
Requests may require identity verification.
16.0 COMPLAINTS HANDLING
16.1 Customers may lodge complaints with the Office of the Data Protection Commissioner (ODPC).
16.2 Boss Credit Ltd will also attempt to resolve complaints internally through:
- Complaint submission via email, phone, or in writing
- Acknowledgment within 1 business day
- Review and investigation by a trained officer
- Regular updates during the investigation
- Resolution communication and corrective action (if applicable)
17.0 CONSEQUENCES OF BREACH
Employees, agents, or partners who breach this policy may face disciplinary action, termination of contract, or legal consequences.
18.0 CUSTODIANSHIP
The Compliance Officer is responsible for overseeing the implementation and maintenance of this Privacy Policy.
19.0 REVIEW
This policy will be reviewed annually or earlier if necessitated by regulatory or operational changes.
20.0 APPROVAL
Approved by:
Boss Credit Ltd Management
Version 1.0 – Effective 1st December 2025