Privacy Policy
ALTUM CAPITAL Loan Management Platform
This Privacy Policy describes how Altum Capital ("we", "us", or the "Operator") collects, uses, stores, and protects personal data in connection with the Altum Capital loan management platform (the "Platform").
We are committed to processing personal data responsibly and in full compliance with the Kenya Data Protection Act 2019 (No. 24 of 2019) ("DPA 2019"), its implementing Regulations, and any guidance issued by the Office of the Data Protection Commissioner ("ODPC").
By accessing the Platform, registering as a borrower, or being processed as a client by an agent, you acknowledge that your personal data will be handled as described in this Policy. If you do not agree, you may exercise your rights as set out in Section 9 below.
The data controller responsible for personal data processed through this Platform is:
Agents who access the Platform to register clients and manage loans act as authorised data processors on behalf of the Operator. Agents have their own obligations under Section 19 of the DPA 2019 and are contractually required to comply with this Policy.
We collect only the data that is adequate, relevant, and limited to what is necessary for the loan management purpose (DPA 2019, Section 25(d)).
We do not intentionally collect sensitive personal data categories (e.g., health data, biometric data, religious or political beliefs) as defined under Section 2 of the DPA 2019.
We rely on the following lawful bases for processing personal data (DPA 2019, Section 30):
| Processing Activity | Legal Basis | DPA 2019 Reference |
|---|---|---|
| Registering a borrower and processing their loan application | Explicit consent of the data subject | Section 30(a) |
| Assessing creditworthiness and loan eligibility | Performance of a contract to which the data subject is party | Section 30(b) |
| Tracking daily repayments and loan balances | Performance of a contract | Section 30(b) |
| Maintaining audit logs and records of platform activity | Compliance with a legal obligation; legitimate interests | Section 30(c), 30(f) |
| Recovering outstanding loan balances from defaulters | Legitimate interests of the Operator (debt recovery) | Section 30(f) |
| Communicating repayment reminders to borrowers | Consent; performance of contract | Section 30(a), 30(b) |
Where consent is relied upon, it is obtained through the mandatory DPA declaration checkboxes in the loan application workflow. Consent may be withdrawn at any time, subject to the limitations described in Section 9.
Personal data is used only for the specific purposes for which it was collected (DPA 2019, Section 25(c)). These include:
We will not use personal data for marketing, profiling, or any purpose incompatible with the original purpose of collection without obtaining fresh consent.
We do not sell, rent, or trade personal data. Data may be shared only in the following limited circumstances:
Agents can access only the data of clients and loans they personally registered. Administrators have access to all records for oversight and compliance purposes. Strict role-based access controls enforce this separation.
We may disclose personal data to competent authorities (including the ODPC, courts, or law enforcement agencies) where required by law, court order, or regulatory obligation. We will inform the data subject of such disclosure where legally permissible.
Where third-party technical service providers (e.g., hosting providers) process data on our behalf, appropriate data processing agreements are required under Section 19(3) of the DPA 2019. Such providers are contractually prohibited from using data for any purpose other than providing the contracted service.
In cases of default, data may be shared with authorised debt recovery agents to the minimum extent necessary to recover outstanding balances. Data subjects will be informed where required by law.
We retain personal data only for as long as is reasonably necessary to fulfil the purposes for which it was collected, or as required by law (DPA 2019, Section 39).
| Data Category | Retention Period | Basis |
|---|---|---|
| Loan application and repayment records | 7 years from loan closure | Legal/financial record-keeping requirements |
| Identity documents (National ID copies, contracts) | 7 years from loan closure | Legal obligation; fraud prevention |
| Audit log entries | 5 years | Regulatory compliance; dispute resolution |
| Agent account data | 3 years after account deactivation | Legitimate interests; regulatory compliance |
| Session data | Duration of browser session only | Technical necessity |
Upon expiry of the applicable retention period, data is securely deleted or anonymised. Requests for early deletion are handled under Section 9.5 below, subject to overriding legal obligations.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction (DPA 2019, Section 41). These include:
While we take reasonable precautions, no digital platform can guarantee absolute security. In the event of a personal data breach that poses a real risk of harm, we will notify the ODPC within 72 hours and affected data subjects within a reasonably practical period, as required under the DPA 2019 and Regulation 26 of the Data Protection (General) Regulations 2021.
"Every data controller or data processor shall implement appropriate technical and organisational measures… designed to implement the data protection principles in an effective manner." — DPA 2019, Section 41
Under Section 26 of the DPA 2019, every data subject has the following rights:
You have the right to be informed of the use to which your personal data will be put before or at the time of collection. This is fulfilled through this Policy and the agent's DPA declaration at point of loan application.
You may request a copy of the personal data we hold about you. We will respond within 21 days of receiving a valid request.
You have the right to request correction of inaccurate, out-of-date, incomplete, misleading, or unlawfully obtained personal data.
You may object to the processing of all or part of your personal data. Where the sole basis for processing is consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
You may request deletion of personal data that we are no longer authorised to retain. Note that we may be legally required to retain certain records (e.g., loan records for 7 years under financial regulations) and cannot delete data that is subject to an overriding legal obligation.
You have the right not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects you (DPA 2019, Section 35). Where automated tools assist loan assessments, a human agent or administrator reviews and makes the final decision.
To exercise any of the above rights, please submit a request through our Data Subject Rights Portal or contact us directly at [email protected]. We will acknowledge your request within 7 days and respond fully within 21 days. If you are dissatisfied with our response, you have the right to lodge a complaint with the ODPC at www.odpc.go.ke.
This Platform uses automated tools to assist loan calculations (interest, daily instalments, repayment schedules) and to display missed payment indicators. However, all decisions to approve or reject loan applications are made by a human administrator. No automated decision-making system produces legally binding outcomes without human review.
If we introduce purely automated credit decision systems in the future, we will update this Policy and comply with Section 35 of the DPA 2019, including providing data subjects with the right to request human review of any automated decision.
This Platform is intended for use within Kenya. Personal data is stored on systems that may be hosted by third-party cloud providers whose infrastructure may be located outside Kenya. Where data is transferred outside Kenya, we ensure that:
Sensitive personal data (including National ID copies and signed loan contracts) will not be transferred to countries without adequate protection without the explicit consent of the data subject.
This Platform uses browser session storage (not persistent cookies) to maintain login sessions. Session data is automatically deleted when the browser tab or window is closed. No tracking cookies, advertising cookies, or third-party analytics cookies are used.
CDN-hosted resources (fonts, icons) may result in requests to third-party servers; these services have their own privacy policies and we do not control the data they collect.
This Platform is intended for adults aged 18 and over. We do not knowingly collect personal data from persons under 18 years of age. Loan agreements are legally binding contracts that require legal capacity, which minors in Kenya generally do not possess. If we become aware that a child's data has been collected without appropriate parental or guardian consent, we will take prompt steps to delete that data.
Agents who access this Platform are authorised data processors acting on behalf of the Operator. Each agent bears independent legal obligations under the DPA 2019 with respect to data they personally collect and handle. Specifically, agents must:
The Operator implements reasonable technical controls and audit mechanisms to support compliance but cannot guarantee compliance where agents act outside the scope of their authority or in deliberate violation of this Policy.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or ODPC guidance. Material changes will be communicated to users by posting a prominent notice on the Platform. Continued use of the Platform after the effective date of any update constitutes acceptance of the revised Policy.
For any questions, concerns, or requests relating to this Policy or to the processing of your personal data, please contact:
If you believe your data protection rights have been violated and you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):