The Actuarial Society of Kenya

Privacy Policy

Version 2 · effective 2 June 2026

Refreshed to align with the Kenya Data Protection Act, with explicit subject-rights, retention, and provider list. Replaces the placeholder v1.

# Privacy Policy

_Effective 23 May 2026 · The Actuarial Society of Kenya_

This Privacy Policy explains what personal data we collect through the membership platform, why we collect it, who we share it with, and the rights you have under the **Data Protection Act, 2019 (Kenya)**.

## 1. Data controller

The Actuarial Society of Kenya is the controller of your personal data. The Secretariat operates the platform on the Society's behalf.

## 2. What we collect

We collect only what we need to run the Society:

- **Identity** — name, date of birth, gender (optional), nationality, ID/passport last four (if you upload a verification document).
- **Contact** — email, phone, postal address.
- **Professional** — membership category, qualifications, employer, role, CPD records.
- **Financial** — renewal/booking/donation records and provider references. **We do not store card numbers**; Pesapal handles them under PCI-DSS.
- **Behavioural** — sign-in IP, user-agent, page-view timestamps for security and audit purposes.
- **Communications** — every email/SMS/in-app we send you, retained for audit.

## 3. Why we use it

- Administering your membership, renewals, and CPD compliance.
- Running events, ballots, and the directory.
- Issuing letters, certificates, and reports.
- Securing the platform and investigating abuse.
- Meeting our legal obligations (tax, audit, regulator requests).

The lawful basis is **contract** (clauses 1–3 above), **legal obligation** (clause 4), and **legitimate interests** in keeping the Society running (clause 5). Where we rely on consent (e.g. marketing emails), you can withdraw it at any time from **Preferences → Notifications**.

## 4. Who we share it with

- **Other members** — only fields you mark public on your profile. Directory defaults to *members-only*.
- **Service providers** — payment processors (Safaricom, Pesapal), email and SMS delivery (SMTP relay, Africa's Talking), document storage (MinIO operated by the Society), error monitoring (Sentry, where enabled). Each is bound by a data-processing agreement.
- **Regulators / law enforcement** — only on a valid request and only what's strictly required.

We do not sell personal data, ever.

## 5. International transfers

Service providers may process limited data outside Kenya (e.g. Sentry in the EU). We rely on the providers' compliance with equivalent standards and limit transfers to operational metadata, not member content.

## 6. Retention

- **Active members** — retained for the duration of membership.
- **Resigned / deleted accounts** — anonymised within 14 days of the deletion request. CPD records, audit log, consent log, and financial history are kept for seven (7) years as required by law.
- **Application drafts** — kept for 90 days then purged if not submitted.

## 7. Your rights

Under the Data Protection Act you can:

- **Access** — request a copy of the data we hold about you.
- **Correct** — update inaccuracies via **Profile** or by opening a support ticket.
- **Delete** — initiate from **Security → Delete my account** or write to the Secretariat. Statutory retention overrides where it applies.
- **Object** — to processing for marketing at any time.
- **Withdraw consent** — without affecting the lawfulness of past processing.
- **Lodge a complaint** — with the Office of the Data Protection Commissioner (`odpc.go.ke`).

We respond within thirty (30) days.

## 8. Cookies

We use only the minimum cookies needed for sign-in (a single httpOnly refresh cookie) and your theme/preferences (localStorage). We do not run third-party advertising or tracking cookies.

## 9. Security

The platform is hosted on infrastructure managed by the Society. Connections are TLS-only; passwords are hashed with Argon2id and a server-side pepper; sessions can be revoked from the Security tab; we maintain a security log and run an annual review.

## 10. Contact

Data Protection enquiries — `dpo@actuarieskenya.or.ke` (forwarded to the Secretariat).