PRIVACY POLICY

1. Important Information and Who We Are

Last updated: May 30th, 2023.

Please read this Privacy Policy (“Privacy Policy”) carefully before using the https://www.teleeza.africa website (the “Service”) operated by Teleeza Africa Limited of Post Office Box Number 2270 - 00621 Nairobi, Kenya.

Purpose of this Privacy Policy

This Privacy Policy aims to give you information on how Teleeza collects and processes your personal data through your use of this website, including any data you may provide through this website when you use the app.

This app is not intended for use by children, and we do not knowingly collect data relating to children.

It is important that you read this Privacy Policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

Controller

Teleeza Africa Limited (“Teleeza”, “we”, “us” or “our”) is the controller and responsible for your personal data.

We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise data protection rights, please contact the data privacy manager using the details set out below.

Contact Details

If you have any questions about this Privacy Policy or our privacy practices, please contact our data privacy manager in the following ways:

Full name of legal entity: Teleeza Africa Limited

Email address: support@teleeza.africa, info@teleeza.africa

Telephone No: (+254) 706 122 122, (+254) 714 627 627

Changes to the Privacy Policy and your Duty to Inform us of Changes

We keep our privacy policy under regular review and we shall send you updated versions as and when changes are made.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third-party Links

This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

2. The Data we Collect About You

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymized or pseudonymized data).

We may collect, use, store, and transfer different kinds of personal data about you, which we have grouped together as follows:

- Identity Data includes first name, last name, username, or similar identifier, marital status, title, date of birth, and gender.

- Contact Data includes email address and telephone numbers.

- Transaction Data includes details about payments, including details received from making a reward payment to you.

- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

- Profile Data includes your username and password, your interests, preferences, feedback, and survey responses you have provided to Teleeza.

- Usage Data includes information about how you use the application and our services.

- Marketing and Information Communications Data includes your preferences in receiving marketing information from us and our third parties and your communication preferences.

- Partners include but are not limited to the Teleeza World partners, i.e., Zuri Health and Turaco:

  - My Wallets are Powered by the respective providers, e.g., Vuma, M-Pesa, Airtel Money, etc.

  - Daktari Mkononi is Powered by Zuri Health.

  - Bima is Powered by Turaco.

We also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity.

If You Fail to Provide Personal Data

Where we need to collect personal data by law or under the terms of a contract we have with you, and you fail to provide that data when requested, we may have to disallow or discontinue your use of the Teleeza App or access to the Teleeza website.

How is Your Personal Data Collected?

We use different methods to collect data from and about you, including through:

- Direct interactions. You may give us your Identity, Contact, and Financial Data by filling in forms or by corresponding with us. This includes personal data you provide when you:

- create an account on our application or website;

- subscribe to our services;

- request marketing to be sent to you;

- enter a competition, promotion, or survey; or

- give us feedback or contact us.

- Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, server logs, and other similar mechanisms.

We may also receive Technical Data about you if you visit other websites employing our cookies.

- Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:

Technical Data from the following parties:

(a) analytics providers;

(b) advertising networks;

(c) search information providers.

- Contact, Financial and Transaction Data from providers of technical, payment and delivery services.

- Identity and Contact Data from data brokers or aggregators.

- Identity and Contact Data from publicly available sources.

4. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

- Where we need to enable your use of the Teleeza App or Website and our service delivery.

- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

- Where we need to comply with a legal obligation.

For a better understanding of these terms, please see the glossary of terms below.

Purposes for Which we Will use Your Personal Data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

5. How We Use your Passport Size photo Image

We only use your passport size photo image, uploaded either as a selfie or gallery image, to display in the settings section of the Teleeza App.

The same image is used to display in the today's top performers section of Teleeza World.

Purpose/Activity | Type of data | Lawful basis for processing, including basis of legitimate interest

Purpose/Activity: To register you as a user
Type of data: (a) Identity; (b) National identity card particulars; (c) Contact
Lawful basis: Enabling our service delivery

Purpose/Activity: To process and deliver your order, including: (a) managing payments; (b) collecting and recovering money owed to us; (c) making or processing reward payments
Type of data: (a) Identity; (b) Contact; (c) Financial; (d) Transaction; (e) Marketing and Communications
Lawful basis: (a) Enabling our service delivery; (b) Necessary for our legitimate interests (to recover debts due to us)

Purpose/Activity: To manage our relationship with you, which will include: (a) notifying you about changes to our terms or privacy policy; (b) asking you to leave a review or take a survey
Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Marketing and Communications
Lawful basis: (a) Enabling our service delivery; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

Purpose/Activity: To enable you to partake in a prize draw or competition, or to complete a survey
Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications
Lawful basis: (a) Enabling our service delivery; (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

Purpose/Activity: To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
Type of data: (a) Identity; (b) Contact; (c) Technical
Lawful basis: (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise); (b) Necessary to comply with a legal obligation

Purpose/Activity: To deliver relevant content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications; (f) Technical
Lawful basis: Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

Purpose/Activity: To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
Type of data: (a) Technical; (b) Usage
Lawful basis: Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)

Purpose/Activity: To make suggestions and recommendations to you about goods or services that may be of interest to you
Type of data: (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Profile; (f) Marketing and Communications
Lawful basis: Necessary for our legitimate interests (to develop our products/services and grow our business)

Promotional Offers from Us and Third-Party partners

We may use your Identity, Contact, Technical, Usage, and Profile Data to form a view on what we think you may want or need, or what may be of interest to you both from us and our third-party partners. This is how we decide which products, services, and offers may be relevant for you.

Cookies

You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that the Teleeza App or Website may not function properly.

Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data Retention

How long will you use my personal data for?

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period if required by law, in the event of a complaint, or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances we will anonymize or pseudonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data.

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above please contact us through support@teleeza.africa or info@teleeza.africa.

No Fee Usually Required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Glossary of Terms

LAWFUL BASIS

Enabling our service delivery means processing your data where it is necessary for the performance of the Teleeza App and Website and delivery of the Teleeza services and user experience.

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

My Wallets

This Privacy Policy has been compiled to better serve those who are concerned with how their "Personally Identifiable Information" (PII) is being used online. PII, as described in Kenya Privacy law and information security, is information that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your Personally Identifiable Information in accordance with our website.

This statement applies to all customers, suppliers, agents, merchants, dealers, and all visitors frequenting any of My Wallet's services.

Reference to:

Definitions

"You", "Your" means:

"we" or "us", "our" and "ours" means the Respective Providers.

The word "includes" means that what follows is not necessarily exhaustive and therefore the examples given are not the only things or situations included in the meaning or explanation of that text.

What personal information do we collect from the people that visit our website or app?

When ordering or registering on our site, as appropriate, you may be asked to enter your name, email address, phone number, or other details to help you with your experience.

Your transaction information when you use our My Wallets Powered by the respective providers.

Your preferences for a particular service, based on information provided by you or from your use of My Wallet Powered by Respective Provider (or third-party) services.

Your contact with us, such as when you: call us or interact with us through social media, our webchat, and email (we may record your conversations, social media or other interactions with us).

When do we collect information?

We collect information from you when you register on our site, fill out a form, or enter information on our site.

How do we use your information?

We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:

How do we protect your information?

We do not use vulnerability scanning and/or scanning to PCI standards. We only provide articles and information. We never ask for credit card numbers. We use regular malware scanning.

Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems and are required to keep the information confidential. In addition, all sensitive information you supply is encrypted via Secure Socket Layer (SSL) technology.

We implement a variety of security measures when a user enters, submits, or accesses their information to maintain the safety of your personal information. For your convenience, we may keep your personal and crucial information for more than 60 days in order to automate the process.

We aim to collect only what we need, keep it up-to-date, and remove it when we no longer need it.

We take reasonable steps to ensure that the personal information we process is limited to what we require in connection with the purposes set out in this Policy; it is accurate and, where necessary, kept up to date; and it is erased or rectified without delay if it is inaccurate. From time to time, we may ask you to confirm the accuracy of your personal information.

For some of our online services, you can review or update certain account information by logging in and accessing the "Client Center" or a similar user profile section. If you cannot change the incorrect information online, or you prefer to request changes offline, please contact your Respective My Wallets Provider's agent using the contact information listed on your account statements, records, or other account materials.

We will retain copies in a form that permits identification for as long as we deem necessary in connection with the purposes set out in this Policy, unless applicable law requires a longer retention period.

Do we use 'cookies'?

We do not use cookies for tracking purposes.

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings.

Each browser is a little different, so look at your browser’s Help menu to learn the correct way to modify your cookies.

If you turn cookies off.

We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information.

Third-party disclosure

Occasionally, at our discretion, we may include or offer third-party services on our website. These third-party sites have separate and independent privacy policies. We, therefore, have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

How does our site handle Do Not Track signals?

We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.

Does our site allow third-party behavioral tracking?

It's also important to note that we allow third-party behavioral tracking.

COPPA (Children Online Privacy Protection Act)

When it comes to the collection of personal information from persons under the age of 18 years old, the Children's Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, the United States' consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children's privacy and safety online.

We do not onboard minors (any person under 18 years of age) except where you additionally register on their behalf as their parent and/or legal guardian. If you allow a child to use our services, you should be aware that their personal information could be collected as described in this statement.

Fair Information Practices

The Fair Information Practices Principles form the backbone of privacy law in the United States, and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.

In order to be in line with Fair Information Practices, we will take the following responsive action, should a data breach occur:

We also agree to the Individual Redress Principle, which requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.

International Data Transfers

From time to time, we may need to transfer your personal information outside the Republic of Kenya. Where we send your information outside Kenya, we will make sure that your information is properly protected in accordance with the applicable Data Protection Laws.

CAN SPAM Act

The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.

We collect your email address in order to send information, respond to inquiries or other requests or questions.

To be in accordance with CAN-SPAM, we agree to the following:

If at any time you would like to unsubscribe from receiving future emails, you can email us by following the instructions at the bottom of each email, and we will promptly remove you from ALL correspondence.

Your rights

Subject to legal and contractual exceptions, you have rights under data protection laws in relation to your personal data. These are listed below:

- Right to be informed that we are collecting personal data about you;

- Right to access personal data that we hold about you and request for information about how we process it;

- Right to request that we correct your personal data where it is inaccurate or incomplete;

- Right to request that we erase your personal data noting that we may continue to retain your information if obligated by the law or entitled to do so;

- Right to object and withdraw your consent to processing of your personal data. We may continue to process if we have a legitimate or legal reason to do so;

- Right to request restricted processing of your personal data noting that we may be entitled or legally obligated to continue processing your data and refuse your request;

- Right to request transfer of your personal data in an electronic format.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within reasonable time. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Right to Lodge Complaint

You have the right to lodge a complaint with the relevant supervisory authority that is tasked with personal data protection within the Republic of Kenya.

Non-Compliance with this Statement

We shall have the right to terminate any agreement with you for failure to comply with the provisions of this statement and reject any application for information contrary to this statement.

Amendments to this Statement

We reserve the right to amend or modify this statement at any time. If we amend this statement, you can access the most current version of the privacy statement on the Teleeza website so that you will always know how your personal information is being used or shared. Any amendment or modification to this statement will take effect from the date of notification on the Teleeza website.

Contacting Us

If there are any questions regarding this privacy policy, you may contact us using the information below:

info@teleeza.africa or support@teleeza.africa

+254 706 122 122, +254 714 627 627

Daktari Mkononi Powered by Zuri Health

Teleeza Africa Limited and our partner Zuri Health and its affiliates value the privacy of individuals who access our Sites and use our Services.

This privacy policy explains to you the personal information we collect, how we use and share that information, and the ways in which you can control how we use and share that information. It informs you what information the Healthcare Professionals or other member can see when you use our Sites and Services. It informs you of your rights and choices with respect to your personal information and how you can contact us should you have any questions or concerns.

DAKTARI MKONONI POWERED BY ZURI HEALTH SITES WILL BE COLLECTING AND TRANSMITTING PERSONAL, MEDICAL AND HEALTH-RELATED INFORMATION ABOUT YOU. BY USING THE SITE, YOU AGREE THAT WE CAN COLLECT AND USE YOUR PERSONAL AND OTHER INFORMATION AS DESCRIBED IN THIS SITE PRIVACY POLICY. IF YOU DO NOT AGREE, PLEASE DO NOT USE THE SITE.

Important Definitions

“Personal Information” in this Privacy Policy, means information about you that is personally identifiable to you, such as your contact information (e.g. name, address, email address, or telephone number), personally identifiable health or medical information (“Health Information”), and any other non-public information that is associated with such information.

“De-Identified Information”, means information that is neither used nor intended to be used to personally identify an individual.

Information We Receive or Collect from You

Registration Data: When you register or create an account, you provide us with certain information, which includes your email address, telephone number, date of birth, gender, and zip or postal code (the “Registration Data”), as well as a password for your account.

Payment Information: If you choose to use a fee-based Service, you will be requested to provide (at a minimum) your name and payment information including payment card information (“Payment Information”). A third-party service provider that handles payments for us will also receive your payment card information.

Information You Choose to Provide to Us: You have the ability to provide a variety of information during your interactions with us and the Zuri Health Services, such as emails you may send us, information you respond to, and emails or newsletters that you sign up to receive. Zuri Health or third parties acting on our behalf receive data from you whenever you provide us with information.

Contact Information: If you choose to participate in research studies or sign up for certain features, you may provide us, and we may collect, your contact information, including your name, mailing address, and phone number (“Contact Information”).

Feedback and Support. We love to hear from you. Whether you have an idea to make Daktari Mkononi Powered by Zuri Health better or need help, we store the emails you send us and use them to help us prioritize how to improve our product.

De-identified Data. We use de-identified data for research and development of new products or tools, to refine our algorithms and machine learning applications, and to improve the App and the services we provide. We may disclose such information publicly and to third parties, for example, in public reports about health, to partners under agreement with us, or in benchmarking information we provide to the medical community.

Information We Receive from Third Parties

Virtual Consult Summaries: At the end of every virtual visit (meaning a consultation between a doctor and a patient through our Services using text chat and/or video), the Healthcare Professional will prepare a note about the virtual visit (the "Consult Summary"), which may include health information such as symptoms, diagnosis, and treatment. These Consult Summaries will become part of your Profile. You are solely responsible for the disclosure of any personal information to a Healthcare Professional of your choice.

Social Media Accounts: We may obtain Personal Information about you from third-party social media services, such as Facebook and Twitter, if you choose to link our Services with third-party social media accounts ("Social Media Account") by either: (i) providing your Social Media Account login information to us through the Services; or (ii) allowing us to access your Social Media Account, as is permitted under the applicable terms and conditions that govern your use of the respective Social Media Account.

Information we collect via technology

Activity on the Sites: We may keep track of some of the actions you take on the Sites, such as the content of searches you perform on the Sites.

Access Device and Browser Information: When you access the Site from a computer or other device, we may collect anonymous information from that device, such as your Internet protocol address, browser type, connection speed, and access times (collectively, "Anonymous Information").

Cookies: We may use both session Cookies (which expire once you close your web browser) and persistent Cookies to make the Site and Services easier to use, to make our advertising better, and to protect both you and Daktari Mkononi Powered by Zuri Health. You can instruct your browser, by changing its options, to stop accepting Cookies or to prompt you before accepting a Cookie from the websites you visit. If you do not accept Cookies, however, you will not be able to stay logged in to the Sites. We may also use

Pixels: We use pixels to make the Sites and Services easier to use and to make our advertising better by, for example, summarizing usage patterns. We presently do not honor "Do Not Track" requests across all parts of our Sites.

Real-Time Location: Certain features of the Site use GPS technology to collect real-time information about the location of your device so that the Site can connect you to a Healthcare Professional who is licensed or authorized to provide Services in the area or jurisdiction where you are located. When accessing Google Maps services on our Sites, you are agreeing to Google's Terms of Service and Privacy Policy.

Mobile Services: We may collect non-personal information from your mobile device or computer. This information is generally used to help us deliver the most relevant information to you. Examples of information that may be collected and used include how you use the application(s) and information about the type of device or computer you use. In addition, in the event our application(s) crashes on your mobile device, we will receive information about your mobile device model, software version, and device carrier, which allows us to identify and fix bugs and otherwise improve the performance of our application(s).

How We Use Information We Receive or Collect

Generally, Daktari Mkononi Powered by Zuri Health uses the information we collect for the following purposes:

⦁ To operate, provide, maintain, improve, and enhance our Services;

⦁ To understand and analyze how you use our Services and to develop new products, services, features, and functionality;

⦁ To personalize your experience on our Services, such as by providing tailored content. For example, we use your email address to help you create, log into, and manage your account on our Services. This lets us personalize your experience and give you relevant information. It also powers the features that help you better understand, engage with, and track your health and to present you with personalized, relevant information.

⦁ To enable you to select a Healthcare Professional that suits your needs.

⦁ For marketing and advertising purposes, such as developing and providing promotional and advertising materials that may be relevant, valuable, or otherwise of interest to you. We also may use the information that we learn about you to assist us in advertising our Services on third-party websites. Where required under applicable law, we will only send you marketing communications with your consent.

⦁ To communicate with you via email, text messages, push notifications, and phone calls, in order to provide you with updates and other information relating to our Services, provide information that you request, respond to comments and questions, and otherwise provide customer support.

⦁ To facilitate transactions and payments.

⦁ To facilitate the connection of Social Media Accounts to our Services to provide information from Social Media Accounts to your Profile. Depending on the Social Media Accounts you choose and subject to the privacy settings that you have set in such Social Media Accounts, we will access, make available, and store (if applicable and as permitted by the social media service and authorized by you) the information in your Social Media Accounts so that it is available on and through your Profile on the Services.

⦁ For our business purposes, such as audits, for quality assurance purposes, to find and prevent fraud, and to respond to trust and safety issues that may arise.

⦁ For compliance purposes, including enforcing our Terms of Use or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.

⦁ For other purposes for which we provide specific notice at the time the information is collected.

⦁ To aggregate or otherwise de-identify information collected through the Services and use and disclose it for other business purposes after the data can no longer be reasonably linked to an identifiable person.

De-Identified Information: We may use de-identified information without any restrictions.

Information You Share with Third Parties: This Privacy Policy applies only to information we collect through our Sites and in email, text, and other electronic communications sent through or in connection with our Sites. This Policy DOES NOT apply to information collected by any third party. When you click on links on the Site, you may leave our Site. We are not responsible for the privacy practices of other sites, and we encourage you to read their privacy statements.

How we share the Personal Information we collect:

Daktari Mkononi Powered by Zuri Health may share or otherwise disclose Personal Information in the circumstances described below.

Affiliates: We may disclose Personal Information to our affiliates or partners to provide the Services or for other purposes for which the information was collected.

Vendors and Service Providers: We may share Personal Information we receive with vendors and service providers in connection with the provision of the Services. In the event Personal Information is (a) to be used for a purpose that is materially different from the purposes for which the Personal Information was originally collected or subsequently authorized, or (b) transferred to a third party acting as a data controller, Members will be given, where practical and appropriate, an opportunity to opt out of having non-sensitive Personal Information used or transferred. For sensitive information, including health-related information, members will opt in before such use or transfer.

In some instances, Daktari Mkononi Powered by Zuri Health may retain other service providers to perform functions on our behalf, including, but not limited to, website developers and IT services providers.

Analytics Partners: We may make certain Personal Information available to third parties for analytics purposes, including: (a) for Daktari Mkononi Powered by Zuri Health business or marketing purposes, or (b) to leverage third-party tools to understand Members' interests, habits, and usage patterns, and/or functionality available through our Services. We only share your Personal Information with analytics partners to improve our own Services and/or to deliver healthcare to you. We do not sell your Personal Information to advertisers.

As Required by Law and Similar Disclosures: We may access, preserve, and disclose Personal Information if we believe doing so is required or appropriate, in our sole discretion, to: (a) comply with any applicable law, regulation, legal process, or governmental request, such as a court order or summons, or otherwise cooperate with law enforcement or governmental agencies; (b) take precautions against liability; (c) protect your, our, or others' rights, property, or safety; (d) investigate and defend ourselves against any third-party claims or allegations; and (e) protect the security or integrity of our Services and any facilities or equipment used to make our Services available.

For avoidance of doubt, the disclosure of Personal Information may occur if you post any objectionable content on or through the Services.

Social Media Services: Our Services may allow you to, upon your direction, share Personal Information with certain social media services, such as Facebook, Twitter, Pinterest, and Google Plus. Please consider any impact on your privacy and anonymity when posting content to any and all social media services. You understand and agree that the use of Personal Information by any social media services will be governed by the respective privacy policies of those social media services and your settings on their platforms. We encourage you to review their privacy policies.

Marketing: We do not rent, sell, or share Personal Information about you with nonaffiliated companies for their direct marketing purposes, unless we have your permission.

Virtual Healthcare Professional Visits: We may share Personal Information with Daktari Mkononi Powered by Zuri Health Healthcare Professionals in order to facilitate your treatment and care. Like an in-person patient-doctor interaction, Daktari Mkononi Powered by Zuri Health virtual consults are confidential, but not anonymous. When using Daktari Mkononi Powered by Zuri Health Services, your Profile information, such as your real name and health information, is visible to the Healthcare Professionals whom you see or chat with in a virtual visit. This Profile information is not visible to other Members or to Healthcare Professionals who are not providing care or services in a virtual visit.

By initiating a virtual consult, you consent to sharing your name and the health information in your Profile with Healthcare Professionals who treat you in virtual visits.

Mergers, Sales, or Other Asset Transfers: We may disclose and otherwise transfer Personal Information to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a transaction.

Corporate transaction: We may disclose and transfer Personal Information in the event of a corporate transaction, such as being acquired by or merged with another company, or selling, liquidating, or transferring all or a portion of our assets.

Data Security: Daktari Mkononi Powered by Zuri Health takes commercially reasonable efforts to protect Personal Information through physical and electronic safeguards designed to maintain its integrity and security. We employ precautions to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. However, as no electronic transmission or storage of Personal Information can be entirely secure, we cannot guarantee its absolute security or privacy.

Data Integrity: We use the information we collect in ways that are relevant and compatible with the purpose for which it was collected or provided to us as disclosed in this policy. We take steps to ensure that all information collected, processed, and/or stored is protected from destruction, corruption, or use inconsistent with our policies or the purpose for which we received it.

Our Policy concerning Children: Daktari Mkononi Powered by Zuri Health prohibits registration by and does not knowingly collect personal information from anyone under the age of 13 years. Information relating to a child between 14 to 18 years is only collected using an account set up and managed by an adult parent or guardian. If we become aware that we have collected information from a child under the age of 13 years, we will take all necessary measures to remove such information from our servers. If you believe that we might have any personal information from a child under 13, please contact our team at support@teleeza.africa or info@teleeza.africa.

Information Retention: We retain your Personal Information for a period that is no longer than necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. When determining the retention period, we consider factors such as the type of Services provided to you, the nature and length of our relationship with you, the impact on the Services if we delete some Personal Information, and mandatory retention periods provided by law and relevant statutes of limitations.

Your Privacy Rights and Choices:

If you would like to request access to your Personal Information or limit its use or disclosure, please contact the Healthcare Professional to whom you provided the Personal Information in connection with our Services. If you reach out to us with the name of the Healthcare Professional, we will refer your request to them and assist in responding to your request.

Changes to this Policy

We will regularly evaluate this policy against new technologies, business practices, changes in law, and the needs of our Members, and may make changes to the policy accordingly. Please check this page periodically for updates. If we make any material changes to this policy, we will post the updated terms on the Services and provide you with notice.

Notice of Changes:

If there are any material changes to this policy, we will provide notice to you, which may include sending an email to the email address you use to access the Services. These changes will be effective within thirty (30) calendar days following the dispatch of the email notice. For new users of the Services, the changes will be effective immediately. It is your responsibility to keep your email address updated. If the email address you provided is not valid or unable to receive the notice, our dispatch of the email will still constitute effective notice of the changes. If you do not agree with the changes and wish to discontinue the use of the Services, you must notify us before the effective date of the changes.

Governance:

Enforcement: We conduct compliance audits of our privacy practices to ensure adherence to this policy. We also conduct follow-up investigations to verify the accuracy of assertions regarding our privacy practices. If you believe there is an inaccuracy or potential violation, you can contact us using the provided contact information. We provide training to support implementation and compliance, and any employee found in violation of this policy may face disciplinary action.

Dispute Resolution: If you have any questions or concerns about our use or disclosure of information, you can reach out to our team at support@teleeza.africa or info@teleeza.africa. We will investigate and attempt to resolve any complaints or disputes.

Disputes regarding the use and disclosure of information in accordance with this policy will be resolved following the dispute resolution mechanisms outlined in our Terms of Use.

Support and Feedback:

If you have any questions or need further clarification about the Sites or Services, you can contact us at support@teleeza.africa or info@teleeza.africa. We value your feedback and would love to hear from you.

If you have any ideas or feedback to improve Daktari Mkononi Powered by Zuri Health, please reach out to us at support@teleeza.africa or info@teleeza.africa.

Bima Powered by Turaco:

Background:

Teleeza has partnered with Turaco to provide the services on Bima under the Teleeza Freemium Package.

Data Definition:

In this document, the term "data" refers to raw data, processed data, published data, field notes, observations, and supporting documents. It includes data generated by Turaco, its partners, underwriters, agents, and regulators for policy administration, data analytics, financial modeling, forecasting, or transformations necessary to support all business functions.

Turaco Entities:

This document covers Turaco Inc., a registered company in Delaware, USA, and its subsidiaries, including but not limited to Turaco Kenya Ltd. (Kenya), Turaco Insurance Brokers Ltd (Uganda), Turaco Inclusive Limited (Nigeria), and Ellard Insurance Agency Ltd (Kenya). Collectively, these entities are referred to as "Turaco" in this document.

The Data Management Manual:

The Data Management Manual provides information on the architecture, information, and approach to data management for Turaco Ltd and its subsidiaries. It includes details on roles and responsibilities, data activities, metadata, peer review, and standards. This manual serves as a comprehensive guide for data management within the organization.

Turaco and Partners' Data Generation and Integration:

Turaco, along with its partners, generates, integrates, and disseminates data and derived data products that assist resource managers in developing adaptation strategies in response to a changing climate and assessing risk appetite in the insurance industry.

Need for Data Management Policy and Guidance:

Data users and data managers require data management policies and guidance to ensure the use of appropriate standards, consistent guidelines, and common strategies. This promotes linkages and consistency with other similar systems while aligning with Turaco's mission and vision.

Evolution of Turaco's Data Management Policies:

Turaco's data management policies and guidance will evolve as implementation and operations progress. The Turaco Data Management and Business Intelligence working group will identify needs, set priorities, and adjust the data management strategy to meet business requirements. As changes occur, the group will update policies, guidance, and the Data Management Manual accordingly.

About Turaco:

Turaco is an insurance services company with a presence in East Africa and Nigeria. It offers a new model for managing life and health risks for emerging customers. Turaco focuses on designing nimble and customer-focused products and services in the microinsurance market. The company values simplicity, communication, and transparency, aiming to transform the insurance industry.

Turaco's Mission:

Turaco's mission is to be there for its customers in their times of greatest need by providing them with insurance designed to work for them. The company aims to protect customers from the fear of financial loss and alleviate the fear of financial shocks.

25-Year Goal:

Turaco's long-term goal is to cover 1 billion people, effectively doubling the number of insured individuals on the planet. This ambitious objective reflects the company's commitment to expanding insurance coverage and reaching a larger population.

Turaco's Values:

Turaco's core values are:

Turaco emphasizes the importance of caring for and protecting its customers. The company strives to do the right thing, both in its work and personal lives, acknowledging that mistakes may happen along the way. Turaco is committed to paying claims, listening to and understanding its customers, and maintaining a friendly and enjoyable work environment while tackling serious problems.

Purpose of Procedures:

This manual outlines the procedures and processes for obtaining, storing, and providing access to data that is useful to Turaco. Its purpose is to ensure that all department teams and stakeholders can effectively utilize the data within the organization.

Data Protection and Privacy Policy 1.0:

Introduction:

Teleeza and Turaco are dedicated to the ethical and sustainable use of personal and sensitive data within the organization. The Data Protection and Privacy Policy 1.0 specifies the essential elements for managing risks related to the processing of personal and sensitive data.

The purpose of this policy document is to outline Turaco's guidelines for data processing to ensure compliance with the General Data Protection Regulation (GDPR) and relevant regulations in Kenya. Turaco aims to free people from the fear of financial shocks.

1.1 Objectives:

1.2 Applicability of Policy:

1.3 Scope:

This policy applies to all of Turaco's businesses.

This policy applies to all the data aggregated from the different partners, underwriters, agents, and application databases as captured by Turaco’s data creators i.e., front office, back office, finance, among others.

This policy applies to all persons employed by or under contract with Turaco

Definitions

Automated Decision-Making (ADM)

A decision made based solely on automated processing, including profiling, that produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making unless certain conditions are met.

Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects relating to an individual's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Profiling is an example of automated processing.

Consent

Agreement which must be freely given, specific, informed and an unambiguous indication of the data subject's wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data relating to them.

Data Controller

The person or organization that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the GDPR.

Turaco is the Data Controller of all personal data relating to its customers and used for conducting business or research and all other purposes connected with it.

Data Processor

A company that processes personal data on behalf of the data controller.

Data Subject

A living, identified or identifiable individual about whom we hold personal data i.e. both customers and staff members.

Data Protection Impact Assessment (DPIA)

Privacy risk assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major systems or business change programs involving the processing of personal data.

Data Protection Officer (DPO)

Person appointed and responsible for advising Turaco (including its employees) on their obligations under Data Protection Law, for monitoring compliance with data protection law as well as with Turaco's policies, providing advice, cooperating and acting as a point of contact with any regulatory body enforcing the law.

Personal Data

Any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymized personal data but excludes anonymous data or data that has had the identity of an individual permanently removed.

Personal data refers to information that can be used to identify or directly relate to an individual. This can include factual information such as a person's name, email address, location, or date of birth.

Data Breach

A data breach refers to any unauthorized or accidental incident where personal data is destroyed, lost, altered, disclosed, or accessed without proper authorization. A data breach poses a risk to the data subject whose information has been compromised.

Privacy by Design and Default

Privacy by Design and Default refers to the integration of privacy measures and principles into the design and development of software or systems from the beginning. It involves implementing technical measures to ensure privacy is embedded in the solution design and becomes the default setting.

Privacy Notices

Privacy notices are separate statements or notifications that provide information to data subjects when Turaco collects their personal information. These notices can take the form of general privacy statements applicable to individuals or specific stand-alone statements for processing related to a particular purpose by Turaco.

Data Processing

Data processing refers to any operation or set of operations performed on personal data, including organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also encompasses transmitting or transferring personal data to third parties. In essence, it encompasses any action taken with personal data from its creation to its destruction.

Anonymization or Pseudonymization

Anonymization or pseudonymization involves replacing information that directly or indirectly identifies an individual with artificial identifiers or pseudonyms. This process is conducted to ensure that the data can no longer be attributed to a specific individual, or that the individual cannot be identified without the use of additional information, which is meant to be kept separately and secure.

Special Category / Sensitive Data

Special category or sensitive data refers to any data that reveals:

Responsibilities

The administration and management of this policy shall be as follows:

Head of Risk and Insurance Operations

Head of Engineering

Head of Internal Audit and Compliance Team

Business Intelligence Lead

Policy Statements

2.1 Data Controlling

As a Controller, Turaco shall maintain the following information:

2.2 Processing of Special Category/Sensitive Data

The following policy statements pertain to the processing of special category/sensitive data:

The processing of special categories of personal data shall satisfy at least one of the conditions highlighted below:

a) Explicit consent - the individual has given explicit consent.

b) Legal obligation related to employment - The processing is necessary for a legal obligation in the field of employment or for a collective agreement.

c) Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to the processing needed for medical emergencies.

d) Not-for-profit bodies - The processing is carried out in the course of the legitimate activities of a not-for-profit body and only relates to members or related persons, and the personal data is not disclosed outside that body without consent.

e) Public information - The processing relates to personal data which is manifestly made public by the data subject.

f) Legal claims - The processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity.

g) Substantial public interest. The processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law.

h) Healthcare - The processing is necessary for healthcare purposes and is subject to suitable safeguards. Additionally, the health data of a data subject under the data protection act can only be processed when it is necessary for:

2.3 Processing of Personal Data Relating to Children

i. Turaco shall ensure that it processes the personal data of children in a manner that protects and advances their rights and best interests. Turaco shall incorporate appropriate mechanisms for age verification and parental consent in order to process the personal data of children in a lawful manner. Such mechanisms, as per the data protection law, shall be determined based on:

a. Volume of personal data processed

b. The proportion of such personal data that is likely to be that of children

c. Possibility of harm to children arising out of the processing of personal data

2.4 Processing of personal data relating to criminal convictions and offences

i. Information about criminal convictions, offences, or related security measures shall be processed only pursuant to Union or national law or under the control of official authority.

ii. Consent from an individual shall not provide a justification to process personal data relating to criminal convictions and offences.

Turaco shall process personal data relating to criminal convictions and offences under the following conditions:

iii. a) Turaco Customers

2.5 Restriction of Processing

i. Turaco, at the request of a data subject or customer, shall restrict the processing of personal data where:

a) Accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the data.

b) Personal data is no longer required for the purpose for which it was collected, but the data subject requires the personal data for the establishment, exercise, or defense of a legal claim.

c) Processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use.

d) Data subject has objected to the processing, pending verification as to whether the legitimate grounds of the data controller or data processor override those of the data subject.

2.6 Data Subject Rights

2.6.1 Right of Access by the Data Subject

i. A data subject shall have the right to obtain from the data controller confirmation as to whether personal data concerning him or her is being processed. Additional information that the data subject shall have access to includes:

a) The purposes of the processing

b) The categories of personal data concerned

c) The recipients or categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations

d) Where possible, the envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period

e) The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing

f) The right to lodge a complaint with a supervisory authority

g) Where the personal data has not been collected from the data subject, any available information as to their source

h) The existence of automated decision-making, including profiling, referred to in Article

i) Where personal data is transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

2.6.2 The Right to Rectification

i. A data subject shall have the right to obtain from Turaco without undue delay the rectification of inaccurate personal data concerning him or her.

ii. The data subject shall have the right to have incomplete personal data completed and inaccurate data corrected.

2.6.3 Right to Erasure (‘Right to be forgotten’)

i. The data subject shall have the right to obtain from Turaco the erasure of personal data concerning him or her without undue delay.

ii. Turaco shall have the obligation to erase personal data without undue delay where one of the following rules applies:

a) The personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.

b) The data subject withdraws consent on which the processing is based, or where there is no other legal ground for the processing.

c) The personal data has been unlawfully processed.

d) The personal data must be erased for compliance with a legal obligation within the country to which the controller is subject.

2.6.4 Right to Restriction of Processing

i. The data subject shall have the right to obtain from Turaco restriction of processing where one of the following applies:

a) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.

b) The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.

c) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims.

2.6.5 Right to Data Portability

i. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

a) The processing is based on consent.

b) The processing is carried out by automated means.

ii. In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

2.6.6 Data Retention & Archiving

i. Turaco shall retain personal data only as long as it may be reasonably necessary to satisfy the purpose for which it is processed, unless the retention is:

a) Required or authorized by law

b) Reasonably necessary for a lawful purpose

c) Authorized or consented by the data subject

d) For historical, statistical or research purposes

ii. Turaco shall delete, erase, anonymize or pseudonymize personal data not necessary to be retained.

iii. Turaco shall develop and maintain a data retention policy that highlights the various

h) Automated deletion or anonymization of personal data upon expiry of the storage period.

2.8 Data Protection Impact Assessments (DPIAs)

i. Turaco shall conduct data protection impact assessments for any processing that is likely to create "high risks" for customers. Activities which can be considered to involve high-risk processing include conducting due diligence, and especially enhanced due diligence, in relation to any potential or existing customer, as well as profiling of clients.

Profiling activities which may lead to decisions, including decisions taken by automated means, that have significant effects on data subjects (for example fraud scoring) are considered to create high risk and would require an impact assessment.

ii. Turaco shall conduct Data Protection Impact Assessments in respect of high-risk processing arising from new technology being employed.

iii. A DPIA shall be conducted early in the life of a project and will run alongside the planning and development process. A checklist shall be maintained to enable a proper assessment to be done within the project management life cycle.

2.9 Direct and Electronic Marketing

i. Turaco shall obtain a data subject's prior consent for electronic direct marketing, for example, by email, text, or automated calls.

ii. The right to object to direct marketing shall explicitly be offered to the data subject in an intelligible manner so that it is clearly distinguishable from other information.

iii. A data subject's objection to direct marketing shall be promptly honored.

iv. If a data subject opts out at any time, their details shall be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

2.10 Reporting a Personal Data Breach

i. Any data breaches shall be reported immediately to IT security, which will have a data protection office/function.

ii. Turaco shall report to the relevant authorities any personal data breach where there is a risk to the rights and freedoms of the data subject.

iii. Where the personal data breach results in a high risk to the data subject, he/she shall be notified unless subsequent steps have been taken to ensure that the risk is unlikely to materialize, such as anonymization.

iv. In the latter circumstances, a public communication shall be made, or an equally effective alternative measure shall be adopted to inform data subjects so that they themselves can take any remedial action.

v. Records of personal data breaches must also be kept, setting out:

a) The facts surrounding the breach

b) Its effects

c) The remedial action taken

2.11 Security of Processing

i. Turaco shall ensure that personal data is always secure.

ii. Turaco has and shall keep investing in security measures that shall always improve its security posture.

iii. eas outlined below.

a) The pseudonymization and encryption of sensitive data

b) Entrenchment of confidentiality, integrity, availability (CIA), and resilience in all Turaco information technology systems.

c) Ensure the ability to restore availability and access to personal data in the event of a physical or technical incident.

d) Develop processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

2.12 Processor Outsourcing

2.12.1 Choosing a processor

i. Turaco shall only use processors who have or can provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets world-class privacy and protection requirements. In this way the fundamental rights of customers shall be protected.

ii. Turaco shall conduct a broader due diligence exercise when selecting a processor.

iii. Turaco as a controller shall consider whether it is necessary, or good practice, to carry out a data protection impact assessment (DPIA) before entering a major new processing arrangement.

2.12.2 Cross Border Data Transfer

i. Cross-border data transfer (defined as transferring data to a third party outside the jurisdiction of the Turaco entity) of customer-sensitive data shall be subject to approval from Turaco management.

ii. Turaco shall be expected to have a secure data lake with a copy of all data that may be sitting in a different jurisdiction.

2.12.3 Conditions of Cross Border Transfer

i. Turaco as a data controller and a data processor shall transfer personal data to another country when the following conditions are met:

a) The transfer is necessary for:

⦁ the performance of a contract between the customer and Turaco’s data processor, or the implementation of pre-contractual measures taken at the customer’s request;

⦁ the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person;

⦁ the establishment, exercise, or defense of a legal claim;

⦁ protecting the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

⦁ the purpose of compelling legitimate interests pursued by Turaco which are not overridden by the interests, rights, and freedoms of the data subject.

Typically, the nature of the information maintained for legitimate interest would include:

a. Fraudulent customers, where a claim is doubtful or very problematic.

b. Individuals (both customers and non-customers) who are known or suspected of having engaged in fraudulent activities. Such information would need to be supported by a police report or other reliable sources (e.g., Turaco’s security officer who would have conducted the necessary investigations).

c. Information received from IRA or underwriters on fraud ratings of customers.

d. The ‘Know Your Customer’ principle is particularly relevant to Turaco's business, and Turaco shall seek to have maximum knowledge of all its customers' affairs, including details of their backgrounds, means, etc. This is also necessary for Turaco to comply with the due diligence procedures called for under the data processing and governance policies.

e. Claims Data (data pertaining to customer claims), for example:

● Medical reports

● Discharge forms

● 3rd party examination forms

● Policy reference letters

● Policy medical examination report