Privacy Policy

Vike Insurance Brokers Limited ("Vike Insurance", "we", "us" or "our") is an insurance broker licensed by the Insurance Regulatory Authority (IRA) of Kenya. We are committed to protecting the privacy and security of the personal data you entrust to us when you visit our website, request a quote, purchase a policy, or interact with us in any other way.

This Privacy Policy describes the categories of personal data we collect, the purposes for which we use that data, who we share it with, how long we keep it, and the rights you have as a data subject under the Kenya Data Protection Act, 2019 (the "DPA").

For the purposes of the DPA, the data controller is:

Vike Insurance Brokers Limited
2nd Floor, Krishna Centre, Woodvale Grove, Westlands, Nairobi, Kenya
Email: info@vikeinsurance.co.ke
Phone: +254 725 830 485

We collect personal data that you provide to us directly, as well as data we generate or receive from third parties. This includes:

3.1 Information you provide

• Identity data: full name, date of birth, gender, ID/passport number, KRA PIN.
• Contact data: email address, postal address, physical address, phone number.
• Quote & policy data: details of the cover you are requesting (e.g. vehicle make, model, year of manufacture, value, registration number; health declarations; property details; travel itineraries).
• Financial data: bank account or M-Pesa details used to pay premiums or receive claims.
• Claims data: information about incidents, losses, medical reports, police abstracts, and any other documents required to process a claim.
• Communications: records of correspondence with us, including emails, calls, WhatsApp messages, and chat transcripts.
• Marketing preferences: your consent to receive marketing communications and the channels you prefer.

3.2 Information collected automatically

• Device & usage data: IP address, browser type, operating system, device identifiers, pages visited, referrer URLs, and timestamps.
• Cookies & similar technologies: see Section 9 below.
• Location data: approximate location derived from your IP address.
• Derived data: signals we compute from the raw data above and from data we receive from third parties (for example, to score fraud risk or determine quote eligibility).

3.3 Information from third parties

• Underwriters and reinsurers, for the purpose of preparing quotes and binding cover.
• The National Transport and Safety Authority (NTSA), via the DMVIC register: where you provide a vehicle registration number, we verify the vehicle’s make, model, body type, and registration year so we can prepare an accurate quote.
• Credit reference bureaus, fraud prevention agencies, and public registers, where lawfully permitted.
• Partner brokers, agents, employers, or family members who refer you to us or include you on a group policy.

3.4 Your responsibilities when providing information

Providing your personal data is voluntary, but it is necessary for us to deliver the services you have requested. If you choose not to provide the information we ask for, we may be unable to prepare a quote, place cover with an underwriter, administer your policy, or process a claim.

When you give us information, you confirm that it is complete, accurate, and not misleading. Insurance is a contract of utmost good faith — providing inaccurate or incomplete information may lead an underwriter to reject a claim or cancel a policy.

Where you give us personal data about another person (for example a named driver, a beneficiary, a dependant on a medical policy, or a co-insured), you confirm that you have that person’s permission to share their data with us and that you have shared this Privacy Policy with them.

3.5 Special categories of personal data

Some of the data we process is “sensitive” or “special category” data under Sections 44 and 46 of the DPA — most commonly data concerning your health (for example when you request a medical or health insurance quote, declare a pre-existing condition, or submit a medical report in support of a claim). We may also process other sensitive data where it is relevant to the cover, such as data revealing family or dependant details.

We process this data only where the DPA permits — in most cases on the basis of your explicit consent, which you give when you ask us to arrange or administer the relevant cover, and otherwise where processing is necessary to establish, exercise, or defend a legal claim or to comply with a legal obligation. We use it only to prepare your quote, place and administer the relevant policy, and process claims, and we apply the security measures described in Section 8. You may withdraw your consent at any time by contacting our Data Protection Officer (Section 13), though doing so may mean we can no longer arrange or maintain the cover.

We process your personal data for the following purposes and on the following lawful bases:

• To prepare and provide insurance quotes and to place cover with underwriters (performance of a contract / steps prior to entering a contract).
• To administer policies and process claims, including liaising with underwriters, loss adjusters, and other intermediaries (performance of a contract).
• To verify your identity and comply with our legal obligations under the Insurance Act, the Anti-Money Laundering and Combating of Financing of Terrorism Act, and other applicable laws (legal obligation).
• To communicate with you about your quote, your policy, renewals, and service updates (performance of a contract / legitimate interests).
• To send you marketing communications about our products, offers, and educational content where you have given your consent (consent).
• To improve our website and services, including analytics and product development (legitimate interests).
• To detect and prevent fraud, money laundering, and other unlawful activity (legal obligation / legitimate interests).
• To establish, exercise, or defend legal claims (legitimate interests).

We do not sell your personal data, and we do not share it with any third party for their own marketing or advertising purposes.

We share your personal data only with parties who need it to deliver the services you have requested, or where we are legally required to do so. Recipients may include:

• Underwriters and reinsurers who provide the insurance cover.
• Service providers who help us run our business — such as IT hosting, email, SMS, payment processing, analytics, and customer support providers — bound by confidentiality and data-processing agreements.
• Loss adjusters, surveyors, lawyers, and medical professionals instructed to assess or settle a claim.
• Industry anti-fraud bodies and other insurers — including the Association of Kenya Insurers (AKI) and the Insurance Fraud Investigation Unit (IFIU) — for the purpose of detecting and preventing insurance fraud. This may involve sharing details of quotes, policies, and claims.
• Regulators and law enforcement, including the Insurance Regulatory Authority, the Office of the Data Protection Commissioner, and the Kenya Revenue Authority, where required by law.
• Professional advisers such as auditors and legal counsel.
• Successors in title if we sell or restructure our business.

Your personal data is hosted by our cloud service providers, whose primary data-centre regions may be located inside or outside Kenya. Some of our service providers (for example cloud hosting, email, and analytics providers) may also process your personal data outside Kenya. Where we transfer personal data outside Kenya, we do so in accordance with Section 48 of the DPA — including to countries with adequate protection, on the basis of appropriate safeguards, or with your explicit consent.

We keep personal data only for as long as we need it for the purposes set out in this policy, or for as long as the law requires. In practice this means:

• Quote requests that did not lead to a policy: up to 24 months from the date of the request, after which we delete or anonymise the record.
• Active policies and claims: for the duration of the policy and for at least 7 years after termination, in line with insurance and tax record-keeping obligations.
• Marketing preferences and consent records: for as long as we maintain a relationship with you, and for at least 3 years after your last interaction, to demonstrate the lawful basis of any communications sent.
• Payment data: we do not store full card numbers on our own systems. Card details and transaction tokens are held by our PCI DSS-compliant payment processor; references such as M-Pesa transaction IDs are retained by us only for as long as needed to reconcile premiums and claims and to meet our tax and audit obligations.

We have put in place appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. These include encrypted transmission (HTTPS), access controls, staff training, and regular review of our security practices. Payment card data is handled by a payment processor that maintains compliance with the Payment Card Industry Data Security Standard (PCI DSS). No method of transmission over the internet is 100% secure, but we work to protect your data and notify you and the Office of the Data Protection Commissioner promptly in the event of a notifiable breach.

Our website uses cookies and similar technologies to make the site work, to analyse how it is used, and to support our marketing. You can manage your preferences at any time by clicking Privacy settingsin the footer of any page. Strictly necessary cookies cannot be turned off.

Subject to certain conditions, you have the following rights under the DPA:

• Right to be informed about the collection and use of your personal data.
• Right of access to the personal data we hold about you.
• Right to rectification of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten") where the data is no longer needed or you withdraw consent.
• Right to restrict or object to processing in certain circumstances.
• Right to data portability for data you provided to us under a contract or consent.
• Right to withdraw consent at any time, where processing is based on consent — including marketing.
• Right to lodge a complaint with the Office of the Data Protection Commissioner (www.odpc.go.ke).

To exercise any of these rights, please contact us using the details in Section 13. We will respond within the timelines set by the DPA. To help us verify your identity, please send your request from the email address associated with your quote, policy, or account.

Some parts of our quote and underwriting process — for example, calculating an indicative premium from the details you provide and from data we receive from third parties such as NTSA/DMVIC — involve automated processing of the information described in Section 3. These automated steps help us prepare quotes quickly and consistently; the decision to bind cover is made by the underwriter.

Under Section 35 of the DPA, where a decision that has legal or similarly significant effects on you is based solely on automated processing, you have the right to be informed about the logic involved, to express your point of view, and to request that the decision be reviewed by a human. To exercise this right, contact our Data Protection Officer using the details in Section 13.

Where you have opted in, we may contact you by email, SMS, WhatsApp, or phone with offers, news, and educational content about insurance. You can opt out at any time by clicking the unsubscribe link in any email, replying STOP to any SMS, or emailing info@vikeinsurance.co.ke. Withdrawing consent for marketing does not affect the lawfulness of any processing carried out before you withdrew it, and does not stop us contacting you about an active quote, policy, or claim.

If you have questions about this Privacy Policy, want to exercise your rights, or wish to make a complaint, please contact our Data Protection Officer:

Data Protection Officer
Vike Insurance Brokers Limited
2nd Floor, Krishna Centre, Woodvale Grove, Westlands, Nairobi, Kenya
Email: dpo@vikeinsurance.co.ke
Phone: +254 725 830 485

Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from children, except where a parent or guardian provides their child’s details as part of a family or group policy (for example a dependant on a medical cover).

If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact our Data Protection Officer at dpo@vikeinsurance.co.ke and we will delete the information promptly, unless we are required by law or by an active policy or claim to retain it.

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page tells you when it was last revised. If we make material changes we will notify you by email or by posting a prominent notice on our website before the changes take effect.