1. Our commitment to privacy and personal data protection
B smart Products is committed to safeguarding your privacy and the confidentiality, integrity and security of your personal data. “Personal data” in this Policy is any information that identifies you as an individual, recorded electronically or otherwise. It includes information that you provide to us or that we collect through the methods and from the different sources described below. Personal data may include, but is not limited to, your name, ID number, date of birth, age, gender, family status, contact information such as telephone and fax numbers, postal address, email address and social media accounts.
To ensure that you make informed decisions and feel confident in entrusting us with your personal data, it is important that you read this Policy carefully so that you are aware of how and why we are using your personal data, and understand our policies and practices in this regard. This Policy should be read alongside our Personal Data Collection and Processing Statement. Moreover, this Policy complements the provisions for protection and processing of personal data contained in the various terms and conditions for the supply of our services and products.
In this Policy, “processing” personal data refers to the operations we perform on personal data, whether or not by automated means, including (but not limited to) collection, recording, organisation, structuring, storage, retention, use, handling, transmission, provision, disclosure and erasure.
2. Scope of this Policy
This Policy outlines how we collect, store, use and disclose your personal data, and sets out the legal basis on which we do this. It also tells you how you can access and update your personal data and make certain choices or objections about how your personal data are used.
This Policy covers both our online and offline data collection activities, including personal data that we collect through our different channels, such as websites, mobile applications, social media, retail stores, contact centres, and other points of sales.
3. Legal basis
We process personal information always in strict compliance with the laws of The Republic of Kenya, and any other applicable laws and regulations relating to privacy and protection of personal data, including binding orders or guidelines issued by courts or government agencies of competent jurisdiction, such as the Office for Personal Data Protection (GPDP), and the relevant national laws (such as the Personal Information Protection Law) and international principles and rules on privacy and protection of natural persons with regard to the processing of their personal data (taken together, “applicable laws”).
Where applicable laws in the relevant jurisdiction so require, we may seek your consent for processing your personal data. If you do not provide your consent where required, we may be unable to continue performing our obligations or providing our services or products to you.
5. Sensitive personal data
Certain categories of personal information are considered “sensitive personal data”, including (but not limited to) political or religious beliefs, political or union affiliation, private life, racial or ethnic origin, health condition (including genetic data), biometrics, location and, in certain jurisdictions, personal information of minors under the age of fourteen.
In principle we do not process sensitive personal data. We may however process your sensitive personal data where expressly authorized or required in accordance with the applicable laws or, unless otherwise specified by applicable laws, with your explicit and separate consent (or, in case of minors, parental or guardian consent).
The content you provide, upload or post through our websites, mobile applications or social media platforms (e.g., information or photos about your social activities) may disclose sensitive personal data. You should always carefully consider whether you should disclose your sensitive personal data.
6. Personal information we collect and how we collect it
Generally, we only collect and use your personal information to the extent necessary for us to pursue our legitimate interests (where your interests and fundamental rights do not override those interests), in particular where the personal data is necessary for us to provide our products and services to you. The onus is on us to collect only the personal data that is directly related to, and necessary for, providing our products and services. We do not collect information in advance or for potential future purposes, unless required by the applicable laws.
By providing your personal data to us, you acknowledge that you have made a fully informed decision in providing such personal data.
Depending on how you interact with us (online, offline, over the phone, etc.), we may collect different types of information from you, as follows:
(i) Information to allow us to contact you, such as your name, postal address, email address, social media account or phone number.
(ii) Information required to give you access to your specific account profile, such as login ID/email address, user name, password in unrecoverable form, and/or security question and answer.
(iii) Information on your demographic or behavioural characteristics, including date of birth, age, gender, geographic location, favorite products, hobbies or interests and other lifestyle information.
(iv) Information about the computer system or mobile device you use to access our services, websites or mobile applications, such as internet protocol (IP) address used to connect your computer or mobile device to the internet, operating system, and web browser. If you access a CTM website or mobile application via a mobile device such as a smartphone or tablet, the collected information may also include, where allowed, the unique device ID, geo-location, and other similar mobile device data.
(v) Information our websites or mobile applications may process about your actions, collected by automated algorithm decision-making processes or technologies such as cookies (please refer to Section 7 below).
(vi) Information you voluntarily share with us about your experience of using our products and services.
(vii) Content you create and then share with us on social media or by uploading it to one of our websites or mobile applications, including the use of social media mobile applications.
(viii) Information you share publicly on social media platforms or information that is part of your profile on a third party social media and that you allow the third party social media to share with us.
(ix) Information we require in order to bill you or process payment for our services or products, or that you use to subscribe to a service or purchase a product, such as your debit or credit card details or other accepted forms of payment. Refusal to provide such information may render us unable to handle your application or provide the service or product, or may prevent your access to certain parts of our websites or mobile applications. We handle payment and financial information always in strict compliance with applicable laws and the highest security standards within the industry.
(x) Information you provide to our Contact Centre. Calls with our Contact Centre may be recorded, in accordance with applicable laws, for operational needs (including for monitoring quality or training purposes) and, in certain cases, to archive proof of consent for direct marketing and profiling. We will inform you about such recording at the beginning of your call.
Cookies are small text files that are placed on your computer, mobile phone or other web enabled device when you visit a website. They are not harmful and do not contain any confidential information such as your home address, date of birth or credit card details. To find out more about the cookies we use and the purposes for which we use them, please see our Cookies Policy.
8. Purposes for which we process your personal data
We process your personal data to the extent permitted or required under the applicable laws, for the following purposes (not all of the purposes may be relevant to you):
(i) Verify your identity (name, gender, date of birth, age, identity card number or other personally identifiable number) to process your application and activate or deactivate services, facilitate interconnection and inter-operability with other telecommunications operators, including number portability.
(ii) Administer your account, carry out credit checks and fraud detection, and in general provide you with the products and services you subscribe to and process your bills and payments.
(iii) Respond to your enquiries or complaints to our customer service. This typically requires the use of your contact details and information regarding the reason for your inquiry (e.g., order status, technical and service or product issues, etc.).
(iv) Include your contact details in telephone directories or directory enquiry services provided or operated by us or a contracted third party (subject to any preference or objection you may have expressed to us).
(v) Offer you rewards, discounts or other benefits and fulfil your requests or requirements in respect of our loyalty and reward programs and other similar activities.
(vi) Inform you about products or services that may be of interest to you (with your consent, where required by applicable laws). Typically, we may carry out these activities via email and postal mail, ads, SMS, social media or phone calls, to the extent permitted by applicable laws. You can unsubscribe or opt-out at any time or object to the processing of your personal data for this purpose. Please note that, even if you unsubscribe or opt-out from receiving marketing communications, you may still receive administrative communications from us, such as application or other transaction confirmations, notifications about your account, and other important announcements.
(vii) Inform you of service and security issues, prevent and detect fraud or other crimes and recover debts, conduct internal audits and determine your creditworthiness, ensure the safety and security of our properties and systems, conduct background checks against money laundering, terrorism financing, sanctions and related risks.
(viii) Carry out network monitoring, testing and maintenance of computers, mobile devices and other systems.
(ix) Develop new products and services, and personalize services we offer you, improve our services, for example by looking at usage and mobility patterns to improve your user experience.
(x) Other general purposes relevant to our business, such as analytics, internal research, security and risk management. In accordance with applicable laws, we may use your personal data for other general business purposes, such as performing market analyses and research and measuring the effectiveness of advertising campaigns.
(xi) Comply with legal and regulatory requirements, and provide assistance to courts, law enforcement and other governmental agencies in accordance with applicable laws.
(xii) If the processing of personal data is necessary to perform a mission of public interest, such as responding to a public health emergency, or to protect the life, health or property safety of individuals.
9. Sharing your personal data
For the purposes mentioned above, there are instances where we may share your personal data with the following third party organizations.
(i) Third-party service providers. As part of our normal business operations, to provide the products and services you subscribe to, we contract third-party service providers and agents (including telecommunications operators), such as sales agents, business partners, vendors, banks and financial institutions. Our contractors, service providers and agents are only allowed to access and use your personal data on our behalf for the specific tasks that they may have been requested to perform, based on our instructions, and are required to keep your personal data confidential and secure.
(ii) Other CTM group companies or our parent company (CITIC Telecom International Holdings Limited), as permitted under the applicable laws.
(iii) Courts of competent jurisdiction, government and regulatory authorities and law enforcement agencies, to the extent permitted or as required by the applicable laws.
Except where you have given your explicit consent, we do not license your personal data to third party organizations for their own marketing purposes.
10. Where is your personal data processed
In general, your personal data is processed in our headquarters in Macau.
If, by way of exception, your data is also required to be processed in locations outside Macau, we will scrupulously observe the applicable laws, including the statutory requirements for cross-border transfer of personal data, whether between us and our parent company, subsidiaries and other third party organizations.
In any case, we only engage in transferring personal data to places outside Macau if the recipients provide an adequate level of protection for your data, and provided that appropriate technical and organizational security measures are in place to protect your personal data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.
11. Retention period of your personal data
We will store and retain your personal data for as long as necessary to fulfill the purposes for which it has been processed. Such period of time varies depending on the purpose for which the information is processed, or to comply with applicable laws.
In the absence of specific legal requirements, we will retain your personal data only for the shortest time necessary for the purposes for which it was processed.
When your personal data is no longer needed for the purposes of processing or no longer required to be retained by applicable laws, we will remove it from our systems and/or take steps to anonymise it so that you can no longer be identified from it.
12. How do we protect your personal data
We have implemented appropriate measures to safeguard the confidentiality and security of the personal data you entrust to us, in full compliance with the applicable laws on privacy and protection of natural persons with regard to the processing of personal data.
We maintain physical, technical and security measures of the highest standards (including physical, electronic and governance measures), with respect to our offices and data storage facilities, to prevent accidental, unauthorized or unlawful access, use, disclosure, or accidental loss, destruction or damage to your personal data. Physical records containing personal data are securely stored in locked areas when not in use. Access to such physical and/or computer records is strictly controlled and requires management approval.
Apart from the statutory obligations of confidentiality, as a condition of employment our employees are required to sign a stringent confidentiality oath binding them to this responsibility, which governs their actions even after we no longer employ them.
Nonetheless, employees have access to personal data on a need-to-know basis only, in the sense that certain employees have access to personal data only to the extent necessary to accomplish the specific purpose for which the personal data have been collected.
Each employee who accesses personal data has the responsibility to use such data appropriately. Appropriate use of personal information means using it in accordance with the relevant internal policies, such as our Personal Data Protection Policy, and only as necessary to accomplish the purposes for which it was collected (e.g., to provide a service or to determine your eligibility for a benefit).
Where required by applicable laws, we will inform you and the relevant authorities of any incidents concerning your personal data and remedial or mitigation measures taken.
13. Your statutory rights
Subject to the limitations under the applicable laws, you have the following rights with regard to the processing of your personal data.
(i) You may obtain from us information as to the categories of personal data relating to you that have been stored or are being processed, how the data were collected, and for what purposes, and the recipients to whom the data have been or will be disclosed, and the envisaged storage period.
(ii) If personal data are inaccurate or incomplete, you may request for the data to be rectified or supplemented.
(iii) You may request the erasure of your data if the processing of such data has no legal basis, or if the legal basis has ceased to apply under the applicable laws. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons.
(iv) You may object or withdraw your consent at any time to your personal data being used for purposes of direct marketing, market research, or opinion research or any other form of sales prospecting.
(v) You have the right to object or withdraw your consent (where processing is based on consent), on grounds of your legitimate interests, for reasons relating to your particular situation, at any time to the processing of your personal data by us and we may be required to no longer process your personal data. If your objection is justified we will no longer process your personal data for such purposes.
You may exercise the above rights by written request to the contact person indicated in Section 15 below.
14. Changes to this Policy
If we change the way we handle your personal data, we will update this Policy. We reserve the right to make changes to our practices and this Policy at any time, and we invite you to please check back frequently to see any updates or changes to our Policy. By continuing to use our websites or mobile applications, you agree to be bound by this Policy as amended from time to time.