Who We Are — Data Controller
This Privacy Notice explains how Salaam Investment Bank Kenya Limited collects, uses, stores, shares, and protects your personal information when you visit our website, use our services, or interact with us in any way.
By using our website or engaging with SIBK, you acknowledge that you have read and understood this Privacy Notice. SIBK is committed to protecting your privacy and processing your personal data in accordance with the Data Protection Act, No. 24 of 2019 of Kenya and all subsidiary legislation and guidelines issued by the Office of the Data Protection Commissioner (ODPC).
Personal Data We Collect
Depending on how you interact with SIBK, we may collect the following categories of personal data.
- Identity data: Full name, date of birth, nationality, gender, national ID or passport number
- Contact data: Email address, telephone number, postal and residential address
- Financial data: Bank account details, income information, investment objectives, tax identification numbers, source of funds
- KYC and onboarding data: Copies of identity documents, proof of address, beneficial ownership declarations, politically exposed person (PEP) status
- Investment mandate data: Risk profile, investment preferences, portfolio instructions, and communication preferences
- Correspondence data: Emails, letters, enquiry forms, and records of telephone communications with SIBK
- Usage data: Pages visited, time spent on the website, links clicked, and browsing patterns
- Device and technical data: IP address, browser type and version, operating system, device identifiers, and screen resolution
- Cookie data: Data collected through cookies and similar tracking technologies — see Section 8 (Cookies) below
- Regulatory and compliance data: Sanctions screening results, credit reference checks, and AML/KYC verification data from licensed third-party providers
- Publicly available data: Information from public registers, company registries, regulatory filings, and published sources used for due diligence
- Referral data: Contact details provided by introducers or referring parties
SIBK does not ordinarily seek to collect sensitive personal data (as defined under the Data Protection Act, including racial or ethnic origin, health data, religious beliefs, or biometric data). Where such data is collected incidentally — for example, where it is contained in identity documents — it will be handled with additional care and processed only to the extent strictly necessary for compliance and regulatory purposes.
How & Why We Use Your Data
We process your personal data only where we have a lawful basis to do so under the Data Protection Act, 2019. The table below sets out the key purposes and their corresponding lawful basis.
Disclosure of Your Personal Data
SIBK does not sell your personal data. We may share it with the following categories of recipients, strictly on a need-to-know basis and subject to appropriate confidentiality and data protection obligations.
- Capital Markets Authority of Kenya (CMA)
- Financial Reporting Centre (FRC) for AML/CFT/CPF reporting obligations
- Retirement Benefits Authority (RBA), where applicable
- Office of the Data Protection Commissioner (ODPC)
- Kenya Revenue Authority (KRA), for tax reporting obligations
- Courts, tribunals, and law enforcement agencies, where required by law or court order
We engage carefully selected third-party service providers who process personal data on our behalf under written data processing agreements. These include:
- IT systems and cloud infrastructure providers
- KYC and AML screening technology providers
- Custodians and settlement agents
- Auditors, legal advisers, and professional consultants
- Communication and document management platforms
In the event of a merger, acquisition, restructuring, or sale of SIBK's business or assets, your personal data may be transferred to the relevant successor entity, subject to equivalent data protection protections being maintained.
We may share your data with other third parties where you have provided your express consent to such sharing.
International Data Transfers
Where it is necessary to transfer your personal data outside Kenya, SIBK will only do so in accordance with the requirements of the Data Protection Act, 2019. This means we will ensure that adequate protections are in place, including:
- Transferring to a country deemed to have adequate data protection laws by the ODPC
- Using standard contractual clauses approved by the ODPC
- Obtaining your express consent where required
SIBK will not transfer your personal data internationally in a manner that undermines your data protection rights.
How Long We Keep Your Data
We retain your personal data only for as long as necessary for the purposes for which it was collected and in compliance with applicable legal and regulatory retention requirements.
On expiry of the applicable retention period, personal data will be securely deleted or anonymised in accordance with SIBK's data policy.
Your Data Subject Rights
Under the Data Protection Act, No. 24 of 2019 of Kenya, you have the following rights in respect of your personal data. We will respond to your request within 21 days, or such other period as permitted by law.
Please note that some of your rights are not absolute and may be subject to exceptions — for example, where processing is necessary for compliance with a legal obligation, for the prevention of financial crime, or for the establishment or defence of legal claims. We will notify you if any such exception applies to your request.
To exercise any of your rights, please contact our Data Protection Officer at info@salaaminvestments.com.
How We Protect Your Personal Data
SIBK implements appropriate technical and organisational security measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction.
Encryption of personal data in transit and at rest using industry-standard protocols, ensuring data remains protected across all transmission channels.
Access controls and multi-factor authentication on all systems holding personal data, with role-based restrictions ensuring staff access only the data necessary for their role.
Data breach response procedures including mandatory notification to the ODPC upon discovery of a qualifying breach, in accordance with the Data Protection Act, 2019.
Where we engage third-party data processors, we require them to maintain equivalent security standards through contractual data processing agreements.
Children's Privacy
Our website and services are not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe that a child has provided us with personal data without appropriate consent, please contact us at info@salaaminvestments.com and we will take prompt steps to delete such data.
Marketing Communications
Where you have consented, or where we have a legitimate interest to do so, we may contact you with information about SIBK's products, services, market insights, and events. You may opt out of receiving marketing communications at any time by clicking the "unsubscribe" link in any marketing email.
Opting out of marketing communications will not affect communications that are necessary for the administration of your account or the delivery of our services.
Changes to This Privacy Notice
SIBK reserves the right to update this Privacy Notice from time to time to reflect changes in our data processing practices, applicable law, or regulatory requirements. The revised Privacy Notice will be posted on the website with an updated effective date.
We encourage you to review this Notice periodically. Where changes are material, we will endeavour to provide reasonable notice to affected individuals.
Contact Us, Complaints & Enquiries
If you have any questions about this Privacy Notice, wish to exercise your data subject rights, or have a complaint about how we have handled your personal data, please contact our Data Protection Officer in the first instance.
If you are not satisfied with our response, you have the right to lodge a complaint directly with the ODPC:
Website: www.odpc.go.ke | Email: info@odpc.go.ke | Address: Nairobi, Kenya
Salaam Investment Bank Kenya Limited is licensed and regulated by the Capital Markets Authority of Kenya (CMA Licence No. 115) and is registered with the Office of the Data Protection Commissioner as a data controller.