Peleza Privacy Notice – Peleza International Limited

This Privacy Notice explains how Peleza International Limited (“Peleza”, “we”, “our”, or “us”) collects, processes and protects personal data in compliance with Kenya’s Data Protection Act, 2019 (No. 24 of 2019) (the “Act”) and the Data Protection (General) Regulations, 2021.

1. Introduction

Peleza is an East African background-screening company based in Nairobi, Kenya. We verify individuals’ identity and credentials at the request of our client organizations. This Notice describes our data protection practices and applies to any personal data processed by Peleza in Kenya or relating to data subjects located in Kenya and all other countries of operation. Our goal is to comply with the Act and Regulations, respecting the privacy rights of individuals (data subjects) whose personal data we handle.

2. Definitions

In this Policy, unless the context otherwise requires, the following terms shall have the following meanings:

  • Data Controller: means the entity which determines the purposes and means of the processing of personal data.
  • Data processor: The person or entity that processes personal data on behalf of a data controller. When Peleza processes data on behalf of a client organization, Peleza acts as a data processor.
  • Data subject: An identified or identifiable natural person who is the subject of personal data. This can include our clients’ potential or existing employees, candidates, customers or other individuals whose information is verified through Peleza.
  • DPA: means the Data Protection Act, 2019; “Regulations” means the Data Protection (General) Regulations, 2021, and any other subsidiary legislation or regulations issued under the DPA.
  • Personal data: means any information relating to an identified or identifiable natural person (a data subject), including but not limited to name, identification number, contact data, location data, online identifiers, or other factors specific to that person’s identity.
  • Policy: means this Privacy Policy Notice of Peleza.
  • Processing: means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, merging, restriction, erasure or destruction.
  • Sensitive personal data: means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject. These are special categories of personal data revealing race, health, religion or other protected characteristics (e.g. biometric data, health or religious beliefs). Peleza does not normally process sensitive data except with explicit consent or where required by law.

3. Role and Scope of Application

Peleza acts in one or more of the following capacities, depending on the context:

  • As Controller: where Peleza determines the purposes and means of processing personal data (for example, for its own internal purposes, business development, marketing, or user account management).
  • As Processor: where Peleza processes personal data on behalf of a client (controller) under a written contract. Where we act as Processor, our processing shall at all times be governed by a Data Processing Agreement with the client, which implements at least the obligations imposed by the DPA (including instructions, confidentiality, security, subcontracting, audit, deletion or return of data). Where we act as Controller, the full obligations of controller under the DPA (e.g. transparency, lawfulness, accountability) apply.

This Policy applies to all processing by Peleza in either role. Where a specific clause is applicable only when Peleza acts as controller or as processor, that limitation is expressly stated.

Types of Personal Data Collected

We collect the personal data necessary to carry out verification services. This may include: identity data (e.g. full name, date of birth, government ID numbers, passport details), contact data (e.g. address, phone number, email), and employment/education data (e.g. résumé details, educational certificates, previous employment history). We may also collect limited financial or credit information and criminal-record information where required by the service requested. Any sensitive personal data (as defined above) is processed only with explicit consent and strict safeguards.

4. Purpose and Lawful Basis of Processing

  1. Purpose: We process personal data to provide background-check and KYC/KYB verification services as requested by our clients. For example, we verify an individual’s identity, education, employment history or professional qualifications, in accordance with the client’s instructions. We process data only for the purposes for which it was collected and as specified to the data subject.
  2. Lawful Basis: Our processing complies with the Data Protection Act lawful-basis requirements. Specifically, processing is based on one or more of the following lawful grounds:
    1. Consent: Where the individual has given explicit consent for processing their data for verification by signing a consent form. Consent is freely given, specific and informed. Where processing is based on consent, you may withdraw consent at any time, without affecting the lawfulness of prior processing. To withdraw consent, you may send a request via privacy@peleza.com.
    2. Contractual necessity: Processing is necessary to perform a contract to which the data subject is a party (e.g. conditions of employment) or to take steps requested by the individual before entering into a contract. For example, an employer may require background checks as a condition of hiring.
    3. Legal obligation: Processing is necessary to comply with a legal requirement to which Peleza or our client is subject (e.g. statutory KYC or anti-fraud obligations).
    4. Legitimate interest: Processing is necessary for Peleza’s or a client’s legitimate interests (such as preventing fraud or protecting workplace safety), provided these interests are not overridden by the individual’s interests or fundamental rights.

All processing by Peleza is carried out in a lawful, fair and transparent manner, for purposes that are specific and explicitly defined. We ensure that personal data is adequate, relevant and limited to what is necessary in relation to the processing purpose, in accordance with the Act’s data protection principles.

5. Data Minimization, Accuracy & Purpose Limitation

Peleza will only collect, store, and process personal data that is adequate, relevant and strictly necessary for the stated purposes. We will avoid collecting extraneous data. We maintain procedures to periodically review stored data and delete or anonymize data that is no longer necessary. We take reasonable steps to ensure that data is accurate, complete, and up to date, and you may request correction of inaccuracies. We will not process personal data for purposes incompatible with the original purpose(s), unless a new lawful basis is established and you are notified.

6. Sharing of Personal Data

Peleza will not share personal data with third parties except as necessary to carry out verification services. Typical recipients may include prospective or current employers (our clients), educational or professional institutions for verification, background-check partners, law enforcement agencies (when required by law), or any third party expressly requested by the data subject. Any sharing is done in accordance with the data privacy regulations. We determine the purpose and means of any data sharing and only share data for legitimate verification purposes.

Where routine sharing of data with other organizations is required (for example, pooling data among consortium members), we enter into written agreements before any such transfer. These agreements specify the purpose of sharing, retention periods and technical and organizational safeguards to prevent unauthorized access. Data is not shared beyond what is necessary for the stated purpose. In all cases, we ensure that recipients agree to keep the data confidential and secure.

7. International Data Transfers

If a verification requires transferring personal data outside Kenya (for example, checking information in another country), Peleza will do so only under strict conditions set by the Act. We ensure that any cross-border transfer meets at least one of the legal criteria specified in the Data Protection Act: either adequate safeguards (such as contractual clauses) are in place, or the transfer is strictly necessary (e.g. for performance of a contract or for vital legitimate interests). In the absence of an adequacy decision or necessity, we will obtain the individual’s explicit informed consent before transferring their data internationally. We document the transfer, retain evidence of the safeguards, and limit transfers to the specific countries needed to fulfill contractual obligations or verification requests.

8. Data Retention

We retain personal data only for as long as legally reasonably necessary to fulfill the purpose for which it was collected. When the retention period expires or the data is no longer needed, we erase, anonymize or delete the data securely. Retention may be extended only if required by law (e.g. statutory record-keeping) or if the data is needed for a legitimate purpose (such as evidence in a legal claim). In all cases, we regularly audit our records to identify and purge any unnecessary personal data.

9. Data Subject Rights

Under the Act, data subjects have the following rights with respect to their personal data:

  • to be informed about how their data is used
  • to access their data in our custody
  • to object to processing of all or part of their data
  • to request correction or deletion of inaccurate or unlawfully held data. Specifically, individuals may request that Peleza rectify incorrect, outdated or incomplete information or erase data that is no longer necessary.
  • Where technical portability is feasible, subjects also have the right to receive a copy of their data in a structured, machine-readable format and transmit it to another controller.
  • Additionally, data subjects may withdraw consent at any time (without affecting processing that occurred before withdrawal). Upon receiving your withdrawal, Peleza shall cease further processing based on that consent, unless another lawful basis applies (e.g. legal obligation). We will also delete, anonymize, or block the relevant personal data, unless retention is required by law or justified business need, in which case we will limit processing to the minimum necessary.

To exercise these rights, a data subject may contact Peleza at the address or email below. We will respond without undue delay and, in any event, within the legal timeframes (typically 30 days) and without charge. If we share data with any third parties, we will inform those third parties of any valid rectification or erasure requests so they can also take appropriate action.

10. Data Security Measures

Peleza has implemented appropriate technical and organizational security measures to protect personal data against unauthorized access, loss, alteration or disclosure. These measures include secure storage systems, firewalls and encryption of sensitive data, strict access controls and authentication, regular security testing, and staff training on data privacy. We adopt a “data protection by design and by default” approach: only data necessary for a specific purpose is processed, and personal identifiers are pseudonymized or encrypted wherever possible. In the event of a data breach, Peleza will promptly take remedial action and, where required by law, notify affected individuals and the Data Protection Commissioner without undue delay.

11. Complaints

If you believe that Peleza has failed to comply with this Policy or the DPA, please contact us at info@peleza.com with details of your complaint.

12. Contact Information

For questions about this Notice or Peleza’s privacy practices, or to exercise your data protection rights, please contact:

Peleza International Limited

Data Protection Officer (or Privacy Team)

24 St. Michael’s Road, off Church Road, Waiyaki Way, Westlands, Nairobi, Kenya

Email: info@peleza.com

Phone: +254 796 111 020

Please include “Data Protection” or “Privacy” in the subject line of any communications.

13. Notification of Changes

Peleza may update this Policy from time to time (for example, to reflect changes in law, service, or best practices). We will publish the revised version on our website, indicating the effective date and maintaining a version history. If changes are material (i.e. adversely affecting your rights or adding new processing purposes), we will notify affected data subjects (e.g. via email or in-system notice) and, where required, request renewed consent. Each version is binding only from its effective date onward and prior processing is subject to the terms in force at the time.

Last updated: October 2025.