Privacy Policy


Citywalk limited are a duly registered Company in Kenya. The Company uses the data subject personal data to provide and improve the services. By using these Services, the data subject agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Data Privacy Policy, terms used in this Data Privacy Policy.


The Company is committed to protecting the data subject personal data and respecting the data subject privacy.
This privacy policy explains in detail the types of personal data the Company may collect about the data subject when the data subject interacts with us through any of our contact points with a view of requesting joining our membership, requesting for credit, savings depositing, general inquiries and membership exit.

The interaction points the data subject may have with us could be over the phone, in person, over email or indeed via our enquiry forms on our website or social media platforms. It also explains how we store and handle that data, keep it safe and tell the data subject about the privacy rights and how the law protects the data subject.

It is likely that the Company shall need to update this privacy policy from time to time. The Company shall notify the data subject of any significant changes.


The Company is data processors and controllers and is registered and regulated as such by the office of the Data protection commissioners in Kenya.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (i.e., anonymous data).
The people whose personal data the Company collects and control include:
i. Our customers and potential customers,
ii. Employees
iii. Other service providers whom the Company have a business relationship with.
iv. Next of kin details.

The Company collects personal data such as:
Name, date of birth, Identification number, tax pin, financial information such as bank account details and statements, religious belief, age, geographical information, and credit card information
The Company may also collect sensitive personal data such as sex, marital status, family details, belief, ethnic origin, biometric data etc.
We collect such data when:


a) Contractual Obligation:
In order to perform the contractual obligation entered into with our data subjects, the Company collect such personal data. For example, we provide our services based on the agreement the Company have with the data subject such processing of credit facilities for our members.
b) Consent.
The Company in specific situations collects and process the data subject data with the data subject consent. In doing so, the Company shall ensure that consent is requested from the data subject in an explicit manner.
The Company shall always make clear to the data subject, which data is necessary in connection with a particular service. All data provided by the data subject shall be used for legitimate purposes only and the organization undertakes to use such information only in connection with services offered
The Company shall also seek explicit consent when handling data pertaining to minors-children below 18 years of age from the parent, guardian or person holding responsibility of the said minor.
c) Legal Compliance.
In the conduct of our business, the Company is required to comply with the specified industry regulators which would then oblige us to collect, process and share the data subject’s information with the relevant regulators or law enforcement agencies such as Company societies regulatory authority (Sassra), credit reference bureau, Kenya revenue authority, national social security fund and any other formal requests from authorized agencies to fulfill a legal obligation.

d) Legitimate Interest
In specific situations, the Company may require the data subject’s personal data to pursue legitimate interests in a way which might reasonably and legally be expected as part of running the services and which does not materially impact the data subject rights, freedom or interests.

e) Commercial and direct marketing
The company may use personal data collected from customers to advance commercial interest through direct marketing. The data subject may opt out of receiving direct marketing communication. The company’s opt out mechanisms include:

 Replying to the direct marketing message by a single word STOP
 Unsubscribe from our direct marketing emails through the link provided.
 Inform the company about the opt out through direct calls to the company

The Company use different methods to collect data from and about the data subject, including through:
a) Physical access to any of our retail branches and head office.
b) A purchase is made on any of our products and services or accesses our websites and includes any person who accesses any of the products and services subscribed to.
c) Any supplier who has been contracted by City walk Limited and a Supplier contract
d) Closed Circuit Television (CCTV) surveillance recordings. CCTV Devices are installed at strategic locations to provide a safe and secure environment in all premises as a part of our commitment to community safety, security and crime prevention.
e) Through Automated interactions such as the Company’s website.
f) Third parties such as publicly available resources.


The Company shall only retain the data subject personal data for as long as reasonably necessary to fulfil the purpose it was collected for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

The Company may retain personal data for a longer period in the event of a complaint or if it reasonably believes there is a prospect of litigation in respect to our relationship with the data subject.
To determine the appropriate retention period for personal data, the Company considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the data subject personal data, the purposes for which the Company process the data subject personal data and whether it can achieve those purposes through other means, the need to comply with our internal policy and the applicable legal, regulatory, tax, accounting or other requirements.
Anonymized information that can no longer be associated with the data subject may be held indefinitely.
The Company may disclose the data subject information to:
a) Law-enforcement agencies, regulatory authorities, courts or other statutory authorities in response to a demand issued with the appropriate lawful mandate and where the form and scope of the demand is compliant with the law.
b) Our suppliers, associates, partners, software developers or agents who are involved in delivering services and services.
c) Fraud prevention and Anti money laundering agencies, credit-reference agencies;
d) Publicly available and/or restricted government databases to verify the data subject identity information in order to comply with regulatory requirements;
e) Debt-collection agencies or other debt-recovery organizations;
f) Any other person that the company deem legitimately necessary to share the data with
The Company does not generally transfer data beyond the Kenya jurisdiction. However, sometimes, within the conduct of business, the company may need to transfer data to another country other than Kenya. In such a case, the Company shall process the data subject personal information on necessity and appropriate data safeguard measure basis in doing so, we will make sure that your information is properly protected in accordance with the applicable Data Protection Laws.
If necessary, the Company shall ask the party to whom it transfers such personal information to agree to our privacy principles, associated policies and practices and in accordance with the applicable Data protection Laws.


Subject to applicable legal and contractual exceptions, the Kenya data protection Act 2019accords data subjects the following rights:
a) The right to be informed that the Company is collecting personal data about the data subject.
b) The right to access such personal data that the Company hold and request details on how the same is processed.
c) The right to request that the Company correct such personal data where the same is inaccurate.
d) Right to request that the Company correct the data subject personal data where it is inaccurate or incomplete;
e) Right to request that the Company erase the data subject personal data noting that the Company may continue to retain the data subject information if obligated by the law or entitled to do so;
f) Right to object and withdraw the data subject consent to processing of the data subject personal data. the Company may continue to process if the it establishes a legitimate or legal reason to do so;
g) Right to request restricted processing of the data subject personal data noting that the company may be entitled or legally obligated to continue processing the data subject data and refuse the data subject request;
h) Right to request transfer of the data subject personal data.
The data subject shall not have to pay a fee to access the data subject personal data (or to exercise any of the other rights). However, the company may charge a reasonable fee if the data subject request is clearly unfounded, repetitive or excessive. Alternatively, the Company may refuse to comply with the data subject request in these circumstances and in cases where it would be technically challenging to do so.
Verification of Identity for requesting data subject
The Company may need to request specific information from the data subject to help us confirm the data subject identity and ensure the data subject right to access the data subject personal data (or to exercise any of the data subject other rights).
This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. The Company may also contact the data subject to ask the data subject for further information in relation to the data subject request to speed up our response.
If the data subjects have authorized a third party to submit a request on the data subject behalf, The Company shall ask them to prove they have the data subject permission to act.

The Company shall respond to all legitimate requests within 30 working days. Occasionally it may take longer than a month if the data subject request is particularly complex or the data subject have made a number of requests. In this case, the Company shall notify the data subject and keep the data subject updated on the same.

Citywalk shall only use the data subject personal data for the purposes for which collected it, unless the company reasonably consider that they need to use it for another reason and that reason is compatible with the original purpose.
If the data subject wishes to obtain an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If there is need, the Company needs to use the data subject personal data for an unrelated purpose. The Company shall notify the data subject and explain the legal basis which allows us to do so.
Please note that the Company may process the data subject personal data without the data subject knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

The company shall strive to provide our data subjects with choices regarding certain personal data uses, particularly around marketing and advertising of our new or improved services. In doing so, the data subject’s Identity, contact, technical usage and profile data shall be used to form a view on what the company think may be of interest to the data subject.
The data subject may ask us to stop sending the data subject marketing messages at any time by writing to us and checking or unchecking relevant boxes to adjust the data subject marketing preferences or by following the opt-out links on any marketing message sent to the data subject or by attending to us or contacting us at any time through the provided contacts.
Where a data subject opt out of receiving these marketing messages, the opt out shall not apply to personal data provided to us as a result of a product, service already taken up, product or service experience or other transactions.

The Company may store some information (using “cookies”) on the data subject computer when the data subject visits the website. This enables us to recognize the data subject during subsequent visits. The type of information gathered is non-personal (such as: the Internet Protocol (IP) address of the data subject computer, the date and time of the data subject visit, which pages the data subject browsed and whether the pages have been delivered successfully.
The Company may also use this data in aggregate form to develop customized services – tailored to the data subject individual interests and needs. Should the data subject choose to do so, it is possible (depending on the browser the data subject are using), to be prompted before accepting any cookies, or to prevent the data subject browser from accepting any cookies at all.

The Company has put in place technical and operational measures to ensure integrity and confidentiality of the data subject data via controls around: information classification, access control, physical and environmental security and monitoring and compliance.

In case of any questions or concerns that may have not been covered, please contact our Data Protection Officer who shall be pleased to help the data subject using the details provided below:
Data Protection Officer (Insert DPO email)
City Walk Kenya LTD
Tel: 0786400202

The Company shall have the right to terminate any agreement with a contracting party for failure to comply with the provisions of this statement and reject any application for information contrary to this statement.