Privacy Policy

"We/Us/Our" refers to GTBank Company Limited and its subsidiaries as may from time to time be specified by the Insurance to you.

"Personal Data" means any information relating to an identified or identifiable natural person;

"Sensitive Data" means data revealing the natural person's race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation of the data subject

"Data Subject/You" refers to any living individual whose Personal Data is processed, including but not limited to our customers, prospective customers, former customers, agents, dealers, merchants, job applicants, employees, former employees, visitors to our premises and our website, suppliers, or service providers with whom we have contracts

"Cookies" are small text files placed on your computer or device by our website when you visit certain sections or use specific features of the site

"Data Controller" means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data

"Data Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller

"Data Protection Laws" refers to the Data Protection Act 2019 (DPA), Data Protection Regulations, and any other relevant data protection legislation that GTBank adheres to

"Processing" means any operation or sets of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as;

• collection, recording, organization, structuring;
• storage, adaptation or alteration;
• retrieval, consultation or use;
• disclosure by transmission, dissemination, or otherwise making available; or
• alignment or combination, restriction, erasure or destruction.

We may collect, use, store and transfer different kinds of personal data about you or persons connected to you which we have grouped together as follows:

• Contact information such as phone number, email address, postal address, residential address, and telephone number and social networking profile details
• Identification information such as name, date and place of birth, national identity card number, passport number, Kenya Revenue Authority personal identification number (PIN), photo, marital status, title, nationality, gender, and specimen signature
• Education and employment information such as name of the employer, position in the organization and office address
• Government and other official identification numbers such as National Identification Number, Passport Details, Driving License, Birth Certificate, KRA PIN, NSSF & NHIF details
• Financial information such as Payment card number (credit or debit card), bank account number, or other financial account number and account details, credit history, credit reference information and credit score, assets, income, and other financial information, account log-in information
• Technical data such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use while browsing
• Photographs and video recordings: such as closed-Circuit Television (CCTV) surveillance recordings placed in strategic areas in our premises and Images (including photographs and pictures) or video recordings created in connection with our insurance or other business activities, including for claims assessment, administration and settlement, claim disputes, or for other relevant purposes as permitted by law
• Children data such as include name, date of birth, birth certificate number, relationship with the applicant and any other information relevant for the provision of our products and services. We will only process such data where parental or legal guardian consent has been given. We will also ensure that the processing of such data will be done in a manner that protects and advances the rights and best interests of the child
• Event data: Information you provide to us for the purposes of attending meetings and events or our booths at events
• Claim Processing data: Information relevant to your insurance policy or relevant to your claim or your involvement in the matter giving rise to a claim
• Information to detect, investigate or prevent crime, including fraud and money laundering: such as information about previous dealings with policyholders and claimants
• Marketing and communications data includes your preferences in receiving marketing from us and our third parties and your communication preferences
• Communication data: Recordings of telephone calls with our representatives
• Information from other sources: We may supplement the Personal Information we collect with information obtained from other sources (for example, publicly available information from online social media services and other information resources, third-party commercial information sources, and information from our business partners). We will use any such supplemental information in accordance with applicable law (including obtaining your consent where required).

We collect your personal data in various ways, depending on how you engage with us. This can happen through:

Direct Interactions:

• When you apply for our products or services
• When you register for our products via mobile or online platforms
• When you supply goods or services to us as a supplier or contractor
• When you use our website, through cookies and similar technologies
• When you are captured by CCTV when you visit our premises
• When you use our Wi-Fi
• When you apply for a job with us
• When you attend an event hosted or sponsored by us
• When you ask GTBank for more information about a product or service or contact GTBank with a query or a complaint
• When you visit our premises and provide details like identification, device information, or vehicle information.
• Where you’ve been identified as a next of kin or beneficiary by our customer or employee

From Third Parties or Publicly Available Sources:

• From the Government of Kenya’s e-Citizen platform and the Integrated Population Registration Services
• From public records like the Companies Registry or Business Registration Service
• Correspondent banks as part of the provision of Services to you,
• From medical professionals and hospitals
• From your authorized representative
• From anyone you’ve authorized to act on your behalf
• From land registries, credit reference agencies, fraud prevention agencies, and service providers involved in payments, technical services, or deliveries
• From our vendors such as auctioneers, external advocates and valuation experts
• From former employers

How we use your personal data

We collect and use your personal data for various purposes, including:

• Contractual Obligations: To initiate, execute, and manage the contractual relationship we have with you, including fulfilling transactions and responding to your instructions
• Customer Onboarding & Identity Verification: To establish and confirm your identity, verify your age and consent (where applicable), assess your eligibility for our products and services, and comply with Know Your Customer (KYC) requirements using publicly available or government-held databases
• Product and Service Administration: To design, price, deliver, maintain, and enhance our financial products and services, as well as manage our relationship with you
• Monitoring and Analytics: To monitor your usage of our products and services, support system operations, resolve technical issues, and improve service delivery through data analysis and performance reviews
• Fraud Prevention and Risk Management: To detect, prevent, and investigate fraud, money laundering, and other financial crimes. This includes verifying identities, addresses, screening for politically exposed persons (PEPs), and checking against sanctions and anti-terrorism watchlists
• Regulatory and Legal Compliance: To comply with applicable legal and regulatory requirements, including audits, tax obligations, risk assessments, financial recordkeeping, and responding to lawful requests from authorities, courts, regulators, or financial intermediaries
• Communication and Marketing: To communicate with you regarding the status of services or products you've subscribed to, and, where permitted, to inform you about new products, services, and promotional offerings
• Call Recording and Quality Assurance: To record and monitor telephone conversations (as allowed by law) for training, security, quality assurance, and fraud prevention. These recordings remain the sole property of GTBank
• Employment and Recruitment: If you are a job applicant, we use your data for background checks and assessments. If you are an employee, we maintain employment records and monitor performance and compliance throughout your engagement.
• Supplier and Third-Party Management: If you are a supplier or service provider, we process your data for due diligence, risk evaluation, administrative management, and payments
• Third-Party Data Verification: If we receive your information through third parties, we use it to validate the data you’ve provided and mitigate risks of fraud or identity theft
• Legal Claims: To protect your interests or those of others (e.g., beneficiaries of financial products), and to defend or enforce our legal rights.

We also may disclose your personal information where required by law, to enforce other agreements, or to protect the rights, property, or safety of our business, our clients, customers, employees, or others.

We may share your personal data with the following parties, as needed with:

• Authorized Individuals: Any individual, agent, or representative you have authorized to act on your behalf, including legally appointed guardians, administrators, or signatories
• Bank Group Entities: Our subsidiaries, affiliates, branches, representative offices, and their staff, to ensure seamless service delivery and internal reporting, monitoring, and compliance
• Financial and Investment Service Providers: Trustees, custodians, fund managers, brokers, issuers of securities, depositories, clearing houses, payment processors, card networks, and other counterparties involved in providing financial services
• Government and Regulatory Bodies: Institutions such as the Central Bank of Kenya (CBK), Kenya Revenue Authority (KRA), Financial Reporting Centre (FRC), National Social Security Fund (NSSF), National Hospital Insurance Fund (NHIF), Business Registration Service (BRS), Integrated Population Registration Services (IPRS), National Transport and Safety Authority (NTSA), Anti-Counterfeit Authority, and other regulators or oversight agencies, as necessary to meet legal, regulatory, and statutory obligations
• Law Enforcement and Judicial Bodies: Any local or international law enforcement authority, court, tribunal, tax authority, or regulatory agency (whether governmental or quasi-governmental) for the purposes of crime prevention, investigation, prosecution, or enforcement of laws and regulations
• Credit Reference and Fraud Prevention Agencies: Credit reference bureaus (e.g., CRB Kenya) and anti-money laundering (AML) or fraud prevention agencies, for credit scoring, risk assessments, customer verification, and regulatory compliance
• Professional and Legal Advisors: Our appointed legal counsel, auditors, insurers, actuaries, valuers, surveyors, tax consultants, research and market agencies, and other advisors or consultants engaged under confidentiality and contractual obligations
• Service Providers and Vendors: Subcontractors, system integrators, IT service providers (including software developers, cloud hosting providers, cybersecurity firms), courier services, outsourced call centres, and document archiving services, to the extent necessary for service delivery or operational support
• Payment Ecosystem Participants: Local and international correspondent banks, SWIFT, card schemes (e.g., Visa, Mastercard), payment gateways, mobile money providers (e.g., M-Pesa), and settlement agents involved in facilitating and processing your transactions
• Third-Party Fintech and API Integrations: Technology providers, APIs, and platforms you engage with (or that we integrate with) for services like mobile banking, open banking, digital wallets, loan scoring, or financial planning tools—subject to your consent or instruction
• Insurance Providers and Claims Handlers: Insurers, reinsurers, or third-party administrators involved in policy issuance, claims processing, or beneficiary management
• Third Parties in Emergency Situations: When necessary to protect your vital interests or those of another person, such as in life-threatening situations, natural disasters, or public health emergencies.

We take appropriate technical and organizational measures to prevent loss, unauthorized access, misuse, modification or disclosure of information under our control. This may include the use of encryption, access controls and other forms of security to ensure that your data is protected. We require all parties including our staff and third-parties processing data on our behalf to comply with relevant policies and guidelines to ensure confidentiality and that information is protected in use, when stored and during transmission. Our security controls and processes are also regularly updated to meet and exceed industry standards.

Where we have provided you (or where you have chosen) a password which grants you access to specific areas on our site, you are responsible for keeping this password confidential. We request that you do not to share your password or other authentication details (e.g. token generated codes) with anyone.

The Bank may transfer personal data outside Kenya. However, prior to such transfer the Bank will ensure that valid grounds exist (as provided under section 48 of the Data Protect Act) prior to such transfer and that proper safeguards have been put in place to address the security and protection of such data.

GTBank will handle your personal information in accordance with applicable Data Protection Laws and its internal policies, including:

• To comply with any mandatory legal obligations to which GTBank is subject
• With your consent
• When processing is necessary to serve GTBank’s legitimate business interests, or those of a third party, within legal boundaries
• To fulfill a product or service contract that you are a party to
• For the establishment, exercise, or defense of a legal claim
• To protect your vital interests or those of another individual.

We retain your data for as long as is necessary for the purpose(s) that it was collected. Storage of your data is also determined by legal, regulatory, administrative or operational requirements. We only retain information that allows us to comply with legal and regulatory requests for certain data, meet business and audit requirements, respond to complaints and queries, or address disputes or claims that may arise.

Data which is not retained is securely destroyed when it is identified that is no longer needed for the purposes for which it was collected.

You have the right to:

• Be informed what personal data has been collected about you
• Access your personal data, including information on how it is processed (the reasons for processing, categories of data involved, recipients of your data, and the retention period) by sending a request to dpo@gtbank.com
• Request the deletion of your personal data. While we may not always be able to fulfil such requests, we will notify you within 7 days of receiving your request, detailing the reasons as specified in Regulation 12(4)(b) and Regulation 12(4)(e) of the Data Protection (General) Regulations, 2021. Please note that if your request to delete your data is granted, you will no longer have access to our products or services associated with that data
• Receive a copy of your personal data that you have provided to GTBank in a structured, commonly used, and readable format. This will be done free of charge upon request by contacting the Data Protection Office at dpo@gtbank.com
• Object to and/or restrict the processing of your personal data for legitimate reasons. However, please be aware that this may disrupt our ability to provide services to you
• Request the transfer of your personal data to another Data Controller
• File a complaint with us at (insert email address)
• Modify your personal data or withdraw your consent for its processing or retention at any time. You also have the right to designate a third party to whom your data may be shared after your passing, and you agree to inform that third party of their appointment
• Request corrections to your personal data. Please direct all such requests to dpo@gtbank.com. We commit to responding to any request for correction or update within 14 days of receipt, provided that the correction is necessary.

Keeping your account information accurate and up to date is very important. You have access to your account information, which includes your contact information, account balances, transactions and similar information through various means, such as account statements, mobile Banking and Internet Banking.

If you discover any inaccuracies in your personal information, please promptly notify us, via our e-channels, branch network or Contact Centre, and provide the required documentary evidence, to enable us to implement the necessary updates or changes.

GTBank uses cookies to improve your experience while on this site. We would like to let you know a few things about our cookies. Some cookies are essential to access certain areas of this site.

We use analytics cookies to help us understand how you use our site to discover what content is most useful to you

Kindly refer to our cookie policy for more information on cookies.

We may update this Privacy Policy from time to time. You can access the most current version of the privacy statement www.gtbank.co.ke/about/privacynotice and any amendment or modification to this statement will take effect from the date of notification on the GTBank Website

We have appointed a data protection officer who is responsible for overseeing questions in relation to this Privacy Policy.

If you have any concerns about the use of your personal data, questions about this Privacy Policy including any requests to exercise your legal rights under the law, please contact us using the details set out below:

Email address: dpo@gtbank.com

Postal address: P.O BOX 20613-00200

Physical address: SkyPark Plaza, Woodvale Close, Westlands