Pwani Logo
Contact us ↗
About Us
Brands
View all Brands

Loading menu...

RecipesSustainability
View all Media

Loading menu...

CareersContact us
Pwani

Quick Links

  • About Us
  • Brands
  • Recipes
  • Blogs
  • Careers
  • Food Safety Policy
  • Energy Management Policy
  • Privacy Policy

Brands

Products

    Toll Free Line

    0800 721290

    Contact

    • info@pwani.net
    • +254 709 294 100
    Mombasa, Kenya
    © Copyright 2026 | Pwani Oil Products Ltd | All rights reserved
    FacebookInstagramXWhatsApp

    Privacy Policy

    Pwani Oil Products Limited – Data Privacy Statement (2025 Edition)

    Effective Date: 1st January 2025

    Contact Person: Alisager Bharmal – Data Protection Officer

    Email:  Contact Email

    1. Introduction

    At Pwani Oil Products Limited (“POPL”), we are committed to protecting your personal data and ensuring transparency in how we collect, process, use, and store it. This privacy statement outlines how we handle personal data in accordance with the Data Protection Act, 2019 (Kenya), and its associated regulations. This statement applies to all persons whose personal data we process, including customers, suppliers, visitors, prospective employees, agents, dealers, and employees. It should be read in conjunction with any applicable contracts or platform-specific terms and conditions.

    2. Definitions

    “Personal Data” means any information relating to an identified or identifiable natural person, as defined under Section 2 of the Data Protection Act.

    “Sensitive Personal Data” includes biometric data, health data, and financial records.

    “Processing” includes collection, recording, storage, use, disclosure, and erasure.

    “Data Subject” refers to you — the individual to whom the data relates.

    “Data Controller” means POPL.

    “Data Processor” means any third-party processing data on our behalf.

    3. What Personal Data We Collect

    The data we collect depends on your interaction with us. It may include:

    A. Customers:

    Name, contact details, KYC documents, transaction records.

    Consent for marketing and credit bureau reporting (with withdrawal options).

    B. Suppliers & Agents:

    Company information, director KYC documents, bank details.

    C. Visitors:

    Name, ID number, phone number, organisation, host name, time in/out.

    CCTV footage may be recorded for security (visible but unlabeled cameras in use).

    D. Employees:

    Name, ID number, contact and next of kin details, biometrics (for attendance only), marital status, medical cover information, banking, tax identifiers, and GPS location (for sales vehicle tracking).

    E. Job Applicants:

    Personal and professional information submitted during application.

    F. How We Collect Personal Data:

    • Directly from you during onboarding, registration, visits, and transactions.
    • Indirectly through our website, sales channels, mobile agents, or third-party platforms (e.g., Oracle, Microsoft Office 365).
    • From hardcopy forms (secured under lock and key then digitized using AI tools for processing and storage).

    G. Lawful Basis for Processing:

    • Consent (Sections 32 & 33, DPA): e.g., for marketing, credit bureau sharing, recruitment.
    • Contractual necessity: e.g., employee payroll, supplier payment processing.
    • Legal obligation: e.g., statutory reporting to NSSF, NHIF, NITA.
    • Legitimate interest: e.g., visitor logging, employee location tracking (security).
    • Vital interests: e.g., medical emergencies.

    We document these bases in our internal Lawful Basis Matrix.

    H. Lawful Basis for Processing:

    • Consent (Sections 32 & 33, DPA): e.g., for marketing, credit bureau sharing, recruitment.
    • Contractual necessity: e.g., employee payroll, supplier payment processing.
    • Legal obligation: e.g., statutory reporting to NSSF, NHIF, NITA.
    • Legitimate interest: e.g., visitor logging, employee location tracking (security).
    • Vital interests: e.g., medical emergencies.

    We document these bases in our internal Lawful Basis Matrix.

    I. Data Retention:

    We retain personal data only as long as necessary for the purpose collected, in accordance with our Data Retention Policy, Records Management Policy and HR Records SOP.

    Where retention is no longer required, the data is securely disposed of or anonymized. Some anonymized data may be held indefinitely.

    J. Data Sharing and Disclosure:

    We do not sell your data. We may share it:

    • With regulatory, statutory, or enforcement bodies (on lawful demand).
    • With contracted third-party service providers under Data Processing Agreements.
    • With cloud providers (e.g., Microsoft), under Standard Contractual Clauses for international transfers.
    • With survey agencies for service improvement (on consent).
    • With licensed debt collectors or CRBs where contractually provided.

    We do not sell your data. We may share it:

    4. International Transfers

    Where personal data is transferred outside Kenya, we ensure appropriate safeguards are in place, including:

    • Secure data hosting jurisdictions
    • Contractual clauses aligned with Kenyan law
    • Oversight of third-party obligations

    A. Data Subject Rights

    You have the right to:

    • Be informed of how we process your data
    • Access your personal data
    • Request correction or deletion of your data
    • Withdraw consent
    • Object to or restrict processing

    To exercise these rights, contact theData Protection Officer. We may request proof of identity to protect your data. We aim to respond within a reasonable time.

    B. Cookies and Web Tracking:

    Our website uses cookies to enhance your experience. These store non-personal data like IP address, session timestamps, and pages visited. You can disable cookies in your browser. However, this may affect site functionality.

    You can disable cookies in your browser. However, this may affect site functionality.

    C. Use of Hyperlinks:

    Our website may contain links to third-party websites. We are not responsible for the content, privacy, or cookie policies of external sites.

    D. Security Measures

    We implement robust technical and organisational measures, including:

    • Access controls (role-based)
    • VPN access and encryption
    • Antivirus protection
    • CCTV monitoring
    • Audit trails for consent, access, and breach events
    • Staff NDAs, Departmental Data Champions, and mandatory bi-annual training

    E. Data Breach Notification:

    POPL maintains an incident response plan and breach register. If a data breach occurs that may impact you, we will notify you and the ODPC within the statutory timelines.

    F. Non-Compliance:

    Failure to comply with this policy by internal or external parties may result in:

    • Disciplinary action
    • Termination of contract
    • Rejection of access or data requests

    4. Statement Updates

    We may update this Statement from time to time. The current version will always be available at https://www.pwani.net. Material changes will be communicated through appropriate channels.

    Download Policy