CIC GROUP DATA PRIVACY STATEMENT

Version 3.0 Dated 3rd March 2026

Policy Statement

CIC Insurance Group PLC (this includes all its subsidiaries and regional companies in Uganda, Malawi and South Sudan) is committed to protecting the fundamental human right to privacy. CIC (we, our, us) respects the personal information and data we collect from you through the different mediums.

This Privacy Statement applies to personal data that CIC Insurance Group PLC, including all its subsidiary companies (“CIC”, “we”, “our”, “us”, “CIC Group”), collects and handles for the purposes of maintaining and providing CIC related information to the vis. For the purposes of this Privacy Policy, “Personal data” means any information relating to an identified or identifiable natural person.

Who we are

CIC Group of P.O Box 59485-00200 is the controller in respect of personal data it processes in connection with the services provided under the relevant engagement with its customers. In certain cases, and for the purposes of performing some services, CIC and its clients may have agreed that CIC is a processor. When CIC acts as a processor, it complies with all obligations set out in the agreement concluded with its clients.

What Personal Data Do We Collect About You?

As a Data Controller and a Data Processor, CIC Group collects personal data directly from the Data Subject or indirectly through intermediaries, service providers and other third parties. We may collect the following personal information.

Types of Information: Examples

  • Identification and Contact Information: name, address (and proof of address), other contact details (e.g., email and telephone details), gender, marital status, family details, date and place of birth, Profession/Occupation/Employer details, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant.
  • Government Generated Information: National ID and ID Number, KRA PIN, Huduma Number, Passport Details, SHA & NSSF Details, National Council of Disabled Persons Details
  • Employment and Educational Information: Employment History, Educational Background including institutions attended and Professional Memberships
  • Financial Information: Bank Account, Investments, payment card number, bank account number and account details, income and other financial information
  • Credit Reference Information: Credit data: credit history and credit score details received from various credit score databases, or regulators.
  • Insured’s Risk Information: Information about the insured risk, which contains Personal Data and sensitive personal data only to the extent relevant to the risk being insured and may include:
      o Health data: current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g., smoking or consumption of alcohol), prescription information, medical history.
      o Criminal records data: criminal convictions received from law enforcement agencies.
  • Previous Claims: information about previous claims, which may include health insurance claims, previous personal insurance including criminal records data and other categories of sensitive personal data.
  • Audio-Visual Information: Photographs, Videos, Audios, Telephone Recordings
  • Online Activity Information: CIC Group automatically logs information about you and your computer or device such as the IP address, pages viewed and action on our website through Cookies and Web Beacons
  • Information relating to specific product offerings: Property Information such as cars, houses, personal household items, personal assets, travel information, business and shareholding information, claims history

Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.

CIC Group may process personal data relating to children, such as dependents listed under insurance policies and investment accounts. When doing so, we require consent from a parent or legal guardian and apply additional safeguards to protect children’s information in accordance with the Data Protection Act and applicable regulations. We do not knowingly process children’s data without appropriate authorization.

In addition, we only collect personal data that is adequate, relevant, and limited to what is necessary for the specific purposes for which it is processed. We do not request or retain personal information that is not required for the legitimate business, legal, or regulatory purposes identified in this Privacy Statement.

Where We Collect Personal Information

We use Personal Information to carry out our business activities. The purposes for which we use your Personal Information will differ based on our relationship (i.e. Clients, Members, Employees, Business Partners, Prospective Members/Clients, etc.) including the type of communications between us and the services we provide.

We collect Personal Data from various sources, including (depending on the country you are in):

  • Individuals and their family members, online or by telephone, or in written correspondence
  • Individuals’ employers.
  • In the event of a claim, third parties including the other party to the claim (claimant/ defendant), witnesses, experts (including medical experts), loss adjustors, lawyers and claims investigators etc.
  • Other insurance market participants, such as Insurers, Reinsurers and other insurance sales Intermediaries.
  • Credit reference agencies (to the extent CIC is taking any credit risk).
  • Government agencies, such as motor vehicle registration authorities and tax authorities.

We obtain your personal data from sources such as:

  • Application forms, Claims Forms, Proposal Forms and other forms that you fill.
  • Software applications (apps) made available by us to you.
  • Our Website (www.cic.co.ke).
  • Meetings, Telephone conversations and other forms of communication.
  • Social Media applications and/or tools.

Use of Your Personal Data

CIC may use your personal data for the following purposes:

  • Know your Customer (KYC) and Customer Due Diligence (CDD)
  • Communicating with customers, business partners and employees.
  • Assessing and making determination on provision of financial products or services, employing persons as employees and such other business decisions.
  • Enhancing and improving product and service offering including maintaining information security.
  • Fulfilling regulatory requirements such as Filing Reports with various regulators such as Office of the Data Protection Commissioner (ODPC), Association of Kenya Insurers (AKI), Insurance Regulatory Authority (IRA), Financial Reporting Centre (FRC), Capital Markets Authority (CMA), Retirement Benefits Authority (RBA).
  • To respond to feedback, queries and complaints that you submit through our feedback form.
  • Facilitating business operations including information technology systems.
  • Underwriting, risk assessment, and actuarial analysis, including evaluating the nature of the risk, pricing insurance products, and determining policy terms.
  • Fraud detection and prevention, including identifying, investigating, and mitigating suspected fraudulent activities within investment, underwriting and claims processes.
  • Use of Artificial Intelligence (AI) tools to improve accuracy, speed, service quality, and operational decision-making, while ensuring fairness, transparency, and human review.
  • Establishing, exercising, or defending legal claims, including responding to regulatory inquiries, disputes, and litigation.
  • Providing marketing information through communication channels such as email, texts, and other platforms. (Where you have provided specific consent and opted in/subscribed to receiving CIC Insurance marketing, products and services information, we will send you communication we think will be of interest to you. You can unsubscribe/opt out from our marketing communication by clicking ‘Unsubscribe’ on the footer of a CIC Insurance marketing e-mail or any other marketing communication received.)
  • To personalize and improve our services, including to provide or recommend features, content, and advertisements. Where this is the case, we will take appropriate measures to protect your personal information in accordance with this Privacy Statement.

Automated Decision Making, Profiling and Use of Artificial Intelligence (AI)

CIC Group may use automated systems, algorithms, and Artificial Intelligence (AI) tools to support certain aspects of our operations. These technologies help us improve efficiency, strengthen risk assessment, enhance fraud detection, and deliver faster and more consistent services to our customers. All automated processing is conducted in full compliance with the Kenya Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021.

Purpose of Automated Processing and AI Use

We may use automated processing and AI technologies for the following purposes:

  • Assessing eligibility for insurance products, pricing, and risk scoring.
  • Detecting fraud and preventing financial crime.
  • Processing and verifying claims.
  • Conducting internal analytics and service improvement.
  • Personalizing our digital platforms and customer experience.
  • Enhancing customer support through AI-powered tools or chatbots.

We ensure that all automated processes are accompanied by appropriate human oversight.

Your Rights Regarding Automated Decisions

Right Not to Be Subject to Purely Automated Decisions – You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. You have the right to:

  • Request human intervention where a decision has been made solely through automated means.
  • Contest an automated decision that significantly affects you.
  • Request an explanation of how an automated decision was made.
  • Opt out of certain types of profiling where legally permitted.

This right does NOT apply when the automated decision is:

  • Necessary for contract performance: Essential for entering into or performing your insurance contract with us.
  • Authorized by law: Required or permitted by Kenyan law with appropriate safeguards for your rights.
  • Based on your explicit consent: You have given clear, informed consent to automated decision-making.

Our Commitment to Responsible Use of Artificial Intelligence (AI) Systems

When we use these technologies, we do so in a transparent, fair, and responsible manner. Our commitments include:

  • Transparency in Automated Decisions

We are open about when and how AI supports decision-making. If an automated decision affects you, we will clearly explain the key factors considered and how the system arrived at its conclusion.

  • Fairness, Accuracy, and Ongoing Monitoring

Our AI systems are regularly tested for accuracy, audited for potential bias, and continuously improved. We take active measures to ensure that automated processing remains fair, reliable, and aligned with legal and ethical expectations.

  • Human Oversight and Intervention

AI never operates without supervision. Trained staff oversee system outputs, conduct regular reviews, and can modify or override any AI-generated decision. Complex or high-impact cases always receive direct human assessment.

  • Protection of Training Data

We safeguard the data used to develop and refine our AI models. Training datasets consist of anonymized or pseudonymized information, industry data, and publicly available sources. Your identifiable personal data is not used to train AI systems unless legally permitted and with appropriate safeguards. You have the right to opt out of such use.

  • Strong Technical and Organizational Security

Our AI systems are protected through strict access controls, encryption, audit logs, security testing, and continuous monitoring. Any third-party AI providers we work with must meet CIC’s data protection, confidentiality, and security standards.

Ongoing Communication and Updates

As we introduce new AI capabilities or make significant changes to how automated processing affects you, we will keep you informed. Where required by law, we will provide advance notice and clearly outline any impact on your rights or your personal data.

Legal Justification for Our Use of Personal Data

The primary purpose for collecting and processing your personal data is to perform contractual and statutory tasks related to management of the financial products/solutions you have with us. We will also process your data in connection with other tasks as required by law and statutory regulations. In addition to these, personal data may be used in product and service development.

We commit to always identify and document, without prejudice, the lawful basis for processing your personal data for each specific purpose, and to put in place the necessary security measures to safeguard your personal data and ensure that the lawful purpose consented to always applies.

How We Store and Protect Your Data

We have put in place appropriate physical, legal, technical and organizational safeguards to protect the personal data we collect in connection with our services. Such measures include but are not limited to implementing information technology security measures such as system rights, audit trails and firewalls, role-based access controls that limit staff access strictly to information necessary for their duties, strict confidentiality obligations incorporated into employment contracts and third-party agreements, and regular employee training on data protection, cyber hygiene, fraud prevention, and incident-handling procedures.

We also maintain documented incident response and breach management processes aligned with regulatory requirements, and we conduct periodic privacy impact assessments for new systems, high-risk processing activities, or major technology deployments to ensure ongoing compliance and risk mitigation.

You should be aware that the Internet is not a secure form of communication and sending and receiving information over the Internet carries with it risks including the risk of access and interference by unauthorized third parties. We do not accept responsibility or liability for the confidentiality, security or integrity of your Personal Data in connection with its transmission over the Internet.

Disclosure of Personal Data

CIC undertakes to keep your personal data confidential and, where it is necessary to satisfy the purpose for which it was collected or as may be required by law, CIC will share your data with third parties.

In connection with the purposes described above we sometimes need to share your Personal Information with third parties. All third parties, service providers, and processors who handle personal data on our behalf undergo security and privacy due diligence. CIC Group requires such parties to implement appropriate technical and organizational measures, comply with applicable data protection laws, and process personal data strictly in accordance with our documented instructions. Data processing agreements are maintained to ensure accountability, confidentiality, and protection of your personal information.

Please note that in addition to the disclosures we have identified in the table below, we may disclose Personal Data for the purposes we explain in this Privacy Policy to service providers, contractors, agents and CIC Group companies that perform activities on our behalf.

Purpose of processing: Establishing a client relationship, including fraud, anti-money laundering and sanctions checks
Legal grounds:
  • Performance of our contract with the client.
  • Compliance with a legal obligation
  • Legitimate interests of CIC (to ensure that the client is within our acceptable risk profile and to assist with the prevention of crime and fraud).
  • Consent and Substantial public interest
Disclosure: Anti-Fraud Database

Purpose of processing: Checking credit where we are taking any credit risks.
Legal grounds:
  • Legitimate interests of CIC (to ensure that the client is within our acceptable risk profile and to assist with the prevention of crime and fraud)
Disclosure: Credit Reference Agencies

Purpose of processing: Evaluating the risks to be covered and matching to appropriate insurer, policy and premium
Legal grounds:
  • Performance of our contract with the client.
  • Compliance with a legal obligation
  • Legitimate interests of CIC (to ensure that the client is within our acceptable risk profile and to assist with the prevention of crime and fraud).
  • Consent
  • Substantial public interest
Disclosure: Insurers

POLICY ADMINISTRATION

Purpose of processing: General client care, including communicating with client
Legal grounds:
  • Performance of our contract with the client.
  • Compliance with a legal obligation
  • Legitimate interests of CIC (to ensure that the client is within our acceptable risk profile and to assist with the prevention of crime and fraud).
  • Consent
  • Substantial public interest
Disclosure: Telco Providers

Purpose of processing: Collection/refunding of premiums, paying on claims, and processing and facilitating other payments
Legal grounds:
  • Performance of our contract with the client.
  • Legitimate CIC interests (to recover debts due to us)
Disclosure: Insurers; Banks; Debt Recovery Providers

CLAIMS ADMINISTRATION

Purpose of processing: Managing insurance claims
Legal grounds:
  • Performance of our contract with the client.
  • Legitimate interests of CIC (to assist our clients in assessing and making claims)
Disclosure: Insurers; Claims Handlers; Lawyers; Loss Adjustors; Experts; Third parties involved in handling or otherwise addressing the claim, such as health care professionals

Purpose of processing: Defending or prosecuting legal claims
Legal grounds:
  • Performance of our contract with client
  • Legitimate interests of CIC (to assist our client in assessing and making claims).
  • To establish, defend or prosecute legal claims
Disclosure: Insurers; Lawyers; Police; Experts; Other insurers; Anti-fraud databases; Third parties involved in the investigation or prosecution, such as private investigators

RENEWALS

Purpose of processing: Contacting you in order to arrange the renewal of the insurance policy
Legal grounds:
  • Performance of our contract with the client.
  • Legitimate interests of CIC (to correspond with clients to facilitate the continuation of insurance cover)
Disclosure: Insurers; Intermediaries

THROUGHOUT THE INSURANCE LIFECYCLE

Purpose of processing: Marketing analytics and direct marketing, including data anonymization.
Legal grounds:
  • Legitimate interests of CIC (to bring clients relevant offers)
  • Where we do not have an existing relationship with the individual, consent
Disclosure: Insurers; Group Companies

Purpose of processing: General risk modelling
Legal grounds:
  • Legitimate interests of CIC (to build risk models that allow placing of risk with appropriate insurers)
  • Consent
Disclosure: Insurers

Purpose of processing: Complying with our legal or regulatory obligations
Legal grounds:
  • Compliance with a legal obligation
  • Legitimate interests of CIC (to take pre-emptive steps to ensure legal and regulatory compliance)
Disclosure: Regulatory/Supervisory Bodies

OTHER FINANCIAL SERVICES

Purpose of processing: Sale of Land
Legal grounds:
  • Legitimate interests of CIC (to provide sale of land)
Disclosure: Group Companies

Purpose of processing: Asset Management / Investment
Legal grounds:
  • Performance of our contract with the client
Disclosure: Group Companies

CIC Group shall not disclose your personal information to any third parties such as service providers other than with your prior consent, for a legitimate reason or for the performance of a contract.

Consent

In order to facilitate the provision of our financial solutions including asset management, investment, insurance cover, and administer insurance claims, we rely on the data subject’s consent to process personal sensitive information, such as medical records and financial information. This consent allows us to share the information with other Insurers, Intermediaries and Reinsurers that may need to process the information in order to undertake their role in the insurance market (which in turn allows for the pooling and pricing of risk in a sustainable manner).

You understand that by using our site services and our products you agree to be bound by this statement of privacy. If you agree to this statement on behalf of an entity, you represent and warrant that you have the authority to bind that entity to our privacy statement, by using our products and/or accessing our site, if you do not accept it in entirety you must inform us immediately indicating what part of our privacy statement you are not agreeable to.

The affected individual’s consent to this processing of personal information is a necessary condition for CIC to be able to provide the services the client requests. Where you are providing us with information about a person other than yourself, you agree to notify them of our use of their Personal Data and to obtain such consent for us.

Individuals may withdraw their consent to such processing at any time. However, doing so may prevent CIC from continuing to provide the services. In addition, if an individual withdraws consent to an Insurer’s or Reinsurer’s processing of their Personal Data, it may not be possible for the insurance cover to continue.

Cross-border Transmission of Your Personal Data

CIC Group complies with all cross-border transfer requirements under the Data Protection Act and the Data Protection (General) Regulations, including notification to and/or approval by the Office of the Data Protection Commissioner where required.

Your data is primarily stored in our data centers located within Kenya and some data is stored on cloud and accessed in other jurisdictions. Inasmuch as some of these jurisdictions may not always offer the same level of protection for personal data as offered in Kenya, we will ensure an appropriate level of protection by the recipient of the data when we transmit your data outside Kenya.

If we transfer Personal Data to other countries outside Kenya, we will establish legal grounds justifying such transfer, such as individuals’ consent, or other legal grounds permitted by applicable legal requirements.

Prior to transferring personal data outside Kenya, we shall ascertain that the transfer is based on the provided legal and regulatory standards. Circumstances in which we may transfer your personal data outside are highlighted in the table below:

Legal basis: There being appropriate data protection safeguards with respect to the security and protection of personal data in the jurisdiction to which the data is being transferred.
Example: Storage of your personal data in a cloud whose data server is located in one of the European countries that has implemented the General Data Protection Regulation (GDPR).

Legal basis: An adequacy decision having been made by the Office of the Data Commissioner
Example: Where the Data Commissioner has published a list of countries which have appropriate data protection safeguards and we decide to store your data in that jurisdiction in furtherance to our legitimate interest.

Legal basis: Necessity
Example: When we reinsure your risk as part of our legitimate interest and the reinsurance company requests for your personal data in respect to the insurance policy

Legal basis: Consent
Example: When following your express consent, we transfer your personal data to another jurisdiction.

Retention of Personal Data

Personal Data is retained as long as necessary for the purpose for which it is collected and to meet legal, regulatory and operational requirements. Retention periods may differ for each insurance policy taken. At the end of the retention period, non-identifiable data is kept for management information purposes. CIC Group has also put in place a data retention policy in line with Data Protection law.

CIC Group may also retain your contact information for the purposes of inviting you to renew any of your insurance policies from time to time and may use your contact to send you notifications about our various products, renewal notices and claim updates.

You are responsible for the confidentiality of any password you have put in place to allow you to access certain products or services. Please note our customer service agents will never request you to share your password.

Your Data Protection Rights

We will collect, process and store your personal data in accordance with your rights under the Data Protection Act and attendant Regulations. Under certain circumstances, you have the following rights in relation to your personal data:

Right to object to processing of personal data
Description of right: You have a right to object to the processing of your personal data. In implementation of this right, you shall use the statutory form “Request for restriction or objection to the processing of personal data” provided in our website.
Applicability: The right is not an absolute right and we can reject the request where we demonstrate that we have justifiable reasons for processing that would negate your interests e.g. when we are required by a government agency exercising their legal mandate to provide your personal data against your request not to avail the same or in our defense of a legal claim. We will always inform you when we have declined your request and provide the reasons. This right is however absolute when it relates to direct marketing.

Right to restrict processing of personal data
Description of right: You have the right to request the suspension of processing of your personal data in certain circumstances. In implementation of this right, you shall use the statutory form “Request for restriction or objection to the processing of personal data” provided in our website.
Applicability: This right is not an absolute right and shall be available when
  • You contest the accuracy of your personal data
  • Your personal data has been unlawfully processed and you oppose the erasure and request restriction instead
  • You no longer need your personal data but we require the same to be kept in order to establish, exercise or defend a legal claim
  • You have objected to the processing, pending verification as to whether our use of your personal data is justifiable and overrides your interest

Right to access personal data
Description of right: You have the right to access your personal data and obtain information of how the said personal data is used and processed. In implementation of this right, you shall use the statutory form “Request for access to personal data” provided in our website.
Applicability: You may access your personal data through our Self-Service Portals. Should you want to access your personal data in any other format, you may use the form subject to availing us available notice and other circumstances as shall be communicated by us to you.

Right to rectification of personal data
Description of right: You have the right to request your personal data to be corrected in instances of inaccuracy or incompleteness. In implementation of this right, you shall use the statutory form “Request for rectification” provided in our website.
Applicability: The right is available always subject to the discretion accorded to us to decline with reasons

Right to data Portability
Description of right: You have the right to receive your personal data in a structured, commonly used and machine-readable format to transmit the said personal data obtained to another third party without any hindrance. In implementation of this right, you shall use the statutory form “Request for Data Portability” provided in our website.
Applicability: This right is available always provided that it is technically feasible for us to provide the personal data in the required format.

Right to erasure
Description of right: This right is sometimes referred to as “the right to be forgotten” and entitles you to request deletion or removal of your personal data from our records. In implementation of this right, you shall use the statutory form “Request for erasure of personal data” provided in our website.
Applicability: Right of erasure does not apply if processing of your personal data is necessary for one of the following reasons.
  • To exercise the right of freedom of expression and information
  • To comply with a legal obligation e.g. our requirement to hold on to your personal data in the event of an ongoing investigation
  • For the performance of a task carried out in the public interest or in the exercise of social authority
  • For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
  • For the establishment, exercise or defense of a legal claim.

Right to complain to the Office of the Data Commissioner
Applicability: This right is available always.

Right to withdraw consent to processing of personal data
Applicability: This right only applies where personal data is processed based upon your consent.

Rights relating to automated decision making and profiling
Description of right: You have a right not to be subjected to a decision based solely on our automated processing, including profiling, which legally and significantly affects you.
Applicability: Where automated processing or Artificial Intelligence (AI) tools are used in decision-making, you have the right to request human intervention, obtain an explanation of the decision, contest the outcome, or opt out of such processing where legally permissible. These protections apply in line with our Responsible AI practices outlined in this Privacy Statement.

This right is not applicable when a decision is:

  • Necessary for entering into, or performing, a contract between you and us
  • Authorized by a law to which we are subject and which lays down suitable measures to safeguard your rights, freedoms and legitimate interests
  • Based on your consent

In exercising your right as provided above, we may request specific information from you to help us confirm your identity. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Queries and concerns about your rights should be addressed to CIC Group Plc, CIC Plaza, Mara Rd, Upper Hill, P.O Box 59485 – 00200 Nairobi or E-mail: dataprotectionoffice@cic.co.ke

Enforcing Your Rights

If you wish to enforce any of your rights as highlighted above as provided under the Data Protection Act and attendant Regulations, then please contact us on our details in clause 16 below. You may use the various statutory forms made available by us and we will respond to your request without undue delay and within the statutory timelines.

Complaints

If you feel we have not complied with your right to privacy and other provided rights regarding your personal data, you have a right to complain to us through the provided tool available on our website or you may pay us a visit and fill the complaint form and we shall endeavor to resolve such a complaint. You however have the right to contact the Office of the Data Commissioner or such other data supervisory authority in the jurisdiction we operate in.

Cookies

Cookies are small text files which are stored on your computer when you visit certain web pages. CIC Insurance Group may use cookies and similar technologies on our websites and apps, and in our emails. When you return to the website or app, or visit websites and apps that use the same cookies, they recognize these cookies and your device.

We use cookies to do many different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving your online experience. We also use cookies in some of our emails to help us understand how you interact with our emails, and to help us improve our future email communications. The cookies policy on our websites and apps gives you more information on cookies, how and where we use them, and how you can control them.

Changes to This Data Privacy Statement

CIC Group reserves the right to change the provisions of this Privacy Statement at any time. Where the changes will have a fundamental impact on the nature of the processing of your data or your rights, we shall notify you in advance. We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the “effective date” at the top of this Privacy Statement.

Your use of the Website and applications following the posting of such revised Statement shall constitute your acceptance of any such changes. We encourage you to review our Privacy Statement whenever you visit the Website and application(s) to guarantee your understanding of how your information may be collected, processed and used.

Contact Information

If you have any queries relating to your personal data and/or this Privacy Statement, contact us through DataProtectionOffice@cic.co.ke

ID. Title: Download

1. Request for Access to Personal Data: Download Request for Access to Personal Data Form
2. Request for Data Portability: Download Request for Data Portability Form
3. Request for Erasure of Personal Data: Download Request for Erasure of Personal Data Form
4. Request For Rectification of Personal Data: Download Request for Rectification of Personal Data Form
5. Request For Restriction Or Objection To The Processing Of Personal: Download Request for Restriction or Objection to Processing Form

Our address for purposes of data processing is:

Data Protection Officer

The CIC Group Plc

CIC Plaza, Mara Road, Upper Hill

P.O. Box 59485 – 00200 Nairobi, Kenya

Tel 020 282 3000, 0703 099 120

dataprotectionoffice@cic.co.ke | www.cic.co.ke