Privacy and Security Policy

Introduction
Identigate Integrated Solutions Limited (Company Number CPR/2015/211533), trading as SOJA VMS (“Identigate”, “SOJA”, “we”, “our”, or “us”), complies with the Kenya Data Protection Act No. 24 of 2019 and other applicable laws when dealing with personal information. Personal information is information about an identifiable individual (a natural person).
This policy sets out how we collect, use, disclose and protect your personal information across all SOJA products, including the SOJA VMS Visitor Management platform and the SOJA TA Time & Attendance mobile application (“SOJA TA”).
This policy does not limit or exclude any of your rights under the Kenya Data Protection Act and other applicable laws. If you wish to seek further information on the Kenya Data Protection Act see www.kenyalaw.org

Changes to This Policy
We may change this policy by uploading a revised policy onto our website (www.soja.co.ke). Unless stated otherwise, the change will apply from the date that we upload the revised policy. Material changes affecting how we use sensitive data (including biometric data) will be communicated directly to client organisations and, where applicable, to affected individuals.

What Personal Information Do We Collect
We collect, hold and process three categories of personal information:

1. Account and Marketing Data
Personal information collected in connection with the creation or administration of a customer account; when you ask to receive information about our services; when you contact us directly (e.g. by telephone, email, or through the user dashboard); or when you visit our website.
Account and Marketing Data may include company/personal names, usernames, phone numbers, email addresses, your location, billing information, information about how you use our website or Services (for example, traffic volumes, time spent on pages), your IP address and/or other device identifying data, and other information required to provide a service or information you have requested.

2. Visitor or Employee Data
Personal information about a customer’s visitors or employees that is input into the SOJA Visitor Management Service or SOJA TA (as defined in our Terms of Service). Visitor and Employee Data may include names, ID numbers, phone numbers, email addresses, locations, photographs, times of visit, employers’ names, and any other information a customer decides to capture about its visitors and employees.
We will not disclose, move, access, process or use Visitor or Employee Data except as provided in our Terms of Service, and we require our customers to comply with applicable privacy and data protection laws.

3. Biometric and Face Data (SOJA TA)

SOJA TA offers facial recognition as one of several available check-in methods for time and attendance. Face data is classified as sensitive biometric data and is handled with the highest level of care.

What face data is collected
• A mathematical facial template (a numeric vector representation of facial geometry) derived from a live camera capture at the point of check-in or enrolment.
• The raw photograph or video frame used to generate the template is not retained after the template is created.
• Facial recognition is used solely to verify that the person checking in matches the enrolled employee profile. It is not used to identify unknown individuals or for any surveillance purpose.

How face data is used
• Employee identity verification at the point of attendance check-in and check-out.
• Prevention of “buddy punching” (one employee clocking in on behalf of another).
• Ensuring the accuracy and integrity of time and attendance records generated for the client organisation.
• Face data is never used for advertising, marketing profiling, or any purpose unrelated to attendance verification.

Where face data is stored
• Facial templates are encrypted using AES-256 encryption at rest and TLS 1.2+ in transit.
• Data is stored on SOJA’s secure cloud infrastructure or on the client organisation’s private server, depending on the deployment option selected.
• Facial data is stored in an isolated, access-controlled data store, separately from other personal data.

Sharing of face data
• Face data is never sold to third parties.
• Face data is never shared with advertising networks, data brokers, or analytics providers.
• Face data may be processed by cloud infrastructure sub-processors (e.g., secure hosting providers) solely for storage purposes, under strict written data processing agreements that prohibit any independent use.

Retention of face data
• Facial templates are retained only for the duration of the employee’s active enrolment in SOJA TA.
• Upon termination of employment, unenrolment, or written request by the individual or the employing organisation, facial templates are permanently deleted within 30 days.
• Upon termination of a client organisation’s contract with SOJA VMS, all biometric data associated with that organisation is deleted within 60 days.

SOJA TA – App Distribution and Access

SOJA TA is a business-to-business (B2B) application. It is not a general consumer application. The app is made available on the Apple App Store as a distribution convenience for authorised users of client organisations.

Who can access SOJA TA
• SOJA TA is accessible to employees, contractors, and administrators of any organisation that has entered into a commercial agreement with SOJA VMS (Identigate).
• Individual users cannot self-register. User accounts are created and provisioned exclusively by the subscribing organisation’s administrator.
• The platform is not restricted to a single company or organisation. Any business, public sector body, residential estate, educational institution, or international organisation may become a SOJA client.

Account creation and fees
• Users obtain access through their employer’s SOJA account. Accounts are provisioned by the organisation’s designated administrator.
• Individual end users do not pay to access SOJA TA. Fees are paid at the organisational level under commercial licensing agreements between Identigate and the client organisation.

Why SOJA TA is on the public App Store
• Listing on the Apple App Store enables employees of client organisations worldwide to install SOJA TA conveniently on their personal or company-issued iOS devices.
• The app serves a broad and diverse range of organisations across sectors (commercial real estate, manufacturing, education, public sector, security services, international organisations, and residential estates), making public App Store distribution the appropriate channel.
• Membership of the SOJA client base is open to any qualifying organisation without restriction, consistent with App Store public distribution guidelines.

Who Do We Collect Your Personal Information From
We collect personal information about you from:
• You, when you provide that personal information to us, including via our website and the Service, through any registration process, or through any contact with us (e.g. telephone call, email, or through the user dashboard).
• Third parties where you have authorised this or the information is publicly available.
If possible, we will collect personal information from you directly.
Some provision of personal information is optional. However, if you do not provide us with certain types of personal information, you may be unable to enjoy the full functionality of our website or the Services.

How We Use Your Personal Information
We will use your personal information to:
• Verify your identity.
• Provide services and products to you.
• Market our services and products to you, including contacting you electronically (e.g. by text or email for this purpose).
• Tailor content or advertisements to you.
• Improve the services and products that we provide to you.
• Bill you and collect money that you owe us, including authorising and processing credit card transactions.
• Respond to communications from you, including any complaint.
• Conduct research and statistical analysis (on an anonymised basis).
• Protect and/or enforce our legal rights and interests, including defending any claim.
• For any other purpose authorised by you, the Kenya Data Protection Act, or other applicable law.

Disclosing Your Personal Information
We may disclose your personal information to:
• Any other company within our group for the purposes described in this policy.
• Any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or other services and products, or that assists us with our marketing and customer care activities.
• Other third parties (for anonymised statistical information only).
• A person who can require us to supply your personal information (e.g. a regulatory authority).
• Any other person authorised by the Kenya Data Protection Act or another law (e.g. a law enforcement agency).
• Any other person authorised by you.
• Any other company in the case of a sale, merger, consolidation, liquidation, reorganisation, or acquisition.
A business that supports our services and products may be located outside Kenya. This may mean your personal information is held and processed outside Kenya.
We may also share information about your use of our website with our trusted social media, advertising, and analytics partners through the use of cookies, pixel tags, and similar storage technologies.

Protecting Your Personal Information
We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse. Specific measures include:
• Encryption of all data in transit using TLS 1.2 or higher.
• Encryption of all data at rest using AES-256.
• Isolation of biometric and face data in a separately access-controlled data store.
• Restriction of access to personal data to authorised personnel on a least-privilege basis.
• Regular security assessments of our systems and infrastructure.

Accessing and Correcting Your Personal Information
Subject to certain grounds for refusal set out in the Kenya Data Protection Act or other applicable law, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.
In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.
If you want to exercise either of the above rights, email us at support@sojavms.com. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting).

Data Retention
Account and Marketing Data that we collect and process will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer.
Specific retention periods for SOJA TA data:
• General attendance records: Retained for the duration of the employment relationship plus any period required by applicable employment law.
• Facial/biometric templates: Retained only while the employee is actively enrolled. Deleted within 30 days of unenrolment, offboarding, or written request.
• Device and technical logs: Retained for up to 12 months for security and debugging purposes.
• All data is deleted within 60 days of termination of a client organisation’s contract with SOJA VMS.

Internet Use
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
If you follow a link on our website or in the Service to another site, the owner of that site will have its own privacy policy relating to your personal information. We suggest you review that site’s privacy policy before you provide personal information.

Children
SOJA TA and SOJA VMS are intended for use by employed adults. We do not intend to collect personal data from individuals under the age of 16. If you have reason to believe that a child under the age of 16 has provided personal data to us, please contact us at support@sojavms.com.

Contact Us
If you have any questions about this privacy policy or our privacy practices, you can contact us at:
• Email: support@sojavms.com
• Website: www.sojavms.com
• Company: Identigate Integrated Solutions Limited, Company No. CPR/2015/211533

Identigate Privacy Policy – GDPR Addendum

Applies to users based in the European Union
If you are based in the European Union (EU) and use our website and/or our services, these additional terms (GDPR Addendum) form part of our privacy policy.
The General Data Protection Regulation (GDPR) regulates the collection, processing and transfer of EU individuals’ personal data. The personal information described in our privacy policy is personal data under the GDPR. We are committed to complying with the GDPR when dealing with Account and Marketing Data about our website visitors and service users based in the EU.

Data Controller Roles
• We are the data controller (as defined in the GDPR) when processing Account and Marketing Data.
• Our customers are the data controller when processing Visitor and Employee Data (as defined in this policy).
• Where biometric/face data is processed within SOJA TA on behalf of a client organisation, that organisation acts as data controller and Identigate acts as data processor, under a written Data Processing Agreement.
We will not process Visitor or Employee Data except as provided in our Terms of Service, and we require our customers to comply with applicable privacy and data protection laws.
The remainder of this GDPR Addendum applies to Account and Marketing Data only, and does not apply to Visitor or Employee Data.

Processing Personal Data
The Account and Marketing Data we may process is described in our privacy policy. This data may be processed for the purposes outlined in our privacy policy.
The legal basis for our processing of Account and Marketing Data is your consent and, for certain Account and Marketing Data, processing is necessary for the performance of a contract to which you are a party.
For biometric/face data processed within SOJA TA, the legal basis is the explicit consent of the individual employee, obtained prior to enrolment. Client organisations are responsible for ensuring that such consent is lawfully collected.
Despite the above, we may process any of your personal data where such processing is necessary for compliance with applicable laws.

Your Rights Under GDPR

• Right of access – if you ask us, we will confirm whether we are processing your personal data and provide you with a copy of that personal data.
• Right to rectification – if the personal data we hold about you is inaccurate or incomplete, you have the right to have it rectified or completed. If we have shared your personal data with any third parties, we will tell them about the rectification where possible.
• Right to erasure – we delete your personal data when it is no longer needed for the purposes for which you provided it. This includes biometric templates, which will be deleted within 30 days of a valid erasure request. If we have shared your personal data with any third parties, we will take reasonable steps to inform those third parties to delete such personal data.
• Right to withdraw consent – if the basis of our processing of your personal data is consent, you can withdraw that consent at any time. For biometric data, withdrawal will result in the deletion of your facial template and you will need to use an alternative check-in method.
• Right to restrict processing – you may request that we restrict or block the processing of your personal data in certain circumstances.
• Right to object to processing – you may request that we stop processing your personal data at any time and we will do so to the extent required by the GDPR. Where personal data is processed for direct marketing, you have the right to object, including in relation to profiling.
• Right to data portability – you may obtain your personal data from us in a commonly used, machine-readable and interoperable format. Where technically feasible and at your request, we will transmit your personal data directly to another data controller.
• Right to complain to a supervisory authority – you can report any concerns about our privacy practices to the relevant data protection supervisory authority.

To exercise any of your rights, please contact us at support@sojavms.com. If you are not satisfied with the way your query is dealt with, you may refer your query to your local data protection supervisory authority.

International Transfer of Data
The Account and Marketing Data may be transferred to, and stored in, a country operating outside the European Economic Area (EEA). We transfer personal data only where the European Commission has decided that the country ensures an adequate level of protection, or where appropriate safeguards are in place as prescribed by the GDPR.
Some of the Account and Marketing Data we collect is processed in Kenya (where our registered office is located). Kenya has a Data Protection Act in place. We rely on this in transferring personal data to Kenya.
Some of the Account and Marketing Data we collect is processed by third-party data processors in other countries, including the United States. These countries are not subject to an adequacy decision by the European Commission; in transferring your personal data to these countries, we take other appropriate safeguards as prescribed by the GDPR.

Data Retention (GDPR)
Account and Marketing Data that we collect and process will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer. See the Data Retention section above for specific retention periods applicable to SOJA TA biometric data.

Contact Us (GDPR Enquiries)
For GDPR-related enquiries, please contact us at support@sojavms.com or support@identigate.co.ke.