Privacy Policy

1. INTRODUCTION

This Privacy Policy (the “Policy”) explains how your personal information is collected, used, shared and processed when accessing this website or using other services provided by its operator, including any written or electronic communications and purchases performed (collectively, the “Services”) as well as the rights and choices you have associated with that information.

The Services include any services provided via this website, located at arrai.co and/or arrai.shop (the “Site”), our accounts on social media platforms (the “Social Media Accounts”) and any other websites, pages, features or content owned and operated by the Company that hyperlink to this Policy.

The company responsible for selling the products via the Site, App and providing the Services is Arrai International LTD, a limited liability company duly incorporated in the Republic of Kenya, having its registered office at Ikigai, Peponi Rd, Westlands, Nairobi, a subsidiary of Arrai Inc., a limited liability company incorporated in the State of Delaware having its registered office at 651 N Broad ST, Suite 201, Middletown 19709 and its affiliates (hereinafter referred to as the “Company”, “we”, “us”, “our” and “Arrai”). We shall be the data controller of the information you provide to us.

Please read our Terms and Conditions and this Policy before accessing or using our Services. If you do not agree with this Policy or the Terms and Conditions, please do not access or use our Services. By using our Services, you accept our Terms and Conditions and Privacy Policy.

Right to modify this Policy: This Privacy Policy may be amended or updated from time to time to reflect changes in our practices with respect to the processing of personal data, or changes in applicable law. We encourage you to regularly check this page to review any changes we might make in accordance with the terms of this Privacy Policy. If we make significant changes that materially affect your privacy rights, we will provide advance notice and make that clear on the Site or other Arrai services, or by some other means of contact such as email, so that you are able to review the changes before you continue to use the Services. If you do not agree with the modified Privacy Policy, please discontinue the use of the Services immediately.

2. COLLECTION OF INFORMATION

We collect personal information (used interchangeably with “personal data” in this Privacy Policy) when you use our Services. Personal information is any information that identifies or makes an individual identifiable. Personal information does not include data that has been effectively and irreversibly anonymised or aggregated so that it can no longer enable us or others, whether in combination with other information or otherwise, to identify you. Your personal data is collected and used by us to support a range of different activities or business purposes.

(a) Primary data

Personal information you may provide to us through the Service or otherwise includes:

  • Contact data, personal or business contact information including your first and last name, email and mailing addresses and phone number.
  • Registration data, such as information that you provide to register for an account, including the day and month of your birth, title and security question.
  • Profile data, such as your username and password that you may set to establish an account with us and your interests and style preferences.
  • Communications, such as information you provide when you contact us with questions, feedback, survey responses, or otherwise correspond with us.
  • Marketing data, such as the email address or contact details that we use to send marketing communications and your preferences for receiving communications about our activities and contests.
  • Purchase data, including your order history and payment account information needed to process and fulfill your order, including order details, billing address and delivery address.
  • Other information that we may collect which is not specifically listed here, but which we will use in accordance with this Privacy Policy or as otherwise disclosed at the time of collection.

(b) Data from other sources

We may also collect personal information about you from:

  • Business partners such as advertising and joint marketing partners.
  • Data providers, such as information services and data licensors.
  • Public sources, such as blogs, forums or social media platforms.


(c) Information we obtain from third-party platforms

If you choose to login to the Site via a third-party platform, including but not limited to Google or Facebook, to otherwise connect your account on the third-party platform or network to your account through the Site, we may collect information from that platform or network. You may also have the opportunity to provide us with additional information via the third-party platform or network, such as a list of your friends or connections and your email address.


(d) Automatic collection

Together with our service providers, we may automatically log information about you, your computer or mobile device, and your activity occurring on or through the Site, such as:

  • Device data, such as your computer or mobile device operating system type and version number, manufacturer and model, browser type, screen resolution, IP address, the website you visited before browsing our Site, and general information such as city, state and geographic area.
  • Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access.


(e) Cookies and similar technologies. Some of our automatic data collection is facilitated by cookies and similar technologies.

(f) Referrals. Users of our Services may have the opportunity to refer friends or other contacts to us. If you are an existing user, you may only submit a referral if you have permission to provide their contact information to us for purposes of contacting them.

(g) Sensitive Personal Data. We do not seek to collect or otherwise process sensitive personal data in the ordinary course of our activities. Where it becomes necessary to process your sensitive personal data, we rely on the following legal bases: (i) compliance with applicable law, (ii) detection and prevention of crime, (iii) establishment, exercise or defense of legal rights, or (iv) where we have, in accordance with applicable law, obtained your prior, express consent to processing your sensitive personal data. If you provide sensitive personal data to us, you must ensure that it is lawful for you to disclose such data to us, and you must ensure a valid legal basis applies to the processing of that sensitive personal data.


3. USE OF YOUR INFORMATION

We use your personal data for the following purposes and as otherwise described in this Privacy Policy or at the time of collection:

(a) Service Delivery. We may use your personal information to:

  • fulfill or process orders;
  • provide, operate and improve the Service, such as to enable you to make purchases of clothing and accessories that we have listed on the site;
  • establish and maintain your account on the Service;
  • communicate with you about the Service, including sending you product promotions, announcements, updates, security alerts, support and administrative messages;
  • provide customer support and maintenance for the Service;
  • facilitate your login to the site via third party platforms, such as Google and Facebook; and
  • enable security features of the site, such as by sending you security codes via email or SMS, and remembering devices from which you have previously logged in.

(b) Direct marketing, advertising or other promotional activities. If you are an existing customer of Arrai (for example, if you have placed an order with us), we may use the personal data you provided to send you marketing communications about Arrai products or services, where permitted by applicable law (unless you have opted out). In other cases, we ask for your consent to send you marketing information. We may use the information that you provide to us, as well as information from other Arrai products or services, such as your use of the Arrai website and/or apps, to personalize communications and advertisements regarding our products and services that may be of interest to you. For registered users, this may include data collected from your interactions with our website and/or apps that are associated with your account. You will have the ability to opt-out of our marketing and promotional communications by simply clicking on the unsubscribe link in every promotional email we send.

(c) For research and development. We may use your personal information for research and development purposes, including to analyze and improve the Service and our business.

(d) To create anonymous data. We may create aggregated, de-identified or other anonymous data records from your personal information and other individuals whose personal information we collect. We make personal information into anonymous data by excluding information (such as your name) that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.

(e) Internet-based advertising. We may contract with third-party advertising companies and social media companies to display ads on our Service and other sites. These companies may use cookies and similar technologies to collect information about you (including device data, online activity data and/or geolocation data) over time across our Service and other sites and services or your interaction with our emails, and use that information to serve ads that they think will interest you. These ads are known as "interest-based advertisements."

(f) To comply with laws and regulations. We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to discoveries or requests from government authorities.

(g) For compliance, fraud prevention and safety. We may use your personal information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to: (a) protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); (b) audit our internal processes for compliance with legal and contractual requirements; (c) enforce the terms and conditions that govern the Service; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity, including cyber attacks and identity theft.

We will only process your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is related to the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent in compliance with your vital or public interests, where this is required or permitted by law.

4. PRINCIPLES OF DATA PROTECTION

The guiding principles of processing your personal data shall be as per Section 25 of the Data Protection Act of Kenya, 2019. We shall ensure that your personal data is:

  • Processed in accordance with your right to privacy as provided for in Article 31 of the Constitution of Kenya, 2010;
  • Collected in a lawful, fair and transparent manner;
  • Collected for explicit, specified and legitimate purposes and not processed in a manner incompatible with the purpose stated;
  • Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
  • Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
  • Accurate and where necessary kept up to date with every reasonable step being taken to ensure that any inaccurate personal data is erased;
  • Kept in a form which identifies you for no longer than necessary for the purpose which it was collected; and
  • Not transferred out of Kenya unless there is proof of adequate data protection safeguards or consent from you.


5. DISCLOSURE OF YOUR PERSONAL INFORMATION TO THIRD PARTIES

By using our Service, you agree that we may, as necessary and appropriate for the Purposes, transfer and disclose any Customer Information and/or personal data to the following recipients globally (who may process, transfer and disclose such Customer Information for the Purposes):

(a) Within Our Corporate Organization. The Company is a part of a corporate organization that has several legal entities, business processes, management structures and technical systems. We may share your personal information with our parent company for business maintenance and personalisation continuity purposes, for instance so that you may enjoy a personalized user experience across our digital properties, to provide you with the Services, or to take actions based on your requests or preferences.

(b) Service Providers. We may share your personal information with the following types of third party service providers:

  • IT system and software service provider - web hosting services (including cloud storage), mobile app or software optimisation services, customer relationship management software, email service providers or system maintenance services.
  • Payment service provider - third-party payment processing services.
  • Marketing and advertising services - Assistance in reaching potential new customers across multiple communication channels, or sharing with affiliated companies that promote our products on their websites.
  • Order fulfillment service provider - provision of logistics, warehousing and distribution services, return and exchange services, and order status notification services for your purchased items.
  • Customer service provider - assistance with customer services and support.
  • Fraud prevention and information security service provider - identity verification, fraud prevention, or credit risk reduction services to protect our website/app and our business.
  • Other service providers selected by you - other third parties such as size recommendations and fit prediction service providers, if you have chosen us to help provide you with product recommendations.

(c) To Maintain Legal and Regulatory Compliance. We have the right to disclose your personal information as required by law, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, request from a regulator or any other legal process served on us. We may also disclose your information where we reasonably believe the disclosure is necessary to enforce our agreements or policies, or if we believe that disclosure will help us protect the rights, property or safety of the Company or our customers.

(d) Co-Branded Services and Features. Portions of our Services may be offered as part of co-branded services and features. We will share personal information with our co-branded partners based on your voluntary use of or participation in a co-branded service or feature. Use of your personal information by a co-branded partner will be subject to a co-branded partner’s privacy policy. If you wish to opt-out of a co-branded partner’s future use of your personal information, you will need to contact the co-branded partner directly.

(e) Consent. We may disclose your personal information for any purpose with your consent.

(f) Corporate Transactions. We may disclose your personal information - including account information, wallet balance or points information - to a buyer, prospective buyer, corporate affiliate, or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or sale or transfer of some or all of our assets, whether as a going concern or as part of a bankruptcy, liquidation or similar proceeding in which personal information held by us about our Service users is among the assets transferred. You acknowledge and agree to our assignment or transfer of rights to your personal information.


6. INTERNATIONAL TRANSFER OF PERSONAL DATA 

Because of the multi-jurisdictional nature of our operations, we may transfer personal data to our Delaware office, and to third parties, as mentioned hereinabove, in connection with the purposes set out in this Privacy Policy. For this reason, we may transfer data to countries that may have different laws and data protection compliance requirements to those that apply in Kenya.

In all cases, we will ensure that data transfers are made securely to countries deemed to have adequate security controls in place by the Office of the Data Protection Commissioner of Kenya and/or subject to appropriate safeguards and confidentiality agreements.

7. DATA SECURITY

We have implemented appropriate technical and organizational security measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized access, and other unlawful or unauthorized forms of processing, in accordance with applicable law.

Because the internet is an open system, the transmission of information via the internet is not completely secure. Although we will implement all reasonable measures to protect your personal data, we cannot guarantee the security of your data transmitted to us using the internet - any such transmission is at your own risk and you are responsible for ensuring that any personal data you send to us is sent securely.

8. DATA ACCURACY

We take every reasonable step to ensure that: (i) your personal data that we process is accurate and, where necessary, kept up to date; and (ii) any of your personal data that we process that is inaccurate (having regard to the purposes for which it is processed) is erased or rectified without delay. From time to time, we may ask you to confirm the accuracy of your data.

9. DATA MINIMISATION

We take every reasonable step to ensure that your personal data that we process is limited to the personal data reasonably necessary in connection with the purposes set out in this Privacy Policy.

10. DATA RETENTION

We take every reasonable step to ensure that your personal data is processed for the minimum period necessary for the purposes set out in this Privacy Policy, and for backup, archival, fraud prevention or detection, or audit purposes. We will also retain and use your personal information to the extent necessary to comply with our legal obligations (for example if we are required to retain your data to comply with applicable laws), resolve disputes and enforce our legal agreements and policies.

If you no longer wish to be our customer or cease using or accessing our Services, you can request us to close your account and delete all personal information we hold about you via customersupport@arrai.co.

If you send us correspondence, including emails, we retain such information electronically in the records of your account. We also electronically retain customer service correspondence and other correspondence to you. We retain these records to measure and improve our customer service and to investigate potential fraud and violations. We may, over time, delete these records as permitted by law.

We also retain services usage data for internal analysis purposes. Usage data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our site, or we are legally obligated to retain this data for longer periods.

11. YOUR PERSONAL DATA RIGHTS

Arrai undertakes to respect the confidentiality of your personal data and guarantee your personal data rights, subject to the provisions of the Data Protection Act of Kenya, 2019, and subsisting regulations thereto. These include:

  • The Right to be Informed - You have the right to be provided with clear, transparent and easily understandable information about how we use your personal information and your rights. This is why we are providing you with the information in this Privacy Policy.
  • The Right of Access - You have the right to obtain a copy of your information that we hold and certain other information (similar to that provided in this Privacy Policy).
  • The Right of Rectification - You have the right to request the rectification of inaccurate data without undue delay. Where any request for rectification is received, and where proof of inaccuracy is given, the data shall be amended as soon as reasonably practicable, and you will be notified. Where there is a dispute as to the accuracy of data, the request and reasons for refusal shall be noted alongside the data and communicated to the individual. The individual shall be given the option of a review under the complaints procedure or an appeal directly to the Office of the Data Protection Commissioner. You also have the right to have incomplete information completed by providing the missing data, and any information submitted in this way will be updated without any undue delay.
  • The Right of Erasure - This is also known as the “right to be forgotten” and, in simple terms, enables you to request the deletion or removal of your information where your personal data is no longer necessary for the purpose for which it was collected and processed; where consent is withdrawn and there is no other legal basis for the processing; where an objection has been raised under the right to object and found to be legitimate; where personal data is unlawfully processed and where there is a legal obligation on Arrai to delete that personal data. Arrai will make a decision regarding any application for the erasure of personal data and will balance the request against the exemptions provided for in the law. Where a decision is made to erase the data, and this data has been passed to other data controllers, and/or has been made public, reasonable attempts to inform those data controllers of the request shall be made.
  • The Right to Restrict Processing - You have the right to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future. Processing of an individual’s personal data may be restricted where: the accuracy of the data has been contested, where the processing has been found to be unlawful, where the data would normally be deleted, but the individual has requested that their information be kept for the purpose of the establishment, exercise or defense of a legal claim, or where there has been an objection made pending the outcome of any decision.
  • The Right to Data Portability - If you want to send your personal data to another organization, you have a right to request that Arrai provide that information in a structured, commonly used and machine-readable format. A request for this should be made to Arrai at customersupport@arrai.co.
  • The Right to Object to Processing - You have the right to object to the processing of your personal data on the grounds of pursuit of public interest or legitimate interest where you do not believe that those grounds are made out. Where such an objection is made, it must be sent to us at customersupport@arrai.co. We will assess whether there are compelling legitimate grounds to continue processing that override the interests, rights and freedoms of individuals, or whether the information is required for the establishment, exercise or defense of legal proceedings. We will be responsible for notifying you of the outcome of our assessment within Fourteen (14) Days of receipt of the objection.
  • The Right to Lodge a Complaint - You have the right to lodge a complaint about the way we handle or process your personal data with the Office of the Data Protection Commissioner of Kenya.
  • The Right to Withdraw Consent - If you have given consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your personal data for marketing purposes.

To exercise one or more of these rights, or to ask a question about these rights or any other provision of this Privacy Policy, or about our processing of your personal data, you may reach out to us at customersupport@arrai.co and we shall respond to you. Please note that in some cases, it will be necessary to provide evidence of your identity before we can give effect to these rights; and where your request requires the establishment of additional facts (e.g. capacity to act on behalf of a minor or a determination of whether any processing is non-compliant with applicable law) we will investigate your request promptly, before deciding on which action to take.

12. COOKIES

When you visit a site or use an app, we will typically place cookies onto your device, or read cookies already on your device, subject to always obtaining your consent, where required, in accordance with applicable law. We use cookies to record information about your device, your browser and, in some cases, your preferences and browsing habits. We process personal data through cookies in accordance with our Cookie Policy.

13. SOCIAL MEDIA ACCOUNTS

We operate accounts on different social media platforms (the “Social Media Accounts”), such as but not limited to Facebook, Instagram, Twitter, Snapchat and TikTok. If you visit one of our Social Media Accounts you initiate a variety of data processing operations. If you do not provide us with your personal data, certain functionalities of the social networking platforms requiring such data will not be available to you or only to a limited extent.

As the owner of a Social Media Account, we can usually only see information stored in your public profile on such social media platforms, and only insofar as you are logged into your profile while visiting our Social Media Account. In addition, we may process data that you provide to us when you contact us through one of our Social Media Accounts (e.g. if you create a post or send us a direct message). If you visit one of our Social Media Accounts, the owner of the respective social network also processes your data, regardless of whether you have a profile in the respective social network. The individual data processing operations and their scope differ depending on the operator. In addition, the respective operator of the social network provides us with anonymous usage statistics, which we use to improve the user experience.

14. CHILDREN

Our services are not directed to, and we do not knowingly collect personal information from, children under the age of Eighteen (18) Years or minors (as defined by applicable national laws). If you are a minor, please do not attempt to fill out our forms or send any personal information about yourself to us. If a minor has provided us with personal information without parental or guardian consent, the parent or guardian should contact us immediately to remove the relevant personal information and unsubscribe the minor. If we become aware that a minor has provided us with personal information, we will take steps to promptly delete such information from our files.

15. DATA BREACHES AND NOTIFICATION

(a) A data breach includes but is not limited to the following:

  • Unauthorized disclosure of personal data;
  • Loss or theft of confidential or sensitive data;
  • Loss or theft of equipment on which personal data is stored (e.g. loss of laptop, USB stick, iPad/tablet device or paper record);
  • Unauthorized use of, access to or modification of IT, data or information systems (e.g. via a hacking attack); and
  • Attempts (failed or successful) to gain unauthorized access to IT, data or information systems.


(b) If any user of our services, member of staff, or other person learns of a suspected or actual personal data breach, it must be reported to customersupport@arrai.co immediately. The report should include as many details of the incident as possible, including the date and time of the breach (if known), the nature of information concerned, and how individuals are involved. Our IT Security team will perform incident management and take appropriate remedial measures in a timely manner. An aggrieved person or staff shall report any data breach to us within Twelve (12) Hours or within Seventy-Two (72) Hours to the Office of the Data Protection Commissioner of Kenya of becoming aware of such breach.

16. CONTACT US

If you have any questions or concerns regarding your personal information or any information in this Privacy Policy, please contact us via our Customer Support Email.

Our Privacy Office may be contacted via email at info@arrai.co or at our postal address below in writing:

IKIGAI Peponi,

Westlands,

Nairobi 00606