The Services include any services provided via this website, located at arrai.co and/or arrai.shop (the “Site”), our accounts on social media platforms (the “Social Media Accounts”) and any other websites, pages, features or content owned and operated by the Company that hyperlink to this Policy.
The company responsible for selling the products via the Site, App and providing the Services is Arrai International LTD, a limited liability company duly incorporated in the Republic of Kenya, having its registered office at Ikigai, Peponi Rd, Westlands, Nairobi, a subsidiary of Arrai Inc., a limited liability company incorporated in the State of Delaware having its registered office at 651 N Broad ST, Suite 201, Middletown 19709 and its affiliates (hereinafter referred to as the “Company”, “we”, “us”, “our” and “Arrai”). We shall be the data controller of the information you provide to us.
2. COLLECTION OF INFORMATION
Personal information you may provide to us through the Service or otherwise includes:
Contact data, personal or business contact information including your first and last name, email and mailing addresses and phone number.
Registration data, such as information that you provide to register for an account, including the day and month of your birth, title and security question.
Profile data, such as your username and password that you may set to establish an account with us and your interests and style preferences.
Communications, such as information you provide when you contact us with questions, feedback, survey responses, or otherwise correspond with us.
Marketing data, such as the email address or contact details that we use to send marketing communications and your preferences for receiving communications about our activities and contests.
Purchase data, including your order history and payment account information needed to process and fulfill your order, including order details, billing address and delivery address.
(b) Data from other sources
We may also collect personal information about you from:
Business partners such as advertising and joint marketing partners.
Data providers, such as information services and data licensors.
Public sources, such as blogs, forums or social media platforms.
(c) Information we obtain from third-party platforms
If you choose to login to the Site via a third-party platform, including but not limited to Google or Facebook, to otherwise connect your account on the third-party platform or network to your account through the Site, we may collect information from that platform or network. You may also have the opportunity to provide us with additional information via the third-party platform or network, such as a list of your friends or connections and your email address.
Together with our service providers, we may automatically log information about you, your computer or mobile device, and your activity occurring on or through the Site, such as:
Device data, such as your computer or mobile device operating system type and version number, manufacturer and model, browser type, screen resolution, IP address, the website you visited before browsing our Site, and general information such as city, state and geographic area.
Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access.
(e) Cookies and similar technologies. Some of our automatic data collection is facilitated by cookies and similar technologies.
(f) Referrals. Users of our Services may have the opportunity to refer friends or other contacts to us. If you are an existing user, you may only submit a referral if you have permission to provide their contact information to us for purposes of contacting them.
(g) Sensitive Personal Data. We do not seek to collect or otherwise process sensitive personal data in the ordinary course of our activities. Where it becomes necessary to process your sensitive personal data, we rely on the following legal bases: (i) compliance with applicable law, (ii) detection and prevention of crime, (iii) establishment, exercise or defense of legal rights, or (iv) where we have, in accordance with applicable law, obtained your prior, express consent to processing your sensitive personal data. If you provide sensitive personal data to us, you must ensure that it is lawful for you to disclose such data to us, and you must ensure a valid legal basis applies to the processing of that sensitive personal data.
3. USE OF YOUR INFORMATION
(a) Service Delivery. We may use your personal information to:
fulfill or process orders;
provide, operate and improve the Service, such as to enable you to make purchases of clothing and accessories that we have listed on the site;
establish and maintain your account on the Service;
communicate with you about the Service, including sending you product promotions, announcements, updates, security alerts, support and administrative messages;
provide customer support and maintenance for the Service;
facilitate your login to the site via third party platforms, such as Google and Facebook; and
enable security features of the site, such as by sending you security codes via email or SMS, and remembering devices from which you have previously logged in.
(b) Direct marketing, advertising or other promotional activities. If you are an existing customer of Arrai (for example, if you have placed an order with us), we may use the personal data you provided to send you marketing communications about Arrai products or services, where permitted by applicable law (unless you have opted out). In other cases, we ask for your consent to send you marketing information. We may use the information that you provide to us, as well as information from other Arrai products or services, such as your use of the Arrai website and/or apps, to personalize communications and advertisements regarding our products and services that may be of interest to you. For registered users, this may include data collected from your interactions with our website and/or apps that are associated with your account. You will have the ability to opt-out of our marketing and promotional communications by simply clicking on the unsubscribe link in every promotional email we send.
(c) For research and development. We may use your personal information for research and development purposes, including to analyze and improve the Service and our business.
(d) To create anonymous data. We may create aggregated, de-identified or other anonymous data records from your personal information and other individuals whose personal information we collect. We make personal information into anonymous data by excluding information (such as your name) that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
(f) To comply with laws and regulations. We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to discoveries or requests from government authorities.
(g) For compliance, fraud prevention and safety. We may use your personal information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to: (a) protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); (b) audit our internal processes for compliance with legal and contractual requirements; (c) enforce the terms and conditions that govern the Service; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity, including cyber attacks and identity theft.
We will only process your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is related to the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent in compliance with your vital or public interests, where this is required or permitted by law.
4. PRINCIPLES OF DATA PROTECTION
The guiding principles of processing your personal data shall be as per Section 25 of the Data Protection Act of Kenya, 2019. We shall ensure that your personal data is:
Processed in accordance with your right to privacy as provided for in Article 31 of the Constitution of Kenya, 2010;
Collected in a lawful, fair and transparent manner;
Collected for explicit, specified and legitimate purposes and not processed in a manner incompatible with the purpose stated;
Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed;
Collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
Accurate and where necessary kept up to date with every reasonable step being taken to ensure that any inaccurate personal data is erased;
Kept in a form which identifies you for no longer than necessary for the purpose which it was collected; and
Not transferred out of Kenya unless there is proof of adequate data protection safeguards or consent from you.
5. DISCLOSURE OF YOUR PERSONAL INFORMATION TO THIRD PARTIES
By using our Service, you agree that we may, as necessary and appropriate for the Purposes, transfer and disclose any Customer Information and/or personal data to the following recipients globally (who may process, transfer and disclose such Customer Information for the Purposes):
(a) Within Our Corporate Organization. The Company is a part of a corporate organization that has several legal entities, business processes, management structures and technical systems. We may share your personal information with our parent company for business maintenance and personalisation continuity purposes, for instance so that you may enjoy a personalized user experience across our digital properties, to provide you with the Services, or to take actions based on your requests or preferences.
(b) Service Providers. We may share your personal information with the following types of third party service providers:
IT system and software service provider - web hosting services (including cloud storage), mobile app or software optimisation services, customer relationship management software, email service providers or system maintenance services.
Payment service provider - third-party payment processing services.
Marketing and advertising services - Assistance in reaching potential new customers across multiple communication channels, or sharing with affiliated companies that promote our products on their websites.
Order fulfillment service provider - provision of logistics, warehousing and distribution services, return and exchange services, and order status notification services for your purchased items.
Customer service provider - assistance with customer services and support.
Fraud prevention and information security service provider - identity verification, fraud prevention, or credit risk reduction services to protect our website/app and our business.
Other service providers selected by you - other third parties such as size recommendations and fit prediction service providers, if you have chosen us to help provide you with product recommendations.
(c) To Maintain Legal and Regulatory Compliance. We have the right to disclose your personal information as required by law, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, request from a regulator or any other legal process served on us. We may also disclose your information where we reasonably believe the disclosure is necessary to enforce our agreements or policies, or if we believe that disclosure will help us protect the rights, property or safety of the Company or our customers.
(e) Consent. We may disclose your personal information for any purpose with your consent.
(f) Corporate Transactions. We may disclose your personal information - including account information, wallet balance or points information - to a buyer, prospective buyer, corporate affiliate, or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or sale or transfer of some or all of our assets, whether as a going concern or as part of a bankruptcy, liquidation or similar proceeding in which personal information held by us about our Service users is among the assets transferred. You acknowledge and agree to our assignment or transfer of rights to your personal information.
6. INTERNATIONAL TRANSFER OF PERSONAL DATA
In all cases, we will ensure that data transfers are made securely to countries deemed to have adequate security controls in place by the Office of the Data Protection Commissioner of Kenya and/or subject to appropriate safeguards and confidentiality agreements.
7. DATA SECURITY
We have implemented appropriate technical and organizational security measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized access, and other unlawful or unauthorized forms of processing, in accordance with applicable law.
Because the internet is an open system, the transmission of information via the internet is not completely secure. Although we will implement all reasonable measures to protect your personal data, we cannot guarantee the security of your data transmitted to us using the internet - any such transmission is at your own risk and you are responsible for ensuring that any personal data you send to us is sent securely.
8. DATA ACCURACY
We take every reasonable step to ensure that: (i) your personal data that we process is accurate and, where necessary, kept up to date; and (ii) if any of your personal data that we process is inaccurate (having regard to the purposes for which it is processed), it is erased or rectified without delay. From time to time, we may ask you to confirm the accuracy of your data.
9. DATA MINIMISATION
10. DATA RETENTION
If you no longer wish to be our customer or cease using or accessing our Services, you can request us to close your account and delete all personal information we hold about you via email@example.com.
If you send us correspondence, including emails, we retain such information electronically in the records of your account. We also electronically retain customer service correspondence and other correspondence to you. We retain these records to measure and improve our customer service and to investigate potential fraud and violations. We may, over time, delete these records as permitted by law.
We also retain services usage data for internal analysis purposes. Usage data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our site, or we are legally obligated to retain this data for longer periods.
11. YOUR PERSONAL DATA RIGHTS
Arrai undertakes to respect the confidentiality of your personal data and guarantee your personal data rights, subject to the provisions of the Data Protection Act of Kenya, 2019, and subsisting regulations thereto. These include:
The Right of Rectification - You have the right to request the rectification of inaccurate data without undue delay. Where any request for rectification is received, and where proof of inaccuracy is given, the data shall be amended as soon as reasonably practicable, and you will be notified. Where there is a dispute as to the accuracy of data, the request and reasons for refusal shall be noted alongside the data and communicated to the individual. The individual shall be given the option of a review under the complaints procedure or an appeal directly to the Office of the Data Protection Commissioner. You also have the right to have incomplete information completed by providing the missing data, and any information submitted in this way will be updated without any undue delay.
The Right of Erasure - This is also known as the “right to be forgotten” and, in simple terms, enables you to request the deletion or removal of your information where your personal data is no longer necessary for the purpose for which it was collected and processed; where consent is withdrawn and there is no other legal basis for the processing; where an objection has been raised under the right to object and found to be legitimate; where personal data is unlawfully processed and where there is a legal obligation on Arrai to delete that personal data. Arrai will make a decision regarding any application for the erasure of personal data and will balance the request against the exemptions provided for in the law. Where a decision is made to erase the data, and this data has been passed to other data controllers, and/or has been made public, reasonable attempts to inform those data controllers of the request shall be made.
The Right to Restrict Processing - You have the right to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future. Processing of an individual’s personal data may be restricted where: the accuracy of the data has been contested, where the processing has been found to be unlawful, where the data would normally be deleted, but the individual has requested that their information be kept for the purpose of the establishment, exercise or defense of a legal claim, or where there has been an objection made pending the outcome of any decision.
The Right to Data Portability - If you want to send your personal data to another organization, you have a right to request that Arrai provide that information in a structured, commonly used and machine-readable format. A request for this should be made to Arrai at firstname.lastname@example.org.
The Right to Object Processing - You have the right to object to the processing of your personal data on the grounds of pursuit of public interest or legitimate interest where you do not believe that those grounds are made out. Where such an objection is made, it must be sent to us at email@example.com. We will assess whether there are compelling legitimate grounds to continue processing that override the interests, rights and freedoms of individuals, or whether the information is required for the establishment, exercise or defense of legal proceedings. We will be responsible for notifying you of the outcome of our assessment within Fourteen (14) Days of receipt of the objection.
The Right to Lodge a Complaint - You have the right to lodge a complaint about the way we handle or process your personal data with the Office of the Data Protection Commissioner of Kenya.
The Right to Withdraw Consent - If you have given consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your personal data for marketing purposes.
13. SOCIAL MEDIA ACCOUNTS
We operate accounts on different social media platforms (the “Social Media Accounts”), such as, but not limited to, Facebook, Instagram, Twitter, Snapchat and TikTok. If you visit one of our Social Media Accounts you initiate a variety of data processing operations. If you do not provide us with your personal data, certain functionalities of the social networking platforms requiring such data will not be available to you or only to a limited extent.
As the owner of a Social Media Account, we can usually only see information stored in your public profile on such social media platforms, and only insofar as you are logged into your profile while visiting our Social Media Account. In addition, we may process data that you provide to us when you contact us through one of our Social Media Accounts (e.g. if you create a post or send us a direct message). If you visit one of our Social Media Accounts, the owner of the respective social network also processes your data, regardless of whether you have a profile in the respective social network. The individual data processing operations and their scope differ depending on the operator. In addition, the respective operator of the social network provides us with anonymous usage statistics, which we use to improve the user experience.
Our services are not directed to, and we do not knowingly collect personal information from, children under the age of Eighteen (18) Years or minors (as defined by applicable national laws). If you are a minor, please do not attempt to fill out our forms or send any personal information about yourself to us. If a minor has provided us with personal information without parental or guardian consent, the parent or guardian should contact us immediately to remove the relevant personal information and unsubscribe the minor. If we become aware that a minor has provided us with personal information, we will take steps to promptly delete such information from our files.
15. DATA BREACHES AND NOTIFICATION
(a) A data breach includes but is not limited to the following:
Unauthorized disclosure of personal data;
Loss or theft of confidential or sensitive data;
Loss or theft of equipment on which personal data is stored (e.g. loss of laptop, USB stick, iPad/tablet device or paper record);
Unauthorized use of, access to or modification of IT, data or information systems (e.g. via a hacking attack); and
Attempts (failed or successful) to gain unauthorized access to IT, data or information systems.
(b) If any user of our services, member of staff, or other person learns of a suspected or actual personal data breach, it must be reported to firstname.lastname@example.org. The report should include as many details of the incident as possible, including the date and time of the breach (if known), the nature of information concerned, and how individuals are involved. Our IT Security team will perform incident management and take appropriate remedial measures in a timely manner. An aggrieved person or member of staff shall report any data breach to us within Twelve (12) Hours, or to the Office of the Data Protection Commissioner of Kenya within Seventy-Two (72) Hours, of becoming aware of such breach.
16. CONTACT US
Our Privacy Office may be contacted via email at email@example.com or at our postal address below in writing: