Privacy Policy

Regional Autoselections Ltd (“RAS”, “we”, “us”, “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, share, and safeguard your personal data when you visit our website, submit an enquiry, or engage with our services.

This policy is issued in compliance with the Data Protection Act, 2019 (No. 24 of 2019) of the Laws of Kenya (the “DPA”) and the Data Protection (General) Regulations, 2021. RAS is registered as a Data Controller and Data Processor with the Office of the Data Protection Commissioner (ODPC) of Kenya.

1. Personal Data We Collect

We collect the following categories of personal data, which you provide to us directly or which we generate through your use of our services:

• Identity data: Full name, national identity number or passport number (collected where required for NTSA transfer and KYC compliance).
• Contact data: Email address, mobile telephone number, physical address (for delivery).
• Vehicle enquiry data: Vehicle preferences, budget range, trade-in vehicle details, financing preferences, country of origin preference for imports, and any other information you voluntarily provide in our lead forms.
• Photographs and documents: Images of your trade-in or sell-your-car submission, and supporting documents required for accessible vehicle imports (NCPWD card, PIN, disability certificate).
• Financial data: Payment confirmation references and, where applicable, employer or SACCO information provided for financing referral purposes. We do not store full bank account details or card numbers.
• Technical data: IP address, browser type, device identifiers, pages visited, and session duration, collected automatically via cookies and server logs (see our Cookie Policy).

2. Why We Collect Your Data & Legal Basis

We process your personal data on the following legal bases under the DPA:

• Performance of a contract: To process vehicle purchases, import orders, trade-ins, and financing referrals.
• Legitimate interests: To respond to enquiries, maintain customer records, improve our services, detect fraud, and comply with NTSA registration requirements.
• Legal obligation: To comply with anti-money-laundering regulations, KRA reporting, and NTSA vehicle transfer requirements.
• Consent: To send you marketing communications, vehicle availability alerts, or promotional offers. You may withdraw this consent at any time by contacting us or using the unsubscribe link in any email.

3. How We Use Your Data

Your personal data is used for the following specific purposes:

• Processing and responding to vehicle purchase and import enquiries.
• Preparing sale agreements, reservation confirmations, and invoices.
• Referring your financing application to our partner banks and SACCOs (see Section 4 for details of who we share data with).
• Facilitating NTSA vehicle title transfer and logbook processing.
• Communicating shipping updates, delivery schedules, and post-sale follow-ups.
• Sending marketing communications where you have given consent.
• Analysing website traffic and user behaviour to improve our platform (in anonymised or aggregated form where possible).

4. Who We Share Your Data With

We do not sell your personal data to third parties. We share your data only where necessary with the following categories of recipients:

• Partner financing institutions: Licensed Kenyan banks and SACCOs (including but not limited to KCB, Equity Bank, NCBA, and Co-operative Bank) where you have requested a financing referral. Data shared is limited to that required for credit assessment and includes your name, contact details, employment information, and vehicle details.
• NTSA: Identity and vehicle data as required for registration and title transfer.
• Shipping and clearing agents: Contact and consignment details shared with our logistics partners for import orders.
• Technology service providers: Our web hosting and database infrastructure is powered by Supabase (a GDPR-compliant cloud platform). Data processing agreements are in place with all technology providers.
• Legal and regulatory authorities: Where required by court order, lawful request, or applicable law.

5. Data Security

RAS implements appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. These measures include:

• Encrypted data storage (AES-256) and encrypted data transmission (TLS 1.2+).
• Role-based access controls limiting staff access to personal data on a need-to-know basis.
• Regular security assessments and audit logging of data access events.
• Password hashing for all user accounts (bcrypt).

Despite these measures, no internet transmission is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, RAS will notify the ODPC within 72 hours and will notify affected individuals without undue delay as required by the DPA.

6. Data Retention

We retain your personal data for as long as is necessary for the purposes for which it was collected, and in any case for a minimum of 3 years from the date of last interaction or transaction. This period accounts for potential legal claims, warranty periods, and statutory obligations.

Financial records and sale documentation are retained for 7 years in accordance with the requirements of the Income Tax Act and the Value Added Tax Act. After expiry of the applicable retention period, personal data is securely deleted or anonymised.

7. Your Data Rights

Under the Kenya Data Protection Act 2019, you have the following rights with respect to your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure: Request deletion of your personal data where there is no lawful basis for continued processing, subject to legal retention obligations.
• Right to restrict processing: Request that we limit processing of your data in certain circumstances.
• Right to object: Object to processing based on legitimate interests, including direct marketing.
• Right to data portability: Receive your personal data in a structured, commonly used format.

To exercise any of these rights, please contact us at info@regionalautoselections.com. We will respond to your request within 21 days as required by the DPA.

8. Cookies

We use cookies and similar tracking technologies on our website. For full details of the cookies we use and how to manage them, please read our Cookie Policy.

9. Complaints to the ODPC

If you are not satisfied with our handling of your personal data or our response to a rights request, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya.

ODPC contact: www.odpc.go.ke. We nonetheless encourage you to contact us first so we can attempt to resolve your concern directly.