Introduction

This privacy notice has been developed in line with the provisions of Bahrain’s Personal Data Protection Law (30/2018) Keypoint Group (Keypoint) is committed to maintaining the confidentiality, integrity, and security of personal and sensitive information collected from clients and other individuals in accordance to applicable laws.

This privacy notice defines Keypoint Group’s procedures to process personal and sensitive personal data collected and processed by Keypoint Group through all means including websites, Credit Reference Bureau, participant banks and government entities.

Keypoint Group recognizes the importance of data privacy, and treats your data in accordance to applicable data protection regulations.

This notice should be read in conjunction with any other privacy notices or fair processing notices and product terms and conditions we may provide on specific occasions when we are collecting or processing personal data.

Our privacy notice is updated frequently. You will be informed whenever there is a significant change to this policy. This privacy notice has been last updated June 2023.

This privacy notice explains how we collect, use, store and share the personal data you provide us on www.keypoint.com

By accessing and using our websites, you agree to the terms and conditions of this privacy notice.

Definitions

Data or Personal Data: Any information of any form related to an identifiable individual, or an individual who can be identified, directly or indirectly, particularly through his/her personal ID number, or one or more of his/her physical, physiological, intellectual, cultural, or economic characteristics or social identity.

To determine whether an individual can be identified, all the means used by, or that may be available to, the Data Manager or any other person, shall be taken in consideration. Personal data that we collect may include name, ID and passport numbers, date of birth, email, and address. Personal data and supporting documentation required is available in our application forms.

Sensitive Personal Data: Any personal information that reveals, directly or indirectly, the individual’s race, ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to his/her health or sexual life.

Data Controller: The person who decides, solely or in association with others, the purposes and means of processing of certain personal data. In the events where such purposes and means are prescribed by Law, the Data Manager shall be the person who is responsible for the processing.

Data Processor: The person who processes the data for and on behalf of the Data Manager, not including whoever works for the Data Manager or Data Processor.

Direct Marketing: Any communication, by any means, through which a marketing or advertising material is directed to a specific person.

Processing: Any operation or set of operations carried out on personal data by automated or non-automated means, such as collecting, recording, organising, classifying in groups, storing, modifying, amending, retrieving, using, or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting, or destroying them.

Privacy Notice

1. What kind of personal information does Keypoint Group collect?

   As part of our legitimate business use and regulatory requirements Keypoint Group may collect the following information about our past, existing, and prospective clients (individuals and legal entities) for the purpose of providing our services.

   Data class	Indicative data elements
   Individual’s Information	Smart Card, Passport, National, Bank Statements, ID
   Legal entity’s information	CR No., Legal Structure, Partners, Constitutional Documents
   Financial information	Financial Statements, Audit Report
   Transaction Information	Bank Account, online payment
   Website and Application usage information	Domain Name, Email ID, Location

   In order to properly provide our services and to adhere to regulatory requirements, Keypoint Group collects personal data about you from the following sources:

   • Government Authorities and Regulators
   • Participants of Keypoint Group services (such as Banks and Billers)
   • If you contact us, we may keep a record of the correspondence
   • Keypoint Group’s websites
   • Correspondence with Keypoint Group
   • Participants and data providers of Keypoint Group’s Credit Reference Bureau
   • Events and marketing campaigns

   Personal data collected by Keypoint Group is restricted to the minimum information required to provide our services or as required by regulators. The consequences of not providing mandatory information may result in our inability to provide services requested by you.

   When you visit Keypoint Group’s websites and web applications, we may collect certain personal data automatically from your device such as:

   • Your IP address
   • Device type
   • Unique device identification number (such as MAC address)
   • Browser type, broad geographic location (on a country or city level)

   We also collect information about how your device has interacted with our site, including the pages accessed and links clicked. Collecting this information enables us to better understand the visitors who come to our website, where they come from and what content on our website is of interest to them. We use this information for our internal analytics purposes, and to improve the quality and relevance of our site to our visitors.

   Our site also uses various social media plugins as well as links to external websites that may collect information regarding your identifier and usage, as such, Keypoint Group will not be responsible for the data collection and content on these plugins and websites.

2. How does Keypoint Group safeguard the personal data collected?

   As the Data Manager we have a responsibility to apply technical and organizational measures capable of protecting the data against unintentional or unauthorized destruction, accidental loss, unauthorized alteration, disclosure or access, or any other form of processing.

   We have instituted adequate measures for providing an appropriate level of security aligned to the nature of the data being processed, and the risks that may arise from this processing. Our various security measures include encryption, firewalls, and access controls. Data is shared within Keypoint Group (including employees, contractors, agents, etc) on a need-to-know basis and under strict confidentiality arrangements. Notwithstanding this, despite our best efforts, we cannot absolutely guarantee the security of data against all threats. We have implemented suitable measures to identify, monitor and report any breaches to personal data in line with the requirements of the law.

   Keypoint Group limits access to personal information to its staff members, regulators, government authorities, vendors, consultants, employees, contractors, business partners or agents who require such access in connection with providing products or services to you or for other legitimate business purposes.

3. How does Keypoint process collected personal data?

   We may process your personal data for:

   1. Providing our products or services to you (as an individual and/or legal entity)
   2. Administering our relationship and maintaining contractual relations
   3. Complying with legal and regulatory requirements
   4. AML and fraud-prevention purposes
   5. Enhancement of our products and services
   6. Research, analysis, and statistical purposes
   7. Marketing of our current and/or upcoming products/services

4. To which third-parties does Keypoint Group disclose personal data?

   Keypoint Group only discloses data to third parties when explicitly requested by you, when required as per legal/regulatory requirement or to perform contractual obligations. Third-party recipients of data may include:

   1. Government authorities and regulators
   2. Members of Keypoint Group
   3. Courts, police, and law enforcements
   4. Advisors, auditors, and law firms (when required)

5. Is my data transferred out of Bahrain?

   Bahrain’s personal data protection law sets out the circumstances under which personal data can be transferred outside of Bahrain. Except in the circumstances described in “Disclosures” above, Keypoint Group will only disclose your personal data to third parties abroad that have agreed in writing to provide a sufficient level of privacy protection.

   We may need to transfer data outside Bahrain for providing uninterrupted services to you (Cloud Storage).

6. What are my rights?

   Under the provisions of the applicable laws, you are provided with the following rights in relation to the processing of your personal data. To exercise your rights under the law, you are required to authenticate yourself with adequate proof of identity.

   1. Right to enquire

      You have the right to request and obtain information on the personal data which Keypoint Group holds and processes, and the purpose for which it is maintained by Keypoint Group.

   2. Right to object

      You have the right to object to being contacted by us for direct marketing purposes.  On receipt of such objection, we will ensure that you are removed from the relevant marketing databases, as applicable.

   3. Right to Demand Rectification, Blocking or Erasure

      You may submit a request to rectify, block or erase your personal data, as the case may be, if the processing thereof is done in contravention of the provisions of the law, and in particular, if the data is incorrect, incomplete or not updated, or if the processing thereof is illegal.

   4. Right to withdraw consent

      At any time, after providing consent, you have the right to withdraw the consent provided.  Withdrawal of consent will be applicable to future use of the personal data and will not in any way impact legitimate use of the personal information prior to the withdrawal of the consent.

      Withdrawal of consent to process certain mandatory personal data related to services provided by Keypoint Group, may result in our inability to continue providing these services to you.

   5. Right to complain

      You may submit a complaint to Bahrain’s Personal Data Protection Authority, if you have reason to believe that any violation of the provisions of this privacy law has occurred or that we are processing personal data in contravention of its provisions.

      If you believe there has been a breach of privacy regarding your personal data, please contact us at:

      Email: dpg@keypoint.com
      Phone: +973 17200025/888
      Address: 24^th Floor-NBB Tower-PO Box 11718-Government Avenue-Manama-Kingdom of Bahrain

7. Will Keypoint Group use my data for direct marketing?

   Keypoint Group may use your identity, contact information, and profile data to directly market products and/or services that may be of interest to you.

   We will provide you an option to opt-to our marketing activities (including newsletters, promotions) at the time of signing-up for Keypoint Group’s services.  Existing customers who are already registered in our systems will continue to receive our marketing communications unless they opt-out.

   To opt-out of receiving direct marketing and to update your communication preferences please send an email to: dpg@keypoint.com.

   Keypoint Group does not share your personal information with third-party marketers or advertisers.

8. How long does Keypoint Group retain personal data?

   Once personal data is received by Keypoint Group, data will be stored in physical and digital formats (where applicable). Keypoint Group retains data for as long as required for the services you requested and in accordance with local regulatory and professional retention requirements.

   Keypoint Group may retain anonymized information for significant periods of time for historical, research and analysis purposes.