Client Cargo Management Portal

Customer and Third-Party Data Processing Policy

DOC REFERENCE APPROVED BY DESIGNATION
BSL/LGL/CTP-DPP2025 SOLOMON ONDEGO DEPUTY CEO
VERSION: 02 ISSUE NO. 01 ISSUE DATE: DECEMBER, 2025
BOARD AUTHOURIZATION ISSUED, DECEMBER 2025.

Table of Contents

1. INTRODUCTION

  1. This Customer & Third Party Data Processing Policy (Policy) applies to the processing of Personal Data (defined below) by Bulkstream Limited (the Company, also referred to as we, us or our in this Policy) arising from transactions or interactions between the Company and our customers, vendors, service providers, consultants, suppliers, agents, merchants, dealers, visitors and other third parties having dealings with the Company. This Policy sets out how the Company processes Personal Data relating to external parties and complies with the Data Protection Legislation (as defined below).
  2. Please review this Policy carefully to understand our practices. This Policy applies to all users (including visitors) of any of the Company’s Platform(s) (as defined below), customers, sub-contractors, agents, service providers and any other third party with respect to any Product, Service or Engagement (as defined below) as well in-person interactions with the Company or its staff.
  3. We do not knowingly collect or process Personal Data of children (persons under the age of 18 years) without verifiable parental or legal guardian consent. Where we become aware that we have collected Personal Data from a child without proper consent, we will take steps to delete such information as soon as reasonably practicable. If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us immediately using the details in Section 16 so that we can take appropriate action.

Note: This does not apply to situations where processing of a child’s data is required by law (such as for statutory reporting, child protection obligations, or other legal requirements), in which case we will process such data in compliance with applicable legal obligations.

2. TERMS

  1. For ease of reference, the terms below as used in the Policy have the following meaning:
    1. Consent, controller, processor, data subject, processing, personal data and Data Commissioner shall have the definitions ascribed to them in the Data Protection Legislation;
    2. Data Protection Legislation means the Data Protection Act (No. 24 of 2019, laws of Kenya) and any regulations issued under it, and any/all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications) and the guidance and codes of practice issued by the Data Commissioner;
    3. Engagement means any dealing, transaction or other engagement entered into with the Company;
    4. Platform or electronic platform means our websites, mobile applications and computer network (including the software, hardware, firmware, equipment, and other electronics, computer and telecommunications devices and equipment) that provides connection and information, used by us in connection with the provision of the Products and Services or Engagement;
    5. Products or Services means such products or services made available, accessed, published or otherwise offered by or to the Company; and
    6. You or your refers to any customer, supplier, vendor, agent, merchant, dealer, visitor, consultant, or third party whose Personal Data is processed by the Company with respect to any Product, Service or Engagement.
  2. Words and expressions defined in the Data Protection Legislation shall bear the same meanings ascribed to them in the Data Protection Legislation wherever used herein.

3. DATA CONTROLLER

  1. The Company is the data controller and is responsible for your Personal Data.
  2. We will process Personal Data only as permitted under this Policy or otherwise permitted or required by the Data Protection Legislation or any other applicable laws and we will comply with all applicable requirements of the Data Protection Legislation.

4. DATA COLLECTED

  1. Depending on the Products or Services you are obtaining, accessing or providing or the Engagement you have with the Company, different types of information may be collected, stored, used and transferred by us (including through the Platform).
No.DataPurpose includes:
1.Identity information such as your first name, last name, surname, username or similar identifier, nationality, date of birth, identification card or passport number.
  • To identify you and verify your identity;
  • To register you as a customer, supplier, or partner;
  • To comply with legal and regulatory obligations (including KYC, AML, and statutory reporting).
2.Contact information such as your billing address, delivery address, email address and telephone numbers, the name of your business, and/or location.
  • To communicate with you regarding services, deliveries, invoices, support, or engagements;
  • To send notices, updates, alerts, or legal/contractual communications;
  • To fulfil service delivery, logistics, and operational functions.
3.Professional information such as qualifications and/or other information relating to your business, employment and your employer.
  • To assess suitability for engagement, contracting or collaboration;
  • To conduct due diligence and verify credentials;
  • For vendor, consultant or stakeholder management purposes.
4.Financial information such as income, preferred mode of payment, bank account and/or mobile money details.
  • To process payments, refunds, payouts or disbursements;
  • To prevent fraud and verify lawful ownership of payment instruments;
  • To comply with financial reporting and audit requirements.
5.Transaction data such as details about payments to and from you and other details of Products and Services you have purchased or accessed from or supplied to the Company or other Engagements you have had with the Company.
  • To manage and record transactions, orders and service history;
  • For billing, accounting, auditing, and compliance;
  • To improve service delivery and customer experience.
6.Verification information such as government issued national identification or passport, Tax Registration Certificates, National Health Insurance Fund card, National Social Security Fund card, business registration certificates.
  • To verify identity and legal status of individuals and entities;
  • To meet statutory, regulatory, and contractual compliance requirements;
  • For due diligence, KYC/AML, and anti-fraud purposes.
7.Technical data such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Platform or obtain our Services.
  • To provide, maintain, and secure the Platform and Services;
  • To troubleshoot technical issues and improve user experience;
  • To prevent fraud, detect security threats, and comply with legal obligations.
8.Usage data such as information about how you use the Platform, Services, and Products.
  • To understand customer preferences and improve services;
  • To conduct analytics and business intelligence.
  • To personalize user experience where consent is provided.
9.Marketing and communications data such as your preferences in receiving marketing from us and our third parties and your communication preferences.
  • To send you marketing communications;
  • To manage your communication preferences and respect opt-out requests;
  • To comply with anti-spam and marketing regulations.
10.Call and Meeting Recordings: Audio and/or video recordings of telephone calls, video conferences, online meetings, AI generated transcripts and minutes from recorded meetings and other communications with the Company.
  • Quality assurance and service improvement;
  • Staff training and performance evaluation;
  • Dispute resolution and evidence retention;
  • Regulatory compliance and audit requirements;
  • Security and fraud prevention;
  • Record-keeping for contractual and legal purposes.
11.Security and Access Control Data including: CCTV video recordings from cameras on Company premises; Biometric data such as fingerprints and photographs collected at entry points; Access logs and entry/exit records; Vehicle registration numbers; Visitor and contractor sign-in information.
  • To monitor and control access to Company premises, particularly customs bonded areas and restricted zones;
  • To maintain security and prevent unauthorized access, theft, or fraud or mis delivery;
  • To protect customer cargo and Company assets;
  • To verify the identity of third-party transporters, drivers, and personnel collecting cargo;
  • To maintain accurate access records for accountability and security incident investigation;
  • To comply with security requirements for customs bonded facilities;
  • To provide evidence for security incidents, disputes, or regulatory inquiries;
  • To facilitate efficient cargo collection and prevent operational congestion.
  1. We may also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity.
  2. Certain categories of data we collect above, such as biometric data (fingerprints, facial recognition) and health data, are classified as Sensitive Personal Data under the Data Protection Legislation. We process this data only where strictly necessary for specific purposes (such as security access control or statutory employee benefits) and we apply enhanced security measures to protect this information.
  3. Please note that the purposes listed in this clause represent the primary purposes for collecting the personal data listed alongside it. However, this list is not exhaustive, and we may process your data for additional purposes where: (i) There is a requirement under the law to do so; (ii) The additional purpose is compatible with the original purpose for which data was collected; or (iii) You have provided specific consent for the additional purpose. Where we process your data for a new purpose, we shall do so in line with the Data Protection Legislation.

5. HOW DATA IS COLLECTED

  1. We use different methods to collect data from and about you including through:
    1. Direct interactions: You may provide your Identity, Contact, Financial, Professional, Transaction and Account Information by filling in forms or by corresponding with us by phone, email or other electronic platforms such as websites, biometric system, online portals and applications. This includes Personal Data provided when you:
      1. complete the KYC and on-boarding process;
      2. create an account on our electronic platform;
      3. use of our electronic platform;
      4. purchase, subscribe to or use our Products or Services;
      5. provide or supply Products or Services to the Company;
      6. enter into an Engagement with us;
      7. participate in telephone calls, video meetings or online meetings that are recorded;
      8. request marketing to be sent to you;
      9. voluntarily initiate contact with us for business or other purpose;
      10. enter a competition, promotion or survey; or
      11. give us feedback or contact us.
    2. Automated technologies or interactions: As you interact with our Platform, we will automatically collect technical data about the equipment, browsing actions and patterns. We collect this Personal Data by using cookies, server logs and other similar technologies. If you participate in any telephone calls or online or video meetings conducted via Zoom or Microsoft Teams or other similar platforms, these may be recorded for the purposes outlined above and recording notifications may be provided automatically by the relevant communication platform.
    3. Third parties or publicly available sources: We will receive Personal Data about you from various third parties and public sources as set out below:
      1. our agents, subcontractor, distributors, vendors, suppliers and partners;
      2. providers of technical, payment, delivery, analytics and search information services;
      3. advertising and marketing networks;
      4. parties with whom you may have entered into agreements; and
      5. any publicly available sources.
    4. We may also collect data through:
      1. CCTV cameras installed at our premises for security purposes;
      2. Biometric scanners at entry points for access control and identity verification;
      3. Access control systems that log entry and exit times.
  2. Where we collect information from third parties, some of these third parties may retain your Personal Data in accordance with their agreement with you and their data privacy policies. We are not liable for any non-compliance with the Data Protection Legislation by, or any breaches with respect to Personal Data in the possession of, these third parties.
  3. Your engagement with the Company signifies your consent to collection of your personal data and other information from third parties. You have the right to withdraw this consent at any time.

6. LAWFULNESS OF PROCESSING

  1. We will only use your Personal Data when the law allows us to. Most commonly, we will use your Personal Data in the following circumstances:
    1. Performance of Contract: Where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
    2. Legal Obligation: Where it is necessary for compliance with a legal obligation to which we are subject.
    3. Legitimate Interests: Where it is necessary for the purposes of our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Our legitimate interests include operating our business, providing services, managing customer relationships, preventing fraud, ensuring security, and complying with internal policies.

      Where we process biometric data (such as fingerprints, facial recognition, or photographs for access control purposes), this would follow an assessment that biometric verification is necessary and proportionate given the nature of our operations, and appropriate technical and organizational safeguards to protect your rights and freedoms would be in place.

    4. Consent: Where we have obtained your specific consent to process your Personal Data for a specific purpose. You have the right to withdraw consent at any time by contacting us.

7. THIRD PARTY SHARING

  1. We may share your Personal Data with the following categories of third parties:
    1. Service Providers: Third parties who provide IT, system administration, logistics, payment processing, customer service, marketing, and other services to us.
    2. Professional Advisers: Lawyers, bankers, auditors, insurers, and other professional advisers who provide consultancy, banking, legal, insurance, accounting, and auditing services.
    3. Regulatory and Law Enforcement Authorities: Government bodies, regulatory authorities, law enforcement agencies, courts, and other public authorities where required by law or to enforce our legal rights.
    4. Business Partners: Strategic partners, affiliates, subsidiaries, and other entities with whom we have commercial relationships for the purpose of providing services or products.
    5. Corporate Transactions: Third parties in connection with any merger, sale, acquisition, reorganization, or transfer of all or part of our business or assets.
  2. We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

8. DATA RETENTION

  1. We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
  2. In some circumstances we will anonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. COOKIES

  1. Some of our websites use cookies. We use cookies in order to offer you a more tailored experience in the future, by understanding and remembering your particular browsing preferences.

  2. Where we use cookies on websites, we will obtain your consent (which you may withdraw at any time after giving it). You can set your browser to refuse all or some browser cookies, but this will make some parts of the websites inaccessible or not function properly.

10. DATA TRANSFERS

  1. We may transfer your Personal Data outside Kenya to service providers, business partners, or other third parties located in other countries. Where we transfer your Personal Data out of Kenya, we shall do so in accordance with the requirements of the Data Protection Legislation, which permit cross-border transfers on several lawful grounds. These include: (i) transfers to jurisdictions with an adequacy decision, (ii) transfers based on your consent, (iii) transfers based on necessity (e.g., performance of a contract, or pursuit of a legitimate interest), or (iv) transfers subject to appropriate safeguards, among other permitted grounds.

  2. The Company will rely on any of the lawful bases available under Kenyan data protection law and will ensure that your Personal Data continues to be handled in a manner that upholds your rights and freedoms.

11. DATA SECURITY

  1. We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include:
    1. Technical and organizational measures such as encryption, access controls, and secure data storage;
    2. Limiting access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know;
    3. Requiring all parties with access to your Personal Data to maintain its confidentiality and security;
    4. Regular security audits, testing, and updates to our systems and procedures.
  2. We have procedures in place to deal with any suspected Personal Data breach and will notify you and the Data Commissioner of a breach as per the requirements of the Data Protection Legislation.

12. DATA SUBJECT RIGHTS

  1. Under the Data Protection Legislation, you have the following rights:
    1. Right to Access: You have the right to request access to your Personal Data and receive information about how we process it.
    2. Right to Rectification: You have the right to request that we correct any Personal Data that is inaccurate or complete any incomplete Personal Data.
    3. Right to Erasure: You have the right to request that we delete your Personal Data in certain circumstances, such as where the data is no longer necessary or where you withdraw consent.
    4. Right to Restriction of Processing: You have the right to request that we restrict the processing of your Personal Data in certain circumstances.
    5. Right to Data Portability: You have the right to receive your Personal Data in a structured, commonly used and machine-readable format and to transmit that data to another controller where technically feasible.
    6. Right to Object: You have the right to object to our processing of your Personal Data where we are relying on legitimate interests or processing for direct marketing purposes.
    7. Right to Withdraw Consent: Where we are relying on consent to process your Personal Data, you have the right to withdraw that consent at any time.
  2. To exercise any of these rights, please contact us using the details provided in Section 16 below. We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights).
  3. Please note that the rights set out above are subject to limitations and exceptions under applicable laws, including but not limited to legal obligations to retain data for tax, regulatory, employment, or other statutory purposes.

13. ACCURACY OF DATA

  1. It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us by contacting us using the details in Section 16 below.

14. COMPLAINTS AND ENFORCEMENT

  1. If you have any concerns about our use of your Personal Data, you can make a complaint to us using the contact details in Section 16 below.

15. AMENDMENTS

  1. We may update this Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal or regulatory reasons. We will notify you of any material changes by posting the updated Policy on our website or Platform and, where appropriate, by other means such as email. Your continued use of our Products, Services, or Platforms after such changes constitutes your acceptance of the updated Policy.

16. CONTACT DETAILS

  1. If you have any questions about this Policy or our privacy practices, or if you wish to exercise any of your rights under the Data Protection Legislation, please contact us at:


    Bulkstream Limited
    80469-80100, Mombasa – Kenya
    Email: compliance@bulkstream.com
    Tel: +254 (0) 703 017 229

IMPLEMENTATION OF POLICY: This Policy shall be deemed effective as of 1st January 2026.