Privacy Notice

Privacy Notice

Privacy Notice

                                    This privacy notice was last updated on 08/11/23


This Privacy Notice (the “Notice”) governs how I&M Bank Limited (hereafter, “I&M Bank”), collects, uses, and discloses personal data from and about consumers of I&M Bank services, website and web applications that link to this Notice (collectively referred to as, the “Services”). This Privacy Notice covers any products or services of our consumers have with us including accounts, loans, cards, investments and insurance, and these form part of the Services. 

Personal data in this context means information relating to an identified or identifiable natural person. 

Wherever the terms “You” or “Your” are used herein, this means you (consumer), any authorized person on your account(s) and anyone who deals with us on your behalf including attorneys under a Power of Attorney, legal executors, personal representatives, beneficiaries and trustees.

Wherever the terms “We” or “Us” are used herein, this means I&M Bank Limited, which is the primary data controller of your personal data. (The following subsidiary companies will act as data controllers where you hold a product or engage a service from them: I&M Bancassurance Intermediary Limited and I&M Capital Limited)

We advise you to read the Notice in its entirety, including the region-specific  [1]provisions in this Notice, which will apply to users in certain regions or jurisdictions.

Personal data collected through the Services

I&M Bank collects and uses certain personal data in order to operate and provide you with access to the Services, as permitted by applicable data protection laws and regulations where we operate being Kenya, Uganda, Tanzania, Rwanda and Mauritius and the links to the specific privacy notices for each country are accessible at [4][5][6][7] and [8] respectively. This includes information that you provide to us and information that we collect automatically when you visit or interact with the Services. We may also get some information that is in the public domain.

Information that you provide to us

We collect personal data that you voluntarily provide to us when you use the Services. This information includes, without limitation: your name, gender, date of birth and other personal details; your email addresses, telephone numbers, and other contact details; biographical information; audio and visual data, social media information; submissions to our customer service whether by phone, face-to-face, e-mail or other means of communication; feedback, including those of market research, on our website, web or mobile app; online preferences, such as alerts; and business information, such as your company name and industry.

Based on the data we collect from you, we shall ensure the information you provide to us is accurately maintained as collected from you. You are responsible must inform us of any changes to your data as soon as possible so that we rectify and keep your data up to date. If you give us information of another person that is required for using the Services, you will be required to inform them of how to find this Notice and ensure they agree to us using their information as provided by you.

We may also record and monitor conversations you have with us through phone calls, in-person meetings, letters, e-mails, online chats or other forms of communication in order to confirm instructions issued to us by you, improving our Services, ensure privacy and safety of your data or manage any possible risks.

Information that we collect about your use of the services

We collect information about your use of the Services and about the device you use to access the Services, including: the pages you request and visit; the posts you submit; information on your interaction with other users; information obtained in the course of maintaining or supporting the Services; information about your internet use, such as your IP address, the URLs of sites from which you arrive or leave the Services, your type of browser, your operating system, your internet service provider; and, if you access the Services via your mobile device, we may also collect information about your mobile provider, IMSI, IMEI and type of mobile device.

We (and our data processors) use different technologies to collect this information, including cookies and web beacons. Cookies are small data files stored on your hard drive or in device memory that help us improve our Services and your experience, see which areas and features of our Services are popular, and count visits. Web beacons are electronic images that may be used in our Services or emails and help deliver cookies, count visits, and understand usage and campaign effectiveness.

We may also use automated systems to assist us in taking some decisions regarding your use of the Services which include but are not limited to decisions regarding credit rating, identifying fraud or financial crime decisions, insurance pricing, or investment risks through the use of the Service.

For more information about cookies and how to disable them, please visit this-page[3]

 Online Advertising and analytics services provided by others

We may allow others to provide analytics services and serve advertisements on our behalf across the web and in mobile applications, to enhance our Services. These entities may use cookies, web beacons, device identifiers and other technologies to collect information about your use of the Services and other websites and applications, including your IP address, web browser, mobile network information, pages viewed, time spent on pages or in apps, links clicked, and conversion information. This information may be used by us and our data processors to, among other things, analyse and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on our Services and other websites, and better understand your online activity.

How personal data is used

We use the personal data we collect to provide, maintain, and improve the Services or if we have other legal reasons for using the personal data. We also use it to:

  1. Send you technical notices, general updates, goodwill messages, security alerts, and support and administrative messages (such as changes to our terms, conditions, and policies) and to respond to your comments, questions, and customer service requests;
  2. Receive and respond to your submissions on the Services such as submissions on I&M Bank website, web applications and mobile applications, social media and submissions to Customer Service Contacts;
  3. Permit you to participate in voluntary polls and surveys (we may use third parties to deliver incentives to you to participate in such polls and surveys, and you may be required to provide your contact details to the third party in order to fulfil the incentive offer);
  4. Communicate with you about products, services, and events offered by I&M Bank and others, and provide news and information we think will be of interest to you;
  5. Monitor and analyse trends, usage, and activities in connection with our Services;
  6. Develop new products and services and enhance current products and services;
  7. Detect, investigate, and prevent fraudulent transactions and other illegal activities, and protect the rights and property of I&M Bank and others (public interest);
  8. Exercise, protect and defend our legal rights;
  9. Enable us to enter into or carry out an agreement we have with you;
  10. Comply with a law, regulation or any legal obligation; and
  11. Carry out any other purpose described to you at the time of collecting information.

How personal data is shared

We may share your information with others where lawful to do so as described in this Notice and including the following:

  1. With our data processors that host, maintain, manage, or provide other services to us in relation to the Services;
  2. To co-operate with public and government authorities, courts and law enforcement, to respond to a request, or to provide information in accordance with existing laws;
  3. For other legal reasons, such as to monitor compliance with and enforce our terms and conditions, to protect our rights, privacy, safety, or property, and/or that of our affiliates, you or others, to protect against criminal activities, and for risk management purposes; and
  4. In connection with a sale or business transaction, such as to an acquiring entity or its advisors in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
  5. To market the Services to you or others where you have given us your permission;
  6. To enable our legitimate interests including but not limited to granting credit facilities, debt recovery, provision of asset or fund management and account operations.

We may also share aggregated pseudonymised or anonymised information that cannot reasonably be used to identify you to protect your privacy rights.


All our Services provided to children align to the data protection requirements in law. These include consent provided by the child’s parent/guardian and age verification. If you have reason to believe that a child has provided personal data to us, please contact us and we will endeavour to delete that information from our databases.

Links to other websites

The Services may contain links to other websites. Please note that I&M Bank Limited is not responsible for the privacy or information security practices of other websites. You should carefully review the applicable privacy and information security policies and notices for any other websites you click through to via the Services. This Notice applies solely to your personal data collected by the Services.


We seek to use appropriate technical and organizational measures to safeguard personal data within our organization against loss, theft, breach, and unauthorized use, disclosure, or modification. We have taken measures to keep your data secure including encryption and other forms of security. We also require our employees and any third party who we engage to comply with our internal policies and to input the appropriate compliance measures as in the applicable laws and regulations, by executing confidentiality agreements, data processing agreements and other documentation for imposition of the regulatory obligations to safeguard your data.

Please refer to the content below to note your obligations in controlling your privacy and data.

Control Your Privacy & Data

Marketing communication

We may use your information to provide you with details about our Services and also other services we are promoting. We may send you requests to opt-in receiving these marketing communication by post, e-mail, telephone, text messages, social media or our web services. You can change how you wish to receive the marketing communication, or you can stop receiving the marketing communication at any time. If you no longer want to receive marketing-related communication from I&M Bank, you may opt out/unsubscribe by following the instructions contained within each such communication to you or through I&M Bank’s call centre. We will endeavour to comply with your request as soon as is reasonably practicable. 

Please note that if you opt-out of receiving marketing-related communication, we may still send you administrative messages, from which you cannot opt out or unsubscribe, such as changes to our terms and conditions, system upgrades or communication requiring regulatory compliance.


Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of our Services. For more information about cookies and how to disable them, please visit this-page[3]

Changes to this notice

From time to time, we may revise this Notice. Changes may be made for any number of reasons, including but not limited to reflect industry initiatives, changes in the law, and changes to the scope of the Services, among other reasons. You can tell when we last updated the Notice by checking the date at the beginning of the Notice. Any changes will become effective when we post the revised Notice on the Services.

Contact us

If you have any other questions concerning this Notice, please contact us through our available channels or through the link:

Legal basis for processing

When we process your personal data we will only do so in the following situations:

  1. When we need to use your personal data to perform our responsibilities under our terms and conditions accessible at [9] (e.g., to facilitate your participation in voluntary polls and surveys);
  2. When we have a legitimate interest in processing your personal data. For example, we may process your personal data to send you marketing communications, to communicate with you about changes to the Services, and to provide, secure, and improve our Services;
  3. When we find such processing is necessary to comply with our legal obligations; and
  4. When we have your consent to do so. When consent is the legal basis for our processing, you may withdraw such consent at any time, in accordance to applicable laws and regulations.

Your rights

We want to make sure you are aware of your rights in relation to the personal information we process about you.

We have described your rights and the circumstances in which they apply in the table below.

If you wish to exercise any of these rights, if you have any queries about how we use your personal information that are not answered here, or if you wish to complain regarding your rights, please contact us as provided herein.


Your Rights


It is important to note that these rights are subject to the applicable laws and regulations. 

If you would like to exercise your rights or access further information on anything detailed in this Privacy Notice you may contact our Data Protection Officer at: -

[email protected] or write to us to the following address:

Data Protection Officer,

I&M Bank Limited,

Kenyatta Avenue,

P.O. Box 30238-00100,

Nairobi, Kenya.


Alternate contacts: -

Email: [email protected] or [email protected] Phone: +254 719 088 000; +254 20 322 1000 or +254 732 100 000

Or: Visit your nearest I&M Bank Branch.








Informed – You have a right to be informed of how we use your personal data.

Access – You have a right to get access to the personal information we hold about you.

To object – You have the right to object to the processing of all or part of your personal data.

Correction of false or misleading data - You have a right to rectification of inaccurate personal information and to update incomplete personal information we hold about you.

Deletion of false or misleading data – You have a right to request us to delete false or misleading data we hold about you.

Data portability – You have a right to request us to send a copy your personal data to another organisation.

Erasure – You have a right to request that we delete your personal information.

Marketing – You have a right to object to direct marketing.

Withdraw consent – You have a right to withdraw your consent.


Data retention

We retain personal data for as long as required by applicable laws and regulations. For instance, we will keep your banking data for a period of seven years from the end of our relationship with you in compliance with legal and regulatory requirements or use it for our legitimate purposes such as managing your account and dealing with any legal disputes, fraud or financial crime, responding to regulators or other legal concerns that may arise. Where we do not need to retain your data for this period of time, we may destroy, delete or anonymise it sooner at your request or our discretion.


Data transfer

Your personal data may be stored and processed in any country where we have facilities or in which we engage data controllers or processors. Where the data is shared, we will ensure that it has an appropriate level of protection and that the transfer is lawful, in accordance with the applicable data protection laws and regulations.


If you need this information in a different format please contact us through any of our available channels or the link:


Your use of the Services signifies that you agree to the use of your personal data by I&M Bank for the specific purposes mentioned in this privacy notice.  This Privacy Notice is communicated to you via our website at [4] and you have made an informed decision to allow I&M Bank to process your personal data as set out herein .

DPO Contact Details

Telephone: +254 719 088000 / +254 732 100000 / 0203221000

Email: [email protected] 

I&M Tower,

Kenyatta Avenue,

P.O. Box 30238-00100,

Nairobi, Kenya.



They include links to the Privacy Notices of the countries we have subsidiaries at and the General Data Protection Regulations (GDPR) which applies to European Union (EU) region as below.