3.1.We process vehicle data to create a transparent market of used vehicles in order to protect used car buyers from fraud and contribute to the safety of road traffic and road users. This purpose covers our commitment to:

• 3.1.1.provide clear and understandable information about the vehicle of interest to the individual that would otherwise be costly, difficult or impossible to verify independently;
• 3.1.2.collect and control information on vehicles, and to administer/develop internal databases to provide relevant information in reports.

4.1.When collecting information about vehicles, we process the following categories of data:

• 4.1.1.vehicle identification and technical parameters of vehicles: vehicle Car Registration (licensed number plate), licence plate number, registration data, model, year of manufacture, emissions, specs and equipment;
• 4.1.2.vehicle service and event data: service, event (damage), import/export, usage purpose records also mileage, warranty, insurance, theft and accident data;
• 4.1.3.financial data on the vehicle: date (when the financing started), type (leasing, hire purchase, etc.), term of financing, etc;
• 4.1.4.other data: photos of the vehicle, data on the change of ownership (fact of change of registration), publicly available information;
• 4.1.5.data contained in CarTrust reports: vehicle records according to clauses 4.1.1 - 4.1.4 (after the expiry date of the report (30 days after the acquisition), we have no way to determine what data was provided in a specific report when it was purchased, and we process the vehicle data contained in the report in the same way as any other vehicle data).

4.2.The reports we provide are produced using an automated task solution (data aggregation), based on a query from the customer who ordered a report. We use a Car Registration (licensed number plate)-oriented data analysis approach and link the information to a specific vehicle according to its Car Registration (licensed number plate). For the preparation of reports, we select and organize information on the vehicle as an object (asset) and do not collect information on its owners or holders.

6.1.We process data from a variety of sources, such as official vehicle registers, maintenance and vehicle repair service providers, authorised repairers, vehicle dealers, insurance claims administrators, and information publicly available on the internet.

7.1.Personal data will be retained for as long as it is necessary for one of the purposes indicated in this Privacy Notice.

7.2.As a rule of thumb, data relating to vehicles shall be retained for 30 years from the date then CarTrust receives the vehicle data. This retention period is in line with the lifespan of an average vehicle.

8.1.We may use an automated data processing solution to process vehicle data, for example, to analyse or aggregate vehicle information, to ensure the quality of the reports we provide at CarTrust, or to train the artificial intelligence solution we use.

8.2.Automated decision-making means processing of personal data using a software code or algorithm, an artificial intelligence solution that does not require human intervention. We regularly review the methods we use to make such decisions to ensure that they are fair, efficient, and impartial. If a data subject objects to the results provided by an automated solution, they are evaluated by our specialists.

9.1.You have the following rights:

• 9.1.1.the right to have access to your personal data and to receive information about the processing of your personal data;
• 9.1.2.the right to rectify your personal data if it has changed or if it is inaccurate or incorrect. We may ask you to provide evidence that the information is inaccurate or incorrect;
• 9.1.3.the right to erasure (right to be forgotten) unless we are obliged to retain the data or our interests in the processing continue to prevail;
• 9.1.4.the right to restrict the processing of the data under certain conditions set out in the GDPR;
• 9.1.5.the right to object to the processing of your personal data when it is processed for legitimate interests;
• 9.1.6.the right to lodge a complaint with the data protection supervisory authority if you believe that your data is not processed properly.

9.2.If you wish to exercise the rights listed above, you can contact us by email at info@CarTrust.com or contact the Data Protection Officer at dpo@CarTrust.com.

9.3.When you make a request to exercise your data subject rights, we will ask you to provide information about your identity and relation to a particular vehicle (e.g., the vehicle registration document). We need such information as we do not collect data that allow direct identification of a data subject.

9.4.In order to better understand your request, we may ask you to fill in the relevant request form, ask you to provide a request signed with a smart or qualified electronic signature, or send your request by post.

9.5.In accordance with the Kenya Data Protection Act, 2019, we may refuse to fulfill your request to exercise certain rights—such as the rights to access, rectify, or erase your data—if such a request is not authorized under applicable Kenyan data protection law. We may also refuse your request if we determine that our legitimate interests, or those of a third party, outweigh the potential impact of the data processing on your rights, or if we are unable to identify you where such identification is necessary to fulfill your request.

9.6.We do not normally charge any fee for exercising your rights. However, the law allows us to charge a reasonable fee or to refuse to comply with your request if it is manifestly unfounded or excessive.

9.7.Upon receipt of your request, we will provide you with a response no later than 1 month from the date of the request and will carry out the actions set out in the request or inform you of our grounds for refusal to do so. If necessary, the time limit may be extended by a further 2 months depending on the complexity and number of requests. In this case, we will inform you of the extension within 1 month of receipt of your request.

9.8.If personal data is erased, we may retain copies of the information if it is necessary to protect our legitimate interests and those of others, to comply with obligations of public authorities, to resolve disputes, to identify disruptions or to comply with agreements.

10.1.You can contact us in relation to any data processing issues by email at info@kisoko.com, by contacting the Data Protection Officer at support@kisokolab.com or phone +254759323621.