Data Privacy Uganda

POWER PRIVACY POLICY

Frictionless Financial Services SMC Limited

This Privacy Policy (“Policy”) was last updated in May 2026.

  About this Policy

The Power platform is operated in Uganda by Frictionless Financial Services SMC Limited (“FFS”, “Frictionless”, “Power”, “we”, “us” and “our”), a company incorporated in Uganda and licensed by the Uganda Microfinance Regulatory Authority (UMRA) as a Tier 4 money lender. FFS is a wholly-owned subsidiary of Power Financial Wellness Inc., a company incorporated in the State of Delaware, United States of America, which is the ultimate holding company of the Power group. FFS is the legal entity responsible for deploying and operating the Power mobile application on application stores, and any related websites and channels through which the Power platform is made available in Uganda.

References to “Personal Data”, “Data Subject”, “Data Controller”, “Data Processor” and other capitalised terms have the meanings given to them in this Policy or, where not defined here, the meanings given under the Data Protection and Privacy Act, 2019 (“DPPA”) and the Data Protection and Privacy Regulations, 2021 (the “Regulations”). References to “Power”, “we”, “us”, and “our” in this Privacy Policy are references to Frictionless Financial Services SMC Limited. FFS is registered with the Personal Data Protection Office (“PDPO”) as a Data Collector, Data Processor and Data Controller (Registration No. PDPO-202311-2748).

You are encouraged to read this Policy carefully to understand how we process your Personal Data. By accepting our terms and conditions or using our services, you acknowledge and agree to the practices described in this Policy. We may revise this Privacy Policy from time to time to reflect changes in our data processing practices or to comply with legal and regulatory developments. Where appropriate, we will notify you of material updates. This Policy should be read alongside our Terms and Conditions and any additional privacy notices or statements that we may provide at the point of data collection or processing. Such notices supplement this Policy and do not replace it.

Definitions

In this Policy, the following terms have the meanings given to them below. Terms not defined here have the meanings given under the DPPA and the Regulations.

  1. “Anonymisation” means the removal of personal identifiers from Personal Data so that the Data Subject is no longer identifiable;
  2. “Applicable Law” means the Constitution of the Republic of Uganda, the DPPA, the Regulations, the Tier 4 Microfinance Institutions and Money Lenders Act, 2016, the Anti-Money Laundering Act, 2013 (as amended), the Financial Institutions Act, 2004 (as amended), and all other laws, regulations, guidelines and codes of practice applicable to the Processing of Personal Data in Uganda, as amended from time to time;
  3. “Authority” means the National Information Technology Authority — Uganda (NITA-U), as defined under the DPPA;
  4. “Biometric Data” means Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allows or confirms the unique identification of that person, including facial recognition data, selfie photographs processed for identity matching, fingerprint data and liveness verification data. Biometric Data forms part of Special Personal Data under the DPPA;
  5.  “Child” means a person under the age of eighteen (18) years;
  6. “Consent” means any freely given, specific, informed and unambiguous indication of the Data Subject’s wish, by a statement or by a clear affirmative action, signifying agreement to the collection or Processing of Personal Data relating to the Data Subject (DPPA s.2);
  7. “Credit Reference Bureau (CRB)” means an entity licensed by the Bank of Uganda to collect, collate and disseminate credit information;
  8. “Data” means information that (a) is processed by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should be processed by such equipment; (c) is recorded as part of a relevant filing system; or (d) does not fall within paragraphs (a) to (c) but forms part of an accessible record;
  9. “Data Collector” means a person who collects Personal Data, as defined under the DPPA;
  10. “Data Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes for and the manner in which Personal Data is, or is to be, processed. For the purposes of this Policy, FFS is the Data Controller unless otherwise stated;
  11. “Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller;
  12.  “Data Protection Officer (DPO)” means the officer designated by FFS pursuant to regulation 47 of the Regulations and section 6 of the DPPA, responsible for overseeing FFS’s data protection compliance;
  13. “Data Subject” means an individual from whom or in respect of whom Personal Information has been requested, collected, collated, processed or stored;
  14.  “DPIA” means a Data Protection Impact Assessment carried out under regulation 12 of the Regulations;
  15. “Encryption” means the process of converting the content of any readable data using technical means into coded form;
  16. “Explicit Consent” means Consent that is given by the Data Subject through a clear, specific, separate affirmative action or statement (such as ticking an unchecked opt-in box, or providing a written or electronic signature) and which expressly relates to a specific purpose;
  17. “Filing System” means any structured set of Personal Data which is readily accessible by reference to a Data Subject or according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  18. “Group” means Power Financial Wellness Inc. and its subsidiaries and affiliates from time to time, including FFS;
  19.  “KYC” means Know Your Customer — the customer due diligence processes carried out under the Anti-Money Laundering Act, 2013 (as amended), and Tier 4 Microfinance Institutions and Money Lenders regulations;
  20. “Personal Data” means information about a person from which the person can be identified, that is recorded in any form, as defined under section 2 of the DPPA;
  21. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
  22.  “Platform” means the Power mobile application, any related website, and all digital services, products and channels through which Power provides financial wellness products and services to users in Uganda;
  23. “PDPO” means the Personal Data Protection Office established under the Regulations;
  24. “Processing” means any operation which is performed upon Personal Data by automated means or otherwise, including organisation, adaptation or alteration; retrieval, consultation or use; disclosure by transmission, dissemination or otherwise making available; and alignment, combination, blocking, erasure or destruction;
  25. “Profiling” means any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s economic situation, personal preferences, interests, behaviour, location or movements;
  26. “Pseudonymisation” means the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, where that additional information is kept separately and is subject to technical and organisational measures;
  27.  “Special Personal Data” means Personal Data relating to a person’s religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records, as defined under section 9 of the DPPA;
  28. “Sub-processor” means a natural or legal person, public authority, agency or other body engaged by a Data Processor to carry out specific Processing activities on behalf of that Data Processor and/or the Data Controller;
  29. “Third Party” means in relation to Personal Data, a person other than the Data Subject, the Data Collector, Data Controller, or any Data Processor or other person authorised to process data for the Data Controller or Processor (DPPA s.2).

In this Policy, unless the context requires otherwise: (i) the singular includes the plural and vice versa; (ii) a reference to any gender includes all genders; and (iii) headings and sub-headings are for convenience only and are not to be taken into account in interpretation.

Data Protection Principles

      1. FFS processes Personal Data in accordance with the principles of data protection set out in the DPPA. In particular, we shall ensure that, in collecting, processing, holding or using Personal Data, we:
        1.  are accountable to the Data Subject for the data we collect, process, hold or use;
        2. collect and process data fairly and lawfully;
        3. collect, process, use or hold adequate, relevant and not excessive or unnecessary Personal Data (data minimisation);
        4.  retain Personal Data for the period authorised by law or for which the data is required (storage limitation);
        5. ensure the quality of information collected, processed, used or held (accuracy);
        6. ensure transparency and your participation in the collection, processing, use and holding of your Personal Data; and
        7.  observe security safeguards in respect of the data.

Personal Data we collect and hold

      1. The Personal Data we collect about you depends on the products or services you apply for, register an interest in, or use. If you do not provide the Personal Data we reasonably request, we may not be able to deliver those products or services to you. Examples of Personal Data we may collect include:
        1. Identity Data: your name, username or similar identifier, National Identification Number (NIN), national identity card or passport number, alien identification card number, Tax Identification Number (TIN), photograph, date of birth, age, gender, marital status, title and nationality.
        2.  Contact Data: your postal address, physical address, email address and telephone numbers.
        3.  Financial Data: bank account details, mobile money account details, card payment details and other payment information.
        4.  Transaction Data: details of payments to and from you, loan disbursements, repayments and details of products and services acquired from us.
        5.  Credit Data: credit capacity, ability to be provided with credit, creditworthiness, and credit history obtained from licensed Credit Reference Bureaus.
        6. Technical Data: internet protocol (IP) address, login information, browser type and version, time zone setting, device information, operating system and platform, and other technology data from devices you use to access our Platform.
        7. Profile Data: your account information, product and service preferences, feedback, survey responses and interests.
        8.  Usage Data: information about how you use the Platform, products and services.
        9.  Communications Data: your preferences for receiving marketing and other communications from us and Third Parties, and your communication preferences generally.
        10. Biometric Data: your selfie photograph, facial geometry data and liveness verification data captured for identity verification and fraud prevention.
        11. Location Data: geolocation information collected via the Platform where you have consented to location services, used to provide and improve location-relevant features.
        12.  Employment and Income Data: information about your employer, income and earned wages, where you use earned wage access or salary advance services.
        13.  Device Data: your device ID and information about apps installed on your device, used to verify that you are using a trusted device, monitor your use of the Power app, and detect security threats.
      2. Throughout the life of the product or service, we may collect additional Personal Data about you. This includes transaction information, queries or complaints you make and, where applicable, information needed to assess an insurance claim.
      3. Some Personal Data we collect constitutes “Special Personal Data”, in particular your financial information and any health-related information you provide.
      4. We access certain features of your mobile device only with your permission and only to the extent necessary for the relevant service. If you do not provide permission, we may not be able to provide the service you have requested. The features we may access include your camera (for liveness identity verification), media (for ID document capture), location (for location-relevant features) and contacts (only for the purpose of sending payment notifications you initiate — we do not store or retain your contact list).
      5. On Apple iOS devices, we use ARKit to capture facial spatial orientation and expressions during liveness verification. This data is processed locally on your device for fraud prevention and is not submitted to any third party.
      6. From time to time we derive aggregated or anonymised data from the Personal Data we hold (for example, to analyse usage patterns or produce statistical reports). Data in this form does not identify any individual and is not Personal Data. Where we combine such data with other information so that an individual becomes identifiable, the combined data is treated as Personal Data under this Policy.

How we collect Personal Data

      1. We collect most Personal Data directly from you. For example, we collect Personal Data when you:
        1.  apply for, register an interest in, or enquire about a product or service;
        2.  open or operate an account on the Platform;
        3.  complete an identity verification or KYC process;
        4. provide feedback or make a complaint;
        5. request marketing communications or other information;
        6. complete a survey or take part in a promotion;
        7. visit our websites or use our mobile application; or
        8. pay using our services.
      2. Where the DPPA permits (for example, where data is in a public record, where you have consented, or where the data is necessary for the prevention or detection of an offence), we may also collect Personal Data about you from sources other than yourself. Such sources may include:
        1. publicly available registers, including the National Identification and Registration Authority (NIRA), Uganda Revenue Authority (URA), Uganda Registration Services Bureau (URSB), the Ministry of Lands and other government registries;
        2.  social media platforms, to the extent you have made your profile publicly accessible;
        3.  your nominated representatives;
        4. your employer, where you use earned wage access or salary advance services;
        5. other organisations who, jointly with us or in partnership with us, provide products or services to you, and with whom we have data sharing arrangements;
        6. service providers, such as fraud prevention and identity verification providers;
        7. insurers, lenders, mortgage insurers, re-insurers, and health care providers; and
        8.  Credit Reference Bureaus.

For what purposes do we collect, hold, use, and disclose Personal Data?

      1. The main reason we collect, use, hold, and disclose Personal Data is to provide you with products and services (including, where applicable, third-party products and services) and to help us run our business. This includes:
        1. checking whether you are eligible for the product or service;
        2. assisting you where online applications are not completed;
        3. providing the product or service;
        4. helping manage the product or service;
        5. helping us develop insights and conduct data analysis to improve the delivery of products and services, enhance our customer relationships, and effectively manage risks;
        6. to carry out identity verification and Know Your Customer (KYC) checks, including liveness verification;
        7. to manage risk, detect and prevent fraud, money laundering, and other financial crime, and to comply with AML/CFT obligations;
        8. to administer and protect the Platform, ensure business continuity, and manage complaints and queries;
        9. to use data analytics and research to understand credit risk, improve our Platform, and personalise our products and services;
        10. to enforce our rights under any agreement with you, including debt recovery;
        11. to send you marketing communications about our products and services (subject to your opt-out right); and
        12. understanding your interests and preferences so we can tailor digital content.
      2. For KYC and identity verification, we may review political affiliations to identify politically exposed persons, and may process criminal records data for fraud and money laundering prevention purposes.
      3. We may also anonymise the Personal Data we have collected for the purposes described in this Privacy Policy.
      4. As a result, this Privacy Policy will generally not apply to our use of anonymous information. However, we will continue to safeguard this anonymous information. Where we use anonymous information together with other information (including Personal Data), and in doing so, we are able to identify you, that information will be treated as Personal Data in accordance with this Privacy Policy and applicable Privacy Laws.
      5. We will only use your Personal Data where we have a lawful basis to do so. The lawful bases for Processing under the DPPA include: (i) your consent; (ii) performance of a contract to which you are a party; (iii) compliance with a legal obligation; (iv) protection of vital interests; and (v) our legitimate interests, where not overridden by your rights and interests.
      6. We may use or disclose your information to comply with our legislative or regulatory requirements in any jurisdiction and to prevent fraud, criminal, or other activity that may cause you, us, or others harm, including in relation to products or services.

Use and Disclosure

      1. We will only use your Personal Data for the purposes for which we collected it as indicated in this Privacy Policy, or for reasons we give you during the collection of the data. If we need to use your Personal Data for an unrelated purpose, we will notify you and seek your consent where necessary. Please note that we may process your Personal Data without your knowledge or consent if this is required or permitted by law. 
      2. We may use your information to comply with legislative or regulatory requirements in any jurisdiction, prevent fraud, crime, or other activity that may cause harm in relation to our products or services, and help us run our business.
      3. We may also disclose your Personal Data to anyone we engage to do something on our behalf, and other organisations that assist us with our business.
      4. As a provider of financial services, we have legal obligations to disclose some Personal Data to government agencies and regulators or agencies authorised by Applicable Law and regulations, e.g., licensed credit bureaus.
      5. If you fail to provide Personal Data that we require in order to provide a product or service, we may be unable to perform the contract we have with you, or may be unable to enter into a contract with you. We will notify you if this is the case at the relevant time.

How do we hold and protect your Personal Data?

      1. Much of the information we hold about you will be stored electronically.
      2. We store some of your information in secure data centres and with our contracted service providers (including cloud storage providers), and some of these data centres may be located outside Uganda.
      3. We use a range of physical, electronic, and other security measures to protect the security, confidentiality, and integrity of the Personal Data we hold. For example:
        1. access to our information systems is controlled through identity and access management controls;
        2. employees and our contracted service providers are bound by internal information security policies and are required to keep information secure;
        3. data processing agreements with all Processors and Sub-processors;
        4. data sharing agreements with third parties;
        5. all employees are required to complete training about privacy and information security; and
        6. we regularly monitor and review our compliance with internal policies and industry best practice. Unfortunately, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure.
      4. If you have reason to believe that your interaction with us is no longer secure, for example, if you feel that the security of any account you have with us has been compromised, please immediately contact us at [email protected].

Who do we disclose your Personal Data to, and why?

      1. We may share your Personal Data with our partners and third parties, including outsourced data processing undertaken on our behalf (some of which are located outside of Uganda), that we engage to provide products and services to you.
      2. When information is shared, we require our service providers to keep such information under strict privacy regulations and prohibit them from disclosing such information to anyone for any other purpose.
      3. We do not share or disclose any non-public Personal Data about you to any other companies except as permitted by or required by law or for the purpose of marketing their products to you.
      4. By accepting these terms and conditions, you are providing your explicit consent to share your information with these third-party partners, some of which may be outside your local jurisdiction, if necessary for legitimate business purposes as defined in this Policy.
      5. As a digital credit provider, we shall disclose any positive or negative information about you to credit reference bureaus licensed and approved by the Bank of Uganda.
      6. To protect Personal Data, we enter into contracts with our service providers and other third parties that require them to comply with applicable Privacy Laws and standards relating to data protection and information security.
      7. These contracts, amongst other things, require our service providers to only use the Personal Data we disclose to them for the specific role we ask them to perform.
      8. Generally, we use contracted service providers to help us in our business activities. For example, they may help us provide you with products and services, provide us with insurance, deliver technology or other support for our business systems, refer us to new customers, or assist us with marketing and data analysis.
      9. These organisations may include:
        1. our agents, Sub-processors, contractors, and contracted service providers (for example, mailing houses, technology service providers, identity verification providers, and cloud storage providers);
        2. authorised representatives and credit representatives who sell or arrange products and services on our behalf;
        3. third parties with legal standing: including trustees, executors, persons holding a power of attorney, and joint account holders, where applicable;
        4. insurers, and health care providers;
        5. payment systems operators (for example, merchants receiving card payments);
        6. other organisations, who jointly with us, provide products or services to you, or with whom we partner to provide products and services to you;
        7. other financial services organisations, including banks, CMA custodians, and contracted service providers;
        8. debt collectors;
        9. professional advisors such as our financial advisers, legal advisers, and auditors;
        10. fraud bureaus or other organisations to identify, investigate, or prevent fraud or other misconduct;
        11. regulatory bodies, government agencies, and law enforcement bodies in any jurisdiction;
        12. credit reporting bodies;
        13. where we are required or authorised by law, or where we have a public duty to do so;
        14. where you may have expressly consented to the disclosure, or your consent may be reasonably inferred from the circumstances; or
        15. emergency and welfare services: where disclosure is necessary to protect your vital interests or those of another person.
      10. We share your Personal Data with our Group entities, including affiliates and related entities within the Power Financial Wellness Inc. group, for legitimate business purposes consistent with this Privacy Policy.
      11. In the event of a merger, acquisition, restructuring, or sale of assets, Personal Data may be transferred to the acquiring entity, subject to equivalent privacy protections.

Transfer of Personal Data outside Uganda

      1. We may transfer your Personal Data to, or store and process it in, countries outside Uganda in the following circumstances:
        1. where you have consented to the transfer;
        2. where we engage Processors or Sub-processors whose operations are conducted from outside Uganda;
        3. where a cross-border transfer is necessary to fulfil a legal obligation or to perform a contract with you; or
        4. where a transfer is necessary for the establishment, exercise, or defence of legal claims.
      2. Where your information is transferred to affiliates of Power in other countries, we ensure that your Personal Data is protected by requiring that they follow the same rules when processing your Personal Data.
      3. When we, or our permitted third parties, transfer or store information outside Uganda, they or we will ensure that it is lawful and that it has an appropriate level of protection, including transfer to jurisdictions that have established data protection laws, and entering legally binding agreements to ensure the security of your Personal Data.
      4. Where your Personal Data is transferred to a country that does not provide an equivalent level of protection as Ugandan law, we will implement appropriate safeguards, which may include:
        1. a written Data Processing Agreement incorporating standard data protection clauses;
        2. binding corporate rules; or
        3. such other mechanism as may be recognised as adequate under Applicable Law from time to time.

Our Data Security

      1. We have appropriate security measures in place to prevent Personal Data from being accidentally lost, used, or accessed in an unauthorised way.
      2. The following security procedures and technical and organisational measures to safeguard your Personal Data have been put in place:
        1. Pseudonymisation, encryption, and anonymisation of Personal Data in transit and at rest.
        2. In cases where Personal Data is being processed in third countries or by third parties, a rigorous data protection impact assessment is performed to ensure that your data is always secured.
        3. Our application Platform is hosted in ISO 27001-certified secure data centres.
        4. Firewalls, intrusion detection and prevention, anti-virus and anti-malware, and backup and disaster recovery are in place to prevent data loss or deletion.
        5. Our applications are engineered by following industry standards to minimise security vulnerabilities and are updated on a regular basis.
        6. Intrusion detection and prevention secures the network traffic to the servers and applications.
        7. Anti-malware and anti-virus software is deployed to all of our servers and regularly scans and updates with the latest anti-malware and virus signatures.
        8. We regularly apply critical security patches and firmware updates to operating systems and physical hardware to minimise the risk of vulnerabilities.
        9. Our employees undergo background screening and selection processes, with a restricted list of employees having access to secure areas of the applications, databases, and physical infrastructure. Access to the secure areas is logged and auditable.
        10. We will use all reasonable efforts to safeguard your Personal Data. However, you should be aware that the use of the Internet is not entirely secure, and for this reason, we cannot guarantee the security or integrity of any Personal Data that is transferred from you or to you via the Internet.
        11. We limit access to your Personal Data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
      3. We have procedures to detect, investigate, and respond to a suspected Personal Data Breach.
      4. Where we have provided you with a password or PIN to access certain parts of our Platform, you are responsible for keeping that credential confidential and for not sharing it with any Third Party.

Marketing Communications

      1. We strive to provide you with choices regarding the use of your Personal Data for marketing purposes. We may use your Identity Data, Contact Data, Technical Data, Usage Data, and Profile Data to determine what products, services, and offers may be of interest to you.
      2. You will receive marketing communications from us if you have requested information from us or used our products and services, and you have not opted out. We will not use your Personal Data for marketing purposes where you have requested that we do not.
      3. We will not share your Personal Data with Third Parties for marketing purposes without your Explicit Consent. Where you have given consent, you may withdraw it at any time.
      4. You may opt out of receiving marketing communications from us at any time by:
        1. following the unsubscribe link in any marketing message sent to you;
        2. adjusting your notification preferences in the Platform settings;
        3. asking third parties to stop sending you marketing messages at any time by contacting them and following their opt-out process; or
        4. writing to us at [email protected].
      5. Opting out of marketing communications does not affect Personal Data provided to us in connection with your use of our products and services, which we will continue to process on other lawful bases.

Your rights as a Data Subject

    1. Subject to the conditions and exceptions provided under Applicable Law, you have the following rights in relation to your Personal Data:
  1. Right to be informed: the right to be informed about the collection, use, and processing of your Personal Data, including the identity and contact details of the Controller, the purposes of processing, the categories of data processed, and Third Parties with whom your data is shared.
  2. Right of access: the right to obtain confirmation as to whether Personal Data concerning you is being processed and, if so, to receive a copy of that data.
  3. Right to rectification: the right to request that inaccurate or incomplete Personal Data about you be corrected or completed without undue delay.
  4. Right to be forgotten (erasure/ deletion): the right to request the deletion of your Personal Data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent, and there is no other lawful basis for processing, or where the data has been unlawfully processed, subject to any overriding legal or regulatory retention obligation. Contact us at [email protected]  to request deletion, noting that we may continue to retain your information if we are entitled to do so or obliged by law.
  5. Right to restriction of processing: the right to request that the Processing of your Personal Data be restricted in certain circumstances, such as where you contest the accuracy of the data or where you have objected to Processing pending verification. This includes the right not to be subject to a decision based solely on automated Processing, including profiling, that produces legal or similarly significant effects, except where such Processing is necessary for a contract, authorised by law, or based on your Explicit Consent.
  6. Right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to request transmission of that data to another controller where technically feasible.
  7. Right to object: the right to object to the Processing of your Personal Data where Processing is based on our legitimate interests or is carried out for direct marketing purposes. We will cease such Processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  8. Right to withdraw consent: where Processing is based on your consent or Explicit Consent, you have the right to withdraw that consent at any time without affecting the lawfulness of Processing carried out prior to withdrawal.
    2. Before processing any request to exercise your rights under the DPPA, we may ask you to verify your identity. This is a necessary safeguard: it protects you by ensuring that Personal Data is neither disclosed to nor acted upon at the request of a person who is not the Data Subject or their duly authorised representative. We may also request clarification of the scope of your request, where this is necessary to locate the relevant Personal Data or to determine the appropriate response.
    3. We will respond to all valid requests within thirty (30) days of receipt, in accordance with regulation 10 of the Regulations. Where a request is unusually complex, involves the exercise of multiple rights simultaneously, or requires coordination with a Processor, we may extend this period by up to two further months. We will notify you of any such extension, and the reasons for it, within the initial thirty-day period, and will keep you informed of progress until the matter is resolved.
Complaint Handling

If you have a complaint about how we have collected, used, or otherwise processed your Personal Data, you should contact our Data Protection Officer (DPO) using the contact details provided in this Policy in the first instance. Upon receiving your complaint, our DPO will initiate an internal review process to investigate and resolve the issue. We will respond to your questions or concerns within fourteen (14) days of receipt. More complex queries may take time to resolve, and we will keep you informed if this is the case with your query.

Personal Data Breach Notification

We will report any Personal Data Breach to both the applicable regulatory bodies and the individuals or companies involved, as stipulated in the Applicable Law. If you want to report any concerns about our privacy practices or if you suspect any breach regarding your personal information, kindly notify us by sending an email to [email protected]

Data Retention

    1. We will only retain your Personal Data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. 
    2. In determining the appropriate retention period, we consider the following factors:
  1. the amount, nature, and sensitivity of the Personal Data;
  2. the potential risk of harm from unauthorised use or disclosure;
  3. the purposes for which we process the data and whether those purposes can be achieved by other means; and
  4. applicable legal, regulatory, tax, accounting, and other requirements.
    3. By law, we have to keep basic information about our customers (including contact, identity, financial, and transaction data) for a minimum of ten (10) years after they cease being customers.
    4. We may retain your Personal Data for a longer period than stated where: (a) there is a complaint, pending claim, or litigation reasonably anticipated; (b) a regulatory investigation or audit is underway; or (c) Applicable Law requires a longer retention period.
    5. In some circumstances, we will anonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Account Management, Deactivation, and Closure

      1. You can access your Personal Data from our services when you follow our procedures for Data Subject requests. You can always modify or update your Personal Data using the applicable menus in the App.
      2. When you wish to deactivate yourself from this mobile app, you are required to send a request to us, and we shall contact you to validate the request for processing. 
      3. A deactivated account may still have transactional history kept on our systems in accordance with applicable financial laws and data retention regulations or policies in your local jurisdiction.
      4. We retain your Personal Data even after you have closed your account if reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, resolve disputes, maintain security, and prevent fraud.

Disclosure of Personal Data in Specific Circumstances 

    1. We may disclose your Personal Data without your prior consent or knowledge in the following circumstances, to the extent required or permitted by Applicable Law:
  1. where required by a court order, subpoena, or other lawful legal process;
  2. where required by a regulatory authority, law enforcement agency, or government body with jurisdiction over us, including for AML/CFT reporting obligations;
  3. where disclosure is necessary in connection with national security, the prevention or detection of unlawful activity, or money laundering;
  4. where disclosure is necessary to protect the vital interests, health, or safety of any person; or
  5. where disclosure is necessary for the establishment, exercise, or defence of legal claims.
    2. We will, to the extent permitted by law, notify you of any such disclosure where we are able to do so.

Children’s Personal Data

      1. Our Platform and services are not directed at Children. We do not knowingly collect Personal Data from any person under the age of 18 years.
      2. Where the applicable age of majority in a relevant jurisdiction is higher than 18 years, the higher age threshold applies for the purposes of this section.
      3. If a parent or legal guardian believes that a Child has provided Personal Data to us without appropriate consent, they should contact us at [email protected]  immediately. We will take steps to delete such data as promptly as practicable.
      4. Where a product or service requires verification of age, and we have reason to believe a user is a Child, we will suspend or terminate access to that product or service pending verification.

Non-compliance

We reserve the right to end the contract with you for non-fulfillment of the conditions of this Policy and deny any request for information conflicting with this Policy. 

Contact information

You may direct any queries, complaints, or requests relating to the processing of your Personal Data, including requests to exercise your rights, to us at the address below:

Tiripati Mazima, Office 263

Ggaba Road, Kampala

P.O. Box 125472

Kampala, Uganda

Email: [email protected]

Attn of: Data Protection Officer (DPO) 

 


Definitions

In this Policy, the following terms have the meanings given to them below. Terms not defined here have the meanings given under the DPPA and the Regulations.
  1. “Anonymisation” means the removal of personal identifiers from Personal Data so that the Data Subject is no longer identifiable;
  2. “Applicable Law” means the Constitution of the Republic of Uganda, the DPPA, the Regulations, the Tier 4 Microfinance Institutions and Money Lenders Act, 2016, the Anti-Money Laundering Act, 2013 (as amended), the Financial Institutions Act, 2004 (as amended), and all other laws, regulations, guidelines and codes of practice applicable to the Processing of Personal Data in Uganda, as amended from time to time;
  3. “Authority” means the National Information Technology Authority — Uganda (NITA-U), as defined under the DPPA;
  4. “Biometric Data” means Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allows or confirms the unique identification of that person, including facial recognition data, selfie photographs processed for identity matching, fingerprint data and liveness verification data. Biometric Data forms part of Special Personal Data under the DPPA;
  5.  “Child” means a person under the age of eighteen (18) years;
  6. “Consent” means any freely given, specific, informed and unambiguous indication of the Data Subject’s wish, by a statement or by a clear affirmative action, signifying agreement to the collection or Processing of Personal Data relating to the Data Subject (DPPA s.2);
  7. “Credit Reference Bureau (CRB)” means an entity licensed by the Bank of Uganda to collect, collate and disseminate credit information;
  8. “Data” means information that (a) is processed by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should be processed by such equipment; (c) is recorded as part of a relevant filing system; or (d) does not fall within paragraphs (a) to (c) but forms part of an accessible record;
  9. “Data Collector” means a person who collects Personal Data, as defined under the DPPA;
  10. “Data Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes for and the manner in which Personal Data is, or is to be, processed. For the purposes of this Policy, FFS is the Data Controller unless otherwise stated;
  11. “Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller;
  12.  “Data Protection Officer (DPO)” means the officer designated by FFS pursuant to regulation 47 of the Regulations and section 6 of the DPPA, responsible for overseeing FFS’s data protection compliance;
  13. “Data Subject” means an individual from whom or in respect of whom Personal Information has been requested, collected, collated, processed or stored;
  14.  “DPIA” means a Data Protection Impact Assessment carried out under regulation 12 of the Regulations;
  15. “Encryption” means the process of converting the content of any readable data using technical means into coded form;
  16. “Explicit Consent” means Consent that is given by the Data Subject through a clear, specific, separate affirmative action or statement (such as ticking an unchecked opt-in box, or providing a written or electronic signature) and which expressly relates to a specific purpose;
  17. “Filing System” means any structured set of Personal Data which is readily accessible by reference to a Data Subject or according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  18. “Group” means Power Financial Wellness Inc. and its subsidiaries and affiliates from time to time, including FFS;
  19.  “KYC” means Know Your Customer — the customer due diligence processes carried out under the Anti-Money Laundering Act, 2013 (as amended), and Tier 4 Microfinance Institutions and Money Lenders regulations;
  20. “Personal Data” means information about a person from which the person can be identified, that is recorded in any form, as defined under section 2 of the DPPA;
  21. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
  22.  “Platform” means the Power mobile application, any related website, and all digital services, products and channels through which Power provides financial wellness products and services to users in Uganda;
  23.  “PDPO” means the Personal Data Protection Office established under the Regulations.
  24. “Processing” means any operation which is performed upon Personal Data by automated means or otherwise, including organisation, adaptation or alteration; retrieval, consultation or use; disclosure by transmission, dissemination or otherwise making available; and alignment, combination, blocking, erasure or destruction;
  25. “Profiling” means any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s economic situation, personal preferences, interests, behaviour, location or movements;
  26. “Pseudonymisation” means the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, where that additional information is kept separately and is subject to technical and organisational measures;
  27.  “Special Personal Data” means Personal Data relating to a person’s religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records, as defined under section 9 of the DPPA;
  28. “Sub-processor” means a natural or legal person, public authority, agency or other body engaged by a Data Processor to carry out specific Processing activities on behalf of that Data Processor and/or the Data Controller;
  29. “Third Party” means in relation to Personal Data, a person other than the Data Subject, the Data Collector, Data Controller, or any Data Processor or other person authorised to process data for the Data Controller or Processor (DPPA s.2);     
In this Policy, unless the context requires otherwise: (i) the singular includes the plural and vice versa; (ii) a reference to any gender includes all genders; and (iii) headings and sub-headings are for convenience only and are not to be taken into account in interpretation.

Data Protection Principles

      1. FFS processes Personal Data in accordance with the principles of data protection set out in DPPA. In particular, we shall ensure that, in collecting, processing, holding or using Personal Data, we:
        1.  are accountable to the Data Subject for the data we collect, process, hold or use;
        2. collect and process data fairly and lawfully;
        3. collect, process, use or hold adequate, relevant and not excessive or unnecessary Personal Data (data minimisation);
        4.  retain Personal Data for the period authorised by law or for which the data is required (storage limitation);
        5. ensure the quality of information collected, processed, used or held (accuracy);
        6. ensure transparency and your participation in the collection, processing, use and holding of your Personal Data; and
        7.  observe security safeguards in respect of the data.

Personal Data we collect and hold

      1. The Personal Data we collect about you depends on the products or services you apply for, register an interest in, or use. If you do not provide the Personal Data we reasonably request, we may not be able to deliver those products or services to you. Examples of Personal Data we may collect include:
        1. Identity Data: your name, username or similar identifier, National Identification Number (NIN), national identity card or passport number, alien identification card number, Tax Identification Number (TIN), photograph, date of birth, age, gender, marital status, title and nationality.
        2.  Contact Data: your postal address, physical address, email address and telephone numbers.
        3.  Financial Data: bank account details, mobile money account details, card payment details and other payment information.
        4.  Transaction Data: details of payments to and from you, loan disbursements, repayments and details of products and services acquired from us.
        5.  Credit Data: credit capacity, ability to be provided with credit, creditworthiness, and credit history obtained from licensed Credit Reference Bureaus.
        6. Technical Data: internet protocol (IP) address, login information, browser type and version, time zone setting, device information, operating system and platform, and other technology data from devices you use to access our Platform.
        7. Profile Data: your account information, product and service preferences, feedback, survey responses and interests.
        8.  Usage Data: information about how you use the Platform, products and services.
        9.  Communications Data: your preferences for receiving marketing and other communications from us and Third Parties, and your communication preferences generally.
        10. Biometric Data: your selfie photograph, facial geometry data and liveness verification data captured for identity verification and fraud prevention.
        11. Location Data: geolocation information collected via the Platform where you have consented to location services, used to provide and improve location-relevant features.
        12.  Employment and Income Data: information about your employer, income and earned wages, where you use earned wage access or salary advance services.
        13.  Device Data: your device ID and information about apps installed on your device, used to verify that you are using a trusted device, monitor your use of the Power app, and detect security threats.
      2. Throughout the life of the product or service, we may collect additional Personal Data about you. This includes transaction information, queries or complaints you make and, where applicable, information needed to assess an insurance claim.
      3. Some Personal Data we collect constitutes “Special Personal Data”, in particular your financial information and any health-related information you provide.
      4. We access certain features of your mobile device only with your permission and only to the extent necessary for the relevant service. If you do not provide permission, we may not be able to provide the service you have requested. The features we may access include your camera (for liveness identity verification), media (for ID document capture), location (for location-relevant features) and contacts (only for the purpose of sending payment notifications you initiate — we do not store or retain your contact list).
      5. On Apple iOS devices, we use ARKit to capture facial spatial orientation and expressions during liveness verification. This data is processed locally on your device for fraud prevention and is not submitted to any third party.
      6. From time to time we derive aggregated or anonymised data from the Personal Data we hold (for example, to analyse usage patterns or produce statistical reports). Data in this form does not identify any individual and is not Personal Data. Where we combine such data with other information so that an individual becomes identifiable, the combined data is treated as Personal Data under this Policy.

How we collect Personal Data

      1. We collect most Personal Data directly from you. For example, we collect Personal Data when you:
        1.  apply for, register an interest in, or enquire about a product or service;
        2.  open or operate an account on the Platform;
        3.  complete an identity verification or KYC process;
        4. provide feedback or make a complaint;
        5. request marketing communications or other information;
        6. complete a survey or take part in a promotion;
        7. visit our websites or use our mobile application; or
        8. pay using our services.
      2. Where the DPPA permits (for example, where data is in a public record, where you have consented, or where the data is necessary for the prevention or detection of an offence), we may also collect Personal Data about you from sources other than yourself. Such sources may include:
        1. publicly available registers, including the National Identification and Registration Authority (NIRA), Uganda Revenue Authority (URA), Uganda Registration Services Bureau (URSB), the Ministry of Lands and other government registries;
        2.  social media platforms, to the extent you have made your profile publicly accessible;
        3.  your nominated representatives;
        4. your employer, where you use earned wage access or salary advance services;
        5. other organisations who, jointly with us or in partnership with us, provide products or services to you, and with whom we have data sharing arrangements;
        6. service providers, such as fraud prevention and identity verification providers;
        7. insurers, lenders, mortgage insurers, re-insurers, and health care providers; and
        8.  Credit Reference Bureaus.

For what purposes do we collect, hold, use, and disclose Personal Data? 

    1. The main reason we collect, use, hold, and disclose Personal Data is to provide you with products and services (including, where applicable, third-party products and services) and to help us run our business. This includes: 
  1. checking whether you are eligible for the product or service; 
  2. assisting you where online applications are not completed; 
  3. providing the product or service; 
  4. helping manage the product or service; 
  5. helping us develop insights and conduct data analysis to improve the delivery of products, services, enhance our customer relationships, and to effectively manage risks;
  6. to carry out identity verification and Know Your Customer (KYC) checks, including liveness verification;
  7. to manage risk, detect and prevent fraud, money laundering, and other financial crime, and to comply with AML/CFT obligations;
  8. to administer and protect the Platform, ensure business continuity, and manage complaints and queries;
  9. to use data analytics and research to understand credit risk, improve our Platform, and personalise our products and services;
  10. to enforce our rights under any agreement with you, including debt recovery;
  11. to send you marketing communications about our products and services (subject to your opt-out right); and
  12. understanding your interests and preferences so we can tailor digital content.
    2. For KYC and identity verification, we may review political affiliations to identify politically exposed persons, and may process criminal records data for fraud and money laundering prevention purposes.
    3. We may also anonymise the Personal Data that we have collected for the purposes described in this Privacy Policy.
    4. As a result, this Privacy Policy will generally not apply to our use of anonymous information. However, we will continue to safeguard this anonymous information. Where we use anonymous information together with other information (including Personal Data), and in doing so, we are able to identify you, that information will be treated as Personal Data in accordance with this Privacy Policy and applicable Privacy Laws.
    5. We will only use your Personal Data where we have a lawful basis to do so. The lawful bases for Processing under the DPPA include: (i) your consent; (ii) performance of a contract to which you are a party; (iii) compliance with a legal obligation; (iv) protection of vital interests; and (v) our legitimate interests, where not overridden by your rights and interests.
    6. We may use or disclose your information to comply with our legislative or regulatory requirements in any jurisdiction and to prevent fraud, criminal, or other activity that may cause you, us, or others harm, including in relation to products or services.

Use and Disclosure

      1. We will only use your Personal Data for the purposes for which we collected it as indicated in this Privacy Policy, or for reasons we give you during the collection of the data. If we need to use your Personal Data for an unrelated purpose, we will notify you and seek your consent where necessary. Please note that we may process your Personal Data without your knowledge or consent if this is required or permitted by law. 
      2. We may use your information to comply with legislative or regulatory requirements in any jurisdiction, prevent fraud, crime, or other activity that may cause harm in relation to our products or services, and help us run our business.
      3. We may also disclose your Personal Data to anyone we engage to do something on our behalf, and other organisations that assist us with our business.
      4. As a provider of financial services, we have legal obligations to disclose some Personal Data to government agencies and regulators or agencies authorized by Applicable Law and regulations, e.g., Licensed Credit Bureaus.
      5. If you fail to provide Personal Data that we require in order to provide a product or service, we may be unable to perform the contract we have with you, or may be unable to enter into a contract with you. We will notify you if this is the case at the relevant time.

How do we hold and protect your Personal Data?

    1. Much of the information we hold about you will be stored electronically. 
    2. We store some of your information in secure data centres and with our contracted service providers (including cloud storage providers), and some of these data centres may be located outside Uganda. 
    3. We use a range of physical, electronic, and other security measures to protect the security, confidentiality, and integrity of the Personal Data we hold. For example: 
  1. access to our information systems is controlled through identity and access management controls; 
  2. employees and our contracted service providers are bound by internal information security policies and are required to keep information secure;
  3. data processing agreements with all Processors and Sub-processors;
  4. data sharing agreements with third parties;
  5. all employees are required to complete training about privacy and information security; and
  6. we regularly monitor and review our compliance with internal policies and industry best practice. Unfortunately, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure.
    4. If you have reason to believe that your interaction with us is no longer secure, for example, if you feel that the security of any account you have with us has been compromised, please immediately contact us at [email protected]

Who do we disclose your Personal Data to, and why?

    1. We may share your Personal Data with our partners and third parties, including outsourced data processing undertaken on our behalf (some of which are located outside of Uganda), that we engage to provide products and services to you. 
    2. When information is shared, we require our service providers to keep such information under strict privacy regulations and prohibit them from disclosing such information to anyone for any other purpose.
    3. We do not share or disclose any non-public Personal Data about you to any other companies except as permitted by or required by law or for the purpose of marketing their products to you.
    4. By accepting these terms and conditions, you are providing your explicit consent to share your information with these third-party partners, some of which may be outside your local jurisdiction, if necessary for legitimate business purposes as defined in this Policy.
    5. As a digital credit provider, we shall disclose any positive or negative information about you to credit reference bureaus licensed and approved by the Bank of Uganda.
    6. To protect Personal Data, we enter into contracts with our service providers and other third parties that require them to comply with applicable Privacy Laws and standards relating to data protection and information security. 
    7. These contracts, amongst other things, require our service providers to only use the Personal Data we disclose to them for the specific role we ask them to perform. 
    8. Generally, we use contracted service providers to help us in our business activities. For example, they may help us provide you with products and services, provide us with insurance, deliver technology or other support for our business systems, refer us to new customers, or assist us with marketing and data analysis. 
    9. These organisations may include: 
  1. our agents, Sub-processors, contractors, and contracted service providers (for example, mailing houses, technology service providers, identity verification providers, and cloud storage providers); 
  2. authorised representatives and credit representatives who sell or arrange products and services on our behalf; 
  3. third parties with legal standing: including trustees, executors, persons holding a power of attorney, and joint account holders, where applicable;
  4. insurers, and health care providers; 
  5. payment systems operators (for example, merchants receiving card payments); 
  6. other organisations, who jointly with us, provide products or services to you, or with whom we partner to provide products and services to you; 
  7. other financial services organisations, including banks, CMA custodians, and contracted service providers; 
  8. debt collectors; 
  9. professional advisors such as our financial advisers, legal advisers, and auditors; 
  10. fraud bureaus or other organisations to identify, investigate, or prevent fraud or other misconduct; 
  11. regulatory bodies, government agencies, and law enforcement bodies in any jurisdiction;
  12. credit reporting bodies;
  13. where we are required or authorised by law, or where we have a public duty to do so; 
  14. where you may have expressly consented to the disclosure, or your consent may be reasonably inferred from the circumstances; or
  15. emergency and welfare services: where disclosure is necessary to protect your vital interests or those of another person.
  1. We share your Personal Data with our Group entities, including affiliates and related entities within the Power Financial Wellness Inc. group, for legitimate business purposes consistent with this Privacy Policy.
  2. In the event of a merger, acquisition, restructuring, or sale of assets, Personal Data may be transferred to the acquiring entity, subject to equivalent privacy protections.

Transfer of Personal Data outside Uganda

    1. We may transfer your Personal Data to, or store and process it in, countries outside Uganda in the following circumstances:
  1. where you have consented to the transfer;
  2. where we engage Processors or Sub-processors whose operations are conducted from outside Uganda;
  3. where a cross-border transfer is necessary to fulfil a legal obligation or to perform a contract with you; or
  4. where a transfer is necessary for the establishment, exercise, or defence of legal claims.
  1. Where your information is transferred to affiliates of Power in other countries, we ensure that your Personal Data is protected by requiring that they follow the same rules when processing your Personal Data. 
  2. When we, or our permitted third parties, transfer or store information outside Uganda, they or we will ensure that it is lawful and that it has an appropriate level of protection, including transfer to jurisdictions that have established data protection laws, and entering legally binding agreements to ensure the security of your Personal Data. 
  3. Where your Personal Data is transferred to a country that does not provide an equivalent level of protection as Ugandan law, we will implement appropriate safeguards, which may include:
  1. a written Data Processing Agreement incorporating standard data protection clauses;
  2. binding corporate rules; or
  3. such other mechanism as may be recognised as adequate under Applicable Law from time to time.

Our Data Security

      1. We have appropriate security measures in place to prevent Personal Data from being accidentally lost, used, or accessed in an unauthorised way.
      2. The following security procedures and technical and organisational measures to safeguard your Personal Data have been put in place:
        1. Pseudonymisation, encryption, and anonymisation of Personal Data in transit and at rest.
        2. Where Personal Data is processed in third countries or by third parties, a rigorous data protection impact assessment is performed to ensure that your data is always secured.
        3. Our application Platform is hosted in ISO 27001-certified secure data centres.
        4. Firewalls, intrusion detection and prevention, anti-virus and anti-malware, and backup and disaster recovery are in place to prevent data loss or deletion.
        5. Our applications are engineered by following industry standards to minimise security vulnerabilities and are updated on a regular basis.
        6. Intrusion detection and prevention secures the network traffic to the servers and applications.
        7. Anti-malware and anti-virus software is deployed to all of our servers and regularly scans and updates with the latest anti-malware and virus signatures.
        8. We regularly apply critical security patches and firmware updates to operating systems and physical hardware to minimise the risk of vulnerabilities.
        9. Our employees undergo background screening and selection processes, with a restricted list of employees having access to secure areas of the applications, databases, and physical infrastructure. Access to the secure areas is logged and auditable.
        10. We will use all reasonable efforts to safeguard your Personal Data. However, you should be aware that the use of the Internet is not entirely secure, and for this reason, we cannot guarantee the security or integrity of any Personal Data that is transferred from you or to you via the Internet.
        11. We limit access to your Personal Data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
      3. We have procedures to detect, investigate, and respond to a suspected Personal Data Breach.
      4. Where we have provided you with a password or PIN to access certain parts of our Platform, you are responsible for keeping that credential confidential and for not sharing it with any Third Party.

 Marketing Communications

    1. We strive to provide you with choices regarding the use of your Personal Data for marketing purposes. We may use your Identity Data, Contact Data, Technical Data, Usage Data, and Profile Data to determine what products, services, and offers may be of interest to you.
    2. You will receive marketing communications from us if you have requested information from us or used our products and services, and you have not opted out. We will not use your Personal Data for marketing purposes where you have requested that we do not.
    3. We will not share your Personal Data with Third Parties for marketing purposes without your Explicit Consent. Where you have given consent, you may withdraw it at any time.
    4. You may opt out of receiving marketing communications from us at any time by:
  1. following the unsubscribe link in any marketing message sent to you;
  2. adjusting your notification preferences in the Platform settings;
  3. asking third parties to stop sending you marketing messages at any time by contacting them and following their opt-out process; or
  4. writing to us at  [email protected]
  1. Opting out of marketing communications does not affect Personal Data provided to us in connection with your use of our products and services, which we will continue to process on other lawful bases.

Your rights as a Data Subject

    1. Subject to the conditions and exceptions provided under Applicable Law, you have the following rights in relation to your Personal Data:
  1. Right to be informed: the right to be informed about the collection, use, and processing of your Personal Data, including the identity and contact details of the Controller, the purposes of processing, the categories of data processed, and Third Parties with whom your data is shared.
  2. Right of access: the right to obtain confirmation as to whether Personal Data concerning you is being processed and, if so, to receive a copy of that data.
  3. Right to rectification: the right to request that inaccurate or incomplete Personal Data about you be corrected or completed without undue delay.
  4. Right to be forgotten (erasure/deletion): the right to request the deletion of your Personal Data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent and there is no other lawful basis for processing, or where the data has been unlawfully processed, subject to any overriding legal or regulatory retention obligation. Contact us at [email protected] to request deletion, noting that we may continue to retain your information if we are entitled to do so or obliged by law.
  5. Right to restriction of processing: the right to request that the Processing of your Personal Data be restricted in certain circumstances, such as where you contest the accuracy of the data or where you have objected to Processing pending verification. This includes the right not to be subject to a decision based solely on automated Processing, including profiling, that produces legal or similarly significant effects, except where such Processing is necessary for a contract, authorised by law, or based on your Explicit Consent.
  6. Right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to request transmission of that data to another controller where technically feasible.
  7. Right to object: the right to object to the Processing of your Personal Data where Processing is based on our legitimate interests or is carried out for direct marketing purposes. We will cease such Processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  8. Right to withdraw consent: where Processing is based on your consent or Explicit Consent, you have the right to withdraw that consent at any time without affecting the lawfulness of Processing carried out prior to withdrawal.
  1. Before processing any request to exercise your rights under the DPPA, we may ask you to verify your identity. This is a necessary safeguard: it protects you by ensuring that Personal Data is neither disclosed to nor acted upon at the request of a person who is not the Data Subject or their duly authorised representative. We may also request clarification of the scope of your request, where this is necessary to locate the relevant Personal Data or to determine the appropriate response.
  2. We will respond to all valid requests within thirty (30) days of receipt, in accordance with regulation 10 of the Regulations. Where a request is unusually complex, involves the exercise of multiple rights simultaneously, or requires coordination with a Processor, we may extend this period by up to two further months. We will notify you of any such extension, and the reasons for it, within the initial thirty-day period, and will keep you informed of progress until the matter is resolved.
  1. Complaint Handling
If you have a complaint about how we have collected, used, or otherwise processed your Personal Data, you should contact our Data Protection Officer (DPO) using the contact details provided in this Policy in the first instance. Upon receiving your complaint, our DPO will initiate an internal review process to investigate and resolve the issue. We will respond to your questions or concerns within fourteen (14) days of receipt. More complex queries may take time to resolve, and we will keep you informed if this is the case with your query.

Personal Data Breach Notification

We will report any Personal Data Breach to both the applicable regulatory bodies and the individuals or companies involved, as stipulated in the Applicable Law. If you want to report any concerns about our privacy practices or if you suspect any breach regarding your personal information, kindly notify us by sending an email to [email protected]

Data Retention

    1. We will only retain your Personal Data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
    2. In determining the appropriate retention period, we consider the following factors:
  1. the amount, nature, and sensitivity of the Personal Data;
  2. the potential risk of harm from unauthorised use or disclosure;
  3. the purposes for which we process the data and whether those purposes can be achieved by other means; and
  4. applicable legal, regulatory, tax, accounting, and other requirements.
  1. By law, we have to keep basic information about our customers (including contact, identity, financial, and transaction data) for a minimum of ten (10) years after they cease being customers. 
  2. We may retain your Personal Data for a longer period than stated where: (a) there is a complaint, pending claim, or litigation reasonably anticipated; (b) a regulatory investigation or audit is underway; or (c) Applicable Law requires a longer retention period.
  3. In some circumstances, we will anonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. 

Account Management, Deactivation, and Closure

      1. You can access your Personal Data from our services when you follow our procedures for Data Subject requests. You can always modify or update your Personal Data using the applicable menus in the App.
      2. When you wish to deactivate your account on this mobile app, you are required to send a request to us, and we shall contact you to validate the request for processing.
      3. A deactivated account may still have transactional history kept on our systems in accordance with applicable financial laws and data retention regulations or policies in your local jurisdiction.
      4. We retain your Personal Data even after you have closed your account if reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, resolve disputes, maintain security, and prevent fraud.

Disclosure of Personal Data in Specific Circumstances 

    1. We may disclose your Personal Data without your prior consent or knowledge in the following circumstances, to the extent required or permitted by Applicable Law:
  1. where required by a court order, subpoena, or other lawful legal process;
  2. where required by a regulatory authority, law enforcement agency, or government body with jurisdiction over us, including for AML/CFT reporting obligations;
  3. where disclosure is necessary in connection with national security, the prevention or detection of unlawful activity, or money laundering;
  4. where disclosure is necessary to protect the vital interests, health, or safety of any person; or
  5. where disclosure is necessary for the establishment, exercise, or defence of legal claims.
  1. We will, to the extent permitted by law, notify you of any such disclosure where we are able to do so.

Children’s Personal Data

      1. Our Platform and services are not directed at Children. We do not knowingly collect Personal Data from any person under the age of 18 years.
      2. Where the applicable age of majority in a relevant jurisdiction is higher than 18 years, the higher age threshold applies for the purposes of this section.
      3. If a parent or legal guardian believes that a Child has provided Personal Data to us without appropriate consent, they should contact us at [email protected]  immediately. We will take steps to delete such data as promptly as practicable.
      4. Where a product or service requires verification of age, and we have reason to believe a user is a Child, we will suspend or terminate access to that product or service pending verification.

Non-compliance

We reserve the right to end the contract with you for non-fulfillment of the conditions of this Policy and deny any request for information conflicting with this Policy. 

Contact information

You may direct any queries, complaints, or requests relating to the processing of your Personal Data, including requests to exercise your rights, to us at the address below:

Tiripati Mazima, Office 263
Ggaba Road, Kampala
P.O. Box 125472
Kampala, Uganda
Email: [email protected]
Attn of: Data Protection Officer (DPO)