Uganda Privacy Notice
About this Privacy Notice
Chipper Technologies Uganda Limited (“Chipper” “we”) takes personal data of our data subjects that we collect seriously. We understand the need to treat such information as confidential and use the information strictly for the purpose for which they were obtained and in accordance with the applicable extant laws. We are therefore committed to treating personal data received through our product offerings, website and other platforms with due care and dedicated to safeguarding the personal data of our Data Subjects.
More importantly, we are bound by the Data Protection and Privacy Act 2019 and Data Protection and Privacy Regulations 2021 (both are herein referred to as “the law”). Therefore, in accordance with the obligations bestowed on Data Controllers and Data Processors under the law, this policy provides an overview of what personal data we gather about individuals (“you”) and how we process it.
Additionally, this policy outlines the rights available to you under the law and how you can exercise them.
1. What constitutes your consent?
By providing your personal data to us, you have signified your acceptance of our Privacy Policy and agree that we may collect, use and disclose your personal information for specified purposes as described in this Policy.
2. Who is legally responsible for handling your personal data and who can you contact about this subject?
According to the law, this responsibility rests upon the Data Controller, Processor or collector”, in this case:
Entity Name | Chipper Technologies Uganda Limited |
Registration Number | 80020001907810 |
Office Address | 1.02 SMS House, 7th Street Industrial Area P.O.Box 21015 Kampala, Uganda |
Telephone | 0200935935 |
Designated Data Protection Officer (DPO): |
If you have any general questions or concerns about this Policy as well as queries or complaints about the way in which we process your personal data, kindly contact our Data Protection Officer via the contact details above.
You also have the right to file a complaint against breach and non-compliance with the Personal Data Protection Office here.
3. What personal data do we process?
Personal data refers to any information that tells us something about you or that we can link directly to you. Typically, we will hold data about you that is relevant to the business relationship we have with you and how you interact with us.
We process any information we receive from you, including personal and financial information you provide to us in respect to on-boarding you as our customer, when you apply for a job with us, when we employ you as our staff, when you enquire about our services, register to use and/or use any of our services and when you communicate with us through our social media sites, our website or portal, e-mail, telephone or any other electronic means.
Personal Information
For Customers: We may collect your first, middle and last name; phone number; email address; home address; date of birth; account details; next of kin details; signature; an identification document such as a copy of your national identity card, international passport and other similar contact data to process your request.
Photo Capture; We may collect an image of your face captured as part of the liveness check during the identity verification process
For Employees: We may collect your first, middle and last name; phone number; email address; home address; date of birth, employment history, contacts of references, signature and other details for the fulfilment of your employment relationship with us.
For Vendors: We may collect a contact name, phone number; email address; office address, information related to the identification of the legal entity and other information necessary to fulfil your contract with us.
Credentials: When you subscribe to any of our products, particularly our e-channels products, you may be required to provide a User ID “Chipper Tag”, a password and similar security information used for authentication and account access. You may also be required or opt to use biometric identification to access your account and authenticate transactions.
Usage Data: We may collect usage data sent by your browser whenever you access our website or social media sites. When you access our services through a computer, this usage data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our service that was visited, the time and date of the visit, the time spent on those pages, unique device identifiers and other diagnostic data. When you access our services through a mobile device, this usage data may include the following:
Geo-Location information: We may request access or permission to and track location-based information from your mobile device, either continuously or while you are using our mobile application, to provide location-based services. If you wish to change our access or permissions, you may do so in your device's settings.
Mobile Device Access: We may request access or permission to certain features from your mobile device, including your mobile device's camera for the identity verification, contacts, and other features. If you wish to change our access or permissions, you may do so in your device's settings.
Mobile Device Data: We may automatically collect device information (such as your mobile device ID, model and Manufacturer), operating system, version information, IP address and diagnostic data.
4. Why do we collect your personal data?
We collect your personal data in order to facilitate and manage our relationship with you. Specifically, we collect your personal data for at least one of the following purposes:
For the performance of a contract
In order for you to open and maintain an account with us, have access to our products and services or work with us, we will need to process your personal data. We may also need to process your personal data to take steps at your request prior to entering into a contract.
For compliance with a legal obligation or acting in the public interest
As an organisation, we are subject to a number of statutory and regulatory obligations that may require us to collect, store or disclose personal data. Such obligations might be for anti-money laundering purposes, or to respond to investigations or disclosure orders from law enforcement agencies, our regulators, and tax or other public authorities.
For the purposes of legitimate interests
Where necessary, we will process your personal data to serve our legitimate interests or those of a third party. Such applicable cases include:
Managing our overall relationship with you as our customer, employee or vendor
Facilitating cross-border transactions
Responding to your complaints and enquiries
Carrying out statistical and other analyses to identify potential markets and trends, evaluate and improve our business
Information security and building security
Managing the risks and optimising the efficiency of our operations
Recording telephone calls and monitoring electronic communications for business and compliance purposes
Prevention and detection of fraud, money laundering and other financial crimes
Evaluating, bringing or defending legal claims
Assessment of your employability with us as well as for other employee benefits-related purposes when you become our staff
Marketing of our products and services. We will not send unsolicited marketing communications to you by SMS or email if you have not opted in to receive them. Additionally, you can withdraw your consent at any time and free of charge via our customer service channels
Audit purposes
5. What are our data collection methods?
We may obtain personal data through the following methods:
Direct collection source:
Electronic means (Chipper Application platform, emails, social media sites, website, telephone)
Job application documentation
Employee engagement forms
Third party data collection source:
Individuals nominated and authorised by the data subject to engage us on his/her behalf. A copy of your consent given to the third party to transfer your data to Chipper shall suffice for our processing
Financial Institutions
Publicly available sources e.g. newspapers, websites
Government agencies
Vendors engaged to conduct screening checks on newly employed staff before confirmation of appointment
Vendors engaged to conduct screening and identification verification on customers
6. Use of cookies
We will use cookie technology on our website. Cookies are small applications that are saved on your Internet browser when you use our website. The cookie is sent to your computer or device each time you visit our websites. Cookies enable you to access our website faster and have a better experience online. We do not sell any customer or visitor data collected from our website or application.
7. Record Retention
In line with the record preservation requirement of the Anti- Money Laundering (Amendment) Act 2017 , we will retain your personal data for a minimum period of ten (10) years from the date on which the evidence of your identity was obtained, any transaction or correspondence or on which the account is closed. This is to enable us to fulfil the relevant purposes set out in this policy and to comply with our regulatory obligations. However, we may retain personal data for longer periods if it is in our legitimate business interests and required to comply with other regulatory or legal obligations. We will continue to use and disclose such personal data in accordance with this Privacy Policy.
8. Sharing your personal data
We may share information about you with a range of third parties for our business purposes or as permitted/required by law. Such third parties may include: our service providers; professional advisors; background screening providers; health maintenance organisations; financial institutions; exchanges; regulators; law enforcement agencies; courts; public authorities; and potential purchasers of elements of our business. These third parties could be located outside Uganda.
We will only disclose information about you with your consent, where necessary, and in line with the provisions of the law.
9. Transferring your data to other countries
Where necessary, in line with the purposes described in section 8 above, information relating to you may be transferred to countries outside Uganda i.e. third countries. However, if we use service providers in a third country, they will be obligated to apply the same level of protection to your data as would be required under Ugandan law. We will enforce this through the inclusion of standard data protection clauses in our agreements with them and conducting vendor security assessment. Above all, we will only transfer your personal data to a third country in a way that is permitted under the law.
We may also share your information with our affiliates. Affiliates include our parent company (Critical Ideas Inc.) and any subsidiaries, joint venture partners or other companies that we control or that are under common control with us including:
Ghana - Critical Ideas Inc. Ltd
Kenya - Chipper Technologies Kenya Ltd
Mauritius - Chipper Technologies Mauritius Ltd
Rwanda - Chipper Technologies Rwanda Ltd
Tanzania - Chipper Cash Technologies Tanzania Ltd
Uganda - Chipper Technologies Uganda Ltd
Nigeria – Voyse Technologies Nigeria Ltd
Our Binding Corporate Rules establish the approach taken by Critical Ideas Inc. to protect and manage personal information globally by Chipper Cash affiliate companies when processing and sharing personal information.
10. What are your rights?
Under the Data Protection and Privacy Act, you are entitled to the following rights:
Right to Access
You have the right to access personal data relating to you. This enables you to receive a copy of the personal data we hold about you in electronic form
Right to Correct or Delete Data
You have the right to ask us to correct or delete your personal data that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
If we have made the personal data concerned public, we will also take reasonable steps to inform other data controllers processing the data so they can seek to correct or erase links to or copies of your personal data.
Right to Object to Processing of personal data
You may, by notice in writing to Chipper, require Chipper to cease the processing or further processing of personal data where the processing or further processing is not compatible with the purpose for which the personal data was collected. Our Privacy Policy informs you when we rely on legitimate interests to process your personal data. In these cases, we will stop processing your personal data unless we can demonstrate compelling legitimate reasons for continuing the processing. We may reject your request if the processing of your personal data is needed to establish, exercise or defend legal claims.
Additionally, you have the right to object at any time if we process your personal data for direct marketing purposes. You may also object at any time to profiling supporting our direct marketing. In such cases, we will simply stop processing your personal data when we receive your objection.
Request for Portability
You have the right to ask that we transfer any personal data that you have provided to us to another third party in a commonly used electronic format. Once transferred, the other party will be responsible for safeguarding such personal data.
Request to Object to Automated Decisions
You have the right to refuse, in writing to us, to any decision producing a legal effect concerning you or which otherwise significantly affects you if this is based solely on the automated processing of your personal data. This includes automated decisions based on profiling.
We may refuse your request if the decision in question is:
Necessary to enter into a contract with you, or for the performance of your contract with us, or
Permitted by regulations
To exercise these rights, please write to the Data Protection Officer via the contact details provided in Section 2 above.
11. How do we protect your personal data?
Our security systems are designed to prevent the loss, unauthorized destruction, damage and/or access to your personal data from unauthorized third parties. Some of our security measures include physical access controls to our premises, cyber security controls, and information access authorisation controls.
We will also publish security tips and updates from time to time on our website to make sure that you benefit from our security systems and stay updated with the latest fraud scams and trends. While we are dedicated to securing our systems and services, you are responsible for securing and maintaining the privacy of your password(s) and account/profile registration information and verifying that the personal data we maintain about you is accurate and up to date.
We will duly inform you of any breaches that may threaten the security and confidentiality of your personal data.
12. Remedies for violation of the privacy policy and timeframe for remedy
In the event of a violation of this policy, our Data Protection Officer shall within 7 days redress the violation. Where the violation pertains to the disclosure of your personal data without your consent, such information shall be retracted immediately, and confirmation of the retraction sent to you within 48 hours of the redress.
13. Changes to this Privacy Policy
We may amend this Privacy Policy from time to time from time to time in order to address amendments in the law or our business operations. This will be by posting a revised version and updating the “Effective Date” above. The revised version will be effective on the “Effective Date” listed. We will provide you with reasonable prior notice of material changes in how we use your information, including by email, if you have provided one, and via notification in the Chipper Cash Application. If you disagree with these changes, you may cancel your account at any time. If you keep using our Services, you consent to any amendment of this Privacy Policy.
14. Policy Effectiveness Date - November 2023