Privacy Policy
Effective Date: 1st January 2025 | Version 2.4
1. PRELIMINARY PROVISIONS & SCOPE OF APPLICATION
For the purposes of this instrument, unless the context otherwise requires:
"Data Controller" shall mean Bash Tours & Travel, a travel facilitation enterprise operating under the trade aegis of Ugxplora, with its principal place of business situate in Kampala, Republic of Uganda.
"Data Subject" shall mean any identified or identifiable natural person whose personal data is Processed, including but not limited to visitors, clients, passengers, vendors, and any other natural person whose information traverses our systems by whatever means.
"Processing" shall be accorded the broadest possible construction and shall encompass any operation or set of operations which is performed upon personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
This Privacy Policy constitutes a legally binding unilateral declaration of the Data Controller's data protection practices and shall govern the collection, Processing, storage, transfer, and disposal of all personal data obtained from Data Subjects who interact with our digital properties, including but not limited to the website located at the domain under which this policy is published, any subdomains, mobile applications, API endpoints, booking platforms, and any other digital touchpoints owned or operated by the Data Controller (hereinafter collectively referred to as the "Platform").
By accessing, browsing, or utilising the Platform, or by otherwise furnishing personal data to the Data Controller through any channel, the Data Subject hereby acknowledges having read, understood, and irrevocably consented to the practices described in this Privacy Policy. Should the Data Subject dissent from any provision herein contained, the Data Subject is enjoined to forthwith cease all use of the Platform and to refrain from submitting any personal data to the Data Controller.
This Privacy Policy shall be read and construed in pari materia with the Data Controller's Terms of Use, and any inconsistency between the two shall be resolved in favour of the interpretation that affords the greatest protection to the Data Subject's personal data, save where such interpretation would place the Data Controller in breach of applicable statutory obligations.
2. LEGAL BASIS FOR PROCESSING & JURISDICTIONAL COMPLIANCE
2.1 The Data Protection and Privacy Act, 2019 (Uganda)
The Data Controller's Processing activities are primarily governed by the Data Protection and Privacy Act, 2019 of the Republic of Uganda, and any regulations promulgated thereunder. The Data Controller shall Process personal data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality as enshrined in the aforesaid Act.
2.2 The General Data Protection Regulation (GDPR)
Notwithstanding the Data Controller's primary establishment in Uganda, the Data Controller voluntarily extends certain protections articulated under Regulation (EU) 2016/679 (the General Data Protection Regulation) to all Data Subjects regardless of their geographic locus, including but not limited to the right of access, the right to rectification, the right to erasure ('right to be forgotten'), the right to restriction of Processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling. The Data Controller's voluntary adherence to GDPR principles shall not be construed as an admission of extraterritorial jurisdiction, but rather as a manifestation of the Data Controller's commitment to internationally recognised data protection standards.
2.3 Lawful Bases Enumerated
The Data Controller shall only Process personal data where one or more of the following lawful bases subsist:
- The Data Subject has given explicit, informed, and unambiguous consent to the Processing for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the Data Subject is a party, including but not limited to vehicle hire agreements, tour package bookings, and accommodation reservations;
- Processing is necessary for compliance with a legal obligation to which the Data Controller is subject, including but not limited to taxation statutes, anti-money laundering regulations, and counter-terrorism financing laws;
- Processing is necessary to protect the vital interests of the Data Subject or of another natural person;
- Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
3. TAXONOMY OF PERSONAL DATA COLLECTED
3.1 Data Voluntarily Furnished by the Data Subject
The Data Controller collects personal data that the Data Subject voluntarily and knowingly provides when interacting with the Platform or communicating with the Data Controller through any medium. This encompasses, without limitation:
- Identity and Demographic Data: Given names, surnames, national identification numbers, passport particulars, date of birth, nationality, and gender;
- Contact Data: Electronic mail addresses, mobile telephone numbers, fixed-line telephone numbers, postal addresses, and residential addresses;
- Transactional Data: Booking histories, vehicle hire preferences, tour package selections, payment instrument details (including credit card numbers, mobile money account identifiers, and bank account information processed through PCI-DSS compliant third-party payment processors), billing addresses, and invoice records;
- Travel Documentation Data: Driving licence particulars (including licence numbers, issuing authorities, categories of entitlement, and expiry dates), international driving permits, passport copies, visa documentation, and travel insurance certificates where applicable;
- Communications Data: The content, metadata, and records of any correspondence exchanged between the Data Subject and the Data Controller, whether by electronic mail, instant messaging, telephonic communication, postal mail, or any other means of telecommunication;
- Preference Data: Vehicle type preferences, seating configurations, transmission preferences, air conditioning requirements, child seat specifications, and any other special instructions or requests voluntarily disclosed by the Data Subject.
3.2 Data Collected Through Automated Means
When the Data Subject accesses or interacts with the Platform, the Data Controller's systems automatically collect certain categories of data through server logs, cookies, web beacons, pixels, and similar tracking technologies. Such data includes:
- Technical Identifiers: Internet Protocol (IP) addresses, Media Access Control (MAC) addresses, device fingerprints, and universally unique identifiers (UUIDs);
- Browser and Device Data: Browser types and versions, operating system specifications, device manufacturer and model, screen resolution, language preferences, and time zone settings;
- Usage and Interaction Data: Uniform Resource Locators (URLs) of referring and exit pages, clickstream data, page response times, download errors, duration of page visits, interaction patterns (including scrolling behaviour, mouse movements, and keystroke dynamics), and search queries executed on the Platform;
- Geolocation Data: Approximate geographic location derived from IP address geolocation databases, and precise geolocation data where the Data Subject has explicitly granted location permissions through their browser or device settings.
3.3 Data Received from Third-Party Sources
The Data Controller may receive personal data about Data Subjects from third-party sources, including but not limited to: social media platforms where the Data Subject has elected to authenticate or link their accounts; payment processors and financial institutions; travel agencies and booking platforms through which the Data Subject has made reservations; identity verification services; and publicly available sources, including but not limited to government registries, electoral rolls, and professional licensing databases.
3.4 Special Categories of Personal Data
The Data Controller does not knowingly collect or Process special categories of personal data (also known as sensitive personal data), including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, unless: (a) the Data Subject has provided explicit consent; (b) the Processing is necessary for the establishment, exercise, or defence of legal claims; or (c) the Data Subject has manifestly made such data public.
4. PURPOSES OF PROCESSING & CORRESPONDING LAWFUL BASES
The Data Controller Processes personal data for the following enumerated purposes, each anchored to a specific lawful basis:
| Purpose of Processing | Lawful Basis |
|---|---|
| To register and administer user accounts, verify identity, and authenticate access credentials | Performance of a contract; Legitimate interests |
| To process, confirm, and fulfil vehicle hire reservations, tour bookings, and related travel services | Performance of a contract |
| To process payments and maintain financial records in accordance with applicable taxation and accounting standards | Performance of a contract; Legal obligation |
| To communicate service-related notifications, including booking confirmations, itinerary changes, and operational alerts | Performance of a contract; Legitimate interests |
| To transmit marketing communications, promotional offers, and newsletters where consent has been obtained | Consent; Legitimate interests (existing customers) |
| To personalise the user experience and deliver targeted content and advertisements | Consent; Legitimate interests |
| To conduct analytics, generate aggregated statistical insights, and improve Platform functionality | Legitimate interests |
| To detect, prevent, and investigate fraudulent transactions, security incidents, and violations of our Terms of Use | Legal obligation; Legitimate interests |
| To comply with lawful requests from courts, law enforcement agencies, regulatory authorities, and other government bodies | Legal obligation |
5. COOKIE POLICY & SIMILAR TRACKING TECHNOLOGIES
5.1 Definition and Function
Cookies are small text files that are deposited on the Data Subject's terminal equipment (including computers, smartphones, tablets, and other internet-enabled devices) when the Data Subject visits the Platform. Cookies perform various essential and non-essential functions, including session management, preference retention, authentication, security, and analytics.
5.2 Taxonomy of Cookies Deployed
- Strictly Necessary Cookies: These cookies are indispensable for the operation of the Platform and cannot be deactivated in our systems. They are typically set only in response to actions made by the Data Subject that constitute a request for services, such as setting privacy preferences, logging in, or completing forms.
- Performance and Analytics Cookies: These cookies collect aggregated, pseudonymised information about how Data Subjects interact with the Platform, including which pages are visited most frequently and whether error messages are received. The data collected is used solely for the purpose of improving the Platform's performance and user experience.
- Functional Cookies: These cookies enable the Platform to provide enhanced functionality and personalisation, such as remembering the Data Subject's language preferences, region selection, and previously viewed vehicles or tour packages.
- Targeting and Advertising Cookies: These cookies are deployed to deliver advertisements that are relevant to the Data Subject's inferred interests, to limit the frequency with which advertisements are displayed, and to measure the effectiveness of advertising campaigns.
5.3 Consent and Withdrawal
The Data Controller shall obtain the Data Subject's prior consent before deploying any non-essential cookies on the Data Subject's terminal equipment. The Data Subject may withdraw consent at any time by adjusting their browser settings to refuse cookies, by deleting cookies already stored, or by utilising the cookie preference management tool available on the Platform. The Data Subject is hereby notified that the deactivation of certain categories of cookies may materially impair the functionality of the Platform and may render certain features inoperative.
6. DATA RETENTION & DISPOSITION SCHEDULES
The Data Controller shall retain personal data only for such period as is necessary to fulfil the purposes for which it was collected, or as may be required by applicable law. The Data Controller adheres to the following retention criteria and periods:
- Account data shall be retained for the duration of the account's active status and for a period of seven (7) years following account closure, to comply with statutory record-keeping obligations under Ugandan commercial and taxation legislation;
- Transactional and payment records shall be retained for a period of ten (10) years from the date of the transaction, in accordance with the Limitations Act and applicable revenue authority requirements;
- Marketing consent records shall be retained until the Data Subject withdraws consent and, absent such withdrawal, indefinitely;
- Server logs and automated usage data shall be retained for a period of twenty-four (24) months from the date of collection;
- Identity verification documents (including copies of driving licences and passports) shall be retained for the duration of the applicable rental agreement and for a period of three (3) years thereafter, or as long as necessary for the establishment, exercise, or defence of legal claims;
- Cookies shall expire in accordance with their respective durational parameters, as detailed in the Cookie Policy.
Upon the expiration of the applicable retention period, personal data shall be securely and irrevocably destroyed, erased, or anonymised such that the Data Subject is no longer identifiable. The Data Controller employs industry-standard data sanitisation techniques, including cryptographic erasure, degaussing, and physical destruction of storage media where appropriate.
7. DISCLOSURE & THIRD-PARTY DATA SHARING
The Data Controller does not sell, trade, rent, or otherwise make available personal data to third parties for their independent commercial exploitation. However, the Data Controller may disclose personal data to the following categories of recipients, strictly on a need-to-know basis and subject to appropriate contractual safeguards:
- Service Providers and Processors: Third-party vendors engaged to perform functions on the Data Controller's behalf, including payment processing, cloud hosting, email delivery, customer relationship management, analytics, identity verification, and fraud prevention services;
- Travel and Tourism Partners: Vehicle fleet operators, tour guides, accommodation providers, and other service partners whose services are booked through the Platform;
- Professional Advisers: Legal counsel, auditors, accountants, and insurance brokers, where disclosure is necessary for the provision of professional services;
- Regulatory Authorities and Law Enforcement: Governmental bodies, regulatory agencies, courts, and law enforcement authorities, where the Data Controller is under a legal obligation to disclose, or where such disclosure is necessary to protect the rights, property, or safety of the Data Controller, its clients, or the public;
- Successors and Assigns: In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of the Data Controller's assets, personal data may be transferred to the successor entity, subject to the Data Subject's right to object.
Where personal data is transferred to third parties, the Data Controller shall ensure, through contractual instruments including Data Processing Agreements and Standard Contractual Clauses, that such third parties provide substantially similar levels of protection as those afforded by this Privacy Policy.
8. CROSS-BORDER DATA TRANSFERS
The Data Controller's operations may necessitate the transfer of personal data to jurisdictions outside the Republic of Uganda, including to countries whose data protection laws may not provide a level of protection that is adjudged adequate by the relevant Ugandan authorities. In such circumstances, the Data Controller shall implement appropriate safeguards to ensure that the transferred data receives a level of protection that is essentially equivalent to that guaranteed under Ugandan law, including:
- The execution of legally binding and enforceable instruments between public authorities or bodies;
- The incorporation of binding corporate rules within the Data Controller's organisational structure;
- The adoption of standard data protection clauses adopted or approved by the relevant regulatory authority;
- The reliance on derogations for specific situations, including the Data Subject's explicit and informed consent, the necessity for the performance of a contract, or the establishment, exercise, or defence of legal claims.
9. DATA SUBJECT RIGHTS & MODALITIES OF EXERCISE
Data Subjects are vested with the following rights, which may be exercised by submitting a verifiable request to the Data Controller through the contact channels specified in Section 13 of this Privacy Policy:
9.1 Right of Access
The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her is being Processed, and, where that is the case, access to the personal data together with the following information: the purposes of the Processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed; the envisaged period for which the personal data will be stored; the existence of the right to request rectification, erasure, restriction, or objection; the right to lodge a complaint with a supervisory authority; and the source of the data where not collected directly from the Data Subject.
9.2 Right to Rectification
The Data Subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the Processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
9.3 Right to Erasure
The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay, and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise Processed; the Data Subject withdraws consent on which the Processing is based and there is no other legal ground for the Processing; the Data Subject objects to the Processing and there are no overriding legitimate grounds; the personal data has been unlawfully Processed; or the personal data must be erased for compliance with a legal obligation.
9.4 Right to Restriction of Processing
The Data Subject shall have the right to obtain from the Data Controller restriction of Processing where: the accuracy of the personal data is contested by the Data Subject; the Processing is unlawful and the Data Subject opposes the erasure and requests restriction instead; the Data Controller no longer needs the personal data but the Data Subject requires it for the establishment, exercise, or defence of legal claims; or the Data Subject has objected to Processing pending verification of whether the Data Controller's legitimate grounds override those of the Data Subject.
9.5 Right to Data Portability
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used, and machine-readable format, and shall have the right to transmit those data to another controller without hindrance, where the Processing is based on consent or contract and is carried out by automated means. In exercising this right, the Data Subject shall have the right to have the personal data transmitted directly from the Data Controller to another controller, where technically feasible.
9.6 Right to Object
The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to Processing of personal data concerning him or her which is based on legitimate interests, including profiling. The Data Controller shall no longer Process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the Processing which override the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or defence of legal claims. Where personal data is Processed for direct marketing purposes, the Data Subject shall have the right to object at any time to Processing for such marketing, which includes profiling to the extent that it is related to such direct marketing.
9.7 Rights in Relation to Automated Decision-Making
The Data Subject shall have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except where such decision is necessary for entering into or performing a contract, is authorised by law, or is based on the Data Subject's explicit consent.
10. TECHNICAL & ORGANISATIONAL SECURITY MEASURES
The Data Controller implements and maintains appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures include, without limitation:
- The pseudonymisation and encryption of personal data both in transit and at rest using industry-standard cryptographic protocols, including but not limited to Transport Layer Security (TLS) 1.3 and Advanced Encryption Standard (AES) 256-bit encryption;
- The implementation of a multi-layered network security architecture incorporating next-generation firewalls, intrusion detection and prevention systems (IDS/IPS), and distributed denial-of-service (DDoS) mitigation;
- The enforcement of strictly role-based access controls (RBAC) with the principle of least privilege, multi-factor authentication (MFA), and comprehensive audit logging;
- The conduct of periodic vulnerability assessments and penetration testing by qualified independent security researchers;
- The maintenance of a documented information security management system (ISMS) aligned with internationally recognised standards;
- The provision of regular data protection and security awareness training to all personnel with access to personal data;
- The implementation of robust business continuity and disaster recovery protocols, including geographically redundant data backups and failover mechanisms.
Notwithstanding the foregoing, the Data Subject acknowledges and accepts that no method of electronic transmission or storage is absolutely impregnable, and the Data Controller cannot guarantee with certitude that personal data will be immune from all unauthorised access, use, or disclosure. The Data Controller shall, however, in the event of a data breach that is likely to result in a high risk to the rights and freedoms of Data Subjects, notify the affected Data Subjects and the relevant supervisory authority without undue delay and in any event within the timeframes prescribed by applicable law.
11. DATA OF MINORS
The Platform is not directed to, nor does the Data Controller knowingly collect personal data from, natural persons under the age of eighteen (18) years (hereinafter "Minors"). In the event that the Data Controller becomes aware that personal data of a Minor has been collected without verifiable parental or guardian consent, the Data Controller shall take expeditious steps to delete such data from its systems. Where the Processing of a Minor's personal data is necessary for the provision of travel services (including but not limited to family tour packages and group transportation), such Processing shall only occur with the explicit, verifiable consent of the Minor's parent or legal guardian, and shall be strictly limited to data that is indispensable for the provision of the requested service.
12. AMENDMENTS & MODIFICATIONS
The Data Controller reserves the right, exercisable in its sole and absolute discretion, to amend, modify, supplement, or restate this Privacy Policy at any time and from time to time. Material amendments shall be communicated to Data Subjects through a prominent notice posted on the Platform, by electronic mail notification, or through such other means as the Data Controller deems reasonably calculated to bring the amendments to the Data Subject's attention. The Data Subject's continued use of the Platform following the effective date of any amendment shall constitute conclusive and binding acceptance of such amendment. The Data Subject is accordingly enjoined to periodically review this Privacy Policy to remain apprised of the Data Controller's current data protection practices. The date of the most recent revision shall be indicated at the foot of this policy under the legend "Last Updated."
13. DATA PROTECTION OFFICER & CONTACT PARTICULARS
For any enquiries, concerns, or complaints relating to this Privacy Policy or the Data Controller's data protection practices, or to exercise any of the rights enumerated in Section 9 hereof, the Data Subject may contact the Data Controller's designated Data Protection Officer through the following channels:
- Electronic Mail: ugxplora@gmail.com
- Telephone: +256 757 904 596
- Postal Address: Data Protection Officer, Bash Tours & Travel, Kampala, Republic of Uganda
The Data Subject shall also have the right to lodge a complaint with the Personal Data Protection Office (PDPO) of the Republic of Uganda, or with the relevant supervisory authority in the Data Subject's jurisdiction, if the Data Subject considers that the Processing of personal data infringes applicable data protection legislation.
14. SEVERABILITY & WAIVER
Should any provision of this Privacy Policy be determined by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be severed from this Privacy Policy, and the remaining provisions shall continue in full force and effect to the maximum extent permitted by law. The failure of the Data Controller to enforce any right or provision of this Privacy Policy shall not constitute a waiver of such right or provision, nor shall any single or partial exercise of any right or power hereunder preclude further exercise of that or any other right or power. No waiver shall be effective unless it is expressly stated to be a waiver and communicated to the Data Subject in writing.
15. GOVERNING LAW & DISPUTE RESOLUTION
This Privacy Policy and all matters arising out of or relating to it, including but not limited to its interpretation, construction, validity, and enforcement, shall be governed by and construed in accordance with the laws of the Republic of Uganda, without regard to its conflict of laws principles. Any dispute, controversy, or claim arising out of or in connection with this Privacy Policy, including any question regarding its existence, validity, or termination, shall first be attempted to be resolved amicably through bona fide negotiations between the parties. Should such negotiations fail to yield a resolution within thirty (30) calendar days, the dispute shall be referred to and finally resolved by the courts of the Republic of Uganda, which shall have exclusive jurisdiction.
Last Updated: 1st January 2025 | © Bash Tours & Travel — Powered by Ugxplora. All rights reserved. This policy may not be reproduced, distributed, or transmitted in any form or by any means without the prior written permission of the Data Controller.