Privacy Policy
Effective Date: 1st January 2025 | Version 2.4
1. PRELIMINARY PROVISIONS & SCOPE OF APPLICATION
For the purposes of this instrument, unless the context otherwise requires:
"Data Controller" shall mean Bash Tours & Travel, a travel facilitation enterprise operating under the trade aegis of Ugxplora, with its principal place of business situate in Kampala, Republic of Uganda.
"Data Subject" shall mean any identified or identifiable natural person whose personal data is Processed, including but not limited to visitors, clients, passengers, vendors, and any other natural person whose information traverses our systems by whatever means.
"Processing" shall be accorded the broadest possible construction and shall encompass any operation or set of operations which is performed upon personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
This Privacy Policy constitutes a legally binding unilateral declaration of the Data Controller's data protection practices and shall govern the collection, Processing, storage, transfer, and disposal of all personal data obtained from Data Subjects who interact with our digital properties, including but not limited to the website located at the domain under which this policy is published, any subdomains, mobile applications, API endpoints, booking platforms, and any other digital touchpoints owned or operated by the Data Controller (hereinafter collectively referred to as the "Platform").
By accessing, browsing, or utilising the Platform, or by otherwise furnishing personal data to the Data Controller through any channel, the Data Subject hereby acknowledges having read, understood, and irrevocably consented to the practices described in this Privacy Policy. Should the Data Subject dissent from any provision herein contained, the Data Subject is enjoined to forthwith cease all use of the Platform and to refrain from submitting any personal data to the Data Controller.
This Privacy Policy shall be read and construed in pari materia with the Data Controller's Terms of Use, and any inconsistency between the two shall be resolved in favour of the interpretation that affords the greatest protection to the Data Subject's personal data, save where such interpretation would place the Data Controller in breach of applicable statutory obligations.
2. LEGAL BASIS FOR PROCESSING & JURISDICTIONAL COMPLIANCE
2.1 The Data Protection and Privacy Act, 2019 (Uganda)
The Data Controller's Processing activities are primarily governed by the Data Protection and Privacy Act, 2019 of the Republic of Uganda, and any regulations promulgated thereunder.
2.2 The General Data Protection Regulation (GDPR)
Notwithstanding the Data Controller's primary establishment in Uganda, the Data Controller voluntarily extends certain protections articulated under Regulation (EU) 2016/679 (the General Data Protection Regulation) to all Data Subjects regardless of their geographic locus.
2.3 Lawful Bases Enumerated
The Data Controller shall only Process personal data where one or more of the following lawful bases subsist:
- The Data Subject has given explicit, informed, and unambiguous consent;
- Processing is necessary for the performance of a contract;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary to protect the vital interests of the Data Subject;
- Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller.
3. TAXONOMY OF PERSONAL DATA COLLECTED
3.1 Data Voluntarily Furnished by the Data Subject
The Data Controller collects personal data that the Data Subject voluntarily and knowingly provides. This encompasses, without limitation:
- Identity and Demographic Data: Given names, surnames, national identification numbers, passport particulars, date of birth, nationality, and gender;
- Contact Data: Electronic mail addresses, mobile telephone numbers, postal addresses;
- Transactional Data: Booking histories, vehicle hire preferences, payment instrument details;
- Travel Documentation Data: Driving licence particulars, international driving permits, passport copies;
- Communications Data: Content and metadata of correspondence;
- Preference Data: Vehicle type preferences, transmission preferences, special instructions.
3.2 Data Collected Through Automated Means
When the Data Subject accesses the Platform, the Data Controller's systems automatically collect certain categories of data including IP addresses, browser and device data, usage and interaction data, and geolocation data.
3.3 Data Received from Third-Party Sources
The Data Controller may receive personal data from social media platforms, payment processors, travel agencies, identity verification services, and publicly available sources.
3.4 Special Categories of Personal Data
The Data Controller does not knowingly collect or Process special categories of personal data unless the Data Subject has provided explicit consent or the Processing is necessary for legal claims.
4. PURPOSES OF PROCESSING & CORRESPONDING LAWFUL BASES
The Data Controller Processes personal data for the following enumerated purposes:
| Purpose of Processing | Lawful Basis |
|---|---|
| To register and administer user accounts, verify identity, and authenticate access credentials | Performance of a contract; Legitimate interests |
| To process, confirm, and fulfil vehicle hire reservations, tour bookings, and related travel services | Performance of a contract |
| To process payments and maintain financial records | Performance of a contract; Legal obligation |
| To communicate service-related notifications | Performance of a contract; Legitimate interests |
| To transmit marketing communications | Consent; Legitimate interests |
| To personalise the user experience | Consent; Legitimate interests |
| To conduct analytics and improve Platform functionality | Legitimate interests |
| To detect, prevent, and investigate fraudulent transactions | Legal obligation; Legitimate interests |
| To comply with lawful requests from authorities | Legal obligation |
5. COOKIE POLICY & SIMILAR TRACKING TECHNOLOGIES
5.1 Definition and Function
Cookies are small text files deposited on the Data Subject's terminal equipment when visiting the Platform.
5.2 Taxonomy of Cookies Deployed
- Strictly Necessary Cookies: Indispensable for Platform operation;
- Performance and Analytics Cookies: Collect aggregated, pseudonymised usage information;
- Functional Cookies: Enable enhanced functionality and personalisation;
- Targeting and Advertising Cookies: Deliver relevant advertisements.
5.3 Consent and Withdrawal
The Data Controller shall obtain prior consent before deploying non-essential cookies. The Data Subject may withdraw consent at any time through browser settings.
6. DATA RETENTION & DISPOSITION SCHEDULES
The Data Controller shall retain personal data only for such period as is necessary:
- Account data: seven (7) years following account closure;
- Transactional and payment records: ten (10) years;
- Marketing consent records: until consent withdrawal;
- Server logs: twenty-four (24) months;
- Identity verification documents: three (3) years after rental agreement;
- Cookies: in accordance with their respective durational parameters.
Upon expiration, personal data shall be securely and irrevocably destroyed, erased, or anonymised.
7. DISCLOSURE & THIRD-PARTY DATA SHARING
The Data Controller does not sell personal data but may disclose to:
- Service Providers and Processors: Payment processing, cloud hosting, email delivery;
- Travel and Tourism Partners: Vehicle fleet operators, tour guides, accommodation providers;
- Professional Advisers: Legal counsel, auditors, accountants;
- Regulatory Authorities and Law Enforcement: Where legally obligated;
- Successors and Assigns: In the event of merger or acquisition.
8. CROSS-BORDER DATA TRANSFERS
The Data Controller may transfer personal data to jurisdictions outside Uganda and shall implement appropriate safeguards to ensure equivalent protection.
9. DATA SUBJECT RIGHTS & MODALITIES OF EXERCISE
9.1 Right of Access
The Data Subject has the right to obtain confirmation of Processing and access to personal data.
9.2 Right to Rectification
The Data Subject has the right to rectification of inaccurate personal data.
9.3 Right to Erasure
The Data Subject has the right to obtain erasure of personal data without undue delay.
9.4 Right to Restriction of Processing
The Data Subject has the right to restrict Processing where certain conditions apply.
9.5 Right to Data Portability
The Data Subject has the right to receive personal data in a structured, machine-readable format.
9.6 Right to Object
The Data Subject has the right to object to Processing based on legitimate interests or direct marketing.
9.7 Rights in Relation to Automated Decision-Making
The Data Subject has the right not to be subject to decisions based solely on automated Processing.
10. TECHNICAL & ORGANISATIONAL SECURITY MEASURES
The Data Controller implements appropriate technical and organisational measures including encryption, firewalls, access controls, vulnerability assessments, and business continuity protocols.
11. DATA OF MINORS
The Platform is not directed to persons under eighteen (18) years. The Data Controller does not knowingly collect data from Minors without parental consent.
12. AMENDMENTS & MODIFICATIONS
The Data Controller reserves the right to amend this Privacy Policy. Material amendments shall be communicated through a prominent notice on the Platform.
13. DATA PROTECTION OFFICER & CONTACT PARTICULARS
For any enquiries:
- Electronic Mail: ugxplora@gmail.com
- Telephone: +256 703 184 944
- Postal Address: Data Protection Officer, Bash Tours & Travel, Kampala, Republic of Uganda
14. SEVERABILITY & WAIVER
Should any provision be determined invalid, such provision shall be severed and the remaining provisions shall continue in full force and effect.
15. GOVERNING LAW & DISPUTE RESOLUTION
This Privacy Policy shall be governed by the laws of the Republic of Uganda.
Last Updated: 1st January 2025 | © Bash Tours & Travel — Powered by Ugxplora. All rights reserved.