Ready to Join Us? 🎉

We're excited to have you on board! Reach out to us on WhatsApp or give us a quick call — we'd love to help you get started with the best travel experiences in Uganda.

Privacy Policy

Effective Date: 1st January 2025  |  Version 2.4

1. PRELIMINARY PROVISIONS & SCOPE OF APPLICATION

For the purposes of this instrument, unless the context otherwise requires:

"Data Controller" shall mean Bash Tours & Travel, a travel facilitation enterprise operating under the trade aegis of Ugxplora, with its principal place of business situate in Kampala, Republic of Uganda.

"Data Subject" shall mean any identified or identifiable natural person whose personal data is Processed, including but not limited to visitors, clients, passengers, vendors, and any other natural person whose information traverses our systems by whatever means.

"Processing" shall be accorded the broadest possible construction and shall encompass any operation or set of operations which is performed upon personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

This Privacy Policy constitutes a legally binding unilateral declaration of the Data Controller's data protection practices and shall govern the collection, Processing, storage, transfer, and disposal of all personal data obtained from Data Subjects who interact with our digital properties, including but not limited to the website located at the domain under which this policy is published, any subdomains, mobile applications, API endpoints, booking platforms, and any other digital touchpoints owned or operated by the Data Controller (hereinafter collectively referred to as the "Platform").

By accessing, browsing, or utilising the Platform, or by otherwise furnishing personal data to the Data Controller through any channel, the Data Subject hereby acknowledges having read, understood, and irrevocably consented to the practices described in this Privacy Policy. Should the Data Subject dissent from any provision herein contained, the Data Subject is enjoined to forthwith cease all use of the Platform and to refrain from submitting any personal data to the Data Controller.

This Privacy Policy shall be read and construed in pari materia with the Data Controller's Terms of Use, and any inconsistency between the two shall be resolved in favour of the interpretation that affords the greatest protection to the Data Subject's personal data, save where such interpretation would place the Data Controller in breach of applicable statutory obligations.

2. LEGAL BASIS FOR PROCESSING & JURISDICTIONAL COMPLIANCE

2.1 The Data Protection and Privacy Act, 2019 (Uganda)

The Data Controller's Processing activities are primarily governed by the Data Protection and Privacy Act, 2019 of the Republic of Uganda, and any regulations promulgated thereunder.

2.2 The General Data Protection Regulation (GDPR)

Notwithstanding the Data Controller's primary establishment in Uganda, the Data Controller voluntarily extends certain protections articulated under Regulation (EU) 2016/679 (the General Data Protection Regulation) to all Data Subjects regardless of their geographic locus.

2.3 Lawful Bases Enumerated

The Data Controller shall only Process personal data where one or more of the following lawful bases subsist:

  1. The Data Subject has given explicit, informed, and unambiguous consent;
  2. Processing is necessary for the performance of a contract;
  3. Processing is necessary for compliance with a legal obligation;
  4. Processing is necessary to protect the vital interests of the Data Subject;
  5. Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller.

3. TAXONOMY OF PERSONAL DATA COLLECTED

3.1 Data Voluntarily Furnished by the Data Subject

The Data Controller collects personal data that the Data Subject voluntarily and knowingly provides. This encompasses, without limitation:

  • Identity and Demographic Data: Given names, surnames, national identification numbers, passport particulars, date of birth, nationality, and gender;
  • Contact Data: Electronic mail addresses, mobile telephone numbers, postal addresses;
  • Transactional Data: Booking histories, vehicle hire preferences, payment instrument details;
  • Travel Documentation Data: Driving licence particulars, international driving permits, passport copies;
  • Communications Data: Content and metadata of correspondence;
  • Preference Data: Vehicle type preferences, transmission preferences, special instructions.

3.2 Data Collected Through Automated Means

When the Data Subject accesses the Platform, the Data Controller's systems automatically collect certain categories of data including IP addresses, browser and device data, usage and interaction data, and geolocation data.

3.3 Data Received from Third-Party Sources

The Data Controller may receive personal data from social media platforms, payment processors, travel agencies, identity verification services, and publicly available sources.

3.4 Special Categories of Personal Data

The Data Controller does not knowingly collect or Process special categories of personal data unless the Data Subject has provided explicit consent or the Processing is necessary for legal claims.

4. PURPOSES OF PROCESSING & CORRESPONDING LAWFUL BASES

The Data Controller Processes personal data for the following enumerated purposes:

Purpose of Processing Lawful Basis
To register and administer user accounts, verify identity, and authenticate access credentialsPerformance of a contract; Legitimate interests
To process, confirm, and fulfil vehicle hire reservations, tour bookings, and related travel servicesPerformance of a contract
To process payments and maintain financial recordsPerformance of a contract; Legal obligation
To communicate service-related notificationsPerformance of a contract; Legitimate interests
To transmit marketing communicationsConsent; Legitimate interests
To personalise the user experienceConsent; Legitimate interests
To conduct analytics and improve Platform functionalityLegitimate interests
To detect, prevent, and investigate fraudulent transactionsLegal obligation; Legitimate interests
To comply with lawful requests from authoritiesLegal obligation

5. COOKIE POLICY & SIMILAR TRACKING TECHNOLOGIES

5.1 Definition and Function

Cookies are small text files deposited on the Data Subject's terminal equipment when visiting the Platform.

5.2 Taxonomy of Cookies Deployed

  • Strictly Necessary Cookies: Indispensable for Platform operation;
  • Performance and Analytics Cookies: Collect aggregated, pseudonymised usage information;
  • Functional Cookies: Enable enhanced functionality and personalisation;
  • Targeting and Advertising Cookies: Deliver relevant advertisements.

5.3 Consent and Withdrawal

The Data Controller shall obtain prior consent before deploying non-essential cookies. The Data Subject may withdraw consent at any time through browser settings.

6. DATA RETENTION & DISPOSITION SCHEDULES

The Data Controller shall retain personal data only for such period as is necessary:

  • Account data: seven (7) years following account closure;
  • Transactional and payment records: ten (10) years;
  • Marketing consent records: until consent withdrawal;
  • Server logs: twenty-four (24) months;
  • Identity verification documents: three (3) years after rental agreement;
  • Cookies: in accordance with their respective durational parameters.

Upon expiration, personal data shall be securely and irrevocably destroyed, erased, or anonymised.

7. DISCLOSURE & THIRD-PARTY DATA SHARING

The Data Controller does not sell personal data but may disclose to:

  • Service Providers and Processors: Payment processing, cloud hosting, email delivery;
  • Travel and Tourism Partners: Vehicle fleet operators, tour guides, accommodation providers;
  • Professional Advisers: Legal counsel, auditors, accountants;
  • Regulatory Authorities and Law Enforcement: Where legally obligated;
  • Successors and Assigns: In the event of merger or acquisition.

8. CROSS-BORDER DATA TRANSFERS

The Data Controller may transfer personal data to jurisdictions outside Uganda and shall implement appropriate safeguards to ensure equivalent protection.

9. DATA SUBJECT RIGHTS & MODALITIES OF EXERCISE

9.1 Right of Access

The Data Subject has the right to obtain confirmation of Processing and access to personal data.

9.2 Right to Rectification

The Data Subject has the right to rectification of inaccurate personal data.

9.3 Right to Erasure

The Data Subject has the right to obtain erasure of personal data without undue delay.

9.4 Right to Restriction of Processing

The Data Subject has the right to restrict Processing where certain conditions apply.

9.5 Right to Data Portability

The Data Subject has the right to receive personal data in a structured, machine-readable format.

9.6 Right to Object

The Data Subject has the right to object to Processing based on legitimate interests or direct marketing.

9.7 Rights in Relation to Automated Decision-Making

The Data Subject has the right not to be subject to decisions based solely on automated Processing.

10. TECHNICAL & ORGANISATIONAL SECURITY MEASURES

The Data Controller implements appropriate technical and organisational measures including encryption, firewalls, access controls, vulnerability assessments, and business continuity protocols.

11. DATA OF MINORS

The Platform is not directed to persons under eighteen (18) years. The Data Controller does not knowingly collect data from Minors without parental consent.

12. AMENDMENTS & MODIFICATIONS

The Data Controller reserves the right to amend this Privacy Policy. Material amendments shall be communicated through a prominent notice on the Platform.

13. DATA PROTECTION OFFICER & CONTACT PARTICULARS

For any enquiries:

14. SEVERABILITY & WAIVER

Should any provision be determined invalid, such provision shall be severed and the remaining provisions shall continue in full force and effect.

15. GOVERNING LAW & DISPUTE RESOLUTION

This Privacy Policy shall be governed by the laws of the Republic of Uganda.

Last Updated: 1st January 2025  |  © Bash Tours & Travel — Powered by Ugxplora. All rights reserved.