Jjengo Privacy & Data Protection Policy

Jjengo Tech LTD (“we,” “our,” “us”) is committed to protecting your privacy and ensuring that your personal information is handled in a safe and responsible manner. This Privacy Policy outlines how we collect, use, disclose, and safeguard your information when you use our Android, iOS, and web applications (collectively, the “Services”). This policy is designed to comply with the requirements of the Google Play Store and Apple App Store, as well as the Personal Data Protection and Privacy Act of 2019 in Uganda and relevant international standards, including GDPR.

This policy applies to all personal data processed by Jjengo Tech Ltd, including data collected from employees, customers, partners, app users and website visitors. It covers data processing activities across all business operations, including IT solutions and fintech services.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, whether or not by automated means.

Data Subject: An individual whose personal data is processed.

Controller: The entity that determines the purposes and means of processing personal data.

Processor: The entity that processes personal data on behalf of the controller.

We may collect and process the following types of personal data from you:

• Personal Identification Information: Name, email address, phone number, etc., provided voluntarily by you.
• Device Information: Device model, operating system, unique device identifiers, mobile network information, and other technical data.
• Usage Data: Information about how you use our Services, including interactions with our apps and preferences.
• Location Data:Your geographic location if you choose to enable location services.
• Media: Photos and videos captured through our camera feature for product images on our merchant portal and event backgrounds.
• Camera Access: Our Apps may request access to your camera for specific functionalities, including:
  • Scanning QR codes for identification or verification purposes.
  • Taking pictures for product listings on a merchant portal (if applicable).
  • Capturing backgrounds for event ticketing (if applicable). We will only use the camera for these specific purposes and with your explicit consent. Captured images will not be used for any other purpose without your further permission.
• NFC Access: Our Apps may request access to the Near Field Communication (NFC) feature solely for scanning purposes. We will not use NFC to transmit any data from your device.

We use the information we collect for the following purposes:

• To provide and maintain our Services, including customer support and troubleshooting.
• To improve and personalize our Services, ensuring a better user experience.
• To communicate with you, either directly or through our partners, regarding updates, offers, and promotional materials.
• To comply with legal obligations and resolve disputes.
• To protect against unauthorized access to or alteration of your data.

We may share your personal data with third parties in the following circumstances:

• With your consent or at your direction.
• With service providers who assist us in delivering our Services, subject to appropriate data protection agreements.
• When required by law or to protect our rights, property, or safety of others.
• To protect the rights and safety of ourselves, our users, or others.

Personal data is shared only when necessary and with appropriate safeguards in place to protect data privacy and security.

We implement technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

i. Encryption of data

Data encryption converts information into another form or code to prevent unauthorized access. It ensures privacy and security across different sectors. The process involves transforming readable data (known as plaintext) into unreadable data (known as ciphertext) using an algorithm (or cipher). Encryption helps maintain data integrity, prevents data loss, and reduces the impact of data breaches.

ii. Access controls and authentication

Access control involves identifying a user based on their credentials (authentication) and then authorizing the appropriate level of access. It ensures that only authorized individuals can access digital resources and tools. Access control can be physical (e.g., building entry) or logical (e.g., database access) and plays a crucial role in protecting organizations from cyber threats.

Authentication is the process of verifying someone’s claimed identity. It ensures that a user is who they claim to be before granting access to a system or resource.

Common authentication methods include:

• Passwords: Users provide a secret passphrase to prove their identity.
• Biometric Scans: Fingerprint, retina, or facial recognition.
• Security Tokens: Physical devices that generate one-time codes.
• Once authenticated, the user gains access to the system

iii. Regular security audits and assessments

The primary purpose of a security audit is to identify current and potential weaknesses in an organization’s security posture.

By conducting audits, organizations can proactively address vulnerabilities before they can be exploited by malicious actors. The scope includes external attacks, internal threats (such as bad actors), and data breaches

iv. Employee training on data protection

Employee training will ensure that all staff are equipped with the procedural and governance requirements on data privacy and protection.

Personal data is retained for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements.

When personal data is no longer needed, it is securely deleted or anonymized.

You have the following rights regarding your personal data:

• Access: Right to access your personal data.
• Rectification: Right to correct inaccurate or incomplete data.
• Erasure: Right to request the deletion of your data.
• Restriction: Right to restrict the processing of your data.
• Portability:Right to receive your data in a structured, commonly used format.
• Objection: Right to object to the processing of your data.

Where consent is required for data processing, we ensure that it is freely given, specific, informed, and unambiguous. Data subjects can withdraw their consent at any time.

We have appointed a Data Protection Officer (DPO) responsible for overseeing data protection strategy and implementation to ensure compliance with legal requirements. The DPO can be contacted at data[at]jjengo.com

In the event of a data breach, we will:

• Notify the relevant supervisory authority within 72 hours, if required by law.
• Inform affected data subjects without undue delay, if the breach is likely to result in a high risk to their rights and freedoms.
• Take necessary measures to mitigate the breach and prevent future occurrences.

This policy is reviewed annually and updated as necessary to reflect changes in our data processing practices or legal requirements. The latest version of the policy is always available on our website.

© 2024 Jjengo Tech LTD