Privacy Policy

Privacy and cookies policy

1. Introduction

1.1   We are committed to safeguarding the privacy of our website visitors, donors, supporters, beneficiaries, volunteers and service users. In this policy we explain how we will handle your personal data in line with Uganda’s Data Protection and Privacy Act, 2019 and the Data Protection and Privacy Regulations, 2021.

1.2   We will ask you to consent to our use of cookies in accordance with the terms of this policy when you first visit our website. The platform enables you to select whether to accept cookies on a user’s first visit to the site.

1.3   This privacy policy was last updated on 03/02/2026.

2. Credit

2.1   This policy was originally based on a template from SEQ Legal (http://www.seqlegal.com) and has been updated for Uganda.

3. How we use your personal data

3.1   In this Section 3 we have set out:

(a)   the general categories of personal data that we may process;

(b)   in the case of personal data that we did not obtain directly from you, the source and specific categories of that data;

(c)   the purposes for which we may process personal data; and

(d)   the lawful basis for the processing under applicable law.

3.2   We may process data about your use of our website and services (“usage data”). The usage data may include your IP address, approximate geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use. The source of the usage data is our analytics and logging systems. This usage data may be processed for the purposes of analysing the use of the website and services and improving performance and security. The lawful basis for this processing is that it is necessary for our legitimate operational purposes and to provide and protect the website, and where required we will rely on your consent (for example, for certain analytics cookies).

3.3   We may process your contact or supporter data (“contact data”). The contact data may include your name, email address and telephone number. The source of the contact data is you (for example, when you contact us, donate, register interest, or sign up to updates). The contact data may be processed for the purposes of operating our website, responding to you, providing services you request, ensuring the security of our website and services, maintaining appropriate records, and communicating with you. The lawful basis for this processing is consent (where you have provided it), contractual necessity (where you have asked us to provide something), and compliance with legal obligations (for example, keeping financial records for donations where applicable).

3.4   We may process information you choose to provide about yourself (“profile data”). The profile data may include your name, address, telephone number, email address, and any other details you submit through forms on our website. The profile data may be processed for the purposes of enabling and monitoring your use of our website and services, and administering support or participation. The lawful basis for this processing is consent and/or contractual necessity (where you ask us to provide a service).

3.5   We may process personal data provided during the course of donations, fundraising, volunteering, programmes and other services (“service data”). The service data may include the details you submit through our forms or communications. This data may be processed for the purposes of delivering services, safeguarding where relevant, maintaining appropriate records, and communicating with you. The lawful basis for this processing is consent, contractual necessity, compliance with legal obligations, and protection of vital interests where relevant.

3.6   We may process information that you post for publication on our website or through our services (“publication data”). The publication data may be processed for the purposes of enabling such publication and administering our website and services. The lawful basis for this processing is consent and/or our legitimate operational purposes (for example, moderating and maintaining the website).

3.7   We may process information contained in any enquiry you submit to us (“enquiry data”). The enquiry data may be processed for the purposes of responding to your enquiry and providing information about our work, fundraising, programmes or services. The lawful basis for this processing is consent and/or our legitimate operational purposes in responding to enquiries.

3.8   We may process information relating to donations or other transactions that you enter into with us and/or through our website (“transaction data”). The transaction data may include your contact details, donation/payment details and transaction references. We do not normally store full card details on our servers where a third-party payment provider is used. The transaction data may be processed for the purpose of processing donations/payments, issuing receipts where relevant, handling refunds, and keeping proper records. The lawful basis for this processing is contractual necessity and compliance with legal obligations (including accounting and audit requirements), and our legitimate operational purposes in administering donations.

3.9   We may process information that you provide to us for the purpose of subscribing to email notifications and/or newsletters (“notification data”). The notification data may be processed for the purposes of sending you the relevant notifications and/or newsletters. The lawful basis for this processing is consent. You can withdraw consent at any time by using the unsubscribe link or contacting us.

3.10   We may process information contained in or relating to any communication that you send to us (“correspondence data”). The correspondence data may include the communication content and metadata associated with the communication. Our website may generate metadata associated with communications made using website contact forms. The correspondence data may be processed for the purposes of communicating with you and record-keeping. The lawful basis for this processing is our legitimate operational purposes and compliance with legal obligations where applicable.

3.11   We may process any of your personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The lawful basis for this processing is our legitimate interest in protecting and asserting our legal rights, and the legal rights of others.

3.12   In addition to the specific purposes set out in this Section 3, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation, or in order to protect your vital interests or the vital interests of another natural person.

3.13   Please do not supply any other person’s personal data to us, unless we prompt you to do so and you have lawful authority to share it.

4. Providing your personal data to others

4.1   We may disclose your personal data to trusted service providers and partners who help us run our website and deliver our services (for example, website hosting, IT support, email delivery, and payment processing), but only where necessary and subject to appropriate safeguards and confidentiality obligations.

4.2   We may disclose your personal data to our insurers and/or professional advisers (such as lawyers, auditors and accountants) insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice, and managing legal disputes.

4.3   We may disclose relevant personal data to suppliers or subcontractors insofar as reasonably necessary to operate our website and services, and we require them to protect your data and only use it for the services they provide to us.

4.4   Financial transactions relating to our website and services are handled by payment services providers. We will share transaction data with payment services providers only to the extent necessary for the purposes of processing your payments/donations, refunding such payments, and dealing with complaints and queries. You can find information about their privacy practices on their websites, for example:

• GoCardless (Privacy Policy URL: https://gocardless.com/legal/privacy/)
•  

4.5   Your data may also be available to our website and IT service providers to enable us to deliver services, maintain security, and carry out limited analysis on usage (for example, understanding website performance and improving user experience). Where a provider processes personal data on our behalf, they will not use it for their own purposes and will not share it with other parties except as necessary to provide the agreed services or where required by law.

4.6   In addition to the specific disclosures set out in this Section 4, we may also disclose your personal data where such disclosure is necessary for compliance with a legal obligation, or in order to protect your vital interests or the vital interests of another natural person.

5. International transfers of your personal data

5.1   Some of our service providers (for example, email, cloud hosting, analytics or payment providers) may store or process personal data outside Uganda, depending on how their systems are set up.

5.2   Where personal data is transferred outside Uganda, we will take reasonable steps to ensure that appropriate safeguards are in place in line with applicable Ugandan requirements. This may include using contractual protections, security controls, and where required obtaining your consent.

5.3   You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use or misuse of such personal data by others.

6. Retaining and deleting personal data

6.1   This Section 6 sets out our data retention approach, designed to help ensure we comply with legal obligations and do not keep personal data longer than necessary.

6.2   Personal data that we process for any purpose shall not be kept for longer than is necessary for that purpose, unless a longer period is required or permitted by law (for example, accounting, audit, safeguarding, or legal obligations).

6.3   We will retain and delete personal data as follows:

(a)   Supporter and communications data will generally be retained for as long as you remain an active supporter/donor/volunteer or continue to engage with us, and for a reasonable period thereafter to maintain records and comply with legal obligations.

(b)   Donation and transaction records will be retained for the period required by applicable accounting and audit rules and any other legal obligations.

(c)   Website logs and analytics data will be retained for a limited period appropriate to security and performance monitoring.

6.4   In some cases it is not possible to specify in advance the exact period for which personal data will be retained. In such cases, we will determine retention based on the nature of the data, the purpose for which it was collected, our legal obligations, and the need to resolve enquiries or disputes.

6.5   Notwithstanding the other provisions of this Section 6, we may retain your personal data where such retention is necessary for compliance with a legal obligation or in order to protect vital interests.

7. Amendments

7.1   We may update this policy from time to time by publishing a new version on our website.

7.2   You should check this page occasionally to ensure you are happy with any changes.

7.3   Where appropriate, we may notify you of material changes by email or another messaging method.

8. Your rights

8.1   You have rights in relation to your personal data under applicable data protection law. These may include:

(a)   the right to access your personal data and request a copy;

(b)   the right to request correction of inaccurate or incomplete data;

(c)   the right to object to certain processing (including direct marketing);

(d)   the right to request deletion of personal data in certain circumstances;

(e)   the right to withdraw consent where processing is based on consent; and

(f)   the right to complain to the relevant supervisory authority.

8.2   To exercise your rights, please contact us using the details in Section 17. We may request reasonable proof of identity to protect your information.

8.3   We will respond within a reasonable time and in line with applicable legal requirements. Where permitted, we may charge a reasonable administrative fee for additional copies or for requests that are manifestly unfounded or excessive.

8.4   Marketing: you may instruct us at any time not to process your personal data for marketing purposes. In practice, you will usually either expressly agree in advance to receive marketing, or we will provide you with an opportunity to opt out.

9. Third party websites

9.1   Our website includes hyperlinks to, and details of, third party websites.

9.2   We have no control over, and are not responsible for, the privacy policies and practices of third parties.

9.3   This privacy policy only governs our website. If you use any link on our website, we recommend you read the privacy policy of that website before sharing any personal or financial data.

9.4   We may operate social media pages (for example, Facebook, X, YouTube and Instagram). Although this policy covers how we will use any data we collect through those pages, it does not cover how social media providers use your information. Please review the platform’s privacy policy and use its privacy controls where available.

10. Personal data of children

10.1   Our website is generally intended for persons aged 16 and over. If we need to process personal data relating to a child, we will do so only with a lawful basis, and where required, with the prior consent of a parent or guardian.

10.2   If we have reason to believe that we hold personal data collected from a child without appropriate authority, we will take steps to delete it or otherwise address it as required.

11. Updating information

11.1   Please let us know if the personal information that we hold about you needs to be corrected or updated.

12. Acting as a data controller / data processor

12.1   In most cases, we act as a data controller for personal data collected through this website because we decide how and why it is processed.

12.2   In limited situations, we may act as a data processor when processing personal data strictly on instructions of another organisation (for example, a partner). Where we act as a processor, our obligations will be set out in the relevant agreement and the controller’s privacy notice may also apply.

13. About cookies

13.1   A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

13.2   Cookies may be either “persistent” cookies or “session” cookies. A persistent cookie will be stored by a web browser and will remain valid until its expiry date, unless deleted by the user before expiry. A session cookie will expire at the end of the user session when the browser is closed.

13.3   Cookies do not typically contain information that directly identifies a user. However, personal information that we store about you may be linked to information stored in and obtained from cookies.

14. Cookies that we use

14.1   We use cookies for the following purposes:

(a)   to recognise you when you visit our website and as you navigate our website;

(b)   to determine if you are logged into secure areas of the website (where applicable);

(c)   to store information about your preferences and personalise the website (where applicable);

(d)   as part of security measures used to protect user accounts and the website;

(e)   to help us analyse the use and performance of our website and services (where enabled); and

(f)   to store your preferences in relation to the use of cookies more generally.

15. Cookies used by our service providers

15.1   Our service providers may use cookies and similar technologies which may be stored on your device when you visit our website.

15.2   We may use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of the website. Depending on Google’s infrastructure, data may be processed in different countries. Google’s privacy policy is available at: https://policies.google.com/privacy.

16. Managing cookies

16.1   Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can obtain up-to-date information about blocking and deleting cookies via these links:

(a)   https://support.google.com/chrome/answer/95647?hl=en (Chrome);

(b)   https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);

(c)   https://help.opera.com/en/latest/web-preferences/ (Opera);

(d)   https://support.microsoft.com/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);

(e)   https://support.apple.com/kb/PH21411 (Safari); and

(f)   https://support.microsoft.com/microsoft-edge/view-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09 (Edge).

16.2   Blocking all cookies may have a negative impact upon the usability of many websites.

16.3   If you block cookies, you may not be able to use all the features on our website.

17. Our details

17.1   This website is owned and operated by Amigos Uganda (part of the Amigos family of organisations supporting communities in Uganda).

17.2   Postal address is displayed on our contact page

18. Data protection contact

18.1   If you have questions about this policy or how we handle personal data, please contact our privacy lead 

19. Data protection registration (Uganda)

19.1   Where required under Uganda’s data protection framework, we will register with the Personal Data Protection Office (PDPO) and comply with applicable obligations relating to personal data collection, processing and storage.

20. Complaints (Uganda)

20.1   If you have a complaint about us or the treatment of your personal data, please contact us first using the details in Section 17 and we will try to resolve the issue.

20.2   You also have the right to lodge a complaint with Uganda’s data protection regulator, the Personal Data Protection Office (PDPO) under NITA-U.

20.3   You can file a complaint via the PDPO portal: https://www.pdpo.go.ug/file-complaint.

20.4   PDPO contact details are published on their website: https://pdpo.go.ug/.