Privacy Policy
Effective Date: 1 May 2025 | Last Updated: 1 May 2025
1. Who We Are
Njoodukani ("we", "our", "us") is a digital super-app and multi-vendor e-commerce marketplace registered in Uganda, East Africa. Our platform allows customers to shop, invest, send money, arrange local delivery, and access a wide range of goods and services across the region.
Data Controller contact: privacy@njoodukani.com
2. Information We Collect
We collect information in the following ways:
a) Information You Provide Directly
- Full name, email address, phone number, and password when you register an account.
- Shipping and billing address when you place an order.
- Payment details (processed securely through our payment partners; we do not store raw card numbers).
- Government-issued ID documents submitted for KYC (Know Your Customer) verification.
- Messages, reviews, or feedback you submit on the platform.
- Vendor business details (business name, bank account information, product listings) if you register as a seller.
b) Information We Collect Automatically
- Device information: IP address, browser type, operating system, and device identifiers.
- Usage data: pages visited, search queries, clicks, time spent, and navigation paths.
- Location data: approximate location inferred from your IP address or, with your consent, GPS location for delivery services.
- Transaction history: orders placed, payments made, and wallet activity.
- Cookie and tracking data (see our Cookie Policy for details).
c) Information from Third Parties
- Payment processors (Flutterwave, Stripe, PayPal) may share transaction confirmation data with us.
- Social login providers (if used) may share your name and email.
- Delivery partners may share delivery status and driver location data.
3. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Processing and fulfilling your orders | Contract performance |
| Creating and managing your account | Contract performance |
| Processing payments and preventing fraud | Legal obligation & legitimate interest |
| Sending order confirmations and service notifications | Contract performance |
| Verifying identity for KYC compliance | Legal obligation |
| Sending marketing communications (with your consent) | Consent |
| Improving our platform, products, and services | Legitimate interest |
| Resolving disputes and enforcing our terms | Legitimate interest & legal obligation |
4. Sharing Your Information
We do not sell your personal information. We share data only in the following circumstances:
- Vendors/Sellers: When you purchase from a vendor, we share your delivery name, address, and order details with that vendor so they can fulfil your order.
- Delivery Partners: Your name, phone number, and delivery address are shared with local drivers to complete delivery.
- Payment Processors: Transaction data is processed by Flutterwave, Stripe, PayPal, or other approved gateways operating under their own privacy policies.
- CJDropshipping: If your order contains dropshipped items, your shipping details are passed to CJDropshipping for international fulfilment.
- Legal Authorities: We may disclose data when required by law, court order, or to protect the rights and safety of our users and the public.
- Business Transfers: In the event of a merger or acquisition, your data may be transferred as part of the business assets.
5. Data Retention
We retain your personal data for as long as your account is active or as needed to provide our services. We retain transaction and financial records for a minimum of seven (7) years to meet tax and legal obligations. You may request deletion of your account at any time (see Section 7 below); however, we may retain certain records where required by law.
6. Data Security
We implement industry-standard security measures including:
- HTTPS encryption for all data in transit.
- Encrypted storage of passwords (bcrypt/PBKDF2).
- Access controls limiting employee access to personal data on a need-to-know basis.
- Regular security audits and vulnerability assessments.
No method of electronic transmission or storage is 100% secure. We encourage you to use a strong, unique password and enable two-factor authentication where available.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Request deletion of your personal data, subject to legal obligations.
- Restriction: Ask us to restrict processing of your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Object: Object to processing based on legitimate interest, including direct marketing.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@njoodukani.com. We will respond within 30 days.
8. Children's Privacy
Njoodukani is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.
9. International Transfers
Your data may be transferred to and processed in countries outside Uganda, including by our cloud hosting provider and payment processors. We ensure appropriate safeguards are in place for such transfers in accordance with applicable data protection law.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page and, for material changes, notify you by email or a prominent notice on the platform.
11. Contact Us
If you have questions or concerns about this Privacy Policy, please contact our Data Protection Officer:
Njoodukani β Data Protection Officer
Email: privacy@njoodukani.com
Address: Kampala, Uganda, East Africa