Data Protection Policy

Our comprehensive data protection and privacy policy.

Data Protection Policy

Effective Date: December 17, 2025
Last Updated: December 17, 2025

1. Introduction

1.1 Purpose

This Data Protection Policy outlines how Gestlat ThinkLab ("we," "our," or "the Company") protects personal data in accordance with applicable data protection laws in Uganda and East Africa, including:

Uganda: The Data Protection and Privacy Act, 2019
Kenya: The Data Protection Act, 2019
Tanzania: Personal Data Protection Act, 2022
Rwanda: Law on the Protection of Personal Data and Privacy, 2021
Other applicable East African Community (EAC) regulations

1.2 Scope

This policy applies to:

All personal data processed by Gestlat ThinkLab
All employees, contractors, consultants, and partners
All data processing activities across our operations
Both digital and physical data processing

1.3 Commitment

We are committed to:

Protecting the privacy rights of individuals
Processing data lawfully, fairly, and transparently
Implementing appropriate technical and organizational measures
Complying with all applicable data protection regulations
Fostering a culture of privacy awareness

2. Data Protection Principles

We adhere to the following core principles:

2.1 Lawfulness, Fairness, and Transparency

Process data lawfully based on valid legal grounds
Process data fairly without deception
Communicate clearly about data processing activities
Provide accessible privacy information

2.2 Purpose Limitation

Collect data for specified, explicit, and legitimate purposes
Not process data in ways incompatible with original purposes
Obtain new consent if purposes change significantly

2.3 Data Minimization

Collect only data adequate, relevant, and necessary
Avoid excessive data collection
Regularly review data collection practices
Delete unnecessary data

2.4 Accuracy

Maintain accurate and up-to-date data
Correct inaccurate data promptly
Implement verification procedures
Allow individuals to update their information

2.5 Storage Limitation

Retain data only as long as necessary
Define clear retention periods
Securely delete data when no longer needed
Archive data where legally required

2.6 Integrity and Confidentiality (Security)

Protect data against unauthorized access, loss, or damage
Implement appropriate security measures
Train staff on data protection
Monitor and audit security practices

2.7 Accountability

Demonstrate compliance with data protection principles
Maintain documentation of processing activities
Conduct Data Protection Impact Assessments (DPIAs) where required
Appoint a Data Protection Officer (DPO) where necessary

3. Legal Basis for Processing

We process personal data based on the following legal grounds:

3.1 Consent

Clear, informed, and freely given consent from data subjects
Specific consent for each processing purpose
Easy withdrawal mechanism
Documentation of consent

Used for: Marketing communications, optional features, cookies (non-essential)

3.2 Contract Performance

Processing necessary to fulfill contractual obligations
Pre-contractual measures at data subject's request

Used for: Service delivery, software licensing, payment processing, customer support

3.3 Legal Obligation

Compliance with Ugandan and East African laws
Tax and accounting requirements
Regulatory reporting
Court orders and legal processes

Used for: Tax records, financial reporting, legal compliance, law enforcement requests

3.4 Legitimate Interests

Necessary for legitimate business interests
Not overriding data subject's rights and freedoms
Documented legitimate interest assessments (LIAs)

Used for: Fraud prevention, security, business analytics, direct marketing (where permitted)

3.5 Vital Interests

Necessary to protect life or physical integrity

Used for: Emergency situations, health and safety

3.6 Public Interest

Necessary for public interest or official authority tasks

Used for: Government-contracted services, public sector projects

4. Data Processing Activities

4.1 Types of Data We Process

Personal Data

Name, contact details, identification numbers
Demographic information
Professional information

Sensitive Personal Data (Special Categories)

We process sensitive data only with explicit consent or legal authorization:

Health data (HealthCenterOps360, clinics)
Financial data
Biometric data (if applicable)
Children's data (ESchool360 - processed on behalf of schools)

Business Data

Company information
Transaction records
Business communications
Commercial data

4.2 Data Sources

We collect data from:

Direct interactions: Forms, registrations, purchases
Automated technologies: Cookies, analytics
Third parties: Payment processors, partners
Public sources: Business registries, public records

4.3 Data Processing Activities

Collection: Via website, applications, forms
Storage: Secure servers and databases
Use: Service delivery, analytics, communications
Sharing: With processors and partners (as needed)
Transfer: Internationally (with safeguards)
Deletion: According to retention schedules

5. Data Subject Rights

Under East African data protection laws, individuals have the following rights:

5.1 Right to Information

Be informed about data processing
Access our privacy notices
Understand how data is used

5.2 Right of Access

Request confirmation of data processing
Obtain a copy of personal data
Receive information about processing

How to Exercise: Email [email protected] with ID verification

5.3 Right to Rectification

Correct inaccurate data
Complete incomplete data
Update outdated information

How to Exercise: Via account settings or email [email protected]

5.4 Right to Erasure ("Right to be Forgotten")

Request deletion of data in specific circumstances:
- No longer necessary for original purpose
- Consent withdrawn
- Objection to processing
- Unlawful processing
- Legal obligation requires deletion

Limitations: Cannot delete if needed for legal obligations, legal claims, or contractual requirements

5.5 Right to Restrict Processing

Limit how we use data while:
- Verifying accuracy
- Assessing legitimate grounds
- Processing legal claims

5.6 Right to Data Portability

Receive data in structured, machine-readable format
Transfer data to another controller (where technically feasible)

Applies to: Data processed based on consent or contract

5.7 Right to Object

Object to processing based on legitimate interests
Object to direct marketing (anytime)
Object to profiling and automated decision-making

5.8 Rights Related to Automated Decision-Making

Not be subject to solely automated decisions with legal/significant effects
Request human intervention
Contest automated decisions

5.9 Right to Withdraw Consent

Withdraw consent anytime (where processing based on consent)
Easy withdrawal mechanism
Does not affect lawfulness of prior processing

5.10 Right to Lodge a Complaint

File complaints with data protection authorities:

Uganda: Personal Data Protection Office (PDPO) - [email protected]
Kenya: Office of the Data Protection Commissioner
Tanzania: Personal Data Protection Commission
Rwanda: National Commission for the Protection of Personal Data and Privacy

6. Data Security Measures

6.1 Technical Security Measures

Encryption

Data in Transit: TLS/SSL encryption (HTTPS)
Data at Rest: AES-256 encryption for sensitive data
Database Encryption: Encrypted databases for production systems
Backup Encryption: Encrypted backup storage

Access Controls

Authentication: Strong password policies, multi-factor authentication (MFA)
Authorization: Role-based access control (RBAC)
Principle of Least Privilege: Minimum necessary access
Regular Access Reviews: Quarterly access audits

Network Security

Firewalls: Enterprise-grade firewall protection
Intrusion Detection: Real-time monitoring
DDoS Protection: Distributed denial-of-service mitigation
VPN: Secure remote access

Application Security

Secure Development: Security-by-design principles
Vulnerability Scanning: Regular security assessments
Penetration Testing: Annual third-party testing
Security Patching: Timely updates and patches

Monitoring and Logging

Activity Logs: Comprehensive logging of data access
Security Monitoring: 24/7 security operations
Anomaly Detection: Automated threat detection
Audit Trails: Immutable audit logs

6.2 Organizational Security Measures

Policies and Procedures

Information Security Policy
Incident Response Plan
Business Continuity Plan
Disaster Recovery Plan
Acceptable Use Policy

Staff Training

Mandatory data protection training for all staff
Annual security awareness training
Role-specific security training
Phishing simulation exercises

Vendor Management

Vendor security assessments
Data Processing Agreements (DPAs)
Regular vendor audits
Contractual security requirements

Physical Security

Office Access: Controlled access to premises
Server Rooms: Restricted access, surveillance
Device Security: Encrypted laptops, device management
Secure Disposal: Certified data destruction

6.3 Data Backup and Recovery

Regular Backups: Daily automated backups
Off-site Storage: Geographically distributed backups
Backup Testing: Quarterly recovery drills
Retention: 30-day backup retention

6.4 Secure Data Disposal

Digital Data: Secure deletion using industry-standard methods
Physical Media: Shredding or physical destruction
Disposal Certification: Documented destruction
End-of-Life: Secure decommissioning procedures

7. Data Breach Management

7.1 Definition of a Data Breach

A breach of security leading to accidental or unlawful:

Destruction, loss, or alteration of personal data
Unauthorized disclosure of personal data
Unauthorized access to personal data

7.2 Breach Detection and Assessment

Detection: Monitoring systems and staff reporting
Assessment: Immediate risk evaluation
Classification: Severity and impact determination
Documentation: Detailed breach records

7.3 Breach Response Procedure

Immediate Response (0-24 hours)

Containment: Stop the breach, secure systems
Assessment: Evaluate scope and impact
Team Activation: Assemble incident response team
Documentation: Begin breach log

Investigation Phase (24-72 hours)

Root Cause Analysis: Identify how breach occurred
Impact Assessment: Determine affected data and individuals
Remediation: Fix vulnerabilities
Evidence Preservation: Preserve for potential investigation

Notification Phase (Within 72 hours for high-risk breaches)

Regulatory Notification:
- Uganda PDPO: Within 72 hours
- Other applicable authorities
- Include: Nature of breach, categories of data, likely consequences, measures taken
Data Subject Notification:
- Required if high risk to rights and freedoms
- Clear, plain language
- Include: Nature of breach, likely consequences, mitigation measures, contact point
Stakeholder Notification:
- Partners, clients (if their data affected)
- Insurance providers
- Legal counsel

Post-Breach Activities

Lessons Learned: Post-incident review
Policy Updates: Revise security procedures
Training: Additional staff training
Monitoring: Enhanced monitoring

7.4 Breach Register

We maintain a register of all data breaches, including:

Date and time of breach
Nature and scope
Data subjects affected
Potential consequences
Remedial actions taken
Notifications made

8. International Data Transfers

8.1 Transfer Mechanisms

When transferring data outside East Africa, we use:

Standard Contractual Clauses (SCCs)

EU-approved standard contractual clauses
Contractual safeguards with recipients

Adequacy Decisions

Transfers to countries with adequate data protection (if applicable)

Explicit Consent

Informed consent for specific transfers (where appropriate)

Necessary Transfers

Contractually necessary transfers
Transfers in your vital interest
Public interest transfers

8.2 Transfer Safeguards

Encryption: Encrypted transmission
Access Controls: Limited recipient access
Contractual Obligations: Binding data protection terms
Audit Rights: Right to audit transfer recipients
Impact Assessments: Transfer risk assessments

8.3 Primary Transfer Destinations

Cloud Services: [Specify: AWS, Google Cloud, Azure regions]
Payment Processors: [Specify locations]
Analytics Providers: Google (USA), others

9. Data Processing Roles

9.1 As Data Controller

We act as Data Controller when:

Determining purposes and means of processing
Processing customer/user data for our business
Marketing and business development

Our Responsibilities:

Compliance with data protection laws
Implementing security measures
Responding to data subject requests
Reporting breaches

9.2 As Data Processor

We act as Data Processor when:

Providing MEAL services to NGOs/organizations
Hosting client data in our software systems
Processing data on behalf of educational institutions (ESchool360)

Our Responsibilities:

Process only on controller's instructions
Maintain Data Processing Agreements (DPAs)
Assist with data subject requests
Notify controller of breaches
Delete/return data upon request

9.3 Data Processing Agreements (DPAs)

We maintain DPAs with:

Clients (where we're the processor): Clear processing instructions
Sub-processors: Vendors processing data on our behalf
Partners: Joint processing arrangements

DPA Contents:

Subject matter and duration
Nature and purpose of processing
Type of personal data
Categories of data subjects
Rights and obligations
Security requirements
Sub-processing terms

10. Data Retention

10.1 Retention Principles

Retain only as long as necessary
Define retention periods by data type
Regular review and deletion
Legal and regulatory compliance

10.2 Retention Periods

Customer and User Data

Data Type	Retention Period	Legal Basis
Account information	Active + 7 years	Tax/legal requirements
Transaction records	7 years	Tax and accounting laws
Support tickets	3 years	Business records
Marketing consent	Until withdrawn + 1 year	Consent management
Website analytics	26 months	Business purposes
Inactive accounts	3 years inactivity, then deleted	Data minimization

Business Records

Data Type	Retention Period	Legal Basis
Contracts	7 years after expiry	Legal requirements
Financial records	7 years	Tax laws
Employee records	7 years after termination	Employment laws
Legal documents	Permanently or as required	Legal obligations

Software Product Data

Data Type	Retention Period	Legal Basis
Application data	As long as subscription active	Contract performance
Backup data	30 days	Business continuity
Logs and diagnostics	90 days	Security and performance
Deleted data	30-day recovery period	Customer service

10.3 Deletion Procedures

Automated Deletion: Scheduled automated purging
Manual Review: Quarterly data review
Secure Deletion: Industry-standard erasure methods
Verification: Deletion confirmation logs

11. Special Data Categories

11.1 Children's Data (ESchool360)

When processing data of individuals under 18:

Controller Role: Educational institutions are controllers
Processor Role: We process on their behalf
Parental Consent: Obtained by schools
Enhanced Protection: Additional security measures
Data Minimization: Only necessary educational data
Limited Access: Restricted staff access
Special DPAs: Education-specific agreements

11.2 Health Data (HealthCenterOps360, DrugStoreOps360)

When processing health data:

Explicit Consent or Legal Basis: Required
Enhanced Security: Encrypted storage and transmission
Access Controls: Strict need-to-know basis
Professional Secrecy: Healthcare confidentiality standards
Audit Trails: Complete access logging
Special Training: Staff handling health data

11.3 Financial Data

PCI DSS Compliance: For card data
Tokenization: Sensitive payment data
Limited Storage: Minimize stored financial data
Secure Transmission: Encrypted channels

12. Privacy by Design and by Default

12.1 Privacy by Design

We integrate data protection into:

Product Development: Security from inception
System Architecture: Privacy-enhancing technologies
Business Processes: Privacy considerations throughout
Procurement: Vendor privacy assessments

12.2 Privacy by Default

Minimal Data Collection: Default settings collect minimum data
Opt-in Marketing: Marketing requires active consent
Limited Access: Restrictive default permissions
Visibility Controls: User controls over data sharing

13. Data Protection Impact Assessments (DPIAs)

13.1 When Required

We conduct DPIAs for processing that:

Uses new technologies
Involves systematic monitoring
Processes sensitive data at scale
Makes automated decisions with legal effects
Presents high risk to rights and freedoms

13.2 DPIA Process

Description: Describe processing operation
Necessity Assessment: Evaluate necessity and proportionality
Risk Identification: Identify risks to data subjects
Mitigation Measures: Define safeguards
Consultation: Consult DPO and stakeholders
Approval: Document and approve
Review: Regular DPIA reviews

14. Roles and Responsibilities

14.1 Data Protection Officer (DPO)

Contact: [email protected]

Responsibilities:

Monitor compliance
Advise on data protection obligations
Train staff
Conduct audits
Liaise with regulators
Handle data subject requests

14.2 Management

Ensure compliance with policy
Allocate resources for data protection
Promote privacy culture
Review and approve policy changes

14.3 Employees and Contractors

Comply with this policy
Complete data protection training
Report suspected breaches
Handle data securely
Respect data subject rights

14.4 IT and Security Team

Implement technical measures
Monitor security
Manage access controls
Respond to incidents
Maintain security infrastructure

15. Training and Awareness

15.1 Mandatory Training

Onboarding: Data protection training for all new staff
Annual Training: Yearly refresher for all staff
Role-Specific: Additional training for roles handling data
Certification: Completion certificates required

15.2 Training Content

Data protection principles
Legal obligations
Company policies
Data subject rights
Security best practices
Breach reporting
Practical scenarios

15.3 Awareness Programs

Regular privacy tips and updates
Simulated phishing exercises
Privacy newsletters
Privacy champions program

16. Monitoring and Audits

16.1 Compliance Monitoring

Quarterly Reviews: Data processing activities
Annual Audits: Comprehensive policy compliance
Vendor Audits: Sub-processor assessments
Metrics Tracking: Compliance KPIs

16.2 Audit Scope

Data processing activities
Security measures effectiveness
Data subject request handling
Breach response procedures
Training completion
Policy adherence

17. Policy Review and Updates

17.1 Review Schedule

Annual Review: Comprehensive policy review
Regulatory Changes: Updates as laws change
Incident-Triggered: After significant breaches
Technology Changes: When introducing new systems

17.2 Version Control

Documented changes
Change approval process
Communication of updates
Staff notification

18. Contact Information

18.1 Data Protection Officer

Email: [email protected]
Phone: +256 763 414937
Address: Kampala, Kampala, Uganda

18.2 Privacy Team

Email: [email protected]
Phone: +256 763 414937

18.3 Regulatory Authorities

Uganda - Personal Data Protection Office (PDPO)

Email: [email protected]
Phone: +256 414 341 641
Website: www.privacy.go.ug

19. Related Policies and Documents

Privacy Policy
Cookie Policy
Information Security Policy
Acceptable Use Policy
Data Retention Schedule
Incident Response Plan
Business Continuity Plan
Employee Data Protection Policy
Vendor Management Policy

Acknowledgment

All employees, contractors, and consultants must acknowledge understanding and acceptance of this Data Protection Policy.

Approval

Approved by: [Name, Title]
Date: December 17, 2025
Next Review Date: [Date + 1 year]

Last Updated: December 17, 2025
Effective Date: December 17, 2025
Version: 1.0

This Data Protection Policy is available in English, French (Français), and Arabic (العربية). The English version is authoritative in case of discrepancies.