Privacy Policy
Our commitment to protecting your privacy and personal information.
Effective Date: December 17, 2025
Last Updated: December 17, 2025
1. Introduction
Welcome to Gestlat ThinkLab ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or purchase our products.
Our Contact Information:
- Company: Gestlat ThinkLab
- Address: Kampala, Kampala, Uganda
- Email: [email protected]
- Phone: +256 763 414937
By using our services, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Personal Information You Provide
We collect information that you voluntarily provide to us when you:
- Register for an account
- Purchase products or services
- Request a consultation or quote
- Subscribe to our newsletter
- Register for courses or events
- Contact customer support
- Apply for jobs or consultant partnerships
- Fill out forms on our website
This information may include:
- Identity Data: Full name, username, title, date of birth
- Contact Data: Email address, phone number, physical address
- Financial Data: Payment card details, mobile money numbers, billing address
- Account Data: Username, password, and other security credentials
- Business Data: Company name, business type, industry, tax ID
- Transaction Data: Details of purchases, licenses, and subscriptions
- Technical Support Data: Device information, error logs, support tickets
- Marketing Data: Communication preferences, survey responses
2.2 Information Automatically Collected
When you visit our website or use our services, we automatically collect:
- Usage Data: Pages visited, time spent, links clicked, navigation paths
- Device Data: IP address, browser type, operating system, device identifiers
- Location Data: General geographic location based on IP address
- Cookies and Tracking Data: Information collected through cookies and similar technologies (see our Cookie Policy)
2.3 Information from Third Parties
We may receive information about you from:
- Payment Processors: Transaction confirmation and payment status
- Social Media: If you connect your social media accounts
- Business Partners: Information shared through legitimate partnerships
- Public Sources: Publicly available business information
2.4 Information in Our Software Products
When you use our 360° business management systems (ESchool360, ShopFlow360, etc.), we may collect:
- Application Usage Data: Features used, frequency, performance metrics
- Business Data: Transaction records, inventory data, customer information (as processed by you)
- Sync Data: Data synchronized between devices
- Error and Diagnostic Data: Crash reports, performance logs
Important: Business data you enter into our systems (your customers, transactions, etc.) remains YOUR data. We process it only as necessary to provide services to you.
3. How We Use Your Information
We use your information for the following purposes:
3.1 Service Delivery
- Provide, operate, and maintain our services
- Process transactions and send transaction notifications
- Deliver software licenses and digital products
- Provide customer support and respond to inquiries
- Send service-related communications
3.2 Business Operations
- Manage your account and subscriptions
- Process payments and prevent fraud
- Verify your identity and eligibility
- Comply with legal obligations
- Enforce our terms and policies
3.3 Improvement and Development
- Analyze usage patterns to improve our services
- Develop new features and products
- Conduct research and analytics
- Test system performance and reliability
3.4 Marketing and Communications
- Send promotional materials and offers (with your consent)
- Provide personalized recommendations
- Conduct surveys and gather feedback
- Invite you to events and training programs
- Send newsletters and updates
3.5 Legal and Security
- Protect against fraud and unauthorized access
- Investigate and prevent illegal activities
- Comply with legal requirements and court orders
- Enforce our rights and protect our interests
4. Legal Basis for Processing (Uganda and East Africa)
Under applicable East African data protection laws, we process your personal information based on:
4.1 Consent
You have given clear consent for us to process your personal data for specific purposes (e.g., marketing communications).
4.2 Contract Performance
Processing is necessary to fulfill our contract with you (e.g., delivering purchased software, providing support).
4.3 Legal Obligation
Processing is necessary to comply with legal obligations under Ugandan law, East African Community regulations, or other applicable laws.
4.4 Legitimate Interests
Processing is necessary for our legitimate business interests, such as:
- Fraud prevention and security
- Network and information security
- Business analytics and improvement
- Direct marketing (where permitted)
We always balance our interests against your rights and freedoms.
5. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
5.1 Service Providers
We share information with trusted third-party service providers who assist us with:
- Payment processing (mobile money providers, card processors)
- Cloud hosting and data storage
- Email delivery and marketing platforms
- Customer support tools
- Analytics and performance monitoring
All service providers are contractually bound to protect your data and use it only for specified purposes.
5.2 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information is transferred and becomes subject to a different privacy policy.
5.3 Legal Requirements
We may disclose your information when required by law or in response to:
- Court orders or legal processes
- Government or regulatory requests
- Protection of our rights and property
- Public safety or law enforcement needs
5.4 With Your Consent
We may share your information with third parties when you have given explicit consent.
5.5 Business Partners
With your consent, we may share information with:
- Training partners for course delivery
- Hardware suppliers for product fulfillment
- Consultant network members for service delivery
6. International Data Transfers
Your information may be transferred to and processed in countries outside Uganda and East Africa, including countries that may not have the same data protection laws.
When we transfer data internationally, we ensure appropriate safeguards:
- Standard contractual clauses approved by data protection authorities
- Adequacy decisions recognizing equivalent protection
- Your explicit consent where required
Primary Data Storage: Our primary servers are located in [specify region/country].
7. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
7.1 Technical Measures
- Encryption of data in transit (SSL/TLS) and at rest
- Secure authentication and access controls
- Regular security testing and vulnerability assessments
- Intrusion detection and prevention systems
- Secure backup and disaster recovery procedures
7.2 Organizational Measures
- Employee training on data protection
- Limited access on a need-to-know basis
- Confidentiality agreements with staff and contractors
- Regular security policy reviews
- Incident response procedures
However, no method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
8. Data Retention
We retain your personal information only as long as necessary for the purposes outlined in this policy:
- Account Data: Retained while your account is active and for 7 years after closure for legal/tax purposes
- Transaction Records: Retained for 7 years for accounting and tax compliance
- Marketing Data: Retained until you withdraw consent or for 3 years of inactivity
- Support Tickets: Retained for 3 years for quality assurance
- Website Analytics: Aggregated data retained indefinitely; individual data for 26 months
When information is no longer needed, we securely delete or anonymize it.
9. Your Privacy Rights
Under Ugandan and East African data protection laws, you have the following rights:
9.1 Right to Access
You can request a copy of the personal information we hold about you.
9.2 Right to Rectification
You can request correction of inaccurate or incomplete information.
9.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal information in certain circumstances.
9.4 Right to Restrict Processing
You can request that we limit how we use your information.
9.5 Right to Data Portability
You can request your data in a structured, commonly used format.
9.6 Right to Object
You can object to processing based on legitimate interests or for direct marketing.
9.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time.
9.8 Right to Lodge a Complaint
You can file a complaint with the relevant data protection authority:
- Uganda: Personal Data Protection Office (PDPO)
- Email: [email protected]
To Exercise Your Rights:
- Email: [email protected]
- Include: Your name, contact information, and specific request
- We will respond within 30 days
10. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
Exception: Educational institutions using ESchool360 may input student data. In these cases:
- The institution (not us) is the data controller
- Parents/guardians should contact the institution regarding student data
- We process student data only as instructed by the institution
If you believe we have collected information from a child, please contact us immediately.
11. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience. For detailed information, please see our Cookie Policy.
Quick Summary:
- Essential cookies for website functionality
- Analytics cookies to understand usage
- Marketing cookies for personalized content
- You can manage cookie preferences in your browser
12. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to read their privacy policies.
13. Marketing Communications
13.1 Opt-In
We will only send marketing communications if you have:
- Opted in during registration
- Signed up for our newsletter
- Purchased products/services and not opted out
13.2 Opt-Out
You can unsubscribe at any time by:
- Clicking "unsubscribe" in any marketing email
- Updating preferences in your account settings
- Emailing: [email protected]
- Contacting customer support
We will process opt-out requests within 48 hours.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be effective when posted on this page with an updated "Last Updated" date.
For Material Changes:
- We will notify you via email (if provided)
- We may display a prominent notice on our website
- Continued use after changes constitutes acceptance
We encourage you to review this policy periodically.
15. Contact Us
For questions, concerns, or to exercise your privacy rights:
Privacy Team
- Email: [email protected]
- Phone: +256 763 414937
- Address: Kampala, Kampala, Uganda
- Response Time: Within 5 business days for initial response
Data Protection Officer (if applicable):
- Name: [DPO Name]
- Email: [email protected]
16. Specific Service Privacy Notices
16.1 Software Products (360° Systems)
When you use our business management systems, additional privacy considerations apply. See product-specific privacy notices within each application.
16.2 MEAL Services
For organizations using our Realtime MEAL services, we process data as a data processor. Specific data processing agreements (DPAs) govern this processing.
16.3 Consultant Network
If you join our consultant network, additional terms regarding confidentiality and data handling apply.
Acknowledgment
By using Gestlat ThinkLab services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.
Language Versions
This Privacy Policy is available in:
- English (authoritative version)
- French (Français)
- Arabic (العربية)
In case of discrepancies, the English version prevails.