RideLink
Get Started

© 2026 RideLink Inc.

RideLink Limited Uganda

Personal Data Protection & Privacy Policy

This policy explains how RideLink collects, processes, protects and stores personal data — in manual and electronic records — in compliance with Uganda's Data Protection and Privacy Act (2019).

Version 1 Reviewed every 3 years Data Protection & Privacy Act (2019)
Section 01

Aim & Scope of Policy

This policy applies to the processing of personal data in manual and electronic records kept by the Company. It also covers the Company's response to any data breach and other rights under the Data Protection and Privacy Act (2019).

Personal data

Information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person's name, identification number, location, or online identifier.

Special categories of personal data

Data which relates to the religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records of an individual.

Data processing

Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The Company makes a commitment to ensuring that personal data, including special categories of personal data, is processed in compliance with the Data Protection and Privacy Act (2019) and all its employees conduct themselves in line with this, and other related policies. Where third parties process personal data on behalf of the Company, the Company will ensure that the third party takes such measures in order to maintain the Company's commitment to protecting personal data.

In line with the Data Protection and Privacy Act (2019), the Company understands that it will be accountable for the processing, management, storage and retention of all personal data held in the form of manual records and on information systems.

Section 02

Types of Data Held

Personal data is kept in personnel files and the Company's information systems. The following types of personal data may be held by the Company, as appropriate, on relevant individuals:

  • Names, address, phone numbers
  • Social media handles
  • CVs, academic information and other information gathered during recruitment
  • National Identity Numbers
  • Bank account information
  • Job title, job descriptions and pay grades
  • HR issues such as appraisal, performance evaluation, letters of concern, disciplinary proceedings
  • Terms and conditions of employment
  • Training details

Relevant individuals should refer to the Company's privacy notice for more information on the reasons for its processing activities and the lawful bases it relies on for the processing.

Data held on clients

The following types of personal data may be held by the Company during the implementation of its contracts with its clients:

  • Full names
  • Gender
  • Photo
  • Phone number
  • Age
  • Identification document
  • Location
  • E-mail address

Data held on operators

In addition, the following types of personal data may be held by the Company during the implementation of its contracts with its operators:

  • Full names
  • TIN
  • Phone number
  • Contact number
  • Payment information
Section 03

Data Protection Principles

All personal data obtained and held by the Company will:

  • Be processed fairly, lawfully and in a transparent manner
  • Be collected for specific, explicit, and legitimate purposes
  • Be adequate, relevant and limited to what is necessary for the purposes of processing
  • Be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified
  • Not be kept for longer than is necessary for its given purpose
  • Be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures
  • Comply with the Data Protection and Privacy Act (2019)

In addition, personal data for staff will be processed in recognition of an individual's data protection rights, as follows:

  • The right to be informed
  • The right of access
  • The right for any inaccuracies to be corrected (rectification)
  • The right to restrict the processing of the data
  • The right to object to the inclusion of any information
  • The right to ask for information on any automated decision-making
Section 04

Procedures

The Company has taken the following steps to protect the personal data of relevant individuals, which it holds or to which it has access:

  • It appoints or employs employees with specific responsibilities for the processing and controlling of data
  • It provides information to its employees and customers on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think that their data has been compromised in any way
  • It provides its employees with information and training to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially
  • It can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with
  • It carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security
  • It has the appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report significant breaches that cause significant harm to the affected individuals to the Personal Data Protection Office, and is aware of the possible consequences
  • It is aware of the implications of transferring personal data internationally
Section 05

Access to Data

Relevant individuals have a right to be informed (where the Company is a data controller) whether the Company processes personal data relating to them, and to access the data that the Company holds about them. Requests for access to this data will be dealt with under the following summary guidelines:

  • The contact through which to make a subject access request
  • The Company will not charge for the supply of data unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request
  • The Company will respond to a request without delay, subject to legally permitted provisions for confirming the identity of the requestor

Relevant individuals (where the Company is a data controller) must inform the Company immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. The Company will take immediate steps to rectify the information.

Section 06

Data Disclosures

The Company may be required to disclose certain data/information to any person. The circumstances leading to such disclosures include:

  • Any employee benefits operated by third parties
  • HR management and administration
  • The smooth operation of any employee insurance policies or pension plans
  • Meeting requirements from a regulator where applicable

These kinds of disclosures will only be made when strictly necessary for the purpose.

Section 07

Data Security

The Company adopts procedures designed to maintain the security of data when it is stored and transported.

In addition, employees must:

  • Ensure that all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them
  • Ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people
  • Check regularly on the accuracy of data being entered into information systems
  • Always use the passwords provided to access the information system and not abuse them by sharing or passing them on to people who should not have them

Where personal data is recorded on any such device, it should be protected by:

  • Ensuring that data is recorded on such devices only where absolutely necessary
  • Ensuring that laptops, tabs or USB drives are not left lying around where they can be stolen

Failure to follow the Company's rules on data security may be dealt with via the Company's disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.

Section 08

International Data Transfers

The Company may use data processors outside of Uganda. Such data processors shall be located in countries that have laws similar to Uganda's Data Protection and Privacy Act.

Section 09

Artificial Intelligence (AI) Services

RideLink may provide certain features powered by artificial intelligence ("AI") to assist users with logistics operations, shipment management, customer support, route planning, document analysis, and other related services.

AI service providers

To provide AI-powered functionality, RideLink may share user inputs with trusted third-party AI service providers, including but not limited to OpenAI and other equivalent AI providers.

Information sent to AI providers

When a user interacts with AI-powered features, the following information may be transmitted to the AI provider for processing:

  • Text prompts and messages submitted by the user
  • Voice recordings and speech-to-text transcripts
  • Images, documents, or files uploaded by the user
  • Shipment information and logistics-related data provided by the user
  • Conversation history necessary to generate relevant responses
  • Language preferences and interaction metadata

Purpose of processing

The information is processed solely for the purpose of:

  • Generating AI-powered responses
  • Processing voice interactions
  • Analyzing uploaded documents and images
  • Providing shipment assistance and logistics recommendations
  • Improving the accuracy, relevance, and quality of AI-generated outputs
  • Supporting customer service and operational workflows

User consent

Before a user accesses any AI-powered feature for the first time, RideLink will provide a clear disclosure explaining what information is shared with the AI provider and request the user's consent. Users may decline consent; however, certain AI-powered features may become unavailable if consent is not provided.

Data retention

RideLink retains user information only for as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements. Information processed by third-party AI providers may be retained according to the retention and privacy policies of those providers.

International data transfers

AI providers may process information on servers located outside Uganda. Where international transfers occur, RideLink will take reasonable steps to ensure that such transfers are protected by appropriate safeguards and comply with applicable data protection laws.

User rights

Users retain all rights available under applicable data protection laws, including the right to:

  • Request access to their personal data
  • Request correction of inaccurate information
  • Request deletion of personal data where legally permissible
  • Withdraw consent for AI processing where applicable
  • Object to certain forms of processing

AI limitations

AI-generated responses are provided for informational and operational assistance purposes only. While RideLink strives to ensure the reliability of AI-powered services, AI-generated content may contain inaccuracies and should not be relied upon as the sole basis for business, legal, financial, or operational decisions.

Section 10

Breach Notification

For instances where the Company is a data controller, any personal data breach will be reported to the Personal Data Protection Office as soon as the Company becomes aware of it, and may be reported in more than one instalment. The Company will use the breach notification procedure prescribed in the Data Protection and Privacy Regulations.

For instances where the Company is a data processor, any personal data breach will be reported to the client as soon as the Company becomes aware of it, and may be reported in more than one instalment. The Company will also cooperate in any follow-up investigations.

Section 11

Training

All employees, as part of their induction, receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.

All employees who need to use any information system are trained to protect individuals' private data, to ensure data security, and to understand the consequences to them as individuals and the Company of any potential lapses and breaches of the Company's policies and procedures.

Section 12

Records

The Company keeps records of its processing activities, including the purpose for the processing. These records will be kept up to date so that they reflect current processing activities.

Section 13

Data Protection Officer

The Company shall assign responsibility for a Data Protection Officer and provide the necessary resources for his/her assignment. In some circumstances, this may be outsourced to a competent consultant or firm; however, the Company retains ultimate risk ownership.

Section 14

Review

This policy will be reviewed every three years or when there is a major change in the operations of the Company.

Version: 1