Privacy Policy

1. Introduction and Scope

1.1 This Privacy Policy explains how Quest collects, uses, stores, shares, secures and otherwise processes personal data in connection with the use of the Quest safari quoting platform, related websites, applications, support channels and business operations.

1.2 For purposes of this Policy, Quest is operated by Canine Safaris Ltd. Where payment, invoicing or related financial processing is required, such activities may be undertaken by Canine Safaris LLC, a subsidiary of Canine Safaris Ltd registered in New Mexico, United States, acting strictly within the limits of applicable law and contractual arrangements.

1.3 This Policy applies to personal data relating to account holders, company representatives, staff users, prospective customers, support contacts, website visitors and other individuals whose personal data is collected or processed through Quest.

1.4 This Policy is intended to give effect to the principles of data protection and privacy recognised under Ugandan law, including accountability, fairness and lawfulness, adequacy, relevance, retention limitation, accuracy, security and transparency as reflected in section 3 of the Data Protection and Privacy Act, 2019.

2. Identity of the Data Controller

2.1 Unless otherwise stated for a specific activity, the data controller responsible for the collection and primary processing of personal data under this Policy is Canine Safaris Ltd trading as Quest.

2.2 In limited cases concerning billing, payment administration, invoicing, collections, bookkeeping support or related financial operations, Canine Safaris LLC may process relevant personal data as an affiliate service provider or joint operational entity, subject to appropriate safeguards, confidentiality obligations and lawful instructions.

2.3 Where we engage third-party processors such as hosting providers, analytics vendors, cloud storage vendors, email delivery providers, customer support tools or payment partners, such parties process personal data only for authorised purposes and subject to contractual controls.

3. Categories of Personal Data We Collect

3.1 We may collect personal data that you provide directly to us, including but not limited to; your full name, email address, telephone number, password credentials, company name, company address, tax or registration details, role or job title, and related onboarding information.

3.2 We may collect business verification information and supporting documents, including but not limited to; URSB documents, TIN details, UTB licence details, incorporation records, certificates, licences and related compliance documents submitted during onboarding or later verification.

3.3 We may collect quote and itinerary data entered into the platform including but not limited to; client names, travel dates, accommodation selections, pricing, notes, activity details, client nationalities, sales information and related business records.

3.4 We may collect communications data including but not limited to; such as emails, chat messages, support requests, call logs, feedback, complaint records and other correspondence exchanged with us.

3.5 We may automatically collect technical and usage data including but not limited to; IP address, device identifiers, browser type, operating system, cookie identifiers, pages viewed, timestamps, log files, session activity and other diagnostic information.

3.6 We may also process limited financial and transaction-related data necessary for billing and payment administration including but not limited to; payer name, billing email, invoice records, transaction references, payment status and reconciliation details. We do not intentionally store full payment card details unless processed through a compliant third-party payment provider.

4. Purposes and Legal Basis for Processing

4.1 We process personal data for lawful, specific and legitimate purposes, including account creation, authentication, business verification, user administration, quote preparation, itinerary management, customer support, service improvement, fraud prevention, legal compliance and platform security.

4.2 Under section 7 of the Data Protection and Privacy Act, 2019, personal data should not be collected or processed without the prior consent of the data subject unless another lawful ground applies. Accordingly, where consent is the appropriate legal basis, we will seek your consent in a clear and informed manner.

4.3 We may process personal data where processing is necessary for the performance of a contract, the implementation of pre-contract steps requested by the data subject, compliance with a legal obligation, protection of a legitimate interest that is not overridden by the rights of the data subject, protection of public interest, or another basis recognised under applicable Ugandan law and the Regulations.

4.4 We use account, verification and operational data to establish and manage customer relationships, verify businesses, maintain system integrity, administer user permissions and provide core platform functionality.

4.5 We use communications and service data to respond to inquiries, resolve technical issues, handle complaints, investigate misuse and provide notices about system updates, service changes, invoices and account matters.

4.6 We use technical and usage data to monitor service performance, maintain audit trails, detect unauthorised access, apply rate limits, prevent scraping or abuse, investigate incidents and improve user experience.

4.7 Where we send direct marketing or promotional communications, we will do so in accordance with applicable law, including obtaining consent where required and offering an opt-out mechanism. Ugandan law recognises a data subject's right to object to processing for direct marketing and related purposes, including under sections 25 and 26 of the Act.

5. Data Protection Principles

5.1 We are committed to processing personal data fairly, lawfully and transparently, and only for purposes that are compatible with the reason for which the data was collected.

5.2 We take reasonable steps to ensure that personal data is adequate, relevant and not excessive in relation to the purpose of processing.

5.3 We endeavour to keep personal data accurate, complete and up to date and to correct inaccuracies when identified or brought to our attention.

5.4 We retain personal data only for as long as necessary for lawful business, regulatory, contractual or evidentiary purposes, after which it is deleted, anonymised, archived or otherwise handled in accordance with applicable law.

5.5 We implement appropriate technical and organisational safeguards to preserve confidentiality, integrity, availability and resilience of personal data.

6. Cookies, Logs and Similar Technologies

6.1 We may use cookies, session identifiers, local storage, server logs and comparable technologies to keep you signed in, remember preferences, secure sessions, understand usage patterns and support analytics.

6.2 Some cookies are strictly necessary for the operation and security of the platform. Others support performance, measurement or functionality.

6.3 You may control certain cookies through your browser settings. However, disabling some cookies may affect the proper operation, security or convenience of the platform.

7. Data Subject Rights under Ugandan Law

7.1 Subject to the Act and any lawful limitations, a data subject has the right to be informed about the collection and processing of personal data and the purposes for which the data is used.

7.2 Section 24 of the Act recognises the right of access. A data subject who provides proof of identity may request confirmation whether we hold personal data about that person and may request a description or copy of such data, subject to lawful limitations.

7.3 Section 25 of the Act provides a right to prevent or object to certain processing in appropriate circumstances, including where the continued processing is not justified or where the individual withdraws consent, subject to lawful exceptions.

7.4 Section 26 of the Act addresses the use of personal data for direct marketing and related promotional activity. You may object to such communications and may opt out at any time using the unsubscribe method provided or by contacting us.

7.5 Section 28 of the Act recognises rights relating to rectification, blocking, erasure and destruction of personal data where the data is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained or retained.

7.6 To exercise your rights, you may submit a written request through the contact channels stated in this Policy. We may request proof of identity and sufficient information to verify the request, protect other persons' rights and locate the relevant records.

7.7 We will assess and respond to requests within the time required by applicable law or within thirty (30) days from the date of submission of the request, where no fixed statutory period applies, within a reasonable time taking into account the complexity and sensitivity of the request.

8. How We Share Personal Data

8.1 We do not sell personal data to third parties for their own independent marketing purposes.

8.2 We may disclose personal data to service providers and processors who assist with hosting, infrastructure, cloud storage, support, communications, analytics, document processing, billing, fraud prevention, audit, legal services or other legitimate operational needs.

8.3 We may share personal data within our corporate group, including between Canine Safaris Ltd and Canine Safaris LLC, where such sharing is reasonably necessary for customer onboarding, platform administration, support, billing, finance, compliance or internal governance and is protected by confidentiality and data protection obligations.

8.4 We may disclose personal data where required by law, court order, lawful request from a competent regulator or government authority, or where disclosure is reasonably necessary to establish, exercise or defend legal claims.

8.5 We may disclose personal data in connection with a merger, acquisition, restructuring, asset sale, insolvency process or corporate reorganisation, subject to appropriate confidentiality, due diligence and transitional safeguards.

8.6 Where disclosure is based on consent, we will seek and record that consent in a manner appropriate to the context.

8.7 Our sharing practices are intended to align with the Act, its disclosure limitations and the transparency and accountability obligations that apply to data collectors, processors and controllers.

9. Data Security Measures

9.1 We implement appropriate technical and organisational measures to protect personal data against unlawful or accidental destruction, loss, alteration, unauthorised disclosure, unauthorised access or other unlawful processing.

9.2 These measures may include encryption in transit, password hashing, role-based access control, least-privilege permissions, secure authentication, logging and monitoring, vulnerability management, backup controls, vendor due diligence, staff confidentiality obligations and incident response procedures.

9.3 Sections 20 and 21 of the Act, read together with Regulations 31 and 32 of the Data Protection and Privacy Regulations, 2021, require reasonable security safeguards and processor controls. We design our controls with those obligations in mind.

9.4 Although we apply reasonable security safeguards, no method of transmission over the internet or electronic storage is completely secure. Accordingly, we cannot guarantee absolute security, but we continuously review and improve our safeguards.

9.5 Where we believe that personal data has been unlawfully accessed or acquired by an unauthorised person, we will take steps required by law, including notification obligations that may arise under section 23 of the Act and the Regulations, as applicable.

10. Retention of Personal Data

10.1 We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, including account administration, quoting, legal compliance, tax and accounting needs, dispute resolution, fraud prevention, system security, record-keeping and enforcement of agreements.

10.2 Retention periods may vary depending on the category of data, the sensitivity of the information, operational requirements, the existence of legal claims, and applicable regulatory or statutory record-keeping duties.

10.3 When personal data is no longer required, we may securely delete it, anonymise it, aggregate it for analytics, or archive it in a restricted form where continued retention is legally required or reasonably necessary.

10.4 We will consider requests for deletion or erasure in accordance with section 28 of the Act and other applicable legal obligations, recognising that certain data may need to be retained for legal, regulatory, contractual or evidentiary purposes.

11. Cross-Border Data Transfers

11.1 Quest may use technology infrastructure, service providers or affiliates located outside Uganda. As a result, personal data may in some cases be processed or stored outside Uganda.

11.2 Section 19 of the Act permits cross-border processing or storage where the destination country provides adequate protection at least equivalent to that provided under the Act, or where the data subject has consented.

11.3 Where cross-border transfer is undertaken, we will seek to ensure appropriate safeguards, which may include vendor due diligence, contractual obligations, access restrictions, confidentiality controls, security standards and transfer governance measures.

11.4 Where required, we will inform data subjects of relevant transfer arrangements through this Policy, specific notices or contractual documentation.

12. Children and Sensitive Data

12.1 The platform is intended primarily for business and professional users and is not designed for use by children.

12.2 Where personal data relating to a child is collected or processed, this will only be done in accordance with the law, including the special protections recognised by the Act.

12.3 We do not knowingly request unnecessary sensitive data. Where special-category or sensitive information is processed, we will do so only where lawful, necessary and subject to appropriate safeguards.

13. Complaints, Internal Escalation and Regulatory Enforcement

13.1 If you have concerns about how your personal data has been handled, you should first contact us using the details in section 14 below so that we may review and address the issue.

13.2 In line with guidance published by the Personal Data Protection Office (PDPO), a complainant should ordinarily first raise the complaint with the organisation concerned. If the organisation does not respond within thirty (30) days, or if the response is unsatisfactory, the complainant may escalate the matter to the PDPO.

13.3 The PDPO is the competent Ugandan authority for oversight, registration and enforcement under the Data Protection and Privacy Act. It may receive and investigate complaints concerning infringement of data subject rights or non-compliance with the Act.

13.4 Complaints to the PDPO are ordinarily made in writing using the prescribed forms under the Regulations. Current PDPO guidance also indicates that complaints may be submitted through the PDPO complaint channels, including online and email channels designated by the Office.

13.5 Nothing in this Policy limits any right a data subject may have to seek regulatory redress, legal relief or any remedy available under Ugandan law.

14. Contact Information for the Controller and Privacy Contact

14.1 Data Controller: Canine Safaris Ltd trading as Quest.

14.2 General privacy and customer contact email: quest.admin93@gmail.com

14.3 Telephone: +256 761 678 634

14.4 WhatsApp: +256 755 156 280

14.5 Data Protection Officer (DPO) / Privacy Contact: Until a separate dedicated DPO address is published, privacy requests, data subject requests and complaints may be sent to the contact email listed above and clearly marked "Data Protection Request" or "Privacy Complaint".

14.6 If a separate Data Protection Officer is formally appointed or different contact particulars are designated, this Policy may be updated accordingly.

15. Policy Updates

15.1 We may amend this Privacy Policy from time to time to reflect legal, operational, technical or business changes.

15.2 Where changes are material, we will take reasonable steps to notify affected users, including by posting the updated version on the platform, updating the effective date, sending email notice where appropriate, or using another suitable communication channel.

15.3 Continued use of the platform after the effective date of an updated Policy may constitute acknowledgement of the updated Policy to the extent permitted by law.

16. Interpretation

16.1 This Policy should be read together with our Terms of Service, onboarding notices, cookie notices, contractual terms and any specific data collection notices presented at the point of collection.

16.2 If any part of this Policy is found to be invalid or unenforceable, the remaining provisions shall continue in full force to the extent permitted by law.

16.3 This Policy is intended as a practical privacy notice and internal compliance statement. It does not limit any mandatory duty imposed by Ugandan law.

Schedule A – Practical Request and Complaint Channels

Schedule B – Legal References (for compliance context)

1. Data Protection and Privacy Act, 2019 (Uganda).
2. Data Protection and Privacy Regulations, 2021.
3. Electronic Transactions Act, 2011, where relevant to electronic notices and records.
4. Applicable guidance and complaint procedures issued by the Personal Data Protection Office (PDPO).