Privacy Policy

Last updated: May 2024

Authors: IT & Data Manager

Next date for review: May 2025

About this policy

This is a publicly available document, intended to inform and reassure anyone interested or concerned regarding Viva! Uganda’s handling of personal data, as well as forming the basis of the organisation’s internal procedures.

The Policy covers all of Viva! Uganda’s work and activities, as far as they relate to individual people with whom we have contact. For the purposes of this document, ‘personal data’ means anything which could be used to identify a specific individual, either on its own or in conjunction with other information.

Policy overview

Viva! Uganda acknowledges that information about a person should be controlled by that person, and only used for purposes which are understood and agreed with them. We take the security of everyone’s data very seriously and do our utmost to protect it. You have the right to know what information we hold about you, to correct it if it is wrong, to ask us to delete it for any reason, and to question or object to what we do with your data (either to us directly or to our supervisory authority).

The Personal Data Protection and Privacy Act, 2013 describes a data controller as a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed.

Further details about your legal rights are included in Appendix 2 of this document.

If you would like to exercise any of these rights, discuss what we do with your data or request a paper copy of this policy, you can contact us here:

  • Email info@viva.ug
  • Kira Road Kyaliwajala, (Opposite Total Fuel Station) – PLOTM1493, BLOCK 222P.O. Box 116633 – Kampala, Uganda
  • Call us on +256 787 691143.

The responsible member of Viva! Uganda staff who oversees our data practices and usage is Samuel Galiwango sam@viva.ug. He can be contacted using the methods listed above.

Policy review process

Viva! Uganda’s Privacy Policy is under continuous review, and it’s formally updated at least once per year.

We assess any changes necessary in order to for us meet legal and other regulatory requirements, to reflect changes in our own activities, and to make sure that the document is as complete and easily-understood as possible.

If we need to change how we handle personal information, this published policy will be updated and the changes will be notified promptly by the most appropriate methods. This may include updates to our websites, social media notices, and in some cases personal communication by email and/or post.

What does Viva! Uganda know about you?

We only hold data about you that you have voluntarily given to us, except in very specific circumstances. This means that we collect the information you provide when you sign up to our mailing lists or websites, donate to us, sign a petition, purchase goods from us, or otherwise contact us. We also collect information if you set up a fundraising page with one of our fundraising service suppliers.

We do not solicit or obtain personal data from any other organisation, and we don’t infer or interpolate knowledge about your circumstances, location or relationships through any other source.

In addition to the data we collect, we also generate some data about you. This means that we’ll know when you’ve opened an email from us or clicked on a link in an email. We’ll also store information about donations and purchases you make, consents that you have given to us, and communications such as general enquiries and orders for resources such as leaflets.

How long do we store this data for, and how exactly do we get it?

When you give us your data, we will usually keep it for three full years from the date of your last interaction with Viva! Uganda, unless we’re legally required to keep your data for a specific reason.

These are the most common ways in which we obtain personal data:

When you make a donation: 

If you give us a one-off donation and never contact us again, your data will be kept for a maximum of ten years.

f you continue to make donations to us, maintain a regular subscription, or otherwise stay in touch with Viva! Uganda we will keep your data until you tell us not to, or until three years from your last recorded interaction with us.

When you sign a petition: 

If your only contact with Viva! Uganda is where you have signed a petition and you did not agree to further contact from us, we will delete your details after we have submitted the petition to the relevant organisation. If you also consented to further contact from us, please see ‘When you sign up to receive emails’, below.

When you sign up to receive emails: 

If you have signed up to receive email updates and newsletters from us, we will continue to send them until you tell us not to. You can opt out of this service at any time by unsubscribing or changing your preferences, or by contacting us. If you don’t open any emails from us for more than a year, we may assume that you’re no longer interested and remove your contact details from the subscriber list.

When you order information leaflets, campaign materials or other resources: 

We will keep your data for ten years following your last order (or other interaction with Viva! Uganda).

When you contact us on behalf of a child or give consent in a guardian capacity: 

We will keep details for both of you, and a record of your consent, until the child turns 18 years old (this is why we ask for a date of birth). If you are asked for consent, but do not provide it within a month, we will remove these details. Your details will not be used for any other purpose, unless you have other contact with Viva! Uganda.

When you include a bequest to Viva! Uganda in your Will: 

Information given to us about you and your legacies will be kept indefinitely. Following your death and the discharge of your instructions, we will securely store a record of your bequest unless an executor or your family members ask us to remove it.

If you are a public contact or represent an organisation: 

If you’ve given us contact details for us to make them publicly available, for example to publicise fundraising work, or as a professional to whom we can refer contacts, this information will only be released to the extent to which you’ve consented. We will also check with you periodically to make sure that you’re still happy for your details to be passed on in that way.

If you supply contact information as part of your role within another organisation or company, we will only use it for that purpose. Communications with you will be regarded as being with the organisation, rather than in a personal capacity. Email addresses, for example, will not be regarded as personal identifiers for the purposes of this policy, but will be removed on request.

When you apply for a job with us: 

We’ll keep your information for six months from the date you’re informed of the result of your application (if unsuccessful). If you come to work with us, we are legally obliged to keep your information for six years following the termination of your employment.

When we receive your information through third parties: 

We may receive information about you from one of our fundraising partners (such as Facebook) acting on our behalf, when you set up a fundraising page on their site, or when you agree to allow them to share that information with us. If you have set up a fundraising page, we may be able to access your name and address, contact details and the amount of money you have raised. If we collect your information in this way, we will contact you within a reasonable period and give you the opportunity to opt out of us storing and using your information. We may use these details to contact you about your fundraising (ie to offer helpful publicity, or to say thank you!) store them, or include them in our review of supporters’ activity. We won’t use them for any other purpose, unless you have made other contact with us directly.

When we connect with you on social media: 

If you communicate with Viva! Uganda by social media, Viva! Uganda will not record or store any information about you outside of that social media platform unless you give it to us directly (ie by passing your email address or phone number to us via direct messaging) or you give your consent. Information that you store or transfer on a social media platform is subject to each provider’s own privacy policy.

Maintaining data accuracy

We have a responsibility to ensure personal data is up-to-date and accurate, and it’s not in our interest to hold or use false information. We encourage supporters and other contacts to inform us of changes of address etc, but realise this may not be a priority or convenient in many cases.

If it’s clear that certain details we hold are incorrect, for instance an incomplete or invalid postcode, we may use publicly available tools to correct them, to maintain the integrity of your data. We’ll never use such methods to collect additional information – if you’ve chosen not to supply your address, we won’t try to find it anywhere else. We may contact you directly to verify such corrections.

We may also use internal ‘data-matching’ in some circumstances to make sure the data we hold is complete, accurate and as up-to-date as possible, and to reduce the duplication of records. For instance, if you provide name and email address which clearly matches an existing contact record, we’ll assume that you’re the same individual and update postal address or other details accordingly, rather than create a new separate record.

How do we use the personal data we hold?

We use the information we have about you to perform actions that you have requested of us (such as fulfilling an order or sending you emails), to keep track of how you interact with Viva! Uganda so that we can send you relevant communications, to record your consent to certain activities, and to review the effectiveness of our campaigning and our other charitable functions.

This means that we will review the information that you give us, and the information that we generate, so that we can decide how best to allocate our resources and to send you messages which are most relevant to you. We may use your donation history and location to send you specific communications about campaigns, or details of events in your area. If you don’t wish us to use your data this way, you can opt out at any time by contacting us.

The data that we review or generate will only be used to promote the interests of Viva! directly. We will never share this information with another organisation, including charities and pressure groups, outside of our trusted service providers, without your explicit consent.

How do we use children’s information?

You have to be at least 11 years of age to use our services directly. If you want to order materials, make a gift or sign up to information for a child under 11, we advise that you sign up on their behalf with your own contact details, and only pass on the information you believe is appropriate.

We’re keen to engage with young people but care about protecting them, and we want to ensure that what we do with their data is proportional, appropriate, and clearly understood. This means that we won’t send fundraising requests to people who we know are children. If a child you know receives content which you do not think is appropriate for their age, please get in touch with us to let us know. We may not be aware that they are under 18.

We do analyse children’s data alongside adults’ data. But this processing is only to help us work out how people are using our services and to ensure that we use our charity’s resources as efficiently as possible. No decisions or inferences will be made about the child as a result, and the processing will not materially affect them.

When a child reaches 18, we will contact them to ask if they consent to us continuing to contact them. If they no longer wish to be contacted, they have the option to have all of the information that we hold on them deleted (see Right to be Forgotten in Appendix 2).

See also Appendix 1 below, describing the lawful bases for how and why we process personal information.

How may we contact you? Will we send you post?

If you join Viva! Uganda, make regular donations or subscription payments, we have determined that we have a legitimate interest to send you post through your implied engagement and support for our charitable aims.

This post could include appeals, letters or updates about Viva! Uganda’s activities.

Will we send you emails?

At Viva! Uganda, we make a distinction between ‘marketing emails’ and ‘transactional emails’.

Marketing emails are emails that we send to you and a large group of other people, or which are automated, from our mailing list. These emails may include our regular newsletters, fundraising emails and campaign updates (among other things). We will only send these if you have asked us to, and you can withdraw your consent at any time.

Transactional emails are communications about specific actions you have taken or where we need to communicate something that is specific to you. These could include (but are not limited to): receipts for purchases or donations, order updates, queries about an order, renewal reminders or any other enquiry that specifically relates to you. Transactional emails are often required (like receipts), automatic (like delivery updates or order confirmations) or from individuals (such as a Viva! Uganda staff member) and are often sent to you by our service providers (such as payment processors) rather than directly from Viva! Uganda. In most cases, we have an obligation to send these communications – or a legitimate reason to believe you are happy to receive them.

Occasionally, we may need to send an update about this policy to a large section of our contacts who have not specifically consented to be added to our emailing list. In these cases, we will ensure that their contact details are used for this purpose only.

Will we phone you?

Viva! never do telephone fundraising and we do not employ external fundraisers to do so on our behalf. If you give us your phone number, we will only use it to contact you about specific issues with donations or purchases, or to respond to queries where you have asked us to phone you.

Do we share your information with anyone?

We share the data that you provide with our trusted suppliers only where we need to, in order to perform our work as a charity. This could include:

  • Sharing your name and address with our mailing house and delivery services, in order to send you post. This is never retained longer than necessary to carry out each particular task.
  • Sharing your email address, name and postcode with our email provider, in addition to your mailing preferences, in order to send you messages.
  • Using secure payment processors and banks to process donations (eg PayPal).
  • Using hosted accountancy software to keep financial records.
  • Sending limited signatory details for online petitions to the receiving organisation.

Some of our suppliers, such as our email provider, help us to generate information about you. Like all payment processors, ours will perform checks on payments made to detect potential fraud and analysis on the usage of their services.

We don’t share information with other organisations for their marketing or fundraising purposes, and we will never do this without publicising a change of policy and obtaining your explicit consent first.

What safeguards do we use when sharing your information?

Third party organisations who require access to personal data to carry out tasks on our behalf certify to us that they comply fully with relevant legislation and codes of practice; and declare that they will not use this information for any other purpose. We hold documentation to that effect from each of them, and this is regularly reviewed and updated as necessary in line with current regulations including GDPR.

Additionally, we only use highly reputable suppliers who demonstrate a strong focus on data security and robust security practices. Some of our suppliers may transfer information about you to countries which are not designated ‘safe’ countries for EU/EEA data (ie ‘third countries’), but always with appropriate safeguards in place (such as the EU-U.S. Privacy Shield arrangement or Model Contract Clauses) which protect individuals’ data and rights to the applicable legal standards. All of our payment processors are compliant with the PCI DSS official standard for handling payment details.

Our websites utilise a number of third-party services, including from Google and Meta (Facebook), to improve their performance, help with marketing analysis, and provide a more effective and relevant user experience. Some personal but largely technical data is collected by us and is handled according to the principles in this document. You should also be aware that those service providers will also gather and retain information about our site visitors for their own purposes, beyond our control. For further information, see Appendix 3 to this document.

How do we protect your data?

Viva! Uganda takes the care of your personal information seriously and ensures there are appropriate technical controls in place to protect them. For obvious reasons, those details aren’t disclosed publicly but include providing training for staff and volunteers who are responsible for handling your data. For electronic records, we use certified secure storage & encryption methods, Transport Layer Security (TLS) and firewalls, and a small number of carefully selected external organisations. Any paper records which include personal data are securely stored, and regularly reviewed to destroy or permanently redact those details as appropriate. Viva! Uganda holds no sensitive financial information such as banking details, and processes all card payments securely in accordance with Payment Card Industry (PCI) Security Standard legislation.

What happens when we stop holding your data?

When we no longer have good reason to retain your data according to the timescales described here, or if at any point you request us to remove or delete your data (erasure), you should be aware that it is only the information that relates to you personally, or which could be used to identify you, that will be removed. In most cases, this means thoroughly ‘anonymising’ our records rather than fully deleting them. For instance, knowing the values, dates and circumstances of donations received continues to be important to us. We have obligations regarding financial record keeping, and we need to know how particular fundraising appeals and campaigns perform over time to inform future decision-making.

In practice, this means that your ‘contact’ record and its activity history is retained, but your name, address, email, and any other identifying data is removed and replaced with ‘anonymous’ placeholders. A regular synchronising process then also updates any data backups to cleanse those as well, preventing your data being retrieved or restored in error. You will no longer be identifiable from the information Viva! Uganda holds anywhere, and it cannot be connected with you personally. If applicable, we will also delete records of correspondence and any email communications, including your request for deletion.

Note also that should you choose to re-engage with us at any point in the future, an entirely new set of data will be generated. We will have no way of linking your new activity to what you’ve done previously – this includes communication preferences or other specifics such as membership status and history.

APPENDIX 1: Lawful bases for processing

Under general data protection regulations (GDPR), we must let you know what the ‘lawful basis’ is for each way that we process your data. ‘Processing’ includes storing, sharing or analysing your data, as well as using it to contact you.

Viva! Uganda justifies processing your data using one or more of the following bases:

  • Consent
  • Legitimate Interest
  • Fulfilment of Contract
  • Legal Obligation

In addition, some parts of our processes may involve dealing with ‘Special Category Data’, which is sensitive information about you. The justifications we will use for processing this information are:

  • Consent
  • For the Purpose of Employment
  • As a Charitable Organisation
  • Where information has been made public
ActivityLawful Basis
Collecting information you give to usConsent
Storing information you give usLegitimate Interest
Allowing payment processors to process paymentsFulfilment of Contract or Legal Obligation
Sharing information with other trusted service providersLegitimate Interest
Sharing your contact details with our email provider (when you have asked us to email you)Fulfilment of Contract
Sharing your contact details with our email provider (to send you updates about this policy)Legal Obligation
Sending you items when you ‘join’Fulfilment of Contract
Sending you updates about adoptionsFulfilment of Contract
Sending you all post when you give regular donationsLegitimate Interest
Storing donation records for required periodLegal Obligation
Generating data about how you interact with usLegitimate Interest
Analysing / reviewing how you interact with usLegitimate Interest
Sharing your contact details with our mailing houseLegitimate Interest
Storing and using information about you supporting Viva! UgandaLegitimate Interest
Administering job applications and employment recordsLegal Obligation, For the Purpose of Employment
Contacting you about your data and how we use itLegal Obligation

APPENDIX 2: Your rights

You have the right to withdraw your consent at any time, to correct or view any information that we hold about you, ask us to delete that information, or to object to how we use it.

Right to be informed

You have the right to be informed about how we use your data in a concise, transparent and easily-intelligible way. We will usually provide this information to you by providing privacy notices alongside this policy, where appropriate, when you give us your data. If you would like a copy of this policy, you can either download this page or contact us to request a paper copy.

Right to access and correction

You have the right to access the data that we hold on you and to confirm that your data is being processed by us. You also have the right to have your information corrected if it is wrong. If you would like to request information from us or correct any data that we hold about you, please contact us.

Right to restrict processing

If you are unhappy about how we are processing your data, you have the right to place specific limits on how we handle the information that we hold on you, in certain circumstances. If you would like to restrict processing, please contact us.

Right to data portability

If you’d like to transfer the information that we hold on you to another organisation, or to receive it in a standardised form (‘comma-separated’ or plain text) that can be read and imported by most data systems, contact us to request a copy of your data. Please allow up to 28 days for us to fulfil such a request.
(These request results will only be issued via a previously verified means, such as a known email address. Otherwise, we may request additional proof of identity before proceeding).

Right to erasure (or to ‘be forgotten’)

You have the right to request that we delete all of the information that we hold on you, but there are some cases in which we will not be able to delete your information. This could include when you have previously given a consent for Gift Aid claims, for which our legal obligation to keep records has not expired. In these cases, we will comply with your request as far as possible, and make sure to let you know what we cannot delete.

If you would like to exercise your right to erasure, please contact us.

Right to object

You have the right to object to any processing of your information which is based on legitimate interests, direct marketing or profiling (automated decision-making). You also have the right to object to your data being processed by us for the purposes of scientific, historical or statistical research.

If you object to us using your information for the purposes of direct marketing (ie postal or email campaigns and appeals), we will ensure that we do not contact you further for those purposes.

You can also object to processing for which we have legitimate interest. If you do object to our processing of your data for this purpose, we will do our best to comply with your wishes. However, in some circumstances, we may not be able to stop the processing entirely.

If you wish to object to processing of any kind, you can contact us to let us know.

APPENDIX 3: Our Websites and Your Data

Cookies

We use cookies on our websites to help us perform actions that you have requested (such as an online purchase, saving items in your ‘cart’, making a donation or logging in), to make the site run more smoothly and to track how our sites are used. Social media websites like Facebook and Twitter also place cookies on your device when you visit our site. To find out more about cookies and to manage your preferences, visit https://viva.ug/cookie-policy/.

Google Services

When you use our websites, certain information about how you use our site, your device and general location information will be stored and tracked by our third party supplier, Google.

Although Google is our supplier in this respect, we do not have control over all the data that they collect and store about you for their own purposes, derived from your own actions on your own device. We’re presenting these details here for information only – if you’re concerned about the information that Google holds about you, you can view their privacy policy here or update your privacy settings via this page.

Google Analytics and Analytics Advertiser

Like most organisations, we use Google Analytics to find out how our website is used so that we can make improvements and track the success of campaigns. Although we can view the activity of individual users on our websites, we have no way of identifying them personally. Analytics Advertiser features help us better understand visitors’ demographics, interests and behaviour on our sites via anonymised data, in conjunction with cookies and other identifiers. This enables us to improve the overall user experience on our website.

Google AdWords

We use Google AdWords to see which pages led to our users submitting contact forms to us, allowing us to create a more effective marketing campaign and make better use of our marketing budget.

Captcha

Our websites use Google reCAPTCHA v.2 to verify genuine user activity, support security and avoid spam & automated bot processes. Such measures are a legal obligation, representing a legitimate interest. Information regarding the user’s hardware and software is collected by Google and used for integrity checks. According to Google’s Privacy Policy, it will not be used by them for personalised advertising, but tracking cookies may be created with a lifetime up to 24 months.

Google Maps

We use the mapping service Google Maps to provide users with relevant, local information (a legitimate interest under GDPR). Location details, including user IP address, are transferred to Google, who may analyse and use it for their own purposes including on their servers in the USA. Standard (GDPR) Contractual Clauses are applied to ensure adequate levels of data protection in this case.

Google Tag Manager

Our website uses Tag Manager to allow web page tracking tags to be managed through an interface (a legitimate interest). Tag Manager itself does not access your data and does not create cookies. It does however trigger other tags, which may in turn lead to Google collecting data if necessary. This may be held on their servers in the USA. Standard (GDPR) Contractual Clauses are applied to ensure adequate levels of data protection in this case.

YouTube

YouTube videos are integrated into our website, playable directly from within our pages. No data about you as a user is transmitted to YouTube unless you click to start playing them. When you do start to play a video, information is passed to YouTube via your browser, based on whether you are logged in with a Google account, and may be used to build a user profile for purposes of advertising and research (we have no control or influence over this data transfer). You have the right to object to such processing by contacting YouTube directly. Further information is available from YouTube’s published Privacy Policy.

Facebook and Meta

Facebook Pixel and Custom Audiences

Our website uses the Facebook ‘Pixel’ method and Conversions API of the Facebook social network to generate Custom Audiences for advertising purposes. This enables us to identify a relevant audience on that platform and present appropriate advertisements, on Facebook and other sites, making Viva! and our activities more interesting and engaging for more people. We can track the effectiveness of these ads for statistical and market research purposes, by identifying users who visit our website after clicking the ad.

Facebook will also record your actions, and may use the information for their own purposes including assigning data to your Facebook account, if you’re currently logged in. This processing is carried out solely within the framework of Facebook’s data policy and is beyond Viva!’s control. Further information can be found in the Facebook help area.

Our respective responsibilities regarding this joint data control under GDPR are set out in this agreement: https://www.facebook.com/legal/controller_addendum

Meta Apps

For users of our Virtual Reality services including Viva! FaceOff, no additional personal or user data is collected by Viva!. Meta may collect data for statistical analysis purposes as outlined in their Privacy Policy. Users may request deletion of any such data by contacting Meta directly.

As well as the above, please bear in mind that your chosen browser supplier, search engine, email provider etc. may gather, retain and process data relating to your online interactions with Viva!. If you have concerns about this, you should contact those organisations directly.