Privacy Policy
Contents
1. Introduction
Pangisa ("we", "us", or "our") is committed to protecting the personal data of everyone who uses our platform. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have over it.
This policy is prepared in compliance with the Data Protection and Privacy Act, 2019 (DPPA) of Uganda and is consistent with the principles of the East African Community Framework on Cyber Laws. It applies to all users of the Pangisa platform, including landlords who register accounts and tenants who access the self-service portal.
By using Pangisa you acknowledge that you have read and understood this policy. If you do not agree with how we handle personal data, you should not use the platform.
2. Data Controller
Pangisa acts as the data controller for personal data provided by landlords during registration and for usage data generated by interaction with the platform.
For tenant data entered by a landlord, the landlord is the data controller and Pangisa acts as the data processor on the landlord's behalf. See Section 7 for details.
Contact: hello@pangisa.com · Kampala, Uganda
3. Data We Collect
We collect the following categories of personal data:
Account data (provided by you at registration):
- Full name, email address, and phone number
- National Identification Number (NIN) or passport number
- Physical address
- Mobile money number and provider (optional)
Property and tenancy data (entered by you):
- Property names, addresses, and unit details
- Tenant names, contact information, and identification numbers
- Lease terms, deposit amounts, and rent payment records
- Move-in and move-out inspection records
- Expense records related to your properties
Usage data (collected automatically):
- Login timestamps and session duration
- Features accessed and actions performed within the platform
- IP address and browser/device type
Communication data:
- Emails exchanged with our support team
- Content of any feedback or enquiries you submit
We do not collect payment card numbers. Billing is handled directly by Pesapal, which has its own privacy policy.
4. Legal Basis for Processing
Under the Data Protection and Privacy Act, 2019 (Section 14), we process your personal data on the following legal bases:
- Contract. Processing your account data and property records is necessary to provide the service you have contracted with us for.
- Consent. Where we process data beyond what is strictly necessary to deliver the service — for example, to send product updates — we rely on your explicit consent, which you may withdraw at any time.
- Legitimate interest. We process usage data and technical logs to maintain security, improve the platform, and prevent fraud, where these interests are not overridden by your fundamental rights and freedoms.
- Legal obligation. We may process or retain data where required by Ugandan law, for example in response to a lawful order from a competent authority.
5. How We Use Your Data
We use the data we collect to:
- Create and manage your Pangisa account;
- Provide, maintain, and improve the platform's features;
- Process your subscription and send billing receipts;
- Generate reports, summaries, and AI-assisted documents you request;
- Send transactional emails (password resets, receipts, account notices);
- Provide customer support;
- Detect, prevent, and investigate fraud, security incidents, and platform abuse;
- Comply with applicable Ugandan law and respond to lawful requests from public authorities; and
- With your consent, send product updates and feature announcements (you may opt out at any time).
We do not sell your personal data to third parties and we do not use your data for targeted advertising.
6. Sharing Your Data
We share personal data only in the following limited circumstances:
- Service providers. We share data with trusted third-party processors who help us operate the platform, including cloud hosting providers, email delivery services, and Pesapal for billing. All processors are contractually required to handle data in accordance with the DPPA and to process it only on our documented instructions.
- Legal requirements. We may disclose data where required by Ugandan law, a court order, or a request from a government authority with lawful jurisdiction, including the National Information Technology Authority — Uganda (NITA-U).
- Business transfer. If Pangisa is acquired or merged with another entity, your data may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.
We will never sell, rent, or trade your personal data with third parties for their own marketing purposes.
7. Tenant Data
Personal data that landlords enter about their tenants is processed by Pangisa solely on the landlord's instructions. Landlords are the data controllers for this information and are responsible for ensuring they have a lawful basis for collecting it and that tenants are informed of how their data is managed.
Tenant self-service portals are accessed via a private, token-based URL. We do not require tenants to create accounts or submit personal data directly to us. Tenants may contact the landlord to exercise their rights under the DPPA.
If we receive a direct rights request from a tenant (for example, a request for erasure), we will forward it to the relevant landlord for action.
8. Data Retention
We retain your personal data for as long as your account is active. If you close your account, we will delete or anonymise your personal data within 30 days, subject to the following exceptions:
- Billing and transaction records, which we retain for 7 years in accordance with Ugandan tax and financial record-keeping requirements;
- Data we are required to retain by a court order or applicable law; and
- Anonymised, aggregated usage statistics that do not identify any individual.
You may request the deletion of specific data at any time (see Section 9), and we will comply unless a legal retention obligation applies.
9. Your Rights
Under the Data Protection and Privacy Act, 2019, you have the following rights regarding your personal data:
- Right of access. You may request a copy of the personal data we hold about you.
- Right to rectification. You may request that we correct inaccurate or incomplete data.
- Right to erasure. You may request that we delete your personal data, subject to legal retention requirements.
- Right to data portability. You may request your data in a structured, commonly used, machine-readable format.
- Right to object. You may object to processing based on legitimate interest or to receiving marketing communications.
- Right to withdraw consent. Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to restrict processing. You may request that we limit how we use your data in certain circumstances.
To exercise any of these rights, contact us at hello@pangisa.com. We will respond within 21 days as required by the DPPA. We may ask you to verify your identity before processing your request.
You also have the right to lodge a complaint with the National Information Technology Authority — Uganda (NITA-U), the designated data protection authority in Uganda.
10. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted data transmission (HTTPS), access controls, and regular security reviews.
No method of transmission over the internet is completely secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and NITA-U within the timeframe required by the DPPA.
11. Cookies
Pangisa uses session cookies that are strictly necessary to keep you logged in and to protect forms against cross-site request forgery (CSRF). These cookies are not used for tracking or advertising.
We do not use third-party analytics cookies or advertising pixels. If this changes, we will update this policy and seek your consent where required.
12. Children
Pangisa is not directed at persons under the age of 18. We do not knowingly collect personal data from children. If we become aware that we hold data about a child without verifiable parental consent, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the platform at least 14 days before the changes take effect. The "Effective date" at the top of this page indicates when the policy was last revised. Your continued use of Pangisa after the effective date constitutes your acceptance of the updated policy.
14. Contact and Complaints
For any questions or requests regarding this Privacy Policy or your personal data:
- Email: hello@pangisa.com
- Address: Kampala, Uganda
If you believe your data protection rights have been violated and we have not resolved your concern to your satisfaction, you may lodge a complaint with:
- National Information Technology Authority — Uganda (NITA-U)
Data Protection Office, Kampala, Uganda
Website: nita.go.ug