Privacy Policy
This Privacy Policy describes how we collect, use, store, and disclose personal data gathered through the Mcash eKYC Field Data Collection Application (the "Application"). This Application is designed for authorised field agents and officers who collect Know Your Customer (KYC) data on behalf of the Organisation.
By installing and using the Application, you (as a field agent or data subject) acknowledge and accept the practices described in this Privacy Policy. If you are a data subject whose information is being collected, you have specific rights described in this document.
Table of Contents
- 1. Interpretation and Definitions
- 2. Who This Policy Applies To
- 3. Data We Collect
- 4. Legal Basis for Processing
- 5. How We Use Collected Data
- 6. Sharing and Disclosure of Personal Data
- 7. Data Retention
- 8. Data Security
- 9. Cross-Border Data Transfers
- 10. Rights of Data Subjects
- 11. Field Agent Responsibilities
- 12. Children's Data
- 13. Changes to This Privacy Policy
- 14. Contact Us
- Schedule A — Data Categories and Retention Summary
1. Interpretation and Definitions
1.1 Interpretation
Capitalised terms have specific meanings as defined below. These definitions apply regardless of whether they appear in singular or plural form.
1.2 Definitions
- Application refers to the KYC Field Data Collection mobile application operated by the Organisation.
- Data Subject means any individual whose personal data is collected through the Application, including prospective customers, customers, or any person undergoing a KYC verification process.
- Field Agent means any authorised employee, contractor, or representative of the Organisation who uses the Application to collect data in the field.
- KYC (Know Your Customer) refers to the process of verifying the identity of clients and assessing potential risks of illegal intentions for business relationships.
- Organisation refers to the entity that owns and operates the Application, its affiliates, and authorised service providers.
- Personal Data means any information relating to an identified or identifiable natural person, including biometric data, photographs, identification documents, and location data.
- Sensitive Personal Data includes biometric data, photographs of individuals, copies of identity documents, and precise location data.
- Device means the mobile phone, tablet, or other hardware used by a Field Agent to operate the Application.
- Metadata means technical data automatically generated by or about a Device or user session, including device identifiers, OS version, timestamps, and network information.
- Usage Data refers to data automatically collected about how the Application is accessed and used.
2. Who This Policy Applies To
This Privacy Policy applies to:
- Field Agents who install and use the Application to collect data on behalf of the Organisation.
- Data Subjects whose personal information, photographs, documents, and location data are captured through the Application.
- Supervisors and administrators who access or review collected data through back-end systems.
Field Agents are responsible for informing Data Subjects of this Privacy Policy and obtaining appropriate consent before collecting any personal data.
3. Data We Collect
The Application collects the following categories of data during KYC field operations:
3.1 Personal Identification Data
- Full legal name
- Date of birth
- Nationality and country of residence
- National identification number, passport number, or other government-issued ID numbers
- Tax identification number (where applicable)
- Phone number and email address
- Physical address and residential details
3.2 Photographic and Biometric Data
- Photographs of the Data Subject's face (portrait/selfie)
- Photographs of government-issued identity documents (e.g. national ID, passport, driver's licence)
- Photographs of supporting documents (e.g. utility bills, bank statements, proof of address)
- Any other images captured as part of the KYC verification process
Note: Photographs of faces may constitute biometric data under applicable law. Such data is treated with the highest level of care and subject to additional safeguards.
3.3 Location Data
- Precise GPS coordinates at the time of each data capture event
- Address or place name associated with the capture location
- Timestamp of the location capture
- Background location may be collected while the Application is active to verify Field Agent presence and ensure geofenced compliance requirements are met
Location data is used to verify that KYC collection occurs at approved or declared locations, to prevent fraudulent remote submissions, and to maintain an accurate audit trail. You may disable location services at the device level; however, this may prevent the Application from functioning correctly.
3.4 Device and Session Metadata
The Application automatically collects the following metadata from the Field Agent's device:
- Device make, model, and operating system version
- Unique device identifier (DeviceID, UDID, or equivalent)
- Application version number
- Network type (Wi-Fi, mobile data) and IP address at time of submission
- Date, time, and duration of each data collection session
- Field Agent user account identifier and session token
- Battery level and connectivity status at time of submission (for audit integrity purposes)
3.5 Field Agent Usage Data
- Log of actions performed within the Application (e.g. form submissions, photo captures, edits)
- Error logs and crash reports
- Number and type of KYC records created, edited, or submitted per session
3.6 Textual and Form Data
- All text entered into KYC forms, including responses to due diligence questions
- Field notes or comments added by the Field Agent
- Risk categorisation or assessment inputs made during the collection process
4. Legal Basis for Processing
We process personal data on one or more of the following legal bases:
- Legal Obligation: KYC data collection is mandated by applicable anti-money laundering (AML), counter-terrorism financing (CTF), and financial regulation laws. We are legally required to collect and retain this data.
- Legitimate Interests: We collect Device metadata and location data to maintain security, prevent fraud, and ensure the integrity of field data collection operations.
- Consent: Where required by law, we obtain explicit consent from Data Subjects prior to collecting sensitive personal data, including photographs and biometric information. Field Agents are required to present consent disclosures before initiating data capture.
- Performance of a Contract: Where the KYC process forms part of an onboarding or contractual relationship with the Data Subject.
5. How We Use Collected Data
Personal data collected through the Application is used for the following purposes:
5.1 KYC Verification and Compliance
- Verifying the identity of prospective or existing customers
- Assessing compliance with AML, CTF, and applicable regulatory requirements
- Generating and maintaining KYC records as required by law
- Screening against sanctions lists, politically exposed persons (PEP) databases, and adverse media
5.2 Fraud Prevention and Security
- Cross-referencing location metadata with declared collection points to detect anomalies
- Verifying the authenticity of identity documents using automated and manual review
- Detecting and investigating suspicious patterns in data submissions
5.3 Audit and Record-Keeping
- Maintaining a complete, timestamped audit trail of all data collection events
- Recording Field Agent activity for quality assurance and supervisory review
- Supporting regulatory inspections and reporting obligations
5.4 Service Improvement and Quality Assurance
- Analysing Application performance and identifying technical issues
- Training and evaluating Field Agents based on data quality metrics
- Improving the Application's data collection workflows
6. Sharing and Disclosure of Personal Data
We do not sell personal data. We may share data in the following circumstances:
6.1 Regulatory and Government Authorities
We may disclose personal data to regulators, law enforcement agencies, financial intelligence units, or courts where required to do so by law, court order, or regulatory directive.
6.2 Authorised Service Providers
We may engage third-party processors (e.g. cloud storage providers, document verification services) who process data solely on our behalf and under strict data processing agreements. These providers are prohibited from using the data for their own purposes.
6.3 Within the Organisation
Collected data is accessible to authorised internal personnel, including compliance officers, risk analysts, supervisors, and IT administrators, on a need-to-know basis.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. Affected Data Subjects will be notified as required by applicable law.
6.5 With Data Subject Consent
We may share personal data with third parties for purposes beyond those stated above where the Data Subject has given explicit, informed consent.
7. Data Retention
We retain personal data for as long as necessary to fulfil the purposes described in this Policy and to comply with applicable legal and regulatory requirements. This includes, among others, KYC records (including photographs and document images), location and session metadata (for audit and fraud prevention purposes), device metadata and usage logs, and Field Agent activity logs.
Specific retention periods for each category of personal data are set out in Schedule A (Data Retention Schedule) to this Policy and are determined in accordance with applicable laws, including the National Payment Systems Act, 2020, the Data Protection and Privacy Act, 2019, KYC and AML requirements, and our internal data retention policies.
8. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
- End-to-end encryption of data transmitted from the Application to our servers
- Encryption of data stored on the Device while awaiting upload
- Role-based access controls limiting who can view and process collected data
- Mandatory authentication (PIN, biometric, or multi-factor) for Field Agent login
- Automatic session timeouts and remote wipe capability for lost or stolen devices
- Regular security audits and penetration testing of the application infrastructure
- Secure deletion protocols for data removal upon retention expiry
No method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially reasonable means to protect your data, we cannot guarantee absolute security. Any suspected data breach will be reported to the relevant supervisory authority and affected individuals as required by applicable law.
9. Cross-Border Data Transfers
Personal data collected through the Application may be transferred to and processed in countries other than the country of collection. Such transfers will only take place where:
- The destination country provides an adequate level of data protection as recognised by applicable law
- Appropriate safeguards are in place, such as standard contractual clauses or binding corporate rules
- The transfer is necessary for the performance of a contract or compliance with a legal obligation
10. Rights of Data Subjects
Where permitted by applicable law, Data Subjects have the following rights regarding their personal data:
- Right of Access: to request a copy of the personal data we hold about you
- Right to Rectification: to request correction of inaccurate or incomplete data
- Right to Erasure: to request deletion of your personal data, subject to our legal retention obligations
- Right to Restriction: to request that we limit how we use your data in certain circumstances
- Right to Object: to object to processing based on legitimate interests
- Right to Data Portability: to receive your personal data in a structured, commonly used, machine-readable format
- Right to Withdraw Consent: where processing is based on consent, to withdraw consent at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us using the details in Section 14. We will respond to all requests within thirty (30) days. Certain rights may be limited where we have overriding legal obligations to retain or process the data.
11. Field Agent Responsibilities
Field Agents using the Application are required to:
- Inform Data Subjects of the purpose of data collection and their rights before capturing any data
- Obtain and record explicit consent from Data Subjects prior to photographing them or their documents
- Only collect data that is relevant and necessary for the KYC process
- Not use the Application for personal purposes or share login credentials
- Report any suspected data breach, device loss, or security incident to the Organisation immediately
- Comply with all applicable data protection laws and the Organisation's internal data handling policies
- Not retain copies of KYC data outside of the Application or approved systems
Failure to comply with these obligations may result in disciplinary action and/or legal consequences.
12. Children's Data
The Application is not intended to be used to collect the personal data of individuals under the age of 18 without the consent of a parent or legal guardian. Where the KYC process requires the collection of data involving a minor, Field Agents must obtain written consent from the minor's parent or guardian and record this within the Application before proceeding.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The updated Policy will be published within the Application and on our website. Where changes are material, we will notify Field Agents through in-app notification and notify affected Data Subjects as required by law. The date at the top of this document reflects when the Policy was last revised.
Continued use of the Application after an updated Policy is published constitutes acceptance of the revised terms.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection Officer:
- Email: info@mcash.ug
- Phone: +256 414233799
- Address: M-Cash Uganda Limited, Plot 7 Lourdel Road, Nakasero, Kampala, Uganda
Data subjects who believe their rights have not been adequately addressed may lodge a complaint with our data protection officer using the details provided above.
Schedule A — Data Categories and Retention Summary
| Data Category | Purpose | Retention Period |
|---|---|---|
| Personal ID Data | KYC verification, compliance | 10 years |
| Photographs & Documents | Identity verification, audit | 10 years |
| Location Data | Fraud prevention, audit trail | 10 years |
| Device Metadata | Security, session integrity | 10 years |
| Agent Usage Logs | Audit, quality assurance | 10 years |
| Textual Form Data | KYC assessment, compliance | 10 years |
This document is intended for internal and regulatory purposes. Unauthorised reproduction or distribution is prohibited.