We will gather your personal data only to the extent necessary to fulfill the objectives outlined in this
privacy statement. Your personal information is collected with your awareness and consent, except in
situations where obtaining prior consent is impractical and the data processing is legally permissible. The
scenarios where we may collect your personal data include:
- i. We may collect information from you when you register on our various platforms which include Internet
banking portal, Mobile App, Rapid Transfer, Personal banking channels, WhatsApp.
- ii. We may collect information from you when you register on our Internet Banking portal.
- iii. We may collect information from you when you open an account with us, visit our banking premises or
get contracted with us.
- iv. We collect information about you based on your use of our products, services, or service channels
(like our websites, applications, ATMs).
- v. In certain circumstances, we collect information about you where you do not have a direct
relationship with us, for example if you are a beneficiary of transfer of funds made by our customer.
- vi. We may collect information from you when you register and use our mobile applications. It is important
to note that the mobile application has been developed to offer verification via your biometrics and that
the bank does not process the biometric data. The biometric data is retained in your device.
- vii. For debit card onboarding, we may collect debit card number and PIN from you and collect other
personal information from our core banking system as part of your profile creation in the mobile app.
- viii. For internet banking onboarding, we collect username and password from you and collect other
personal information from our core banking system as part of the profile creation.
- ix. For Xpress account onboarding we may collect your name, e‐mail address, phone number, date of birth,
gender, residential address, ID number, device ID, and device location.
- x. We may collect information from you when you register on our channels.
- xi. We may collect your name, e‐mail address, phone number, date of birth, gender, residential address, ID
number, device ID, and device location (when onboarding on our Xpress Account service).
- xii. We may collect information from you when you register on our Rapid transfer App.
- xiii. We may collect, amongst others, your name, e‐mail address, phone number, date of birth, nationality,
gender, residential address, identity (ID) number, copy of your ID and a photograph, biometric data, device
ID, device location, and details of your Debit/Credit/Prepaid Card.
- xiv. We collect information about you based on your use of our products, services, or service channels
(like our websites, applications, ATMs).
- xv. To create a Rapid transfer Profile, we collect and process your Debit/Credit/Prepaid Card information
such as the Card PAN, Expiry Date, Card Currency, Name on Card and Card Billing Address.
- xvi. We may collect information from you when you register on our chatbot. We may collect your name,
e‐mail address, phone number, date of birth, gender, residential address, ID number, device ID, and device
location.
- xvii. When onboarding on our Xpress Account service, we may also collect information about you from your
social media profile.
- xviii. We may collect information identifiers and information such as IP address, browser version,
operating system, and software data. When we collect information about you from your profile on social
media, the privacy notice between you and the social media sites shall apply.
- xix. We collect information from devices such as mobile phones and tablets about how you interact with our
services and those of our third-party partners and information that allows us to recognize and associate
your activity across devices and services. This information includes device specific identifiers and
information such as IP address, cookie information, mobile device and advertising identifiers, browser
version, operating system type and version, mobile network information, device settings, and software data.
- xx. In certain circumstances, we collect information about you where you do not have a direct
relationship with us, for example if you are a beneficiary of transfer of funds made by our customer.
Why Does Ecobank Need to Collect and Store Personal Data?
We need to collect your personal data for us to provide you with our services as mentioned in clause 7
below. In any event, we are committed to ensuring that the information we collect and use is appropriate
for these purposes only and will in no way invade your privacy. If there is a need to use your personal
data for marketing purposes, Ecobank will seek additional consent from you.
How Will Ecobank Use the Personal Data It Collects About Me?
The general purposes for which we collect and process your personal information include, but are not
limited to reasons captured in the table below:
| What we use your information for | The legal basis for doing so |
| --- | --- |
| Creating and maintaining a record of you on our system as a customer, supplier, director, next of kin, employee or visitor | - We need to fulfill our obligations under our agreement with you or establish a new agreement.<br>- It is in our legitimate interests to ensure proper management of records. |
| To provide, manage and personalize our services to you. | - We need to fulfill our obligations under our agreement with you or establish a new agreement.<br>- We are required to comply with legal and regulatory obligations.<br>- It is in our legitimate interests to ensure proper management of customer accounts, deliver high-quality service, safeguard our business, and protect the interests of our customers. |
| To communicate with you about our product or service, for legal, regulatory and servicing purposes. | - We need to fulfill our obligations under our agreement with you or establish a new agreement.<br>- We are required to comply with legal and regulatory obligations. |
| To assist you if you are in a vulnerable situation, which may involve adding a marker to your account to indicate the need for additional support. | - It is in our legitimate interests to make sure we are providing products and services that meet customers’ needs and our regulatory obligations.<br>- We have your permission.<br>- If we are using sensitive personal information (such as medical information), we have your permission, or it is in the public interest. |
| To handle complaints, resolve issues (such as processing refunds), and respond to inquiries, thereby enhancing our service. | - It is necessary to keep to our agreement with you or to enter into an agreement with you.<br>- We are required to comply with legal and regulatory obligations.<br>- It is in our legitimate interests to ensure thorough investigation of complaints to help prevent similar issues from occurring in the future. |
| To review your instructions, analyze and improve our services, assess performance, and conduct staff training. (We may monitor or record communications, including phone calls, to ensure quality and for these purposes.) | - We are required to comply with legal and regulatory obligations.<br>- It is in our legitimate interests to enhance our systems, train our employees, and deliver excellent service. |
| To enhance our products and services by analyzing your information, including incoming transactions, spending habits, and how you interact with our offerings. This includes for historical, statistical, or research purposes. | - It is necessary to keep to our agreement with you or to enter into an agreement with you.<br>- It is in our legitimate interests to improve our products and services to align with customer needs and preferences, ensuring we stay competitive in the industry. |
| To perform checks to safeguard your money and personal information, detect and prevent fraud or money laundering, and verify your identity before offering services. | - It is necessary to keep to our agreement with you or to enter into an agreement with you.<br>- We are required to comply with legal and regulatory obligations.<br>- It is in our legitimate interests to detect, prevent and investigate fraud, money laundering and other crimes, and to check your identity to protect our business. |
| To understand what products and services you would like to hear about. | - It is in our legitimate interests to give you information about our products and services that you may be interested in. |
| To check your identity and the identity of joint account holders. | - It is necessary to keep to our agreement with you or to enter into an agreement with you.<br>- We are required to comply with legal and regulatory obligations.<br>- It is in our legitimate interests to check your identity so we can protect our business and keep to laws that apply to us. |
| To prevent and detect fraud, money laundering, and other criminal activities. For instance, we may use CCTV in and around our premises to monitor and record video footage. Additionally, we may verify that your location matches the location of transactions by checking whether your card and mobile device are in or near the same area. This helps prevent fraud. | - We are required to comply with legal and regulatory obligations.<br>- It is in our legitimate interests to prevent and investigate fraud, money laundering, and other crimes, and verify your identity to protect our business.<br>- It is a requirement of the services you have asked for. |
| To comply with applicable laws and regulations and cooperate with regulators and law enforcement agencies, such as the police. | - We are required to comply with legal and regulatory obligations.<br>- It is in our legitimate interests to protect our business. |
| Assessing your eligibility for credit | - It is necessary to keep to our agreement with you or to enter into an agreement with you.<br>- It is in our legitimate interests to protect our business. |
Sensitive personal information
We may collect sensitive personal information, also known as special categories of data, including details
related to your health (such as medical history), biometric data (like voice recognition or usage patterns
on your device), and any criminal convictions or offenses. When we process sensitive personal information,
we will always obtain your explicit written consent, unless the processing is required by law. In all cases,
we will comply with applicable laws.
| Purpose of Using Your Sensitive Personal Data | The legal basis for doing so |
| --- | --- |
| We use biometric data for certain purposes, such as detecting and preventing fraud and money laundering, as well as verifying your identity, as outlined in the previous table. | - We have obtained your consent to do so.<br>- It is in the substantial public interest. |
| We may use the information you've provided about your personal circumstances, including medical details, for certain purposes outlined in the previous table. These include:<br>- Resolving complaints and answering inquiries<br>- Assisting in providing, managing, and personalizing our services<br>- Applying for or obtaining quotes for insurance products | - We have obtained your consent to do so.<br>- It is in the substantial public interest. |
| To comply with applicable laws and regulations, and to cooperate with regulators and law enforcement agencies, including the police. | It is in the substantial public interest. |
| To conduct due diligence checks (such as background checks and sanctions checks), which may disclose political opinions or information regarding criminal convictions or offenses. | It is in the substantial public interest. |
| We may use your medical information and details of criminal convictions to temporarily defer your debt repayments and to assist in evaluating other appropriate repayment options for you. | It is in the substantial public interest. |
With whom we will share your information.
Below are some of the entities with whom we share your data, and why:
- i. Government agencies: We have a legal obligation to adhere to the regulatory framework in Uganda and in
some instances we may share your data with government agencies such as Uganda Revenue Authority,
Central Bank of Uganda and Financial Intelligence Authority in adherence to the legal requirements.
- ii. Your Representatives: We may share your information with your advisers, such as your lawyer, if you
have authorized them to represent you. This also applies to any other person you have designated as
authorized to give instructions on your behalf or to use your account, products, or services.
- iii. Our Service Providers and Agents: We may share your information with our service providers, agents,
and their service providers. For example, we might share your details with a company that delivers
mails/packages, our lawyers or auctioneers whenever we have a lawful basis of sharing your information
with them.
- iv. Other financial institutions: If a payment is erroneously credited to your account, we may share
your details and information about the incorrect payment with the bank that initiated the payment to help
recover the funds, and in the event you ask us to deal with them to complete a transaction.
- v. Payment Service Providers and Financial Institutions: We share your information with
payment-processing service providers and other businesses that assist in processing your payments. This
includes financial institutions that are part of payment schemes (such as Visa) or involved in
facilitating payments, where the information is required for specific payment types.
- vi. Insurance Providers and Their Support Partners: If you make an insurance claim, the information you
provide to us or the insurer may be shared with third parties, such as claims handlers.
- vii. Credit Reference Bureaus: We may share your information with credit reference bureaus to assess
your creditworthiness, manage your account, and comply with legal or regulatory requirements. This helps
ensure accurate reporting and responsible lending practices.
- viii. Third party depositors: We may share your name with anyone making a payment into your account when
necessary to confirm that the payment is directed to the correct account.
- ix. Ecobank Transnational Inc (ETI) Group Companies: Ecobank Uganda is a part of the ETI Group, and we
collaborate closely with other companies within the Group. We may share specific information with these
companies to deliver products or services, support marketing efforts, facilitate internal reporting, or
when they provide services on our behalf.
- x. Independent third-party service providers: We may share your information with independent third-party
providers at your request or the request of a third party authorized to act on your behalf. Once shared,
we have no control over how these third parties use your information. It will be your responsibility (or
that of the authorized third party) to agree directly with the third party on how your information is
handled.
- xi. Companies you have paid from your Ecobank account: We may share your information with companies you
have made payments to if they request our assistance in processing your payment (for instance, if they did
not receive the necessary details when the payment was made).
- xii. Business Transfers: In case of a merger, acquisition, or sale of assets, we may share your
information with the involved parties as part of the transaction.
How do we secure your information?
Ensuring the security of our systems and safeguarding our users' information is of utmost importance to
Ecobank. It is fundamental to upholding the integrity of our brand and providing our customers with a secure
and trustworthy experience across all our platforms, including our websites, apps, advertising services,
products, and technologies. Our commitment to protecting user data is integral to maintaining the trust our
customers place in us:
- i. Ecobank has technical, administrative, and physical safeguards in place to help protect against
unauthorized access, use or disclosure of customer information we collect or store.
- ii. We implement a variety of security measures to maintain the safety of your personal information when
you enter, submit, or access your personal information.
- iii. We offer secure transmission, processing and storage services using standardized security
safeguards.
- iv. All supplied sensitive/credit information is encrypted via Transport Layer Security (TLS)
technology during transmission to avoid misuse of your data. Card Number (PAN), CVV and expiry date of any
debit, credit and prepaid cards attached to our apps are tokenized and stored on our backend systems at
our data processor.
Your personal information may be accessible to those authorized with special access rights to such systems,
who are required to keep the information confidential. Information such as PINs and passwords is not
accessible to our authorized personnel.
Your rights
At any point while Ecobank Uganda is in possession of or processing your personal data, you, the data
subject, have the right to:
- i. Access the personal information we hold about you and to correct and update your information
- ii. Object to our processing your personal information, where applicable
- iii. Request that we delete your personal information where appropriate
- iv. Be notified that your personal information is being collected by us or has been accessed or acquired
by an unauthorized person
- v. Object to the processing of personal information for the purposes of direct marketing
- vi. Not be subject to automated decision-making processes in respect of an application for products
and/or services, except under certain circumstances
- vii. Request reasons or make a representation to us if your application for products and/or services
is refused.
- viii. File a complaint with the Personal Data Protection Office regarding breach and non-compliance
- ix. In some instances, depending on the right you exercise, we may forward your request to a third party
involved in the processing of your personal data.
Under what circumstances will Ecobank Contact Me?
We do not intend to be intrusive, and we will not ask irrelevant or unnecessary questions. Moreover, we
will subject the information you provide to rigorous measures and procedures to minimize the risk of
unauthorized access or disclosure.
How long will Ecobank Store My Personal Data?
We keep most of your personal data for as long as you have an existing relationship with us, such as being an
active customer or employee. Once our relationship with you has ended, we will only keep your personal
information for a period that is appropriate for the type of information and what we hold it for (for
example, we generally retain customer account records for a minimum of ten (10) years after closure in line
with anti-money laundering laws and financial regulations).
We will only keep information that allows us to:
- i. Keep accurate business records for analysis or audit purposes.
- ii. Keep to relevant laws (for example, laws relating to preventing, detecting and investigating money
laundering and funding terrorism).
- iii. Defend or take legal action.
- iv. Keep records of anyone who does not want to receive marketing from us.
- v. Deal with any future complaints about the services we have provided, or
- vi. Help with monitoring fraud.
When we have no legal basis to process your personal information, we will either delete or anonymize it or,
if this is not possible (for example, because your personal information has been stored in backup archives),
then we will securely store your personal information and isolate it from any further processing until
disposal is possible.
Automated decision making
We may use the personal data we collect to perform data analytics, including profiling and behavioral
analysis, to facilitate quicker automated decisions, evaluate personal characteristics, and predict outcomes
and risks in our business operations. We ensure that the rules governing such automated systems are designed
to deliver fair and objective decisions.
Additionally, we may employ artificial intelligence and machine learning to enhance client communications,
improve client experience, strengthen operational processes, and enable faster responses with reduced
turnaround times. Examples of automated decision-making include:
- i. Client Digital Onboarding and online lending: Streamlining account opening processes through
electronic know-your-customer validation checks, which verify scanned identification documents and photos
using biometric facial recognition and liveness detection. This will include verification of identity
against the National Identification and Registration Authority (NIRA).
Direct marketing
We may sometimes, and only with your prior explicit consent in accordance with the Uganda Data Protection
and Privacy Act, use your contact details to send relevant marketing communications (such as by post, email,
telephone, SMS, secure messages, mobile app or social media) for direct marketing purposes. We may send the
following types of communications (unless you have informed us that you do not wish to receive such
communications, or you have opted-out):
- i. Details about our or relevant third-party reward, loyalty, or privileges programs, along with related
products and services.
- ii. Information about products and services from third parties, including financial institutions,
insurers, credit card companies, securities and investment providers, mobile wallets, and digital payment
service providers.
- iii. News, offers, and promotions related to our products and services or those of the Ecobank Group.
- iv. Information about products and services offered by our co-branding partners (as specified in the
application form(s) for the relevant products and services).
- v. Market research initiatives and customer satisfaction surveys.
- vi. Information about our or third-party competitions and lucky draws.
- vii. Appeals from us or third parties for charitable or non-profit donations, sponsorships, and
contributions.
- viii. Updates and communication regarding our or third-party seminars, webinars, events, and other
opportunities.
- ix. Information about new employment opportunities at the Bank.
Cross-border transfers
In offering our services to you we may need to transfer your personal information to a country outside your
current location.
When transferring your information abroad, we will ensure that such transfers comply with the Uganda Data
Protection and Privacy Act. This includes confirming that the recipient country has adequate protection
recognized by the Personal Data Protection Office or implementing contractual safeguards approved by the
regulator. Where such safeguards are not in place, we will obtain your explicit consent before transferring
your personal data.
Protecting Children’s Privacy
Our services are for a general audience. We do not knowingly collect, use, or share information that could
reasonably be used to identify a person under the age of 18 without prior consent from the parent or legal
guardian.
Changes to our Privacy Policies
We may update this Privacy Notice to reflect changes to our information practices. If we make any material
changes, we will notify you by email (sent to the email address specified in your account) or by means of a
notice on this website or via a link from your mobile application prior to the change becoming effective. We
encourage you to periodically review this page for updates on our privacy practices.