Last updated July 2026.
ExploUganda respects your privacy and handles personal data with care, transparency, and accountability. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you visit our website, contact us, request a quotation, make a booking, travel with us, subscribe to updates, or otherwise engage with our services as a Uganda based tour operator.
This policy is written to reflect our obligations under the Data Protection and Privacy Act, 2019 of Uganda and related regulations, and, where applicable, the General Data Protection Regulation of the European Union and United Kingdom data protection standards for travellers located in those jurisdictions.
1. Data controller
ExploUganda is the data controller for the personal data covered by this policy. As the data controller, we decide why and how your personal data is processed for itinerary design, reservations, guest support, safety management, and related business operations.
Controller contact details: ExploUganda, Kampala, Uganda. Email: hello@explouganda.com. WhatsApp: message us.
2. Scope of this policy
This policy applies to personal data collected through our website, contact forms, email correspondence, telephone calls, social messaging used for booking support, supplier coordination, trip planning documents, payment administration, and post trip service follow up. It also applies to data we receive from a lead traveller acting on behalf of other members of a private group, from travel advisors, or from trusted partners involved in arranging your journey.
3. Lawful bases for processing
We process personal data only where we have a lawful basis to do so. Depending on the context, one or more of the following bases may apply.
Performance of a contract
We use this basis when processing is necessary to confirm and manage your booking, secure accommodation, arrange transport, reserve permits, process payments, respond to service issues, and deliver the travel services you have purchased.
Steps before entering into a contract
We use this basis when you ask us to prepare proposals, tailor an itinerary, check availability, or answer pre booking questions.
Legal obligation
We use this basis where we must comply with laws and regulations, including accounting, tax, anti fraud, immigration, health, safety, and tourism related obligations.
Legitimate interests
We use this basis where processing is necessary for the efficient and responsible operation of our business, provided your rights and interests do not override those interests. This includes customer service administration, service improvement, incident management, record keeping, website security, and defending legal claims.
Consent
We rely on consent for specific activities such as optional marketing emails and, where required, certain categories of health or accessibility information that you choose to provide so we can support your trip appropriately.
Vital interests
In limited circumstances, we may process personal data to protect your vital interests or those of another person, such as during a medical or safety emergency during travel.
4. Categories of personal data we collect
The categories of personal data we may collect depend on the services you request and the nature of your trip.
Identity and contact data
- Name, title, nationality, date of birth, gender where relevant to travel arrangements, postal address, email address, telephone number, and emergency contact details.
- Details of the lead traveller and, where a booking is made for others, information relating to the rest of the party.
Booking and travel data
- Passport details, visa status, arrival and departure information, accommodation preferences, rooming details, transport requirements, permit information, loyalty preferences, and special occasion details where relevant.
- Trip history, communications about itinerary changes, and feedback provided before, during, or after travel.
Payment and financial data
- Billing address, payment status, transaction references, bank transfer details, and limited payment related information required to reconcile your booking.
- We do not intentionally store full payment card numbers, card verification codes, or similar full card authentication data on our own systems when payments are processed by specialist providers.
Health, dietary, mobility, and accessibility data
Where relevant to your safety or the delivery of your trip, we may collect information about medical conditions, allergies, dietary needs, physical limitations, or accessibility requirements. We ask that only information relevant to the trip is shared.
Technical and website usage data
- IP address, browser type, device information, pages visited, referring page, approximate region, timestamps, and security related logs generated by our hosting or form tools.
- Cookie preference information used to remember whether you have dismissed the cookie banner.
Marketing and preference data
- Your preferences about receiving updates, promotional communications, and follow up content.
- Interests you share with us such as wildlife, gorilla trekking, birding, family travel, photography, or luxury lodge preferences.
5. How we collect data
We collect personal data directly from you when you submit an enquiry, request a proposal, book a trip, complete traveller information forms, sign waivers, subscribe to communications, or correspond with us. We may also receive personal data from a lead traveller booking on behalf of a group, from a travel advisor, or from service partners involved in your arrangements. Some technical data is collected automatically through the normal operation of our website and hosting environment.
6. Purposes of processing
We use personal data for the following purposes.
- To respond to enquiries and design bespoke itineraries.
- To confirm bookings, issue invoices, receive payments, and maintain reservation records.
- To secure park permits, lodge rooms, transport, guides, domestic flights, and other travel services.
- To communicate with you before, during, and after your trip.
- To manage dietary, accessibility, and safety related requests where reasonably possible.
- To verify compliance with eligibility rules set by third parties such as protected area authorities or accommodation partners.
- To maintain business records, meet legal and accounting obligations, and resolve disputes or claims.
- To keep our website and systems secure and reduce fraud, misuse, or unauthorised access.
- To send marketing communications where you have asked to receive them or where permitted by law and subject to your right to opt out.
- To improve our services through operational review, guest feedback, and responsible business analysis.
7. When we share personal data
We share personal data only where it is necessary, proportionate, and relevant to delivering your trip or running our business lawfully and safely. Depending on the booking, recipients may include the following parties.
Travel suppliers
Lodges, camps, transport operators, guides, domestic airlines, destination management partners, and other suppliers may receive the information they need to deliver the services in your itinerary. We aim to disclose only the minimum information needed for that purpose.
Protected area and permit authorities
Where your trip includes permits or controlled access activities, we may share personal data with the relevant authority, including the Uganda Wildlife Authority for gorilla, chimpanzee, or park related arrangements where required.
Form and communications providers
Our website enquiry and quote forms use ExploInbox, our in-site submission system. Each request receives a unique reference number. Details are stored securely in your browser and can be sent to us via email or WhatsApp using the buttons on the confirmation screen. When we configure a server endpoint, submissions will also be delivered automatically to our team.
Payment processors and financial service providers
Payments may be processed by specialist providers such as bank transfer intermediaries, card processors, or mobile money services. These providers process payment information under their own privacy and compliance obligations.
Professional advisers and compliance recipients
We may disclose information to accountants, insurers, auditors, legal advisers, regulators, law enforcement agencies, or courts where necessary to comply with legal obligations, protect rights, investigate fraud, or manage claims.
We do not sell personal data and we do not trade mailing lists. We do not use your enquiry or traveller information to build advertising profiles for unrelated third parties.
8. International transfers
Some of the service providers and technology partners we use may store or process personal data outside Uganda, including in countries that may not have identical data protection laws. This can happen, for example, when using cloud based email, form handling, reservation support, or payment infrastructure.
Where personal data is transferred internationally, we seek to use reputable providers and appropriate safeguards suitable to the context, such as contractual protections, provider security commitments, access controls, and transfer mechanisms recognised by applicable law. If you are in a jurisdiction where additional transfer rights apply, including parts of the European Economic Area or the United Kingdom, you may contact us for more information about the safeguards relevant to your booking or enquiry.
9. Data retention
We keep personal data only for as long as reasonably necessary for the purposes described in this policy, including legal, operational, accounting, safety, and dispute management needs.
- General enquiries that do not become bookings are usually retained for up to 24 months, unless a longer period is needed to handle an ongoing correspondence or legal issue.
- Booking, traveller, accounting, and supplier records are usually retained for up to 7 years after travel, or longer where required by law, audit practice, or a live complaint or claim.
- Marketing subscription records are retained until you unsubscribe or ask us to stop contacting you, after which we may keep limited suppression information so we can respect your request.
- Health or accessibility information is retained only for as long as needed to administer the relevant trip and any associated legal or insurance obligations.
10. Children's privacy
Our services are primarily directed to adults planning travel. We may collect personal data relating to children when a parent, guardian, or authorised adult includes a child in a family or private group booking. In those cases, we process the child's information only as needed to arrange the trip, support safety, or meet supplier or legal requirements.
We do not knowingly seek to market directly to children and we ask that children do not submit enquiries to us without the involvement of a parent or guardian. If you believe a child has provided personal data to us inappropriately, please contact us so we can review and, where appropriate, delete the information.
11. Security
We use reasonable technical and organisational measures to protect personal data against accidental loss, unauthorised access, misuse, alteration, and disclosure. These measures may include restricted account access, secure passwords, role based access, supplier due diligence, device protections, payment handling controls, and procedures for responding to suspected incidents.
No online transmission or storage system can be guaranteed to be completely secure. For that reason, while we work hard to protect personal data, we cannot promise absolute security. If we become aware of a serious data incident affecting your personal data, we will take appropriate steps under applicable law, including investigation, mitigation, and notification where required.
12. Your rights
Subject to applicable law and certain limits, you may have the right to request access to the personal data we hold about you, request correction of inaccurate or incomplete information, request erasure of data that is no longer needed, object to certain processing, request restriction of processing, withdraw consent where consent is the basis relied upon, and request a copy of data you provided in a portable format where such a right applies.
Under the Uganda Data Protection and Privacy Act, you may ask for information about how your personal data is being processed, request prevention of processing likely to cause unwarranted substantial damage or distress, and seek rectification, blocking, erasure, or destruction of inaccurate data where justified by law. If the GDPR or similar rules apply to you because of your location or the context of our services, you may also have rights relating to portability and certain international transfer safeguards.
To exercise your rights, please email hello@explouganda.com. We may need to verify your identity before acting on the request, and in some cases we may lawfully decline or limit a request where an exemption applies.
13. Cookies
Our website uses a limited technical cookie to remember whether you have dismissed the cookie banner. We do not use advertising cookies and we do not run analytics cookies by default. You can read more in our Cookie Policy.
14. Marketing communications
If you ask to receive updates from us, we may send occasional emails about destinations, lodges, seasonal travel opportunities, or new itineraries. You can unsubscribe at any time using the link in the email or by contacting us directly. We will not continue direct marketing to you once you have opted out, although we may still contact you about active enquiries, bookings, safety matters, or legal notices.
15. Third party websites and services
Our website or communications may link to third party websites, including supplier sites, permit authorities, or official public information pages. Once you leave our website, the privacy practices of those third parties apply. We encourage you to review their own notices before submitting personal data.
Where we refer to official travel or health information, travellers should consult the current guidance published by the relevant authority, including Uganda Immigration at immigration.go.ug, the Uganda Wildlife Authority at ugandawildlife.org, and the World Health Organization at who.int.
16. Complaints and questions
If you have a privacy concern, please contact us first with full details of the issue so we can investigate and try to resolve it promptly and fairly. We may ask for supporting information in order to verify the request and understand the concern.
If you are not satisfied with our response, you may raise the matter with the appropriate supervisory or regulatory body. In Uganda, this may include the competent authority responsible for administering personal data protection law. If you are located in the European Economic Area or the United Kingdom and the GDPR or equivalent rules apply, you may also complain to your local data protection authority.
17. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in law, our services, supplier arrangements, or website features. The latest version will always show the current update month and year on this page.