§Overview

ECADEL GROUP LIMITED (“ECADEL GROUP”, “we”, “us”, or “our”) is committed to protecting the privacy and security of personal data entrusted to us in the course of our operations. This Privacy Policy explains how we collect, process, store, share, and protect personal information across our platforms, including SafeRoad and Meridian, as well as our corporate website and any associated services.

This Policy is issued in compliance with the Uganda Data Protection and Privacy Act, 2019 (PDPA) and applicable international data protection standards. By accessing or using our services, you acknowledge that you have read and understood this Policy.

§Data Controller

The data controller responsible for your personal information is:

Legal Name	ECADEL GROUP LIMITED
Registration	Registered in Uganda
Headquarters	Kampala, Uganda
Email	privacy@ecadelgroup.com
General Contact	ecadelgroup@ecadelgroup.com

For enterprise deployments, ECADEL GROUP LIMITED may act as a data processor on behalf of a government agency, enterprise, or institutional partner who is the data controller. In such cases, data processing is governed by a separate Data Processing Agreement.

§Data We Collect

1. Data You Provide Directly

Identity data: full name, national identification number (where required by regulation)
Contact data: email address, telephone number, postal address
Account credentials: username, hashed password
Professional information: organisation name, job title, industry
Inquiry data: content of messages submitted through our contact or partnership forms

2. Data Collected Automatically (SafeRoad Platform)

Real-time GPS location and route data during active vehicle sessions
Accelerometer and gyroscope sensor data for driving behaviour analysis
Speed, braking, cornering, and acceleration event data
Vehicle identification, registration, and fleet metadata
SOS activation events, timestamps, and location at time of activation
Device identifiers (IMEI, device model, OS version)
Session start and end times, trip duration, and distance

3. Data Collected Automatically (Meridian Platform)

Institutional query data and scenario parameters submitted for analysis
Interaction logs, session identifiers, and API access records
Uploaded datasets and documents (subject to enterprise DPA)
Dashboard usage patterns and feature access logs

4. Technical & Device Data (Website & Platforms)

IP address and approximate geolocation derived from IP
Browser type, version, and operating system
Referring URLs, pages viewed, and time on site
Cookie identifiers (see our Cookie Policy)

§Purposes & Legal Basis for Processing

We process personal data only where we have a lawful basis to do so. The following table sets out our primary processing activities and their legal basis under the Uganda PDPA and applicable standards:

Purpose	Legal Basis
Provision of SafeRoad safety and fleet intelligence services	Performance of contract
Provision of Meridian consequence intelligence analytics	Performance of contract
AI-powered driver safety scoring and incident detection	Legitimate interests / Contractual necessity
Government dashboard reporting and regulatory compliance	Legal obligation / Public interest
SOS emergency response and dispatch coordination	Vital interests of data subject
Insurance partner API data provision (anonymised)	Legitimate interests / Contractual necessity
Account management and customer support	Performance of contract
Platform security, fraud detection, and abuse prevention	Legitimate interests
Analytics to improve service performance	Legitimate interests
Marketing communications (with opt-in)	Consent
Compliance with legal obligations and court orders	Legal obligation

§Data Sharing & Disclosure

We do not sell personal data. We share personal data only in the following circumstances, and only to the minimum extent necessary:

Authorised Partners & Integrations

Government road safety agencies and transport ministries: aggregated, de-identified fleet and incident data pursuant to public safety mandates
Insurance company partners: anonymised or pseudonymised driving score data via secure API, subject to data sharing agreements
Emergency response services: location data provided in real time only during active SOS events, for the sole purpose of coordinating emergency assistance
Smart city initiatives and infrastructure agencies: aggregated, non-personal analytics datasets

Service Providers (Data Processors)

Cloud infrastructure providers for secure data hosting and processing
Telecommunications partners for SMS and push notification delivery
Mapping and geospatial data providers for route visualisation
Analytics and monitoring tooling providers

All service providers are bound by data processing agreements and may not use your data for their own purposes.

Legal Requirements

We may disclose personal data to law enforcement, regulatory authorities, or courts where required by law, or where necessary to protect the vital interests of individuals or the security of our systems. We will, where legally permissible, notify affected individuals of such disclosures.

§Data Retention

We retain personal data for no longer than is necessary for the purposes for which it was collected, taking into account legal, regulatory, operational, and reporting requirements.

Active account data	For the duration of the account or contractual relationship
Trip and telemetry data (SafeRoad)	24 months from date of capture, then anonymised or deleted
Safety incident and SOS records	7 years (regulatory and insurance requirements)
Government dashboard reports	As specified in the applicable government contract
Meridian scenario and query data	Per enterprise DPA; default 12 months
Contact and inquiry data	3 years from last interaction
Website analytics data	13 months on a rolling basis
Financial and billing records	7 years (statutory accounting obligations)
Legal hold data	Until resolution of the applicable matter

§Data Security

ECADEL GROUP LIMITED implements appropriate technical and organisational measures to protect personal data against unauthorized access, accidental loss, destruction, or damage. Our security programme includes:

Encryption of data in transit using TLS 1.2 or higher across all API and web endpoints
Encryption of sensitive data fields at rest using AES-256
Role-based access controls with the principle of least privilege enforced throughout
Multi-factor authentication required for all administrative and platform access
Regular penetration testing and vulnerability assessments by qualified security practitioners
Dedicated incident response procedures with defined notification timelines
Data minimisation and pseudonymisation practices where technically feasible
Vendor security assessments for all data sub-processors

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected individuals without undue delay.

§Your Data Protection Rights

Subject to applicable law and certain limited exceptions, you have the following rights in relation to your personal data under the Uganda Data Protection and Privacy Act, 2019:

Right of access — to receive a copy of the personal data we hold about you
Right to rectification — to request correction of inaccurate or incomplete data
Right to erasure — to request deletion of your data where no overriding legal basis exists
Right to restriction of processing — to request that we limit how we use your data
Right to data portability — to receive your data in a structured, machine-readable format
Right to object — to object to processing based on legitimate interests or for direct marketing
Right to withdraw consent — where processing is based on consent, to withdraw it at any time without affecting prior processing
Right to lodge a complaint — with the Personal Data Protection Office of Uganda or your applicable supervisory authority

To exercise any of these rights, contact us at privacy@ecadelgroup.com. We will respond within 30 days. We may require verification of your identity before fulfilling a request.

§International Data Transfers

Where personal data is transferred outside Uganda, we ensure appropriate safeguards are in place, including contractual clauses approved by the relevant data protection authority, or transfers to jurisdictions deemed to provide an adequate level of protection. We do not transfer personal data to jurisdictions that do not provide adequate protections without explicit data subject consent or a compelling legal basis.

§Children's Privacy

Our platforms and services are directed at businesses, institutions, and adult individuals. We do not knowingly collect or process personal data from children under the age of 18 without verifiable parental or guardian consent. If you believe we have inadvertently collected data relating to a child, please contact us immediately at privacy@ecadelgroup.com.

§Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will provide notice via email to registered account holders, in-platform notification, or a prominent notice on our website, at least 14 days prior to the change taking effect. Continued use of our services after that date constitutes acceptance of the revised Policy.

§Contact Us

For all privacy-related queries, requests, or concerns, contact our Privacy Officer:

Privacy Officer	ECADEL GROUP LIMITED — Privacy Office
Email	privacy@ecadelgroup.com
General	ecadelgroup@ecadelgroup.com
Address	Kampala, Uganda