Privacy Policy
Last updated: March 2026
Kampe Operated by Xapisoft Co. Limited
Effective date: March 2026 Version: 1.0
1. Background
We respect your privacy and will only collect and use personal data in ways described here, consistent with our obligations under Uganda's Data Protection and Privacy Act, 2019.
1.1. Xapisoft Co. Limited ("Xapisoft," "we," "us," or "our") understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who uses the Kampe platform and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the Data Protection and Privacy Act, 2019 and the Data Protection and Privacy Regulations, 2021.
1.2. Please read this Privacy Policy carefully. By using our Platform, you give your consent that you have read and accepted the terms in this Privacy Policy. If you do not accept this Privacy Policy, please stop using the Platform immediately.
2. Information about us
Kampe is operated by Xapisoft Co. Limited, a limited liability company registered in Uganda.
2.1. The Kampe platform is operated by Xapisoft Co. Limited, a limited liability company registered in Uganda.
Email: support@kampestore.com Website: https://kampestore.com
3. Definitions
Key terms used in this Policy including Account, Customer, Merchant, Personal data, Platform, and Store.
3.1. In this Policy:
"Account" means your registered account on the Kampe platform.
"Customer" means a person who purchases goods or services from a Merchant through a Store on the Platform.
"Merchant" means a person or business that uses the Platform to create and operate an online store.
"Personal data" means any information relating to an identified or identifiable natural person, as defined in the Data Protection and Privacy Act, 2019.
"Platform" means the Kampe web application at kampe.com, including the merchant dashboard, storefront builder, hosted payment pages, and related services.
"Store" means a Merchant's online storefront hosted on a subdomain of kampestore.com.
4. What does this policy cover?
4.1. This Privacy Policy applies to your use of the Kampe platform. We have no control over how your data is collected, stored, or used by other websites whose links may appear on the Platform, and we advise you to check the privacy policies of any such websites before providing any data to them.
5. What are your rights?
As a data subject under the Data Protection and Privacy Act, 2019, you have rights including access, correction, erasure, restriction, objection, portability, and rights regarding automated decisions.
5.1. As a data subject, you have the following rights under the Data Protection and Privacy Act, 2019, which we will always work to uphold:
(a) The right to be informed about our collection and use of your personal data. This Privacy Policy should tell you everything you need to know, but you can always contact us to find out more using the details in Section 15.
(b) The right to access the personal data we hold about you. All subject access requests should be made in writing to the email address in Section 15. We shall respond within thirty (30) days.
(c) The right to correction. You may request that we correct or delete personal data that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully (Section 16 of the Act).
(d) The right to be forgotten. You may ask us to delete or dispose of any of your personal data that we hold, where it is no longer necessary for the purpose it was collected or where you withdraw consent.
(e) The right to restrict processing. You may request that we stop processing your personal data where such processing causes or is likely to cause unwarranted damage or distress (Section 25 of the Act). We shall respond within fourteen (14) days.
(f) The right to object to processing of your personal data for a particular purpose.
(g) The right to prevent direct marketing. You may at any time require us to stop processing your personal data for purposes of direct marketing (Section 26 of the Act). We shall comply within fourteen (14) days.
(h) The right to data portability. Where you have provided personal data to us directly and we process it with your consent or for performance of a contract, you may request a copy of that data in a structured, commonly used format.
(i) Rights regarding automated decisions. You may require that any decision which significantly affects you is not based solely on automated processing of your personal data (Section 27 of the Act).
5.2. For more information about exercising your rights, please contact us using the details in Section 15.
5.3. If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Personal Data Protection Office (PDPO). Further information is available at www.pdpo.go.ug.
6. What data do we collect?
We collect data from Merchants (name, email, phone, business details, transaction records), from Customers (name, phone, order details, delivery address), and automatically from all users (IP, device, browser, pages visited).
6.1. Depending on your use of the Platform, we may collect some or all of the following personal data:
From Merchants (when you register and use the Platform):
(a) Full name (b) Email address (c) Phone number (d) Business name and description (e) Mobile money account details (for payouts) (f) National ID number (for identity verification) (g) Store content (product images, product descriptions, pricing) (h) Transaction records (orders, payments, payouts)
From Customers (when they visit a Store or make a purchase):
(a) Name (if provided at checkout) (b) Phone number (for payment and delivery) (c) Mobile money transaction reference (d) Order details (products purchased, amounts paid) (e) Delivery address (if applicable)
Automatically collected data (from all users):
(a) IP address (b) Device type and operating system (c) Browser type and version (d) Pages visited and time spent on the Platform
6.2. We also receive personal data indirectly in the following scenarios, in accordance with Section 11(2) of the Act:
(a) From our payment processor when transactions are processed or disputed; (b) From law enforcement or regulatory authorities, where we are required to cooperate with an investigation; and (c) Where personal data has been made publicly available.
7. How do we use your personal data?
We use your data for account management, payment processing, service provision, fraud prevention, legal compliance, and platform improvement.
7.1. We use your data for the necessary performance of a contract with you, because you have consented to the use of your personal data, or because it is in our legitimate business interests to use it. Your personal data is used for the following purposes:
(a) Creating and managing your Account; (b) Providing and managing your access to the Platform; (c) Processing payments and payouts through Mobile Money; (d) Displaying your products to Customers through your Store; (e) Communicating with you about your account, orders, and service updates; (f) Preventing fraud and enforcing our Terms of Service; (g) Complying with tax and regulatory obligations under Ugandan law; (h) For purposes of "Know Your Customer" and Customer Due Diligence under the law; (i) Improving the Platform and your user experience; and (j) Responding to legal requests from authorities.
7.2. We collect and process only personal data that is necessary and relevant to the purposes stated above, in accordance with Section 14 of the Act. We do not collect personal data that is excessive or unnecessary.
7.3. Consequences of not providing data. Providing your name, phone number, email, and Mobile Money details is required for Merchants to use the Platform. If you do not provide this data, we cannot create your account or process payments. Automatically collected data (IP address, device information) is collected by default when you access the Platform. You can limit this by adjusting browser settings, but some Platform features may not function properly.
7.4. We may use your personal data for marketing purposes, which may include contacting you by email or SMS with information and offers on our services. You will not be sent any unlawful marketing or spam. You will always have the opportunity to opt out.
8. How long will we keep your personal data?
Retention periods vary by data type: account data is kept for the duration of your account plus 12 months, transaction records for 7 years, and automatically collected data for 12 months.
8.1. We store personal data until it is no longer necessary to provide our services or until your account is deleted, whichever comes first. Our retention periods are:
| Data type | Retention period | Reason |
|---|---|---|
| Account data (name, email, phone) | Duration of account + 12 months after closure | Contract performance and legal claims |
| Transaction records | 7 years from transaction date | Tax and regulatory compliance (Income Tax Act, VAT Act) |
| Store content (images, descriptions) | Duration of account; deleted within 30 days of account closure | Service provision |
| Automatically collected data (IP, device) | 12 months from collection | Security and improvement |
| Customer order data | 7 years from transaction date | Tax compliance; dispute resolution |
8.2. Where the Anti-Money Laundering Act, 2013 or the policies of our payment processor require longer retention of transaction records, the longer period shall apply. Transaction records may be retained for up to ten (10) years from the transaction date for AML/CFT compliance purposes.
8.3. When the retention period expires, we delete or anonymise the data in a manner that prevents its reconstruction in an intelligible form, in accordance with Section 18(5) of the Act.
9. How and where do we store your personal data?
We only transfer data to countries with adequate data protection. We use encryption and data processing agreements to protect your data.
9.1. We will only store or transfer your personal data to countries that have adequate data protection standards or where you have consented to the processing or storing of personal data outside Uganda, in accordance with Section 19 of the Act.
9.2. Where your data is processed or stored outside Uganda, we ensure that the receiving country or organisation has data protection measures at least equivalent to the protection provided by the Act. We enter into data processing agreements with service providers and use encryption for data in transit and at rest.
9.3. By using the Platform, you consent to the transfer of your personal data outside Uganda for the purposes described in this Policy.
10. Do we share your personal data?
We share data with payment processors, mobile money providers, regulatory authorities, and professional advisers only where necessary. We never sell personal data.
10.1. We may share your personal data with the following third parties where necessary to provide our services:
(a) Relworx Limited, our payment processor, for processing Mobile Money payments (MTN and Airtel) and settling payouts to Merchants.
(b) MTN Mobile Money Uganda Limited and Airtel Mobile Commerce Uganda Limited, for processing Customer payments and Merchant payouts.
(c) The Uganda Revenue Authority (URA), for tax compliance purposes where required by law.
(d) The Financial Intelligence Authority (FIA), for AML/CFT compliance purposes where required by law.
(e) The Bank of Uganda, as regulator under the National Payment Systems Act, for purposes of legal compliance.
(f) Law enforcement authorities, where required by law, court order, or regulatory directive.
(g) Professional advisers (lawyers, accountants), under duties of confidentiality.
10.2. If any of your personal data is shared with a third party as described above, we take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party's obligations under the law.
10.3. We do not sell or offer for sale personal data of any person. The sale of personal data is a criminal offence under Section 37 of the Act.
11. Merchants as data controllers
Merchants are data controllers for Customer data collected through their Stores. Xapisoft processes this data on behalf of Merchants as a data processor.
11.1. When a Merchant collects personal data from Customers through their Store (for example, name, phone number, delivery address), the Merchant is the data controller for that Customer data.
11.2. Xapisoft processes Customer data on behalf of the Merchant as a data processor. We process such data only as necessary to operate the Platform and in accordance with the Merchant's instructions.
11.3. Merchants are responsible for ensuring that they have a lawful basis for collecting Customer data, informing Customers about how their data will be used, and responding to Customer data access requests.
12. Further processing limitation
12.1. In accordance with Section 17 of the Act, we shall not process your personal data for purposes other than those for which it was originally collected, unless:
(a) You consent to the further processing; (b) The data has been made publicly available; (c) Further processing is necessary for law enforcement, national security, or court proceedings; or (d) The data is used for statistical or research purposes in a form that does not reveal your identity.
13. Data security
We implement encryption, access controls, and regular security reviews. We do not store full Mobile Money account details. In case of a data breach, we follow the notification procedures under the Act.
13.1. We take the security of your personal data seriously. In accordance with Section 20 of the Act, we implement appropriate technical and organisational measures to prevent loss, damage, unauthorised destruction, and unlawful access to or unauthorised processing of personal data.
13.2. These measures include encryption of data in transit and at rest, access controls restricting who within our team can access personal data, and regular review of our security practices.
13.3. We do not store full Mobile Money account details on our servers. Payment data is handled by our payment processor.
13.4. Data breach notification (Section 23). If we believe that your personal data has been accessed or acquired by an unauthorised person, we shall immediately notify the PDPO of the unauthorised access and the remedial action taken. The PDPO shall determine whether we should notify you as the data subject. If directed to do so, we shall provide sufficient information to allow you to take protective measures.
14. Children's data
14.1. The Platform is intended for persons aged eighteen (18) years and above. We do not knowingly collect personal data from children (persons under 18 years of age).
14.2. If you become aware that a child has provided us with personal data, please contact us at support@kampestore.com. We shall take steps to delete such data promptly.
14.3. Where Merchants sell products to persons under 18 through their Stores, the Merchant is responsible for ensuring compliance with applicable laws regarding children's data, including obtaining consent from a parent or guardian where required under Section 8 of the Act.
15. How do you contact us?
15.1. If you have any questions about this Policy or wish to exercise any of your rights, you can contact us as follows:
Xapisoft Co. Limited Email: support@kampestore.com Website: https://kampestore.com
16. Changes to this Privacy Policy
We may update this Policy from time to time. Material changes will be notified at least 14 days in advance. Continued use of the Platform after changes constitutes acceptance.
16.1. We may change this Privacy Policy from time to time. This may be necessary if the law changes or if we change our business in a way that affects personal data protection.
16.2. We shall notify you of material changes by email or through the Platform at least fourteen (14) days before the changes take effect.
16.3. The most current version of this Policy is always available at kampestore.com/legal/privacy.
16.4. By your continued use of the Platform after changes are posted, you consent to the updated terms.