KampalaSnap — Privacy Policy

Effective date: 2026-05-22 Last updated: 2026-05-24 Last material change: 2026-05-24 — added Google + Apple sign-in paths (§ 2.1), guest sessions (§ 2.7), Sign-in providers third-party disclosure (§ 5.4), backup-encryption key in the keys list (§ 3.1), email field added to Tier A (§ 4). Jurisdiction: Uganda — designed to be compatible with the Uganda Data Protection and Privacy Act (2019) and the EU GDPR where applicable to non-Ugandan users.

This document describes what personal information KampalaSnap collects, how we use and protect it, how long we keep it, and the rights you have over it. It reflects the systems and protections actually deployed in production, not aspirations.

If something in this document is unclear, contact us at support@kampalasnap.com and we will respond within 7 days.

1. Who we are

KampalaSnap is a Ugandan marketplace connecting buyers, sellers, and service providers. We operate the mobile and web app, the matching escrow payments flow, and the internal admin tools.

For the purposes of data protection law, KampalaSnap is the data controller for personal information you provide to us.

2. What we collect, and why

KampalaSnap offers three ways to create an account, each collecting different information. Pick whichever you prefer; the account works the same way after signup regardless of which path you took.

Path A — Sign up with phone (SMS OTP)

What	Why
Username	Public display name and URL slug
WhatsApp phone number	Login identifier; OTP delivery
Password	Authentication (stored only as an Argon2 hash — we cannot see your password)

Path B — Sign in with Google

What	Why
Google email address	Account identifier; account linking lookups (we hash it; we store the email itself encrypted)
Google profile name	Pre-fills your display username (you can change it later)
Google profile picture URL	Pre-fills your avatar
Google's stable user ID (`sub`)	Lets us recognize you on every subsequent Google sign-in

No password is created. No phone number is captured at this stage.

Path C — Sign in with Apple (iOS only)

What	Why
Apple email (real or relay)	Same as above; relay emails like `random@privaterelay.appleid.com` are accepted normally
Apple full name	Used once at signup; not refreshed on subsequent sign-ins
Apple's stable user ID (`sub`)	Recognises you on subsequent Apple sign-ins

Apple sends email + name to us only on the very first sign-in for this app — we keep them stored after that.

Phone added later (Path B / C only)

If you started with Google or Apple and later open a shop or service, we'll ask you to verify a phone number at that point via SMS OTP. Phone verification is required for sellers so we can route payouts and support dispute resolution. Buyers who never sell are never required to give us a phone.

What	Why
Optional secondary phone	Backup contact (not used today; placeholder)

2.2 Information you give us when you sell or provide a service

What	Why
Shop or service name, bio, logo	Public profile display
Contact phone(s)	Shown to buyers on your profile
Verification contact info (email or phone)	Used by our admin to reach you during verification review
MoMo account number + holder name (saved payout methods)	Pay you for completed orders
MoMo verification number	Proves you control the destination phone before we send money there

2.3 Information you give us when you place an order

What	Why
Recipient name	Boda rider knows who to deliver to
Delivery phone number	Boda rider can call/text on arrival
Delivery address (landmark + structured location)	So the order actually reaches you
Shipping instructions	Free text you write for the seller / rider
Delivery PIN	Final-mile proof of delivery to release escrow

2.4 Information you give us when you use the app

What	Why
Orders placed and received	Order history, dispute evidence
Reviews and ratings	Public reputation for sellers and services
Posts, comments, likes	Social features in the app
Ad campaigns purchased	Your seller-side spend history
Wallet balance and transactions	Your earnings, payouts, and platform fees

2.5 Information we derive automatically

What	Why
Login timestamps, refresh tokens	Session management; revoke leaked tokens
Failed PIN attempts on an order	Brute-force protection (lock after 5 wrong tries)
Push notification token (Expo)	Send you order updates and chat messages
Order status timeline (PAID → DELIVERED → COMPLETED, etc.)	Auditable history if a dispute opens

2.6 Information we explicitly do NOT collect

Your government ID number, passport number, or national ID
Your real-time location (we use the address you type at checkout)
Your contact list, photos library, or files outside what you explicitly upload
Tracking cookies for third-party advertising

When you open the app or visit the website without signing in, we issue your device an anonymous identifier (a random UUID stored on the device). We use it to:

Remember what you browsed across app restarts, so the next time you open the app the videos and shops you looked at last time can resurface
Carry your browse history forward to your new account if you later sign up — without asking you to start over

We do NOT associate this UUID with your name, phone, or email (you haven't given us those yet). The UUID expires automatically after 90 days of inactivity. If you sign up, the UUID is linked to your account so future analytics can stitch "what they looked at as a guest" to "what they did as a user."

You can clear the UUID at any time by signing out (in the app's Settings) or by clearing the app's data via your phone's settings.

3. How we secure your information

3.1 Encryption of personal data at rest

After our May 2026 migration arc (database migrations 0006 through 0014), the database physically does not contain plaintext copies of the following personal information:

WhatsApp number
Delivery phone, recipient name, delivery landmark, delivery location, shipping instructions on every order
Secondary phone
Shop and service profile phone numbers
MoMo number on saved payout methods and on verification records
MoMo holder name on withdrawal requests
Solo-listing seller contact phones (call and WhatsApp)
Verification request contact info
Email address (received via Google or Apple OAuth, or set later)

Every column in that list is stored as one of two encrypted forms:

Fernet ciphertext (AES-128-CBC + HMAC-SHA256) for fields used only for display
HMAC-SHA256 blind index (alongside the Fernet ciphertext) for fields used for login, OTP verify, withdrawal gate, or account linking lookups

We use five separate cryptographic keys, each protecting a different category of data:

Key	Protects
PIN encryption key	Your order delivery PIN
Payout encryption key	Your saved bank/MoMo account number
PII encryption key	Every other personal field above (including email)
Blind index key	Login / OTP / withdrawal-gate / email-linking lookup hashes
Backup encryption key	The nightly off-server backup files themselves

The keys live in a server configuration file, not in the database. An attacker who copies our database but does not also obtain these keys cannot read any of the personal fields above. This is called defense in depth: a single point of compromise should not yield a total breach.

3.2 Password storage

Passwords are stored as Argon2 hashes. Argon2 is a one-way function: even with the database and all encryption keys, we cannot recover your password. If you forget it, you reset it via SMS one-time code, and we replace the hash; we never see the old password.

3.3 Network security

All client traffic uses HTTPS (TLS 1.2+)
Internal database and cache services are not exposed to the public internet
Administrative interfaces require authentication and are behind additional access controls
Rate limits apply to authentication and payment endpoints to block credential stuffing and brute-force attempts

3.4 Backups

We take daily encrypted backups of the database and store them off the application server with a third-party storage provider. The backups themselves are encrypted with a separate fourth key (not listed above) before they leave the server. An attacker who intercepts a backup file gets only ciphertext.

3.5 Audit logs

Financial events (wallet credits, debits, withdrawals, escrow releases) and order status changes are written to append-only audit tables. No application code path UPDATEs or DELETEs from these tables. This means if anyone — including an admin — tries to alter financial history, the original record remains visible.

3.6 Access controls inside the team

Only personnel directly involved in operations, support, or dispute resolution have access to administrative tools. Such access is logged. We are working on a formal audit log for admin actions (tracked in our internal roadmap as a P2 item).

4. How long we keep your information

We keep data in three tiers, each with its own retention window.

Tier A — Personal Identifying Information

WhatsApp number, secondary phone, email address, names, addresses, delivery contact details, MoMo numbers, verification contacts.

While your account is active: kept indefinitely.
After you delete your account: soft-deleted immediately, then anonymized after 30 days. The 30-day window lets us reverse accidental deletions and resolve any disputes opened just before deletion. After 30 days the encrypted PII fields are scrubbed and only non-identifying records remain.

Tier B — Financial and legal records

Transactions, wallet ledger, orders, withdrawals, payout methods, dispute records.

Kept for 7 years from the date of the record.
This is a tax and legal-compliance requirement, not a choice.
During this period, personal identifiers (name, phone, address) on these records are anonymized after the Tier A 30-day window closes — only the financial amounts, timestamps, and account pointers remain.

Tier C — Behavioral data

Kept 90–365 days, depending on the data type.
Downsampled to aggregate counts (no per-user records) before deletion where useful for product analytics.

Guest sessions (pre-account browsing)

The anonymous UUID we issue to your device before you sign up (see § 2.7) is retained for 90 days from your last visit. If you don't return within 90 days, the record and any associated browse data are hard-deleted. If you sign up, the UUID is linked to your account and survives as long as your account does.

We share information with three categories of third party, and only the minimum necessary in each case.

5.1 Payment processors

We use Pesapal to collect buyer payments and process refunds. When you check out, Pesapal sees the transaction amount, an order reference, your phone number (for receipt delivery), and your email if provided. Pesapal's privacy policy governs how they handle that information.

We process MoMo payouts (currently manually batched, automation planned) using the relevant MoMo provider's API. The provider sees the destination MoMo number, the amount, and a reference code.

5.2 SMS provider

OTPs and some transactional messages are sent via an SMS gateway provider. The provider sees the recipient phone number and the message content (the 6-digit code). We do not give the provider your name, password, or any other identifier.

5.3 Hosting and infrastructure

The application and database run on a virtual server hosted by Netcup (Germany). Backups are stored with a cloud-storage provider configured by us (provider name disclosed on request). Image and video files (product photos, profile pictures, dispute evidence) are stored with Wasabi (S3-compatible cloud storage). The hosting providers have access to the physical/virtual infrastructure but receive only encrypted ciphertext for PII fields — they cannot read the underlying data without our keys.

If you choose to sign in with Google or Apple, those providers are part of the data flow:

Provider	What they see	What we receive
Google	That you signed in to KampalaSnap on a given date with a given Google account	Your Google profile name, email address, profile picture URL, and a stable Google user ID. We never send anything back to Google.
Apple (iOS only)	Same as above for Apple ID	Your email (real or Apple's relay address), name (once, on first sign-in), and a stable Apple user ID. We never send anything back to Apple.

Google's privacy policy: https://policies.google.com/privacy Apple's privacy policy: https://www.apple.com/legal/privacy/

If you sign up with phone instead, neither Google nor Apple is part of the flow.

5.5 What we never do

Sell your personal information to advertisers
Share your contact details with sellers you haven't transacted with
Allow third-party analytics SDKs to collect identified data from the app
Hand over data to anyone except in response to a lawful order from Ugandan authorities, or as required to resolve a dispute you have opened with us

6. Your rights

You have the following rights over your personal information. None of these rights require a fee. We will respond within 30 days of a verified request.

6.1 Right to access

Request a copy of the personal information we hold about you, including your encrypted PII fields decrypted into readable form. Contact us at support@kampalasnap.com.

6.2 Right to correction

Most profile fields you can edit directly in the app (username, shop/service info, payout methods). For fields you can't edit yourself, request a correction by email.

6.3 Right to deletion

Request deletion of your account. We perform a soft-delete immediately (the account stops working, your profile becomes invisible, your username and phone-number slot become reusable by a new signup after the partial-unique-index window). Tier A PII is anonymized 30 days later. Tier B financial records are retained for the legal 7-year window, but personal identifiers on them are anonymized.

6.4 Right to portability

Receive your data in a machine-readable format (JSON). Currently this is a manual export on request; we are working on a self-service export endpoint.

You can withdraw consent at any time by deleting your account. We cannot continue to provide marketplace services to you without the data we collect (you cannot place an order without a delivery address), so withdrawing consent for any particular field generally means we cannot serve you further.

6.6 Right to object and complain

If you believe we are mishandling your data, contact us first at support@kampalasnap.com. If we cannot resolve your concern, you can lodge a complaint with the Personal Data Protection Office (Uganda) or with the data protection authority in your home country if you are outside Uganda.

7. Children

KampalaSnap is not directed at children under 18. We do not knowingly collect personal information from children. If you believe a child has signed up, contact us and we will delete the account.

8. International transfers

Our hosting infrastructure is in Germany (EU/EEA). Backups may be stored with providers outside Uganda. By using KampalaSnap you consent to your personal information being transferred to and processed in these locations. Where required by law, we rely on standard contractual clauses or equivalent transfer mechanisms.

9. Changes to this policy

We will update this policy when we change our practices. The "Last updated" date at the top reflects the most recent change. For material changes (new categories of data collected, new third-party processors, weakening of any security control) we will notify active users via the app at least 14 days before the change takes effect.

A full revision history is available in the project's git log: kampalasnap.com/privacy (this page).

10. Contact

General privacy enquiries: support@kampalasnap.com
Data access / deletion / portability requests: support@kampalasnap.com
Security issues (suspected breach, vulnerability report): support@kampalasnap.com — please include the word SECURITY in the subject line for faster routing

For internal engineering reference on how the controls in this policy are implemented, see backend/SCHEMA.md § 13 and scripts/BACKUPS.md.