# Privacy Policy **Last Updated: January 2025** **Version: 1.0** ## 1. Introduction Welcome to Carly ("we," "us," "our," or "Carly"), a motor vehicle financing platform. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, web portals, and related services (collectively, the "Service"). Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use the Service. ## 2. Information We Collect ### 2.1 Information You Provide to Us **Account Registration Information:** - **For Consumers:** - Full name (required) - Phone number (required) - formatted as +256XXXXXXXXX - Email address (optional) - Password (encrypted and stored securely) - Profile information - **For Companies:** - Company name (required) - Owner phone number (required) - Support phone number (required, must be unique from owner's phone) - Email address (required) - Car Bond Address (required) - Operating License documentation (for KYB verification) **Identity Verification Documents (KYC/KYB):** - National ID, Driver's License, or Passport (for consumers) - Operating License (for companies) - Document numbers associated with verification documents - Scanned images or digital copies of identification documents **Financial and Transaction Information:** - Payment methods and details (Mobile Money, FinFlo, Cash) - Transaction history and records - Payment amounts and schedules - Financing agreement details - Balance information **Vehicle and Consultation Information:** - Vehicle consultation requests - Vehicle inspection requests - Vehicle preference and browsing history - Communications with companies **Communication Information:** - Messages and communications sent through the Service - Consultation requests and responses - Customer support inquiries **Other Information:** - Reviews and ratings you submit - Feedback and survey responses - Any other information you choose to provide ### 2.2 Information Automatically Collected **Device Information:** - Device type and model - Operating system version - Unique device identifiers - Mobile network information - Device language and time zone settings **Usage Information:** - App usage patterns and features accessed - Pages viewed and time spent on pages - Search queries - Click-through rates - Navigation paths through the Service **Technical Information:** - IP address - Browser type and version - Internet service provider - Network connection type - Crash reports and error logs **Location Information:** - General location data (derived from IP address) - Precise location data (only if you grant permission, currently not actively collected) **Push Notification Tokens:** - Firebase Cloud Messaging (FCM) tokens for push notifications - Device tokens for notification delivery ### 2.3 Information from Third-Party Services We may receive information about you from third-party services integrated with our Service: **Payment Processors:** - Mobile Money service providers - FinFlo payment gateway - Transaction status and confirmation data **Communication Services:** - WhatsApp API service providers - Email service providers - Delivery and read receipts **Authentication Services:** - Firebase Authentication (if used) - Google Services integration data **Analytics and Advertising:** - Google Mobile Ads and Firebase Analytics - Aggregated usage statistics - Ad performance metrics ## 3. How We Use Your Information We use the information we collect for the following purposes: ### 3.1 Service Provision and Operation - To create and manage your account - To provide, maintain, and improve the Service - To process transactions and payments - To facilitate communication between consumers and companies - To verify identity through KYC/KYB processes - To enable vehicle browsing, consultations, and financing requests - To send transaction confirmations and account notifications - To provide customer support and respond to inquiries ### 3.2 Communication - To send important account and service notifications - To send payment reminders and transaction updates - To notify you about consultation responses and financing updates - To send KYC/KYB verification status updates - To send marketing communications (with your consent, which you may withdraw at any time) - To send service updates, announcements, and policy changes ### 3.3 Security and Fraud Prevention - To verify your identity and prevent fraudulent activity - To detect, prevent, and address security issues - To protect against unauthorized access to accounts - To investigate potential violations of our Terms of Service - To comply with legal obligations and regulatory requirements ### 3.4 Legal Compliance - To comply with applicable laws, regulations, and legal processes - To respond to government requests and court orders - To enforce our Terms of Service and other agreements - To protect our rights, property, and safety, as well as that of our users ### 3.5 Analytics and Improvement - To analyze usage patterns and trends - To improve Service functionality and user experience - To develop new features and services - To conduct research and analytics - To measure Service effectiveness ### 3.6 Advertising - To display relevant advertisements through Google Mobile Ads - To measure ad performance and effectiveness - To personalize advertising content (where permitted) ## 4. How We Share Your Information We do not sell your personal information. We may share your information in the following circumstances: ### 4.1 With Companies (for Consumers) When you use the Service as a consumer, we share relevant information with companies for: - Processing consultation requests - Facilitating financing agreements - Processing vehicle sales - Managing payment transactions - Customer relationship management **Shared information may include:** - Your name and contact information - KYC verification status and documents (as necessary) - Transaction history and payment information - Consultation and inspection requests - Any other information necessary for service provision ### 4.2 With Consumers (for Companies) When companies use the Service, limited information may be visible to consumers, such as: - Company name and contact information - Vehicle listings and inventory - Consultation responses ### 4.3 With Service Providers We may share information with third-party service providers who perform services on our behalf: **Payment Processors:** - Mobile Money service providers (debit.gmpayapp.site) - FinFlo payment gateway - Information shared: Transaction details, payment amounts, phone numbers (as necessary for processing) **Communication Services:** - WhatsApp API providers (sms.swiftsend.site) - Email service providers (SMTP) - Information shared: Contact information, message content, delivery status **Cloud and Infrastructure Services:** - Firebase (Google Cloud Platform) - FCM tokens for push notifications - Analytics data - Crash reporting data - Hosting and database services - Information shared: Account data, usage data, technical information **Advertising Services:** - Google Mobile Ads - Information shared: Aggregated usage data, device identifiers, advertising IDs **Analytics Services:** - Firebase Analytics - Information shared: Usage statistics, performance metrics, crash reports All service providers are contractually obligated to: - Use information only for specified purposes - Maintain appropriate security measures - Comply with applicable privacy laws - Not use information for their own purposes without consent ### 4.4 Legal Requirements We may disclose your information if required to do so by law or in response to: - Court orders, subpoenas, or legal processes - Government requests and regulatory inquiries - Law enforcement investigations - Requests to enforce our Terms of Service - Requests to protect our rights, property, or safety ### 4.5 Business Transfers In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of such transfers and any material changes to this Privacy Policy. ### 4.6 With Your Consent We may share your information with other parties when you explicitly consent to such sharing. ## 5. Data Storage and Security ### 5.1 Data Storage - Your information is stored on secure servers located in [location/data center information] - Data is stored in accordance with applicable data protection laws - We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy - Retention periods may vary based on legal requirements and business needs ### 5.2 Security Measures We implement appropriate technical and organizational measures to protect your information: **Technical Safeguards:** - Encryption of data in transit (HTTPS/TLS) - Encryption of sensitive data at rest - Secure password hashing (bcrypt or similar) - JWT authentication for API access - Regular security assessments and updates - Firewall and intrusion detection systems **Organizational Safeguards:** - Access controls and authentication requirements - Employee training on data protection - Limited access to personal information on a need-to-know basis - Regular security audits and monitoring **Data Breach Response:** - Incident response procedures - Notification to affected users (where required by law) - Cooperation with regulatory authorities - Remediation measures However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. ### 5.3 Data Retention We retain your information for the following periods: **Account Information:** - Active accounts: Retained while your account is active - Inactive accounts: Retained for a reasonable period after account closure - Legal requirements: May be retained longer if required by law **Transaction Records:** - Financial transaction records: Retained for [X] years as required by financial regulations - Payment history: Retained for business and legal purposes **KYC/KYB Documents:** - Verification documents: Retained as required by regulatory compliance - May be retained for extended periods for fraud prevention and legal purposes **Communication Records:** - Messages and consultations: Retained for service provision and dispute resolution - Customer support records: Retained for service improvement **Analytics Data:** - Aggregated and anonymized data may be retained indefinitely - Personal identifiers are removed where possible ## 6. Your Rights and Choices Depending on your location and applicable laws, you may have certain rights regarding your personal information: ### 6.1 Access and Portability - **Access**: You may request access to the personal information we hold about you - **Portability**: You may request a copy of your data in a machine-readable format - To exercise these rights, contact us at greenondayservices@gmail.com ### 6.2 Correction and Update - You may update your account information directly through the Service - You may request correction of inaccurate or incomplete information - Note: Certain information (name, email, phone) may have restricted modification for security purposes ### 6.3 Deletion - You may request deletion of your account and associated data - We will comply with deletion requests subject to: - Legal retention requirements - Ongoing contractual obligations - Legitimate business interests - To request deletion, contact us or use account deletion features ### 6.4 Objection and Restriction - You may object to certain processing of your information - You may request restriction of processing in certain circumstances - We will evaluate requests in accordance with applicable law ### 6.5 Marketing Communications - You may opt out of marketing communications at any time - Use unsubscribe links in marketing emails - Adjust notification preferences in your account settings - You will still receive important service notifications ### 6.6 Push Notifications - You may disable push notifications through your device settings - You may adjust notification preferences in the app settings - Some notifications (transaction updates, security alerts) may be mandatory ### 6.7 Location Information - Location data is currently not actively collected - If location features are added, you will be able to control location permissions through device settings ### 6.8 Cookies and Tracking - The mobile app does not use traditional cookies - We use similar technologies for analytics and advertising - You may adjust advertising preferences where available - Note: Disabling tracking may affect Service functionality ## 7. Children's Privacy The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected information from a child under 18, we will take steps to delete such information promptly. ## 8. International Data Transfers Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country. By using the Service, you consent to such transfers. **Key Transfer Locations:** - Uganda (primary data center) - Google Cloud Platform (Firebase) - may involve international data centers - Third-party service provider locations (as disclosed) We ensure appropriate safeguards are in place for international transfers, including: - Standard contractual clauses - Adequacy decisions - Other legally recognized transfer mechanisms ## 9. Third-Party Services and Links The Service contains links to third-party websites and integrates with third-party services. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of third-party services you use, including: **Payment Providers:** - Mobile Money service providers - FinFlo payment gateway **Communication Services:** - WhatsApp API providers - Email service providers **Analytics and Advertising:** - Google Mobile Ads (Privacy Policy: https://policies.google.com/privacy) - Firebase Analytics (Privacy Policy: https://firebase.google.com/support/privacy) We are not responsible for the privacy practices of third-party services. Your interactions with third-party services are subject to their respective privacy policies. ## 10. Changes to This Privacy Policy We may update this Privacy Policy from time to time to reflect: - Changes in our information practices - Legal and regulatory requirements - Service improvements and new features We will notify you of material changes by: - Posting the updated Privacy Policy on the Service - Sending notifications through the Service - Updating the "Last Updated" date - For significant changes, providing more prominent notice Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you should stop using the Service and delete your account. ## 11. Contact Us If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: **Carly Privacy Team** - Email: greenondayservices@gmail.com - Phone: +256394508256 - Address: Kazo/Nabweru South, Plot 205, Court Road **Data Protection Officer (if applicable)** - Email: greenondayservices@gmail.com **Response Times:** - We will acknowledge receipt of your inquiry within [X] business days - We will respond to your request within [X] business days, as required by applicable law - Complex requests may require additional time ## 12. Complaints If you believe we have not adequately addressed your privacy concerns, you may file a complaint with: **Ugandan Data Protection Authority (if applicable)** - Website: [Data Protection Authority Website] - Email: [Data Protection Authority Email] - Address: [Data Protection Authority Address] **Other Regulatory Bodies:** - Uganda Communications Commission (UCC) - Relevant consumer protection authorities ## 13. Specific Information for Different User Types ### 13.1 For Consumers - Your KYC documents are shared with companies only when necessary for financing processing - Your payment information is processed securely through third-party payment providers - Your consultation requests are shared with relevant companies - You can control what information is visible in your profile ### 13.2 For Companies - Your KYB documents are reviewed by super admin personnel only - Consumer information is shared with you only as necessary for service provision - You must comply with data protection obligations regarding consumer information - Subscription and transaction data is used for billing and service provision ### 13.3 For Super Admin Users - Access to user data is limited to administrative purposes - Access is logged and monitored for security - Data access is subject to strict confidentiality requirements ## 14. Special Categories of Information **KYC/KYB Documents:** - Identity documents contain sensitive personal information - We process these documents with enhanced security measures - Documents are shared only as necessary for verification and service provision - Documents are retained in accordance with regulatory requirements **Financial Information:** - Payment and transaction data is processed with PCI DSS-compliant practices (where applicable) - Financial information is encrypted and stored securely - Financial records are retained as required by financial regulations **Biometric Data:** - Currently not collected. If biometric verification is introduced, additional consent and safeguards will be implemented. ## 15. Automated Decision Making We may use automated processes for: - Fraud detection and prevention - KYC/KYB document verification (assisted by automated systems, with human review) - Payment processing - Content filtering and moderation You have the right to: - Request human review of automated decisions - Contest automated decisions that affect you - Understand the logic behind automated decision-making ## 16. Data Protection Measures for Uganda This Privacy Policy is designed to comply with: - The Data Protection and Privacy Act, 2019 (Uganda) - when fully implemented - Best practices for data protection - Industry standards for financial services - Consumer protection laws **Ugandan-Specific Provisions:** - Data is primarily stored in Uganda where possible - Transfers outside Uganda comply with applicable regulations - We respect Ugandan data protection principles - We cooperate with Ugandan regulatory authorities --- **By using Carly, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with this policy, please do not use the Service.** **Last Updated: January 2025** **Version: 1.0**