Gusa Travels Privacy Policy

Gusa Travels values your privacy and is committed to safeguarding your personal data. This Privacy Notice explains how we collect, use, and protect your information when you visit our website or share your details through other channels, such as phone calls. It also outlines your rights and the legal protections in place to ensure your privacy.

1. Important Information & Who We Are

Purpose of This Privacy Notice

This privacy notice explains how Gusa Travels collects and processes your personal data when you:

  • Purchase travel services
  • Sign up for our newsletter
  • Request a brochure by post or email
  • Take part in a competition or survey
  • Contact us through other means

Our website is not intended for children. We only collect children’s data when a booking includes children in the travel party.

This privacy notice should be read alongside any other privacy notices we may provide at the time of collecting personal data.

Who Controls Your Data?

Gusa Travels, trading as Gusa Travels Uganda Limited, is the data controller responsible for your personal data.

Contact Details
  • Company Name: Gusa Travels
  • Data Privacy Manager: Kiryowa Ronald
  • Email: gusatravels1@gmail.com
  • Address: Plot 12 Luwum Street, City Centre Complex
  • Telephone: +256393371137
Changes to This Privacy Notice
  • Last updated: 10th June 2022
  • Any future updates may be posted on our website without your prior knowledge.
  • If your personal data changes, please inform us so we can keep our records accurate.
Third-Party Links

Our website may include links to third-party websites. Clicking on these links may allow third parties to collect or share data about you. We are not responsible for their privacy policies and encourage you to read them.

2. The Data We Collect About You

Personal data refers to any information that can identify an individual. We may collect, use, store, and transfer various types of personal data, grouped as follows:

(A) Identity Data
  • Full name (first, maiden, last)
  • Marital status, title, date of birth, gender
  • Passport number or national ID
(B) Contact Data
  • Billing and delivery address
  • Email address
  • Telephone numbers
(C) Financial Data
  • Bank account details
  • Payment card details
(D) Transaction Data
  • Payments made to/from you
  • Details of services purchased
(E) Technical Data
  • IP address
  • Browser type and version
  • Time zone and location
  • Operating system and device information
(F) Usage Data
  • How you use our website, products, and services
(G) Marketing & Communication Data
  • Your marketing preferences
  • Communication preferences
Aggregated Data

We may collect aggregated statistical data that does not directly identify you, such as website traffic analytics.

Special Categories of Personal Data

We may collect sensitive data when necessary, including:

  • Dietary requirements (which may reveal religious beliefs)
  • Health information (to ensure appropriate travel arrangements)

We collect and process sensitive data only with your explicit consent. If you do not provide consent, we may be unable to process your booking.

Failure to Provide Personal Data

If you do not provide required personal data, we may:

  • Be unable to complete your booking
  • Have to cancel your booking (cancellation policies will apply)

3. How Your Data Is Collected

We collect data in the following ways:

(A) Direct Interactions

You provide personal data when you:

  • Book travel services
  • Subscribe to newsletters
  • Request brochures
  • Enter competitions or surveys
  • Provide feedback
(B) Automated Technologies

When you use our website, we automatically collect Technical Data via:

  • Cookies
  • Server logs
  • Analytics tools (e.g., Google Analytics)
(C) Third-Party Sources

We may receive data from:

  • Analytics providers (Google, Bing)
  • Payment service providers
  • Tour booking platforms (TourRadar, Viator)

4. How We Use Your Personal Data

We will use your data only when legally permitted, primarily under these bases:

  1. Contractual Obligations – To fulfill travel bookings
  2. Legitimate Interests – For business operations and marketing
  3. Legal Compliance – To meet regulatory requirements
  4. Consent – For marketing communications (you can withdraw consent anytime)
How We Use Your Data

| Purpose | Data Used | Legal Basis |
|---|---|---|
| Registering you as a customer | Identity, Contact | Contract fulfillment |
| Processing bookings & payments | Identity, Contact, Financial, Transaction | Contract fulfillment, Legitimate interest (debt recovery) |
| Managing customer relationships | Identity, Contact, Profile, Marketing Preferences | Contract fulfillment, Legal compliance, Legitimate interest |
| Conducting surveys/competitions | Identity, Contact, Usage, Marketing Preferences | Legitimate interest |
| Website security & maintenance | Identity, Contact, Technical | Legal compliance, Legitimate interest |
| Personalized marketing & promotions | Identity, Contact, Usage, Marketing Preferences | Legitimate interest |
| Data analytics to improve services | Technical, Usage | Legitimate interest |

5. Marketing & Communications

We may use your data to send you marketing materials based on your preferences.

  • Promotional Offers: We may analyze your data to offer relevant services.
  • Third-Party Marketing: We will obtain your explicit opt-in consent before sharing data with third parties.
  • Opting Out: You can unsubscribe anytime via links in marketing emails or by contacting us.

6. Cookies & Tracking Technologies

You can control cookies via browser settings. However, disabling cookies may affect website functionality. See our Cookie Policy for details.

7. Data Sharing & Security

(A) Third Parties We Share Data With

We may share your data with:

  • Internal staff (for booking & customer service)
  • External suppliers (hotels, tour operators)
  • Payment processors & fraud prevention services
  • Legal authorities (if required by law)
(B) Business Changes

If we merge or sell our business, your data may be transferred to new owners under the same privacy terms.

(C) Data Security

We implement strong security measures to prevent unauthorized access, loss, or misuse of your data.

8. Your Legal Rights

You have the right to:

  • Access your personal data
  • Request corrections to inaccurate data
  • Request deletion of your data
  • Object to processing for marketing purposes
  • Withdraw consent at any time

To exercise your rights, contact us at gusatravels1@gmail.com

International Data Transfers

We operate reservations offices outside the European Economic Area (EEA), specifically in Uganda, Rwanda, and Kenya. These offices are part of our Ugandan company and not separate entities. When you make a booking with us, some of your personal data may be processed in these locations.

Additionally, since many of our travel activities take place outside the EEA, processing your personal data often involves transferring it beyond the EEA. When you request travel arrangements in these destinations, we must share your personal data with our suppliers outside the EEA to facilitate your booking.

If we cannot rely on specific data protection safeguards, we transfer your data based on Article 49 of the GDPR, as this processing is necessary for fulfilling your travel contract. By booking with us, you acknowledge that data protection standards outside the EEA may differ from those within the region.

To ensure your data remains protected, we implement at least one of the following safeguards when transferring data outside the EEA:

  • Adequacy Decision: We transfer data only to countries deemed by the European Commission to provide an adequate level of data protection.
  • Standard Contractual Clauses (SCCs): When using certain service providers, we enter into contracts approved by the European Commission to ensure your data receives the same level of protection as in Europe.
  • EU-US Privacy Shield (where applicable): For providers in the United States, we may transfer data only if they are part of the Privacy Shield framework, ensuring similar protection levels.

For further details about the safeguards we use, please contact us.

Data Security

We have implemented strict security measures to prevent unauthorized access, alteration, disclosure, or loss of your personal data. These measures include:

  • Access Controls: Only authorized employees, agents, and contractors who need your data to perform their duties can access it. They are bound by confidentiality agreements.
  • Data Breach Procedures: In case of a suspected data breach, we will take immediate action and notify you and the appropriate regulatory authorities as required by law.
Data Retention Policy

We retain your personal data only as long as necessary to fulfill its intended purpose, including legal, accounting, and reporting requirements. Factors determining retention periods include:

  • The nature and sensitivity of the data.
  • Legal and regulatory obligations.
  • The potential risk of harm from unauthorized use or disclosure.

By law, we must retain basic customer information (such as contact details, identity, financial, and transaction data) for seven years after a customer relationship ends for tax purposes.

In some cases, we may anonymize your personal data for research or statistical purposes, allowing us to use the information indefinitely without further notice.

You can request the deletion of your data under certain circumstances (see “Request Erasure” below).

Your Legal Rights

Under data protection laws, you have the following rights regarding your personal data:

(A) Access Your Data

Request a copy of the personal data we hold about you and confirm that we are processing it lawfully.

(B) Correct Your Data

Request corrections to incomplete or inaccurate personal data. We may need to verify the accuracy of the new data before making changes.

(C) Request Erasure (Right to Be Forgotten)

Request the deletion of your personal data when:

  • It is no longer necessary for the purpose it was collected.
  • You withdraw consent (where processing is based on consent).
  • You successfully object to processing.
  • The data has been unlawfully processed.

Exceptions: We may not always be able to comply with erasure requests due to legal obligations, which we will communicate at the time of your request.

(D) Object to Processing

You may object to processing if:

  • It affects your fundamental rights and freedoms.
  • Your data is used for direct marketing.

In some cases, we may demonstrate overriding legitimate grounds for processing that supersede your rights.

(E) Request Processing Restriction

You may request to suspend the processing of your data if:

  • You contest its accuracy.
  • You object to its use but need us to verify overriding legitimate grounds.
  • It was processed unlawfully, but you prefer restriction over deletion.
  • You need the data to establish or defend legal claims.
(F) Request Data Transfer (Portability Right)

Request a transfer of your personal data to yourself or another organization in a structured, machine-readable format. This applies only to automated data that you consented to provide or data processed under a contract.

(G) Withdraw Consent

If processing relies on your consent, you can withdraw it at any time. However, this will not affect processing already carried out before withdrawal. In some cases, withdrawing consent may impact the services we provide.

To exercise any of these rights, contact us at:
gusatravels1@gmail.com or info@gusatravels.com

Fees and Response Times
  • No fee required: You can exercise your rights free of charge. However, we may charge a reasonable fee for excessive, unfounded, or repetitive requests.
  • Identity verification: To protect your data, we may request additional information to confirm your identity before processing requests.
  • Response time: We aim to respond within one month. If your request is complex, we may extend this period and will notify you accordingly.
Key Definitions

Lawful Basis for Processing Data

  • Legitimate Interest: Processing data to support our business operations while ensuring it does not negatively impact your rights.
  • Performance of a Contract: Processing necessary to fulfill your travel arrangements.
  • Legal or Regulatory Obligation: Processing required to comply with the law.

Third Parties with Whom We May Share Data

  • Travel service suppliers (acting as processors) based in your travel destination.
  • IT and administration service providers based in Uganda and Rwanda.
  • Marketing service providers such as Iconic and Facebook.
  • Professional advisors (lawyers, auditors, insurers) based in Uganda.
  • Regulatory bodies such as Uganda’s tax authorities.

9. Contact Us

For questions about this policy, reach out to:

📍 Gusa Travels
📧 Email: info@gusatravels.com or gusatravels1@gmail.com
📞 Phone: +256393371137, Mobile: +256752344552