Privacy Policy – Alliance of Muslim Entrepreneurs Network (AMEN)
Last updated: March, 2026
Executive Summary
AMEN is committed to protecting your privacy and personal data. We collect only the information needed to run our membership, networking, and trade support services. We use it to provide you with membership benefits, process payments, arrange events and training, and communicate with you. We will never sell your personal data. We respect Uganda’s Data Protection and Privacy Act (2019) and international standards (e.g. GDPR principles). This policy explains what data we collect, why, how we use it, and your rights over it. In summary:
- We collect data with your consent or as needed by contract and law.
- We inform you before collecting data (purpose, duration, recipients, rights) as DPPA requires.
- We use secure methods (encryption, access controls, PCI DSS for card data) to protect your data.
- You have rights to access, correct, delete your data, and to opt out of marketing or automated decisions.
- We retain data only as long as needed or required by law and then securely destroy it.
Please read the sections below for details, or contact our Data Protection Officer (DPO) if you have questions.
1. Scope and Applicability
This policy applies to all personal data collected or processed by AMEN through our website, membership portal, mobile apps, events, trade missions, training sessions, emails, and any other services (collectively, “services”). It covers data from members, applicants, website visitors, event attendees, and other contacts.
AMEN is the Data Controller for this data. Our main office is in Kampala, Uganda, but we work with global partners. Under Uganda’s Data Protection and Privacy Act (DPPA) and its Regulations, AMEN must protect any personal data collected in Uganda or related to Ugandan citizens. We also aim to meet international standards (e.g. GDPR principles) when data crosses borders.
Age Requirement: We do not knowingly collect data from anyone under 18. Membership and our services are for adults. DPPA prohibits processing a child’s data without a parent or guardian’s consent, so if you are a minor, please do not register or give us any information.
2. Definitions
- Personal Data: Any information that identifies you (e.g. name, ID number, contact details, or information linked to you).
- Special/Sensitive Data: Certain data (like religious beliefs, political views, health, sexual life) is considered “special personal data” under DPPA. We avoid collecting special data except when strictly required and with explicit consent. For example, as a Muslim entrepreneurs network we respect your religious background but do not require you to disclose religious beliefs.
- Processing: Any use of personal data (collecting, storing, using, sharing, etc.) as DPPA defines.
3. Data We Collect
We collect information that you provide to us and some data automatically:
- Identity & Business Information: name, date of birth, nationality, passport/ID number, business name, registration number, occupation, company profile, and other business details. Purpose: Verify your identity, complete registration, arrange visas or certificates (e.g. certificate of origin), and list your business in our network directory (matching you with opportunities).
- Contact Details: email address, postal address, phone number, WhatsApp. Purpose: Communicate about your membership, events, training, shipping or travel details, invoices, and reminders.
- Financial & Payment Data: bank account or mobile money details, transaction IDs, payment history (for membership fees, event tickets). Purpose: Process membership fees or refunds, comply with tax/accounting, detect fraud. (We use secure payment processors and do not store card CVVs; we follow PCI DSS standards for payment data.)
- Technical Data: IP address, browser type, device type, and usage data (pages visited, links clicked). Purpose: Ensure website security, improve site performance, and analyze usage (e.g. Google Analytics). For example, we use cookies and tracking similar to Pesapal’s approach: “to recognise you as a User … mitigate risk, prevent potential fraud”. We describe our cookie use in Section 5.
- Communications: records of your inquiries, emails, chats with support, feedback. Purpose: Respond to your questions, provide support, improve our services.
- Event and Training Data: registration information for conferences or workshops (e.g. dietary preferences, attendance lists). Purpose: Plan and manage events, comply with any host requirements.
- Third-party Data: If you give us data from other sources (e.g. supplier contacts, clearance docs), we use it only for the stated purpose (e.g. facilitating trade or visas). Purpose: Fulfil our services like import/export support.
We do not collect sensitive personal data (e.g. religious or health details) unless explicitly required (e.g. medical info for travel insurance) and with your consent. We ask for minimal data and only what is necessary for our business relationship.
Data Categories vs. Purposes
| Data Category | Examples | Purposes |
| --- | --- | --- |
| Personal Identity | Name, DOB, ID/Passport, photo | Verify identity; prepare visas/permissions; issue certificates (COO); include in network directory |
| Business Profile | Business name, sector, registration number, products | Share with partners/members for networking and market matching; trade mission planning |
| Contact Information | Email, phone, address | Membership communications, newsletters, event invitations; customer support |
| Financial/Payment Information | Bank account/Momo number, transaction records | Process membership fees and refunds; accounting and tax compliance; detect/prevent fraud |
| Technical/Device Data | IP address, browser type, device ID | Secure website (firewall/anti-fraud), analytics for improving our site (see Cookies below) |
| Communications | Support emails, chat transcripts | Respond to your requests; improve our services; recordkeeping for disputes |
| Event/Registration Data | Event sign-up details, attendance | Manage and host events, workshops, trade trips; plan venue/logistics |
| AI/Profiling Data (optional) | Interests or preferences (from interactions) | Provide personalized recommendations and content (you can opt out of profiling – see Section 9) |
| Marketing Preferences | Newsletter sign-up, interest categories | Send (with consent) relevant news, offers, and updates; you can withdraw at any time |
Note: All personal data collected is provided voluntarily by you (or by authorized representatives) and for legitimate purposes. We inform you upfront about each type of data we collect and why, as DPPA requires.
4. Lawful Basis for Processing and How We Use Your Data
We process your personal data only under valid legal grounds:
- Consent: You give us consent for optional uses (e.g. receiving our newsletter, marketing messages, participating in surveys or profiling). We always make this explicit and provide opt-out options.
- Contractual necessity: We use your data to perform our contract with you (e.g. managing your membership, organizing a trade mission you joined). For example, DPPA permits processing “required for the performance of a contract to which the data subject is a party”.
- Legal obligation: We may need to use or retain data to comply with laws (such as tax laws, customs regulations, or NITA-U reporting). For instance, we keep payment records to satisfy Uganda Revenue Authority requirements.
- Legitimate interests: In certain cases, we process data for AMEN’s legitimate business interests (such as preventing fraud, improving our network, or legal claims) as long as those interests do not override your rights. We balance these interests carefully.
Purposes in practice: We use your data mainly to deliver services: manage memberships, provide networking opportunities, arrange exports/imports support, facilitate visas/certificates, run events, offer training, and improve our platform. Some specific uses include:
- Membership administration: Verifying your identity and business; issuing membership cards; keeping member profiles up-to-date.
- Communications: Sending you announcements about meetings, conferences, training and business tips (only with your consent or if it’s part of your membership). You can opt out of marketing emails anytime.
- Payments: Charging and refunding membership fees or event fees via secure payment gateways. We may share necessary details (not raw card numbers) with banks or payment processors under strict confidentiality. We use industry-standard security (PCI DSS) to protect this data.
- Trade facilitation: If you request import/export support or certificates, we may use your data to prepare documents (e.g. certificates of origin), coordinate with chambers of commerce, shipping companies, or customs authorities. This might involve sharing minimal details (name, business, commodity) with third parties.
- Events and Training: Handling event registrations, scheduling travel/trade missions, special requirements (e.g. visa letters). We share only necessary info with event organizers or local hosts.
- Technical operations: Monitoring site security (to guard against attacks or fraud) and improving our website’s usability. For example, cookies help us “recognise you as a user … mitigate risk, prevent fraud”.
- Analytics and personalization: We may analyse aggregated data (without directly identifying you) to understand user trends, and we may use algorithms to suggest connections or courses. AI-driven tools provide recommendations only; you always have control and can ignore automated suggestions (see Section 9).
5. Cookies and Tracking Technologies
We use cookies, web beacons, and similar tracking tools to operate our website and improve your experience. Cookies are small files placed on your device. We use them as follows:
- Essential Cookies: Necessary for website functionality (e.g. keeping you logged in, remembering form data). Without these, core features (like secure login) won’t work.
- Analytics Cookies: To understand how you use our site. We use tools (e.g. Google Analytics) that collect anonymous data on pages visited, links clicked, etc. This helps us “measure the effectiveness of promotions and perform analytics” and improve our content.
- Preference Cookies: To remember your choices (e.g. language or region) so we can customise the site for you.
- Marketing Cookies: We may use cookies for targeted ads or affiliate tracking (for example, showing our events to people who visited our site). These might be provided by third parties (like Facebook or Google) under their privacy policies.
As Pesapal’s policy describes, cookies help us “recognize you as a user” and “promote trust and safety” on our services.
You can control cookies via your browser settings (to block or delete them). Note that blocking essential cookies may break some functions of our site. We will display a cookie notice on first visit (or you can manage preferences) and continue only with essential cookies if you do not consent to others.
Sample Cookie Consent Text: “AMEN uses cookies to personalise content and analyze site traffic. You can accept all cookies or adjust your cookie settings. Necessary cookies will remain active for core site functions.”
6. Data Sharing – Third Parties
We do not sell or rent your personal data. We only share it as needed to provide our services or as required by law, and always under confidentiality obligations:
- Service Providers: We may share data with trusted contractors who help operate AMEN. Examples include web hosting companies, email/SMS delivery services, payment processors (e.g. banks, mobile money operators), event planners, freight forwarders, and IT support. We require these vendors to safeguard your data and use it only to perform their services for us. All contracts include data protection clauses (e.g., confidentiality and security measures) as DPPA mandates.
- Business Partners: When you engage in trade missions or partner introductions, we may share relevant business data (e.g. company profile, contact details) with other members or vetted international partners, but only as you approve. Similarly, if we co-host an event, basic info (name, company, email) may be shared with the event host or sponsors to facilitate networking.
- Government/Regulators: If legally required (e.g. for taxes, customs clearance, or other compliance), we may provide authorities with personal data. For example, if assisting with import/export, we might submit certain information (like your identification and shipment details) to customs or to issue official trade documents. We comply with legal requests (such as court orders or police inquiries) by disclosing only the minimum necessary.
- Marketing/Advertising: With your consent, we may share your contact info with marketing partners (for instance, when you sign up for a newsletter co-sponsored by a partner). You can opt out of such sharing at any time.
- International Transfers: We may transfer data to our affiliates or partners in other countries. Under DPPA, this is allowed only if the destination country offers “adequate” protection or if you consent. We ensure cross-border transfers use secure measures (e.g. standard contractual clauses or only to vetted companies in compliant jurisdictions).
All third parties are contractually bound to protect your data, and they cannot use it for other purposes.
7. Data Retention and Deletion
We retain personal data only as long as necessary for the purposes it was collected, and as required by law. Specifically:
- We keep membership and contact data for the duration of your membership plus a reasonable period after (for example, at least a few years to resolve any disputes or provide services). Payment and transaction records are kept for at least 5 years or as mandated by tax law.
- Event registrations and communications (emails, chats) are kept for a shorter term (typically 1–3 years) for service continuity, after which they are deleted or anonymized.
- Cookies and web logs are generally kept for 1–2 years (depending on browser settings) before automatic expiry.
- If you withdraw your consent or opt out (e.g. unsubscribe), we will stop marketing communications and delete preference data, but we may still retain non-opted-out contact info for service (unless you request full deletion).
- When data is no longer needed, we securely delete or permanently anonymize it so it cannot be reconstructed. (For example, we shred paper records and overwrite digital files in line with good practice.)
Pesapal’s policy similarly notes that personal information is retained as long as “required by relevant law (e.g. tax) … or as long as is required to manage our engagement and/or relationship with you”. We apply this principle.
Retention Schedule (example)
| Data Type | Retention Period |
| --- | --- |
| Membership Account Data | Throughout membership + ~3 years after termination |
| Payment and Billing Records | Minimum 5 years (per tax/accounting laws) |
| Event and Training Records | ~2 years after event (for follow-ups) |
| Communication Logs (emails, chats) | ~2 years (to resolve issues) |
| Cookie/Analytics Data | 1–24 months (as per cookie expiration) |
| Marketing Consent/Preferences | Until withdrawal + 3 years for records of consent |
These periods may be extended if required for legal compliance (e.g. responding to audits or legal claims).
8. Your Privacy Rights
You have several rights regarding your personal data under DPPA (and similar to rights under GDPR):
- Right of Access: You can request a copy of the personal data we hold about you, and information on how we use it. This includes the purpose of processing, data categories, and any third parties who have your data.
- Right to Rectification: You can ask us to correct or update inaccurate or incomplete data (for example, if your address changes).
- Right to Erasure (“Right to be Forgotten”): You may request deletion of your personal data when it is no longer needed, or if processing was based on consent that you withdraw, and no other legal basis applies.
- Right to Object/Opt-Out of Processing: You can object to processing of your data, especially for direct marketing or profiling. For example, you may tell us to stop sending marketing emails. DPPA specifically gives you the right to stop processing for direct marketing. Send a clear notice (email or letter) and we must respond within 14 days.
- Right to Data Portability: You have the right to obtain certain personal data in a structured format (like CSV) if our processing is based on consent or contract. (DPPA does not explicitly define this, but as good practice we will comply where feasible.)
- Right to Withdraw Consent: If we rely on your consent, you can withdraw it at any time (for example, by unsubscribing from newsletters) and we will cease processing that data.
- Right not to be subject to solely Automated Decisions: If we use algorithms or AI to make decisions (like eligibility for a program), you can request human intervention. DPPA lets you ask not to be subject to automated decisions that have significant effects.
To exercise any of these rights, please contact us (see Section 16). We will verify your identity and respond within a reasonable time (DPPA suggests 14–21 days for some requests). If you have unresolved concerns, you can lodge a complaint with Uganda’s Personal Data Protection Office (PDPO/NITA-U) or another relevant authority.
Sample Data Request Language: “I request a copy of all personal data you hold about me” or “Please delete all my personal data under your control.”
9. Children’s Information
Our services and data collection are intended for adults. We do not knowingly collect information from children under 18. If a child accidentally provides us with personal data (for example, through public channels), their data will be deleted immediately. As noted above, Uganda’s DPPA prohibits processing a child’s data without parental consent, which we strictly follow.
10. Automated Decision-Making and AI Tools
We may use automated tools (algorithms or AI) to organize member profiles or suggest networking matches. However, these are only advisory recommendations. No critical decision (such as membership approval, visa support, or funding offers) is made solely by a machine without human review. You have the right to request that any automated process affecting you be reviewed by a person. In short, AI is used to help, not to decide, and DPPA entitles you to human oversight if needed.
11. Security Measures
Protecting your data is a top priority. We implement strong technical and organizational safeguards as required by Section 20 of DPPA. These include:
- Physical Security: Offices and servers (if any onsite) are in secure, access-controlled locations.
- Technical Security: We use secure SSL/TLS encryption for data in transit (e.g., website, emails) and industry-standard encryption for data at rest. We follow recognised security standards (e.g. PCI DSS for payment data). Firewalls and antivirus software help block intrusions.
- Access Controls: Only authorized staff have access to personal data, on a need-to-know basis. All staff are trained on privacy responsibilities.
- Periodic Audits: We regularly test our security measures and update them to address new threats. For example, our systems identify risks, maintain safeguards against them, and verify the effectiveness of those safeguards.
- Third-Party Security: Any vendor handling our data must use appropriate security measures. Our contracts explicitly require vendors to maintain data confidentiality and security in line with DPPA.
Despite these safeguards, no system is 100% secure. If you believe your data has been compromised, please contact us immediately (see Section 16).
12. Cross-Border Data Transfers
Because AMEN works with international partners, some personal data may be transferred outside Uganda (for example, processing in cloud servers, communicating with a training provider overseas, or shipping logistics). Under DPPA, such transfer is allowed only if the destination country has adequate protection or if you consent. In practice:
- We will only send your data to countries that provide protections equivalent to DPPA, or when you have explicitly agreed.
- All overseas transfers are governed by data-protection clauses in contracts (similar to GDPR “Model Clauses”) to ensure your data is safeguarded.
- If you object to cross-border transfers, please contact us to discuss options.
13. Breach Notification
If AMEN discovers a breach of your personal data (unauthorized access, loss, or theft), we will act quickly. Per DPPA, we will immediately notify Uganda’s Data Protection Office (NITA-PDPO) about the breach, describing what happened and our remedial steps. If NITA-PDPO determines that affected data subjects must be informed, we will notify you through one or more of the following: email to your last known address, postal mail, a notice on our website, or media as required. Our notification will describe the breach and advise you on protective measures. We will also take steps to contain and resolve the breach, such as resetting passwords or compensating losses.
We maintain a Breach Response Plan: an incident team, investigative procedures, and a communications plan. We will log any breach (successful or attempted) and report annually to PDPO as required.
14. Your Consent and Choices
By providing data or using our services, you agree to this Privacy Policy. For certain uses (like newsletters or tracking cookies), we will seek your explicit consent. Whenever you sign up for marketing (email/SMS), you can withdraw consent at any time by clicking “unsubscribe” or contacting us (see Section 16). Similarly, our cookie banner (or notice) lets you accept all cookies or adjust settings.
Sample Opt-Out (Marketing): “I agree to receive business news and offers from AMEN via email or SMS. I understand I can unsubscribe at any time by clicking the link in such communications or contacting the DPO.”
Sample Cookie Notice: “AMEN uses cookies to improve your experience and analyze site traffic. You can accept all cookies or change your preferences in your browser. Essential cookies are required for site functionality.”
If you choose not to provide certain personal data (for example, if data was marked mandatory for membership), you may not be able to use some features or complete certain processes. We will inform you of any such consequences beforehand.
15. Governing Law and Dispute Resolution
This Privacy Policy and any data-related obligations are governed by the laws of Uganda (especially the Data Protection and Privacy Act, 2019). Any disputes relating to your data should be addressed first to AMEN, and if unresolved, you may seek remedy through Uganda’s Personal Data Protection Office or courts.
16. Contact Information and Data Protection Officer (DPO)
For questions about this policy or to exercise your rights, contact:
- Email: dpo@amen.international
- Address: Acacia Place, Acacia Avenue, PO Box, Kampala, Uganda
- Phone: +256-793805905
You may also contact our General Manager at [email protected] for any privacy issues. We will respond to you within 30 days.
If you have privacy concerns that remain unresolved with AMEN, you have the right to complain to the Personal Data Protection Office of Uganda (PDPO/NITA-U) or another supervisory authority under Ugandan law.
17. Changes to this Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements (for example, new regulations or services). When we do, we will revise the “Last updated” date above and notify members via email or our website as appropriate. We encourage you to review this page periodically.
Appendix: Compliance and Operational Recommendations
To ensure AMEN complies fully with DPPA and best practices, we will implement the following measures:
- Data Register: Maintain records of all processing activities. Register with PDPO/NITA as a data collector (DPPA mandates registration for controllers/processors).
- Data Protection Officer: We have appointed a DPO to oversee compliance, conduct audits, and respond to requests.
- Data Protection Impact Assessments (DPIAs): For any new high-risk processing (e.g. profiling, large-scale data collection), perform DPIAs to identify and mitigate privacy risks.
- Vendor Contracts: Ensure all third-party service agreements include DPPA-compliant data clauses (security obligations, breach reporting).
- Breach Plan: Keep a documented incident response plan (with roles, timelines, notification procedures). Conduct regular drills or reviews. Log and report breaches to PDPO as required.
- Retention Policy: Implement the data retention schedule above in practice. Regularly purge or archive old data per policy. Ensure secure disposal methods.
- Staff Training: Train all staff on privacy principles, data handling procedures, and breach reporting. Make privacy part of routine operations.
- Diligence: Vet partners and processes for data protection. Use only secure systems (password policies, encrypted backups, firewalled servers, SSL certificates).
- Review: Audit our compliance annually, including verifying consent records and security measures. Update policy and practices as laws evolve.
By following these steps and this Privacy Policy, AMEN will protect our members’ data and maintain trust as we grow a vibrant business community.
Sources: Uganda’s Data Protection and Privacy Act, 2019 (DPPA) and Regulations (via DLA Piper); Pesapal Privacy Policy (Uganda); GDPR principles; Payment Card Industry Data Security Standard (PCI DSS). These guide our commitments above.