Maduuka Software Privacy Policy

1. Who Is Responsible for Personal Data

For account registration, billing, subscription management, website use, support, security, product improvement, and direct communications with Maduuka customers, Maduuka acts as the data controller because it decides why and how that data is processed.

For business records entered by a subscribed business into its tenant environment, the subscribed business is normally the data controller and Maduuka acts as a data processor or service provider. This includes data about the business's customers, suppliers, staff, guests, patients, sales, payments, reservations, payroll, prescriptions, and other operational records. In those cases, the business is responsible for ensuring that it has a lawful basis to collect and use the data in Maduuka.

2. Personal Data We Collect

Maduuka may collect and process the following categories of personal data, depending on the modules and features used:

• Account and user data: names, usernames, email addresses, phone numbers, roles, permissions, login status, branch or franchise assignment, authentication settings, and account activity.
• Business profile data: business name, trading location, branch details, tax settings, contact details, subscription plan, billing status, and administrative contacts.
• Customer and supplier data: names, phone numbers, email addresses, addresses, account balances, credit records, purchase history, invoices, payments, delivery information, and related notes.
• Staff and HR data: staff names, contact details, job roles, salary information, leave records, payroll records, staff debts, fines, penalties, incident records, ID card data, and attendance or operational records where enabled.
• Sales, inventory, and finance data: invoices, receipts, stock movements, purchase orders, supplier invoices, expenses, deposits, withdrawals, account transfers, reconciliations, audit logs, and financial reports.
• Restaurant data: table assignments, server records, reservations, orders, kitchen tickets, discounts, delivery records, billing history, and shift records.
• Pharmacy data: patient profiles, prescription details, dispensing records, medicine sales, batch and expiry records, compliance records, and pharmacy billing information.
• Hotel data: guest profiles, identity or stay details entered by the business, reservations, check-in and checkout records, folios, room assignments, deposits, city ledger records, housekeeping status, and guest service records.
• Uploaded files and documents: receipts, logos, documents, images, reports, exports, or other files uploaded into the platform.
• Payment and transaction metadata: payment method, amount, currency, status, reference number, gateway response, mobile money or bank reference, and reconciliation information. Maduuka does not intentionally store raw payment card numbers or card security codes.
• Device, usage, and security data: IP address, browser or device type, session identifiers, login attempts, security events, API activity, error logs, diagnostic logs, timestamps, and audit trail entries.
• Support and communication data: support messages, implementation notes, training communications, feedback, call or meeting notes where applicable, and email delivery records.

Maduuka does not require users to enter unnecessary sensitive personal data. However, some modules, especially pharmacy, hotel, HR, payroll, and compliance workflows, may involve sensitive or regulated information because the subscribed business chooses to use those features.

3. How We Collect Personal Data

We collect personal data when:

• a business registers for Maduuka or subscribes to a plan;
• an administrator creates users, staff records, branches, customers, suppliers, or module records;
• users process sales, payments, stock, expenses, payroll, reservations, prescriptions, reports, or other transactions;
• users upload files or generate exports;
• users contact support, request onboarding, or communicate with Maduuka;
• users access the website, web application, mobile application, or APIs;
• payment gateways, SMS providers, email providers, tax systems, or other integrated services return transaction or delivery information.

4. Why We Use Personal Data

Maduuka uses personal data for the following purposes:

• to create, authenticate, secure, and manage user accounts;
• to provide POS, inventory, finance, HR, restaurant, pharmacy, hotel, reporting, subscription, and mobile app functionality;
• to process transactions, invoices, receipts, payments, refunds, reconciliations, and business reports;
• to support tenant isolation, role-based access control, permissions, audit logs, fraud prevention, and incident investigation;
• to provide support, onboarding, training, maintenance, backups, troubleshooting, and service notices;
• to send administrative, billing, security, product, and service communications;
• to maintain platform reliability, improve performance, fix defects, and understand feature usage;
• to comply with legal, tax, accounting, regulatory, law enforcement, and contractual obligations;
• to enforce agreements, protect the rights and safety of users and businesses, and prevent misuse of the platform.

5. Lawful Basis for Processing

Where applicable, Maduuka processes personal data under one or more lawful bases, including:

• performance of a contract with the business or user;
• compliance with legal, tax, accounting, employment, regulatory, or security obligations;
• legitimate interests in providing, securing, improving, and administering the service;
• consent, where consent is required for a specific activity;
• medical, health, or compliance purposes where a pharmacy or health-related customer uses Maduuka for permitted pharmacy workflows;
• instructions from a subscribed business where Maduuka acts as processor for that business.

If processing is based on consent, the data subject may withdraw consent where the law allows. Withdrawal does not affect processing already completed before withdrawal.

6. How We Share Personal Data

Maduuka does not sell personal data. We may share personal data only where necessary and appropriate, including with:

• the subscribed business and its authorised users, based on the business's tenant, roles, and permissions;
• hosting, infrastructure, backup, monitoring, email, SMS, payment, analytics, and support providers that help operate Maduuka;
• payment gateways, banks, mobile money providers, tax systems, fiscal receipt systems, or other integrations selected or required by the business;
• accountants, auditors, lawyers, insurers, consultants, or professional advisers where necessary;
• regulators, courts, law enforcement, tax authorities, or public bodies where required by law or lawful process;
• another organisation involved in a merger, acquisition, restructuring, financing, or transfer of business assets, subject to appropriate confidentiality and data protection safeguards.

Service providers are expected to process personal data only for authorised purposes and to apply reasonable confidentiality and security controls.

7. Tenant Isolation and Authorised Access

Maduuka is designed as a multi-tenant platform. Each business tenant, commonly represented as a franchise, has its own users, branches, warehouses, products, customers, suppliers, subscriptions, module access, reports, and operational records. Maduuka uses tenant identifiers, role-based permissions, authentication controls, and audit logs to restrict access to the correct tenant and authorised users.

Each subscribed business is responsible for managing its users, assigning appropriate roles, disabling accounts that should no longer have access, and ensuring that its staff use Maduuka lawfully and securely.

8. Security

Maduuka applies administrative, technical, and organisational safeguards intended to protect personal data against unauthorised access, alteration, disclosure, loss, or misuse. These safeguards may include HTTPS/TLS transport security, password controls, two-factor authentication where enabled, role-based access control, tenant isolation, audit logs, backups, server access controls, and operational monitoring.

No software service can guarantee absolute security. Users and businesses must protect their login credentials, use strong passwords, limit access to authorised staff, keep devices secure, and report suspected account compromise promptly.

9. International Hosting and Transfers

Maduuka and its service providers may process or store personal data in countries outside the user's country or outside Uganda. Where cross-border processing occurs, Maduuka will take reasonable steps to use providers, contracts, and safeguards intended to protect personal data in a manner consistent with applicable data protection requirements.

Businesses that use Maduuka are responsible for ensuring that their own use of the platform, including any cross-border processing of their business records, is lawful for the data subjects and jurisdictions involved.

10. Data Retention

Maduuka retains personal data for as long as necessary to provide the service, operate the tenant account, comply with legal and accounting requirements, resolve disputes, enforce agreements, maintain audit trails, preserve backups, and support legitimate business purposes.

Retention periods may vary by data type and module. Sales, accounting, tax, payroll, pharmacy, hotel, audit, and compliance records may need to be kept for longer periods because of legal, regulatory, accounting, or operational obligations. Backup copies may remain for a limited period after deletion from active systems.

When personal data is no longer required, Maduuka will delete, anonymise, archive, or restrict it using reasonable processes, subject to legal and operational requirements.

11. Data Subject Rights

Depending on applicable law, a data subject may have rights to:

• request access to personal data held about them;
• request correction of inaccurate or incomplete data;
• request deletion of personal data, where deletion is legally and operationally permitted;
• object to or restrict certain processing;
• withdraw consent where processing is based on consent;
• request information about how personal data is used or shared;
• lodge a complaint with the relevant data protection authority.

Where Maduuka processes data on behalf of a subscribed business, requests about business records should normally be sent first to that business. Maduuka will assist the business with reasonable data subject requests where required by law or contract.

12. Cookies and Similar Technologies

Maduuka may use cookies, session storage, local storage, and similar technologies to keep users signed in, protect sessions, remember preferences, secure the service, measure usage, and improve performance. Some cookies or storage technologies are necessary for the application to function.

Users can control some cookies through browser settings. Blocking necessary cookies may prevent login or cause parts of Maduuka to stop working correctly.

13. Mobile Applications and Offline Use

Where Maduuka mobile applications or offline-capable features are used, some business data may be temporarily stored on the user's device to support authentication, caching, offline workflows, or synchronisation. Users and businesses are responsible for protecting devices with appropriate screen locks, operating system updates, and access controls.

If a device is lost, stolen, or assigned to another staff member, the business should revoke or rotate access promptly.

14. Third-Party Integrations

Maduuka may integrate with payment gateways, SMS providers, email providers, tax systems, fiscal receipt systems, analytics tools, hosting providers, and other services. These third parties may process personal data according to their own terms and privacy policies.

When a subscribed business enables or requests an integration, the business is responsible for confirming that the integration is appropriate for its operations and that it has authority to share the relevant data.

15. Children's Data

Maduuka is a business software platform and is not intended for use by children as account users. Businesses should not create user accounts for children or collect children's personal data in Maduuka unless they have a lawful basis and appropriate safeguards for doing so.

16. Marketing Communications

Maduuka may send product updates, service announcements, onboarding messages, and marketing communications to business contacts where permitted by law. Recipients may opt out of marketing communications, but Maduuka may still send necessary administrative, billing, security, or transactional messages.

17. Data Breach and Incident Handling

If Maduuka becomes aware of a data security incident that affects personal data, it will assess the incident, take reasonable containment and remediation steps, and notify affected customers, regulators, or data subjects where required by applicable law or contract.

Subscribed businesses should promptly notify Maduuka if they suspect unauthorised access, account compromise, improper disclosure, or misuse of data in their tenant environment.

18. Changes to This Policy

Maduuka may update this Privacy Policy from time to time to reflect changes in the software, legal requirements, service providers, or business practices. The updated version will be posted in the Maduuka documentation or another appropriate location with a revised effective date.

Material changes may be communicated through the application, email, account notices, or other reasonable means.

19. Contact

For privacy questions, data protection requests, security disclosures, or support related to this Privacy Policy, contact:

Maduuka
Email: info@maduuka.com

If a request relates to records controlled by a subscribed business, Maduuka may direct the requester to that business or require confirmation from that business before acting on the request.