Privacy Compliance Policy

For Biko Advisory Services Ltd.

Effective Date: June 13, 2024

  1. Introduction

BikoCAAS Ltd. (“Biko,” “we,” “us,” or “our”) is committed to protecting the privacy and security of the personal information of our users, clients, and employees. This Privacy Compliance Policy outlines our practices regarding collecting, using, disclosing, and protecting personal data, particularly regarding our login dialogue and application details. We adhere to applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Rwandan data protection laws.

  2. Scope

This policy applies to all personal data collected and processed by Biko Advisory Services Ltd. through our websites, mobile applications, login portals, and other services where personal data is collected.

  3. Definitions
  • Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is the one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Data Subject: The individual to whom personal data relates.
  • Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

 

  4. Privacy Compliance for Login Dialogue and Application Details

4.1. Data Collection

When you log in to our services or use our applications, we may collect the following types of personal data:

  • Login Credentials: 
    • Username/Email Address
    • Password (stored securely using hashing or encryption)
    • Multi-Factor Authentication (MFA) details (e.g., phone number for SMS codes, authenticator app keys)
    • IP address and device information at the time of login for security purposes.
  • Application Usage Details: 
    • Application name and version
    • Features accessed within the application
    • Usage patterns and statistics (e.g., frequency of use, duration of sessions)
    • Error logs and performance data
    • Input data the user provides within the application (where necessary for functionality and with user consent).
    • Device type and operating system.

4.2. Purposes of Data Processing

The personal data collected through the login dialogue and application details is processed for the following purposes:

  • Authentication and Authorization: To verify your identity and grant you secure access to your account and our services.
  • Service Delivery: To provide you with the functionalities of our applications and ensure their proper operation.
  • Security and Fraud Prevention: To protect our systems from unauthorized access, maintain the integrity of our services, and detect and prevent fraudulent activities.
  • Performance Monitoring and Improvement: To understand how our applications are used, identify areas for improvement, and optimize performance.
  • Troubleshooting and Support: To diagnose and resolve technical issues and provide customer support.
  • Compliance with Legal Obligations: To comply with applicable laws, regulations, and legal processes.
  • Internal Analytics: For internal reporting and business analysis to inform product development and strategic decisions.

4.3. Data Minimization

We collect only the personal data that is necessary for the stated purposes. We avoid collecting superfluous information.

4.4. Lawful Basis for Processing

We process personal data based on one or more of the following lawful bases:

  • Necessity for the Performance of a Contract: The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract (e.g., providing access to our services after successful login).
  • Legitimate Interests: The processing is necessary for the legitimate interests pursued by Biko or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data (e.g., for security, fraud prevention, and service improvement).
  • Consent: Where required by law, we will obtain your explicit consent for specific processing activities (e.g., for certain types of optional usage tracking).
  • Legal Obligation: The processing is necessary for compliance with a legal obligation to which Biko is subject.

4.5. Data Security

We implement robust technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: Using industry-standard encryption for data in transit and at rest (e.g., SSL/TLS for communication, encryption for sensitive data stored in databases).
  • Access Controls: Implementing strict access controls based on the principle of least privilege, ensuring that only authorized personnel have access to personal data.
  • Regular Security Audits: Conducting periodic security assessments and penetration testing to identify and address vulnerabilities.
  • Employee Training: Providing regular data privacy and security training to our employees.
  • Incident Response Plan: Maintaining a comprehensive incident response plan to address potential data breaches promptly and effectively.
  • Secure Password Policies: Enforcing strong password policies for users and internal systems.

4.6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including for legal, accounting, or reporting requirements. The retention periods are determined based on the type of data, the purpose of processing, and applicable legal obligations. Login credentials and associated security logs may be retained for a longer period for security and audit purposes.

4.7. Data Sharing and Disclosure

We do not sell your data. We may share personal data with third parties only in the following circumstances:

  • Service Providers: With trusted third-party service providers who assist us in operating our business and providing our services (e.g., cloud hosting providers, analytics providers, security vendors). These providers are contractually obligated to protect your data and only process it according to our instructions.
  • Legal Compliance: When required by law, court order, or governmental regulation.
  • Business Transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets, provided that the acquiring entity agrees to adhere to the principles of this Privacy Policy.
  • With Your Consent: When you have provided explicit consent for the sharing of your data.

 

4.8. International Data Transfers

As a company operating in Rwanda, we primarily process data within Rwanda. However, if personal data is transferred to countries outside of Rwanda or the economic areas with equivalent data protection laws, we will ensure appropriate safeguards are in place to protect your data, such as standard contractual clauses approved by relevant authorities or reliance on adequate country decisions.

4.9. Your Rights as a Data Subject

As a data subject, you have the following rights concerning your data, subject to applicable laws and regulations:

  • Right to Access: To request access to your data that we hold.
  • Right to Rectification: To request the correction of inaccurate or incomplete personal data.
  • Right to Erasure (Right to be Forgotten): To request the deletion of your data under certain circumstances.
  • Right to Restriction of Processing: To request the restriction of processing of your data under certain circumstances.
  • Right to Data Portability: To receive your data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
  • Right to Object: To object to the processing of your data under certain circumstances (e.g., for direct marketing).
  • Right to Withdraw Consent: Where processing is based on consent, the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint: To complain to a supervisory authority if you believe your data protection rights have been violated.

To exercise any of these rights, please contact us using the details provided in Section 6.

  5. Terms of Service for Login and Application Details

5.1. Acceptance of Terms

By logging into and using Biko Advisory Services Ltd.’s applications and services, you acknowledge that you have read, understood, and agree to be bound by these Terms of Service, as well as our Privacy Policy. If you do not agree with these terms, you should not access or use our services.

5.2. User Accounts and Security

  • Account Creation: To access certain features of our applications, you may be required to create an account. You agree to provide accurate, current, and complete information during the registration process.
  • Account Security: You are solely responsible for maintaining the confidentiality of your login credentials (username and password) and for all activities that occur under your account. You agree to notify Biko immediately of any unauthorized use of your account or any other breach of security.
  • Strong Passwords: We encourage you to use strong, unique passwords and to enable multi-factor authentication where available.
  • Prohibited Activities: You agree not to use our services for any unlawful or prohibited purpose, including but not limited to: 
    • Gaining unauthorized access to our systems or other users’ accounts.
    • Introducing viruses, malware, or other malicious code.
    • Engaging in any activity that could harm, disable, overburden, or impair our services.
    • Attempting to decipher, decompile, disassemble, or reverse engineer any of the software comprising or in any way making up a part of the Service.

5.3. License to Use Applications

  • Limited License: Subject to these Terms of Service, Biko grants you a limited, non-exclusive, non-transferable, revocable license to access and use our applications for your internal business purposes.
  • Restrictions: You may not: 
    • Copy, modify, distribute, sell, or lease any part of our applications.
    • Reverse engineer or attempt to extract the source code of our applications.
    • Use our applications to provide services to third parties without our express written consent.
    • Remove, alter, or obscure any copyright, trademark, or other proprietary rights notices from our applications.

5.4. Data Provided by User

  • Accuracy of Data: You are responsible for the accuracy, quality, integrity, legality, reliability, and appropriateness of all data you input or upload into our applications.
  • Ownership of Data: You retain all rights, title, and interest in and to your own data.
  • Our Use of Your Data: You grant Biko a limited, non-exclusive, worldwide, royalty-free license to use your data solely for the purpose of providing, maintaining, and improving our services, and as otherwise permitted by our Privacy Compliance Policy. This includes using aggregated and anonymized data for analytical and statistical purposes.

 

5.5. Intellectual Property

All intellectual property rights in and to our applications, website, and services, including but not limited to copyrights, trademarks, patents, and trade secrets, are owned by Biko Advisory Services Ltd. or its licensors. These Terms of Service do not grant you any right or license to use any of Biko’s intellectual property except as expressly provided herein.

5.6. Disclaimers and Limitation of Liability

  • “As Is” Basis: Our applications and services are provided on an “as is” and “as available” basis, without warranties of any kind, either express or implied. Biko does not warrant that our services will be uninterrupted, error-free, secure, or free from viruses or other harmful components.
  • Limitation of Liability: To the maximum extent permitted by applicable law, Biko Advisory Services Ltd. shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses, resulting from (a) your access to or use of or inability to access or use the services; (b) any conduct or content of any third party on the services; or (c) unauthorized access, use, or alteration of your transmissions or content.

5.7. Indemnification

You agree to indemnify, defend, and hold harmless Biko Advisory Services Ltd., its officers, directors, employees, agents, and affiliates, from and against any and all claims, liabilities, damages, losses, costs, expenses, or fees (including reasonable attorneys’ fees) arising from your violation of these Terms of Service or your use of our services.

5.8. Modifications to Terms

Biko reserves the right to modify these Terms of Service at any time. We will notify you of any material changes by posting the updated terms on our website or through other appropriate communication channels. Your continued use of our services after such modifications constitutes your acceptance of the revised terms.

5.9. Governing Law and Dispute Resolution

These Terms of Service shall be governed by and construed in accordance with the laws of Rwanda. Any disputes arising out of or in connection with these Terms shall be subject to the exclusive jurisdiction of the courts of Rwanda.

  6. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Compliance Policy or our data practices, please contact our Corporate Compliance Manager at:

BikoCAAS LTD

KN 4 AV, MAKUZA PEACE PLAZA, TOWER B, FLOOR 9,

SUITE 9.05 Kigali, Rwanda

  7. Policy Review

This Privacy Compliance Policy will be reviewed and updated periodically to ensure compliance with evolving data protection laws and best practices.

Date: June 13, 2024
