Effective Date: January 1, 2024  |  Last Reviewed: March 15, 2025
This Privacy Policy is incorporated by reference into our Terms & Conditions.

1. Introduction & Scope

MO EXPEDITIONS ("the Company," "we," "us," or "our") is a licensed tour operator and transport company duly registered and operating under the laws of the Republic of Uganda, with its principal place of business at Seguku, Kampala. This Privacy Policy governs the collection, processing, storage, transfer, and protection of personal data belonging to all individuals ("you," "your," or "Data Subject") who interact with our website at www.moexpeditions.com, make a Booking for any of our Services, communicate with us via any channel, or otherwise engage in any relationship with the Company.

We recognize that the provision of personal data is an act of trust, and we do not take that trust lightly. This Policy articulates, with precision and transparency, the entire lifecycle of your data within our ecosystem — from the moment of collection to the point of permanent erasure.

By using our website or engaging our Services, you expressly consent to the data practices described in this Privacy Policy. If you do not agree with any provision herein, you must cease use of our website and refrain from submitting personal data to us.

2. Our Data Protection Principles

The Company's approach to data protection is founded upon seven cardinal principles. These principles are not merely aspirational statements; they are operational imperatives that govern every decision we make regarding your personal data.

Principle I — Lawfulness, Fairness & Transparency

We process personal data only where we have a lawful basis to do so, and we are unequivocally transparent about what data we collect and why. There are no hidden purposes, no undisclosed processing activities.

Principle II — Purpose Limitation

Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in any manner incompatible with those purposes. We do not engage in function creep; your data serves the purpose you entrusted it for, and nothing beyond that.

Principle III — Data Minimisation

We collect only that personal data which is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We ask ourselves, before every data point: is this truly essential to deliver the expedition you deserve?

Principle IV — Accuracy

We take all reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. We encourage you to inform us of any changes to your personal circumstances so that our records remain a faithful reflection of reality.

Principle V — Storage Limitation

Personal data is retained only for as long as is necessary to fulfill the purposes for which it was collected, or as required by applicable law. When data has served its purpose, it is securely and irrevocably destroyed.

Principle VI — Integrity & Confidentiality

We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Our security measures are detailed in Clause 7.

Principle VII — Accountability

The Company accepts full responsibility for compliance with these principles and maintains comprehensive records of all processing activities. We are answerable to you, to regulatory authorities, and to ourselves.

3. Information We Collect

The categories of personal data we collect are dictated by the nature of your interaction with us. We do not collect data indiscriminately; every field has a defined purpose. The table below provides a comprehensive taxonomy of the data we may process:

Category | Specific Data Elements | When Collected
Identity Data | Full legal name, title, date of birth, passport number, nationality | Booking creation, gorilla permit procurement
Contact Data | Email address, telephone number, WhatsApp number, postal address | Booking creation, enquiry submission, newsletter signup
Transaction Data | Payment method, payment amount, transaction reference, partial card details | Payment processing
Travel Data | Flight details, arrival/departure times, accommodation preferences, dietary requirements, medical conditions relevant to expedition safety | Booking creation, pre-departure coordination
Technical Data | IP address, browser type and version, time zone setting, operating system, device type | Website visitation
Usage Data | Pages visited, time spent on pages, click patterns, referral source | Website visitation
Communication Data | Contents of emails, WhatsApp messages, telephone call records, enquiry form submissions | Any communication with the Company

We do not collect or process any special categories of personal data (sensitive data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person's sex life or sexual orientation) unless voluntarily disclosed by you and strictly necessary for the provision of our Services — for example, a medical condition that may affect your safety during gorilla trekking. Such data is processed only with your explicit consent and is handled with heightened security protocols.

4. Purpose & Legal Basis for Processing

Every instance of data processing carried out by the Company is anchored to a specific, articulated purpose and a recognized lawful basis. The lawful bases upon which we rely include: the performance of a contract to which you are a party; compliance with a legal obligation to which we are subject; the pursuit of our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms; and your explicit, freely given consent.

  • Performance of Contract: Processing necessary to fulfill your Booking — confirming reservations, procuring gorilla permits, arranging vehicle rentals, coordinating airport transfers, and communicating itinerary details.
  • Legal Obligation: Processing necessary to comply with Ugandan tax law, tourism licensing requirements, and any lawful request from a competent regulatory or law enforcement authority.
  • Legitimate Interests: Processing necessary for the improvement of our website and Services, fraud prevention, network and information security, and direct marketing to existing clients about similar Services (with an easy opt-out mechanism).
  • Consent: Processing based on your affirmative, unambiguous indication of agreement — for example, subscribing to our newsletter or consenting to the use of non-essential cookies.

Where processing is based on consent, you have the absolute right to withdraw that consent at any time, without detriment. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. To withdraw consent, please contact us using the details in Clause 15. Upon receiving your withdrawal request, we shall cease the relevant processing within a reasonable timeframe, not exceeding thirty (30) calendar days.

Please note that withdrawal of consent for processing essential to the performance of your Booking may render us unable to provide the Services you have requested, and the cancellation provisions of our Terms & Conditions may apply.

6. Data Storage & Retention

Personal data is stored on secure servers and, where appropriate, in encrypted form. We apply a rigorous retention schedule calibrated to the nature and purpose of each data category:

  • Booking & Transaction Data: Retained for seven (7) years following the conclusion of the expedition, in compliance with Ugandan tax and commercial record-keeping obligations.
  • Identity & Contact Data (without Booking): Retained for two (2) years following the last interaction, after which it is securely anonymized or erased.
  • Marketing Communications Data: Retained until you unsubscribe or withdraw consent, whichever occurs first.
  • Website Technical & Usage Data: Retained for twenty-six (26) months in accordance with industry-standard analytics practices.

Upon expiry of the applicable retention period, personal data is either securely and permanently deleted using industry-standard data destruction methods or anonymized such that re-identification is rendered impossible by any reasonable means.

7. Security Measures

We employ a multi-layered security architecture designed to protect your personal data against the full spectrum of threats — from opportunistic intrusion to sophisticated, targeted attacks. Our security posture includes, but is not limited to:

  • Encryption: All data transmitted between your browser and our servers is protected by Transport Layer Security (TLS) encryption. Data at rest is encrypted using AES-256 standard encryption.
  • Access Control: Access to personal data is strictly limited to authorized personnel on a need-to-know basis, enforced through role-based access controls, unique user credentials, and multi-factor authentication.
  • Staff Training: Every member of the MO EXPEDITIONS team receives mandatory, recurring training on data protection best practices, phishing awareness, and incident response protocols.
  • Physical Security: Our premises are secured with access control systems, and physical records containing personal data are stored in locked, fire-resistant cabinets within access-restricted areas.
  • Regular Audits: We conduct periodic security audits and vulnerability assessments to identify and remediate potential weaknesses before they can be exploited.

While we implement industry-leading security measures, no method of electronic storage or transmission is absolutely impregnable. We cannot and do not guarantee absolute security, but we commit to maintaining a security posture that reflects the state of the art and to notifying you promptly in the unlikely event of a breach affecting your data.

8. Data Sharing & Third Parties

The Company does not, under any circumstances, sell, rent, trade, or otherwise monetize your personal data. We share data only in the following narrowly defined circumstances:

  • Service Providers: We may share data with carefully vetted third-party service providers who perform functions on our behalf — for example, accommodation providers, activity operators, and the Uganda Wildlife Authority for gorilla permit procurement. These providers are contractually bound to process data only in accordance with our instructions and to implement security measures at least as protective as our own.
  • Legal Compliance: We may disclose data where required by law, court order, or governmental regulation, or where we have a good-faith belief that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of the Company's assets, personal data may be transferred as part of the transaction. You will be notified via email and a prominent notice on our website of any change in ownership or use of your personal data.

9. Cookies & Tracking Technologies

Our website employs cookies and similar tracking technologies to enhance your browsing experience, analyze site traffic, and understand where our visitors originate. A cookie is a small text file placed on your device by your web browser at the instruction of our server. Cookies do not execute code, cannot carry viruses, and cannot access other data on your device.

We use the following categories of cookies:

  • Strictly Necessary Cookies: Essential for the operation of our website — enabling navigation, form submission, and security features. These cookies do not require consent.
  • Analytics Cookies: These help us understand how visitors engage with our website — which pages are most valued, how visitors arrive, and where improvements can be made. We use this information in aggregate, anonymized form.
  • Functional Cookies: These remember choices you make (such as your preferred language) to provide a more personalized experience.

You may disable cookies through your browser settings at any time. However, please note that disabling strictly necessary cookies may impair the functionality of our website and your ability to use certain features, including our booking enquiry forms.

10. Your Rights

As a Data Subject, you are vested with a suite of rights concerning your personal data. The Company is committed to honouring each of these rights fully and without undue delay:

  • Right of Access: You may request confirmation of whether we process your personal data and, if so, access to that data along with information about the purposes, categories, recipients, and retention period of the processing.
  • Right to Rectification: You may request the correction of inaccurate personal data or the completion of incomplete personal data without undue delay.
  • Right to Erasure ("Right to be Forgotten"): You may request the deletion of your personal data where: the data is no longer necessary for the purpose for which it was collected; you withdraw consent and no other lawful basis exists; or the data has been unlawfully processed. This right is not absolute and may be balanced against our legal obligations or compelling legitimate interests.
  • Right to Restriction of Processing: You may request that we restrict processing where you contest the accuracy of the data, the processing is unlawful, or we no longer need the data but you require it for legal claims.
  • Right to Data Portability: Where processing is based on consent or contract and is carried out by automated means, you may request your data in a structured, commonly used, machine-readable format and have it transmitted directly to another controller.
  • Right to Object: You may object to processing based on our legitimate interests. We shall cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Rights Related to Automated Decision-Making: The Company does not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.

To exercise any of these rights, please contact us using the details in Clause 15. We shall respond to your request within thirty (30) calendar days. Where a request is manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or decline to act.

11. Children's Privacy

Our Services are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data without verifiable parental consent, we shall take immediate steps to delete such data from our systems. If you are a parent or guardian and believe your child has provided us with personal data, please contact us forthwith.

12. International Data Transfers

The Company is based in the Republic of Uganda. Personal data we collect is processed primarily within Uganda. However, certain third-party service providers may be located in other jurisdictions. Where personal data is transferred internationally, we ensure that appropriate safeguards are in place — including standard contractual clauses, binding corporate rules, or reliance on adequacy decisions where applicable — to ensure that your data receives a level of protection equivalent to that provided under Ugandan law and international data protection standards.

13. Data Breach Notification

In the unfortunate event of a personal data breach, we have established a robust incident response protocol. We shall notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, where required by applicable law. Where the breach is likely to result in a high risk to your rights and freedoms, we shall communicate the nature of the breach to you without undue delay, along with the measures we have taken or propose to take to address the breach and mitigate its potential adverse effects.

14. Changes to This Policy

We reserve the right to update this Privacy Policy periodically to reflect changes in our data practices, legal obligations, or operational requirements. Material changes shall be communicated to you via email (where we hold your email address) and by a prominent notice on our website at least thirty (30) days prior to the change becoming effective. Continued use of our Services after the effective date constitutes acceptance of the revised Policy. We encourage you to review this page regularly.

15. Contact & Data Protection Officer

For any questions, concerns, or requests relating to this Privacy Policy or our data protection practices — including to exercise any of your rights under Clause 10 — please contact our Data Protection Officer:

Data Protection Officer
MO EXPEDITIONS
Seguku, Kampala, Uganda
Email: [email protected]
Phone: +256 786180997
WhatsApp: +256 703731303

You also have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction if you believe that our processing of your personal data infringes applicable data protection law. We would, however, welcome the opportunity to address your concerns directly before you approach any supervisory authority.

This Privacy Policy is effective as of January 1, 2024, and was last reviewed on March 15, 2025.
It forms an integral part of our Terms & Conditions and governs all interactions with MO EXPEDITIONS.

MO EXPEDITIONS — Your privacy is not a commodity. It is a covenant.