UNOC

PRIVACY POLICY FOR OILNEXUS

Last Updated: [08-04-2026]

1. INTRODUCTION

1.1 Overview

Welcome to OilNexus (“OilNexus”, “we”, “us”, “our”, or “the Platform”). We are committed to safeguarding your privacy and ensuring the security of your personal data. This Privacy Policy sets out how we collect, use, disclose, and protect your information when you access or use our platform, website, and related services (collectively, the “Services”). It also outlines your rights and choices in relation to your personal data.

1.2 Acceptance of Privacy Policy

By accessing or using our Services, you confirm that you have read, understood, and agree to be bound by this Privacy Policy, which forms an integral part of our Terms and Conditions. If you do not agree with any part of this Privacy Policy, you should refrain from accessing or using the Services.

1.3 Scope of this Privacy Policy

This Privacy Policy applies to all users of the Platform, including:

  • Natural persons – individual human beings who create personal accounts on the Platform and interact with it directly.
  • Legal persons – companies, partnerships, and other corporate entities (including OMCs) that register accounts and operate through the Platform, whether acting through authorised representatives or automated systems.

Regardless of whether you are an individual or a representative of a corporate entity, your Personal Data is important to us and is handled in accordance with the terms of this Policy.

1.4 About Us

OilNexus is a technology platform that enables Oil Marketing Companies (“OMCs”) and other registered users, whether individuals or corporate entities, to create accounts and monitor the movement of oil shipments between Kenya and Uganda. The Platform processes orders and tracks logistics based on information submitted by its users, and interfaces with the Kenya Revenue Authority (“KRA”) customs clearance system in connection with those transactions.

2. KEY DEFINITIONS

The terms below are used throughout this Privacy Policy. Familiarity with these definitions will help you understand how we describe our data handling practices.

“OilNexus” – Refers to the OilNexus Platform, its operators, and all related services, referred to in this document as “we”, “us”, “our”, or “the Platform”.
“Services” – Means the OilNexus platform, including its website and related systems, through which Users may create accounts, submit and process order and shipment information, and monitor the movement of oil and petroleum products, together with any related functionalities and support provided through the Platform.
“You” / “User” – Any natural person or legal person who registers for or accesses the OilNexus Platform, including OMC representatives and authorised account users.
“Personal Data” – Any information that relates to an identified or identifiable individual. This includes names, identification numbers, contact details, location data, and any other data from which a person can be directly or indirectly identified.
“Processing” – Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, transfer, and deletion.
“Data Controller” – The entity that determines the purposes and means of processing Personal Data. OilNexus acts as Data Controller in respect of Personal Data submitted by its users.
“Data Processor” – A third party that processes Personal Data on behalf of the Data Controller, such as cloud hosting providers or IT service vendors engaged by OilNexus.
“Data Subject” – The individual whose Personal Data is being processed. In most cases, this means you.
“OMC” – An Oil Marketing Company that places orders and monitors oil shipments through the OilNexus Platform.
“KRA” – The Kenya Revenue Authority, responsible for customs clearance of goods entering or leaving Kenya.
“DPA” (Kenya) – The Data Protection Act, 2019 (No. 24 of 2019) of Kenya, including the Data Protection (General) Regulations, 2021.
“PDPA” (Uganda) – The Data Protection and Privacy Act, 2019 (Act No. 9 of 2019) of Uganda, including the Data Protection and Privacy Regulations, 2021.
“GDPR” – The General Data Protection Regulation (EU) 2016/679, applicable where users or data subjects are located within the European Economic Area.
“Consent” – A freely given, specific, informed, and unambiguous agreement by which a Data Subject signifies agreement to the processing of their Personal Data for a stated purpose.
“Data Breach” – An accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
“Anonymisation” – The process of irreversibly altering Personal Data in such a manner that a Data Subject can no longer be identified, directly or indirectly, by any means reasonably likely to be used.

3. PERSONAL INFORMATION THAT WE COLLECT

We collect only the information that is necessary to provide you with the services, comply with our legal obligations, and continuously improve the Platform.

3.1 Information You Provide to Us Directly

When you register or interact with the OilNexus Platform, you will provide us with certain information. This happens in the following circumstances:

  • Account Registration: We collect your full name, email address, phone number, company name (if applicable), your role within the company, and the login credentials you choose to create.
  • Profile Completion: You may provide additional details such as your business registration number, the jurisdiction(s) in which you operate (Kenya, Uganda, or both), and your operational preferences on the Platform.
  • Order Submission: When placing or managing oil shipment orders, we collect the details of those orders, including product descriptions, quantities, destination information, and the associated customs entry data submitted in connection with KRA requirements.
  • Support Communications: If you contact our support team, we collect the content of your messages and any documentation you attach.

3.2 Transaction and Customs Data

Because OilNexus is purpose-built for cross-border oil shipment tracking between Kenya and Uganda, a significant portion of the data we process relates to commercial and customs transactions. This includes:

  • Customs entry numbers and clearance status as submitted to or confirmed by the Kenya Revenue Authority.
  • Order records, logistics tracking data, and transaction logs generated through your use of the Platform.
  • Billing records and payment-related information, including CWR (Customs Warehouse Receipt) charges that accrue automatically upon expiry of a customs entry, in accordance with the OilNexus Terms and Conditions.

Transaction records and logs generated by the OilNexus Platform constitute the official and binding record of all transactions conducted through it, as agreed in the OilNexus Terms and Conditions. Users are solely responsible for the accuracy and completeness of all information they submit.

3.3 Information Collected Automatically

When you access the Platform, certain technical information is collected automatically by our systems. This is a standard feature of web-based platforms and is necessary to ensure the Platform operates correctly and securely. It includes:

  • Device and browser information: your IP address, browser type and version, operating system, and device identifiers.
  • Usage data: the pages or features you access, actions you take on the Platform, and time spent on different sections.
  • Log data: the date and time of your sessions, error reports, and session duration.
  • General location information: country and city level, derived from your IP address only. We do not collect precise GPS location data.

This automatically collected information is used for security monitoring, system performance optimisation, and improving the user experience. It does not, by itself, identify you as an individual.

4. HOW WE USE YOUR INFORMATION

We use the information we collect only for purposes that are legitimate, proportionate, and consistent with the reason it was originally provided. Below is a transparent account of each purpose and why it is necessary.

4.1 To Provide and Operate the Platform

The primary reason we collect your information is to deliver the OilNexus services to you. We use your data to:

  • Create and manage your account so that you can securely access and use the Platform.
  • Process and track oil shipment orders between Kenya and Uganda in accordance with your submissions.
  • Verify the customs clearance status of entries through the KRA system, as required under the OilNexus Terms and Conditions before an order can be processed.
  • Maintain official transaction records and logs that serve as the binding record of all activities conducted through the Platform.
  • Calculate and apply applicable charges, including CWR charges that accrue automatically upon expiry of a customs entry.

4.2 To Communicate with You

We use your contact information to send you communications that are necessary for the operation of your account or required by applicable law. These include:

  • Notifications about your shipment orders, including status updates, clearance alerts, and notifications of held or suspended orders.
  • Administrative communications, such as updates to our Terms and Conditions or Privacy Policy, system maintenance notices, and security alerts.
  • Responses to your enquiries or requests submitted to our support team.

Where we wish to send you promotional or marketing communications about new features or services, we will seek your separate, informed consent and will always provide a clear and easy way for you to opt out.

4.3 For Security, Fraud Prevention, and Regulatory Compliance

We are legally and contractually obligated to protect the integrity of the Platform and the interests of all users. We use your data to:

  • Monitor for and detect suspicious, fraudulent, or unauthorised activity on the Platform or in connection with your account.
  • Verify the authenticity of information submitted, including confirming KRA clearance status before processing orders.
  • Enforce our Terms and Conditions and protect our legal rights and those of our users.
  • Comply with obligations imposed by Kenyan and Ugandan law, including responding to valid requests from regulatory authorities, government bodies, or courts of competent jurisdiction in either country.

4.4 To Improve the Platform

We analyse aggregated and, where possible, anonymised usage data to understand how the Platform is being used and how it can be improved. This includes identifying technical issues, optimising the user interface, and developing new features that better serve the needs of OMCs and other users. No individual is singled out through this analysis.

4.5 Legal Basis for Processing

Under both the Kenya DPA and the Uganda PDPA, we are required to have a recognised lawful basis for every processing activity. Depending on the specific purpose, we rely on one or more of the following bases:

  • Performance of a contract: Processing that is necessary to fulfil our obligations to you as a registered user of the Platform, including processing your orders and maintaining your account.
  • Compliance with a legal obligation: Processing required by Kenyan or Ugandan law, including compliance with tax, customs, and data protection regulations in both countries.
  • Legitimate interests: Processing necessary for our genuine business interests, such as security monitoring and Platform improvement, provided those interests do not override your fundamental rights and freedoms.
  • Consent: Where we rely on your consent, for example, for marketing communications, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. DISCLOSURE OF INFORMATION

We do not sell your Personal Data to any third party. We share your information only in the limited circumstances set out below, and always subject to appropriate contractual or legal safeguards.

5.1 Regulatory and Government Authorities

Because OilNexus is integral to customs-regulated oil shipment between Kenya and Uganda, certain data must necessarily be shared with or verified against official government systems. This includes:

  • The Kenya Revenue Authority (KRA), for the verification of customs entries and confirmation of clearance status, as a precondition to order processing under the OilNexus Terms and Conditions.
  • Any other competent regulatory, tax, or law enforcement authority in Kenya or Uganda where disclosure is required or permitted by applicable law.

5.2 Third-Party Service Providers

We engage reputable third-party service providers who assist us in operating and maintaining the Platform. These may include cloud infrastructure and hosting providers, IT support vendors, payment processors, and cybersecurity service providers. All such providers are contractually bound to process your Personal Data only on our instructions, only for the specific purposes for which they have been engaged, and in full compliance with applicable data protection law. They may not use your data for their own independent purposes.

5.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of the business or substantially all of its assets, your Personal Data may form part of the transferred assets. Where this is the case, we will notify affected users in advance and ensure that any receiving entity is bound by data protection obligations at least equivalent to those set out in this Policy.

5.4 With Your Consent

Where we wish to share your information with a third party for a purpose not already described in this Policy, we will seek your explicit and informed consent before doing so.

5.5 Aggregated and Anonymised Data

We may share aggregated, anonymised, or de-identified data with third parties for research, analytics, or industry reporting purposes. Such data cannot reasonably be used to identify any individual and is not subject to the restrictions applicable to Personal Data under this Policy or applicable law.

6. DATA RETENTION

6.1 General Principle

We retain your Personal Data only for as long as is genuinely necessary to fulfil the purposes for which it was collected, or as required by applicable law. When your data is no longer needed for a legitimate purpose, we will securely delete or anonymise it.

6.2 Specific Retention Periods

As a practical guide, the following periods generally apply to the main categories of data we hold:

  • Account data: Retained for the duration of your active account, and for up to three (3) years after account closure, to allow us to resolve any outstanding disputes or meet post-contractual obligations.
  • Transaction and customs data: Retained for a minimum of seven (7) years, in accordance with the tax and customs record-keeping requirements applicable in Kenya and Uganda.
  • Security and system log data: Retained for up to twelve (12) months, unless a longer period is required in connection with an ongoing investigation or legal proceeding.
  • Support and communications records: Retained for up to three (3) years from the date of the last communication between us.

6.3 Dormant Accounts

Accounts with no activity for a continuous period of twenty-four (24) months will be treated as dormant. We will give you advance notice before taking any action, after which we may suspend or close the account in accordance with the OilNexus Terms and Conditions.

6.4 Legal Hold

Where we are required to preserve data beyond the standard retention periods, for example, in connection with ongoing litigation, a regulatory investigation, or a statutory obligation under Kenyan or Ugandan law, the relevant data will be retained until that obligation has been fully satisfied, and then deleted in accordance with our standard procedures.

7. DATA SECURITY

7.1 Our Security Measures

Protecting your Personal Data is a fundamental responsibility we take seriously. We implement appropriate technical and organisational measures designed to safeguard your data against unauthorised access, accidental loss, alteration, or unlawful disclosure. These measures include, among others:

  • Encryption of data in transit using TLS/SSL protocols, and encryption of data at rest where applicable.
  • Role-based access controls, ensuring that Personal Data is accessible only to personnel or systems that genuinely need it for a legitimate purpose.
  • Regular security assessments, penetration testing, and vulnerability management reviews.
  • Staff training on data protection principles and information security obligations.
  • Business continuity and disaster recovery procedures to ensure the availability and integrity of Platform data.

7.2 Your Responsibility

While we implement robust measures on our end, the security of your account also depends on you. You are responsible for keeping your login credentials confidential and for ensuring that unauthorised persons do not access your account. We strongly recommend using strong, unique passwords and enabling two-factor authentication where it is offered. If you suspect that your account has been compromised, please contact us immediately so that we can take prompt action.

7.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will act without delay:

  • In Kenya: We will notify the Office of the Data Protection Commissioner (ODPC) within seventy-two (72) hours of becoming aware of the breach, as required under the Kenya Data Protection Act, 2019.
  • In Uganda: Where the breach involves the Personal Data of Ugandan data subjects, we will notify the Personal Data Protection Office (PDPO) within forty-eight (48) hours, as required under the Uganda Data Protection and Privacy Act, 2019.

We will notify affected individuals directly – by email or through a prominent Platform notice – without undue delay where the breach is likely to result in a high risk to their rights or interests.

Our breach response procedures are designed to minimise harm, comply with the notification obligations of both the Kenyan and Ugandan data protection regimes, and restore the security of affected data as quickly as possible.

8. INTERNATIONAL DATA TRANSFERS

8.1 Cross-Border Data Flows Between Kenya and Uganda

Because OilNexus operates across both Kenya and Uganda, the processing of your Personal Data inherently involves the movement of data between these two countries. For example, transaction data relating to a Kenyan customs clearance may need to be accessed by system users based in Uganda, and vice versa. Both the Kenya DPA and the Uganda PDPA contain provisions governing such cross-border transfers, and OilNexus is committed to ensuring those provisions are respected in the operation of the Platform.

8.2 Transfers to Other Countries

Where we engage third-party service providers located outside Kenya and Uganda, for example, cloud infrastructure providers hosted in other jurisdictions, we ensure that appropriate safeguards are in place before any Personal Data is transferred. Depending on the destination, such safeguards may include:

  • Standard contractual clauses or data transfer agreements approved by the relevant supervisory authority (the ODPC in Kenya or the PDPO in Uganda).
  • Transfers to countries or territories assessed as providing an adequate level of data protection under applicable law.
  • Where required by law, your explicit and informed consent to the proposed transfer, after being made aware of the nature of the transfer and any associated risks.

8.3 Transfer Impact Assessments

Before making any international transfer of Personal Data beyond Kenya and Uganda, we carry out a transfer impact assessment to evaluate the risks involved and to confirm that the safeguards in place provide an adequate level of protection for the data being transferred.

9. YOUR DATA PROTECTION RIGHTS

You have meaningful legal rights over your Personal Data. This section explains those rights plainly and tells you how to exercise them. The specific rights available to you may depend on your location and on the legal basis on which we are processing your data. We will never charge you a fee simply for making a data rights request.

9.1 Right of Access

You have the right to ask us whether we hold any Personal Data about you, and if so, to receive a copy of that data along with clear information about how and why it is being processed. This right is recognised under Section 26 of the Kenya DPA, Section 24 of the Uganda PDPA, and Article 15 of the GDPR.

9.2 Right to Rectification

If any Personal Data we hold about you is inaccurate, outdated, or incomplete, you have the right to request that we correct or complete it without undue delay. This right is recognised under Section 40 of the Kenya DPA, Section 28 of the Uganda PDPA, and Article 16 of the GDPR.

9.3 Right to Erasure (“Right to Be Forgotten”)

In certain circumstances, you have the right to request the deletion of your Personal Data, for example, where the data is no longer necessary for the purpose for which it was collected, or where you withdraw your consent and there is no other lawful basis for continued processing. This right is subject to limitations where we are legally required to retain data for compliance or dispute resolution purposes. This right is recognised under Section 40 of the Kenya DPA, Section 28 of the Uganda PDPA, and Article 17 of the GDPR.

9.4 Right to Restrict Processing

You may request that we temporarily suspend the active processing of your Personal Data in certain situations – for example, while you contest the accuracy of data we hold, or where you have objected to processing and we are in the process of verifying whether our legitimate grounds override your interests.

9.5 Right to Data Portability

Where processing is based on your consent or on a contractual basis and is carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format. You may also request that it be transmitted directly to another service provider where technically feasible.

9.6 Right to Object

You have the right to object to the processing of your Personal Data where we rely on legitimate interests as our lawful basis, or where your data is being used for direct marketing. If you object to direct marketing, we will immediately stop using your data for that purpose, without exception.

9.7 Rights Related to Automated Decision-Making

OilNexus does not currently make decisions about you based solely on automated processing that would produce legal effects or similarly significantly affect you. If this position changes, we will inform you in advance and ensure that appropriate safeguards are in place before any such processing begins.

9.8 Right to Withdraw Consent

Where we rely on your consent as the legal basis for any processing activity, you have the right to withdraw that consent at any time. Withdrawing your consent will not affect the lawfulness of any processing that took place before the withdrawal. To withdraw your consent, simply contact us using the details in Section 14.

9.9 Right to Lodge a Complaint

If you are not satisfied with the way we have handled your Personal Data, you have the right to lodge a formal complaint with the relevant supervisory authority:

We would, however, welcome the opportunity to address your concerns directly before you escalate to a supervisory authority. Please reach out to us first using the contact details in Section 14.

9.10 How to Exercise Your Rights

To exercise any of the rights described in this section, please submit a written request to us using the contact details in Section 13. We will acknowledge your request promptly and respond within thirty (30) days, as required by applicable law. We may ask you to verify your identity before processing your request, solely to protect against unauthorised access to your Personal Data. In complex cases, we may extend the response period by a further thirty (30) days and will notify you if this becomes necessary.

10. CHILDREN’S PRIVACY

The OilNexus Platform is designed exclusively for use by businesses and adult individuals engaged in oil marketing and cross-border logistics. Our Services are not directed at, and are not suitable for, children under the age of eighteen (18). We do not knowingly collect Personal Data from children.

If you are a parent or guardian and have reason to believe that a child has registered on the Platform or provided us with Personal Data without appropriate authorisation, please contact us immediately using the details in Section 13. We will take prompt steps to investigate and, where confirmed, to delete the relevant information from our records.

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our services, in applicable Kenyan or Ugandan data protection law, or in our data handling practices. When material changes are made, we will notify you by posting the updated Policy on the Platform with a revised effective date. Where the changes are significant, we will also send a notification to your registered email address.

Your continued use of the OilNexus Platform after notification of a change constitutes your acceptance of the updated Privacy Policy. If you do not agree with the revised terms, you should discontinue use of the Platform. You may also request the deletion of your account and associated Personal Data by contacting us using the details in Section 13.

12. COMPLIANCE WITH DATA PROTECTION LAW

12.1 Kenya – Data Protection Act, 2019

OilNexus, in its capacity as a Data Controller with operations in Kenya, is committed to full compliance with the Kenya Data Protection Act, 2019 (No. 24 of 2019) and the Data Protection (General) Regulations, 2021. This includes registering with the Office of the Data Protection Commissioner (ODPC) as a Data Controller; conducting Data Protection Impact Assessments (DPIAs) where processing activities are likely to result in a high risk to data subjects; maintaining comprehensive records of processing activities; and implementing data protection by design and by default in the development and operation of the Platform.

12.2 Uganda – Data Protection and Privacy Act, 2019

To the extent that OilNexus processes Personal Data of individuals located in Uganda, or processes data in connection with activities that take place in or have effect in Uganda, we are committed to compliance with the Data Protection and Privacy Act, 2019 (Act No. 9 of 2019) of Uganda and its implementing regulations. The Uganda PDPA establishes obligations consistent with those of the Kenyan DPA, including the requirement to collect data for specified and legitimate purposes, to maintain appropriate technical and organisational security measures, and to uphold the rights of data subjects. OilNexus cooperates with the Personal Data Protection Office (PDPO) of Uganda and takes its obligations under the PDPA seriously.

12.3 Data Protection by Design and Default

OilNexus is built with data protection as a foundational principle. We embed privacy considerations into the design and development of the Platform from the outset, ensuring that Personal Data is processed only to the minimum extent necessary for each purpose, and that appropriate technical and organisational safeguards are built into our systems by default.

12.4 Records of Processing Activities

We maintain comprehensive internal records of all categories of processing activities carried out through or in connection with the Platform, in accordance with our obligations under both the Kenya DPA and the Uganda PDPA. These records are available to the relevant supervisory authorities upon request.

13. CONTACT US

If you have any questions, concerns, or requests in relation to this Privacy Policy or the way in which OilNexus handles your Personal Data, please do not hesitate to contact us. We are committed to addressing all privacy enquiries promptly and transparently.

Platform Name: OilNexus
General Enquiries Email: [email protected]
Phone: +256312444600

14. COMPLAINTS

We hope that any privacy concern you raise with us can be resolved directly and satisfactorily. However, if you are not satisfied with the outcome of your complaint, or if you prefer to raise a concern directly with a supervisory authority, you have the right to do so. The relevant authorities are:

14.1 Kenya – Office of the Data Protection Commissioner (ODPC)

14.2 Uganda – Personal Data Protection Office (PDPO)