Privacy Policy

Till Africa is a digital commerce platform for African businesses, operated from Kampala, Uganda. Our products include TillSpace (business minisite and dashboard), TillVid (shoppable video feed), TillPay (mobile money payments), and TillBoda (last-mile delivery).

For the purpose of the DPPA 2019, Till Africa acts as both a data controller (for business owner accounts and customer data we collect directly) and a data processor (for end-customer data that business owners collect through our platform).

Contact our data protection officer: privacy@till.africa

2a. Business owner accounts

• Business name, phone number, and email address — collected at registration
• Business address, category, and operating hours — provided during onboarding
• Product and service listings — provided voluntarily
• Payment transaction records (amounts, dates, references — not card or account numbers)
• Login credentials (password stored as a bcrypt hash — never in plain text)
• TillVid content (photos and videos you upload)

2b. End customers (visitors to business minisites)

• Device type, browser, and approximate location — collected via standard HTTP headers
• Pages visited and links clicked — for minisite analytics shown to the business owner
• WhatsApp enquiries — initiated by the customer, routed to the business (we log the event, not the message content)
• TillVid video views, clicks, and shares — for feed algorithm and business analytics

2c. TillVid — specific data

• Videos and photos uploaded by businesses are stored on Cloudflare R2 (edge storage)
• All TillVid uploads are watermarked with the business's till.africa URL
• View counts, click events, and share events are logged per post
• Traffic source (Instagram, WhatsApp, direct) is captured when customers arrive via a tracked bio link

2d. What we do NOT collect

• Mobile money account numbers or bank details (payments go via MTN/Airtel APIs directly)
• National ID numbers or passport numbers
• Biometric data of any kind
• Message content of WhatsApp conversations (we see only the event — not the message)

• Contract performance — to provide the Till services you signed up for
• Legitimate interest — to improve our platform, detect fraud, and show you relevant analytics
• Legal obligation — to comply with Uganda tax law, financial regulations, and the DPPA 2019
• Consent — for marketing emails (you can unsubscribe any time)

All data is stored on Cloudflare's global infrastructure — D1 (SQLite edge database), KV (key-value cache), and R2 (object storage). Cloudflare's data centres are ISO 27001 certified.

• Data at rest: encrypted using AES-256
• Data in transit: TLS 1.3 enforced on all connections
• Passwords: bcrypt hashed with cost factor 12 — never stored in plain text
• Access tokens: short-lived JWTs (15 minutes), rotated via refresh tokens
• Employee access: limited to what is strictly necessary for support and operations
• TillVid content: stored in Cloudflare R2, served via Cloudflare CDN, not publicly indexed

We retain account data for as long as your account is active plus 90 days after deletion, unless a longer retention period is required by law. Analytics event data is retained for 24 months.

We do not sell personal data. We share data only with:

• Cloudflare Inc. — infrastructure provider (US, with EU-US Data Privacy Framework)
• MTN Uganda / Airtel Uganda — payment processing (transaction reference only)
• Google Analytics (if enabled by business owner on their minisite) — aggregated only
• Ugandan government or law enforcement — only when legally required, with valid court order

Under Uganda's Data Protection and Privacy Act 2019, you have the following rights:

• Right of access — request a copy of the data we hold about you
• Right to rectification — correct inaccurate personal data
• Right to erasure — request deletion of your data (subject to legal retention requirements)
• Right to data portability — receive your data in a machine-readable format
• Right to object — object to processing for marketing purposes
• Right to lodge a complaint — with the Personal Data Protection Office of Uganda (PDPO)

To exercise any of these rights, email privacy@till.africa. We will respond within 21 days as required by the DPPA.

• Authentication: a secure, httpOnly session cookie is set on login — essential for security
• Preferences: theme and language preferences stored in localStorage — no tracking
• Analytics: Till does not set third-party tracking cookies by default
• Business owners may add their own analytics (Google Analytics, etc.) — subject to their own privacy obligations

Till Africa services are intended for businesses and adults (18+). We do not knowingly collect personal data from children under 18. If you believe a minor has provided data, contactprivacy@till.africa immediately.

We will notify registered business owners by email at least 14 days before any material changes to this policy. Continued use of the platform after that date constitutes acceptance of the updated policy. The current version is always available at till.africa/privacy.

Till Africa · Kampala, Uganda
Data Protection Officer: privacy@till.africa
General: hello@till.africa