Privacy Policy

At Andiza, your privacy is our priority. We are committed to protecting your personal data in compliance with Law No 058/2021 of 13/10/2021 relating to the protection of personal data and privacy in Rwanda.

Last Updated: January 2025

1. Data Controller Information
Andiza is the data controller responsible for your personal information.

Legal Entity: Andiza Co. Limited
Registration Number: 156009534
Business Sector: Wedding Planning & Event Management Software
Registered Address: Nyarugenge, Kigali, Rwanda
Website: www.andiza.co.rw
Contact Email: [email protected]

Data Protection Officer (DPO)

Name: INYANGE Larissa

Our Data Protection Officer is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection laws. You may contact the DPO directly regarding any questions about how we process your personal data.

2. Personal Data We Collect
We collect and process various types of personal data depending on your relationship with Andiza.

2.1 Categories of Data Subjects

  • Couples: Individuals planning their weddings using our platform
  • Vendors: Wedding service providers registered on our platform
  • Website Visitors: Anyone browsing our website
  • Employees: Staff members of Andiza Co. Limited
  • Prospects: Potential customers and business partners

2.2 Types of Personal Data

  • Identification Data: Full name, date of birth, national ID number, passport number, photographs
  • Contact Information: Email address, phone number, physical address, postal address
  • Demographic Information: Gender, marital status, nationality, language preferences
  • Professional Information: Business name, service category, business registration details, portfolio images
  • Financial Information: Payment details, transaction history, invoicing information, budget preferences
  • Technical Data: IP address, browser type, device information, cookies, usage data, login credentials
  • Event Information: Wedding date, guest count, venue preferences, service bookings, event notes

Important: We do not collect or process sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or data concerning sexual orientation, except where explicitly required by law and with your express consent.

3. How We Use Your Personal Data
We process your personal data for specific, explicit, and legitimate purposes.

3.1 Service Delivery

  • Creating and managing user accounts
  • Processing wedding bookings and vendor services
  • Facilitating communication between couples and vendors
  • Managing venue tours and quote requests
  • Providing wedding planning tools (checklist, budget tracker, guest list)
  • Sending booking confirmations and status updates

3.2 Business Operations

  • Processing payments and managing invoices
  • Vendor verification and quality control
  • Customer support and dispute resolution
  • Platform maintenance and improvement
  • Analytics and performance monitoring

3.3 Legal and Compliance

  • Compliance with Rwanda data protection laws
  • Know Your Customer (KYC) verification
  • Fraud prevention and security
  • Responding to legal requests and court orders
  • Enforcing our terms and conditions

3.4 Marketing and Communication

  • Sending promotional emails and newsletters (with consent)
  • Personalized service recommendations
  • Market research and surveys
  • Platform updates and announcements

3.5 Human Resources

  • Employee recruitment and onboarding
  • Payroll and benefits administration
  • Performance management
  • Training and development

4. Legal Basis for Processing
We process your personal data based on the following legal grounds as per Articles 6 and 7 of Law No 058/2021.

4.1 Consent (Article 6)

You have given clear, informed, and voluntary consent for us to process your personal data for specific purposes. You may withdraw your consent at any time.

Examples: Marketing communications, optional profile features, newsletter subscriptions

4.2 Contractual Necessity

Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract.

Examples: Creating your account, processing bookings, delivering services, payment processing

4.3 Legal Obligation

Processing is necessary for compliance with legal obligations to which Andiza is subject.

Examples: Tax reporting, KYC verification, responding to lawful requests from authorities

4.4 Legitimate Interest

Processing is necessary for the legitimate interests pursued by Andiza or a third party, except where such interests are overridden by your fundamental rights and freedoms.

Examples: Fraud prevention, platform security, business analytics, improving user experience

5. Data Sharing and Recipients
We may share your personal data with the following categories of recipients.

5.1 Within Andiza

Your data may be accessed by authorized employees and contractors who need it to perform their duties, subject to strict confidentiality obligations.

5.2 Service Providers and Processors

We engage third-party service providers to perform functions on our behalf, including:

  • Cloud hosting and data storage providers
  • Payment processors (e.g., Stripe, mobile money providers)
  • Email service providers
  • Analytics and monitoring tools
  • Customer support platforms

All processors are bound by data processing agreements in accordance with Articles 48 and 49 of Law No 058/2021.

5.3 Business Partners

We may share data with vendors on our platform to facilitate bookings and service delivery. Vendors only receive information necessary to fulfill their services.

5.4 Regulatory and Legal Authorities

We may disclose your data to:

  • National Cyber Security Authority (NCSA)
  • Rwanda Revenue Authority (RRA)
  • Law enforcement agencies
  • Courts and tribunals
  • Other regulatory bodies as required by law

5.5 Professional Advisors

We may share data with lawyers, auditors, accountants, and other professional advisors who assist us in running our business.

International Transfers: Currently, all data processing occurs within Rwanda. If we transfer data outside Rwanda in the future, we will ensure adequate safeguards are in place as required by law and will notify you accordingly.

6. Your Rights Under Rwanda Law
As a data subject, you have the following rights under Law No 058/2021.

6.1 Right of Access

You have the right to obtain confirmation as to whether your personal data is being processed, and if so, to access that data and receive information about how it is being used.

6.2 Right to Rectification

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

6.3 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or when you withdraw consent.

6.4 Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

6.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

6.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

6.7 Right to Withdraw Consent (Article 8)

Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

6.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the National Cyber Security Authority (NCSA) if you believe your data protection rights have been violated.

National Cyber Security Authority (NCSA)

Website: www.dpo.gov.rw

Email: [email protected]

How to Exercise Your Rights: To exercise any of these rights, please contact our Data Protection Officer at [email protected] or use our Data Subject Rights Request Forms below. We will respond to your request within 30 days.

7. Data Security Measures (Articles 46 and 47)
We implement appropriate technical and organizational measures to protect your personal data.

7.1 Technical Security Measures

  • Encryption of data in transit (SSL/TLS) and at rest
  • Secure authentication and password hashing (bcrypt)
  • Regular security updates and patches
  • Firewall and intrusion detection systems
  • Secure backup and disaster recovery procedures
  • Regular security audits and vulnerability assessments

7.2 Organizational Security Measures

  • Access controls and role-based permissions
  • Employee training on data protection
  • Confidentiality agreements with staff and contractors
  • Data protection impact assessments (Article 38)
  • Incident response and data breach procedures (Articles 43-45)
  • Regular review and update of security policies

7.3 Data Breach Response (Articles 43, 44, and 45)

In the event of a personal data breach, we will:

  • Notify the NCSA within 72 hours of becoming aware of the breach (Article 43)
  • Maintain a register of all data breaches (Article 44)
  • Notify affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms (Article 45)
  • Take immediate steps to contain and remediate the breach
  • Conduct a thorough investigation and implement preventive measures

Important: While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials.

8. Data Retention Policy (Article 52)
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected.

8.1 Retention Periods

  • User Account Data: Retained for the duration of your account plus 2 years after account closure for legal and audit purposes.
  • Booking and Transaction Records: Retained for 7 years from the date of transaction to comply with tax and accounting regulations.
  • Marketing Communications: Retained until you withdraw consent or unsubscribe, then deleted within 30 days.
  • Website Analytics and Cookies: Retained for up to 26 months. See our Cookie Policy for details.
  • Employee Records: Retained for 10 years after employment termination as required by Rwanda labor laws.
  • Legal and Compliance Records: Retained as long as required by applicable laws or until legal claims are resolved.

8.2 Secure Deletion

When personal data is no longer needed, we securely delete or anonymize it using industry-standard methods to prevent unauthorized access or recovery.

8.3 Retention Schedule Review

We regularly review our data retention schedule to ensure compliance with legal requirements and best practices. Our full Data Retention Schedule is available upon request from our DPO.

9. International Data Transfers
Information about transfers of personal data outside Rwanda.

9.1 Current Status

Currently, all personal data processing and storage occurs within Rwanda using local infrastructure and service providers. We do not transfer personal data outside Rwanda.

9.2 Future Transfers

If we need to transfer personal data outside Rwanda in the future, we will:

  • Ensure the receiving country has adequate data protection laws
  • Implement appropriate safeguards such as Standard Contractual Clauses
  • Obtain authorization from the NCSA where required
  • Notify affected data subjects and obtain consent where necessary

9.3 Third-Party Services

Some of our service providers (e.g., cloud hosting, email services) may have servers located outside Rwanda. We ensure these providers comply with Rwanda data protection standards through contractual agreements and regular audits.

10. Data Subject Consent and Forms
Access forms and documents related to your data protection rights.

10.1 Data Subject Consent (Articles 6 and 7)

When you create an account or use our services, you provide consent for us to process your personal data. Your consent is:

  • Freely given: You have a genuine choice and control
  • Specific: Separate consent for different processing purposes
  • Informed: You understand what you're consenting to
  • Unambiguous: Clear affirmative action required

10.2 Consent Withdrawal (Article 8)

You have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal. To withdraw consent:

  • Use the unsubscribe link in marketing emails
  • Update your preferences in account settings
  • Submit a Consent Withdrawal Form
  • Contact our DPO at [email protected]

10.3 Parental Consent (Articles 9 and 8)

Our services are intended for individuals aged 18 and above. If you are under 18, you must have parental or guardian consent to use our platform. Parents/guardians can:

  • Provide consent for minors to use our services
  • Access and manage their child's data
  • Request deletion of their child's data
  • Withdraw consent at any time

10.4 Data Subject Rights Request Forms

Use these forms to exercise your data protection rights:

11. Inventory of Processing Activities (Article 17)
Overview of our data processing operations.

In compliance with Article 17 of Law No 058/2021, we maintain a comprehensive inventory of all processing activities. This includes:

Processing Activity: User Account Management

Purpose: Account creation and authentication
Legal Basis: Contractual necessity
Data Categories: Identification, contact, credentials
Recipients: Internal staff, cloud hosting provider
Retention: Account lifetime + 2 years
Security: Encryption, access controls

Processing Activity: Booking Management

Purpose: Service bookings and vendor coordination
Legal Basis: Contractual necessity
Data Categories: Contact, event details, financial
Recipients: Vendors, payment processors
Retention: 7 years (tax compliance)
Security: Encryption, secure transmission

Processing Activity: Marketing Communications

Purpose: Newsletters and promotional emails
Legal Basis: Consent
Data Categories: Contact, preferences
Recipients: Email service provider
Retention: Until consent withdrawal
Security: Secure API, encryption

Processing Activity: Website Analytics

Purpose: Platform improvement and user experience
Legal Basis: Legitimate interest
Data Categories: Technical data, usage patterns
Recipients: Analytics service provider
Retention: 26 months
Security: Anonymization, aggregation

Full Inventory: A complete inventory of all processing activities is maintained internally and is available for inspection by the NCSA upon request. Data subjects may request a copy by contacting our DPO.

12. Privacy Notice (Article 42)
Information provided to data subjects at the point of data collection.

In accordance with Article 42, we provide clear and transparent information about data processing at the point of collection. Our privacy notices include:

  1. Identity of the Data Controller: Andiza Co. Limited and contact details
  2. Purpose of Processing: Specific purposes for which data is collected
  3. Legal Basis: Lawful grounds for processing (consent, contract, etc.)
  4. Recipients of Data: Who will have access to your personal data
  5. Retention Period: How long we will keep your data
  6. Your Rights: Rights to access, rectify, erase, and object
  7. Right to Complain: How to lodge a complaint with NCSA

Where to Find Privacy Notices: Privacy notices are displayed at account registration, booking forms, newsletter signup, and other data collection points throughout our platform.

13. Contact Information and Policy Updates
How to reach us and stay informed about policy changes.

13.1 Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data protection practices:

General Inquiries

Email: [email protected]

Website: www.andiza.co.rw

Data Protection Officer

Name: INYANGE Larissa

Email: [email protected]

13.2 Policy Updates

We may update this Privacy Policy periodically. Material changes will be communicated via email and website notice. We encourage regular review of this policy.