🔒 Legal Document

Privacy Policy

🗓 Effective: 1 April 2025 📋 Last Updated: 1 February 2025 ⚖️ Zambia Data Protection Act No. 3 of 2021
This Privacy Policy explains how Ufulu Bakery ("we", "us", "our"), operating at Plot 1344/45 Buntungwa Street, Industrial Area, Kabwe, Central Province, Zambia and through www.ufulubakery.shop, collects, uses, and protects your personal data. It is prepared in compliance with the Data Protection Act No. 3 of 2021 of the Republic of Zambia and its accompanying regulations.

Section 01

Who We Are

Ufulu Bakery is a registered bakery business operating in Kabwe, Central Province, Zambia. We sell artisan bread, cakes, pastries, and baked goods through our physical premises and via our online platform at www.ufulubakery.shop.

For the purposes of the Zambia Data Protection Act No. 3 of 2021, Ufulu Bakery acts as the Data Controller in respect of personal data collected through this website, our WhatsApp ordering channels, and any other customer interaction channels.

Detail | Information
Business Name | Ufulu Bakery
Physical Address | Plot 1344/45 Buntungwa Street, Industrial Area, Kabwe, Central Province, Zambia
Website | www.ufulubakery.shop
Email | info@ufulubakery.shop
Privacy / Data Enquiries (Phone & WhatsApp) | +260 977402658
Data Controller Role | Ufulu Bakery (Primary)

Section 02

Legal Framework

This Privacy Policy is governed by and construed in accordance with the following Zambian legislation:

  • Data Protection Act No. 3 of 2021 — the primary law regulating the collection, processing, storage and transfer of personal data in Zambia, commencing 1 April 2021.
  • Electronic Communications and Transactions Act No. 4 of 2021 — governing electronic transactions and digital communications.
  • Cyber Security and Cyber Crimes Act No. 2 of 2021 — addressing cybersecurity obligations for online platforms.
  • Information and Communications Technologies Act No. 15 of 2009 — supplementary regulatory framework for ICT services.
  • Consumer Protection Act (as applicable) — governing fair dealings and rights of consumers in Zambia.
The Data Protection Commission of Zambia (formerly the Office of the Data Protection Commissioner under the Ministry of Communications) is the statutory body responsible for overseeing enforcement of the Data Protection Act. Active enforcement commenced in March 2025. Ufulu Bakery is committed to full compliance.
Section 03

Data We Collect

We collect only the personal data that is necessary, relevant, and proportionate to the purposes for which it is collected, in accordance with Section 3 of the Data Protection Act No. 3 of 2021 (the "Act").

3.1 Data You Provide to Us Directly:

  • Identity data: first name and last name, provided when placing orders or contacting us.
  • Contact data: phone number, email address, delivery address, WhatsApp number.
  • Order data: products ordered, quantities, special instructions, delivery date preferences, and payment method selected.
  • Communication data: messages sent through our contact form, WhatsApp conversations, or email correspondence.
  • Newsletter data: email address provided when subscribing to our newsletter.

3.2 Data Collected Automatically:

  • Technical data: IP address, browser type and version, device type, operating system, and time zone setting.
  • Usage data: pages visited, links clicked, time spent on pages, and referring website.
  • Cookie data: see Section 10 for full details on cookies.

3.3 Data We Do Not Collect:

We do not collect sensitive personal data as defined under Section 14 of the Act, including racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or financial account details. We do not process payment card data directly — all card transactions are handled by certified third-party payment processors.
Section 04

How We Use Your Data

We use your personal data only for the specific, legitimate purposes for which it was collected. We will not process your data in a manner incompatible with those stated purposes.

Purpose | Data Used | Legal Basis
Processing and fulfilling your orders | Identity, contact, order data | Contract performance
Communicating about your order | Phone, email, WhatsApp | Contract performance
Arranging delivery to your address | Name, address, phone | Contract performance
Sending newsletters and promotions | Email address | Consent (opt-in)
Responding to enquiries and complaints | Name, contact, message | Legitimate interest
Improving our website and services | Technical, usage data | Legitimate interest
Complying with legal obligations | As required by law | Legal obligation
Fraud prevention and security | Technical, order data | Legitimate interest / legal obligation

Section 05

Legal Basis for Processing

Under Section 15 of the Data Protection Act No. 3 of 2021, we may only process personal data where a lawful justification exists. We rely on the following lawful bases:

  • Consent (Section 15(1)(a)): Where you have provided freely-given, specific, informed, and unambiguous consent — for example, when subscribing to our newsletter. You may withdraw consent at any time without detriment.
  • Contract Performance (Section 15(1)(b)): Where processing is necessary to fulfil a contract with you — specifically, to process and deliver your orders.
  • Legal Obligation (Section 15(1)(c)): Where we are required to process data to comply with Zambian law, tax obligations, or court orders.
  • Legitimate Interests (Section 15(1)(f)): Where processing is necessary for our legitimate business interests, provided those interests do not override your rights and freedoms — for example, website analytics and fraud prevention.
Section 06

Sharing Your Data

We do not sell, rent, or trade your personal data to any third party. We may share your data only in the following limited circumstances:

  • Delivery partners: Where we use third-party delivery agents, we share your name, address, and contact number to fulfil delivery of your order.
  • Payment processors: Where electronic payments are processed through a licensed third-party payment gateway operating in Zambia, limited transaction data is shared.
  • IT and hosting providers: Our website is hosted on Hostinger. Relevant technical data is processed by them under appropriate data processing agreements.
  • Legal and regulatory authorities: We may disclose data where required to comply with a court order, legal process, or lawful request from the Data Protection Commission of Zambia or other competent Zambian authority.
  • Business successors: In the event of a merger, acquisition, or business transfer, your data may be transferred to the successor entity, subject to the same protections.
We require all third parties who process personal data on our behalf to maintain adequate security measures and to use your data only for the specified purpose. We do not permit third-party processors to use your personal data for their own commercial purposes.
Section 07

Data Retention

In accordance with the Data Protection Act No. 3 of 2021, we retain personal data only for as long as it is necessary for the purpose for which it was collected, and for a period of one (1) year after that purpose has been fulfilled, unless a longer retention period is required by Zambian law.

Data Type | Retention Period
Order records (name, address, items ordered) | 7 years (tax and accounting obligations under Zambia Revenue Authority requirements)
Contact form messages | 2 years from last contact
Newsletter subscriptions | Until you unsubscribe + 6 months
Website analytics / technical data | 13 months from collection
WhatsApp / phone communication records | 1 year from last interaction

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in a manner that prevents re-identification.

Section 08

Cross-Border Data Transfers

Under Sections 70–71 of the Data Protection Act No. 3 of 2021, personal data may only be transferred outside the Republic of Zambia where:

  • The data subject has given explicit written consent for the specific cross-border transfer;
  • The transfer is made to a country that has data protection laws that are, at a minimum, as strong as Zambia's;
  • The transfer has been approved by the Data Protection Commissioner of Zambia; or
  • The transfer is made subject to standard contracts or intra-group schemes approved by the Commissioner.

Our website is hosted on servers that may be located outside Zambia (Hostinger infrastructure). Where such hosting involves the processing of personal data, we ensure that adequate contractual protections are in place. Sensitive personal data will not be transferred outside Zambia without your explicit consent.

Section 09

Your Rights

Under the Data Protection Act No. 3 of 2021, you have the following rights as a data subject. You may exercise these rights by contacting us using the details in Section 14.

  • Right to Access: Request a copy of the personal data we hold about you and information on how it is being processed.
  • Right to Rectification: Request correction of any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure: Request deletion of your personal data where it is no longer necessary for the purpose collected, or where you withdraw consent.
  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances while a complaint or objection is being resolved.
  • Right to Object: Object to processing based on legitimate interests, including direct marketing and profiling.
  • Right to Portability: Receive your data in a structured, commonly-used format and transfer it to another controller.
  • Right to Withdraw Consent: Withdraw consent for processing at any time. Withdrawal does not affect the lawfulness of prior processing.
  • Right to Lodge a Complaint: Lodge a complaint with the Data Protection Commission of Zambia if you believe we have mishandled your data.

We will respond to all valid rights requests within 30 days of receipt. We may extend this period by a further 30 days for complex requests, in which case we will notify you. We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.

Section 10

Cookies & Tracking

Our website uses cookies — small text files placed on your device — to improve your browsing experience and to help us understand how the site is used.

Cookie Type | Purpose | Duration
Strictly Necessary | Essential for the website to function — shopping cart, session management | Session
Analytics | Google Analytics — understand how visitors use the site (anonymised) | 13 months
Preference | Remember your language and location settings | 1 year
Marketing | Third-party social sharing buttons (WhatsApp, Facebook) — only with consent | Varies

Non-essential cookies are only placed on your device with your prior consent. You may withdraw cookie consent at any time by adjusting your browser settings or using our cookie preference tool. Note that disabling certain cookies may affect site functionality.

Section 11

Children's Privacy

In accordance with Section 17 of the Data Protection Act No. 3 of 2021, we apply additional protections to the personal data of children and vulnerable persons.

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children without verifiable parental or guardian consent. If you believe a child has provided us with personal data without appropriate consent, please contact us immediately at info@ufulubakery.shop and we will promptly delete such data.

Where a data subject is a child or a vulnerable person, their data protection rights under the Act may be exercised on their behalf by a parent, legal guardian, or authorised representative.

Section 12

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction, in accordance with the security obligations under the Data Protection Act No. 3 of 2021.

  • Our website operates over HTTPS with SSL/TLS encryption for all data in transit.
  • Access to personal data is restricted to authorised staff on a need-to-know basis.
  • Our database and server infrastructure are protected by firewall and access controls.
  • Passwords stored in our systems are hashed using industry-standard algorithms (bcrypt).
  • We conduct periodic security reviews and promptly patch known vulnerabilities.
No data transmission over the internet or electronic storage system is completely secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the Data Protection Commission of Zambia in accordance with the Act.
Section 13

Complaints & Regulator

If you have concerns about how we handle your personal data, we encourage you to first contact us directly (see Section 14) so we can address your concerns promptly.

If you are not satisfied with our response, you have the right to lodge a formal complaint with the Data Protection Commission of Zambia, the statutory authority responsible for enforcement of the Data Protection Act No. 3 of 2021:

📞 Data Protection Commission of Zambia
Ministry: Ministry of Technology and Science, Republic of Zambia
Authority: Data Protection Commissioner of Zambia
Section 14

Contact Us

To exercise any of your data subject rights, to ask questions about this Privacy Policy, or to report a privacy concern, please contact our data protection point of contact:

🍞 Ufulu Bakery — Data & Privacy
Address: Plot 1344/45 Buntungwa Street, Industrial Area, Kabwe, Central Province, Zambia
Email: info@ufulubakery.shop (Subject: "Privacy Request")
Phone (privacy & data enquiries): +260 977402658
WhatsApp (privacy & data enquiries): +260 977402658

We may update this Privacy Policy from time to time to reflect changes in our practices or in Zambian data protection law. The current version will always be published on this page with the effective date shown at the top. Where changes are material, we will notify you by email or via a prominent notice on our website.