Privacy Policy

Effective Date: May 2026 • Version 1.0
Pico Financial Services Uganda Limited • Licensed and regulated by UMRA • Registered with the Personal Data Protection Office (PDPO)
This policy complies with the Uganda Data Protection and Privacy Act, 2019 (DPPA) and applicable regulations issued by the Personal Data Protection Office (PDPO).

1. Introduction

Pico Financial Services Uganda Limited ("Pico," "we," "us," or "our") is committed to protecting the privacy and personal data of every individual who interacts with us. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over your data.

This Policy applies to all personal data processed by Pico in connection with:

Applications for loan products and financial services
Use of our website and online enquiry forms
Communications with our staff, loan officers, and agents
Our compliance obligations as a regulated non-bank institution

By submitting a loan application or using our website, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a legal basis, your consent is voluntary and may be withdrawn at any time.

2. Data We Collect

We collect and process the following categories of personal data:

Identity data: Full name, date of birth, National Identification Number (NIN), passport number, photograph
Contact data: Phone number, email address, physical address, next of kin details
Financial data: Income details, payslips, bank account information, bank statements, credit bureau reports, existing debts and liabilities
Employment data: Employer name, position, employment status, payroll number (for civil servants)
Business data (SME and invoice applicants): Business name, registration number, turnover, invoices, and business bank statements
Transaction data: Loan disbursements, repayment records, payment history
Device and usage data: IP address, browser type, pages visited, and session duration when you use our website

We do not collect sensitive personal data (such as health data, racial or ethnic origin, or religious beliefs) except where expressly required by law or with your explicit consent.

3. How We Collect Your Data

We collect personal data through the following means:

Directly from you: When you complete a loan enquiry or application form, call our contact centre, visit our office, or correspond with us by email or WhatsApp
Know Your Customer (KYC) verification: Identity documents submitted as part of our regulatory compliance process
Payroll and employer partners: Employment and salary information shared by your employer or government ministry as part of payroll-deducted loan products
Credit bureaus: Credit history and financial risk information from licensed credit reference bureaus in Uganda
Our website: Cookies and server logs that record technical information about your visit (see Section 11)

4. Lawful Basis for Processing

Pico processes your personal data only where we have a lawful basis to do so, in accordance with Section 14 of the Uganda Data Protection and Privacy Act, 2019. The lawful bases we rely on are:

Contract performance: Processing necessary to assess your loan application, disburse funds, manage repayments, and administer your loan Agreement
Legal obligation: Processing required to comply with AML/CFT obligations, UMRA reporting requirements, tax regulations, court orders, and other applicable Ugandan law
Legitimate interests: Processing for fraud prevention, risk management, credit assessment, and improvement of our services, where these interests are not overridden by your rights
Consent: Where we send you marketing communications about new Pico products or promotions, we rely on your consent, which you may withdraw at any time by contacting us

5. How We Use Your Data

We use your personal data for the following purposes:

Assessing your creditworthiness and eligibility for a loan product
Processing and disbursing approved loans
Managing loan repayments and your account
Communicating with you about your application or loan status
Complying with our AML/CFT, KYC, and regulatory reporting obligations
Preventing and detecting fraud, money laundering, and financial crime
Resolving complaints and disputes
Improving our products, services, and internal processes
Sending you information about Pico products and promotions, where you have consented

We will not use your data for any purpose incompatible with the purposes for which it was collected.

6. Data Sharing

We do not sell your personal data. We share your data only where necessary and with appropriate safeguards, as follows:

Credit reference bureaus: We submit repayment performance data to licensed credit bureaus in Uganda as required by regulation. This may affect your credit profile.
Payroll and ministry partners: For payroll-deducted products, we share necessary loan details with your employer or government ministry payroll office
Regulators and authorities: UMRA, the Uganda Revenue Authority, the Financial Intelligence Authority, the Personal Data Protection Office, and law enforcement agencies, where required by law
Service providers: Trusted third parties who process data on our behalf (e.g., IT systems, verification services, debt collection agents) under written Data Processing Agreements that bind them to confidentiality and DPPA-compliant standards
Legal and professional advisers: Lawyers, auditors, and insurers acting in connection with our business, under strict confidentiality obligations

All third parties with whom we share data are required to handle it securely and use it only for the purpose for which it was shared.

7. International Data Transfers

Where it is necessary to transfer your personal data outside Uganda, we will ensure that such transfers occur only to countries that provide adequate levels of data protection, or that appropriate contractual safeguards (such as data transfer agreements) are in place to protect your rights, in accordance with the DPPA 2019.

We will not transfer your data to any country or organisation that does not meet the required standards of protection.

8. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, and in accordance with our legal obligations:

Loan records and transaction data: 7 years from the date the loan is fully settled or closed, in compliance with the Anti-Money Laundering Act, 2013
Unsuccessful application data: 12 months from the date of application, after which it is securely deleted
Marketing consent records: Until you withdraw your consent
Website usage logs: 12 months, unless extended for security investigation purposes

After the applicable retention period, personal data is securely deleted or anonymised in a manner that prevents re-identification.

9. Your Rights Under the DPPA 2019

Under the Uganda Data Protection and Privacy Act, 2019 (Sections 22â€“28), you have the following rights regarding your personal data:

Right of access: Request a copy of the personal data we hold about you
Right to correction: Request that inaccurate or incomplete data be corrected
Right to deletion: Request deletion of your data where it is no longer necessary, subject to our legal retention obligations
Right to data portability: Receive your data in a structured, commonly used format
Right to object: Object to processing based on legitimate interests or for direct marketing
Right to withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing

To exercise any of these rights, contact our Data Protection Officer (see Section 12). We will respond to your request within 21 days. Where we are unable to fulfil a request, we will explain the reason.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or disclosure. Our security measures include:

Encryption of data in transit using industry-standard protocols
Access controls limiting data access to authorised staff only
Regular staff training on data protection and confidentiality obligations
Physical security measures at our offices
Periodic review of our data security practices

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Personal Data Protection Office (PDPO) within 72 hours of becoming aware of the breach, as required by Section 34 of the DPPA 2019. Where the breach poses a high risk to you directly, we will also notify you without undue delay.

11. Cookies

Our website uses cookies â€” small text files stored on your device â€” to enable the website to function correctly and improve your experience. We use the following types of cookies:

Strictly necessary cookies: Required for the website to operate. These cannot be disabled.
Analytics cookies: Used to understand how visitors use our site, such as which pages are most visited. These are only placed with your consent.

We do not use cookies for cross-site tracking, advertising profiling, or to share your browsing behaviour with third parties. You can control cookie preferences through your browser settings. Disabling strictly necessary cookies may affect the functionality of the website.

12. Contact and Complaints

If you have any questions about this Privacy Policy, wish to exercise your data rights, or wish to make a complaint about how Pico handles your personal data, please contact our Data Protection Officer:

Data Protection Officer: Pico Financial Services Uganda Limited
Email: info@pfsug.com
Phone: +256 772 362 199
Address: Apartment 2B, 2nd Floor, Rovis Building, Salim Bay Road, Kampala, Uganda

If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Office (PDPO) of Uganda:

PDPO Website: pdpo.go.ug
PDPO Phone: +256 417 719 600
PDPO Email: pdpo@niira.go.ug

We take all privacy complaints seriously and will investigate and respond to each one promptly.