Introduction
Umurimo Global is committed to protecting your privacy and ensuring transparency in how we handle your personal data. This Privacy Policy explains our practices regarding data collection, use, and protection in compliance with Rwanda's Law No. 058/2021 and international best practices.
Scope and Applicability
This Privacy Policy applies to:
- Job candidates and individuals applying for positions through our recruitment services
- Employees of our clients who are managed through our EOR services
- Clients and business partners who use our services
- Website visitors who interact with our digital properties
- Any individual whose personal data we collect, process, or maintain in connection with our operations
How We Collect Your Information
Information Provided Directly by You
We collect personal information that you voluntarily provide, including:
- Employment and Recruitment Information: Full name, contact information, date of birth, employment history, educational background, professional qualifications, references, identification documents (national ID, passport, work permits), emergency contacts, banking details for salary payments, tax identification numbers, and social security information
- Health and Sensitive Information: Health insurance information, disability status (to accommodate workplace needs), occupational health and safety records, and insurance/benefits enrollment data
- Communications Data: Email addresses, phone numbers, messaging records, correspondence, survey responses, and feedback
Information Collected Automatically
When you access our website or use our digital services, we automatically collect:
- Technical Information: IP addresses, device identifiers, browser type, operating system, pages visited, time spent on site, navigation patterns, cookies, login and authentication data, and system logs
- Location Information: General geographic location (if enabled) and work location data for scheduling and compliance purposes
Information from Third Parties
We may collect personal information from:
- Background check providers (with your consent)
- Previous employers or educational institutions (for verification)
- Government agencies (for employment authorization and tax compliance)
- Financial institutions (for payroll processing and verification)
- Third-party service providers we engage to support our services
- Publicly available sources (LinkedIn, professional databases)
Legal Basis
Our data protection practices are governed by:
- Rwanda Law No. 058/2021 — Law Relating to Personal Data Protection, which is the primary data protection legislation in Rwanda. This law establishes the rights of data subjects and the obligations of data processors and controllers.
- General Data Protection Principles — We follow international best practices aligned with global data protection standards.
- Rwanda's National Data Protection Authority — The regulatory body responsible for overseeing compliance with data protection regulations.
We ensure our data processing activities comply with all applicable legal requirements under Rwanda Law No. 058/2021, including obtaining valid consent, maintaining records, and protecting individual rights.
Data Processing
Legal Basis for Data Processing
We process personal data based on the following lawful bases, consistent with Rwanda Law No. 058/2021:
- Contract Performance: Processing necessary to execute employment contracts and provide EOR services, including payroll processing and benefits administration
- Legal Compliance: Compliance with Rwanda's labor laws, tax and social security administration and reporting, and government agency requests
- Legitimate Business Interests: Recruitment and talent acquisition, business development, fraud prevention, quality assurance, and service improvement
- Explicit Consent: Marketing communications, processing of sensitive personal data beyond employment requirements, and background checks
- Vital Interests: Protection of health, safety, and wellbeing of individuals during emergency response
- Employment Necessity: Processing necessary for employment administration and compliance with contractual or legal obligations
How We Use Your Information
We process personal data for the following purposes:
- Primary EOR Services: Recruiting and hiring candidates, employee administration, payroll processing, tax and statutory benefit administration, compliance with employment laws, performance management, and termination processing
- Service Delivery: Providing customer support, communicating service updates and policy changes, resolving disputes and complaints, and conducting employee surveys
- Compliance and Legal Obligations: Meeting government reporting requirements, maintaining employment records, conducting audits, managing workplace health and safety, investigating workplace violations, and managing legal claims
- Business Operations: Analyzing service usage, improving our offerings, conducting research, creating anonymized statistical data, training and quality assurance, system maintenance, and fraud detection
- Marketing and Communications: Sending newsletters and service updates (with consent), notifying of new services, conducting market research, and promoting relevant services
- Data Analytics: Understanding market trends in Rwanda, benchmarking compensation and benefits practices, and generating industry insights (in aggregated, anonymized form)
Data Retention
We retain personal data only as long as necessary to fulfill the purposes for which it was collected or as required by law. Retention periods vary depending on the type of data and the legal requirements applicable to the specific service provided. For employment records, we typically retain data for a minimum of seven years as required by Rwandan employment and tax regulations.
Data Sharing and Disclosure
Service Providers and Processors
We may share your personal data with third-party service providers who process data on our behalf:
- Payroll and HR software providers – for payment processing and records management
- Background check agencies – for employment verification services
- Banking and financial institutions – for salary payments and tax administration
- Government agencies (RRA, RSSB, RAMA) – for tax, social security, and employment compliance
- Cybersecurity and IT service providers – for system maintenance and data security
- Audit firms and consultants – for compliance and regulatory reviews
- Legal and professional advisors – for counsel on employment matters
All service providers are bound by data protection agreements and are prohibited from using your data except as necessary to provide contracted services.
Legal Requirements and Compliance
We may disclose your personal data when required by law or legitimate government request, including responding to subpoenas, court orders, regulatory investigations, tax authorities, employment verification requests, and workplace health and safety regulatory obligations.
Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred as part of that transaction. We will provide notice and obtain consent where required by law.
With Your Consent
We may share your personal data with third parties when you explicitly consent to such disclosure for specific purposes (e.g., reference checks, industry associations, professional networks).
Restrictions on Data Sharing
We do NOT:
- Sell or rent your personal data to marketing lists or third parties
- Share your data with unaffiliated companies for their direct marketing purposes
- Disclose sensitive health information except where legally required for employment purposes
- Share your banking information beyond what is necessary for payroll processing
Cookies and Tracking Technologies
Cookie Usage
Umurimo Global uses cookies and similar tracking technologies to remember your preferences and login information, analyze website usage and performance, provide personalized user experiences, detect and prevent fraud, and measure marketing campaign effectiveness.
Types of Cookies
- Essential Cookies: Required for website functionality and security; automatically used and cannot be disabled
- Performance Cookies: Track website analytics and usage patterns; help us improve service quality
- Marketing Cookies: Used for targeted advertising and promotional content; require your explicit consent
Cookie Consent and Your Choices
We obtain your explicit consent before using non-essential cookies and tracking technologies. You can accept all cookies through our consent banner, opt out of specific cookie categories, modify cookie preferences in your browser settings, or withdraw consent at any time. Third-party services on our website (analytics, advertising) may set their own cookies. We encourage you to review their privacy policies.
Data Security
We implement comprehensive security measures to protect your personal data:
- Encryption — Data is encrypted during transmission and at rest using industry-standard protocols.
- Access Controls — Only authorized personnel with a legitimate business need have access to personal data.
- Physical Security — Data storage facilities are protected with appropriate physical security measures.
- System Monitoring — We maintain systems to detect and respond to unauthorized access attempts.
- Secure Practices — Our staff receive regular training on data protection and information security best practices.
- Third-Party Security — We work only with service providers who maintain equivalent security standards.
While we implement robust security measures, no system is entirely risk-free. We are committed to continuously improving our security infrastructure to protect your data.
Your Rights and How to Exercise Them
Under Rwanda Law No. 058/2021 (Articles 26–30), you have the following rights regarding your personal data:
Right of Access
You have the right to request access to your personal data held by us. We will provide your data in a clear, understandable format within 30 days of your verified request.
Right of Rectification
You can request correction of inaccurate or incomplete personal data. We will verify the correction and update your records within 10-15 business days. Where you dispute accuracy but evidence is unclear, you may request addition of a disputed correction statement attached to your data.
Right of Erasure
In certain circumstances, you may request deletion of your personal data, particularly where the data is no longer necessary for the original purpose, you have withdrawn consent, or the data has been unlawfully processed. We may retain data where required by law (tax, employment records) or where necessary to fulfill contractual obligations.
Right to Data Portability
You can request that we provide your personal data in a structured, commonly used, portable format (such as CSV or JSON) and transmit that data to another organization without hindrance. This data will be provided in electronic format within 30 days at no cost.
Right to Object
You may object to processing of your personal data based on legitimate business interests, including for direct marketing purposes. Upon receipt of your objection, we will cease processing unless we can demonstrate compelling legitimate reasons to continue.
Right to Restrict Processing
You may request that we restrict (limit) processing of your data while we resolve a dispute about accuracy, processing legality, or other concerns. Restricted data will be retained securely but not actively processed.
Right to Withdraw Consent
Where we process data based on your explicit consent, you may withdraw that consent at any time. Withdrawal does not affect processing that occurred before withdrawal. You can withdraw consent by contacting our Data Protection Officer.
Exercising Your Rights
To exercise any of these rights:
- Contact our Data Protection Officer at privacy@umurimoglobal.com
- Provide sufficient information to identify your records
- Specify which right(s) you are exercising
- We will respond within 30 days (may be extended to 60 days for complex requests)
- No charge will apply unless your requests are excessive or manifestly unfounded
Appeal and Escalation
If you are not satisfied with our response to a data rights request or privacy concern:
- Request escalation to our Data Protection Officer and senior management within 10 business days
- We will review your appeal and provide a written response within 10 business days
- If you remain unsatisfied, you may file a complaint with Rwanda's Data Protection Authority
- You may also pursue legal action through Rwanda's courts
Breach Response
In the event of a data breach that compromises the security or integrity of personal data, we are committed to:
Immediate Response
- Rapid Detection: Our security systems continuously monitor for unauthorized access or anomalies
- Prompt Investigation: We immediately investigate suspected breaches to determine scope, impact, and affected individuals
- Swift Containment: We take immediate action to stop the breach and prevent further access
Notification Procedures
- Individual Notification: We will inform affected individuals in a timely manner (best practice: 30-72 hours from discovery) with details about the breach, data involved, and recommended protective measures
- Regulatory Notification: We will notify Rwanda's Data Protection Authority and other appropriate regulatory authorities as required by law
- Media Notification: For breaches affecting more than 100 individuals or involving highly sensitive data, we will notify relevant media where appropriate or required
Notification Content
Our breach notifications include:
- Description of what happened and when it occurred
- Categories of individuals and data affected
- Potential risks and likely consequences
- Protective measures we have implemented
- Recommended steps to protect themselves
- Contact information for additional information
Remediation and Support
- Corrective Measures: We will implement corrective measures to prevent similar incidents
- Credit Protection: For breaches involving financial data, we may provide free credit monitoring services
- Documentation: We maintain detailed records of all breaches and our response actions
- Post-Incident Review: We conduct a thorough review to identify root causes and process improvements
Our breach response procedures comply with Articles 33–35 of Rwanda Law No. 058/2021.
Cross-Border Transfers
We may need to transfer personal data outside of Rwanda in limited circumstances, such as when required to provide services or comply with legal obligations. Any cross-border data transfers are conducted with appropriate safeguards, including:
- Standard Contractual Clauses — We use legally binding data transfer agreements with recipients in other jurisdictions.
- Adequacy Assessment — We assess whether recipient countries provide adequate data protection levels.
- Explicit Consent — Where required, we obtain your explicit consent before transferring data internationally.
- Legal Requirements — All international transfers are governed by Article 25 of Rwanda Law No. 058/2021 and applicable international data protection standards.
Data Processing Agreement (DPA)
A detailed Data Processing Agreement (DPA) is available upon request. The DPA outlines specific data processing arrangements, including detailed provisions on data security, liability, and compliance with regulatory requirements. If you are a business client or require additional contractual protections regarding data processing, please contact us at privacy@umurimoglobal.com to request a copy of our standard DPA.
Notices for Specific Audiences
For Job Candidates
When you apply for positions through our recruitment services, we collect information to assess your qualifications and suitability. Your recruitment data is retained for 1-2 years, or longer with your consent if you are hired. We will not share your information with non-relevant employers without your consent, and you may request that your application be deleted after 12 months of inactivity. We use your data only for recruitment and HR compliance purposes.
For Employees of Client Companies
As an employee managed through our EOR platform, your data is held securely and processed according to Rwanda's employment laws. Your employer (the client company) and Umurimo Global share responsibility for your data protection. You retain all rights to access, correct, delete, or restrict processing of your personal information. Your data will not be used for purposes beyond employment administration, and special protections apply to sensitive health and personal information.
For Client Companies
When you engage Umurimo Global for EOR services, we process personal data of your employees on your behalf as a data processor. We will execute a Data Processing Agreement governing our relationship and specifying data security measures. Your company retains control over lawful bases and purposes for processing, and you retain responsibility for employee privacy rights and notifications. We implement security measures as specified in our agreement.
For Website Visitors
When you visit our website without registering, we collect only technical and anonymized data through cookies and tracking technologies (used only with your consent). We do not require personal information for general browsing. Your privacy is protected even if you do not use our services, and you can manage cookie preferences through your browser settings.
Contact Information
This Privacy Policy was last updated in May 2026 and is subject to change. We recommend reviewing this policy periodically to stay informed of any updates.