1.0. PRIVACY NOTICE
At Tropical Bank Limited, we are committed to safeguarding your personal information and ensuring your privacy. This Privacy Notice explains how we collect, use, store, disclose, and protect your personal data across all channels, including when you:
• Visit our website and use our online services;
• Engage with us in person at our banking halls via physical forms and documents;
• Interact with our authorized agents in the field or at other service points.
Whether your data is collected digitally or physically, this Notice applies and ensures your personal information is managed in accordance with the Uganda Data Protection and Privacy Act, 2019.
2.0. GENERAL PRINCIPLE
This Notice relates to the privacy of your information at Tropical Bank Limited across all service channels, including:
• Our website, internet banking, and mobile banking applications;
• Online advertisements and all official social media channels;
Limitation of Control Over Social Media Platforms: Tropical Bank maintains official social media handles on platforms such as Facebook, X (formerly Twitter), LinkedIn, and others. While the Bank moderates its official pages, the processing of personal data shared via these platforms is governed by the privacy policies of the respective social media companies. The Bank does not control how these third parties collect or use data. Users are encouraged to review the privacy settings and terms of use of each platform before engaging.
• Data collected through physical forms and interactions in our banking halls;
Personal data gathered via physical documents, deposit or withdrawal slips, and in-person interactions is handled with the same strict confidentiality and security standards as online data. Tropical Bank ensures that all physical data collection processes comply fully with the Uganda Data Protection and Privacy Act, 2019, safeguarding your information throughout its lifecycle.
• Information gathered by our authorized agents when providing banking services in the field or at agent locations.
Personal data collected by these agents is protected under the same legal and security standards as the Bank’s own operations. Agents are contractually bound to comply with Tropical Bank’s Data Protection Policy and the Uganda Data Protection and Privacy Act, 2019. You are required to always verify an agent’s identity before sharing personal information.
We are committed to keeping your information private and secure, including any information about you that you provide directly or that third parties supply to us on your behalf, regardless of how or where it is collected.
3.0. PERSONAL DATA WE COLLECT
We collect personal data directly from you when you:
• Open an account or apply for our products and services
• Use our online banking services
• Contact us via our website, email, branch, or phone
We may collect the following types of personal data about you. In this privacy notice, “You” refers to you as an individual, as relevant if you are:
• a consumer banking client;
• a representative of, or an individual directly or indirectly related to or associated with: (i) a company, business or organisation that is our consumer banking client; or (ii) a person or a company, business or organisation that has a relationship with our personal banking client; or
• a representative of, or an individual directly or indirectly related to or associated with: (i) a company, business or organisation that is our business or corporate banking client; or (ii) a person or a company, business or organisation that has a relationship with our business or corporate banking client.
In the context of our business and corporate client relationships, the personal data we collect is primarily limited to the information necessary to fulfil our legal and operational obligations. This may include details relating to directors and officers, employees, authorised signatories, direct and indirect beneficial owners, and other individuals we interact with to facilitate the provision of our products and services. Typical information includes due diligence documentation, signatory details, and contact information.
If you provide us with another individual’s personal data, you are responsible for ensuring that you have their consent to do so and that they are informed of how we will use their information. We reserve the right to request proof that such consent has been obtained.
Subject to relevance and applicable laws, we may collect the following categories of personal data:
• Identification data – information that identifies (uniquely or semi-uniquely) you. For example, your name, your date of birth, your gender, your photographs, CCTV and video recordings of you and other identifiers, including official/government identifiers such as national identification number, passport number and tax identification number.
• Contact data – information that allows addressing, sending or communicating a message to you. For example, your email address, your phone or mobile number and your residential or business address.
• Professional data – information about your educational or professional background.
• Geo-location data – information that provides or contains a device’s location. For example, your internet protocol (IP) address or your cookies identifier.
• Behavioural data – analytics information that describes your behavioural characteristics relating to your use of our products and services. For example, usual transactional activities, browsing behaviour on our websites and how you interact as a user of our products and services, or those provided by third-party organisations, such as our advertising partners and social media platform providers.
• Personal relationship data – information about associations or close connections between individuals or entities that can determine your identity. For example, spouse, next of kin or employer relationships.
• Communications data – information relating to you contained in voice, messaging, email, live chats and other communications we have with you. For example, service requests.
Sensitive Personal Data
In certain circumstances, we may need to collect more sensitive types of personal data about you. We will only do so when it is necessary and either with your explicit consent or where permitted or required by law.
• Racial or ethnic origin data – information which reveals your racial or ethnic origin.
• Biometric data – information that identifies you physically. For example, facial recognition information, your fingerprint or voice recognition information.
• Health data – information relating to your health status. For example, disability information relevant to accessibility.
• Financial and commercial data – your account and transaction information or information that identifies your financial position and background, status and history as necessary to provide relevant products and services. For example, your debit or credit card details, your source of funds, your financial and credit rating history.
• Criminal convictions, proceedings or allegations data – information about criminal convictions or related information that we identify in relation to our financial crime prevention obligations, for example, details about any criminal convictions or related information. This includes details of offences or alleged offences or convictions.
• Sexual Orientation
• Marital Status - e.g., whether you are single, married, divorced, or widowed, when relevant to the product or service.
We typically collect your personal data directly from you. However, depending on the specific products and services we provide, we may also obtain your personal data from other sources when necessary, including:
• People you know – such as:
• Parents or guardians of minors: If you are a minor (typically under 18 years of age, although this may vary depending on local laws), we will obtain consent from your parent or guardian before collecting, using, or sharing your personal data.
• Joint account holders: We may receive your personal data from individuals with whom you hold a joint account.
• Referees: Personal data may be provided by individuals you have listed as referees.
• Authorised representatives: This includes individuals you have appointed to act on your behalf, such as legal representatives, agents, or proxies.
• Businesses and other organisations – such as:
Your employer or affiliated organisation: This includes your employer, or any company, business, or organisation you represent or are otherwise connected to, where relevant to the services we provide.
Other financial institutions and service providers: Such as banks, insurers, payment service providers, and other entities involved in processing financial transactions or delivering related financial services.
Strategic referral partners: This includes business alliances, co-branding partners, or other companies and organisations with whom Tropical Bank Limited collaborates under contractual arrangements or joint ventures to offer relevant third-party products and services.
Service providers: Such as advertising agencies, market research firms, and social media platform providers that support our business operations and outreach efforts.
Credit reference and fraud prevention agencies: We may share or obtain personal data to assess creditworthiness, prevent fraud, or comply with financial due diligence obligations.
Regulatory and authorised bodies: Including tax authorities, law enforcement agencies, and other governmental or regulatory entities with jurisdiction over Tropical Bank Limited, including those responsible for enforcing financial sanctions.
• Our corporate, SME and consumer clients – where you receive the benefit of our services in relation to our contract with the company, business or organisation you interact with. For example, processing salary payments on behalf of your employer or managing loan facilities arranged through your organization.
• Publicly available resources – such as online registers or directories or online publications, social media posts and other information that is publicly available.
• Cookies and Tracking Technologies: A cookie is a small piece of text that is saved on your internet browser when you use our websites. Our website uses cookies to enhance user experience and support essential site functionality. Cookies used on our platforms may include:
Strictly Necessary Cookies: Essential for the operation of the site (e.g., secure login, session management).
Performance Cookies: Help us understand how visitors interact with the site (e.g., analytics).
Functionality Cookies: Remember preferences like language or location.
Marketing Cookies: May be used to deliver targeted advertisements based on browsing behavior.
A cookie consent prompt appears on our website upon your first visit, allowing you to accept or manage your preferences. Only essential cookies are required for the site to function and cannot be disabled.
You can stop your browser from accepting cookies, but if you do, some parts of our websites or online services may not work. We recommend that you allow cookies.
4.0. WHY WE COLLECT YOUR PERSONAL DATA
We collect your personal data to provide our products and services, manage our client relationships, and run our business operations. This is necessary both when you hold an account with us directly and when you represent, or are connected to, other individuals, companies, businesses, or organisations that bank with us. For example, this may include situations where you act as a guarantor, employee, shareholder, director, officer, agent, next of kin, referee or an authorised person.
If you hold more than one account with Tropical Bank Limited, or are associated with multiple accounts, we may link your accounts and personal data to give us a comprehensive view of our relationship with you.
We process your personal data primarily with your consent, where required by law, or where permitted or required by applicable laws. This processing may include the following lawful reasons:
• Legal Obligation – when we’re required to comply with laws and regulations
• Contract – when we’re performing contractual obligations
• Legitimate Interest – when it’s within our legitimate interests for the purpose of processing.
What we use your personal data for is often referred to as our purposes of processing and these are detailed below. We may not be able to offer or provide our products and services if you do not provide us with the necessary personal data or do not want us to process the personal data that we consider is necessary and/or is required to meet our legal and regulatory obligations.
Purposes of Processing
We process your personal data for the following purposes, as necessary, to provide relevant products and services. This depends on whether you hold an account with us directly or represent, or are associated with, other individuals, companies, businesses, or organisations that bank with us.
Assessing and providing products and services to our clients (Legal basis: Contract, Legal Obligation, or Legitimate Interest)
This includes:
• Assessing eligibility, merits, and suitability of product and service applications for clients; we may retain a record of the application if eligibility criteria are not met.
• Assessing suitability of individuals as guarantors.
• Conducting due diligence and Know Your Customer (KYC) checks as required by applicable laws.
• Performing credit checks and financial assessments in accordance with relevant laws and regulations.
• Setting credit limits for clients based on assessments.
• Obtaining quotations, assisting with applications, and engaging with strategic referral partners for co-branding and third-party products and services, such as insurance and wealth management.
• Opening accounts for clients.
Managing banking relationships and administering client accounts (Legal basis: Contract, Legal Obligation or Legitimate Interest)
This includes:
• Establishing, continuing, and managing client banking relationships and accounts with Tropical Bank Limited, or, where applicable, any associated entities.
• Providing clients with appropriate access to our products and services, such as our online and mobile banking platforms.
• Operating, providing, reviewing, and evaluating products and services offered by or through Tropical Bank Limited or any related entities, to fulfil our contractual obligations with clients.
• Processing and verifying transactions and acting on instructions or requests, such as transferring funds between accounts and making payments to third parties for clients.
• Maintaining up-to-date records of authorised persons and signature lists.
• Maintaining statements detailing the amount of indebtedness owed by you to us and by us to you.
• Administering credit facilities or loans for clients, including processing applications and managing account terms.
• Maintaining contact information for ongoing communication and account management.
• Responding to inquiries or managing complaints, including monitoring social media to identify relevant conversations, sentiments, and feedback about Tropical Bank Limited.
• Issuing notifications about changes to the terms and conditions of our products and services.
• Recording communications for record-keeping and evidential purposes, including online messages, emails, and telephone calls.
• Contacting clients regarding the products and services we are providing, including updates or account-related information.
Operating our business (Legal basis: Contract, Legal Obligation or Legitimate Interest)
This includes:
• Managing authentication and user access controls for clients, including for online and mobile banking platforms.
• Conducting audits of our business operations to ensure compliance and effectiveness.
• Developing and maintaining credit scoring models related to client assessments.
• Carrying out credit management activities, such as maintaining client credit histories for current and future reference, updating credit bureaus and credit reference agencies, and conducting ongoing creditworthiness assessments and checks.
• Assisting other banks and third parties in recovering funds that have been mistakenly credited to client accounts due to erroneous payments.
• Managing business operations, which includes administrative functions related to our products and services, monitoring and reporting on our financial portfolio, performing risk management, conducting audits, maintaining secure communication and processing systems, and supporting systems development, testing, business planning, and decision-making.
Improving our products and services to our clients (Legal basis: Legitimate Interest or Consent)
This includes:
• Developing, testing, and analysing our systems, products, and services to improve performance and user experience.
• Monitoring and recording communications with you—such as phone calls—for training, quality assurance, and compliance purposes.
• Conducting market research and customer satisfaction surveys to better understand your needs and expectations.
• Designing and enhancing products and services to suit your needs, such as credit cards and other banking solutions.
• Conducting demographic analysis and generating insights by aggregating data—such as behavioural patterns from your use of our products, services, and applications—to offer more personalised and relevant solutions.
For further information on direct marketing, please refer to the ‘When do we conduct direct marketing?’ section of this privacy notice.
Keeping you and our people safe (Legal basis: Legal Obligation or Legitimate Interest)
This includes:
• Conducting identity verification and security checks for access to our buildings and facilities.
• Using CCTV surveillance recordings at our branches, premises, and ATMs to prevent and detect fraud or other criminal activities, such as theft.
• Investigating and reporting incidents or emergencies that occur on our properties or premises.
• Ensuring the security of our systems and networks to safeguard your data and maintain confidentiality.
• Complying with health and safety requirements and related regulatory obligations.
• Monitoring social media activity to help protect clients from unintentionally sharing personal information that could be exploited for fraud.
Detecting, investigating and preventing financial crimes (Legal basis: Contract, Legal Obligation or Legitimate Interest)
This includes:
• Complying with Tropical Bank Limited’s internal policies and procedures, including the identification of individuals and implementation of investigative measures or arrangements for the secure sharing of data and information within Tropical Bank Limited and its affiliated entities.
• Using data and information in line with the bank-wide compliance programmes, particularly those related to sanctions enforcement, anti-money laundering (AML), counter-terrorist financing (CTF), Counter Proliferation Financing (CPF) and the prevention or detection of other unlawful activities.
• Conducting identity verification and security checks against government and other official centralised databases, as required by applicable laws and regulations.
• Monitoring and recording voice and electronic communications, and screening applications and transactions to detect and prevent actual or suspected fraud, financial crime, or other criminal activities such as identifying unusual transaction patterns or behaviours.
• Recording and monitoring communications, where permitted by law, to ensure compliance with legal and regulatory obligations as well as internal policies and procedures.
• Conducting checks against government and non-government databases maintained by fraud prevention and financial crime prevention agencies, in order to combat money laundering, terrorism, fraud, and other financial crimes. A record of any identified fraud or money laundering risk may be retained by these agencies and could affect your ability to access financial services or employment in the future.
Complying with applicable laws, regulations and other requirements (Legal basis: Legal Obligation or Legitimate Interest)
This includes:
• Complying with Tropical Bank Limited’s internal policies and procedures, including identifying individuals and undertaking investigative measures, and implementing arrangements for the secure sharing of data and information within Tropical Bank Limited and its affiliated entities.
• Meeting obligations under applicable local and international laws, including regulations, directives, court orders, sanctions, embargoes, reporting requirements, or demands issued by legal, tax, law enforcement, regulatory, or supervisory authorities—whether domestic or foreign. For example, we may be required to share personal data related to your bank account with local tax authorities under applicable laws. In some cases, such authorities may further share this information with foreign tax authorities under international agreements or laws governing the automatic exchange of financial account information. To comply, we may need to request additional information from you.
• Following voluntary codes, industry guidelines, or best practices issued by legal, regulatory, governmental, tax, or law enforcement bodies, as well as by self-regulatory or financial industry associations in any jurisdiction where Tropical Bank Limited operates or has compliance obligations.
5.0. WHERE WE SHARE YOUR PERSONAL DATA
Your personal data may be processed, stored, shared, transferred, or disclosed by Tropical Bank Limited to third parties, corresponding banks and money transfer services, or within our affiliated entities for the purposes outlined in this Privacy Notice. This is done to operate efficiently and securely, facilitate transactions, deliver our products and services, enhance our business processes, and comply with applicable legal and regulatory obligations.
If we transfer your personal data outside Uganda, we shall ensure that the destination country provides an adequate level of data protection or that we have implemented appropriate safeguards, such as binding corporate rules or standard contractual clauses.
6.0. OUR DATA PROTECTION OFFICER
We have appointed a Data Protection Officer (DPO) responsible for overseeing our data protection practices and ensuring compliance with applicable laws. You can contact our DPO at dpo@trobank.com for any privacy-related inquiries.
7.0. CHANGES TO THIS PRIVACY NOTICE
We may update our “Privacy Notice” from time to time. Accordingly, you are advised to review this page periodically for any changes. Any changes made may be notified to you. These changes take effect immediately after they are posted on this page.
8.0. HOW WE PROTECT YOUR PERSONAL DATA
At Tropical Bank Limited, we take the privacy and security of your personal data very seriously. We have implemented a range of appropriate technical, physical, and organisational measures to protect your data and maintain its confidentiality. For example, we include data protection, confidentiality, and security provisions in our contracts with third parties who handle personal data on our behalf.
Tropical Bank Limited has established robust information security and data privacy policies, including incident management and reporting procedures, technical safeguards, and operational rules to protect personal data and ensure compliance with legal and regulatory requirements.
We also train and require our employees who access your personal data to follow strict data privacy and security protocols. Similarly, we expect our service providers and any third parties we work with to uphold equivalent standards of confidentiality, data protection, and information security when accessing, handling, or processing your personal data.
9.0. RETENTION PERIOD FOR YOUR PERSONAL DATA
We retain your personal data for as long as necessary (minimum 10 years) to fulfill the purposes outlined in this privacy notice, including for business operations and legal or regulatory compliance, while you continue to engage with us. After your relationship with us ends, we may continue to retain certain personal data for a defined period, depending on the nature of the data and our legal obligations, in accordance with our data retention policy and applicable laws and regulations.
Once personal data is no longer required for these purposes, we will securely delete, anonymise, or destroy it, or otherwise ensure it is no longer used in a manner that identifies you.
10.0. YOUR RIGHTS REGARDING YOUR PERSONAL DATA
We respect your personal data, and you have the following rights about how we use your information:
• Right to Access Your Data – You have the right to confirm whether we hold personal data about you. You may also request a copy of this data, along with information on how we have used it.
• Right to Correct Your Data – If your personal information has changed or you believe we hold incorrect or outdated data about you, you can request that we update or correct it.
• Right to Delete Your Data – You may ask us to delete your personal data. Please note, however, that certain personal information may be necessary for us to deliver our products or services to you.
• Right to Know Third Parties – You can request that we disclose the identity of any third party who has had or currently has access to your personal data.
• Right to Restrict or Object to Processing – You can ask us to stop processing your data or to change the way we use it. However, some data may be essential for us to interact with you or provide certain services.
• Right to Object to Automated Decision-Making – If a decision that affects you is made solely through automated processing, you have the right to request a review of that decision.
• Right to Data Portability – You may request that we transfer your personal data to another organisation in a format that is structured, commonly used, and machine-readable.
• Right to Withhold or Withdraw Consent – From time to time, we may request your consent to process your personal data. You have the right to withhold consent or to withdraw any previously given consent at any time. However, this may affect our ability to provide certain services or engage with you effectively.
• Right to Withdraw from Direct Marketing – You can withdraw your consent at any time and request that we stop sending you marketing communications or invitations to participate in surveys.
We will respond to your requests to exercise any of your data rights in accordance with applicable laws. To protect your privacy, we may ask you to verify your identity before processing your request. If you have any questions about your rights or how to exercise them, please contact us using the details provided in the “Reach Out to Us” section below.
11.0. REACH OUT TO US
Tropical Bank Limited, with the address below, is the legal entity acting as the data controller of your personal data in Uganda:
Tropical Bank Limited, Main Building
Plot 27 Kampala Road
P.O. Box 9485
Kampala, Uganda
To lodge a complaint regarding the handling of your personal data, you may contact our Data Protection Office directly in writing at the address above, by phone at 0800205510, or via email at dpo@trobank.com. Your complaint will be acknowledged and addressed in accordance with applicable data protection laws.