Privacy Policy
Last updated: 21 February 2026
1. Introduction and Who We Are
This Privacy Policy explains how Centre for Governance and Environmental Research (CEGER) Ltd (“we”, “our”, “us”) collects, uses, stores, and protects your personal information when you visit our website at https://ceger.org.
CEGER Ltd is a Ugandan-based consultancy firm specialising in governance, environmental research, public health policy, climate change, and monitoring and evaluation. We are registered in Uganda and operate from Suite D13, 3rd Floor, Nansana Business Centre, P.O. Box 35305, Kampala, Uganda.
Our website is hosted on Amazon Lightsail servers located in London, United Kingdom. As a result, this policy is drafted in compliance with both the United Kingdom General Data Protection Regulation (UK GDPR) and the Uganda Data Protection and Privacy Act, 2019 (DPPA).
For the purposes of UK GDPR, CEGER Ltd is the data controller responsible for your personal data. For the purposes of the Uganda DPPA, CEGER Ltd is the data collector and data processor.
2. What Information We Collect
We collect and process the following categories of personal data depending on how you interact with our website:
2.1 Information You Provide Directly
When you use our contact form (powered by WPForms), we collect:
- Your full name
- Your email address
- Your phone number (if provided)
- The content of your message
This information is collected only when you voluntarily submit it through the form.
2.2 Information Collected Automatically
When you browse our website, certain technical data is collected automatically:
Analytics data (via Google Analytics 4):
- Pages visited and time spent on each page
- Referring website or search engine
- General geographic location (city/country level, not precise location)
- Device type, browser type, operating system, and screen resolution
- Language preferences
Google Analytics 4 uses cookieless measurement where possible and does not collect personally identifiable information such as your name or email address.
Security data (via Wordfence):
- IP addresses
- Login attempts and timestamps
- Browser user-agent strings
- Requests made to the website (for firewall and malware protection)
Performance data (via WP Super Cache):
- Cached page data to improve website loading speed
- This data is technical in nature and is not used to identify individual visitors
2.3 Governance Map Data
Our website features interactive governance maps (Uganda Governance Map and Africa Governance Map) that display publicly available data about governance events, electoral issues, and related information. These maps are powered by custom plugins with public REST API endpoints. The governance data displayed on these maps is public information and does not contain personal data of website visitors. No personal data is collected from you when you view or interact with the maps.
2.4 Information We Do Not Collect
We want to be clear about what we do not do:
- We do not require user registration or visitor accounts
- We do not operate an e-commerce platform or process payments
- We do not use marketing or advertising cookies
- We do not collect sensitive or special category data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data)
3. How We Use Your Information
We use the personal data we collect for specific, limited purposes. Below we set out each purpose alongside the legal basis under UK GDPR and the corresponding principle under the Uganda DPPA.
| Purpose | Data Used | Legal Basis (UK GDPR) | Uganda DPPA Basis |
|---|---|---|---|
| Responding to your enquiries submitted through our contact form | Name, email, phone number, message content | Legitimate interest (Article 6(1)(f)) — to respond to communications you have initiated | Consent — you voluntarily provide the data by submitting the form |
| Understanding how visitors use our website so we can improve content and user experience | Analytics data (pages visited, device type, general location) | Legitimate interest (Article 6(1)(f)) — to maintain and improve our website | Legitimate interest of the data collector |
| Protecting our website from security threats, malicious attacks, and unauthorised access | IP addresses, login attempts, user-agent strings, request data | Legitimate interest (Article 6(1)(f)) — to ensure the security of our website and systems | Legitimate interest of the data collector; compliance with security obligations |
| Improving website performance and page load times | Cached page data | Legitimate interest (Article 6(1)(f)) — to provide a fast and reliable website experience | Legitimate interest of the data collector |
| Complying with legal obligations where applicable | Any data as required | Legal obligation (Article 6(1)(c)) | Compliance with Ugandan law |
Where we rely on legitimate interest as our legal basis, we have conducted a balancing assessment and determined that the processing is necessary for the stated purpose, that the purpose cannot reasonably be achieved by less intrusive means, and that your rights and freedoms are not overridden by our interest.
4. Cookies
Our website uses a limited number of cookies to function properly, analyse website traffic, and protect against security threats. We do not use any marketing or advertising cookies.
The cookies used on our website fall into the following categories:
- Strictly necessary cookies — required for the website to function (e.g., WordPress session cookies, WP Super Cache cookies)
- Analytics cookies — used by Google Analytics 4 to understand visitor behaviour in aggregate
- Security cookies — used by Wordfence to identify and block malicious traffic
For a full breakdown of the specific cookies we use, their purposes, and their durations, please refer to our Cookie Policy.
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data to any third party. We share data only with the following service providers who process it on our behalf and under our instructions:
| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Amazon Web Services (Lightsail) | Website hosting | All data processed by the website passes through AWS infrastructure | London, United Kingdom |
| Google LLC (Google Analytics 4) | Website analytics | Anonymised usage data, device information, general location | United States (with EU/UK data processing safeguards) |
| Wordfence (Defiant Inc.) | Website security | IP addresses, request data, user-agent strings | United States |
Each of these third parties is contractually bound to process your data only for the purposes described above and in accordance with applicable data protection law. We have ensured appropriate safeguards are in place where data is transferred outside the UK (see Section 6 below).
We may also disclose your personal data if required to do so by law, regulation, legal process, or enforceable governmental request from authorities in either the United Kingdom or Uganda.
6. International Data Transfers
CEGER Ltd is based in Uganda, and our website is hosted in the United Kingdom. Some of the third-party services we use (Google Analytics, Wordfence) are operated by companies based in the United States. This means your data may be transferred to and processed in countries outside your country of residence.
Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including:
- Transfers to countries recognised by the UK Government as providing an adequate level of data protection
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office
- The service provider’s participation in recognised data protection frameworks
Under the Uganda DPPA, we ensure that any cross-border transfer of personal data complies with Section 19 of the Act, which requires adequate levels of protection for personal data transferred outside Uganda.
7. Data Retention
We keep your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:
| Data Type | Retention Period | Reason |
|---|---|---|
| Contact form submissions | 24 months from the date of submission | To allow reasonable time to respond and follow up on enquiries |
| Google Analytics data | 14 months (configured in GA4) | To analyse website usage trends over a meaningful period |
| Wordfence security logs | 90 days | To investigate and respond to security incidents |
| WP Super Cache data | Cleared periodically (typically within hours to days) | Cache data is temporary and is regularly purged |
When the retention period expires, we securely delete or anonymise the data so that it can no longer be associated with you.
8. Your Rights
Depending on the laws that apply to you, you have a number of rights regarding your personal data. We are committed to honouring these rights and making it straightforward for you to exercise them.
8.1 Rights Under UK GDPR
If UK data protection law applies to the processing of your data (for example, because your data is processed on our UK-based server), you have the following rights:
- Right of access — You can request a copy of the personal data we hold about you.
- Right to rectification — You can ask us to correct any inaccurate or incomplete personal data.
- Right to erasure — You can ask us to delete your personal data where there is no compelling reason for us to continue processing it.
- Right to restrict processing — You can ask us to temporarily suspend the processing of your personal data in certain circumstances.
- Right to data portability — Where processing is based on consent or contract and is carried out by automated means, you can request your data in a structured, machine-readable format.
- Right to object — You can object to processing based on legitimate interest. We will stop processing your data unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making — We do not carry out any automated decision-making or profiling using your personal data.
8.2 Rights Under the Uganda Data Protection and Privacy Act, 2019
If the Uganda DPPA applies to the processing of your data, you have the following rights under Part V of the Act:
- Right to access — You can request confirmation of whether we hold your personal data and obtain a copy of it.
- Right to correction — You can request correction of false or misleading personal data.
- Right to deletion — You can request deletion of personal data that is no longer necessary for the purpose for which it was collected.
- Right to object — You can object to the processing of your personal data in certain circumstances.
8.3 How to Exercise Your Rights
To exercise any of the rights described above, please contact us using the details provided in Section 11 below. We will respond to your request within one calendar month. In exceptional circumstances, we may extend this period by a further two months, but we will inform you of any such extension and the reason for it within the initial one-month period.
We will not charge a fee for handling your request unless the request is manifestly unfounded or excessive. We may ask you to verify your identity before processing your request to protect your data from unauthorised access.
9. Children’s Privacy
Our website is not directed at children under the age of 16, and we do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has submitted personal data to us through our contact form, please contact us using the details in Section 11, and we will promptly delete the information.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, changes in the law, or for other operational, legal, or regulatory reasons. When we make changes, we will update the “Last updated” date at the top of this page.
We encourage you to review this page periodically to stay informed about how we protect your personal data. For significant changes that materially affect your rights, we will make reasonable efforts to notify visitors through a prominent notice on our website.
11. How to Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a concern about how we handle your personal data, please contact us:
Centre for Governance and Environmental Research (CEGER) Ltd
Suite D13, 3rd Floor, Nansana Business Centre
P.O. Box 35305, Kampala, Uganda
Email: cegerlimited@gmail.com
Phone: +256 200 932200 / +256 782 602 957
Website: https://ceger.org
Complaints
We take all complaints about our handling of personal data seriously and will work to resolve any concerns you raise. However, if you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:
For matters related to UK data protection (hosting jurisdiction):
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Website: https://ico.org.uk
Helpline: +44 303 123 1113
For matters related to Ugandan data protection (entity jurisdiction):
Personal Data Protection Office (PDPO)
National Information Technology Authority – Uganda (NITA-U)
Statistics House, 9 Colville Street, P.O. Box 33151, Kampala, Uganda
Website: https://pdpo.go.ug