Back to home
Legal

Privacy Policy

How Ayolla collects, uses, and protects your personal information in line with Rwandan law — in particular Law No. 058/2021 of 15/10/2021 relating to the protection of personal data and privacy.

Last updated: 21 March 2026

1. Introduction

Ayolla Ltd. ("Ayolla," "we," "us") respects your privacy. This Privacy Policy explains how we process personal data when you use our website, contact us, or engage our call center and related services. We are committed to processing personal data lawfully, fairly, and transparently, in accordance with applicable Rwandan legislation.

This document is provided for transparency and general compliance purposes. It does not constitute legal advice. You may wish to obtain independent legal counsel to adapt this policy to your specific operations.

2. Data controller

For personal data collected through this website and initial business enquiries, the data controller is:

3. Scope and governing law

This Policy applies to processing carried out in connection with our website and pre-contractual contact. Where we provide services to your organisation under a separate agreement, additional or different terms may apply and will be identified in that agreement.

We comply with Law No. 058/2021 of 15/10/2021 Relating to the Protection of Personal Data and Privacy(the "DPP Law") and related guidance issued by Rwandan authorities, including the National Cyber Security Authority (NCSA) where relevant to data protection supervision and complaints.

4. Personal data we collect

Depending on how you interact with us, we may process:

  • Identity and contact data: name, email address, phone number, company name, job title (if provided).
  • Communication data: messages you send via our contact form, email, or phone, including the subject and content of your enquiry.
  • Technical data (website): IP address, browser type, device type, approximate location derived from IP, pages visited, and timestamps — typically collected through cookies or similar technologies where enabled.
  • Service-related data: if you become a client, we may process additional categories of data necessary to deliver call center and BPO services, as described in your service agreement or separate privacy notice.

We do not knowingly collect special categories of personal data (e.g. health, biometric data used to uniquely identify you, or data revealing racial or ethnic origin, political opinions, religious beliefs, or similar) through this website unless you voluntarily include such information in a message. If you do so, we will process it only where permitted under the DPP Law and for the purpose you provided it.

5. Purposes and legal bases

We process personal data for purposes that are specific, explicit, and legitimate, including:

  • Responding to enquiries — to communicate with you about our services (legal basis: performance of steps prior to a contract at your request, and/or our legitimate interests in operating our business, balanced against your rights).
  • Providing services — where you or your organisation contract with us (legal basis: contract; legal obligation where applicable).
  • Website operation and security — to maintain the site, prevent fraud, and protect our systems (legal basis: legitimate interests and/or legal obligation).
  • Compliance — to meet legal, regulatory, or tax requirements applicable in Rwanda (legal basis: legal obligation).
  • Marketing — only where permitted by law and, where required, with your consent; you may object to direct marketing at any time.

Where processing is based on consent (for example, certain cookies or optional marketing), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

6. Sharing and processors

We may share personal data with trusted third parties who process data on our instructions ("processors"), such as:

  • Email delivery providers (e.g. EmailJS or similar) that transmit messages submitted through our website contact form.
  • Hosting and IT providers that host our website or provide security and analytics tools.
  • Professional advisers where required (e.g. lawyers, auditors), under confidentiality obligations.

We require processors to implement appropriate technical and organisational measures and to process personal data only as instructed. We do not sell your personal data.

We may disclose personal data if required by law, court order, or a competent authority in Rwanda, or to protect our legal rights.

7. International transfers

Some service providers may be located outside Rwanda or process data on infrastructure outside Rwanda. Where personal data is transferred to another country, we take steps consistent with the DPP Law — such as ensuring adequate safeguards, your consent where required, or other grounds permitted by law — and we will provide further information on request where applicable.

8. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Enquiry data is typically retained for a limited period after our last interaction unless a longer period is required for ongoing business or legal reasons. When data is no longer needed, we delete or anonymise it in line with our internal policies.

9. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction, taking into account the nature of the processing and the risks involved. No method of transmission over the internet is completely secure; we encourage you to use secure channels when sending sensitive information.

10. Your rights (Rwanda)

Under the DPP Law, you have rights in respect of your personal data, which typically include (where applicable):

  • Right to be informed — transparent information about processing (as in this Policy).
  • Right of access — to obtain confirmation of processing and, in many cases, a copy of your personal data.
  • Right to rectification — to have inaccurate data corrected.
  • Right to erasure — in certain circumstances, to have data deleted.
  • Right to restrict processing — in certain circumstances, to limit how we use your data.
  • Right to object — including to processing based on legitimate interests (where applicable) and to direct marketing.
  • Right to data portability — where processing is automated and based on consent or contract, to receive your data in a structured, commonly used format.
  • Right to withdraw consent — where processing is based on consent.

To exercise these rights, contact us using the details in section 14. We will respond within a reasonable period as required or permitted by law. If you are not satisfied with our response, you may lodge a complaint with the National Cyber Security Authority (NCSA) or other competent authority in Rwanda, in accordance with applicable procedures and time limits.

11. Cookies and similar technologies

Our website may use cookies or similar technologies to improve functionality, analytics, or preferences. Where required by law, we will obtain your consent before using non-essential cookies. You can control cookies through your browser settings.

12. Children

Our website and services are directed at businesses and adults. We do not knowingly collect personal data from children without appropriate parental authority or consent as required by law. If you believe we have collected data from a child in error, please contact us and we will take steps to delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect legal, technical, or business changes. The "Last updated" date at the top will be revised, and where appropriate we will notify you through the website or other reasonable means. We encourage you to review this page periodically.

14. Contact & complaints

For any questions about this Policy or to exercise your data protection rights, please contact us:

For complaints to the supervisory authority in Rwanda, contact the National Cyber Security Authority (NCSA) for current guidance on data protection complaints and procedures.

Return to homepage