Sector Analysis
e-Commerce
Overview of the Sector & Data Collectors Evaluated
E-commerce across East, West, and Southern Africa continues to grow rapidly, driven by increased internet access, widespread smartphone use, expanding digital payment systems, and changing consumer behaviour. This growth has made e-commerce a key economic driver while significantly increasing the volume and sensitivity of personal data collected by online platforms.
The assessment covers a diverse set of markets, including Kenya, Uganda, Rwanda, Tanzania, Mauritius, Zimbabwe, and newly assessed countries — Nigeria, Ghana, and Botswana. Kenya remains a regional leader in digital innovation and online marketplaces, while Uganda and Tanzania show steady growth in mobile commerce. Rwanda continues to advance through strong government-led digital transformation, and Mauritius benefits from mature digital infrastructure and cross-border e-commerce activity. Despite economic constraints, Zimbabwe's e-commerce sector continues to expand, particularly through social-commerce models. Nigeria, as Africa's largest digital market, plays a critical role in shaping regional e-commerce practices, while Ghana and Botswana reflect emerging but steadily growing online retail ecosystems.
The data collectors evaluated include regional and national e-commerce platforms, digital retailers, and service providers that process large volumes of personal data, including identity, contact, payment, location, and behavioural information. As e-commerce expands, the analysis examines how these actors comply with national data protection laws, focusing on transparency, user rights, data security, and accountability in the handling of personal data.
Analysis of Compliance With Each Criterion
This section analyses data from 36 e-commerce platforms, with four (4) platforms assessed in each country. The platforms reviewed include Jumia Nigeria, Konga, Jiji Nigeria, and Kara Nigeria in Nigeria; Jumia Ghana, Tonaton Ghana, Melcom Ghana, and Kikuu Ghana in Ghana; Your Mart, Ubuy Botswana, iStore Botswana, and Apex Mart in Botswana; Murukali, Vuba Vuba, Kikuu Rwanda, and Ubuy Rwanda in Rwanda; Kikuu Tanzania, Jiji Tanzania, Inalipa, and Kupatana in Tanzania; PriceGuru, Temu Mauritius, Marideal, and Woolworths Mauritius Online in Mauritius; Ubuy Zimbabwe, Shumba Africa, Raines Africa, and Tengai Online in Zimbabwe; Jumia Kenya, Glovo Kenya, Jiji Kenya, and Kilimali in Kenya; and Jumia Uganda, Glovo Uganda, Jiji Uganda, and Kikuu Uganda in Uganda. Each of these platforms was evaluated against the assessment criteria, and their respective performance outcomes are presented below.
Findings - eCommerce Sector
e-Commerce Sector - Nigeria
The assessment of Nigeria's e-commerce platforms reveals uneven compliance with national data protection obligations, with significant disparities in regulatory engagement, transparency, and accountability. Jiji Nigeria was the only platform found to be registered with the national data protection regulator, achieving a perfect score of 100%. No publicly available evidence of registration was identified for Jumia Nigeria, Konga, or Kara Nigeria, indicating potential non-compliance with mandatory registration requirements and gaps in formal regulatory oversight under Nigeria's data protection laws.
All assessed companies demonstrated efforts to maintain accessible privacy policies, reflecting a general recognition of transparency obligations. Jiji Nigeria again led with 100%, followed by Jumia Nigeria and Kara Nigeria (88% each), and Konga (75%). However, the variation in scores reflects differences in clarity, accessibility, technical functionality, and the overall comprehensiveness of privacy disclosures.
With respect to data subject rights, performance was uneven. Jiji Nigeria ranked highest at 68%, followed by Jumia Nigeria at 59%, while Konga and Kara Nigeria scored below 50%. This suggests that several platforms do not fully enable users to exercise their statutory rights to access, correct, or delete personal data, as required under Nigeria's Data Protection Regulation (NDPR).
All platforms reported sharing personal data with third parties, yet compliance in this area was particularly weak. Konga, which led this indicator, scored only 36%, while Jumia Nigeria scored 14%. Limited transparency regarding the identities of third parties, the types of data shared, and the purposes of sharing increases the risk of unlawful processing and exposes users to potential misuse of their personal information.
Efforts to ensure data security were observed across all platforms, with Jiji Nigeria leading at 94%, followed by Konga (72%), Jumia Nigeria (61%), and Kara Nigeria (56%). While these scores indicate a degree of commitment to safeguarding personal data, gaps remain, particularly among mid-performing platforms, leaving users vulnerable to security breaches and undermining full compliance with data protection principles.
None of the platforms published transparency reports, and all recorded very low compliance with internal data breach resolution mechanisms. Konga led marginally with 33%, while Jiji Nigeria and Jumia Nigeria scored 17% each. The absence of clear procedures for breach detection, investigation, notification, and remediation highlights a systemic accountability gap that undermines both regulatory compliance and user trust.
Jiji Nigeria emerged as the strongest performer in the sector, demonstrating the closest alignment with Nigeria's data protection laws. Its privacy policy reflects a sophisticated understanding of online marketplace privacy risks, providing detailed contact information and clearly outlining extensive categories of personal data collected, including seller and buyer information, transaction records, communication logs, and behavioral analytics. The policy transparently explains purposes for data collection such as marketplace operations, fraud prevention, customer support, and service improvement, and includes specific retention commitments, such as 90 days for facial verification data, enabling users to understand data lifecycle management. Jiji also demonstrates strong transparency around third-party data sharing, explicitly naming payment processors (Flutterwave, Paystack), cloud service providers (Amazon Web Services, DigitalOcean), and identity verification services, alongside safeguards. Comprehensive procedures for exercising data subject rights and clear conditions for lawful law enforcement access further strengthen its compliance posture.
Konga demonstrates moderate compliance, addressing most foundational privacy requirements but with limited depth. Its policy provides basic contact information, outlines general categories of data collected, and explains broad purposes such as order fulfilment, customer service, and marketing. While Konga implements standard data subject rights and acknowledges third-party sharing, the lack of procedural detail and specificity reduces practical accountability.
Jumia Nigeria faces significant compliance challenges due to a misalignment between its core business operations and privacy disclosures. Although it operates one of Nigeria's largest consumer e-commerce platforms, the most readily accessible privacy information focuses primarily on recruitment and job applicant data rather than consumer-facing marketplace activities. This disconnect limits customer understanding of how shopping, browsing, and transaction data are collected and used, creating transparency gaps and compliance risks under the NDPR.
Kara Nigeria records the lowest performance, largely due to technical and accessibility barriers that restrict user access to privacy information. Website functionality issues and access limitations prevented comprehensive evaluation of its privacy practices, undermining transparency and raising concerns under NDPA requirements that privacy information be easily accessible.
Overall, Jiji Nigeria sets a strong benchmark for privacy governance and compliance within Nigeria's e-commerce sector. Other platforms show partial progress, particularly in publishing privacy policies and implementing baseline security measures, but exhibit significant compliance gaps in regulatory registration, third-party data governance, and breach accountability. These weaknesses expose companies to legal and reputational risks while limiting users' ability to exercise their rights and protect their personal data, underscoring the need for stronger enforcement and improved corporate privacy governance across the sector.
e-Commerce Sector - Ghana
The assessment of Ghana's e-commerce sector reveals consistently weak compliance with national data protection obligations, despite the widespread publication of privacy policies. While all platforms demonstrate a baseline awareness of transparency requirements, substantive compliance with Ghana's Data Protection Act remains limited, particularly in regulatory registration, third-party data governance, and accountability mechanisms.
None of the four e-commerce platforms assessed currently maintains active registration with Ghana's Data Protection Commission. Jumia Ghana, Tonaton Ghana, and Kikuu Ghana are unregistered, while Melcom Ghana, although previously registered, allowed its certification to expire in September 2021 and has not renewed it. This widespread non-registration reflects weak regulatory engagement and places all platforms in breach of statutory registration obligations, undermining lawful data processing and regulatory oversight.
All assessed companies have publicly accessible privacy policies, indicating a foundational level of transparency. Tonaton Ghana performed strongest in this category, scoring 100% due to clearer structure and language, while Jumia Ghana, Melcom Ghana, and Kikuu Ghana each scored 88%. Readability scores (Hemingway grades 8–11) suggest moderate accessibility, and word counts ranged from 616 to over 2,200 words. While publication and visibility are strong across the sector, variations in clarity and completeness affect the practical usefulness of these policies for users.
Performance on data subject rights was mixed. Jumia Ghana and Tonaton Ghana led with scores of 62%, reflecting clearer explanations of data collection purposes, broader categories of data processed, and the inclusion of user rights such as access, correction, deletion, and complaint mechanisms. However, both fall short on specifying data retention periods and providing unconditional user control. In contrast, Melcom Ghana scored 23%, offering vague disclosures that focus primarily on cookies, omit clear user rights and complaint channels, and provide limited transparency on data sharing. Kikuu Ghana performed slightly better at 41%, but still lacked clarity on collection purposes, offered conditional user rights, and provided only partial contact details. These disparities indicate uneven implementation of statutory obligations to uphold data subject rights, with significant gaps in user empowerment and legal compliance.
All platforms share personal data with third parties, yet compliance in this area remains consistently weak. Melcom Ghana scored highest at 24%, followed by Jumia Ghana and Kikuu Ghana (20%), and Tonaton Ghana (16%). Jumia and Tonaton permit data sharing for transactions, advertising, analytics, and law enforcement requests but fail to identify specific entities or the types of data shared. Tonaton explicitly references partners such as Facebook and Google but still lacks detailed disclosures. Melcom limits identifiable data sharing to trusted service providers under confidentiality obligations, while Kikuu allows sharing for order fulfilment and marketing support without naming recipients. Across the sector, the absence of specificity and reporting mechanisms increases the risk of unlawful processing and weakens accountability under the DPA.
All companies demonstrate some level of technical security, particularly through SSL implementation, but overall practices remain inconsistent. Tonaton Ghana and Melcom Ghana performed best at 72%, followed by Jumia Ghana (61%) and Kikuu Ghana (39%). Strong SSL ratings are undermined by weak or failing security headers and vague policy disclosures regarding implementation. This inconsistency suggests partial compliance with data security obligations, leaving users exposed to avoidable risks.
None of the companies has published a transparency report since 2024, resulting in a 0% score across the sector. The absence of disclosures on government requests, third-party access, or content moderation significantly limits public oversight and undermines accountability.
Internal breach management remains a critical weakness. Jumia Ghana and Kikuu Ghana scored 17%, as both mention user notification only in broad terms without outlining investigation procedures, timelines, or reporting channels. Tonaton Ghana and Melcom Ghana provide no information on breach detection, notification, or resolution, scoring 0%. These gaps indicate non-compliance with accountability and risk-management requirements under the DPA.
Overall, the findings indicate that Ghanaian e-commerce platforms have made surface-level efforts toward transparency, primarily through publishing privacy policies, but fall short on substantive compliance with national data protection laws. Persistent deficiencies in regulatory registration, third-party data governance, breach accountability, and the full implementation of data subject rights expose users to privacy risks and leave companies vulnerable to legal sanctions and reputational harm. Without stronger enforcement and improved internal governance, user trust in Ghana's e-commerce sector remains fragile.
e-Commerce Sector - Botswana
The assessment of Botswana's e-commerce sector reveals uneven privacy and data protection practices across the four companies evaluated, reflecting varying levels of compliance with national data protection obligations. Only three companies (Your Mart, iStore Botswana, and Ubuy Botswana) had accessible privacy policies in place. Your Mart and iStore Botswana led in this category with perfect scores (100%), while Ubuy Botswana scored 88%. These same companies were also the only ones to demonstrate efforts to support data subject rights, though overall performance remained modest. iStore Botswana performed best at 51%, followed by Ubuy Botswana (48%) and Your Mart (28%), indicating partial but incomplete alignment with legal requirements to enable users to access, control, or challenge the use of their personal data.
All four companies share personal data with third parties, but compliance in this area varied significantly. iStore Botswana led with a relatively strong score of 80%, reflecting clearer restrictions on third-party data transfers, while the remaining companies recorded very low or no compliance (0%), highlighting substantial transparency and accountability gaps. These weaknesses increase the risk of unlawful data disclosures and undermine users' ability to understand how their data is used.
All companies demonstrated visible efforts to secure personal data, though performance again varied. Ubuy Botswana led with a high score of 94%, followed by iStore Botswana (72%), Your Mart (50%), and Apex Mart (39%). While these scores suggest some commitment to safeguarding user data, uneven implementation of security measures leaves certain platforms more exposed to data breaches.
None of the companies published transparency reports or had internal data breach resolution mechanisms in place. The absence of procedures for breach detection, investigation, notification, and remediation represents a critical sector-wide weakness, significantly undermining compliance with accountability and risk management obligations under data protection law.
At the company level, Your Mart demonstrated a strong commitment to transparency through a privacy policy that was clearly visible, easy to read, and detailed. The policy explained the purposes of data collection and outlined categories of personal data processed. However, it permitted data sharing with advertisers without identifying the specific third parties or the types of data shared. Additionally, the policy did not address internal data breach handling, investigation timelines, or user notification. Despite its length (over 1,200 words) and level of detail, these omissions limit its effectiveness in ensuring accountability.
Ubuy Botswana performed strongest on data security, outlining specific measures such as malware scanning, SSL encryption, and restricted staff access to personal data. Its policy also described data categories and retention practices, though retention was framed vaguely as "as long as required by law." While Ubuy acknowledged third-party data sharing, particularly with payment and shipping providers, it failed to provide a comprehensive list of recipients. The lack of internal breach resolution mechanisms and user complaint channels further weakens its compliance posture.
iStore Botswana stood out as the only company to explicitly restrict third-party data sharing, stating that personal data would not be shared without user consent or a court order. This reflects stronger safeguards against unauthorized disclosure. However, its security provisions were broadly framed and lacked technical detail, and the policy did not include any mechanisms for managing or reporting data breaches, limiting its operational accountability.
Apex Mart ranked lowest across all indicators due to the complete absence of a privacy policy. Without any publicly available information on data collection, processing, or sharing practices, Apex Mart fails to meet even minimum transparency standards, placing users at significant risk and indicating serious non-compliance with data protection principles.
Overall, iStore Botswana emerged strongest on limiting third-party data transfers, Ubuy Botswana led in data security practices, and Your Mart excelled in policy accessibility and clarity but fell short on accountability. Apex Mart failed to meet baseline privacy requirements. Across the sector, the lack of transparency reporting and internal breach resolution mechanisms represents a critical compliance gap, exposing users to heightened privacy risks and highlighting the need for stronger enforcement and corporate accountability within Botswana's e-commerce ecosystem.
e-Commerce Sector - Rwanda
The assessment of Rwanda's e-commerce platforms (Murukali, Vuba Vuba, Kikuu Rwanda, and Ubuy Rwanda) shows a pattern of formal transparency without substantive accountability, largely consistent with last year's findings, though with some incremental improvements and notable regressions.
As in the previous assessment, all companies maintained publicly accessible privacy policies, demonstrating baseline compliance with transparency obligations. Vuba Vuba again led with a perfect score (100%), supported by strong readability (Hemingway grade 9) and concise drafting (478 words). Murukali, Kikuu Rwanda, and Ubuy Rwanda each scored 88%, mirroring last year's performance, though their policies were longer (918–1,761 words) and less user-friendly. While continued availability of privacy policies reflects sustained awareness of legal requirements, accessibility alone has not translated into meaningful user protection.
Performance on data subject rights remains weak across the sector and, in some cases, has deteriorated since last year. All companies scored below 50%, indicating persistent non-compliance with statutory obligations to enable user control over personal data.
- Ubuy Rwanda led with 45%, a modest improvement from 41%, reflecting clearer articulation of data categories and purposes, but still lacking specific retention timelines, full third-party disclosure, and clear complaint mechanisms.
- Murukali declined sharply to 39% from 53%, primarily due to restrictions on rights to European residents, missing contact details, and vague treatment of complaints and law enforcement access.
- Kikuu Rwanda improved to 35% from 18%, suggesting incremental progress, though key gaps remain around retention, complaints, and third-party clarity.
- Vuba Vuba recorded a dramatic drop to 3% from 19%, offering almost no meaningful information on user rights, retention, or complaint avenues.
As in last year's analysis, third-party data transfer remains a critical weakness. All companies share personal data with third parties, yet compliance levels remain extremely low.
- Murukali led marginally with 20% (up from 10%), allowing sharing with advertisers and analytics services such as Shopify and Google Analytics, but without specifying data types or providing breach-reporting channels.
- Kikuu Rwanda improved slightly to 10% (from 0%), though disclosures remain vague.
- Vuba Vuba and Ubuy Rwanda again scored 0%, providing little to no information on third-party recipients, purposes, or safeguards.
- Ubuy Rwanda strengthened its lead, scoring 94% (up from 89%), supported by strong SSL (A+), robust security headers (A), and detailed policy disclosures on encryption, access controls, malware scanning, and secure transactions.
- Murukali maintained its 56% score, with strong SSL and headers but no policy-level discussion of personal data security.
- Kikuu Rwanda remained unchanged at 39%, combining weak technical indicators with vague policy statements.
- Vuba Vuba declined significantly to 28% from 50%, due to failing security headers and the continued absence of security disclosures in its policy.
Internal breach management remains severely underdeveloped, with only marginal progress.
- Kikuu Rwanda improved to 17% (from 0%), referencing breach notification when legally required but lacking detail on procedures, timelines, or reporting channels.
- Murukali, Vuba Vuba, and Ubuy Rwanda all scored 0%, offering no guidance on breach detection, investigation, user notification, or redress.
Compared with last year, the Rwandan e-commerce sector shows incremental improvement in isolated areas, notably Kikuu's gains in user rights and Ubuy's strengthened security, but no structural shift toward full compliance. Some platforms, particularly Murukali and Vuba Vuba, have regressed on key indicators. Overall, formal compliance (privacy policies and SSL adoption) continues to mask substantive deficiencies in user rights enforcement, third-party data governance, breach accountability, and transparency reporting. These gaps expose users to privacy risks, undermine trust, and leave companies vulnerable to regulatory sanctions. Without stronger enforcement and more deliberate investment in privacy governance, Rwanda's e-commerce sector risks entrenching a model of compliance that is largely procedural rather than rights-protective.
e-Commerce Sector - Tanzania
The assessment of e-commerce platforms in Tanzania — Jiji Tanzania, Kupatana, Kikuu Tanzania, and Inalipa — shows consistent performance in formal transparency measures, alongside persistent weaknesses in accountability, third-party data governance, and breach management. Overall, the findings suggest incremental improvement in user-facing disclosures but limited substantive compliance with national data protection obligations.
All assessed companies made efforts to maintain accessible and publicly available privacy policies, reflecting baseline compliance with transparency requirements. Jiji Tanzania and Kupatana again led the sector with perfect scores (100%), maintaining their positions from last year. Kikuu Tanzania and Inalipa also sustained strong performance, each scoring 88%, consistent with the previous assessment. Jiji Tanzania's policy is prominently displayed on its website, highly readable (Hemingway grade 8), and comprehensive, with a word count of 4,080 words. Similarly, Kupatana's policy is clearly noticeable, well-structured, and accessible, with an impressive readability grade of 9 and a word count of 3,086 words. These characteristics enhance user awareness and understanding of data practices, an essential component of transparency under data protection law.
All companies demonstrated improved efforts to enable data subject rights, marking one of the more positive trends in this year's assessment.
Jiji Tanzania led with 72%, a significant improvement from 56% last year, followed by Kupatana (63%), which remained relatively stable, Inalipa (57%), up from 23%, and Kikuu Tanzania (53%), up from 47%. Despite these gains, gaps remain. Jiji Tanzania and Kupatana, while leading, do not fully disclose company contact details, limiting users' ability to exercise rights or lodge complaints. Jiji Tanzania lists only a physical address, while Kupatana omits a full physical address and does not provide an email or phone contact. These omissions weaken practical compliance with user-rights provisions under Tanzania's data protection framework.
All companies reported sharing personal data with third parties, but compliance in this area remains consistently low, with no platform scoring above 36%. Kikuu Tanzania led with 36% (up from 22%), followed by Jiji Tanzania (26%), Inalipa (20%), and Kupatana (20%), the latter two showing only marginal changes from last year. The low scores reflect insufficient transparency and justification for third-party data sharing, including the absence of clear consent mechanisms, limited disclosure of recipient entities, and lack of legal bases for transfers. These practices pose risks to data subject rights and raise concerns about compliance with Tanzanian data protection laws governing lawful processing and disclosure.
All companies exhibited some effort to implement technical data security measures. Jiji Tanzania performed best in this category, scoring 78%, supported by an A+ SSL rating from Qualys SSL Labs. However, despite strong technical indicators, Jiji's privacy policy lacks detailed explanations of security safeguards, limiting transparency. The remaining companies demonstrated moderate to weak performance, indicating that while basic security controls may exist, they are not consistently documented or communicated to users. This gap undermines accountability and weakens user confidence in how personal data is protected.
None of the assessed companies has published a transparency report since 2024. The absence of such reports means users have no insight into government requests, third-party data access, or internal compliance practices. This lack of reporting significantly limits public accountability and falls short of best practices for transparency under data protection regimes.
All companies recorded very poor performance in internal data breach resolution mechanisms. Jiji Tanzania and Kikuu Tanzania led marginally with scores of 25%, while Kupatana and Inalipa scored 0%. The limited disclosures provided do not specify internal procedures, reporting timelines, investigation processes, or user notification mechanisms. This represents a critical compliance gap, as effective breach management is central to accountability and risk mitigation under data protection law.
Overall, Tanzania's e-commerce sector demonstrates strong performance in policy accessibility and improving recognition of data subject rights, but continues to struggle with substantive compliance in third-party data governance, breach accountability, and transparency reporting. While incremental improvements are evident compared to last year, particularly in user-rights provisions, persistent weaknesses expose users to privacy risks and leave companies vulnerable to regulatory scrutiny and reputational harm. Without clearer disclosures, stronger accountability mechanisms, and robust enforcement, compliance with Tanzania's data protection framework remains largely procedural rather than rights-protective.
e-Commerce Sector - Mauritius
All companies assessed have made commendable efforts to ensure the availability of accessible privacy policies. Woolworths Mauritius Online continues to lead, as in the previous year, with a score of 88%, while PriceGuru, Temu Mauritius, and Marideal each achieved 75%. Compared to last year, PriceGuru and Marideal maintained their scores, whereas Temu Mauritius experienced a slight decline from 88%. These results suggest a baseline level of transparency across all platforms, though only Woolworths demonstrates consistently high standards in policy accessibility and clarity.
In terms of respecting data subject rights, all companies showed measurable progress. Woolworths again performed best, scoring 74%, a significant increase from 57% last year. Marideal followed with 62%, up from 53%. PriceGuru and Temu Mauritius each scored 59%, reflecting a marginal decline for PriceGuru (from 60%) and a notable improvement for Temu (from 47%). This upward trend indicates growing awareness of user rights obligations, although inconsistencies remain in how these rights are operationalised and communicated.
By contrast, compliance relating to third-party data sharing remains weak across all companies. Although all platforms disclosed that they share personal data with third parties, compliance levels were low. Temu Mauritius led with 38%, improving from 16% last year, while PriceGuru, Marideal, and Woolworths each scored only 20%. While these scores represent an improvement for PriceGuru and Marideal (from 10%), Woolworths saw a sharp decline from 70%. This highlights a significant compliance gap, particularly in relation to transparency, safeguards, and user control over onward data transfers, key requirements under modern data protection frameworks.
All companies demonstrated visible efforts to strengthen data security measures. Temu Mauritius led with 83%, up from 78%, followed by PriceGuru at 67% (up from 56%), Woolworths at 61% (up from 45%), and Marideal, which maintained its previous score of 45%. These improvements reflect increased attention to technical and organisational safeguards, although disparities suggest uneven maturity in data protection practices.
As in the previous year, all companies scored poorly on transparency reporting and internal data breach resolution mechanisms, each achieving only 8%. While this represents an improvement from 0% for PriceGuru, Temu Mauritius, and Marideal, Woolworths declined from 17%. The absence of meaningful transparency reports and clearly articulated breach response procedures raises concerns regarding accountability and preparedness, particularly given the growing regulatory emphasis on breach notification and incident management.
Under the policy indicator, PriceGuru, Temu Mauritius, and Marideal each scored 75% for accessible privacy policies, while Woolworths Mauritius Online again led with 88%. Woolworths also achieved the highest score under the pre-collection data transparency indicator, reflecting clearer communication at the point where personal data is first collected. The privacy policies of PriceGuru and Temu clearly outline the categories of personal data collected and the purposes for which they are used, primarily to support and improve service delivery. Temu's policy is broader in scope, covering data collected directly from users (such as account details, purchases, customer support interactions, reviews, and event participation), data obtained from third parties (including social media platforms, payment processors, and marketing partners), and information collected automatically through device data, usage patterns, location data, and cookies. PriceGuru adopts a similar approach, focusing on data collected during account creation, purchases, surveys, correspondence, and through cookies or server logs.
A key distinction lies in the treatment of user rights. PriceGuru explicitly sets out mechanisms for accessing, correcting, erasing, or restricting personal data and explains how users can submit such requests. Temu, while providing detailed explanations of data categories and purposes, does not articulate procedures for exercising user rights with the same level of clarity, potentially limiting the practical enforceability of those rights.
Both policies permit sharing of personal data with third parties. PriceGuru restricts disclosure to service providers, advisors, government authorities, corporate transactions, and third parties where explicit consent has been obtained. Temu allows a broader range of disclosures, including to affiliates, advertising and analytics partners, business partners, merchandise partners, regulators, and even other users. While both policies emphasise safeguards and necessity, Temu places greater emphasis on user control in peer-to-peer data sharing contexts, whereas PriceGuru explicitly disclaims responsibility for external websites, underscoring the fragmented nature of privacy protections once data leaves its platform.
Marideal's privacy policy closely mirrors those of PriceGuru and Temu. It covers standard categories of personal data collected during account creation, purchases, and website use, and permits account creation through third-party platforms such as Google or Facebook, involving the transfer of profile data. Its storage and security provisions follow the same general framework, referencing encryption and technical safeguards while disclaiming absolute security, a cautious stance consistent with the other platforms.
Marideal's permitted uses of data align with common e-commerce practices, including account management, order fulfilment, customer communication, and service improvement. Like PriceGuru, it prohibits the sale or rental of personal data and, like Temu, permits marketing communications subject to user consent. It also provides for disclosure in compliance with legal obligations and, notably, in the context of corporate restructuring, a provision shared with Temu but absent from PriceGuru's policy.
Where Marideal stands out is in its recognition of user rights. In addition to access, correction, and erasure, it explicitly grants users the right to delete their accounts entirely, aligning more closely with GDPR principles of user control and data minimisation. It also provides users with options to manage cookie preferences.
Woolworths' privacy policy is more formal and compliance-oriented in tone. It explicitly references the Mauritius Data Protection Act 2017 and frames data processing within a legal and accountability-driven context. The policy clearly sets out what data is collected, how it is used in everyday transactions, and the safeguards applied when data is shared, including cross-border transfers.
Unlike Temu and Marideal, Woolworths integrates its privacy notice into its terms and conditions, making it part of the contractual relationship with users. It recognises a broader range of user rights, including the right to object to processing, opt out of direct marketing, and request deletion, subject to legal requirements. While it shares common ground with the other platforms in terms of data categories collected and the use of cookies and analytics, it distinguishes itself by explicitly acknowledging technological risks and committing to inform users in the event of a data breach.
Overall, PriceGuru, Temu, and Marideal adopt broadly similar, disclosure-focused approaches to personal data processing, with variations in the scope of user rights and third-party sharing practices. Woolworths stands apart for its stronger emphasis on legal compliance, accountability, and user protections.
The findings suggest that while baseline transparency and security measures are improving across the sector, significant gaps remain in third-party data sharing compliance, breach response mechanisms, and transparency reporting. These weaknesses pose potential risks under data protection laws such as the Mauritius Data Protection Act 2017 and GDPR-aligned standards, particularly regarding accountability, lawful processing, and user empowerment.
To strengthen compliance, companies should move beyond policy disclosure toward demonstrable practices, including clearer procedures for exercising data subject rights, stricter controls and transparency around third-party data sharing, and robust, well-documented breach response and reporting mechanisms. Without these improvements, companies risk not only regulatory exposure but also erosion of user trust in an increasingly privacy-conscious digital marketplace.
e-Commerce Sector - Zimbabwe
All companies assessed made efforts to ensure the availability of accessible privacy policies. Shumba Africa, Raines Africa, and Tengai Online led the group with perfect scores of 100%, indicating that their privacy policies are clearly visible, easy to locate, and highly readable. Ubuy Zimbabwe followed closely with a score of 88%, reflecting a policy that is fairly readable, with a Grade 11 readability score and a word count of 1,761 as measured by the Hemingway Editor.
Compared to last year, Shumba Africa, Tengai Online, and Ubuy Zimbabwe maintained their performance, while Raines Africa showed notable improvement, increasing from 63% to 100%. These results demonstrate growing recognition of transparency as a foundational requirement of data protection compliance.
All companies also demonstrated efforts to recognise and facilitate data subject rights, although performance levels varied. Shumba Africa led with a score of 57%, a significant improvement from 36% in the previous year. Raines Africa followed with 54%, up from 29%, while Tengai Online improved to 49% from 24%. Ubuy Zimbabwe, however, recorded a decline, scoring 47% compared to 54% last year. While the upward trend for most companies suggests increasing awareness of obligations such as access, correction, and erasure, the moderate scores indicate that mechanisms for exercising these rights are still insufficiently detailed or inconsistently implemented.
Third-party data sharing remains one of the weakest areas of compliance. With the exception of Shumba Africa, which achieved a comparatively strong score of 80% (up from 24%), all companies recorded very low levels of compliance. Ubuy Zimbabwe scored only 18%, a slight improvement from 12%, while Raines Africa improved marginally to 6% from 0%. Tengai Online declined to 20% from 24%. These results indicate that while data sharing with third parties is common, transparency around such practices, the legal basis for sharing, and the safeguards applied remains inadequate. This presents heightened compliance risks under data protection laws, which require clear disclosure, purpose limitation, and accountability in third-party processing arrangements.
In relation to data security, all companies showed some level of commitment to protecting personal data. Ubuy Zimbabwe again led with a high score of 94%, reflecting the implementation of robust and proactive security measures designed to prevent unauthorised access, misuse, loss, or breaches. Shumba Africa maintained its previous score of 56%. By contrast, Raines Africa and Tengai Online both declined significantly, scoring 22%, down from 45% and 39% respectively. These declines suggest potential gaps in the consistency or updating of technical and organisational security measures, which are critical for compliance with data protection legislation.
As in the previous year, transparency reporting remains largely absent across the sector. Tengai Online and Raines Africa performed best in this category, yet still achieved only 42%, albeit an improvement from 25%. Shumba Africa scored 8%, up from 0%, while the remaining companies maintained scores of 0%. The absence of publicly available transparency reports means that data subjects have limited visibility into how their personal data is processed, shared, protected, or breached. This undermines the principles of accountability and openness that underpin modern data protection frameworks.
Under the pre-collection data transparency indicator, Shumba Africa again performed best with a score of 57%, followed by Ubuy Zimbabwe at 47%. Despite this comparatively strong performance, Shumba Africa's policy contains notable gaps: it provides only an email address as a point of contact and does not include a physical address or telephone number. More critically, it makes no reference to the right of individuals to lodge complaints with the company itself or with a regulatory authority. Such omissions weaken compliance with data protection laws, which typically require clear identification of the data controller and accessible avenues for redress.
In the area of third-party data privacy, Shumba Africa again led with 80%, but fell short of a perfect score due to the absence of clearly defined channels for reporting data breaches. Ubuy Zimbabwe, while scoring poorly on third-party transparency, demonstrated the strongest performance in terms of robust data security practices, highlighting a disconnect between technical safeguards and broader accountability and transparency obligations.
Overall, the findings indicate that companies in this sector are increasingly attentive to the visibility and readability of privacy policies, as well as to baseline security requirements. However, significant compliance gaps persist, particularly in relation to third-party data sharing, transparency reporting, and internal data breach resolution mechanisms. The lack of published transparency reports and weak breach response frameworks mean that data subjects remain largely unaware of how their data is processed in practice and what remedies are available in the event of misuse or breaches.
From a legal perspective, these shortcomings expose companies to potential non-compliance with data protection laws, including obligations relating to accountability, lawful processing, data subject rights, and breach management under the Zimbabwe Cyber and Data Protection Act and GDPR-aligned principles. To strengthen compliance and build user trust, companies should move beyond formal policy publication and focus on implementing clear, accessible rights-request mechanisms, transparent third-party data governance frameworks, and well-documented breach response and reporting procedures. Without such measures, improvements in policy accessibility and security alone will be insufficient to demonstrate full compliance or to meet the evolving expectations of regulators and data subjects in an increasingly privacy-conscious digital environment.
e-Commerce Sector - Kenya
As in the previous year, all companies assessed maintained full compliance with registration requirements, each achieving a perfect score of 100% for registration with the national data protection regulator. This demonstrates a shared baseline awareness of statutory obligations under Kenya's data protection framework. However, registration alone does not equate to substantive compliance, and further indicators reveal varying levels of maturity in privacy practices.
All companies also made efforts to maintain accessible privacy policies. Glovo Kenya and Jiji Kenya again led with perfect scores of 100%, reflecting policies that are clearly visible, well-structured, and easy for users to understand. Jumia Kenya and Kilimall each scored 88%. Compared to last year, Jumia maintained its score, while Kilimall showed improvement from 75%. These results suggest progress in formal transparency, particularly among platforms that had previously lagged behind.
Performance in relation to data subject rights was mixed. Jiji Kenya led with a score of 71%, improving from 66%, followed closely by Glovo Kenya at 69%. While this represents a decline from Glovo's previous score of 83%, it still reflects relatively strong mechanisms for facilitating rights such as access, correction, and erasure. Jumia Kenya recorded a notable decline to 42% from 53%, while Kilimall showed only marginal improvement, scoring 40% compared to 39% last year. These results indicate that, despite the existence of privacy policies, practical mechanisms for exercising data subject rights remain inconsistently implemented, particularly among local platforms.
All companies were found to share personal data with third parties, yet compliance in this area remains critically low. Glovo Kenya performed best, but still scored only 48%, despite a significant improvement from 20% last year. Jiji Kenya followed with a low score of 16%, declining from 26%. Jumia Kenya and Kilimall both scored 0%, representing a sharp regression from last year's scores of 10% and 20%, respectively. These findings point to serious deficiencies in transparency around third-party data sharing, including inadequate disclosure of recipients, purposes, safeguards, and legal bases for such transfers, all of which are key requirements under data protection laws.
In contrast, all companies demonstrated some commitment to data security. Jiji Kenya led with a score of 78%, a notable increase from 56%, followed by Glovo Kenya, which maintained a strong score of 67%. Jumia Kenya also maintained its score of 61%, while Kilimall remained at 39%. Although these results suggest that technical and organisational security measures are receiving attention, the uneven performance highlights disparities in risk management and security governance across platforms.
As in the previous year, transparency reporting and internal data breach resolution mechanisms remain weak across the sector. Glovo Kenya again led in this category but achieved only 33%, up from 25%. Jumia Kenya, Jiji Kenya, and Kilimall each scored just 17%. Compared to last year, Jumia Kenya maintained its score, Jiji Kenya improved from 0%, while Kilimall declined significantly from 33%. The lack of published transparency reports and clearly articulated breach response procedures undermines accountability and may hinder timely notification and remediation in the event of data breaches, as required under Kenyan law.
International e-commerce platforms significantly outperform local competitors. Glovo Kenya achieved an overall compliance score of 96%, reflecting the influence of comprehensive privacy frameworks developed for European and global markets. Its privacy policy includes detailed data retention schedules ranging from three to fifteen years depending on data categories, explicit consent mechanisms for behavioural marketing, and extensive third-party sharing disclosures covering advertising partners, payment processors, and delivery service providers. This level of detail demonstrates how compliance with international regulatory regimes can elevate privacy protection standards and deliver tangible benefits to Kenyan consumers.
Jiji Kenya's strong performance, with an overall score of 92% among domestic platforms, reflects sustained investment in privacy compliance following its expansion across multiple African markets. Its policy addresses complex issues such as cross-border data transfers, automated decision-making, and a relatively comprehensive implementation of data subject rights. However, gaps remain, particularly in relation to clearly articulated complaint procedures involving the Office of the Data Protection Commissioner and transparency around law enforcement access to personal data.
Jumia Kenya's moderate overall score of 58% highlights inconsistencies in privacy protection within established e-commerce platforms. While the company provides a basic privacy policy, significant gaps persist regarding specificity of data retention periods, comprehensive disclosure of third-party data sharing, and clear procedures for exercising data subject rights. The presence of multiple third-party trackers on Jumia's website further raises concerns about transparency in advertising partnerships and the adequacy of user consent management.
Kilimall's extremely poor overall score of 4% represents a critical compliance failure requiring urgent corrective action. The platform's privacy policy is largely inaccessible, preventing meaningful evaluation of its data protection practices and falling short of fundamental transparency requirements. This situation is particularly concerning given Kilimall's processing of sensitive financial and personal data belonging to thousands of Kenyan users, exposing both the company and data subjects to significant legal and privacy risks.
Overall, the findings reveal a clear divide between international and local e-commerce platforms in terms of privacy governance and regulatory compliance. While registration and basic policy accessibility are largely in place, substantive compliance, particularly in third-party data sharing, transparency reporting, and breach management, remains uneven and, in some cases, critically deficient.
From a regulatory perspective, these shortcomings expose companies to potential enforcement action under the Kenya Data Protection Act, 2019, particularly with respect to accountability, lawful processing, user rights facilitation, and breach notification obligations. To strengthen compliance and consumer trust, companies must move beyond formal registration and policy publication toward demonstrable, operational privacy practices. This includes clearer disclosure of third-party relationships, robust consent and rights-request mechanisms, documented breach response procedures, and proactive transparency reporting.
Without such measures, improvements in security and policy visibility alone will be insufficient to meet legal requirements or to address growing consumer expectations around privacy and data protection in Kenya's digital economy.
e-Commerce Sector - Uganda
Only three of the assessed companies demonstrated efforts to comply with the requirement to register with the national data protection regulator. As in the previous year, Jiji Uganda remained the clear leader, maintaining a perfect compliance score of 100%. Jumia Uganda and Glovo Uganda each scored 50%, reflecting notable improvements from last year, when Jumia scored 0% and Glovo scored 32%. Despite this progress, the limited number of registered entities indicates that regulatory registration continues to be a weak point in the sector and remains largely unchanged from last year in terms of overall participation.
All companies made efforts to ensure accessible privacy policies. Jumia Uganda and Jiji Uganda again led with perfect scores of 100%, maintaining their strong performance from last year. Glovo Uganda and Kikuu Uganda each scored 88%. While Kikuu maintained its score, Glovo declined from 100% last year, suggesting a slight regression in the visibility or clarity of its policy. Nonetheless, the widespread availability of privacy policies indicates that transparency at a basic, formal level is now well established across the sector.
Efforts to observe data subject rights showed mixed results. Glovo Uganda led with a score of 71%, though this represents a decline from 77% last year. Jiji Uganda improved to 67% from 60%, while Jumia Uganda increased to 58% from 53%. Kikuu Uganda, however, maintained a low score of 31%, unchanged from last year. These results suggest incremental progress among most platforms, but also indicate that the practical facilitation of rights such as access, correction, deletion, and objection remains uneven and, in some cases, stagnant.
All companies were found to share personal data with third parties, yet compliance in this area remains consistently low, echoing last year's findings. Jumia Uganda performed best, scoring 44%, a significant improvement from 0% last year. Glovo Uganda and Jiji Uganda each scored 26%, with Glovo declining from 32% and Jiji improving from 16%. Kikuu Uganda scored only 10%, up slightly from 0%.
As noted in last year's analysis, third-party data sharing remains a major concern, as companies continue to allow access to personal data by advertisers and other partners without adequately specifying what data is shared, for what purposes, or under what safeguards. This persistent weakness indicates that the concerns raised last year remain largely unresolved.
There were visible efforts to improve data security. Jumia Uganda and Jiji Uganda led with scores of 61%, with Jumia maintaining its previous performance and Jiji improving from 56%. While this suggests moderate levels of technical and organisational protection, it also confirms last year's conclusion that security practices are inconsistently articulated and, in some cases, insufficiently detailed to meet best practice standards.
Transparency reporting shows the most significant change from last year. With the exception of Jumia Uganda, all companies continued to lack transparency reports. Jumia Uganda scored 100%, up from 0%, making it the only platform in the sector to publish a transparency report for the previous year. This represents a meaningful improvement in accountability and directly addresses a key gap identified in last year's analysis, which found that no platforms had published transparency reports since 2023.
All companies made some effort to establish internal data breach resolution mechanisms. Jiji Uganda led with 50%, improving substantially from 0% last year. Glovo Uganda maintained a score of 33%, Jumia Uganda improved to 25% from 17%, and Kikuu Uganda maintained a low score of 17%. While these results show incremental progress, the overall low scores indicate that breach response frameworks remain underdeveloped across the sector.
Within the e-commerce sector, Jumia Uganda stands out for its highly accessible privacy policy and as the only company to publish a transparency report among the assessed entities. This reflects a stronger institutional commitment to accountability and aligns more closely with the requirements of the Data Protection and Privacy Act, 2019. However, despite these strengths, Jumia continues to score poorly on third-party data transfers and breach resolution mechanisms, mirroring the sector-wide weaknesses identified last year.
Jumia's privacy policy is prominently displayed on its website and uses clear, accessible language, achieving a readability score of 9 on the Hemingway Editor. The policy outlines the purposes of data collection, including order fulfilment, surveys, service improvement, and fraud detection, and provides an exhaustive list of personal data categories collected. Data retention is tied to legal requirements, and the policy allows behavioural marketing with an opt-out option. It also recognises data subject rights, including access, correction, deletion, restriction of processing, withdrawal of consent, and the right to lodge complaints via the Data Protection Officer. Law enforcement access is permitted when reasonably requested, and the publication of a transparency report further strengthens accountability. However, the policy does not clearly specify which categories of personal data are shared with third parties, leaving a critical gap in transparency.
Kikuu Uganda, by contrast, continues to perform poorly across most indicators. While its privacy policy remains accessible (88%) and fairly readable, pre-collection transparency, third-party data transfers, security measures, and breach resolution mechanisms remain weak. Kikuu has no registration with the regulator, no transparency report, and only minimal breach resolution procedures. Its policy allows data sharing with third parties and law enforcement without clearly identifying the recipients or the categories of data involved. Personal data categories are described only in general terms, no retention timelines are provided, and access to data is granted only under limited conditions. These shortcomings are largely unchanged from last year and indicate persistent non-compliance risks.
Glovo Uganda and Jiji Uganda both present relatively accessible privacy policies but continue to lack transparency reports and exhibit weaknesses in security disclosures and third-party data governance. While Jiji has improved its registration status and breach resolution mechanisms, both platforms still fall short of best practices identified in last year's assessment.
Overall, the findings confirm that many of the issues identified in last year's analysis remain relevant and unresolved. Third-party data sharing continues to be the most significant area of concern, with insufficient disclosure and weak safeguards across all platforms. While there have been modest improvements in registration, data subject rights facilitation, and breach response mechanisms, progress remains uneven and, in some cases, minimal.
From a legal perspective, these gaps expose companies to potential non-compliance with Uganda's Data Protection and Privacy Act, 2019, particularly with respect to accountability, transparency, lawful processing, and data breach management. Jumia Uganda's publication of a transparency report demonstrates that improvement is possible and sets a benchmark for the sector. However, without broader adoption of such practices, consumer data in Uganda's growing e-commerce market remains inadequately protected.
To strengthen compliance and trust, companies must move beyond formal policy publication and address the structural weaknesses repeatedly identified in successive assessments. This includes clearly specifying third-party data sharing arrangements, improving transparency reporting, strengthening breach response mechanisms, and ensuring full regulatory registration. Without these measures, the sector risks continued regulatory exposure and erosion of consumer confidence in digital commerce platforms.
