This Privacy Notice explains who we are, how we collect, use, disclose and protect your personal data when you use our products, services, website and channels.
We may collect, use, store and transfer different types of Customer Personal Data which include but may not be limited to those we have categorized in the table below.
| Category | Personal Data in category |
| --- | --- |
| Billing Data | the consumption data that the Companies collect from services that they provide to their Customers in order to calculate charging as well as billing information, to the extent related to natural persons. |
| Contact Data | first name, last name, email address, postal address and telephone numbers, job role within the Customer. |
| Support Data | Customer service ticket information, Customer Representatives’ or End Users’ telephone recordings for incidents. |
| Identity Data | first name, last name, honorific (e.g. Ms., Mr., Dr.), username or similar identifier, password, ID document / number. |
| Location Data | geographic location, device location, SIM card location for mobile services. |
| Financial Data | mobile money account number, transaction history, location of transaction, account balances, loan information. |
| Behavioral Data | frequency and volume of transactions, types of services used, transaction patterns and time. |
| Regulatory Data | tax identification number, source of funds declarations, beneficial ownership, suspicious activity report, transaction amount report. |
| SIM and Device Data | SIM card number, device IMEI. |
| Marketing and Communications Data | preferences in receiving marketing from us and/or third parties and communication preferences. |
| Technical Data | internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, as well as other technology on the devices natural persons use to access areas of our website or other technical data generated through the use of the service. |
| Traffic / Connection Data | data revealing a communication’s origin, destination, route, format, size, time duration, IP address, time zone setting, MAC address. |
| Hosted Data | any categories of Customer Personal Data that may be recorded or stored (such as voicemails, call recordings, files) by Customer and which is hosted on the infrastructure provided by Orange Botswana. |
| Usage Data | information about how customers use our products and services and website. |
| Visual Data | photographs and other visual records we take during events hosted by the Companies or related third party entities that we process based on your consent. |
We use different methods to collect data from and about you including but not limited to through:
Your interactions with us
You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
Automated technologies or interactions
As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies (server logs) and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.
Third parties or publicly available sources
We may access personal data about you from various third parties (and public sources) including but not limited to the ones set out below:
Aggregated/anonymized data
We also collect, use and share aggregated and anonymized information such as statistical or demographic information as requested by mandated organizations for research purposes under the laws.
Aggregated or anonymized data could be based on Customer Personal Data but is not legally considered to be Personal Data. For example, we may aggregate or anonymize Usage Data to calculate the percentage of users accessing a specific function on our website. If we combine or link aggregated or anonymized data with any Customer Personal Data so that it can identify an individual, we treat the combined data as Personal Data which will be used in accordance with this privacy notice.
Special categories of Personal Data
Where necessary, we may process, as Processor, “special” or “sensitive” categories of Personal Data (information revealing race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning sex life or sexual orientation) relating to Customers or End Users, only if it is contained in Hosted Data. However, we do not collect it for our own purposes and we are not aware of when we are processing such Personal Data. As such, we do not use such Personal Data outside of a data subject’s reasonable expectations.
Legal Basis for processing
The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:
Performance of a contract with you: Where we need to perform the contract we are about to enter into or have entered into with you.
Partner Financial Institutions: We may share your personal data with institutions that we have partnered with to provide you with value adding services such as short-term loans and bank to wallet services.
We have set out below, in a table format, a non-exhaustive list of the ways we plan to use the various categories of personal data, and which of the legal bases we rely on to do so. We have further identified what our legitimate interests are where appropriate.
| Our Activity | Categories of Personal Data Processed | Our Lawful Bases for Processing |
| --- | --- | --- |
| To manage the sales and contractual relationships with our Customers | | Performance of a contract - Necessary to develop and manage our sales activities and the relationship with our customers, including ordering, performing transactions, billing and collection of payments |
| To build, operate and secure our network | | Performance of a contract - Necessary to assess the amount of data moving across at a given point in time, to manage such data; Necessary to comply with legal obligations (to prevent or detect fraud and remit such information to the regulating body) |
| To assist national law enforcement/ security agencies, to respond to requests from public governmental and regulatory authorities, to comply with court orders, litigation procedures and other legal processes | | Necessary to comply with legal obligations we may have under applicable laws (for example to provide lawful intercept and/or data retention by national law enforcement/ security agencies) |
| To complete a survey, provide customer satisfaction feedback, take part in service improvement programs, and attend any events that we organize | | Necessary for our legitimate interests to study how customers use our products/ services, to try to increase and improve interaction with Customers, to find out how we can improve our services, and to develop and grow our business, to communicate about our events |
| To provide access to you, as an individual, to on-line portals for your own individual usage management | | Necessary for the performance of a contract – to advance interests of your organization/yourself, our Customer, to provide you with this feature to improve and facilitate your use of this service |
Direct Marketing
We provide Customers with choice regarding the use of Customer Personal Data around marketing and advertising. You can always ask us to stop sending you marketing messages by contacting us at any time.
You may opt out of receiving marketing and advertising messages by using the following channels:
If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes.
We will get your express consent before we share your personal data with any third party for their own direct marketing purposes.
We may disclose your personal data to the third parties included in the below non-exhaustive list:
Service providers acting as Controllers in their own right, in which case the processing of Customer Personal Data will be subject to these service providers’ privacy policies that are in accordance with data protection standards. For example, to provide transmission to carry traffic on our network we share Traffic/Connection Data with other regulated telecommunication providers.
Service providers acting as Processors such as providers of IT and system administration services, maintenance, expert technical support or hosting.
National authorities, agencies and regulators acting as Processors or Controllers who have the legal authority to require reporting of processing activities or disclosure of Customer Personal Data in certain circumstances.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
International Transfers of Customer Personal Data
We may transfer and process Customer Personal Data to/in countries other than the country in which the Customer Personal Data is initially collected.
We share your personal data within the Orange Group.
When we transfer Customer Personal Data to an external supplier in another country, we make sure that a similar degree of protection is afforded to the Customer Personal Data. We ensure that our external partners are held to relevant national and international data protection laws. Further, any such transfers shall be made in accordance with the exemptions captured in the Data Protection Act (2024) as may be amended from time to time.
Our data security practices
We have put in place appropriate security measures to prevent Customer Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to Customer Personal Data to those employees, agents, contractors and other third parties who have a business need to access it. They will only process Customer Personal Data on our instructions and they are subject to a duty of confidentiality.
We require all third parties to respect the security of Customer Personal Data and to treat it in accordance with applicable data protection laws.
We have put in place procedures to deal with any suspected Personal Data breach and will notify Customers and any applicable regulator of a breach where we are legally or contractually required to do so.
Our data retention policy
How long will we retain Customer Personal Data?
We retain Customer Personal Data only for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain Customer Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with our Customers.
To determine the appropriate retention period for Customer Personal Data, we consider:
In some circumstances we will anonymize your personal data, so that it can no longer be associated with you, for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Our customers, as data subjects, have the following rights:
• Access their personal data
• Request rectification of their data
• Request erasure of their data
• Request restriction of processing
• Request transfer of data from the Companies to another data controller (data portability)
• Object to processing of personal data
• Refuse to be the subject of a decision based solely on automated processing
• Lodge complaints with the Information and Data Protection Commissioner
We will not discriminate or retaliate against you for exercising your Personal Data protection rights.
Whom should you contact?
If you want to exercise your rights in respect of your Personal Data, you can send any enquiries to our data protection officer at this email address: dataprotectionoffice.obw@orange.com
How will the Companies deal with my request?
This will usually be done at no fee. You will not have to pay a fee to access your Personal Data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, where we have reasonable grounds, we could refuse to comply with your request in these circumstances.
What we require
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
When we will respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
Complaints
You have the right to make a complaint at any time to the Information and Data Protection Commissioner’s Office (IDPCO), the regulator for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the IDPCO so please contact us in the first instance.
Change to the Privacy Policy and your duty to inform us of changes to personal data
We keep our privacy policy under regular review. This version was last updated in August 2025.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.