Privacy Policy

Bukra General Trading Co. Ltd · Reg. COY-ERHNNJW · TIN B20260303VWRKG2

Effective 03 May 2026 · Version 2.0

1. Who we are

Bukra General Trading Co. Ltd (“Bukra”, “we”, “us”) is a private limited company registered in the Republic of South Sudan (Reg. No. COY-ERHNNJW) operating the digital booking platform at bukra.co and via WhatsApp, USSD, and voice channels. We are the data controller for the personal data we collect through these services.

Contact: support@bukra.co · +211 926 716 118 · Central Equatoria State, Juba, South Sudan

2. Information we collect

To provide our ticket booking and cargo services, we collect:

Account	Phone number, full name, language, optional email
Identity	Government-issued ID number or photo (cargo recipients, B2B accounts, higher-value transactions) — for AML compliance
Booking	Origin, destination, date, passenger details, seat selection
Cargo	Sender and recipient name & phone, parcel weight, declared value, contents description, photos at intake
Payment	Mobile money number, transaction reference, amount, currency. We do not store card numbers; card payments are tokenised by Stripe at source
Device & usage	IP address, browser type, language, page views, anonymised analytics
Communications	SMS, WhatsApp messages, voice transcripts, support emails

3. Legal basis

Contract performance — to deliver the booking or parcel you requested
Legal obligation — to comply with AML/CFT, tax, and aviation regulations (e.g., South Sudan AML Act 2012, SSCAA permit conditions)
Legitimate interest — to operate, secure, and improve the service; to prevent fraud
Consent — for marketing communications (you can withdraw consent any time)

4. How we use your information

Create and manage your account
Process bookings, payments, and cargo collections
Deliver tickets, tracking links, and status updates by SMS, WhatsApp, voice, or email
Comply with AML/CFT obligations including sanctions and PEP screening
Detect, prevent, and investigate fraud or abuse
Provide customer support
Improve our products with anonymised analytics
Send service announcements and (with consent) marketing

5. Who we share your data with

We share data only as needed to operate the service. We do not sell your personal data.

Transport operators (Flying Horse, Goldline, Salaam Air, etc.)	Manifest, boarding, parcel delivery
Payment processors (MTN Fintech, M-Pesa, PayGate, Stripe)	Charge, refund, settle payments
Communications providers (Africa’s Talking, Meta WhatsApp, Resend)	Deliver booking confirmations, alerts, tracking
Cloud infrastructure (Supabase EU-West-2, Vercel, Railway)	Host the platform, store data
AI providers (OpenAI, ByteDance Seed — pending)	Transcribe voice bookings, fraud detection
Customs & regulators	Cross-border parcel clearance
Auditors & counsel	Statutory audit, legal advice

All third parties are bound by written agreements requiring them to process your data only for the agreed purpose and to apply appropriate security.

6. International transfers

Bukra is registered in South Sudan and incorporated in the United States (Bukra Technologies, Inc., Delaware). Your data may be processed in South Sudan, Kenya, Uganda, the European Union (eu-west-2), and the United States. Where data leaves South Sudan or Kenya we apply contractual safeguards equivalent to GDPR Standard Contractual Clauses or local equivalents.

7. How long we keep your data

KYC, transaction logs, sanctions hits, suspicious-activity reports	7 years from end of relationship or transaction date — South Sudan AML Act 2012 / FATF R.11
Booking history (passenger or parcel)	7 years
Account data (name, phone)	Until you request deletion or 7 years inactive
Marketing consent	Until withdrawn
Anonymised analytics	24 months

You may request earlier deletion, subject to records we are legally required to retain.

8. Your rights

Subject to applicable law you have the right to:

Access a copy of your personal data
Correction of inaccurate data
Deletion (limited by AML retention)
Portability in a structured, machine-readable format
Restriction & objection for certain processing
Withdraw consent for marketing
Lodge a complaint with the relevant data-protection authority

To exercise any of these rights, email support@bukra.co. We respond within 30 days.

9. Security

TLS encryption in transit, AES-256 at rest
Role-based access controls and audit logging
Phone OTP verification at customer registration
Sanctions and PEP screening for higher-value transactions
Regular dependency-vulnerability scanning and periodic third-party review
Independent penetration test planned within 12 months of full operation

No system is perfectly secure. If a breach affects your data, we will notify you and the relevant authorities without undue delay.

10. Children

Bukra is intended for adults (16+). We do not knowingly collect data from children under 13. If you believe a child’s data has been collected, contact us and we will delete it.

11. Cookies

bukra.co uses essential cookies to keep you signed in and protect against fraud. With your consent we use analytics cookies (PostHog, anonymised) to improve the product.

12. Changes to this policy

We may update this Policy from time to time. Material changes will be posted at bukra.co/privacy and, where required by law, we will notify you directly.

13. Contact

Data Protection Contact: Kuot Kiir Aluetmiir, Founder & CEO
Email: support@bukra.co · kuot@bukra.co
Phone: +211 926 716 118
Address: Central Equatoria State, Juba County – City, South Sudan

This Privacy Policy is governed by the laws of the Republic of South Sudan. For diaspora users in jurisdictions with stricter data-protection rules (EU GDPR, UK DPA, US state laws), those rules apply to the extent they offer greater protection.