(Company Registration Number: 120241012590)
Effective Date: 4 March 2026
1.1 In this Privacy Policy, the following words and expressions shall have the meanings assigned to them below:
"Account" means a registered user account created in accordance with the Terms and Conditions.
"Act" means the Data Protection Act No. 3 of 2021 of the Republic of Zambia, as amended from time to time.
"Commissioner" means the Data Protection Commissioner appointed under the Act.
"Cookies" means small text files and similar tracking technologies (including pixels, web beacons, and local storage) placed on your device when you access the Platform.
"Data Controller" means Quicklist Traders Limited, being the entity that determines the purposes and means of the processing of personal data through the Platform.
"Data Subject" means any identified or identifiable natural person whose personal data is processed by Quicklist.
"Payment Processor" means any third-party payment service provider engaged by Quicklist to facilitate transactions on the Platform.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under the Act.
"Platform" means the website located at www.quicklist.co.zm, including any associated mobile applications, APIs, and related digital services operated by Quicklist.
"Policy" means this Privacy Policy, as amended from time to time in accordance with Section 13.
"Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Quicklist", "we", "us", or "our" means Quicklist Traders Limited, a company registered in the Republic of Zambia under Company Registration Number 120241012590.
"Seller" means a User who lists Goods or Services for sale on the Platform.
"Third-Party Service Provider" means any entity engaged by Quicklist to perform services on its behalf that involve the processing of personal data.
"User", "you", or "your" means any person who accesses or uses the Platform, whether registered or unregistered.
1.2 In this Policy, unless the context indicates otherwise:
(a) headings are for convenience only and shall not affect the interpretation of this Policy;
(b) words importing the singular shall include the plural and vice versa;
(c) words importing one gender shall include all genders;
(d) a reference to a "person" includes a natural person, company, close corporation, partnership, trust, or any other legal entity;
(e) any reference to a statute, regulation, or other legislation shall include all amendments, re-enactments, or replacements thereof.
2.1 Quicklist Traders Limited is committed to protecting your privacy and ensuring that your personal data is processed lawfully, fairly, transparently, and securely.
2.2 This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access or use the Platform, including our website, mobile applications, and related services.
2.3 Quicklist Traders Limited is the Data Controller responsible for the processing of personal data through the Platform, as defined under the Act.
2.4 By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. Where processing is based on consent, your continued use of the Platform constitutes your consent to the practices described herein.
2.5 If you do not agree with any provision of this Policy, you must immediately cease using the Platform.
2.6 This Privacy Policy is incorporated into and forms part of the Quicklist Terms and Conditions. In the event of a conflict between this Policy and the Terms and Conditions on matters relating to data protection and privacy, this Policy shall prevail.
2.7 This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Zambia, including the Data Protection Act No. 3 of 2021. The courts of the Republic of Zambia shall have exclusive jurisdiction over any dispute arising out of or in connection with this Policy.
We collect and process the following categories of personal data:
3.1 Personal Information (Provided by You)
When you register on the Platform or use our services, we may collect:
(a) full name;
(b) email address;
(c) phone number;
(d) mailing or delivery address;
(e) National Registration Card (NRC) number or other government-issued identification, where required for seller verification;
(f) bank account details or mobile money information required for seller payouts; and
(g) profile photograph, if voluntarily provided.
3.2 Transactional Information
We collect information relating to transactions carried out on the Platform, including:
(a) items listed, bought, or sold;
(b) transaction amounts, dates, and statuses;
(c) seller and buyer details related to transactions; and
(d) payout records and payment reconciliation data.
Card and mobile money payments are processed by Third-Party Service Providers. Quicklist does not directly process, store, or have access to your full payment card or mobile money PIN details. We receive only the transactional data necessary to facilitate seller payouts and maintain accurate records.
3.3 Usage and Technical Data
We automatically collect certain data when you access or interact with the Platform, including:
(a) IP address;
(b) device type, operating system, and unique device identifiers;
(c) browser type and version;
(d) pages visited and navigation paths;
(e) date, time, and duration of visits;
(f) referring URLs and search terms used to reach the Platform; and
(g) click-stream data and interaction patterns.
3.4 Cookies and Tracking Technologies
We use Cookies and similar tracking technologies for the following purposes:
(a) Strictly Necessary Cookies: to enable core Platform functionality, including maintaining login sessions and security features. These cannot be disabled.
(b) Functional Cookies: to remember your preferences and settings to enhance your experience.
(c) Analytical Cookies: to collect aggregated, anonymised data to help us understand usage patterns and improve Platform performance.
(d) Marketing Cookies: to track your activity across websites to deliver relevant advertisements. These are used only with your consent.
You may manage your cookie preferences through your browser settings or through the cookie consent banner displayed upon your first visit to the Platform. Disabling certain Cookies may impair the functionality of the Platform.
3.5 Communications Data
If you contact us via email, WhatsApp, phone, or in-app messaging, we may collect and retain records of those communications for quality assurance, training, dispute resolution, and compliance purposes.
We process your personal data for the following specific purposes and on the following lawful bases:
4.1 Provision of Services
User registration, account management, processing transactions, facilitating payouts to sellers, coordinating deliveries through third-party courier services, and providing customer support.
Lawful Basis: Performance of a contract (Section 27(a) of the Act).
4.2 Identity Verification
Verifying seller identities to maintain trust and safety on the Platform.
Lawful Basis: Performance of a contract; Legitimate interests (fraud prevention).
4.3 Platform Improvement
Monitoring and analysing usage trends, conducting research, testing new features, and improving website and application functionality, performance, and user experience.
Lawful Basis: Legitimate interests (platform optimisation).
4.4 Marketing and Communications
Sending promotional communications, updates, newsletters, or special offers.
Lawful Basis: Consent (Section 27(c) of the Act). You may withdraw consent and opt out at any time by following the unsubscribe instructions in any communication or by contacting us directly.
4.5 Safety, Security, and Fraud Prevention
Detecting, investigating, and preventing fraudulent, unauthorised, or illegal activity; protecting the rights, property, and safety of Quicklist, its Users, and the public.
Lawful Basis: Legitimate interests (safety and fraud prevention); Legal obligation.
4.6 Legal and Regulatory Compliance
Complying with applicable laws, regulations, and tax obligations; responding to lawful requests from competent authorities; resolving disputes; enforcing our Terms and Conditions.
Lawful Basis: Legal obligation (Section 27(b) of the Act).
4.7 Dispute Resolution and Enforcement
Investigating complaints, resolving disputes between buyers and sellers, and enforcing our policies and agreements.
Lawful Basis: Performance of a contract; Legitimate interests.
5.1 In accordance with Section 27 of the Act, we process personal data on one or more of the following lawful grounds:
(a) Performance of a Contract. Processing is necessary for the performance of a contract to which you are a party, including when you register, buy, sell, or receive payouts through the Platform.
(b) Legal Obligation. Processing is necessary for compliance with a legal obligation to which Quicklist is subject, including tax reporting, responding to court orders, or regulatory requests.
(c) Consent. You have given clear, informed, and freely given consent to the processing of your personal data for a specific purpose, including receiving marketing communications. You have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
(d) Legitimate Interests. Processing is necessary for the purposes of legitimate interests pursued by Quicklist or a third party, except where such interests are overridden by your fundamental rights and freedoms. Our legitimate interests include:
(i) fraud prevention and detection;
(ii) platform security and integrity;
(iii) service improvement and analytics; and
(iv) enforcement of our Terms and Conditions.
5.2 Where we rely on legitimate interests, we conduct a balancing assessment to ensure that our interests do not unjustifiably override your rights.
6.1 We do not sell your personal data.
6.2 We may share personal data only in the following circumstances and with appropriate safeguards:
6.3 Third-Party Service Providers
We engage trusted Third-Party Service Providers to assist in operating the Platform, including:
(a) Payment Processors — for processing payments and facilitating seller payouts. Data shared includes transaction amounts and payer/payee details.
(b) Courier and delivery service providers — for coordinating and fulfilling deliveries. Data shared includes recipient name, delivery address, phone number, and order details.
(c) Hosting and cloud infrastructure provider (Performive, Inc.) — for secure data storage and platform hosting. All Platform data is stored in encrypted form.
(d) Analytics providers — for understanding usage patterns. Only anonymised and aggregated usage data is shared.
(e) Communication service providers — for sending transactional and marketing messages. Data shared includes email address and phone number.
6.4 All Third-Party Service Providers are contractually bound to:
(a) process personal data only on our documented instructions;
(b) maintain appropriate technical and organisational security measures;
(c) not use personal data for their own purposes; and
(d) comply with applicable data protection laws.
6.5 Other Users
In the course of facilitating transactions, certain information, including your display name, general location, and listing details, may be visible to other Users of the Platform. Delivery-related personal information, including name, address, and phone number, will be shared with buyers, sellers, or couriers only as necessary to fulfil a transaction.
6.6 Business Transfers
If Quicklist is involved in a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred as part of that transaction. We will notify you of any such transfer and ensure that the receiving entity is bound by obligations no less protective than those in this Privacy Policy.
6.7 Legal and Regulatory Disclosures
We may disclose personal data where:
(a) required by law, regulation, or court order;
(b) requested by a competent law enforcement agency, regulatory body, or court of competent jurisdiction;
(c) necessary to protect the rights, property, safety, or security of Quicklist, our Users, or the public; or
(d) we reasonably suspect fraudulent, unlawful, or abusive activity on the Platform.
In such cases, we will disclose only the minimum information necessary and, where legally permitted, notify you of the disclosure.
7.1 Data Storage
Personal data collected through the Platform is securely stored on servers provided by Performive, Inc., located in the United States of America.
7.2 Cross-Border Transfers
Where personal data is transferred outside the Republic of Zambia, we ensure compliance with Section 70 of the Act by implementing the following safeguards:
(a) Standard Contractual Clauses (SCCs): We enter into data processing agreements with cross-border recipients that include contractual commitments to maintain data protection standards equivalent to those required under Zambian law.
(b) Contractual Obligations: All international service providers are contractually required to implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse.
(c) Risk Assessment: We conduct transfer impact assessments to evaluate the legal framework and data protection practices in the recipient country.
7.3 Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to the following:
(a) Account and profile data: Duration of account plus five (5) years post-closure, for commercial statute of limitations, tax compliance, and regulatory obligations.
(b) Transactional and payout records: Seven (7) years from date of transaction, for tax and financial record-keeping requirements under Zambian law.
(c) Usage and technical data: Twenty-four (24) months from date of collection, for platform improvement and analytics.
(d) Marketing consent records: Duration of consent plus two (2) years after withdrawal, for demonstrating lawful basis for processing.
(e) Communications and support records: Three (3) years from date of last communication, for dispute resolution and quality assurance.
(f) Fraud investigation records: Duration of investigation plus seven (7) years or as required by legal proceedings, for legal obligation and fraud prevention.
7.4 Upon expiry of the applicable retention period, personal data will be securely deleted or irreversibly anonymised.
7.5 Where we reasonably suspect fraudulent or unlawful activity, relevant records may be preserved and retained beyond the standard period as required by applicable law, ongoing investigations, or legal proceedings.
8.1 We implement robust technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure. These measures include, but are not limited to:
(a) Encryption: Data is encrypted in transit (TLS/SSL) and at rest using industry-standard encryption protocols.
(b) Access Controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, protected by multi-factor authentication.
(c) Infrastructure Security: Our hosting provider maintains SOC 2-compliant data centres with physical security controls, including restricted access, surveillance, and environmental protections.
(d) Regular Security Assessments: We conduct periodic vulnerability assessments and security audits to identify and address potential threats.
(e) Incident Response Plan: We maintain a documented incident response plan to ensure prompt identification, containment, and resolution of data security incidents.
(f) Staff Training: All personnel with access to personal data receive regular data protection and security awareness training.
8.2 While we take data security seriously and employ reasonable safeguards, no method of electronic storage or transmission over the internet is completely secure. We cannot guarantee absolute security, and you acknowledge this inherent risk when providing personal data through the Platform.
9.1 In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
(a) notify the Office of the Data Protection Commissioner without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with Section 59 of the Act; and
(b) notify affected data subjects without undue delay where the breach is likely to result in a high risk to your rights and freedoms, providing:
(i) a description of the nature of the breach;
(ii) the likely consequences;
(iii) the measures taken or proposed to address and mitigate the breach; and
(iv) contact details for further information.
9.2 We maintain a data breach register documenting all breaches, including those that do not meet the notification threshold, for accountability and audit purposes.
In accordance with the Act and other applicable laws, you have the following rights in relation to your personal data:
10.1 Right of Access
You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data along with information about how it is processed.
10.2 Right to Rectification
You have the right to request the correction or updating of inaccurate or incomplete personal data held about you.
10.3 Right to Erasure (Right to be Forgotten)
You have the right to request the deletion of your personal data where:
(a) the data is no longer necessary for the purposes for which it was collected;
(b) you withdraw your consent, where processing was based on consent; or
(c) the data has been unlawfully processed.
This right is subject to exceptions, including where retention is required for compliance with a legal obligation, the establishment, exercise, or defence of legal claims, or ongoing fraud investigations.
10.4 Right to Data Portability
You have the right to receive your personal data — that which you provided to us and which is processed by automated means on the basis of consent or contract — in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
10.5 Right to Object
You have the right to object to the processing of your personal data where processing is based on legitimate interests. Upon receiving such an objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
10.6 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, including while we verify the accuracy of your data or assess an objection you have raised.
10.7 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
10.8 Right Not to be Subject to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects concerning you, unless such processing is:
(a) necessary for the performance of a contract;
(b) authorised by law; or
(c) based on your explicit consent.
Quicklist does not currently employ solely automated decision-making processes that produce legal effects. Should this change, we will update this Policy and notify you accordingly.
10.9 Right to Lodge a Complaint
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner, Republic of Zambia.
10.10 How to Exercise Your Rights
Requests may be submitted by contacting us at the details provided in Section 14 below. We will:
(a) acknowledge your request within seven (7) days; and
(b) respond substantively within thirty (30) days of receipt.
We may request verification of your identity before processing your request to ensure the security of your personal data.
11.1 The Platform is not intended for use by individuals under the age of eighteen (18) years.
11.2 We do not knowingly collect, solicit, or process personal data from persons under the age of 18.
11.3 If we become aware that personal data has been collected from a person under 18, we will take immediate steps to delete that data and, where applicable, terminate the associated account.
11.4 If you believe that a person under 18 has provided personal data to us, please contact us immediately using the details in Section 14.
12.1 The Platform may contain links to third-party websites, applications, or services that are not owned or controlled by Quicklist.
12.2 We are not responsible for the privacy practices, content, or security of any third-party sites or services. We encourage you to review the privacy policies of any third-party sites you visit.
12.3 The inclusion of a link to a third-party site does not imply endorsement by Quicklist.
13.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.
13.2 Where changes are material, we will notify you by:
(a) posting a prominent notice on the Platform;
(b) sending a notification to the email address associated with your Account; or
(c) requesting renewed consent where the changes affect processing based on consent.
13.3 The "Last Updated" date at the top of this Policy indicates when it was most recently revised.
13.4 Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
14.1 Quicklist has designated a Data Protection Focal Point responsible for overseeing compliance with this Privacy Policy and applicable data protection laws.
14.2 For any queries, concerns, complaints, or requests relating to this Privacy Policy or our data protection practices, please contact us at:
Quicklist Traders Limited
Email: support@quicklist.co.zm
Phone/WhatsApp: +260977350043
14.3 We are committed to resolving any concerns promptly and in accordance with applicable law.
15.1 This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Zambia, including the Data Protection Act No. 3 of 2021.
15.2 Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of the Republic of Zambia.
