Privacy Policy

1. Legal Basis for Data Processing

In accordance with the Kenya Data Protection Act, 2019, we process your personal data based on:

• Consent: You have given explicit consent for us to process your personal data for specific purposes
• Contract Performance: Processing is necessary to fulfill our delivery service contract with you
• Legal Obligation: Processing is necessary to comply with Kenyan legal requirements
• Legitimate Interests: Processing is necessary for our legitimate business interests, such as fraud prevention and service improvement

2. Information We Collect

We collect only the minimum necessary personal data required to provide our services (Data Minimization Principle):

2.1 Information You Provide

• Account Information: Full name, phone number, email address, password (encrypted)
• Business Information: Company name, business registration number, tax PIN (for business accounts)
• Rider Information: National ID number, driver's license number, vehicle registration details, emergency contact information, bank account details for payments
• Delivery Information: Pickup and delivery addresses, recipient details, package descriptions

2.2 Information Collected Automatically

• Location Data: Real-time GPS coordinates (only during active delivery), location history for completed deliveries
• Device Information: Mobile device type, operating system, unique device identifiers, IP address
• Usage Data: App interactions, feature usage, delivery history, timestamps
• Transaction Data: Payment amounts, payment methods, transaction history

2.3 Information from Third Parties

• Payment Processors: M-PESA, Airtel Money transaction confirmations
• Identity Verification Services: National ID verification, KRA PIN verification
• Credit Reference Bureaus: Rider creditworthiness checks (with consent)

3. How We Use Your Information (Purpose Limitation)

We use your personal data only for specified, explicit, and legitimate purposes:

3.1 Service Delivery

• Creating and managing your account
• Processing and fulfilling delivery requests
• Matching customers with available riders
• Providing real-time delivery tracking and updates
• Calculating delivery fees and distances
• Generating delivery receipts and invoices

3.2 Payment Processing

• Processing payments through M-PESA, Airtel Money, VISA, and Mastercard
• Distributing earnings to riders
• Managing refunds and disputes
• Complying with tax and financial reporting obligations

3.3 Safety and Security

• Verifying rider identities and credentials
• Monitoring for fraudulent activities
• Resolving disputes and complaints
• Conducting background checks on riders
• Ensuring platform safety through OTP verification
• Maintaining delivery insurance records

3.4 Communication

• Sending delivery notifications and status updates via SMS and push notifications
• Providing customer support
• Sending service announcements and policy updates
• Marketing communications (only with your explicit consent, with opt-out options)

3.5 Service Improvement

• Analyzing usage patterns to improve our platform
• Conducting customer satisfaction surveys
• Developing new features and services
• Optimizing delivery routes and pricing

3.6 Legal Compliance

• Complying with Kenyan laws and regulations
• Responding to legal processes and law enforcement requests
• Protecting our legal rights and interests
• Maintaining records as required by law

4. Data Sharing and Disclosure

We share your personal data only when necessary and in compliance with the DPA:

4.1 Service Provision

• Between Users: Customer names, phone numbers, and delivery addresses are shared with assigned riders to complete deliveries
• Payment Processors: Safaricom (M-PESA), Airtel Kenya, Visa, Mastercard for payment processing
• SMS Providers: For sending delivery notifications and OTP codes
• Cloud Service Providers: AWS or similar providers for secure data storage (with data processing agreements)

4.2 Business Partners

• Insurance Providers: For processing claims related to damaged or lost deliveries
• Identity Verification Services: For verifying rider credentials
• Mapping Services: For route optimization and tracking

4.3 Legal and Regulatory

• Government Authorities: When required by Kenyan law or court order
• Law Enforcement: For investigations of illegal activities
• Kenya Revenue Authority: For tax compliance purposes
• Office of the Data Protection Commissioner: For compliance audits

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the new entity, subject to the same privacy protections and with prior notification to you.

We do NOT sell your personal information to third parties for marketing purposes.

5. Data Retention (Storage Limitation)

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

• Active Accounts: Data is retained while your account remains active
• Transaction Records: 7 years (as required by Kenyan tax and financial regulations)
• Delivery History: 2 years for customer service and dispute resolution
• Location Data: 90 days after delivery completion
• Marketing Consent: Until you withdraw consent or 2 years of inactivity
• Deleted Accounts: Personal data deleted within 30 days, except where retention is required by law

After the retention period expires, we securely delete or anonymize your personal data in accordance with data protection best practices.

6. Data Security (Integrity and Confidentiality)

We implement appropriate technical and organizational measures to protect your personal data:

6.1 Technical Measures

• End-to-end encryption for data transmission (TLS/SSL)
• Encrypted storage of sensitive data (passwords, payment information)
• Secure API authentication and authorization
• Regular security audits and vulnerability assessments
• Intrusion detection and prevention systems
• Secure backup and disaster recovery procedures

6.2 Organizational Measures

• Access controls limiting employee access to personal data (need-to-know basis)
• Confidentiality agreements with all employees and contractors
• Regular staff training on data protection and privacy
• Data breach response and notification procedures
• Data protection impact assessments for new processing activities

In the event of a data breach affecting your personal data, we will notify you and the Office of the Data Protection Commissioner within 72 hours, as required by the DPA.

7. Your Rights as a Data Subject

Under the Kenya Data Protection Act, 2019, you have the following rights:

7.1 Right to Access

You have the right to obtain confirmation of whether we process your personal data and to access that data. You can request a copy of your personal data by contacting our Data Protection Officer.

7.2 Right to Rectification

You have the right to correct inaccurate or incomplete personal data. You can update most information directly through your account settings or by contacting customer support.

7.3 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

Note: We may retain certain data where required by Kenyan law (e.g., tax records, transaction history).

7.4 Right to Restrict Processing

You have the right to restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

7.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV) and to transmit that data to another service provider.

7.6 Right to Object

You have the right to object to:

• Processing based on legitimate interests
• Direct marketing (including profiling for marketing purposes)
• Processing for scientific or historical research purposes

7.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Office of the Data Protection Commissioner if you believe your data protection rights have been violated:

7.9 Exercising Your Rights

To exercise any of these rights, please contact our Data Protection Officer using the contact details in Section 11. We will respond to your request within 30 days, as required by the DPA.

8. Consent and Marketing Communications

8.1 Consent Management

We obtain your explicit consent before:

• Collecting and processing your personal data
• Sending marketing communications
• Sharing your data with third parties (except as required for service delivery)
• Using location data (you can enable/disable in app settings)

8.2 Marketing Opt-Out

You can opt out of marketing communications at any time by:

• Clicking "Unsubscribe" in marketing emails
• Replying "STOP" to marketing SMS messages
• Adjusting notification preferences in your account settings
• Contacting customer support

Note: You will continue to receive transactional messages (delivery updates, receipts) even if you opt out of marketing.

9. Children's Privacy

TumaBoda services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately, and we will delete such information from our systems.

10. International Data Transfers

Your personal data is primarily processed and stored within Kenya. If we transfer data outside Kenya, we ensure:

• The destination country has adequate data protection laws (as determined by the ODPC)
• Appropriate safeguards are in place (e.g., Standard Contractual Clauses)
• You have provided explicit consent for the transfer

We will inform you if your data will be transferred internationally and obtain your consent where required.

11. Contact Information

Data Protection Officer

Customer Support

12. Updates to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service offerings. When we make material changes:

• We will notify you via email, SMS, or in-app notification at least 30 days before the changes take effect
• We will update the "Last Updated" date at the bottom of this policy
• We will obtain your consent if required by law

Your continued use of TumaBoda services after the effective date constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you may close your account.

13. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Kenya, including:

• The Kenya Data Protection Act, 2019
• The Data Protection (General) Regulations, 2021
• The Constitution of Kenya, 2010 (Right to Privacy - Article 31)