Owned & Operated By: Citrus Labs Limited

Email: legal@citruslabs.co.ke

Mailing Address: P.O. Box 23983 – 00100, Nairobi, Kenya

Phone: +254 112 400 000

1. Introduction

Purpose of Policy

This Privacy Policy explains how Rideon by Citrus, owned by Citrus Labs Limited, collects, uses, and protects the personal data of its Driver Account users in compliance with Kenya's Data Protection Act (DPA) 2019 and the Kenya National Cloud Policy 2025.

Scope of Coverage

This policy applies to all drivers who use Rideon by Citrus across Kenya. It covers data collected via our web platform, mobile integrations, and related payment systems (e.g., M-Pesa).

2. Legal Compliance

Kenya DPA 2025 Compliant
  • Kenya DPA 2025 Compliance: Rideon by Citrus is fully aligned with Kenya's Data Protection Act and related regulations.
  • ODPC Registration: Citrus Labs Limited is registered with the Office of the Data Protection Commissioner (ODPC).
  • Data Protection Officer (DPO): A designated DPO oversees compliance and can be reached at legal@citruslabs.co.ke.

3. Data Collection

Types of Data Collected

  • Driver name and contact details (phone, email – optional)
  • Vehicle license plate and PSV organization details
  • Location data (manual entry or GPS)
  • Transaction and payment records
  • Device/browser information

Collection Methods

  • Directly from drivers during platform use
  • Automatically via system logs, GPS, and M-Pesa integrations

Consent Mechanisms

By using Rideon by Citrus, drivers consent to data collection for service delivery. Consent is reaffirmed during sensitive data processing (e.g., location tracking).

4. Data Usage

Usage Categories

  • Fare calculation and trip management
  • Debt tracking and settlement
  • Payment verification via M-Pesa
  • Fraud detection and compliance reporting

Automated Decision-Making

Automated Decision-Making: Fare rates and penalties may be automatically calculated based on PSV organization rules.

Profiling: Rideon does not profile drivers beyond operational requirements (e.g., debt records).

5. Data Sharing & Transfers

  • Local & Cross-Border Transfers: Data is primarily stored in Kenya, with cloud backup in regions approved under Kenya's Cloud Policy 2025.
  • Third-Party Sharing: Limited to payment processors (e.g., Safaricom M-Pesa).
  • Safeguards: Contracts and encryption protect sensitive financial and location data.

6. User Rights

Drivers have the following rights under Kenya's Data Protection Act:

Right to Access

Request access to your personal data

Right to Rectification

Correct any inaccurate information

Right to Erasure

Request deletion of your data

Right to Object

Object to certain data processing

Right to Data Portability

Export your data in portable format

Requests can be made via legal@citruslabs.co.ke

7. Data Security

Security Measures

  • 256-bit Encryption: All data encrypted at rest and in transit
  • Access Controls: Role-based permissions and authentication
  • Audit Logs: Comprehensive tracking of system activity
  • Employee Training: Regular data protection training programs

8. Cookies & Tracking

  • Cookies: Used for session management and fraud prevention.
  • Tracking: Google Maps integration may track driver location during rides.
  • Opt-Out: Drivers may disable cookies in their browser, though core functions may be limited.

9. Third-Party Services

  • Vendors: Payment processing via Safaricom M-Pesa and mapping via Google Maps.
  • Compliance: All third-party providers must comply with Kenya's Data Protection Act.

Third-Party Privacy Policies:

M-Pesa Privacy Policy Google Privacy Policy

10. Data Retention

  • Retention Periods: Ride data retained for 7 years (per transport regulations).
  • Deletion Protocols: Drivers may request earlier deletion where legally permissible.

11. Children's Data

Rideon by Citrus does not knowingly collect data from minors under 18. Compliance follows the Children's Act 2022. Parental consent is required for any accidental collection.

12. Data Breach Protocol

  • Incident Response: Breach investigated within 72 hours.
  • ODPC Notification: Reported promptly to the Office of the Data Protection Commissioner.
  • User Notification: Affected drivers will be notified via email/SMS with remediation steps.

13. Policy Updates

  • Last Updated: October 30th, 2025.
  • Notification: Updates communicated via email, SMS, or in-app notice.

14. Contact & Complaints

  • Support Contact: legal@citruslabs.co.ke | +254 112 400 000
  • Complaints to ODPC: If unresolved, drivers may lodge a complaint directly with the Office of the Data Protection Commissioner, Kenya.

In Summary

Rideon by Citrus protects drivers' personal data under Kenya's 2025 Data Protection Act, ensuring transparency, accountability, and lawful use. Drivers remain in full control of their information with clear rights to access, correct, and request deletion.