1. Introduction

Purpose of Policy

This Data Policy sets out how Citrus Labs Limited ensures responsible collection, processing, and handling of data for Route Managers operating within the Rideon by Citrus platform. Our commitment to data protection is aligned with the Kenya Data Protection Act (2019, amended 2025) and ensures transparency in all data handling practices.

Scope of Application

The policy applies exclusively to Route Manager Accounts, covering all interactions such as:

  • Fare collection and processing
  • Billing operations and reconciliation
  • Reporting functions and analytics
  • Compliance tracking and monitoring

Key Responsibilities

Route Manager Duties

  • Accurate fare reconciliation and reporting
  • Driver monitoring and performance tracking
  • Data accuracy and integrity maintenance
  • Timely reporting and compliance adherence
  • Secure handling of sensitive information

2. Legal Basis & Compliance

Processing activities strictly comply with the Kenya DPA 2025. Citrus Labs Limited is registered with the ODPC as a Data Controller and Data Processor.

  • DPA Compliance: Fully compliant with Kenya Data Protection Act 2025 (Active)
  • ODPC Registration: Registered Data Controller and Processor (Verified)
  • Route Compliance: PSV and licensing requirements met

Data Protection Officer

Contact: legal@citruslabs.co.ke

Response Time: 24-48 hours

Route Compliance Status

Route License: Valid
PSV Compliance: Met
Data Handling: Compliant
Last Audit: September 2025

3. Data Collection

Types of Data Collected

Personal Identifiers

  • Full name
  • Contact details (email, phone number)
  • Login credentials
  • Route Manager ID

Operational Data

  • Assigned route information
  • Active vehicles and assignments
  • Driver details and performance
  • Transaction logs and timestamps

Financial Data

  • Fare records and collections
  • Debt settlements and tracking
  • M-Pesa transaction details
  • Penalty and fine records

Technical Data

  • IP addresses
  • Device and browser information
  • System activity logs
  • Login timestamps

Collection Methods

  • Data provided directly during onboarding
  • Data submitted by PSV Organization Admins
  • Automated system-generated records
  • Route start and end checkpoints
  • Fare collection and payment points

Consent Mechanisms

Consent is obtained during account creation and may be withdrawn by submitting a written request to the DPO at legal@citruslabs.co.ke.

4. Data Usage

Purpose of Processing

Account Verification

Authenticate and verify Route Manager accounts

Fare Calculation

Process fare collection, billing, and debt clearance

Performance Insights

Generate reports and analytics for PSV organizations

Alert Management

Send payment confirmations and escalation alerts

Retention Periods

Data Type         | Retention Period | Legal Basis
Financial Records | 7 years          | Kenyan financial laws
Route Logs        | 7 years          | Transport regulations
Technical Logs    | 2 years          | Security monitoring
Temporary Data    | 30 days          | Operational needs

Data will be securely deleted or anonymized after retention expires.

Automated Decision-Making

Automated Systems

Automated systems may be used for:

  • Penalty escalation
  • Payment verification
  • Fraud detection
  • Report scheduling

All automated processes are audited for fairness and accuracy.

Route Analytics Preview

Today's Fares: KES 45,230
Weekly Trend: 12%
Vehicle Utilization: 87%
Driver Performance: 4.2

5. Data Sharing & Transfers

Data Sharing with Partners

Limited data may be shared with authorized partners under strict confidentiality agreements:

  • Payment Processors: Safaricom/M-Pesa (Active)
  • PSV Organizations: Route management admins (Active)
  • Regulatory Bodies: Where legally required (As Needed)
  • Audit Services: Compliance verification (Periodic)

Cross-Border Transfers

Data Location & Transfers

All primary storage occurs within Kenya-based servers.

If international transfer is required (e.g., cloud backup), safeguards such as encryption and Standard Contractual Clauses (SCCs) are applied.

  • AES-256 Encryption
  • Access controls and authentication
  • Audit trails for all transfers
  • Kenya-based primary infrastructure

Recent Transfer Log

Date      | Recipient | Type    | Status
Today     | M-Pesa    | Payment |
Today     | PSV Admin | Report  |
Yesterday | ODPC      | Audit   |

6. User Rights

As a Route Manager, you have the following rights under the Kenya DPA:

Right to Access

Request copies of your personal data

Right to Rectification

Correct inaccurate or incomplete information

Right to Erasure

Request deletion of your data where lawful

Right to Object

Object to specific processing activities

Right to Data Portability

Transfer your data to another system

Right to Restrict Processing

Limit how we use your data

How to Exercise Your Rights

All rights requests can be submitted to our Data Protection Officer at:

Email: legal@citruslabs.co.ke

Response Time: We will respond within 30 days of receipt

Verification: Identity verification may be required for security purposes

7. Data Security Measures

Comprehensive Security Framework

We implement industry-leading security measures to protect your data:

  • Encryption & Access Controls: Strong encryption (AES-256) and restricted access to sensitive data (Active)
  • Audit Trails: All critical system interactions are logged for compliance (Active)
  • Employee Training: Mandatory DPA and cybersecurity training for all staff (Current)
  • Regular Security Audits: Periodic vulnerability assessments and penetration testing (Scheduled)

Data Protection Status

Encryption
Access Control
Backup Status
Security Scan

Last Security Scan: All systems operational

Recent Audit Trail (Last 7 Days)

Action            | Time            | Result
Login             | Today 09:30     | Success
Data Export       | Today 09:15     | Success
Report Generation | Yesterday 16:45 | Success

Training & Certification Records

DPA Training: Complete
Security Training: Complete
Platform Training: Complete
Next Due: March 2026

8. Cookies & Tracking Technologies

Types of Cookies Used

Impact of Cookie Settings

  • Essential: Required for login and core features
  • Analytics: Improves service quality and performance
  • Performance: Enables faster loading times
  • Note: Disabling optional cookies may limit some features

9. Third-Party Processors

All third-party vendors must demonstrate compliance with the Kenya DPA 2025. Contracts include confidentiality, processing limits, and breach response clauses.

Active Third-Party Vendors

  • Payment Services (Safaricom/M-Pesa): Payment processing and transactions. DPA Compliant
  • Mapping Services (Google Services): Route mapping and geolocation. DPA Compliant
  • Cloud Infrastructure (AWS Kenya): Secure data storage and backup. DPA Compliant
  • Analytics (Internal Systems): Platform analytics and insights. In-House

Vendor Compliance Status

Vendor           | DPA Compliance | Contract Status | Last Audit
Safaricom/M-Pesa | Verified       | Valid           | Aug 2025
Google Services  | Verified       | Valid           | Sept 2025
AWS Kenya        | Verified       | Valid           | Sept 2025

[Data Flow Diagram. Nodes shown: Route Manager, Rideon Platform, M-Pesa, PSV Admin, Cloud Backup]

10. Data Breach Protocol

In the unlikely event of a data breach, we have comprehensive protocols in place to protect your information and keep you informed.

Incident Response Timeline

  1. Detection → Report: Immediate notification to security team (Immediate)
  2. Investigation: Full assessment of breach scope and impact (Within 72 hours)
  3. ODPC Notice: Mandatory reporting if user data affected (If Required)
  4. User Notification: Direct alerts to impacted users (Within 24 hours)
  5. Resolution: Implement fixes and preventive measures (ASAP)

Your Responsibilities

  1. Report Immediately: Contact security team as soon as you detect any suspicious activity
  2. Preserve Evidence: Do not delete or modify any related data or logs
  3. Don't Attempt Fixes: Wait for security team instructions before taking action
  4. Await Instructions: Follow guidance from the incident response team
  5. Cooperate Fully: Provide complete information during investigation

Emergency Contacts

Security Hotline

+254 112 400 111

Available 24/7

Security Email

Monitored 24/7

Data Protection Officer

Response: 24-48 hours

11. Policy Updates

Current Version Information

Version: 2.0
Released: October 30, 2025
Major Changes: Enhanced ODPC compliance
Status: Active

Version History

v2.0 October 30, 2025
  • Enhanced ODPC compliance measures
  • Updated data retention policies
  • Improved breach notification procedures
  • Enhanced user rights section
v1.5 July 15, 2025
  • Added Route Manager specific provisions
  • Updated third-party processor list
  • Enhanced cookie preferences
v1.0 January 11, 2025
  • Initial policy release
  • Kenya DPA 2025 baseline compliance

Policy Review Schedule

Next Scheduled Review: April 2026
Review Cycle: Every 6 months
Last Audit: September 2025
Compliance Status: Current

12. Contact & Complaints

Citrus Labs Limited Contact Information

General Support

support@citruslabs.co.ke

Available: 8am - 6pm EAT

Phone Support

+254 112 400 000

Mon-Fri: 8am - 6pm EAT

Live Chat

Instant messaging support

Available: 8am - 6pm EAT

Support Tickets

24/7 ticketing system

Response within 24 hours

Legal & Data Protection Contact

ODPC Escalation

When to Escalate to ODPC

If you are not satisfied with our response to your complaint, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC).

Escalate to ODPC if:
  • Your complaint remains unresolved after 30 days
  • You believe your data protection rights have been violated
  • You have concerns about our data handling practices
  • You experienced a data breach affecting your information

Office of the Data Protection Commissioner

Website: www.odpc.go.ke

Email: info@odpc.go.ke

Phone: +254 20 2675 100