1. Introduction

Purpose Statement

Citrus Labs Limited ("we", "our", or "us") respects your right to privacy and is committed to protecting the personal information of all users of the Route Manager Account within the Rideon by Citrus platform. This Privacy Policy outlines how we collect, process, use, store, and protect your personal data in compliance with the Kenya Data Protection Act (2019, as amended in 2025) and the Kenya National Cloud Policy 2025.

Our Purpose

To provide Route Managers with clear and transparent information about how their personal data is handled throughout their interaction with the Rideon by Citrus platform.

Route Manager Scope

This Policy Applies To:

  • Fare Collection Management
  • Route Oversight Operations
  • Driver Coordination Activities
  • Billing & Settlement Processes
  • Compliance Reporting Functions

Coverage Areas

This privacy policy covers all interactions within the Rideon by Citrus platform related to your role as a Route Manager.

Routes Under Management Loading...
Geographic Coverage Loading...
Driver Count Loading...
Vehicle Count Loading...

By using Rideon by Citrus, you agree to the practices described in this Privacy Policy.

2. Legal Compliance

All processing activities comply with the Kenya Data Protection Act and directives issued by the Office of the Data Protection Commissioner (ODPC).

Kenya DPA Compliance

Fully compliant with the Kenya Data Protection Act 2019 (amended 2025)

ODPC Registration

Registered Data Controller and Processor

Kenya Cloud Policy 2025

All data stored on Kenya-based servers

Data Protection Officer

Oversees all compliance matters

Our Data Protection Officer

Citrus Labs Limited has appointed a dedicated Data Protection Officer (DPO) who oversees compliance and may be contacted at:

Email: legal@citruslabs.co.ke

Response Time: 24-48 hours

Compliance Status Overview

Item Status Last Audit Next Review
Data Controller Registration Active September 2025 September 2026
Data Processor Registration Active September 2025 September 2026
Cloud Policy Compliance Compliant October 2025 April 2026
ODPC Registration Valid N/A December 2026

3. Data Collection

We collect and process the following categories of data:

Personal Information

  • Full name and ID
  • Contact details (email, phone)
  • Identification documents (where required)
  • Route Manager ID

Operational Data

  • Assigned routes list
  • Linked drivers information
  • Active vehicles tracking
  • Schedule data
  • Performance metrics

Financial & Transactional Data

  • Fare collection records
  • M-Pesa transactions
  • Settlement history
  • Debt clearance activity
  • Commission data

System & Technical Data

  • Login activity history
  • Device/browser identifiers
  • IP addresses
  • Session duration

Collection Methods

Direct Provision

Information provided by you during onboarding and account setup

Automatic Generation

Data generated automatically by the system during usage

PSV Admin Submission

Data submitted by the PSV Organization Admin that manages your assignment

Consent Management

Your Consent

Consent is obtained during registration and can be withdrawn by contacting the DPO at legal@citruslabs.co.ke.

Data Collection Overview

Data Points Collected Loading...
Active Consent Status Active
Last Collection Loading...

4. Data Usage

We process your data for the following purposes:

Authentication

To authenticate your Route Manager account and ensure platform security

Fare Management

To facilitate fare collection, billing, and settlement processes

Route Operations

To manage route oversight, driver assignments, and vehicle tracking

Reporting

To generate compliance reports for route performance

Notifications

To send operational notifications including payment confirmations and alerts

Data Protection Commitment

We do not sell or rent personal data. Automated decision-making (e.g., penalty escalation, payment validation) is applied only where necessary and subject to audit.

Fare Data Processing

Your fare collection data is used for:

  • Real-time validation and verification
  • Automated settlement calculation
  • Debt tracking and management
  • Commission computation

Notification Preferences

5. Data Sharing & Transfers

Kenya-Based Storage

All personal data is stored on Kenya-based cloud servers in line with the Kenya Cloud Policy 2025.

Primary: Nairobi Data Center
Secondary: Mombasa Data Center
Policy: Zero International Transfer

Data Sharing Partners

Limited data may be shared with the following partners under strict contractual controls:

Payment Providers

Safaricom/M-Pesa

  • Transaction data only
  • Encrypted transfer
  • Limited retention

PSV Organization Admins

Your organization's administrators

  • Route performance data
  • Financial summaries
  • Limited personal details

Regulatory Bodies

Where legally required

  • Transport Authority
  • Tax Authority (when required)
  • ODPC (on request)

Safeguards Applied

Encryption

All data transfers use industry-standard encryption

Contractual Controls

Strict data processing agreements with all partners

Access Controls

Role-based access limits who can view your data

Audit Trails

All data sharing events are logged and monitored

6. User Rights

As a Route Manager, you are entitled to the following rights under the Kenya DPA:

Access My Data

Right to access and receive copies of your personal data

Correct Information

Right to rectification of inaccurate or incomplete data

Request Deletion

Right to erasure, subject to legal or contractual retention requirements

Object to Processing

Right to object to specific forms of processing

Export Data

Right to data portability and transfer

Manage Drivers' Privacy

Configure privacy settings for drivers under your route

How to Exercise Your Rights

All rights requests must be submitted in writing to:

Email: legal@citruslabs.co.ke

1
Submit Request

Send your request via email with clear identification

2
Verification

We verify your identity for security purposes

3
Processing

We process your request within 30 days

4
Response

You receive the requested action or information

Data Export Portal

7. Data Security

We adopt industry-standard security measures to protect your personal data:

Encryption

Encryption of sensitive data during storage and transfer

Access Controls

Role-based access controls based on assigned user roles

Audit Trails

Continuous system monitoring and comprehensive audit logs

Security Training

Staff training on data protection and confidentiality

Encryption Status

Data Storage AES-256 Active
Data Transfer TLS 1.3 Active
M-Pesa Transactions End-to-End Active
Backups AES-256 Active

Two-Factor Authentication (2FA)

Current Status: Loading...
Method: Loading...
Backup Codes: Loading...

Your Access Permissions

Data Category Access Level Actions Allowed
Route Data Full Access View, Edit, Export
Driver Data Limited View Only
Financial Data Route-Specific View, Export
System Settings Limited Personal Settings Only

Recent Audit Trail

Date & Time Action Data Accessed Status
Oct 30, 2025 10:30 Data Access Route Performance Success
Oct 30, 2025 09:15 Report Generated Financial Summary Success
Oct 29, 2025 16:45 Data Modified Contact Details Success

8. Cookies & Tracking Technologies

We use cookies and similar technologies to enhance platform performance and provide route-level analytics.

Important: Non-essential cookies may be declined; however, doing so may limit certain functionalities.

Cookie Types

Essential Cookies

Required for platform functionality and security

Required

Analytics Cookies

Track usage patterns and performance metrics

Optional

Performance Cookies

Optimize page load times and responsiveness

Optional

Marketing Cookies

Personalized content and feature suggestions

Optional

Manage Cookie Preferences

Route Analytics Configuration

Control what route analytics data is collected:

Performance Metrics Tracked

  • Page Load Times
  • Feature Usage Patterns
  • Error Rates and System Issues
  • Device and Browser Performance

9. Data Retention

We retain operational and transactional data for seven (7) years to comply with Kenyan transport and financial record-keeping laws. Upon expiry of the retention period, data will be securely deleted or anonymized.

Data Retention Schedule

Data Category Retention Period Legal Basis Disposal Method
Operational Data 7 years Transport Regulations Secure Deletion
Financial Records 7 years Tax & Accounting Laws Secure Deletion
System Logs 1 year Security Monitoring Automatic Deletion
Temporary Data 30 days Operational Needs Automatic Deletion

Archive Access Portal

Access your historical data from previous years:

2024 Data Archive
2023 Data Archive
Older Records

Upcoming Scheduled Deletions

November 15, 2025
System Log Files

Log files from November 2024

December 1, 2025
Temporary Session Data

Temporary data older than 30 days

10. Data Breach Protocol

In the event of a personal data breach:

Current Status: Secure

All systems operating normally

Last Incident: None Reported
System Health: 100%
Last Security Scan: Loading...

Incident Response Timeline

1
0-24 Hours: Detection & Containment

Immediate detection, containment, and initial assessment

2
24-72 Hours: Investigation

We will investigate and mitigate the incident within 72 hours

3
72+ Hours: ODPC Notification

The ODPC will be notified as required by law

4
User Notification

Affected Route Managers will be informed promptly with guidance

5
Resolution & Prevention

Implement fixes and preventive measures

Report a Security Issue

If you suspect a security incident, report it immediately:

Check if Your Data Was Affected

Enter an incident ID to check if your data was impacted:

Emergency Security Contacts

Security Hotline

+254 112 400 111

24/7 Available

Security Email

Monitored 24/7

11. Policy Updates

This Privacy Policy may be amended from time to time to reflect legal, operational, or technological changes. Updates will be communicated through the Rideon by Citrus platform and, where significant, via direct email.

Current Version

Version: 2.1
Released: October 30, 2025
Status: Active

Version History

v2.1 October 30, 2025
  • Enhanced Kenya Cloud Policy compliance
  • Updated data retention schedules
  • Improved breach notification procedures
v2.0 July 15, 2025
  • Major DPA 2025 amendments incorporated
  • Route Manager specific sections added
  • Enhanced user rights framework
v1.9 April 20, 2025
  • Cookie policy updates
  • Third-party processor additions

Preview Upcoming Changes

No upcoming changes scheduled at this time

When policy updates are proposed, you'll be able to preview them here and provide feedback.

Policy Acknowledgment

12. Contact & Complaints

For inquiries, requests, or complaints regarding this Privacy Policy, please contact us:

Citrus Labs Limited Contact Information

Email Legal Team

legal@citruslabs.co.ke

Privacy and legal inquiries

Phone Support

+254 112 400 000

Hours: 8am - 6pm EAT (Mon-Fri)

Mailing Address

P.O. Box 23983 - 00100

Nairobi, Kenya

File a Complaint with ODPC

If unresolved, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya.

Before Filing with ODPC:
  1. Contact us first using the methods above
  2. Document your complaint and our response
  3. Wait 30 days for resolution
  4. If unsatisfied, escalate to ODPC
ODPC Contact Information:

Website: www.odpc.go.ke

Email: info@odpc.go.ke

Phone: +254 20 2675 100

Privacy FAQs

Find quick answers to common privacy questions:

Browse All FAQs

Send Us a Privacy Inquiry