Privacy Policy
How Cartlyf Technologies Limited protects your personal data in compliance with Kenyan law.
1. Introduction
Welcome to FLYTS, a peer-to-peer car sharing marketplace operated by Cartlyf Technologies Limited ("Cartlyf," "we," "us," or "our"). We take the privacy of our car owners ("Hosts") and renters ("Renters") seriously.
This Privacy Policy describes how we collect, use, and share your personal data when you use the FLYTS mobile application and website (the "Platform"). This document is designed to comply with the Constitution of Kenya 2010 (Article 31) and the Data Protection Act No. 24 of 2019 ("DPA 2019").
2. Information We Collect
We collect personal data that is necessary to facilitate secure car sharing transactions and comply with legal identity verification (KYC) requirements.
2.1 Personal Information
- Profile Data: Name, email address, phone number, and profile picture.
- Identity & Verification Data: National ID or Passport details, driver's licence number, and high-resolution photographs of these documents.
- Sensitive Personal Data (Biometrics): As part of our KYC process, we use automated facial comparison technology to match your live selfie against your ID document. This is processed only with your explicit consent at the time of verification.
2.2 Vehicle & Trip Data
- Vehicle Records: For Hosts, we collect registration details, insurance certificates, and maintenance records.
- Trip Documentation: Pre-trip and post-trip photographs, odometer readings, and fuel levels to protect users against damage claims.
- Location Data: We collect precise geolocation from your mobile device to facilitate vehicle pick-up/drop-off and to provide security tracking during active trips.
2.3 Financial Data
- Transaction Records: We store transaction references and payment status through our payment processor, Paystack. Note: FLYTS does not store your full credit/debit card numbers or CVVs on our servers.
3. Legal Bases for Processing
Under Section 28 of the DPA 2019, we process your data based on:
- Performance of a Contract: To manage your account and facilitate car rentals.
- Legal Obligation: To comply with tax laws and anti-fraud regulations.
- Legitimate Interests: To ensure Platform safety, fraud prevention, and service improvement.
- Consent: For marketing communications and biometric verification.
4. Data Sharing and Disclosure
We share your data only with specific parties involved in the rental lifecycle:
- Hosts & Renters: Essential contact info and profile details are shared once a booking is confirmed.
- Drivers (Chauffeur Mode): If you book a car "With Driver," we share your name, phone number, and pick-up location with the assigned driver to facilitate the service. Conversely, we share the driver's name, photo, and rating with you for safety and identification.
- Service Processors: We use industry-leading providers including Supabase (Database), Firebase (Auth), Paystack (Payments), and Google Maps.
- Law Enforcement: We may disclose data to Kenyan government agencies if required by a valid legal order or for investigation of criminal activities.
5. Data Security & International Transfers
We implement robust technical and organisational measures, including 256-bit encryption and role-based access controls. Some of our processors store data on servers located outside Kenya (e.g., EU or USA).
In accordance with Section 48 of the DPA 2019, we ensure these transfers are governed by Standard Contractual Clauses (SCCs) that provide an adequate level of data protection equivalent to Kenyan law.
6. Your Rights in Kenya
Under Sections 26-34 of the DPA 2019, you have the following rights:
- Right to be informed: To know how we use your data (fulfilled by this policy).
- Right of access: To request a copy of the data we hold about you.
- Right to rectification: To correct inaccurate or incomplete data.
- Right to erasure: To request deletion of your account (subject to 7-year retention for financial records).
- Right to object: To object to processing for direct marketing.
- Right to data portability: To receive your data in a structured, machine-readable format (JSON/CSV).
7. Data Retention
We retain data only as long as necessary:
- Active Accounts: For the duration of your membership.
- Financial Records: 7 years from the date of transaction to comply with Kenyan tax and accounting standards.
- KYC Documents: For the duration of the account plus 2 years post-closure for legal protection.
8. Contact & Complaints
If you have questions or wish to exercise your rights, contact our Data Protection Officer (DPO) at dpoflyts@cartlyf.com.
If you are dissatisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at Britam Towers, Nairobi, or via www.odpc.go.ke.