BebaSwift Limited
Home Services How it works Business Safety Contact
Book a parcel

Legal policy

Privacy Policy & Corporate Data Governance Charter

Data Controller & Processor: BebaSwift Limited

Company Registration No: PVT-LRU7A921

ODPC Registration Number: ODPC/DC/REG/2026/009842

Document Version: 2026.V4.2

Effective Date: May 17, 2026

Data Protection Officer: dpo@bebaswift.co.ke

Compliance Helpline: +254 207 650 000

Privacy Email: privacy@bebaswift.co.ke

1. Introduction, Executive Summary & Legal Commitment

BebaSwift Limited is a technology-enabled logistics company in Kenya offering on-demand parcel delivery, real-time shipment tracking, corporate supply chain solutions, last-mile dispatch services, and integrated digital payment systems. The ecosystem includes the Sender App, Rider App, merchant dashboard, PDA scanning terminals, APIs, and e-commerce integrations.

This Charter explains how BebaSwift collects, processes, uses, stores, protects, shares, and disposes of personal data in compliance with the Data Protection Act, 2019, the Data Protection Regulations 2021, and guidance from the Office of the Data Protection Commissioner.

Important Legal Notice: By accessing the platforms, registering an account, placing a delivery order, registering as a rider, or using BebaSwift services, you confirm that you have read and understood this Charter.

2. Categories of Personal Data Collected

Identity & Account Data

  • Full legal name, date of birth, gender, national identification number, passport details, and photographs.
  • Phone numbers, email addresses, physical addresses, landmarks, and GPS coordinates.
  • Corporate registration documents, KRA PIN, VAT certificate, authorised signatories, and tax compliance status.
  • Rider vetting documents including national ID, good conduct certificate, NTSA licence, vehicle details, training certificates, and guarantor information.

Location, Consignment, Financial & Technical Data

  • Rider GPS, speed, heading, altitude, and device telemetry while the Rider App is active.
  • Package attributes, scanning records, proof-of-delivery photographs, signatures, OTP codes, and recipient verification data.
  • M-Pesa transaction references, payment amounts, wallet balances, card gateway records, device identifiers, IP addresses, crash logs, cookies, and analytics data.

3. Purposes of Processing & Lawful Bases

Data Category Purpose Lawful Basis
Rider GPS & Telemetry Order allocation, route optimisation, live tracking, safety, fraud prevention, and payouts. Contract + Legitimate Interests
Customer PII & Contacts Account management, order fulfilment, notifications, support, and service personalisation. Contract + Consent
Corporate Tax Data eTIMS invoicing, tax reporting, and audit compliance. Legal Obligation
Proof of Delivery Dispute resolution, insurance claims, quality assurance, and audit trails. Contract + Legitimate Interests

4. Sharing, Transfers, Security & Retention

BebaSwift does not sell personal data. Data may be shared with authorised internal teams, dispatch riders, payment partners, cloud providers, regulators, law enforcement, courts, and corporate clients only where necessary and controlled by appropriate safeguards.

Core data resides in Kenya. Cross-border transfers, where necessary, comply with Section 41 of the Data Protection Act through recognised safeguards. BebaSwift uses encryption, access control, audit logs, MFA, vulnerability testing, employee confidentiality training, and incident response procedures.

Data Type Retention Period Reason
Active shipment data & POD 90 days after delivery Operations and disputes
Financial & tax records 7 years KRA and statutory requirements
Rider compliance records Contract duration + 5 years Regulatory compliance
Account deletion requests 30-day grace period then deletion/anonymisation Account closure

5. Data Subject Rights

Under Kenyan data protection law, you have the right to be informed, access your data, request rectification, request erasure subject to legal retention obligations, restrict processing, request portability, object to processing, and withdraw consent where applicable.

To exercise a right, contact dpo@bebaswift.co.ke or call +254 207 650 000. BebaSwift responds within 30 days.

Regulatory Escalation: If you are not satisfied with the response, you may lodge a complaint with the Office of the Data Protection Commissioner of Kenya.

BebaSwift Limited

Technology-enabled courier services with doorstep pickup, sorting-centre movement, and electric-bike last-mile delivery.

Company

Services How it works Business

Support

Contact Safety Prohibited items

Legal

Privacy Policy Terms of Service
© 2026 BebaSwift Limited. All rights reserved. privacy@bebaswift.co.ke    +254 207 650 000