Privacy Policy & Corporate Data Governance Charter
1. Introduction, Executive Summary & Legal Commitment
BebaSwift Limited is a technology-enabled logistics company in Kenya offering on-demand parcel delivery, real-time shipment tracking, corporate supply chain solutions, last-mile dispatch services, and integrated digital payment systems. The ecosystem includes the Sender App, Rider App, merchant dashboard, PDA scanning terminals, APIs, and e-commerce integrations.
This Charter explains how BebaSwift collects, processes, uses, stores, protects, shares, and disposes of personal data in compliance with the Data Protection Act, 2019, the Data Protection Regulations 2021, and guidance from the Office of the Data Protection Commissioner.
2. Categories of Personal Data Collected
Identity & Account Data
- Full legal name, date of birth, gender, national identification number, passport details, and photographs.
- Phone numbers, email addresses, physical addresses, landmarks, and GPS coordinates.
- Corporate registration documents, KRA PIN, VAT certificate, authorised signatories, and tax compliance status.
- Rider vetting documents including national ID, good conduct certificate, NTSA licence, vehicle details, training certificates, and guarantor information.
Location, Consignment, Financial & Technical Data
- Rider GPS, speed, heading, altitude, and device telemetry while the Rider App is active.
- Package attributes, scanning records, proof-of-delivery photographs, signatures, OTP codes, and recipient verification data.
- M-Pesa transaction references, payment amounts, wallet balances, card gateway records, device identifiers, IP addresses, crash logs, cookies, and analytics data.
3. Purposes of Processing & Lawful Bases
| Data Category | Purpose | Lawful Basis |
|---|---|---|
| Rider GPS & Telemetry | Order allocation, route optimisation, live tracking, safety, fraud prevention, and payouts. | Contract + Legitimate Interests |
| Customer PII & Contacts | Account management, order fulfilment, notifications, support, and service personalisation. | Contract + Consent |
| Corporate Tax Data | eTIMS invoicing, tax reporting, and audit compliance. | Legal Obligation |
| Proof of Delivery | Dispute resolution, insurance claims, quality assurance, and audit trails. | Contract + Legitimate Interests |
4. Sharing, Transfers, Security & Retention
BebaSwift does not sell personal data. Data may be shared with authorised internal teams, dispatch riders, payment partners, cloud providers, regulators, law enforcement, courts, and corporate clients only where necessary and controlled by appropriate safeguards.
Core data resides in Kenya. Cross-border transfers, where necessary, comply with Section 41 of the Data Protection Act through recognised safeguards. BebaSwift uses encryption, access control, audit logs, MFA, vulnerability testing, employee confidentiality training, and incident response procedures.
| Data Type | Retention Period | Reason |
|---|---|---|
| Active shipment data & POD | 90 days after delivery | Operations and disputes |
| Financial & tax records | 7 years | KRA and statutory requirements |
| Rider compliance records | Contract duration + 5 years | Regulatory compliance |
| Account deletion requests | 30-day grace period then deletion/anonymisation | Account closure |
5. Data Subject Rights
Under Kenyan data protection law, you have the right to be informed, access your data, request rectification, request erasure subject to legal retention obligations, restrict processing, request portability, object to processing, and withdraw consent where applicable.
To exercise a right, contact dpo@bebaswift.co.ke or call +254 207 650 000. BebaSwift responds within 30 days.