Privacy Policy
Last updated: March 2026
1. Introduction
MatatuOS ("we", "our", or "us") is a fleet management and SACCO operations platform built for the Kenyan public transport industry. We are committed to protecting the personal data of our clients, their crew members, and other individuals whose information passes through our systems. This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and the rights you hold under applicable Kenyan law, including the Data Protection Act, 2019.
By accessing or using MatatuOS, you agree to the practices described in this policy. If you do not agree, please discontinue use of the platform immediately and contact us to request deletion of your data.
2. Information We Collect
We collect several categories of information depending on how you interact with our platform:
2.1 Account and Identity Data
- Full name, national ID number, and passport photo of SACCO administrators and crew members
- Email address, phone number, and physical address
- SACCO registration details and business documents
- Login credentials (passwords are stored as cryptographic hashes; we never store plaintext passwords)
2.2 Fleet and Operational Data
- Vehicle registration numbers, NTSA inspection records, insurance documents, and PSV licence data
- Real-time and historical GPS location data for tracked vehicles
- Route assignments, trip logs, departure and arrival times
- Fuel consumption records, maintenance schedules, and mechanical reports
- Accident and incident reports filed within the platform
2.3 Financial and Payment Data
- M-PESA transaction references, phone numbers used for M-PESA payments, and payment amounts
- Daily remittance figures, driver revenue share records, and levy deductions
- Subscription billing information including invoices and payment history
- We do not store raw M-PESA PINs or full card numbers. Payment processing is handled by licensed payment service providers.
2.4 Crew Personal Data
- Driver and conductor names, national ID numbers, and PSV licence details
- Performance records, disciplinary notes, and attendance logs
- Employment or affiliation dates with specific vehicles or SACCOs
2.5 Technical and Usage Data
- IP addresses, device identifiers, browser type, and operating system
- Log files, session durations, and feature usage patterns
- Crash reports and diagnostic data submitted automatically or by users
3. How We Use Your Information
We process your data only where we have a lawful basis to do so. Our primary purposes include:
- Service delivery: Operating the platform, managing user accounts, processing remittances, and generating reports for your SACCO.
- Fleet safety and compliance: Tracking vehicle locations, monitoring driver hours, and flagging overdue inspections or expired licences.
- Financial management: Processing M-PESA collections and disbursements, reconciling daily revenue, and producing auditable financial records.
- Customer support: Responding to enquiries, troubleshooting issues, and resolving disputes related to payments or fleet data.
- Security and fraud prevention: Detecting unauthorised access attempts, preventing fraudulent transactions, and protecting user accounts.
- Product improvement: Analysing aggregated, anonymised usage patterns to improve platform features and performance.
- Legal compliance: Meeting obligations under Kenyan law, including tax reporting, NTSA regulations, and data protection requirements.
4. Data Sharing
We do not sell your personal data. We share information only in the following limited circumstances:
- Within your SACCO: Authorised administrators within your organisation can access data relevant to their role. Access is controlled by role-based permissions that your SACCO configures.
- Payment processors: M-PESA and partner payment rails receive only the minimum transaction data required to process payments (phone number, amount, reference).
- Cloud infrastructure providers: We use reputable cloud service providers operating under data processing agreements that include appropriate security and confidentiality obligations.
- Regulatory authorities: We may disclose data to the Kenya Revenue Authority, NTSA, or law enforcement when required by law or a valid court order.
- Business transfers: In the event of a merger or acquisition, data may be transferred to the successor entity, and we will notify affected users in advance.
5. Data Security
We apply industry-standard security controls to protect your data, including:
- TLS 1.2+ encryption for all data in transit between your devices and our servers
- AES-256 encryption for sensitive data at rest, including financial records and identity documents
- Multi-factor authentication options for administrator accounts
- Regular third-party security audits and penetration testing
- Strict internal access controls — MatatuOS employees access production data only on a need-to-know basis
- Automated anomaly detection for suspicious login activity
Despite these measures, no system is perfectly secure. We encourage users to use strong passwords, enable two-factor authentication, and report any suspected security incident to us immediately at security@matatuos.com.
6. Data Retention
We retain your data for as long as your account is active or as necessary to fulfil the purposes described in this policy. Specific retention periods include:
- Account data: Retained for the duration of your subscription and for 90 days after account closure to allow for data export requests.
- Financial and transaction records: Retained for 7 years in accordance with Kenyan tax and financial record-keeping requirements.
- GPS and trip logs: Retained for up to 2 years for operational analysis and dispute resolution.
- Crew personnel records: Retained for the period of crew affiliation plus 3 years.
- Support communications: Retained for 2 years after ticket resolution.
After the applicable retention period, data is securely deleted or anonymised so it can no longer be linked to an individual.
7. Your Rights
Under the Kenya Data Protection Act, 2019, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data where it is no longer necessary for the purpose it was collected, subject to legal retention obligations.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to object: Object to processing of your data for direct marketing or where processing is based on our legitimate interests.
- Right to restriction: Request that we restrict processing of your data in certain circumstances.
To exercise any of these rights, contact us at privacy@matatuos.com. We will respond within 30 days. You may also lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice within the platform at least 14 days before they take effect. Your continued use of MatatuOS after the effective date constitutes acceptance of the revised policy.
9. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact our Data Protection Officer:
- Email: privacy@matatuos.com
- Phone: +254 700 000 000
- Address: MatatuOS Ltd, Westlands, Nairobi, Kenya