GDPR Compliance

Last updated: June 1, 2024

1. Overview

AutoGo is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This page explains how we comply with GDPR requirements and how you can exercise your rights under the regulation.

This policy applies to all individuals located in the European Economic Area (EEA) whose personal data is processed by AutoGo.

2. Data Controller

The data controller responsible for your personal information is:

  • Company: AutoGo Kenya Ltd.
  • Email: dpo@autogo.co.ke
  • Phone: +254 116247671
  • Address: Karen Commerce Centre, Nairobi, Kenya

If you have any questions about how we handle your data, please contact our Data Protection Officer (DPO) at dpo@autogo.co.ke.

3. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

  • Contractual Necessity: Processing required to fulfill our rental agreement with you, including booking management, payment processing, and vehicle delivery.
  • Legitimate Interests: Processing for fraud prevention, network security, direct marketing (with opt-out), and service improvement.
  • Consent: Processing for non-essential cookies, marketing communications, and location services. You can withdraw consent at any time.
  • Legal Obligation: Processing required to comply with applicable laws and regulations, including tax, accounting, and anti-fraud legislation.

4. Your GDPR Rights

As a data subject in the EEA, you have the following rights under GDPR:

Right to Access (Art. 15)

You have the right to request confirmation of whether we process your data and obtain a copy of your personal information.

Right to Rectification (Art. 16)

You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure (Art. 17)

Also known as the "right to be forgotten," you can request deletion of your personal data when it is no longer necessary for the purpose it was collected.

Right to Restrict Processing (Art. 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.

Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests, including profiling and direct marketing.

Rights Related to Automated Decision-Making (Art. 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal effects concerning you.

5. How to Exercise Your Rights

To exercise any of your GDPR rights, please submit a request through one of the following methods:

  1. Email: Send your request to dpo@autogo.co.ke with the subject line "GDPR Request"
  2. Account Settings: Access and update your personal data directly through your account dashboard
  3. Contact Form: Submit a request through our Contact page

We will respond to your request within 30 days, as required by GDPR. We may need to verify your identity before processing your request. There is no charge for exercising your rights, though we may charge a reasonable fee for repetitive or manifestly unfounded requests.

6. Data Retention Schedule

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

Data TypeRetention PeriodReason
Account InformationUntil account deletion + 90 daysLegal obligations, dispute resolution
Booking Records6 years after bookingTax and accounting requirements
Payment Information3 years after last transactionAnti-fraud, financial audits
Communication History2 yearsCustomer service, dispute resolution
Usage Analytics2 yearsService improvement (anonymized after 6 months)

7. Data Processing Agreements

We have Data Processing Agreements (DPAs) in place with all third-party service providers who process personal data on our behalf, including:

  • Payment processors (Stripe)
  • Cloud infrastructure providers
  • Analytics services
  • Customer support platforms
  • Communication and email services

These agreements ensure that all processors comply with GDPR requirements and implement appropriate technical and organizational measures.

8. International Data Transfers

When we transfer personal data from the EEA to countries outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • Adequacy decisions for countries deemed to have equivalent data protection
  • Binding Corporate Rules (BCRs) where applicable

Our primary data processing infrastructure is located in the EU and Kenya. Transfers to Kenya are governed by SCCs and appropriate supplementary measures.

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify:

  • The relevant supervisory authority within 72 hours of becoming aware of the breach
  • Affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms

Our incident response team follows a documented breach management procedure to contain, assess, and remediate any data security incidents.

10. Complaints

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so we can attempt to resolve your concerns.

For Kenya residents, you may also contact the Office of the Data Protection Commissioner (ODPC).

11. Contact Our DPO

For all GDPR-related inquiries, please contact our Data Protection Officer:

  • Email: dpo@autogo.co.ke
  • Phone: +254 116247671
  • Address: Karen Commerce Centre, Nairobi, Kenya