GDPR Compliance
Last updated: June 1, 2024
1. Overview
AutoGo is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This page explains how we comply with GDPR requirements and how you can exercise your rights under the regulation.
This policy applies to all individuals located in the European Economic Area (EEA) whose personal data is processed by AutoGo.
2. Data Controller
The data controller responsible for your personal information is:
- Company: AutoGo Kenya Ltd.
- Email: dpo@autogo.co.ke
- Phone: +254 116247671
- Address: Karen Commerce Centre, Nairobi, Kenya
If you have any questions about how we handle your data, please contact our Data Protection Officer (DPO) at dpo@autogo.co.ke.
3. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
- Contractual Necessity: Processing required to fulfill our rental agreement with you, including booking management, payment processing, and vehicle delivery.
- Legitimate Interests: Processing for fraud prevention, network security, direct marketing (with opt-out), and service improvement.
- Consent: Processing for non-essential cookies, marketing communications, and location services. You can withdraw consent at any time.
- Legal Obligation: Processing required to comply with applicable laws and regulations, including tax, accounting, and anti-fraud legislation.
4. Your GDPR Rights
As a data subject in the EEA, you have the following rights under GDPR:
Right to Access (Art. 15)
You have the right to request confirmation of whether we process your data and obtain a copy of your personal information.
Right to Rectification (Art. 16)
You have the right to request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Also known as the "right to be forgotten," you can request deletion of your personal data when it is no longer necessary for the purpose it was collected.
Right to Restrict Processing (Art. 18)
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.
Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object (Art. 21)
You have the right to object to processing based on legitimate interests, including profiling and direct marketing.
Rights Related to Automated Decision-Making (Art. 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal effects concerning you.
5. How to Exercise Your Rights
To exercise any of your GDPR rights, please submit a request through one of the following methods:
- Email: Send your request to dpo@autogo.co.ke with the subject line "GDPR Request"
- Account Settings: Access and update your personal data directly through your account dashboard
- Contact Form: Submit a request through our Contact page
We will respond to your request within 30 days, as required by GDPR. We may need to verify your identity before processing your request. There is no charge for exercising your rights, though we may charge a reasonable fee for repetitive or manifestly unfounded requests.
6. Data Retention Schedule
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Until account deletion + 90 days | Legal obligations, dispute resolution |
| Booking Records | 6 years after booking | Tax and accounting requirements |
| Payment Information | 3 years after last transaction | Anti-fraud, financial audits |
| Communication History | 2 years | Customer service, dispute resolution |
| Usage Analytics | 2 years | Service improvement (anonymized after 6 months) |
7. Data Processing Agreements
We have Data Processing Agreements (DPAs) in place with all third-party service providers who process personal data on our behalf, including:
- Payment processors (Stripe)
- Cloud infrastructure providers
- Analytics services
- Customer support platforms
- Communication and email services
These agreements ensure that all processors comply with GDPR requirements and implement appropriate technical and organizational measures.
8. International Data Transfers
When we transfer personal data from the EEA to countries outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Adequacy decisions for countries deemed to have equivalent data protection
- Binding Corporate Rules (BCRs) where applicable
Our primary data processing infrastructure is located in the EU and Kenya. Transfers to Kenya are governed by SCCs and appropriate supplementary measures.
9. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify:
- The relevant supervisory authority within 72 hours of becoming aware of the breach
- Affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
Our incident response team follows a documented breach management procedure to contain, assess, and remediate any data security incidents.
10. Complaints
If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so we can attempt to resolve your concerns.
For Kenya residents, you may also contact the Office of the Data Protection Commissioner (ODPC).
11. Contact Our DPO
For all GDPR-related inquiries, please contact our Data Protection Officer:
- Email: dpo@autogo.co.ke
- Phone: +254 116247671
- Address: Karen Commerce Centre, Nairobi, Kenya
