Legal

Privacy Policy

This Privacy Policy explains how Kora Fleet Technologies collects, uses, stores, and protects personal data in connection with the Kora Fleet Management System. We are committed to compliance with the Kenya Data Protection Act 2019 and applicable international privacy standards.

Effective 14 March 2026

1. Overview

Kora Fleet Technologies ("Kora", "we", "us", "our") operates a multi-tenant SaaS fleet management platform used by transport companies, fleet operators, and logistics businesses ("Customers") across Kenya and the East African region. In delivering our services, we process personal data relating to Customer employees, drivers, mechanics, and other personnel.

This Policy applies to all data processed through the Kora Fleet Management System, including the Workspace App, Field App (mobile PWA), Platform Console, and all associated APIs. It should be read together with our Terms of Service.

Customers who process personal data through Kora act as data controllers in respect of their personnel and operational data. Kora acts as a data processor on behalf of those Customers, and as a data controller in respect of platform-level administrative data.

2. Data Controller & Processor

2.1 Kora as Data Controller

Kora is the data controller for: account registration data for company administrators; billing and subscription records; platform usage analytics and audit logs; marketing communications and enquiry submissions; and platform-level personnel records for Kora's own staff.

2.2 Kora as Data Processor

For all Operational Data submitted by a Customer — including personnel profiles, trip records, fuel logs, maintenance records, payroll data, and driver activity — Kora acts as a data processor. The Customer is the data controller and determines the purposes and means of processing. Customers must ensure they have a lawful basis to submit their personnel's personal data to Kora and must provide adequate notices to their data subjects.

2.3 Data Processing Agreement

By accepting the Terms of Service, Customers enter into a Data Processing Agreement (DPA) with Kora, the terms of which are incorporated into this Policy. The DPA satisfies the written contract requirements of Section 43 of the Kenya Data Protection Act 2019. Customers requiring a standalone signed DPA should contact legal@korafleet.com.

3. Data We Collect

3.1 Account & Registration Data

Company name, type, and registration details provided during onboarding.
Administrator name, email address, and hashed password (via Supabase Auth).
Phone number if provided for billing communications.
Company logo if uploaded by the administrator.

3.2 Personnel Data (submitted by Customers)

Full name, date of birth, national ID number, phone number, and email address.
Role and employment status within the fleet company.
KRA PIN and bank account details where provided for payroll disbursements.
M-Pesa phone number for B2C payout transfers.
Profile photograph if uploaded by the Customer.
Emergency contact details if entered by the Customer.

3.3 Operational Data (submitted by Customers)

Vehicle registration plates, chassis/VIN numbers, make, model, and fuel type.
Trip records including origin, destination, cargo details, mileage, and timestamps.
Fuel fill records including quantity, cost, station, and odometer readings.
Maintenance job cards, parts used, and mechanic notes.
Invoice data including client details, line items, and payment status.
Advance request records and repayment schedules.
Route definitions and associated client records.

3.4 Usage & Technical Data

Browser type, operating system, and device information.
IP address, timestamps, and session identifiers (for security and audit purposes).
Feature usage patterns and page navigation data (anonymised for product analytics).
API request logs retained for 90 days for security monitoring.

3.5 Communications Data

Enquiries and messages submitted through the contact form at /contact.
Support ticket correspondence.
Email communications regarding billing, security alerts, and service notices.

4. Legal Basis for Processing

Under the Kenya Data Protection Act 2019, we process personal data on the following legal bases:

Contract performance: processing necessary to provide the Service to Customers and their authorised users under the Terms of Service.
Legitimate interests: fraud detection, security monitoring, audit trail maintenance, and product improvement through anonymised analytics — balanced against the rights of data subjects.
Legal obligation: retaining records required by Kenyan tax, labour, and financial regulation.
Consent: where we send optional marketing communications to administrators who have opted in; or where personnel data subjects have consented to specific processing by their employer-Customer.

Customers are responsible for identifying and documenting their own legal basis for processing their personnel's data on the Kora platform.

5. How We Use Personal Data

5.1 Service Delivery

We use personal data to create and maintain company accounts; authenticate and authorise users; process trip dispatch, fuel records, and maintenance workflows; generate invoices and financial reports; and send critical service notifications such as security alerts, billing reminders, and subscription status changes.

5.2 Fraud & Anomaly Detection

Kora's fuel anomaly detection engine analyses fuel fill records against vehicle specifications and historical patterns to flag potential siphoning, over-reporting, or mileage discrepancies. This processing is carried out on behalf of the Customer to protect the Customer's operational integrity. Flagged anomalies are surfaced to Customer administrators only and are not disclosed to third parties.

5.3 Billing & Payments

Subscription billing data is used to generate invoices, apply M-Pesa Paybill payments, and maintain billing history. Payroll disbursement data (M-Pesa phone numbers) is used solely to facilitate B2C transfers instructed by the Customer.

5.4 Security & Audit

We maintain audit logs of significant platform actions — account creation, data mutations, admin actions, and access events — to detect security incidents, investigate complaints, and comply with regulatory requirements. Kora staff access to Customer Operational Data is restricted to support, security incident response, and legal compliance scenarios, and is logged.

5.5 Platform Improvement

Anonymised, aggregated, and non-identifiable usage data may be used to improve platform features, optimise performance, and inform product development. No individual Customer's data is disclosed in such analytics.

7. M-Pesa & Payment Data

Kora integrates with Safaricom's M-Pesa Daraja API for two payment flows: Paybill C2B (Customer subscription payments) and B2C (Customer-instructed driver/personnel payouts). The following applies specifically to M-Pesa data handling:

Paybill payments: When a Customer pays via M-Pesa Paybill, Safaricom transmits the payer's phone number, name, and amount to Kora's webhook. This data is stored and matched to the Customer's billing account.
B2C payouts: The recipient's M-Pesa phone number is transmitted to Safaricom solely to effect the disbursement. Kora logs the transaction reference, amount, and outcome for audit purposes.
Kora does not store full M-Pesa PINs or Safaricom API secrets in Customer-accessible storage.
M-Pesa transaction data may be retained for up to 7 years to comply with Kenya Revenue Authority and Central Bank of Kenya record-keeping requirements.
Kora is not a payment service provider or mobile money operator. All M-Pesa transactions are facilitated via Safaricom's licensed infrastructure under Safaricom's own regulatory authorisations.

8. Personnel Data & Driver Rights

Drivers, mechanics, dispatchers, and other fleet personnel whose data is held on the Kora platform are data subjects. Their personal data is submitted and controlled by their employer (the Customer). Kora processes this data as a data processor under the Customer's instruction.

Personnel wishing to exercise data subject rights (access, correction, deletion, or portability) should contact their employer directly. Kora will support Customers in fulfilling valid data subject requests within 30 days of written notice.

Where a Customer's account is suspended or terminated and not renewed, personnel data is retained for 30 days for export. After that window, data is permanently deleted subject to any mandatory regulatory retention obligations.

Personnel data — including national ID numbers, phone numbers, and financial information — is stored with field-level access controls. Kora staff cannot read plaintext sensitive fields except through audited administrative tooling used solely for support and compliance purposes.

9. Data Retention & Deletion

9.1 Operational Data

Customer Operational Data (trips, fuel logs, maintenance records, payroll records) is retained for the life of the Customer's active subscription. Upon account termination, data is retained for 30 days in a read-only state for export. After 30 days, data is permanently deleted from active storage. Certain financial transaction records may be retained for up to 7 years to satisfy Kenya Revenue Authority requirements.

9.2 Audit Logs

Audit logs and activity trails are retained for a minimum of 12 months and may be retained for up to 7 years where required by applicable law. Audit logs are not accessible to Customer users but are available to Kora's compliance team and may be produced in response to lawful regulatory requests.

9.3 Account Data

Company administrator credentials and account registration data are deleted 30 days after account termination. Billing records and subscription history are retained for 7 years for accounting and tax compliance.

9.4 Requesting Deletion

Customers may request immediate deletion of their Operational Data (outside the standard 30-day post-termination window) by writing to privacy@korafleet.com. Deletion requests will be actioned within 14 days, subject to any mandatory retention obligations. A deletion confirmation will be issued in writing upon completion.

10. Security Measures

Kora implements technical and organisational security measures proportionate to the sensitivity of the data processed:

All data is transmitted over TLS 1.2 or higher. Data at rest is encrypted using AES-256 via Supabase's managed infrastructure.
Row-Level Security (RLS) is enforced at the database layer, ensuring each Customer's data is fully isolated from all other Customers.
Role-based access controls restrict data access within each Customer's account based on assigned personnel roles.
Platform Console access is restricted to Kora staff with unique credentials and is subject to administrative rate limiting and audit logging.
Authentication tokens are short-lived and rotated. Inactivity timeouts automatically sign out inactive sessions.
Security-sensitive API endpoints are rate-limited to prevent brute-force and credential stuffing attacks.
We conduct periodic internal security reviews and apply security patches on a rolling basis.

Despite these measures, no internet-based service can guarantee absolute security. In the event of a personal data breach affecting Customers, Kora will notify affected Customers without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with Section 43(3) of the Kenya Data Protection Act 2019.

11. Your Rights Under the Kenya Data Protection Act 2019

Individuals whose personal data is controlled by Kora (primarily company administrators) have the following rights under the Kenya Data Protection Act 2019:

Right of access: you may request a copy of the personal data we hold about you.
Right to rectification: you may request correction of inaccurate or incomplete personal data.
Right to erasure: you may request deletion of personal data where there is no legitimate reason for its continued processing, subject to legal retention obligations.
Right to restrict processing: you may request that we limit processing of your personal data in certain circumstances.
Right to data portability: you may request your personal data in a structured, machine-readable format.
Right to object: you may object to processing based on legitimate interests, including profiling.
Right not to be subject to automated decision-making: we do not make legally significant automated decisions based solely on your personal data.

To exercise any of these rights, contact privacy@korafleet.com. We will respond within 30 days. If you believe your rights have not been respected, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) Kenya at www.odpc.go.ke.

Personnel wishing to exercise rights in respect of data held by their employer on the Kora platform should contact their employer directly, as the employer is the data controller for that data.

12. Cookies & Local Storage

The Kora platform uses browser storage technologies to deliver core functionality:

12.1 Essential Cookies & Session Storage

We set strictly necessary session cookies and tokens to authenticate users and maintain secure sessions. These are required for the Service to function and cannot be disabled.

12.2 Local Storage

The Workspace App uses browser localStorage to persist sidebar preferences, UI state, and onboarding completion flags. This data is stored only on your device and is never transmitted to Kora's servers. It can be cleared by clearing your browser data.

12.3 Analytics

We do not currently deploy third-party analytics tracking cookies on the platform. Anonymised usage telemetry is collected server-side. The marketing website (korafleet.com) does not use advertising cookies or cross-site tracking.

13. Cross-Border Data Transfers

Kora's infrastructure relies on cloud providers that may process data outside Kenya, including in the United States and European Union. Such transfers are subject to appropriate safeguards including Standard Contractual Clauses (SCCs) and data processing agreements with each provider as referenced in Section 6.1.

Kora takes reasonable steps to ensure that any international transfer of personal data provides a level of protection consistent with the requirements of the Kenya Data Protection Act 2019. Customers with specific data residency requirements should contact us to discuss available options before subscribing.

14. Children's Data

The Kora Service is designed for use by businesses and professional fleet operators. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor's data has been submitted to the platform, please contact privacy@korafleet.com and we will take prompt action to delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, technology, or applicable law. Material changes will be communicated to company administrators by email at least 14 days before the effective date. The updated Policy will be published at korafleet.com/privacy with a revised effective date.

Continued use of the Service after the effective date of a revised Policy constitutes acceptance of the updated terms. If you do not agree to the revised Policy, you must cease using the Service and contact us to arrange data deletion.

16. Contact & Data Protection Officer

For all privacy-related enquiries, data subject rights requests, breach notifications, or DPA queries, contact our Data Protection Officer:

Email: privacy@korafleet.com
Legal notices: legal@korafleet.com
Security incidents: security@korafleet.com
Postal: Data Protection Officer, Kora Fleet Technologies, Nairobi, Kenya

If you are a Customer with a support query unrelated to data protection, contact support@korafleet.com. If you are a member of the press or a regulatory authority, contact legal@korafleet.com.

For complaints that remain unresolved after contacting us, you may refer the matter to the Office of the Data Protection Commissioner (ODPC) Kenya.

1. Overview

2. Data Controller & Processor

2.1 Kora as Data Controller

2.2 Kora as Data Processor

2.3 Data Processing Agreement

3. Data We Collect

3.1 Account & Registration Data

Company name, type, and registration details provided during onboarding.
Administrator name, email address, and hashed password (via Supabase Auth).
Phone number if provided for billing communications.
Company logo if uploaded by the administrator.

3.2 Personnel Data (submitted by Customers)

Full name, date of birth, national ID number, phone number, and email address.
Role and employment status within the fleet company.
KRA PIN and bank account details where provided for payroll disbursements.
M-Pesa phone number for B2C payout transfers.
Profile photograph if uploaded by the Customer.
Emergency contact details if entered by the Customer.

3.3 Operational Data (submitted by Customers)

Vehicle registration plates, chassis/VIN numbers, make, model, and fuel type.
Trip records including origin, destination, cargo details, mileage, and timestamps.
Fuel fill records including quantity, cost, station, and odometer readings.
Maintenance job cards, parts used, and mechanic notes.
Invoice data including client details, line items, and payment status.
Advance request records and repayment schedules.
Route definitions and associated client records.

3.4 Usage & Technical Data

Browser type, operating system, and device information.
IP address, timestamps, and session identifiers (for security and audit purposes).
Feature usage patterns and page navigation data (anonymised for product analytics).
API request logs retained for 90 days for security monitoring.

3.5 Communications Data

Enquiries and messages submitted through the contact form at /contact.
Support ticket correspondence.
Email communications regarding billing, security alerts, and service notices.

4. Legal Basis for Processing

Under the Kenya Data Protection Act 2019, we process personal data on the following legal bases:

Contract performance: processing necessary to provide the Service to Customers and their authorised users under the Terms of Service.
Legitimate interests: fraud detection, security monitoring, audit trail maintenance, and product improvement through anonymised analytics — balanced against the rights of data subjects.
Legal obligation: retaining records required by Kenyan tax, labour, and financial regulation.
Consent: where we send optional marketing communications to administrators who have opted in; or where personnel data subjects have consented to specific processing by their employer-Customer.

Customers are responsible for identifying and documenting their own legal basis for processing their personnel's data on the Kora platform.

5. How We Use Personal Data

5.1 Service Delivery

5.2 Fraud & Anomaly Detection

5.3 Billing & Payments

5.4 Security & Audit

5.5 Platform Improvement

7. M-Pesa & Payment Data

Paybill payments: When a Customer pays via M-Pesa Paybill, Safaricom transmits the payer's phone number, name, and amount to Kora's webhook. This data is stored and matched to the Customer's billing account.
B2C payouts: The recipient's M-Pesa phone number is transmitted to Safaricom solely to effect the disbursement. Kora logs the transaction reference, amount, and outcome for audit purposes.
Kora does not store full M-Pesa PINs or Safaricom API secrets in Customer-accessible storage.
M-Pesa transaction data may be retained for up to 7 years to comply with Kenya Revenue Authority and Central Bank of Kenya record-keeping requirements.
Kora is not a payment service provider or mobile money operator. All M-Pesa transactions are facilitated via Safaricom's licensed infrastructure under Safaricom's own regulatory authorisations.

8. Personnel Data & Driver Rights

9. Data Retention & Deletion

9.1 Operational Data

9.2 Audit Logs

9.3 Account Data

9.4 Requesting Deletion

10. Security Measures

Kora implements technical and organisational security measures proportionate to the sensitivity of the data processed:

All data is transmitted over TLS 1.2 or higher. Data at rest is encrypted using AES-256 via Supabase's managed infrastructure.
Row-Level Security (RLS) is enforced at the database layer, ensuring each Customer's data is fully isolated from all other Customers.
Role-based access controls restrict data access within each Customer's account based on assigned personnel roles.
Platform Console access is restricted to Kora staff with unique credentials and is subject to administrative rate limiting and audit logging.
Authentication tokens are short-lived and rotated. Inactivity timeouts automatically sign out inactive sessions.
Security-sensitive API endpoints are rate-limited to prevent brute-force and credential stuffing attacks.
We conduct periodic internal security reviews and apply security patches on a rolling basis.

11. Your Rights Under the Kenya Data Protection Act 2019

Individuals whose personal data is controlled by Kora (primarily company administrators) have the following rights under the Kenya Data Protection Act 2019:

Right of access: you may request a copy of the personal data we hold about you.
Right to rectification: you may request correction of inaccurate or incomplete personal data.
Right to erasure: you may request deletion of personal data where there is no legitimate reason for its continued processing, subject to legal retention obligations.
Right to restrict processing: you may request that we limit processing of your personal data in certain circumstances.
Right to data portability: you may request your personal data in a structured, machine-readable format.
Right to object: you may object to processing based on legitimate interests, including profiling.
Right not to be subject to automated decision-making: we do not make legally significant automated decisions based solely on your personal data.

Personnel wishing to exercise rights in respect of data held by their employer on the Kora platform should contact their employer directly, as the employer is the data controller for that data.

12. Cookies & Local Storage

The Kora platform uses browser storage technologies to deliver core functionality:

12.1 Essential Cookies & Session Storage

We set strictly necessary session cookies and tokens to authenticate users and maintain secure sessions. These are required for the Service to function and cannot be disabled.

12.2 Local Storage

12.3 Analytics

13. Cross-Border Data Transfers

14. Children's Data

15. Changes to This Policy

16. Contact & Data Protection Officer

For all privacy-related enquiries, data subject rights requests, breach notifications, or DPA queries, contact our Data Protection Officer:

Email: privacy@korafleet.com
Legal notices: legal@korafleet.com
Security incidents: security@korafleet.com
Postal: Data Protection Officer, Kora Fleet Technologies, Nairobi, Kenya

If you are a Customer with a support query unrelated to data protection, contact support@korafleet.com. If you are a member of the press or a regulatory authority, contact legal@korafleet.com.

For complaints that remain unresolved after contacting us, you may refer the matter to the Office of the Data Protection Commissioner (ODPC) Kenya.

Privacy Policy

1. Overview

2. Data Controller & Processor

3. Data We Collect

4. Legal Basis for Processing

5. How We Use Personal Data

6. Data Sharing & Third Parties

7. M-Pesa & Payment Data

8. Personnel Data & Driver Rights

9. Data Retention & Deletion

10. Security Measures

11. Your Rights Under the Kenya Data Protection Act 2019

12. Cookies & Local Storage

13. Cross-Border Data Transfers

14. Children's Data

15. Changes to This Policy

16. Contact & Data Protection Officer

Privacy Policy

1. Overview

2. Data Controller & Processor

3. Data We Collect

4. Legal Basis for Processing

5. How We Use Personal Data

6. Data Sharing & Third Parties

7. M-Pesa & Payment Data

8. Personnel Data & Driver Rights

9. Data Retention & Deletion

10. Security Measures

11. Your Rights Under the Kenya Data Protection Act 2019

12. Cookies & Local Storage

13. Cross-Border Data Transfers

14. Children's Data

15. Changes to This Policy

16. Contact & Data Protection Officer