Privacy Policy — Mr Truck
Effective date: September 24th, 2025
Last updated: September 2025
1. Introduction
This Privacy Policy explains how BSC Limited (“we”, “us”, “our”) collects, uses, stores, shares and protects personal data when you use the Mr Truck mobile application and related services (the “Service”). We are committed to protecting your privacy and processing your personal data in accordance with the Kenya Data Protection Act, 2019.
2. Data Controller & Contact
Data Controller: BSC Limited
Address: BSC Limited, Sameer Park, Mombasa Road, Nairobi, Kenya
Data Protection Officer (DPO) / Privacy contact:
support@mrtruck.co.ke
3. Data we collect
We collect personal data necessary to provide and improve the Service. Categories include:
- Identity: name, national ID / passport number, date of birth (where required for verification).
- Contact: phone number, email address, postal address.
- Location: GPS pickup/drop-off locations, route information, and live tracking while a booking is active.
- Payment & transaction: payment instrument metadata, transaction history (actual card data is processed directly by payment providers and not stored by us unless explicitly authorised).
- Device & usage: device identifiers, IP address, app logs, crash reports, cookies and analytics data.
- Communications: in-app messages, call metadata and customer support records (contents may be retained to resolve disputes).
- Proof & optional: photos, delivery signatures or documents uploaded by you for verification or proof of delivery.
4. Legal basis for processing
We rely on one or more of the following legal bases under the Data Protection Act when processing your personal data:
- Performance of a contract: to provide the Service and fulfil bookings.
- Legal obligations: to comply with statutory or regulatory requirements (e.g., tax, accounting, law enforcement requests).
- Legitimate interests: fraud prevention, service improvement, analytics and ensuring platform security (we balance these interests against your rights).
- Consent: where required (for example, marketing communications). You can withdraw consent at any time where applicable.
5. How we use your data
- To provide, operate and improve the Service (matching Customers and Drivers, routing, tracking, billing).
- To process payments, issue receipts and manage refunds or disputes.
- To verify identity and perform eligibility checks for Drivers and Customers.
- To detect and prevent fraud or misuse of the Service.
- To respond to user requests and provide customer support.
- To comply with legal obligations and to respond to lawful requests from public authorities.
- For analytics and product development (aggregated / pseudonymised where possible).
- For marketing and communications where you have given consent (you may opt out at any time).
6. Sharing & disclosure
We may share personal data with the following categories of recipients:
- Drivers: to fulfil bookings (e.g., contact and pickup/drop-off location).
- Payment processors and banks: to complete payments and refunds.
- Service providers and subprocessors: hosting, analytics, communications, identity verification, customer support and fraud prevention providers. These providers are contractually obligated to protect your data.
- Law enforcement, courts or regulators: where required by law or to protect legal rights.
- Affiliates or business partners: in accordance with this Policy and only where necessary to provide the Service.
We do not sell personal data.
7. Cross-border transfers
Personal data may be processed or stored outside Kenya (for example by cloud hosting providers). When we transfer data internationally, we require adequate protections (contracts, standard contractual clauses, or other lawful safeguards) and shall comply with the Data Protection Act and applicable regulations.
8. Data security & retention
We use administrative, technical and physical safeguards to protect personal data, including encryption in transit and at rest, access controls, network security measures and monitoring. Despite these measures, no system is 100% secure — we will notify affected users and the Office of the Data Protection Commissioner (ODPC) where required by law in the event of a personal data breach.
Retention: We retain personal data only as long as necessary for the purposes described and to meet legal, contractual, and accountancy obligations. Example retention periods (subject to legal change):
- Account registration and profile data: while the account is active and for a reasonable period after (typically up to 2 years unless required by law).
- Transaction and payment records: may be retained up to 7 years to comply with tax and regulatory obligations.
- Support and dispute records: retained for the period necessa