Logo

Menu

Book a Ride

Pepea Privacy Policy – Drivers

27th February 2026

 

Pepea Privacy Policy – Drivers

Last Updated: 09/02/2026

 

  • Introduction and Scope of this Policy

PEPEA DIGITAL COMMERCE LIMITED (“Pepea”, “we”, “us” or “our”) is committed to protecting the privacy and personal data of all individuals who use our technology platform to provide transportation services as independent driver-partners (“Drivers”, “Driver-Partners”, “you” or “your”).

This Privacy Policy explains how we collect, use, disclose, transfer, store and otherwise process your personal data when you:

  • apply to become a Driver-Partner on the Pepea platform;
  • access or use the Pepea mobile applications, Driver applications, websites and related technology and tools made available by Pepea (together, the “Pepea Platform”) for the purpose of offering transportation and related services to riders (the “Services”).

This Privacy Policy is designed to comply with the Data Protection Act, No. 24 of 2019 of the Laws of Kenya (“DPA”) and any regulations or guidelines issued under it.

By applying to drive with Pepea, creating a Driver account or using the Pepea Platform, you acknowledge that you have read and understood this Privacy Policy and agree to the processing of your personal data as described in it.

Where you provide us with personal data about another person (for example, a nominated contact person), you confirm that you have informed them of this Privacy Policy and obtained any necessary consent where required by law.

 

  • Data Protection Principles We Follow

In processing your personal data, Pepea adheres to the data protection principles set out in the DPA. We will ensure that personal data is:

  • Processed lawfully, fairly and in a transparent manner in relation to you.
  • Collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes, unless permitted by law.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimisation).
  • Accurate and, where necessary, kept up to date, and we take reasonable steps to ensure that inaccurate personal data is erased or rectified without delay.
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed, unless a longer retention period is required or permitted by law.
  • Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (integrity and confidentiality).
  • Processed in accordance with your rights as a data subject under the DPA.

 

  • The Data Controller

For purposes of the DPA and this Privacy Policy, the data controller responsible for your personal data is:

PEPEA DIGITAL COMMERCE LIMITED  

P.O. Box 8635 - 00200, Nairobi, Kenya  

Two Rivers Complex, Southern Tower - 2nd Floor,  

Limuru Road, Nairobi - Kenya.

 

  • Categories of Personal Data We Collect About Drivers

We collect different types of personal data at various stages of your relationship with Pepea: when you apply, when you are onboarded as a Driver-Partner, and when you use the Pepea Platform to provide Services. Below are the main categories of data we process about you as a Driver.

  • Identification and Contact Information
  • Full name
  • National ID/passport number and copy of ID document
  • Date and place of birth
  • Nationality/citizenship (where relevant)
  • Passport-sized photos and/or selfie for identity verification
  • Residential and postal address
  • Mobile phone number (including numbers used for messaging apps)
  • Email address
  • Emergency or “trusted” contact details (name, relationship, phone number and/or email)
  • Driver Application and Onboarding Information

When you apply to become a Driver-Partner, we collect and process information and documents required to assess your suitability, verify your identity, and comply with legal and regulatory obligations, including:

  • Driving licence details (number, class, date of issue and expiry, issuing authority, any endorsements)
  • Driver badge / PSV licence details (where applicable)
  • National Transport and Safety Authority (NTSA) registration and licence information
  • Certificate of Good Conduct / police clearance
  • Kenya Revenue Authority (KRA) PIN and basic tax registration details
  • Vehicle ownership and registration information, including:
    • Vehicle logbook (owner, registration number, chassis number)
    • Vehicle make, model, year and colour
    • Registration number/licence plate
    • Roadworthiness/inspection certificates (e.g. NTSA inspection)
    • PSV or other transport licences (where applicable)
    • Motor vehicle insurance details (insurer, policy number, validity period, cover type)
  • Any additional documents requested by Pepea for compliance, safety, or partner verification purposes.
  • Driver Account and Profile Data
  • Pepea account ID
  • Username/profile name
  • Profile photo
  • Language preferences
  • Communication preferences and notification settings
  • City/region where you operate
  • Fleet affiliation or partnership details (if you drive under or for a fleet owner or another entity)
  • Status of your Driver account (e.g., active, under review, suspended, deactivated)
  • Vehicle and Operational Information
  • Vehicle type, model, year and colour
  • Licence plate number
  • Vehicle capacity (e.g., number of seats)
  • Vehicle category used on the Pepea Platform (e.g., standard, premium, other categories as may be offered)
  • Availability and dispatch preferences (e.g., areas you prefer to operate, hours of availability)
  • Information regarding additional equipment where relevant (e.g., child seat availability, bike rack, accessibility features)
  • Location, Journey and Usage Data

When you use the Pepea Platform as a Driver, we collect information relating to your trips and usage:

Precise and approximate location data from your device (GPS coordinates, Wi-Fi, cell-tower triangulation), including:

  • Location when you go online/offline in the app
  • Location at the time of accepting and completing trips
  • Pick-up and drop-off locations
  • Routes taken during trips

Trip and journey details, including:

  • Date and time of trip requests
  • Trip start and end times
  • Estimated and actual distance travelled and duration
  • Trip status (accepted, cancelled, completed, no-show, etc.)
  • Fare calculation details (base fare, distance/time components, dynamic pricing if applicable)

App and platform usage information, including:

  • App version and device type
  • Dates and times you log in and log out
  • Features used and pages viewed in the Driver app
  • Session duration, connectivity and app performance metrics
  • Crashes, errors and diagnostics information
  • Earnings, Payment and Financial Data
  • Bank account details or mobile money wallet details (e.g., M-Pesa number and related account name)
  • Payment transaction history and payout records
  • Earnings reports and statements (gross earnings, net earnings, incentives, bonuses, and adjustments)
  • Commission and fee information charged by Pepea
  • In-app or other payment method preferences (e.g., cash acceptance settings where available)
  • Tax-related information required to comply with tax laws (e.g., KRA PIN, records for tax reporting)
  • Ratings, Feedback, and Performance Data
  • Rider ratings of your services (e.g., star ratings)
  • Written feedback, compliments or complaints from riders
  • Your ratings and feedback about riders
  • Performance indicators such as:
  • Number of trips completed
  • Trip completion rate
  • Cancellation and no-show patterns
  • Acceptance and response times
  • Safety-related events or incidents recorded on the Platform
  • Safety, Security, Fraud and Compliance Data
  • Information relating to safety reports or incidents involving you, your riders or third parties (e.g., accidents, misconduct allegations, harassment, unsafe driving, road offences)
  • Audio, image or other evidence submitted to or collected by Pepea for safety or dispute resolution purposes, where lawful and applicable
  • Flags, notes or internal assessments relating to suspected fraud, misuse of the Platform, violation of Pepea terms or applicable law
  • Records of compliance checks, sanctions, warnings and account suspensions
  • Information from background checks carried out by or on behalf of Pepea, where permitted by law
  • Communications and Support Data
  • Records of your communications with Pepea, including:
  • Calls, emails, in-app chats, social media messages or web form submissions
  • Support tickets, complaints, claims and their outcomes
  • Data relating to in-app communication features used to contact riders (where applicable)
  • Copies of documents or media you share with us for support or dispute resolution
  • Marketing, Survey and Research Data
  • Your marketing preferences and consents (e.g., consent to receive marketing messages)
  • Records of your participation in promotions, referral programmes, surveys, pilot features or user research
  • Responses to surveys and interviews about your experience or satisfaction with the Pepea Platform
  • Data from Third Parties

We may receive your personal data from:

  • Regulators and authorities such as NTSA, the Kenya Police Service, and other law enforcement or regulatory bodies, in connection with licensing, verification, enforcement or investigations.
  • Background check service providers, insurance companies and risk management partners.
  • Fleet owners or business partners who register or manage Drivers on the Pepea Platform.
  • Riders or other third parties who submit feedback, complaints, safety reports or claims about a trip involving you.
  • Payment and financial service providers, including mobile money providers and banks, who facilitate payouts or resolve payment issues.

We combine this data with other information we hold about you where necessary and lawful.

 

  • Purposes and Legal Bases for Processing Driver Data

Under the DPA, Pepea must have a lawful basis to process your personal data. Depending on the specific processing activity, we rely on one or more of the following legal bases:

  • Performance of a contract with you or to take steps at your request before entering into such a contract.
  • Compliance with a legal obligation to which Pepea is subject (e.g., transport, tax, anti-money laundering, or safety regulations).
  • Legitimate interests pursued by Pepea or a third party, balanced against your interests and fundamental rights and freedoms.
  • Your consent, where required by law (e.g., for certain marketing communications or specific forms of data processing).

Below we summarise the main purposes for which we process your data and the corresponding lawful bases.

  • Onboarding, Verification and Account Management

Purpose:

  • Receiving and assessing Driver applications.
  • Verifying your identity, eligibility and driving credentials.
  • Conducting necessary background and compliance checks.
  • Creating, administering and maintaining your Driver account and profile.
  • Managing your fleet relationship where applicable.

Data involved: Identification data, contact data, driving licence and badge details, NTSA and vehicle information, Good Conduct certificate, KRA PIN and tax details, bank/mobile money details, fleet affiliation, profile data.

Legal bases:

  • Performance of a contract or steps prior to entering into a contract with you.
  • Compliance with legal obligations (e.g., transport and safety regulations, verification requirements).
  • Pepea’s legitimate interests in ensuring only suitable and verified Drivers use the Platform and in maintaining the integrity and security of the Pepea Platform.
  • Provision of the Pepea Platform and Services

Purpose:

  • Enabling you to go online, receive trip requests and provide transportation services to riders.
  • Matching Drivers and riders based on location, availability and other operational factors.
  • Displaying trip details, navigation and routing suggestions.
  • Displaying your basic details to riders (e.g., name, photo, vehicle details and location) to enable a safe and efficient pick-up and trip experience.
  • Enabling communication between you and riders through the Pepea Platform.
  • Managing trip acceptance, cancellations, completion and records.

Data involved: Location and journey data, account and profile data, vehicle data, app usage data, trip and routing data, communication data.

Legal bases:

  • Performance of a contract with you.
  • Pepea’s legitimate interests in operating an effective, safe and reliable ride-hailing platform.
  • Payments, Earnings and Financial Management

Purpose:

  • Calculating fares, commissions, incentives and fees.
  • Processing payments from riders and payouts to Drivers.
  • Issuing receipts, statements and invoices.
  • Handling repayment of commissions or other amounts owed to Pepea where applicable.
  • Maintaining appropriate accounting and financial records.
  • Complying with tax and financial reporting obligations.

Data involved: Earnings and payment data, trip and fare data, bank or mobile money details, KRA PIN and tax-related data, account and profile identifiers.

Legal bases:

  • Performance of a contract with you.
  • Compliance with legal and regulatory obligations (e.g., tax, accounting, anti-money laundering).
  • Pepea’s legitimate interests in managing its business operations and accounts.
  • Safety, Security, Fraud Prevention and Compliance

Purpose:

  • Monitoring driver performance and adherence to Pepea’s terms, policies and community guidelines.
  • Investigating safety reports, incidents, accidents or complaints involving the Services.
  • Preventing, detecting and responding to fraud, abuse, unauthorised use of accounts or payment methods, identity theft, and other unlawful or improper conduct.
  • Assessing and managing risk, and improving safety features.
  • Enforcing our terms and conditions, including disciplinary actions, suspensions or deactivations where appropriate.
  • Cooperating with law enforcement and regulatory bodies where lawfully required.

Data involved: Identification and contact data, trip and location data, ratings and feedback, safety incident information, communications, internal notes and flags, background check results, financial and transaction data.

Legal bases:

  • Pepea’s legitimate interests in ensuring the safety and security of riders, Drivers, the public and the Pepea Platform.
  • Compliance with legal obligations including responding to lawful requests from authorities and fulfilling regulatory requirements.
  • Customer Support and Dispute Resolution

Purpose:

  • Responding to your queries, complaints, requests or feedback.
  • Resolving disputes between you and riders or third parties.
  • Providing technical support and troubleshooting app or account issues.
  • Recording and managing support interactions for accountability and quality assurance.

Data involved: Identification data, contact data, account and trip information, communications and support data, any evidence or documents shared, internal notes.

Legal bases:

  • Performance of a contract with you.
  • Pepea’s legitimate interests in providing effective customer support, resolving disputes and improving service quality.
  • Service Improvement, Analytics and Product Development

Purpose:

  • Analysing app usage, trips, performance metrics and user feedback to improve the Pepea Platform.
  • Developing new features, services and partnerships relevant to Drivers.
  • Conducting data analytics, statistics, reporting and business planning.
  • Testing and piloting new functionalities or offerings.

Data involved: Aggregated and pseudonymised trip and usage data, earnings and performance data, survey responses, feedback, app and device data, cookies and similar technologies.

Legal bases:

  • Pepea’s legitimate interests in improving and developing the Pepea Platform and its services.
  • Where required and appropriate, your consent for certain types of analytics and cookies.

Where possible, we use de-identified or aggregated data for analytics to minimise privacy risks.

  • Marketing and Communications

Purpose:

  • Sending information about Pepea services, offers, incentives, promotions, updates or events that may be relevant to you as a Driver.
  • Managing referral and loyalty programmes.
  • Collecting your feedback on marketing campaigns and service changes.

Data involved: Contact details, account status, city/region of operation, participation in promotions, marketing preferences, limited analytics on engagement with communications.

Legal bases:

  • Your consent where required by law (e.g., for certain electronic direct marketing).
  • Pepea’s legitimate interests in promoting its services and maintaining a relationship with Drivers, subject to your right to object or opt out at any time.

You may opt out of marketing communications at any time by following the unsubscribe instructions provided in the message or by adjusting your preferences in the app where available. Operational or service-related communications (e.g., policy updates, security notices) are not marketing and you cannot generally opt out of receiving them while you remain a Driver.

  • Legal and Regulatory Compliance

Purpose:

  • Complying with obligations under the DPA and other applicable laws.
  • Responding to lawful requests, court orders or legal processes.
  • Cooperating with investigations or proceedings by the Office of the Data Protection Commissioner (ODPC), NTSA, tax authorities, or law enforcement.
  • Exercising or defending legal claims.

Data involved: Any data reasonably necessary for the purpose, which may include identification data, trip and location data, financial records, communications, safety and incident records and internal notes.

Legal bases:

  • Compliance with legal obligations.
  • Pepea’s legitimate interests in protecting its rights, interests, reputation and assets.

 

  • How We Share Your Personal Data

Pepea does not sell your personal data. We share your personal data only as described in this Privacy Policy, in accordance with the DPA, and subject to appropriate safeguards and contractual protections.

  • Information Shared with Riders

To enable safe and efficient trips, certain information about you as a Driver is shared with riders:

  • Your first name (and, where relevant, last initial).
  • Profile photo (if provided).
  • Vehicle make, model, colour and licence plate number.
  • Your driver rating (e.g., average star rating).
  • Approximate or real-time location when you are on the way to pick up the rider and during the trip.
  • Contact options via the Pepea Platform (e.g., in-app call or messaging), which generally do not expose your personal phone number directly to the rider.

Riders may also see a basic trip history (limited to rides they have taken with you) within their app.

  • Service Providers and Business Partners

We engage third-party service providers to support the operation of the Pepea Platform and our business. These may include:

  • Cloud hosting and data storage providers.
  • Payment processors, mobile money providers and banks.
  • Identity verification and background check providers.
  • Customer support and communication tools providers.
  • Analytics, security and fraud prevention partners.
  • Professional advisers (e.g., auditors, lawyers, tax consultants) subject to confidentiality duties.
  • Fleet management, vehicle maintenance or insurance partners, where relevant.

These service providers are only permitted to process your personal data on our behalf and under our instructions, for the purposes specified in a written data processing agreement, and must implement appropriate technical and organisational measures to protect your personal data.

  • Fleet Owners and Business Account Administrators

Where you operate under a fleet owner, company, or other business partner that manages Drivers on the Pepea Platform, we may share relevant data with that entity to enable the management of the Services and your earnings, including:

  • Identification and contact information.
  • Vehicle and trip performance data.
  • Earnings, commission and settlement information.
  • Account status (e.g., active, suspended).

The extent of such sharing will depend on the nature of the relationship and any applicable agreements, and will be limited to what is necessary for the relevant purpose.

  • Law Enforcement, Regulators and Legal Proceedings

We may disclose your personal data to third parties where we reasonably believe such disclosure is necessary to:

  • Comply with a legal or regulatory obligation, including lawful requests or orders from courts, regulators, tax authorities, NTSA, the Kenya Police Service, or the ODPC.
  • Respond to or cooperate with investigations involving alleged criminal activity, fraud, safety incidents or regulatory enforcement.
  • Protect the rights, property or safety of Pepea, our riders, Drivers, employees or the public.
  • Establish, exercise or defend legal claims.

Where permitted and appropriate, we will carefully review each request and may notify you before disclosing your data, unless we are legally prohibited from doing so.

  • Corporate Transactions

In the event of a merger, acquisition, reorganisation, sale of assets, joint venture or similar corporate transaction involving Pepea, your personal data may be transferred to the relevant third parties as part of the transaction. We will require any such parties to protect your personal data in a manner consistent with this Privacy Policy and applicable law.

  • Aggregated and De-Identified Data

We may use and share aggregated or de-identified information that does not identify you personally (for example, statistics about trip volumes or average earnings in a city) with business partners, researchers, advertisers, or the public. This information will not be used to identify any individual Driver.

 

  • International Transfers of Personal Data

Pepea’s systems and service providers may be located in or may process your personal data from countries outside Kenya.

Where we transfer your personal data outside Kenya, we will do so in compliance with the DPA and applicable regulations, which may include:

  • Ensuring that the recipient is located in a country with data protection laws offering an adequate level of protection as determined under Kenyan law; and/or
  • Putting in place appropriate safeguards such as binding contracts, data protection clauses or other instruments that provide an adequate level of data protection; and/or
  • Relying on specific exceptions or your explicit, informed consent, where permitted and appropriate.

We will take reasonable steps to ensure that any overseas recipient handles your personal data securely and in accordance with this Privacy Policy and applicable data protection requirements.

 

  • Data Security

We implement and maintain appropriate technical and organisational measures designed to protect your personal data against unauthorised or unlawful processing, and against accidental loss, destruction or damage. These measures include, as appropriate:

  • Use of encryption, access controls and authentication mechanisms.
  • Segregation of duties and role-based access to systems containing personal data.
  • Secure data storage solutions and backups.
  • Monitoring for suspicious or malicious activity.
  • Internal policies and staff training on data protection and information security.

Despite our efforts, no method of transmission over the internet or method of electronic storage is entirely secure. We cannot guarantee absolute security, but we are committed to continuously improving our safeguards in line with industry standards and legal requirements.

You also play an important role in keeping your data secure. You should:

  • Keep your account credentials (username and password) confidential.
  • Use strong, unique passwords and enable additional security features where available.
  • Immediately notify Pepea if you suspect any unauthorized access to your account or device.

 

  • Data Retention

Pepea will retain your personal data only for as long as reasonably necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, reporting or legitimate business requirements.

When deciding how long to retain personal data, we consider:

  • The amount, nature and sensitivity of the data.
  • The potential risk of harm from unauthorised use or disclosure.
  • The purposes for which we process the data and whether we can achieve those purposes through other means.
  • Applicable legal or regulatory requirements (for example, record-keeping obligations under tax or transport laws, or limitation periods for legal claims).

We seek to avoid overpromising specific periods that may later prove inconsistent with legal developments. However, as a guide, we generally apply the following retention approach:



Category of Data

Typical Retention Period*

Driver account and profile data

For the duration of your Driver account and up to 7 years after account closure or deactivation.

Onboarding and verification documents (e.g. licence, NTSA details, logbook, Good Conduct, KRA PIN)

For the duration of your Driver relationship and generally up to 7 years after you cease driving with Pepea, subject to legal requirements.

Trip, journey and location records

Typically up to 7 years from the date of the trip, to support safety, dispute resolution, and legal obligations.

Earnings, payment and financial records

Typically up to 7 years from the end of the relevant financial year, or longer if required by tax or accounting laws.

Safety, security and fraud-related records

For as long as necessary for investigation, enforcement, legal or regulatory purposes, and generally not longer than 10 years for serious incidents, unless a longer period is legally required.

Customer support communications and dispute files

Typically up to 5 years after resolution of the issue, or longer where necessary in relation to legal claims.

Marketing preferences and consent records

For as long as you remain a Driver and for a limited period thereafter (typically up to 2 years) to evidence your preferences and consents, unless a longer period is required by law.

* These periods are indicative and may be adjusted where a longer or shorter retention period is justified or required under applicable law, internal policies or ongoing proceedings.

When personal data is no longer necessary for the purposes for which it was collected, we will either delete it or anonymise it so that it can no longer be associated with you.

 

  • Your Rights as a Data Subject

Under the Data Protection Act, 2019, and subject to certain conditions and exemptions, you have the following rights in relation to your personal data:

  • Right to be Informed   You have the right to be informed about the collection and use of your personal data, including the purposes, retention periods and who it is shared with. This Privacy Policy is part of our efforts to fulfil this right.
  • Right of Access   You may request confirmation as to whether we hold personal data about you and, if so, request access to that data and information on how it is processed.
  • Right to Rectification   You may request correction or updating of personal data that you believe is inaccurate, misleading or incomplete. Certain information can be updated directly in your Pepea Driver app.
  • Right to Erasure (Right to be Forgotten)   You may request deletion of personal data that is false, misleading, or where it is no longer necessary for the purposes for which it was collected, or where you have successfully objected to the processing, subject to our need to retain certain data for legal or legitimate business reasons.
  • Right to Object to Processing   You may object to the processing of all or part of your personal data where we rely on legitimate interests as our legal basis. We will consider your objection and, where required, stop processing unless we can demonstrate compelling legitimate grounds to continue. You may also object at any time to the use of your personal data for direct marketing.
  • Right to Restrict Processing   You may request that we restrict the processing of your personal data in certain circumstances (for example, if you contest the accuracy of the data or object to our use of it), while we consider your request.
  • Right to Data Portability   Subject to legal requirements, you may request to receive certain personal data that you have provided to us in a structured, commonly used and machine-readable format and to have that data transmitted to another controller where technically feasible.
  • Right to Withdraw Consent   Where our processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before the withdrawal.
  • Right to Lodge a Complaint   You have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) if you believe that your data protection rights have been infringed.

 

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has