This policy explains what personal information Riley Courier Ltd ("Riley", "we", "us")
collects when you use our transport management system (TMS), driver mobile app,
partner portal and customer portal, how we use it, and the choices you have. We are
based in Nairobi, Kenya and process your data in accordance with the
Data Protection Act, 2019.
1. Who this policy applies to
This policy applies to everyone who uses our products, including:
Drivers using the Riley TMS Driver Android/iOS app to receive trip assignments and record deliveries.
Partner transporters using the Partner Portal at partner.rileycourier.com to manage their fleet and settlements.
Customers using the Customer Portal at new.rileycourier.com to place and track orders.
Role (driver, dispatcher, partner administrator, customer billing contact, etc.).
For partners and customers: business name, KRA PIN, billing contacts.
Hashed password (we never store passwords in plain text) and, for drivers, a numeric login PIN.
2.2 Location information (Riley TMS Driver app only)
The driver app collects precise and approximate location
data while the app is running, including while it is in the background, in order to:
Show dispatchers and customers where assigned vehicles are during active deliveries.
Record proof-of-delivery and route history for completed trips.
Improve trip routing and ETAs.
The app shows a persistent foreground notification ("Tracking location") whenever
location tracking is active, so it is always clear when the service is running. You can
revoke the location permission at any time in your device's Settings → Apps → Riley TMS
Driver → Permissions; the app will stop sending location updates immediately, although
some app features will no longer work.
2.3 Operational data
Orders, trips, stops, photos of delivery documents, signatures and notes captured during deliveries.
Firebase Cloud Messaging (FCM) push-notification token, used solely to deliver trip and status notifications to your device.
App version, operating-system version, device model and language settings.
IP address and basic request metadata captured in our server access logs.
Audit-log entries recording sign-ins, permission checks and significant actions inside the platform (created automatically for security and compliance).
2.5 Information we do not collect
We do not knowingly collect data from children under 18. We do not access your contacts,
SMS, microphone or accelerometer. We do not use advertising identifiers and we do not run
third-party advertising SDKs in any of our apps.
3. How we use your information
Purpose
Legal basis (Kenya DPA 2019)
Operate the dispatch, delivery, tracking and settlement workflow.
Performance of a contract.
Send transactional emails and push notifications about trips, payments and account actions.
Performance of a contract.
Authenticate you and protect your account (audit logs, login alerts, failed-login throttling).
Legitimate interest in security.
Comply with tax, accounting and customer-service obligations.
Legal obligation.
Diagnose and fix crashes and bugs via Sentry error reports.
Legitimate interest in product quality.
4. Who we share information with
We do not sell your personal information. We share data only with:
Riley staff with a role-based need to see the data (dispatchers, finance, support).
Customers whose goods are being moved — they see the assigned vehicle's live location and proof-of-delivery for their own orders only.
Partners whose vehicles/drivers are assigned — they see the orders, locations and settlements relevant to their own fleet.
Service providers who process data on our behalf, bound by contract:
DigitalOcean — application hosting, managed databases and file storage (Frankfurt, EU region).
Authorities when required by law (e.g. tax authorities, court orders).
5. Data retention
We keep operational records (orders, trips, settlements, invoices) for as long as the
business relationship is active, and afterwards for the period required by Kenyan tax and
commercial-records law (currently 7 years for accounting records). Location pings older
than the retention period are aggregated or deleted. Audit log entries are retained for
at least 12 months for security purposes.
6. Security
All traffic to our web apps and APIs is encrypted with HTTPS/TLS.
Passwords are stored hashed using bcrypt; we never log or display them.
Driver app credentials are stored in the device's secure storage and are revocable from the TMS at any time.
Role- and permission-based access controls limit which staff can see which data.
Every significant action is recorded in an immutable audit log.
7. Your rights
Under the Kenya Data Protection Act, 2019 you have the right to:
Be informed of how we use your data (this policy).
Access a copy of the personal data we hold about you.
Have inaccurate data corrected.
Have your data deleted, subject to legal retention obligations.
Object to processing or restrict it.
Withdraw consent at any time (e.g. by revoking the location permission, or by closing your account).
Lodge a complaint with the Office of the Data Protection Commissioner of Kenya (odpc.go.ke).
To exercise any of these rights, contact us using the details below. We aim to respond within 30 days.
8. International transfers
Our hosting is in the European Union (Frankfurt) and our service providers operate in
the European Union and the United States. Where data is transferred outside Kenya, those
providers are bound by the safeguards required by their respective data-protection
regimes (GDPR, etc.) and by data-processing agreements with us.
9. Children
Our services are not directed at children under 18 and we do not knowingly collect
data from them. If you believe a child has provided us with personal data, contact us
and we will delete it.
10. Changes to this policy
We may update this policy from time to time. Material changes will be announced inside
the apps and on this page. The "Last updated" date at the top reflects the most recent
revision.