About CuliCars
CuliCars Ltd ("CuliCars", "we", "our", or "us") operates the CuliCars platform at culicars.com and via our mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our Service.
This Policy is issued in accordance with the Kenya Data Protection Act, 2019 (the "KDPA") and gives effect to the rights of data subjects under that Act. By using the Service, you acknowledge that you have read and understood this Policy.
The core functions of the Service are:
- Vehicle history reports: aggregated, non-personal data records associated with a vehicle registration number or VIN, including import history, odometer readings, and publicly available transaction records.
- Stolen vehicle alerts: a registry of vehicles reported stolen, enabling buyers to conduct due diligence before purchase.
- Community Watch: a moderated feed of community-submitted alerts about vehicle-related safety incidents in specific geographic areas.
Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and a hashed password. If you authenticate via a third-party provider such as Google Sign-In, we receive your name and email address from that provider in accordance with their terms.
2.2 Vehicle Query Data
When you request a vehicle history report, we record the registration plate number or VIN you submit, the date and time of the query, and the credits consumed. This data is used to deliver the report, prevent fraud, and maintain audit logs.
2.3 Payment Information
Payments are processed through Apple In-App Purchase (iOS) or M-Pesa (direct). We do not store full card numbers, M-Pesa PINs, or Apple ID credentials. We retain transaction references, credit amounts, timestamps, and provider-issued transaction identifiers for accounting and dispute resolution.
2.4 Community Watch Contributions
If you submit a community watch alert, we collect the incident type, geographic location, description, and any supporting evidence you voluntarily provide. Approved alerts are visible to other registered users. Your account identifier is stored internally against your submission but is not displayed publicly.
2.5 Usage and Device Data
We automatically collect information about how you interact with the Service, including your IP address, device type, operating system version, app version, screens viewed, and request timestamps. This is used for security monitoring, debugging, and service improvement.
2.6 Location Data
With your permission, we collect your device location to provide proximity-based community watch alerts and to sort nearby incidents on the map. Location data is transmitted only while the app is in the foreground and with your explicit consent. You may revoke location permission at any time in your device settings.
How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, and maintain the Service, including generating vehicle history reports and displaying community watch alerts.
- To process transactions and manage your credit balance.
- To send transactional communications, including purchase confirmations, credit receipts, and service notices.
- To moderate community watch content and enforce our Terms of Service.
- To detect, investigate, and prevent fraudulent activity, abuse, and security incidents.
- To comply with applicable law, including the KDPA, and to respond to lawful requests from competent authorities.
- To improve the accuracy and completeness of our vehicle data.
We do not use your personal data for advertising profiling, sell it to third parties, or share it with data brokers.
Vehicle Data & Individual Privacy
CuliCars is a vehicle intelligence platform. Our reports compile data about vehicles, not about people. Specifically:
- We do not display the personal details — name, address, national ID, or phone number — of any current or previous registered vehicle owner.
- Vehicle registration numbers are government-issued public identifiers assigned to vehicles under the Traffic Act (Cap. 403, Laws of Kenya). Referencing a registration number in connection with a vehicle incident report is legally equivalent to referencing the vehicle itself.
- Community watch alerts describe observed incidents involving identified vehicles in specific locations. They are moderated before publication and are required to be factual, non-defamatory, and free of personal identifying information about individuals.
- We do not aggregate vehicle records to construct profiles of individual persons.
Information Sharing and Disclosure
5.1 Service Providers
We share data with third-party service providers who assist in operating the Service, including cloud hosting (DigitalOcean), database services (Supabase), push notification infrastructure (Firebase), and payment processors. Each provider is bound by data processing agreements and is prohibited from using your data for any purpose other than providing services to CuliCars.
5.2 Regulatory and Law Enforcement Disclosure
We may disclose personal data to regulatory bodies, law enforcement agencies, or courts where required by applicable Kenyan law or pursuant to a lawful court order or statutory demand. Where legally permitted, we will notify you of such disclosure.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred as part of the transaction. We will notify users via email or in-app notice before their data is transferred and becomes subject to a different privacy policy.
5.4 Aggregated and Anonymised Data
We may share aggregated, anonymised statistics about vehicle theft patterns, incident frequencies, and recovery rates with research institutions, government agencies, or the public. Such data does not identify any individual.
Data Retention
We retain personal data for as long as necessary to provide the Service and as required by applicable law:
- Account information: retained for the duration of your account and deleted within 30 days of an account deletion request.
- Vehicle query logs: retained for 12 months for fraud prevention and audit purposes, then anonymised or deleted.
- Payment records: retained for 7 years in compliance with the Kenya Income Tax Act and applicable financial regulations.
- Community watch alerts: approved alerts are retained as part of the platform dataset. Your personally identifiable contribution data is retained for the duration of your account.
- Usage and device logs: retained for 90 days.
Data Security
We implement industry-standard technical and organisational security measures, including:
- Encrypted data transmission using TLS 1.2 or higher on all connections.
- Passwords stored in hashed form using industry-standard hashing algorithms.
- Role-based access controls limiting internal access to personal data.
- Regular security reviews and dependency updates.
No method of electronic transmission or storage is completely secure. While we take all reasonable precautions, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
Your Rights Under the KDPA
As a data subject under the Kenya Data Protection Act, 2019, you have the following rights, exercisable by contacting us at support@culicars.com:
- Right of access: obtain confirmation of whether we hold personal data about you and receive a copy.
- Right to rectification: request correction of inaccurate or incomplete personal data.
- Right to erasure: request deletion of your personal data, subject to our legal retention obligations.
- Right to restriction: request that we limit the processing of your personal data in certain circumstances.
- Right to object: object to processing where we rely on legitimate interests as our legal basis.
- Right to data portability: receive your personal data in a structured, machine-readable format.
- Right to lodge a complaint: with the Office of the Data Protection Commissioner of Kenya at odpc.go.ke.
We will respond to all verifiable requests within 21 days as required by the KDPA. Where a request is complex, we may extend this period by a further 21 days and will notify you accordingly.
Children's Privacy
The Service is not directed to persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal information without parental consent, please contact us immediately at support@culicars.com and we will take steps to delete the information promptly.
Third-Party Services
The Service integrates with third-party services including Google Maps (for location display and geocoding), Firebase (for push notifications), and Apple In-App Purchase. Your use of these services is governed by their respective privacy policies. We are not responsible for the data practices of third-party services.
International Data Transfers
Our primary infrastructure is hosted within data centres that may process data outside Kenya. Where we transfer personal data internationally, we ensure appropriate safeguards are in place in accordance with the KDPA and applicable data transfer regulations.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify registered users of material changes by email or in-app notice at least 14 days before the changes take effect. The effective date at the top of this Policy will be updated accordingly. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
Contact Us
For privacy-related enquiries, to exercise your data subject rights, or to report a potential privacy concern:
CuliCars Ltd
Nairobi, Kenya
Email: support@culicars.com
Website: culicars.com/privacy
Office of the Data Protection Commissioner of Kenya
Website: odpc.go.ke
Telephone: +254 20 2628 000