Template — review with qualified counsel before launch. Last updated 11 June 2026.
This page summarises how Karibu protects data and meets its regulatory obligations. It complements our Privacy Policy and Terms of Use.
Regulatory framework
- Kenya: Data Protection Act, 2019 and its regulations.
- EEA / UK: GDPR and UK GDPR for visitors located in those jurisdictions.
- We register with the Office of the Data Protection Commissioner (Kenya) where the Act requires it and cooperate with the Office on any inquiry.
Sub-processors
| Provider | Purpose | Data |
|---|---|---|
| Clerk | Authentication & identity | Name, email, auth identifiers |
| Neon | Application database | Account profile & trip data |
| Resend | Transactional email | Email address, delivery metadata |
| Sentry | Error monitoring | Technical diagnostics |
| Upstash | Rate limiting | Request counters |
| Vercel | Hosting | Request logs |
Security measures
- Encryption in transit (TLS) for all traffic.
- Per-user authorization enforced in the data-access layer — every owned-table query is scoped to the signed-in user.
- Server-only secrets are never exposed to the browser bundle; only environment variables prefixed NEXT_PUBLIC_ are inlined into client-side code.
- Open-redirect protection on post-authentication redirects: redirect targets are validated as same-origin paths, so a crafted sign-in link cannot send a user to an external site.
- Least-privilege access to production systems and routine dependency review.
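The open-redirect check listed above, shown as an added example written for this page (it is not Karibu's own implementation): the validator accepts only a same-origin relative path and falls back to a default page for anything else. The names `safeRedirect`, `tryParse`, `PARSE_ORIGIN` and the fallback path `/dashboard` are assumptions; the inputs at the bottom are constructed.

```typescript
// Added example (not Karibu's code): validate a post-authentication redirect target
// so it can only land on a same-origin path. Names and the fallback path are assumptions.

// Assumed default landing page after sign-in.
const DEFAULT_REDIRECT = "/dashboard";

// Any fixed origin works here; it only anchors relative-URL parsing and is never contacted.
const PARSE_ORIGIN = "https://app.invalid";

function tryParse(target: string): URL | null {
  try {
    return new URL(target, PARSE_ORIGIN);
  } catch {
    return null;
  }
}

// Returns `target` (normalised) if it is a safe same-origin path, otherwise `fallback`.
function safeRedirect(target: string | null | undefined, fallback: string = DEFAULT_REDIRECT): string {
  if (typeof target !== "string" || target.length === 0) return fallback;

  // Control characters and whitespace: browsers strip or reinterpret them, so reject outright.
  if (/[\u0000-\u001f\u007f\s]/.test(target)) return fallback;

  // Must start with exactly one "/": "//host" is protocol-relative, and browsers treat
  // "/\host" the same way because "\" is parsed as "/" in http(s) URLs.
  if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) return fallback;
  if (target.includes("\\")) return fallback;

  // Defence in depth: resolve against a fixed origin and require that the origin is unchanged.
  const parsed = tryParse(target);
  if (parsed === null || parsed.origin !== PARSE_ORIGIN) return fallback;

  // Hand back only the normalised path, query and fragment, never an origin.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed inputs standing in for an attacker-influenced ?redirect_url= parameter.
const attempts = [
  "/trips/42?tab=notes",
  "//evil.example/phish",
  "/\\evil.example",
  "https://evil.example/",
  "javascript:alert(1)",
];
for (const a of attempts) {
  console.log(JSON.stringify(a), "->", safeRedirect(a));
}
```

Apply the check to the redirect parameter before handing the value to whatever performs the redirect (in a Next.js app, `redirect()` from `next/navigation` or `NextResponse.redirect()` in middleware). Checking the prefix alone is not enough: the backslash and control-character cases exist because browser URL parsers normalise those forms into a different host.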
Data subject & deletion requests
To access, correct, export, or delete your data, email privacy@karibu.co.ke (placeholder). We respond within the timeframes set by the DPA/GDPR. Deleting your account removes your profile and associated trip data, subject to limited legal retention.
Breach notification
In the event of a personal-data breach likely to result in risk to your rights, we will notify the relevant supervisory authority and affected users without undue delay, as required by law.
Contact
Data protection point of contact: privacy@karibu.co.ke (placeholder).