Privacy Policy

Effective: Last updated:

Data Controller: MiRide Technology (Private) Limited · 7 Tweed Road, Eastlea, Harare, Zimbabwe

MiRide is a ride hailing and package delivery platform operated by MiRide Technology (Private) Limited (“MiRide”, “we”, “us”, or “our”). This Privacy Policy explains what personal data we collect when you use our mobile application and website, why we collect it, how long we keep it, who we share it with, and the rights you have over it under the Zimbabwe Data Protection Act, 2021 (Chapter 11:22) (“ZDPA”).

By creating a MiRide account or using our services you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the platform.

1. Who We Are

MiRide Technology (Private) Limited is the data controller responsible for the personal data processed through the MiRide platform. Our registered office is located at:

MiRide Technology (Private) Limited
7 Tweed Road, Eastlea
Harare, Zimbabwe
Email: [email protected]

2. Data We Collect

We only collect data that is necessary to operate, secure, and improve our services. Below is a full description of every category of personal data we hold.

2.1 Identity & Account Data

Collected when you register and complete your profile:

  • Phone number — required; serves as your primary account identifier and is used for OTP authentication.
  • Full name — optional at registration; required before your first trip or delivery.
  • Email address — optional; used for receipts and account notifications if provided.
  • Profile photo — optional; stored securely on DigitalOcean Spaces.
  • Password hash — stored as a bcrypt hash; we never store your raw password.
  • Gender — optional (male / female / prefer not to say); used to match female driver only preferences.
  • Street address, city, and district — optional; collected for profile completion.
  • Google account ID — collected only if you choose Sign in with Google.
  • Firebase Cloud Messaging (FCM) token — device push notification identifier.
  • Referral code and referrer identity — recorded when you join via a referral link.
  • Preferred language — used to send communications in your language of choice.
  • Account statistics — total trips completed, average rating, loyalty (promo) points balance.

2.2 Driver KYC Documents (drivers only)

Drivers must submit identity and compliance documents before being approved to operate on the platform. These files are stored with private-only access on DigitalOcean Spaces and are accessible only via time-limited presigned URLs:

  • National ID document (image/scan)
  • Driver licence document (image/scan); driver licence number also stored as text
  • Vehicle registration document (image/scan)
  • Insurance certificate (image/scan)
  • Driver profile photo (image)

2.3 Vehicle Information (drivers only)

  • Make, model, year, colour, and licence plate number
  • Vehicle photos
  • Vehicle type (economy / comfort / premium)

2.4 Saved Payment Methods (for Wallet Top-Ups)

Rides and deliveries are paid for using only your MiRide Wallet or cash. Electronic payment methods are used exclusively to top up your Wallet. When you save a payment method for top-ups, we store only the minimum data needed to display and re-use it. Full card numbers are never stored on our servers:

  • Mobile money (EcoCash / InnBucks) — the mobile money phone number and payment type.
  • Visa / Mastercard / ZimSwitch — card last 4 digits, expiry month/year, card brand, and a tokenised reference issued by Paynow. The full card number is handled solely by Paynow.

2.5 Ride Data

  • Pickup and dropoff coordinates (latitude/longitude to 7 decimal places) and text addresses
  • Vehicle type and payment method selected
  • Estimated fare, agreed fare, final fare; actual distance and duration; surge multiplier applied
  • All state transition timestamps: matched, accepted, started, completed, or cancelled
  • Cancellation reason and any comments you provide
  • Ratings (1–5 stars), cleanliness rating, written review, tags, and tip amount exchanged between rider and driver
  • Safety feature selections: night safety PIN, female driver only preference, passenger count, baggage flag, and rider notes
  • Route deviation flag (system generated)
  • GPS coordinates at each state transition, recorded as ride events alongside the actor type (rider / driver / system)

2.6 Delivery Data

  • Package description, size, and special handling instructions
  • Package photo (uploaded by sender)
  • Pickup and dropoff coordinates and addresses
  • Recipient name and phone number
  • 4-digit pickup code (stored as a bcrypt hash; never in plain text)
  • Estimated and actual fare, distance, and duration
  • Cancellation reason; sender and courier ratings and comments
  • Delivery proof: pickup photo, delivery photo, and recipient signature — stored on DigitalOcean Spaces

2.7 Live Location & GPS Data

While a driver or courier has an active trip or is online:

  • GPS coordinates, heading, speed, and accuracy — recorded continuously
  • Session start/end times and last known online location

Rider location data is collected only for the duration of trip matching and an active trip. We do not continuously track rider location in the background.

2.8 Payment Transaction & Wallet Data

  • Amount, commission rate, driver payout, and currency for each transaction
  • Payment method used; Paynow transaction reference; failure reason if payment fails; receipt number
  • Wallet balances: cash balance, points balance, pending payout, total earned, total paid out
  • Full append-only transaction ledger with type (e.g. signup bonus, ride earnings, tip, payout, referral bonus, top-up, redemption, manual adjustment), amount, balance snapshot, description, and reference
  • Driver earnings per trip: fare amount, commission rate, commission amount, net driver payout, and tip

2.9 Safety Data

  • SOS incidents — trigger GPS coordinates, audio recording (only when you have expressly enabled audio recording in Safety Preferences; see Section 4), audio duration, and resolution notes
  • Emergency contacts — name, phone number, and relationship (provided by you)
  • Trip sharing — driver name, vehicle details, and trip pickup/dropoff information shared via a link token when you use the Share Trip feature
  • Blocked users — the identity of users you have blocked, the reason given, and the associated ride
  • Disputes — type (fare / driver / safety / other), your description, resolution outcome, and any admin notes
  • Safety preferences — auto share ride, night mode hours, PIN verification, audio recording consent, route monitoring, and female driver only preference
  • Safety event log — system generated log of safety events: SOS triggered/resolved, emergency contact notified, ride shared, route deviation detected, GPS spoofing detected, block added, night mode disabled

2.10 In-App Communications & Notifications

  • Trip chat messages — text messages exchanged between rider and driver during an active trip or delivery, including delivery and read timestamps
  • Support chat — messages between you and our support agents, including subject, category, content, and satisfaction rating
  • Push notifications — notification title and body text sent to your device; delivery and read status; channel (push / SMS / email)
  • SMS OTPs — your phone number and a one-time code are sent to our SMS providers for authentication. OTP codes are stored only in Redis and are deleted immediately after successful verification; they are never persisted to our database

2.11 Device Data

  • Firebase Cloud Messaging (FCM) device token
  • Hardware device identifier
  • Platform: Android, iOS, or web

2.12 Analytics Data

Our analytics tables contain only aggregated, anonymised metrics (trip counts, revenue totals, distance, duration, city, vehicle type, payment method, and status). These records are keyed by an opaque UUID; no name, phone number, or other directly identifying information appears in any analytics table.

3. How We Use Your Data

Service Delivery

To match riders with available drivers, process deliveries, calculate and collect fares, route drivers and couriers, display estimated arrival times, and provide all other core platform features.

Identity Verification & Driver Onboarding

To verify that drivers hold a valid licence and are insured, to complete KYC checks required by law or for platform safety, and to prevent fraud or impersonation.

Payments & Earnings

To collect payments from riders, calculate platform commission, disburse driver and courier earnings, manage wallet balances, process refunds, and generate receipts.

Safety & Security

To monitor for route deviations, respond to SOS incidents, share trip information with your nominated emergency contacts, detect GPS spoofing, enable female driver matching, enforce the night safety PIN, and maintain the platform’s block and dispute systems.

Customer Support

To investigate complaints and disputes, review ride history to resolve fare queries, and communicate with you through our support chat in the app.

Communications

To send you OTPs for authentication, push notifications about your trips and deliveries, account alerts, and service announcements. We do not send marketing messages without your consent.

Platform Improvement & Analytics

To analyse aggregated, anonymised usage patterns, identify service gaps, improve matching algorithms, and plan capacity. This analysis uses anonymised data only; no PII is held in our analytics tables.

Referral & Loyalty Programmes

To track referrals, credit referral bonuses, and manage your promo points balance.

Legal Compliance

To comply with applicable Zimbabwean law, respond to lawful requests from law enforcement or regulatory authorities, and enforce our Terms of Service.

5. Third Party Data Processors

We share personal data with the following third party processors, each engaged under a data processing agreement or equivalent contractual safeguard. We do not sell your personal data to any third party.

Processor Purpose Data Shared Privacy Policy
Paynow Payment processing (EcoCash, InnBucks, Visa, Mastercard) Transaction amount, mobile money phone number, card details at point of transaction, Paynow reference paynow.co.zw
Africa’s Talking Primary SMS OTP delivery (Sender ID: “MIRIDE”) Your phone number and OTP message text africastalking.com
eSMS Africa Fallback SMS delivery when Africa’s Talking is unavailable Your phone number and message text esmsafrica.io
Google Firebase / FCM Push notification delivery to Android and iOS devices FCM device token, notification title, body, and data payload firebase.google.com
Google OAuth Optional “Sign in with Google” authentication Standard Google profile: name, email address, and Google account ID (only if you choose this option) policies.google.com
DigitalOcean Spaces Private file storage for KYC documents, photos, and SOS audio recordings KYC documents, profile photos, vehicle photos, package photos, delivery proof photos, SOS audio recordings. All files stored with private ACL; accessed only via time-limited presigned URLs digitalocean.com
Upstash QStash Internal async message queue for service to service events Internal event payloads containing entity UUIDs only; no name, phone number, or other PII in transit upstash.com

We may also disclose personal data to law enforcement or regulatory authorities where we are legally required to do so.

6. Data Retention

We retain personal data for as long as is necessary for the purposes described in this Policy, or as required by applicable law. The following principles and specific rules apply:

Active account data

Personal data associated with an active account is retained for the lifetime of that account plus a reasonable period after closure to allow for dispute resolution, outstanding payments, or regulatory obligations (typically 5 years, in line with Zimbabwean financial record-keeping requirements).

SOS audio recordings

Audio recordings captured during an SOS incident are automatically deleted after 90 days unless an active dispute or law-enforcement request requires them to be held longer. You will be notified if a recording is held beyond the standard 90-day period.

OTP codes

One-time password codes are stored only in Redis with a short TTL (typically 5–10 minutes) and are permanently deleted upon successful verification. They are never written to our primary database.

Analytics data

Aggregated, anonymised analytics records contain no PII and are retained indefinitely for operational and planning purposes.

Deleted accounts

When you request account deletion we will erase or anonymise your personal data within 30 days, except where we are required to retain specific records (for example, completed payment transactions) to comply with financial regulations.

Trip chat messages

In-trip chat messages are retained for 90 days after the trip or delivery is completed, after which they are permanently deleted unless they are referenced in an open dispute.

7. Your Rights Under the Zimbabwe Data Protection Act

The ZDPA grants you the following rights in relation to your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days of receiving a verifiable request.

1

Right of access

You have the right to request a copy of the personal data we hold about you and information about how we process it.

2

Right to rectification

You have the right to have inaccurate personal data corrected. You can update most profile information directly in the app; for other corrections, contact us.

3

Right to erasure

You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent, or where processing is unlawful. This right is subject to our legal obligations to retain certain records.

4

Right to object

You have the right to object to processing carried out on the basis of legitimate interests, including profiling. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests.

5

Right to data portability

Where processing is based on your consent or a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.

6

Right to withdraw consent

Where processing is based on your consent (for example, SOS audio recording), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

7

Right to lodge a complaint

If you believe we have not handled your data in accordance with the ZDPA, you have the right to lodge a complaint with the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as the designated data protection authority, or to seek relief through the Zimbabwean courts.

Note: a dedicated [email protected] mailbox will be provisioned before our public launch. Until then, all data subject requests are handled via [email protected].

8. Children

The MiRide platform is intended solely for users who are 18 years of age or older. We do not knowingly collect personal data from anyone under 18. Our registration process requires users to confirm they meet this age requirement. If we become aware that we have inadvertently collected data from a person under 18, we will delete that data promptly. If you believe a minor has created an account, please contact us at [email protected].

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These measures include:

  • Password storage — all passwords are hashed using bcrypt with a suitable work factor; we never store or transmit plain-text passwords.
  • KYC document storage — all KYC files, profile photos, vehicle photos, delivery proof photos, and SOS audio recordings are stored on DigitalOcean Spaces with a private ACL. Files are accessible only via time-limited presigned URLs generated at the point of need; there are no public links.
  • Transport security — all data in transit between the app, our services, and third party processors is encrypted using HTTPS (TLS 1.2 or higher).
  • Authentication — all API endpoints require JSON Web Token (JWT) authentication. Tokens are short-lived and must be refreshed regularly.
  • Live location data — GPS data is accessed only by parties with a legitimate need during an active trip (the matched driver and rider); it is not made accessible to other users or the public.
  • OTP ephemeral storage — one-time passwords are stored only in Redis with a short TTL and are never persisted to our database.
  • Pickup code hashing — delivery pickup codes are stored as bcrypt hashes; the plain-text code is known only to the sender and is never logged.
  • Access controls — our internal systems apply role-based access controls so that staff can access only the data necessary for their job function.

No method of transmission over the internet or electronic storage is 100% secure. While we take commercially reasonable steps to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authorities as required by the ZDPA.

10. International Data Transfers

Some of the third party processors we use are based outside Zimbabwe. The following international transfers occur in the ordinary course of providing our services:

  • DigitalOcean Spaces (nyc3 region — New York, USA): KYC documents, photos, and SOS audio recordings are stored on servers located in the United States. DigitalOcean is certified under applicable data protection frameworks and implements contractual data protection safeguards.
  • Google Firebase / FCM (USA): Push notification device tokens and notification payloads are processed by Google’s Firebase infrastructure, which operates globally including in the United States.
  • Africa’s Talking (Kenya): SMS OTP messages are routed through Africa’s Talking’s platform. Your phone number and OTP text transit their infrastructure.
  • Upstash (USA): Internal event messages (containing only UUIDs, no PII) are queued through Upstash’s infrastructure.

Where personal data is transferred outside Zimbabwe, we take steps to ensure that the recipient provides an adequate level of protection through contractual safeguards, privacy framework certifications, or other appropriate mechanisms. By using the MiRide platform you acknowledge these transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes we will:

  • Update the “Last updated” date at the top of this page
  • Notify you via a push notification or banner in the app where the change is significant
  • Where required by law, obtain your consent before implementing the change

We encourage you to review this Policy periodically. Your continued use of the MiRide platform after we post an updated Policy constitutes your acceptance of the changes, to the extent permitted by applicable law.

12. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to report a data protection concern, please contact us:

MiRide Technology (Private) Limited

7 Tweed Road, Eastlea

Harare, Zimbabwe

General enquiries: [email protected]

Support: [email protected]

We aim to respond to all data subject requests within 30 days. If your request is complex or you have submitted multiple requests, we may extend this period by up to a further 30 days, in which case we will inform you.

© 2026 MiRide Technology (Private) Limited. All rights reserved. · Terms of Service · Cookie Policy · Refund Policy