Privacy Policy — CarpoolMU
Version: DRAFT 0.1 · Last updated: [date] Data controller: [Operator Ltd], [address], Mauritius · [privacy email] Registered as a data controller with the Data Protection Office of Mauritius under registration no. [number].
DRAFT — for review by a Mauritian attorney before publication. Not legal advice.
This policy explains how we process personal data under the Data Protection Act 2017 ("DPA").
1. What we collect
| Category | Data | When |
|---|---|---|
| Account | Name, mobile number (verified by OTP), email, photo (optional), gender (optional — used only for the women-only rides filter) | Sign-up |
| Verification | NIC document, selfie, driving licence, vehicle registration/insurance documents | Only if you request a verification badge / offer rides |
| Rides | From/to areas, dates, times, seats, recurring commute pattern | When you post or search |
| Location | Approximate area for matching; precise live location only during a trip where sharing is switched on | During use |
| Chat | Messages between matched users | When you chat |
| Safety | Reports, blocks, ratings, incident records | When submitted |
| Technical | Device/browser info, IP address, usage logs | Automatically |
| Advertising | Cookie/ad identifiers (see Section 7) | With your consent choices |
We deliberately do not collect: payment details (the app has no payment feature), exact home addresses (pickup points snap to public landmarks), or background location (location is used only while the app is in use).
2. Why we process it (purposes and lawful bases)
- Provide the matching service (accounts, ride listings, matching, chat) — performance of a contract with you.
- Trust and safety (verification badges, ratings, reports, fraud prevention, enforcing our Terms) — legitimate interests / legal obligation.
- Live location sharing — your consent, given per trip, withdrawable at any time by stopping sharing.
- Communications (ride notifications, service emails) — performance of a contract; marketing only with consent.
- Advertising (free service funded by ads) — consent for personalized ads; legitimate interests for non-personalized ads.
- Legal compliance (responding to lawful requests from Mauritian authorities) — legal obligation.
3. Verification documents (NIC, licence)
- Documents are used solely to verify your identity/driver status and are stored encrypted in private storage, accessible only to authorized verification staff.
- After a verification decision, we keep the outcome (badge, document type, verification date) and delete the document images within 30 days.
- We never display your NIC number, licence number, or documents to other users.
4. Location and live sharing
- Ride matching uses approximate areas, not precise coordinates.
- If a driver turns on live location for a trip, the stream is visible only to that trip's confirmed passengers, and to any trusted contact a passenger has shared their trip link with. It starts when the driver starts it and ends automatically when the trip ends.
- Live location traces are retained for [7] days (to allow incident reports to be investigated), then deleted.
5. What other users see
- Before matching: your first name, photo, badges, rating, and the approximate from/to areas and times of your ride.
- After matching: agreed pickup point and, for passengers, the driver's vehicle make, colour, and plate number.
- Never: your phone number (chat is in-app), NIC, documents, or exact home address. You may choose to exchange phone numbers privately in chat — that is your decision.
6. Sharing with third parties
We share personal data only with:
- Service providers (hosting, database, email/SMS delivery) acting on our instructions under contract. Some are located outside Mauritius [e.g. EU/US cloud hosting]; where data leaves Mauritius we rely on the DPA's transfer provisions (appropriate safeguards / your consent where required) [attorney to confirm mechanism].
- Google (advertising) — see Section 7.
- Mauritian authorities — where required by law or a lawful request (e.g. police investigating an incident connected to a ride).
- No sale of personal data. Ever.
7. Cookies and advertising
- The service is funded by Google ads (AdSense/AdMob). Google may use cookies or device identifiers to serve ads.
- On first use you choose between personalized ads (consent) and non-personalized ads (default — these use no profiling cookies, only frequency capping/fraud prevention).
- You can change this any time in Settings → Privacy. Google's use of data is described at policies.google.com/technologies/partner-sites.
- We do not place ads on active-trip or emergency screens.
8. Retention
| Data | Kept |
|---|---|
| Account profile | Until account deletion |
| Verification document images | Deleted within 30 days of decision |
| Verification outcome/badges | Life of account |
| Ride history | [12] months, then anonymized for statistics |
| Chat messages | [6] months after last activity in the conversation |
| Live location traces | [7] days |
| Safety reports / incident records | [3] years (safety and legal defence) |
| Server logs | [90] days |
On account deletion we erase or anonymize your data within 30 days, except records we must keep (e.g. incident records, records needed for legal claims) — kept only as long as the law requires.
9. Your rights (DPA 2017)
You may: access your data; request rectification or erasure; object to processing; withdraw consent (e.g. stop live sharing, switch to non-personalized ads); and request a copy in portable form. Write to [privacy email]; we respond within one month.
If unsatisfied, you may complain to the Data Protection Commissioner, Data Protection Office, Port Louis — dataprotection.govmu.org.
10. Security
Data is encrypted in transit and at rest; verification documents live in separate private storage; staff access is role-based and logged (audit trail); we rate-limit and monitor for abuse. No system is perfectly secure — if a breach is likely to harm you, we will notify you and the Data Protection Office as the DPA requires.
11. Children
CarpoolMU is for users 18+. We do not knowingly process children's data; suspected under-age accounts are closed.
12. Changes
Material changes are notified in-app at least 14 days before they take effect.
Contact: [Operator Ltd] · [address] · [privacy email]