Last Updated: March 1, 2026 Version: 2.0
Welcome to Nobo. We are committed to being the most transparent food delivery platform in Kenya. This Privacy Policy describes how Nobo Limited (a company registered in Kenya, hereafter "Nobo", "we", "us") collects, uses, and shares your personal data.
As a registered entity with the Office of the Data Protection Commissioner (ODPC), we act as the Data Controller for users, riders, and partners.
We categorize the data we collect based on your relationship with the Nobo platform:
Registration Data: Name, email, phone number, and password.
Location Data: Precise real-time GPS coordinates to ensure delivery accuracy (even when the app is in the background, if permitted).
Transaction Data: Order history, items purchased, and preferred restaurants.
Payment Information: We use M-Pesa transaction IDs and tokenized card data. We do not store raw CVV or full card numbers.
Communication Data: Transcripts of chats with riders or Nobo support.
Identity & Legal Data: National ID/Passport, KRA Pin, and Police Clearance Certificate (Good Conduct).
Vehicle Data: Logbook details, motorbike insurance, and driving license.
Operational Data: Real-time GPS tracking (mandatory for order assignment), "on-duty" logs, and delivery performance metrics.
Business Data: Business permit, health certificates, and KRA ETR details.
Contact Data: Personal details of the business owner or manager.
Under Section 30 of the Kenya DPA, we only process data under these legal grounds:
Contractual Necessity: To process your order, pay the restaurant, and guide the rider to your door.
Legitimate Interest: To improve our App, detect "phantom" orders, and prevent fraud.
Legal Obligation: To comply with KRA tax requirements or court orders.
Consent: For marketing SMS/Emails or using your photo for your profile.
We share your data strictly on a "need-to-know" basis:
The Rider: Gets your name, phone number, and delivery location to fulfill the order.
The Restaurant: Gets your order details and first name.
Payment Providers: M-Pesa (Safaricom) or Banking partners to process payments.
Cloud Providers: We store data on secure servers (e.g., AWS or Google Cloud) which may be located outside Kenya, ensuring "Adequacy" standards under Section 48 of the Act.
Purpose: Nobo collects location data to calculate delivery fees, track the rider's progress, and notify you when the food is "around the corner."
Control: You can disable location services in your phone settings, but the app will not function for deliveries without it.
Active Accounts: We keep your data as long as your account is active.
Inactive Accounts: If you stop using Nobo, we retain data for 7 years to comply with Kenyan financial and tax laws (Limitation of Actions Act).
Safety Data: Rider background checks are kept for the duration of the partnership plus 3 years.
Under the Kenya Data Protection Act, you have the right to:
Access: Request a copy of all data Nobo holds about you.
Object: Stop us from sending you "Hungry?" marketing SMS at 8 PM.
Correction: Fix a wrong phone number or address.
Portability: Request your data in a format you can take to another service.
Erasure: "The Right to be Forgotten"—requesting we delete your account.
We use AES-256 encryption for data at rest and SSL/TLS for data in transit. We conduct regular "Data Protection Impact Assessments" (DPIA) for any new features that involve high-risk processing (like biometrics or automated profiling).
If you have a privacy concern or wish to exercise your rights, contact our Data Protection Officer:
Email: privacy@nobo.co.ke
Nairobi, Kenya.
