Privacy Policy

1. Who We Are

This Privacy Policy describes how Munwan Car Rental Ltd ("Munwan Car Rental", "we", "us") collects, uses, and protects personal data of users ("you") of our website munwancarrental.com, our booking platform, and our customer support channels.

We are registered in Kenya and committed to protecting your privacy in accordance with the Kenya Data Protection Act, 2019 and, where applicable, the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act.

2. Information We Collect

We collect only the data we genuinely need to operate our service:

Information you give us directly:

• Booking details: full name, email, phone number, pickup and return location, dates, vehicle preferences
• Identification (collected at vehicle pickup, not online): driver's licence, passport, International Driving Permit
• Payment data: card details are never stored on our servers — they are processed directly by Paystack and PayPal under their own security standards. We retain only the last 4 digits of the card and the transaction reference.
• Account information: username (your email), encrypted password, communication preferences
• Support correspondence: messages sent via our contact form, WhatsApp, or email

Information collected automatically:

• Usage data: pages visited, vehicles viewed, time spent, referrer (anonymised)
• Device data: browser type, operating system, screen resolution, IP address (truncated for analytics)
• Cookies: session cookies (essential for login and bookings), preference cookies (remembering your currency and locale), and analytics cookies (aggregate site performance via Google Analytics 4)

3. How We Use Your Information

We use your data only for the following clearly defined purposes:

• To process your booking: confirming reservations, communicating pickup details, sending receipts, and providing rental documents
• To verify identity at pickup: matching the booking to the customer, confirming licence validity, fraud prevention
• To process payments: routing your payment through Paystack, PayPal, or M-Pesa (we never see your full card number)
• To provide customer support: responding to enquiries, handling disputes, processing refunds
• To send service messages: booking reminders, vehicle changes, urgent operational notices (these are essential, not marketing)
• To improve our service: anonymous analytics on which pages are most useful, which vehicles are most popular
• To comply with the law: tax records, accident reports, regulatory enquiries from KRA, NTSA, or police

We will never use your data to send unsolicited marketing without your explicit opt-in. We do not sell your data to advertisers, ever.

4. Who We Share Your Data With

Your data is only shared with the following parties, strictly for the purposes listed:

• Paystack & PayPal: to process card payments. They handle PCI-DSS compliant card data directly, bound by their own privacy policies and Kenyan/international data protection law.
• Safaricom (M-Pesa): when you pay via M-Pesa, your phone number and amount are transmitted to Safaricom's Daraja API for the STK push.
• Insurance providers: in the event of an accident or claim, your name, licence details, and incident report may be shared with our insurance partner.
• Authorities: if legally required (police investigation, court order, KRA tax audit), we will disclose data to the extent demanded by law.
• Service providers: hosting (Hetzner via Appliku), email delivery, analytics (Google Analytics 4), error monitoring. All are bound by data processing agreements.

We do not share your data with marketing companies, ad networks, or data brokers.

5. How Long We Keep Your Data

• Booking records: kept for 7 years as required by Kenya Revenue Authority for tax purposes
• Account data: kept until you delete your account; you can delete from your account dashboard at any time
• Payment records: kept for 7 years for accounting compliance
• Support correspondence: kept for 2 years after the last interaction
• Analytics data: retained for 14 months, anonymised after 90 days
• CCTV at our offices: footage is retained for 30 days then auto-deleted

If you delete your account, we anonymise your booking history (replace name and contact details with "Former Customer") rather than deleting the booking record entirely, so that our accounting and legal records remain intact. The booking can no longer be linked to you personally.

6. How We Protect Your Data

• All data transmitted between your device and our servers is encrypted with HTTPS / TLS 1.3
• Passwords are hashed using PBKDF2 with a salt — even Munwan Car Rental staff cannot read your password
• Access to customer data is limited to authorised staff on a need-to-know basis
• Our servers are hosted in secure EU-tier data centres (Hetzner, Germany) with 24/7 physical and network security
• Database backups are encrypted at rest
• We never transmit card numbers, CVVs, or full bank details — these are handled exclusively by our PCI-DSS compliant payment processors
• Our systems are regularly tested for security vulnerabilities

If we ever discover a data breach affecting your information, we will notify you and the Kenya Office of the Data Protection Commissioner within 72 hours as required by law.

7. Your Rights

Under the Kenya Data Protection Act 2019 (and GDPR if you are an EU/UK resident), you have the right to:

• Access the personal data we hold about you
• Correct any inaccurate or outdated information
• Delete your account and personal data (subject to legal retention requirements)
• Export your data in a portable, machine-readable format
• Object to processing for direct marketing (we don't do this anyway)
• Restrict processing while a complaint is being investigated
• Withdraw consent at any time for any optional processing
• Lodge a complaint with the Kenya Office of the Data Protection Commissioner (odpc.go.ke)

To exercise any of these rights, email us at info@munwancarrental.com or message us on WhatsApp. We respond within 5 working days.

8. Cookies

We use a minimum of cookies, all categorised as follows:

• Strictly necessary: session cookie (login state), CSRF token (security), language preference. These cannot be disabled — the site won't work without them.
• Functional: remembering your preferred currency, last viewed vehicle. You can clear these at any time via your browser.
• Analytics: Google Analytics 4 tracks anonymous, aggregated usage data. We've enabled IP anonymisation, and you can opt out via your browser's "Do Not Track" setting or by installing the Google Analytics opt-out extension.

We do not use third-party advertising cookies, retargeting pixels, or social media trackers.

9. Children's Privacy

Our service is intended for adults. The minimum age to rent a vehicle from Munwan Car Rental is 23 years. We do not knowingly collect data from anyone under 18. If you become aware that a minor has provided us with personal data, please contact us and we will delete it promptly.

10. International Data Transfers

Some of our service providers (Google Analytics, payment processors) may process your data outside Kenya. We only use providers that meet international data protection standards (GDPR adequacy or equivalent). Your data is never sold or transferred to jurisdictions with weaker data protection than Kenya's.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or the law. We will post the updated policy on this page with a new "Last updated" date. For material changes, we will notify registered users by email at least 14 days before they take effect.

12. Contact Us

For any questions, complaints, or to exercise your rights:

✉️ info@munwancarrental.com
📞 +254 727 745 907 (WhatsApp & phone)
📍 Munwan Car Rental Ltd, Nairobi

For complaints we cannot resolve, you may contact the Office of the Data Protection Commissioner, Britam Tower, 9th Floor, Hospital Road, Upper Hill, Nairobi — or visit odpc.go.ke.