Privacy Policy

1. Welcome

1.1. Our Commitment to Your Privacy

At Ridesly, we understand that your privacy is incredibly important. This policy explains exactly how we collect, use, process, store, and protect your personal information when you use our ride-sharing mobile app in Eswatini. Our top priority is to comply with the Eswatini Data Protection Act 5 of 2022 1 and to earn and keep your trust.

The Eswatini Data Protection Act, which became effective on March 4, 2022, is the law that guides how we handle your data.1 For a service like Ridesly, which collects important information like your location, building your trust is essential.4 We know you’re entrusting us with your movements and personal details. Concerns about how location data might be used, including for profiling or even physical risks, are real.4 This policy directly addresses those concerns by showing you how seriously we take our responsibility to protect your data. A clear, legally compliant privacy policy helps us stand out and encourages you to use Ridesly with confidence.

1.2. Who We Are (Ridesly as Your Data Controller)

Ridesly acts as the “Data Controller” under the Eswatini Data Protection Act 5 of 2022. This means we are the ones responsible for deciding why and how your personal information is processed.6 This gives us a clear framework for handling your data responsibly.

Being a Data Controller means Ridesly has direct legal obligations for protecting your data.6 The Eswatini Communications Commission (EDPA), our National Data Protection Authority, has the power to check our compliance, investigate any issues, and impose significant penalties if rules are broken, including fines or even imprisonment in serious cases.1 This means we have strong internal controls and resources dedicated to protecting your data. This privacy policy is our public promise to you, showing our commitment to managing legal risks and setting clear expectations for how we operate.

1.3. Your Consent to This Policy

By downloading, installing, accessing, or using the Ridesly mobile application and its services, you confirm that you have read, understood, and agree to the collection and processing of your data as described in detail within this policy. Your consent is one of the main legal reasons we can process your personal information under Eswatini law.2

While some privacy policies might suggest that simply continuing to use an app means you agree, the Eswatini Data Protection Act, like other strong privacy laws, emphasizes that your consent must be informed.2 This is especially important for ride-sharing apps that collect precise location information.4 Even if location data isn’t explicitly called “sensitive,” it can reveal a lot about you. For sensitive data, or for activities beyond the app’s core functions (like certain marketing), we will get your explicit and informed consent. So, while using the app generally means you agree to this policy, Ridesly also has ways within the app to get your specific consent when needed. This clear approach helps us comply with the law and builds your trust.

2. Important Terms from Eswatini Data Protection Act, 2022

This section provides clear and accurate explanations of key terms directly from the Eswatini Data Protection Act 5 of 2022. This helps both you and regulators understand the precise meaning of the words we use throughout this policy.

2.1. Personal Information (Personal Data)

Personal information, also called personal data, is any information about an identifiable individual that is recorded in any form. This can include things like your race, nationality, religion, age, or marital status.6 Examples of personal information that might not be considered sensitive include your email address, phone number, ZIP code, date of birth, and IP address.9

2.2. Sensitive Personal Information (Sensitive Personal Data)

Sensitive personal information is a special category of data that needs extra protection. This includes genetic data, information about children, data concerning offenses, criminal sentences or security measures, and biometric data. Also, any personal information that reveals your racial or ethnic origin, political opinions, or affiliations is considered sensitive if we process it to understand what it reveals about you.6 Other examples of sensitive personal information include financial details, biometric data, and medical records.9 The Eswatini Data Protection Act generally prohibits processing sensitive personal data unless very specific and strict conditions are met.1

The Eswatini Data Protection Act’s definition of sensitive personal data, especially the part about “if it is processed for what it reveals,” is very important for a ride-sharing app. While your location data isn’t explicitly listed as “sensitive,” Ridesly collects it 4, and this data can indirectly reveal sensitive information about you. For example, frequent trips to a clinic could suggest health status, regular visits to a place of worship could reveal religious beliefs, and travel to political events might indicate your political views.4 These inferences, drawn from your location data, fall under the “processed for what it reveals” clause. Therefore, Ridesly treats location data, and any other data that could reveal sensitive attributes, with the same high level of care and requires stricter legal reasons (like your explicit consent) as explicitly defined sensitive data. This is a crucial point for our compliance and how we handle your data.

2.3. Data Subject

A data subject is simply the person whose personal information is being processed and who can be identified.6 For Ridesly, all users of our mobile application, whether you are a driver or a rider, are considered data subjects.

2.4. Data Controller

A Data Controller is a public or private organization, like Ridesly, or any other person legally designated, who, alone or with others, decides the purpose and means of processing personal information.6 This means we decide the “how and why” of your data processing.7

2.5. Data Processor

A Data Processor is a person or organization that processes personal information for and on behalf of a Data Controller, strictly following the Data Controller’s instructions.6 This definition specifically excludes people who are authorized to process data under the direct authority of a Data Controller.6

2.6. Processing

“Processing” is a very broad term that covers almost any action performed on personal information, whether automatically or not. This includes collecting, receiving, recording, organizing, storing, updating, modifying, retrieving, altering, consulting, or using data. It also covers sharing data by transmitting, distributing, or making it available in any other way, as well as combining, linking, blocking, degrading, erasing, or destroying information.6

2.7. Eswatini Data Protection Authority (EDPA)

The Eswatini Communications Commission (ECC) is officially known as the National Data Protection Authority (EDPA).6 The EDPA’s job is to regulate how personal information is handled, investigate data breaches, and resolve complaints related to privacy issues.8 The EDPA can impose penalties, including administrative fines, for violations of the Act.8 Its functions include monitoring and enforcing compliance, ensuring organizations process information correctly, protecting your privacy rights, keeping public registers, and auditing personal information held by controllers.8

The Eswatini Communications Commission (EDPA) acts as the single, powerful regulator, centralizing oversight and enforcement.6 This means all our compliance efforts and any potential disputes will go through this one body. The EDPA’s power to impose significant fines (up to E5,000,000 or 2% of annual turnover) and even recommend imprisonment for serious cases highlights the severe consequences of not complying.1 Since the EDPA monitors and audits, Ridesly cannot be passive about data protection. This privacy policy shows our active commitment to compliance, not just to avoid penalties, but also to demonstrate responsible corporate behavior. Beyond financial penalties, non-compliance can severely damage our reputation, which is crucial for a consumer-facing app like Ridesly that relies heavily on your trust.1 Therefore, this policy is vital for protecting Ridesly’s reputation.

3. Information We Collect About You

This section explains in detail the types of personal information Ridesly collects from you. We aim to collect only what is directly relevant and necessary for our services, a principle known as “data minimization”.10

3.1. Information for Account Registration and Service Use

This includes essential details needed to create and manage your Ridesly account and to use our services:

  • Your first and last name, email address, date of birth, a secure password, and a mobile phone number (crucial for communication and notifications). 12
  • Other details you might provide, like a postal address or a profile photograph (which helps identify you and build trust). You can also optionally provide a mini-biography and gender. 12

For payments, while Ridesly facilitates transactions, full credit or debit card numbers are typically processed directly by secure third-party payment processors and are not stored on Ridesly’s servers. Ridesly retains only necessary transaction records.13

Please note that payments and withdrawals on the Ridesly Platform will be predominantly processed using MTN Mobile Money. By using Ridesly, you consent to the processing of your payments and withdrawals through MTN Mobile Money.

The principle of data minimization means we collect only what’s “adequate, relevant and limited to what is necessary” for our purpose.10 We distinguish between data strictly needed for the app’s core functions (like your name and contact info for booking) and optional data that enhances your experience. For any optional data, we rely on your explicit consent. We will clearly inform you that providing such data is voluntary and explain its specific purpose. This approach aligns with Eswatini’s Data Protection Act’s emphasis on consent.2 This clear distinction gives you control over what information you share, building trust and ensuring our compliance.

3.2. Information Collected During Your Trips

This covers comprehensive information gathered when you actively use our ride-sharing service:

  • Trip Details: This includes your exact pick-up and drop-off locations, the routes taken, journey duration, fare details, and a complete history of your bookings. 12
  • Location Data: We collect real-time, precise location data from both drivers and riders during a trip. This is essential for matching users efficiently, providing accurate navigation, ensuring your safety during the ride, and constantly improving our service. This includes data from your device’s geo-location services and mobile sensing capabilities. 4
  • Communication Data: Records of messages exchanged between users (e.g., in-app messages between a driver and a rider) and all your interactions with Ridesly’s customer service, which may include recorded phone calls for quality and training purposes. 12

Location data is central to a ride-sharing service, but it also raises significant privacy concerns, including potential misuse for profiling, targeted marketing, or even physical risks.4 The Eswatini Data Protection Act requires “security measures to prevent unauthorised access, loss, or misuse of data”.1 For location data, this means we go beyond general statements. Our policy clearly states the specific, legitimate purposes for collecting real-time location data: matching, navigation, safety, and fraud prevention, thereby adhering to the “purpose limitation” principle.10 To address concerns about data abuse, Ridesly commits to anonymizing or aggregating location data for analytics where possible, implementing strict access controls so only authorized personnel can access it, limiting how long we keep it, and strictly avoiding its use for purposes not directly related to the service, such as unauthorized marketing or profiling.

Research highlights that limited governance in ride-share apps has created an “anarchic environment where riders have no way of knowing how their data is stored and who has access to it”.5 The Eswatini Data Protection Act emphasizes transparency.1 To directly counter this industry perception, Ridesly’s policy provides radical transparency. This means not only listing the data we collect but also explaining how it’s stored, who has access to it (specifying internal roles and third parties), and detailing the robust security measures we have in place. By proactively addressing this significant industry concern, Ridesly aims to differentiate itself and build a stronger foundation of trust with you, which is essential for our long-term success.

3.3. Information You Provide Voluntarily

This includes data you choose to provide beyond what’s required for the service, such as:

  • Feedback, ratings, and reviews of trips or other users. 12
  • Participation in surveys or promotional offers. 12
  • Details provided when submitting support requests or reporting problems with the app. 12

3.4. Information Collected Automatically

This covers information automatically sent by your device and your interactions with the app:

  • Device and Usage Data: This includes your Internet Protocol (IP) address, device identifiers, operating system, browser type, app version, access times, pages viewed within the app, features used, and crash logs. This data is vital for troubleshooting and improving app performance. 12
  • Cookies and Similar Technologies: Ridesly uses cookies and similar tracking technologies to collect information about your activities on the platform. These technologies help improve your experience, analyze app usage patterns, and serve security purposes. 13

While an IP address might sometimes be considered “non-personally identifiable information,” for a mobile app like Ridesly, it’s almost always combined with other identifiers like a device ID, your account information, location data, and usage patterns.9 When combined, an IP address can significantly help identify you or your activity. Therefore, Ridesly acknowledges that even automatically collected data, including IP addresses, can become personally identifiable when combined. This means we handle such data with appropriate privacy safeguards, including adhering to purpose limitation, data minimization, and strong security measures, especially if it’s used for profiling or linked to an identifiable user.

3.5. Information from Third Parties

  • Social Media Authentication: If you choose to connect to Ridesly using social media (e.g., signing in with Facebook or Google), Ridesly may access certain personal data from your social media account, such as your first name, last name, profile picture, and email address, according to the terms of those platforms. 12
  • Payment Processors: As mentioned, information needed to process your payments is shared with and handled by trusted third-party payment processors, including MTN Mobile Money. 13

4. How We Use Your Information (Why We Process Your Data)

This section clearly explains the specific, legitimate, and explicit reasons why Ridesly processes your personal data, strictly following the “purpose limitation” principle required by data protection laws.10 Each reason is directly linked to the core functions or legal obligations of our service.

4.1. Providing and Improving Ridesly Services

This is our main purpose, covering all activities needed to operate the ride-sharing platform. This includes efficiently matching drivers and riders, managing bookings, executing trips, accurately processing payments, providing real-time navigation and optimized routes, and continuously improving the app’s functionality, your experience, and our service offerings based on how you use the app and your feedback. 12

4.2. Safety and Security (including Fraud Prevention)

Ridesly uses your personal data to ensure the safety and security of all users and the integrity of our platform. This involves verifying user identities (e.g., through identity documents) to prevent unauthorized access or fraudulent activities, monitoring ongoing trips for safety and emergency response, investigating any reported incidents or disputes, and ensuring strict compliance with Ridesly’s community guidelines and terms of service.4 This also includes proactively detecting and preventing fraud, abuse, and other illegal activities.

Ride-sharing services face a unique challenge: balancing user safety with privacy rights.4 While using data for safety, like real-time location tracking during a trip or identity verification for fraud prevention, is a legitimate and often necessary purpose, broad data collection for safety can sometimes overstep privacy boundaries, as seen with location data concerns.4 Our policy explicitly states that while data is used for safety, this processing is done with strict privacy safeguards. This includes data minimization (collecting only what’s necessary for safety), purpose limitation (using data only for stated safety purposes), and storage limitation (keeping data only as long as needed for safety or legal reasons). For example, while identity documents are kept for fraud detection, their retention period is clearly defined and legally justified, aligning with the “storage limitation” principle.10 This shows our commitment to both your safety and strong privacy compliance.

4.3. Communication and Customer Support

We use your personal data to communicate effectively with you. This includes responding to your inquiries, providing comprehensive customer support, sending important service updates or changes, and moderating in-app communications between drivers and riders to ensure a respectful and safe environment. 12

4.4. Personalization and Marketing

Ridesly may use aggregated or anonymized usage data to tailor and personalize services and content, such as suggesting common routes or preferred drivers/riders. Ridesly may also send you promotional communications, but only with your explicit consent where required by Eswatini law.

Research raises significant concerns about companies potentially using location data to “predict future locations,” “pinpoint an individual’s interests,” and “market towards them,” leading to “traceable online profiles”.4 Industry examples, like DiDi’s ability to analyze data to determine “what times people in certain cities finish work,” further illustrate how such profiling can occur.5 While personalization can genuinely improve your experience, it must not become intrusive profiling or unwanted marketing. The Eswatini Data Protection Act’s principles of purpose limitation and data minimization are crucial here.10 Ridesly’s policy commits to not creating comprehensive “traceable online profiles” for external marketing purposes without your explicit, granular consent. We also provide clear, easily accessible ways for you to opt out of any personalized marketing or data analysis that goes beyond improving our core service. This shows our proactive stance against a specific, identified user concern regarding privacy.

4.5. Legal Compliance and Enforcement

Ridesly processes your personal data to comply with our legal obligations. This includes responding to legitimate court orders, warrants, or government agency requests, as well as fulfilling any other legal requirements under Eswatini law.13 We also use data to enforce Ridesly’s own terms and conditions, and to protect the rights, property, or safety of Ridesly, its users, or the broader public. 13

5. Legal Reasons We Process Your Information

This section clearly states the legal grounds under the Eswatini Data Protection Act 5 of 2022 that allow Ridesly to process your data. This ensures transparency and adherence to the principle of lawfulness.

5.1. Your Consent

For specific activities where explicit consent is required by law or is the most appropriate legal basis, such as sending direct marketing communications, processing sensitive data not strictly necessary for core service provision, or for certain cross-border data transfers, Ridesly obtains your explicit consent.2 You always have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before you withdrew it.

5.2. Fulfilling Our Contract with You

We process your data when it’s necessary to fulfill the contract between Ridesly and you, or to take steps at your request before entering into a contract.2 This legal basis covers all data processing essential for providing our core ride-sharing services, including matching rides, processing payments, and managing your account.

5.3. Complying with Legal Obligations

We process your data when it’s necessary for Ridesly to comply with a legal obligation under Eswatini law.2 This includes, but is not limited to, retaining data for tax or regulatory purposes, and responding to valid court orders, warrants, or legitimate requests from law enforcement or other government agencies. 13

5.4. Our Legitimate Interests

We process your data when it’s necessary for the legitimate interests pursued by Ridesly or by a third party, as long as these interests do not override your fundamental rights and freedoms.2 Examples include improving the security of the app, preventing fraud and abuse, conducting internal analytics to enhance service quality, and ensuring network security. We carefully balance these interests against your privacy rights.

The legal basis of “legitimate interests” offers flexibility but requires careful justification, as it’s balanced against your fundamental rights.2 Without clear explanation, this basis could be seen as a catch-all. Ridesly’s policy not only states “legitimate interests” but also provides concrete examples, such as fraud prevention, service improvement, and security. Crucially, we commit to conducting a “balancing test” to ensure our legitimate interests do not override your privacy rights. This approach demonstrates a responsible and legally sound method, reducing the risk of regulatory challenge and building your confidence.

6. How We Share and Disclose Your Information

This section transparently explains when Ridesly shares or discloses your personal information with third parties, strictly following the principles of purpose limitation and transparency.

6.1. With Other Ridesly Users (Drivers/Riders)

To facilitate the ride-sharing service, we necessarily share limited personal information between drivers and riders. This typically includes the first name, profile photograph, precise pick-up and drop-off points, estimated arrival time, and a contact number for direct communication related to the trip coordination.13 This sharing is essential for providing the service you requested.

6.2. With Service Providers and Partners

Ridesly works with various trusted third-party vendors and partners who perform services on our behalf. These include, but are not limited to, payment processors (like MTN Mobile Money), cloud hosting providers, mapping services, analytics providers, customer support tools, and identity verification services.13 These partners are legally bound by contract to process personal data strictly according to Ridesly’s instructions, implement strong security measures, and comply with the Eswatini Data Protection Act.7

As the Data Controller, Ridesly remains ultimately responsible for your personal data even when third-party Data Processors handle it.6 This means any non-compliance by a processor can affect Ridesly. The Eswatini Data Protection Act, similar to GDPR, explicitly states that the controller-processor relationship “must be governed by a contract” that outlines data protection measures.7 Furthermore, the Act requires controllers to “implement security measures to prevent unauthorised access, loss, or misuse of data,” which extends to data handled by processors.1 By clearly stating that Ridesly enters into legally binding contracts with its processors, ensuring they uphold the same strict data protection standards as Ridesly itself, this policy demonstrates our proactive approach to managing third-party risk and reinforces our compliance with the Act. This commitment is vital for maintaining your trust and avoiding potential regulatory penalties.

6.3. For Legal Reasons or in Case of Disputes

Ridesly may disclose personal data when legally required, such as in response to a valid court order, search warrant, subpoena, or other legitimate requests from government agencies (e.g., for fraud prevention, criminal investigations, or national security purposes).13 Disclosure may also occur to enforce Ridesly’s terms and conditions, protect our legal rights, property, or safety, or the rights, property, or safety of our users or the general public. 13

Research highlights a critical and sensitive issue for ride-sharing companies: the potential for “authoritarian governments demand[ing] access to the data to, for example, track specific citizens or groups”.5 While Ridesly must comply with legitimate legal obligations, this policy states our commitment to carefully scrutinize all government data requests. This means we will, where legally permissible and appropriate, challenge overly broad, vague, or unlawful requests. This commitment shows our proactive stance in protecting your privacy, going beyond mere compliance to address a significant ethical and security concern. It reassures you that Ridesly will act as a guardian of your data against potential overreach.

6.4. Business Transfers

If Ridesly undergoes a merger, acquisition, or sale of all or part of its assets, your personal data may be transferred as part of that transaction. We will notify you of such a transfer and any resulting changes to this privacy policy.

6.5. Cross-Border Data Transfers

Due to the global nature of technology and service providers, personal data collected by Ridesly may be transferred to and stored in countries outside Eswatini. Specifically, Ridesly utilizes Google Cloud servers located in the Africa-South region (Johannesburg) for storing user data. This means your data may be transferred to and stored in South Africa.15

  • Transfers within SADC Member States: Such transfers are permitted under certain conditions, as the Eswatini Data Protection Act aligns with regional data protection standards set by the Southern African Development Community (SADC).1 Since South Africa is a SADC member, this transfer is facilitated under these conditions.
  • Transfers to Non-SADC Countries: For transfers to countries outside the SADC region, Ridesly is legally required to ensure that adequate data protection measures are in place.1 This may involve relying on legally recognized mechanisms such as Standard Contractual Clauses (SCCs) approved by relevant authorities, or ensuring the recipient country has data protection laws deemed “adequate” by Eswatini standards. In certain specific circumstances, your explicit consent may be sought for such transfers. 9

The Eswatini Data Protection Act explicitly differentiates between SADC and non-SADC data transfers.1 While transfers within SADC are relatively straightforward, transfers outside the SADC region require “adequate data protection measures.” Determining “adequacy” is a complex process that involves assessing the data protection laws of the recipient country or implementing robust contractual safeguards. For instance, Standard Contractual Clauses (SCCs) are legally binding agreements designed to ensure data protection when transferring data to jurisdictions without equivalent data protection laws.9 This implies a significant operational and legal responsibility for Ridesly to ensure that every cross-border transfer to a non-SADC country meets Eswatini’s strict standards. This policy clearly communicates this commitment, reassuring you that your data is protected even when it leaves Eswatini’s borders. This demonstrates a sophisticated understanding of the Act’s requirements and a proactive approach to global data privacy.

7. Data Security and How Long We Keep Your Data

This section details Ridesly’s strong commitment to protecting your data through robust security measures and clear data retention policies, adhering to the principles of security and storage limitation.1

7.1. How We Protect Your Data

Ridesly implements a comprehensive set of appropriate technical and organizational measures designed to protect your personal data from unauthorized access, accidental loss, misuse, alteration, or destruction.1 These measures include, but are not limited to, data encryption (both when it’s being sent and when it’s stored), strict access controls based on the principle of least privilege (meaning only those who need access get it), regular security assessments and penetration testing, employee training on data protection best practices, and a robust cyber-incident security response plan.13 Ridesly’s approach to security is risk-based, ensuring the level of protection is appropriate for the sensitivity of the data we process. 14

Simply stating that “leading technologies” are used is no longer enough in modern data protection.13 The Eswatini Data Protection Act requires specific “security measures”.1 Research provides crucial details on what constitutes appropriate security, specifically mentioning a “risk-based approach,” “technical and operational measures,” “access control,” and a “cyber-incident security response plan”.14 To effectively address the concern that “hackers can gain access” to data, Ridesly’s policy conveys a proactive and dynamic security posture.5 This means not only having measures in place but also regularly reviewing, updating, and testing them. The policy articulates this commitment by mentioning specific types of measures, such as encryption and access controls, and the underlying philosophy of a risk-based approach and continuous improvement. This reassures you and demonstrates a mature approach to compliance.

7.2. How Long We Keep Your Data

Ridesly strictly follows the principle of storage limitation, meaning your personal data will be kept only for as long as necessary to fulfill the specific purposes for which it was collected, or as required by applicable Eswatini laws and regulations.2 Once data is no longer needed for its original purpose or legal obligations, it will be securely deleted or anonymized.

The principle of storage limitation, clearly established by the Eswatini Data Protection Act, requires that data be kept “only for as long as is necessary”.10 For a dynamic service like ride-sharing, “necessary” isn’t a single, fixed period. Trip history might be needed longer for dispute resolution or safety investigations, while real-time location data is primarily relevant only during an active trip. BlaBlaCar’s varied retention periods illustrate this complexity.12 Beyond operational necessity, legal obligations, such as financial record-keeping or fraud prevention data retention for suspended accounts, also dictate retention periods.12 Our policy goes beyond a general statement to provide specific retention periods for different categories of data, showing a mature approach to data lifecycle management, crucial for compliance, and aiding justification to the EDPA.

The following table outlines the general retention periods for various categories of personal information collected by Ridesly:

Table 3: Data Retention Periods

| Category of Personal Information | Retention Period | Reason for Retention |
|---|---|---|
| Account Profile Data | Duration of account activity + 3 years | Service provision, user re-engagement, legal claims |
| Trip History Data | 7 years from trip completion | Legal compliance, dispute resolution, safety investigations, audit requirements |
| Customer Service Communications | 6 months (call recordings), 1 year (analysis documents) | Quality assurance, training, dispute resolution |
| Identity Verification Documents | 1 year | Fraud prevention, identity verification 12 |
| Logging Data | 12 months | Security monitoring, troubleshooting, audit requirements 12 |
| Payment Transaction Records | 5 years | Financial audit, tax compliance, dispute resolution |
| Suspended/Blocked Account Data | 2-10 years (depending on severity of violation) | Fraud prevention, circumvention avoidance 12 |

7.3. Data Breach Notification

In the unfortunate event of an unauthorized data security breach that poses a risk to your rights and freedoms, Ridesly is legally obligated to act swiftly. Ridesly will notify the Eswatini Communications Commission (EDPA) within 72 hours of becoming aware of the breach.1 Furthermore, affected data subjects (you) will also be notified without undue delay, unless the breach is unlikely to result in a high risk to your rights and freedoms or if specific actions have been taken to prevent harm. 1

The 72-hour notification period to the EDPA is a strict and non-negotiable requirement, demanding rapid internal detection, assessment, and reporting capabilities.17 Beyond notifying the regulator, Ridesly is also mandated to notify affected data subjects.1 This dual notification ensures transparency and allows you to take protective measures. Meeting these requirements means we have a robust Incident Response Plan, including clear procedures for identifying, containing, assessing, and reporting data breaches. The policy’s explicit mention of this commitment demonstrates our preparedness. Prompt and transparent breach notification, even if challenging, is crucial for maintaining your trust and demonstrating our accountability, particularly given the concerns about data security in ride-sharing services.5

8. Your Rights as a Data Subject (Under Eswatini Data Protection Act, 2022)

This comprehensive section clearly outlines all the rights you have as a “Data Subject” under the Eswatini Data Protection Act 5 of 2022. It also provides clear instructions on how you can exercise these rights, reinforcing Ridesly’s commitment to giving you control over your personal information.

8.1. Right to Be Informed

You have the right to be informed about how your personal data is collected and used.18 This Privacy Policy is our main way of fulfilling this fundamental right, providing you with detailed information about our data processing activities.

8.2. Right to Access Your Personal Information

You have the right to get confirmation from Ridesly about whether your personal data is being processed, and if so, to access that personal data.1 This includes information about why we’re processing it, the types of data involved, who we’ve shared it with, and how long we plan to store it. You can exercise this right free of charge. 2

8.3. Right to Rectification (Correction)

You have the right to ask Ridesly to correct any inaccurate or incomplete personal data we hold about you without unnecessary delay.1 If your data is incomplete, you have the right to have it completed, including by providing additional information. 19

8.4. Right to Erasure (Right to Be Forgotten)

You have the right to request that we delete or remove your personal data without undue delay when the data is no longer needed for the purposes it was collected for, when you withdraw your consent (and there’s no other legal reason for us to process it), when you object to the processing, or when the data has been processed unlawfully. 1

8.5. Right to Restriction of Processing

You have the right to ask us to limit the processing of your personal data under specific circumstances, such as when you challenge the accuracy of the data, when the processing is unlawful, or when Ridesly no longer needs the data for processing but you need it for legal claims. 18

8.6. Right to Object to Processing

You have the right to object, based on your specific situation, to the processing of your personal data when the processing is based on Ridesly’s legitimate interests or a task carried out in the public interest.18 Ridesly will stop processing your personal data unless we can show compelling legitimate reasons for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

8.7. Right to Data Portability

You have the right to receive the personal data you have provided to Ridesly in a structured, commonly used, and machine-readable format, and you have the right to transfer that data to another data controller without hindrance from Ridesly, where the processing is based on your consent or a contract and is carried out by automated means. 18

8.8. Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. 1

8.9. How to Exercise Your Rights

To exercise any of these rights, please submit a written request to Ridesly’s designated contact point for privacy matters (see Section 11). Your request should clearly state the right you are exercising and provide enough information to verify your identity. Ridesly is required to respond to such requests without undue delay and, in most cases, within one month of receiving your request. This period may be extended by two further months for complex requests, but we will notify you beforehand.18 Ridesly will not charge a fee for exercising these rights, unless your request is clearly unfounded or excessive. 18

8.10. Lodging a Complaint

Should you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Eswatini Communications Commission (EDPA), the national data protection authority in Eswatini. 8

9. Children’s Privacy

Ridesly’s services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that personal information from a child has been inadvertently collected, we will take steps to promptly delete such information. While some laws might assume consent capacity for individuals over 15, organizations often need to assess capacity on a case-by-case basis for persons under 18 years of age.14 Ridesly is committed to protecting the privacy of minors in accordance with applicable laws.

10. Changes to This Privacy Policy

Ridesly may update this Privacy Policy periodically to reflect changes in our data practices, legal requirements, or service offerings. Any changes will be posted on this page, and, where appropriate, we will notify you directly. Your continued use of the Ridesly application after any such changes means you accept the revised policy.

11. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or Ridesly’s data practices, please contact Ridesly through the dedicated support channels available within the application or via the official contact information provided on Ridesly’s website.

Conclusion

This updated Privacy Policy for Ridesly has been carefully crafted to be user-friendly and to fully comply with the Eswatini Data Protection Act 5 of 2022, while also addressing the unique privacy considerations of a ride-sharing service.

We’ve clearly explained how we collect and use your data, emphasizing that your consent is key to our processing activities. We’ve also provided specific details about our use of MTN Mobile Money for payments and withdrawals, and confirmed that your data is securely stored on Google Cloud servers in the Africa-South region (Johannesburg). This policy highlights our commitment to data minimization, purpose limitation, and radical transparency in all our data handling practices, directly addressing common concerns about data security and access in the ride-sharing industry.

Furthermore, we’ve detailed our robust security measures, clear data retention periods, and our swift data breach notification protocols. Most importantly, this policy comprehensively outlines your rights as a data subject under Eswatini law, providing you with clear ways to access, correct, or control your personal information. By embracing these principles, Ridesly aims to build and maintain your trust, ensure strict compliance with Eswatini’s strong data protection framework, and establish itself as a responsible and secure ride-sharing platform in the region.