Legal
This Privacy Policy explains how Kora Fleet Technologies collects, uses, stores, shares, and protects personal data in connection with the Kora Fleet platform and related commercial services.
Effective 1 June 2026
Kora Fleet Technologies ("Kora", "we", "us", "our") operates a multi-tenant SaaS fleet management platform used by transport companies, fleet operators, and logistics businesses ("Customers") across Kenya and the East African region. In delivering our services, we process personal data relating to Customer employees, drivers, mechanics, and other personnel.
This Policy applies to all data processed through the Kora Fleet platform, including the Workspace App, Field App (mobile PWA), Platform Console, and all associated APIs. It should be read together with our Terms of Service and Cookie Policy.
Customers who process personal data through Kora act as data controllers in respect of their personnel and operational data. Kora acts as a data processor on behalf of those Customers, and as a data controller in respect of platform-level administrative data.
2.1 Kora as Data Controller
Kora is the data controller for: account registration data for company administrators; business and owner verification (KYC) documents collected to confirm a Customer's identity; billing and subscription records; platform usage analytics and audit logs; marketing communications and enquiry submissions; and platform-level personnel records for Kora's own staff.
2.2 Kora as Data Processor
For all Operational Data submitted by a Customer — including personnel profiles, trip records, fuel logs, maintenance records, driver settlement records, and driver activity — Kora acts as a data processor. The Customer is the data controller and determines the purposes and means of processing. Customers must ensure they have a lawful basis to submit their personnel's personal data to Kora and must provide adequate notices to their data subjects.
2.3 Data Processing Agreement
By accepting the Terms of Service or entering into an Order Form, Customers agree that Kora may provide a written data processing addendum or equivalent contractual data-protection terms where required for the Customer relationship. Customers requiring a standalone signed data processing agreement should contact legal@korafleet.com.
3.1 Account & Registration Data
3.2 Personnel Data (submitted by Customers)
Customers create personnel records for their own drivers, mechanics, and office staff. The profile fields collected are:
Customers also upload personnel identity and compliance document images for their own record-keeping, document-expiry reminders, and trip dispatch-readiness checks. Depending on the person's role, these may include:
These documents are uploaded and controlled by the Customer and are stored in private, access-controlled storage. Kora processes them on the Customer's behalf (as data processor) for compliance and expiry tracking; Kora does not independently verify them against government or regulatory registries. This is distinct from the business and owner verification Kora performs on the Customer itself (see 3.6).
Kora does not collect personnel date of birth, KRA PIN, bank account details, a separate mobile-money payment number, profile photographs, or emergency contacts.
3.3 Operational Data (submitted by Customers)
3.4 Usage & Technical Data
3.5 Communications Data
3.6 Business & Owner Verification (KYC)
To confirm that an account belongs to a genuine business and to identify the person who controls it, Kora collects a limited set of verification documents from the company administrator during or shortly after onboarding:
This Kora-performed verification covers only the company and its administrator. Kora does not run this verification step on the Customer's drivers, mechanics, or other field personnel — although Customers separately upload their own personnel's identity and compliance documents as described in 3.2. Verification documents are stored in private storage, are not publicly accessible, and are streamed only through Kora's access-controlled document viewer. Access is restricted to administrators of the same company and to Kora platform staff carrying out verification and compliance review. Kora is the data controller for this verification data, which it collects for its own customer-verification and fraud-prevention purposes.
Under the Kenya Data Protection Act 2019, we process personal data on the following legal bases:
Customers are responsible for identifying and documenting their own legal basis for processing their personnel's data on the Kora platform.
5.1 Service Delivery
We use personal data to create and maintain company accounts; authenticate and authorise users; process trip dispatch, fuel records, and maintenance workflows; generate invoices and financial reports; and send critical service notifications such as security alerts, billing reminders, and subscription status changes.
5.2 Fraud & Anomaly Detection
Kora's fuel anomaly detection engine analyses fuel fill records against vehicle specifications and historical patterns to flag potential siphoning, over-reporting, or mileage discrepancies. This processing is carried out on behalf of the Customer to protect the Customer's operational integrity. Flagged anomalies are surfaced to Customer administrators only and are not disclosed to third parties.
5.3 Billing & Payments
Subscription billing data is used to generate invoices, apply supported Paybill payments, and maintain billing history. Driver settlement contact data, including mobile-money phone numbers where provided, is used solely to calculate settlements and record Customer-managed payment references.
5.4 Security & Audit
We maintain audit logs of significant platform actions — account creation, data mutations, admin actions, and access events — to detect security incidents, investigate complaints, and comply with regulatory requirements. Kora staff access to Customer Operational Data is restricted to support, security incident response, and legal compliance scenarios, and is logged.
5.5 Platform Improvement
Anonymised, aggregated, and non-identifiable usage data may be used to improve platform features, optimise performance, and inform product development. No individual Customer's data is disclosed in such analytics.
Kora supports payment data handling for customer subscription payments and Customer-managed driver settlement records. The following applies specifically to that payment and reference data:
Drivers, mechanics, dispatchers, and other fleet personnel whose data is held on the Kora platform are data subjects. Their personal data is submitted and controlled by their employer (the Customer). Kora processes this data as a data processor under the Customer's instruction.
Personnel wishing to exercise data subject rights (access, correction, deletion, or portability) should contact their employer directly. Kora will support Customers in fulfilling valid data subject requests within 30 days of written notice.
Where a Customer's account is suspended or terminated and not renewed, personnel data is retained for 30 days for export. After that window, data is permanently deleted subject to any mandatory regulatory retention obligations.
Personnel data is restricted by tenant isolation, role-based access controls, and administrative permissions designed to limit access to authorised Customer users and Kora personnel with a support, security, or compliance need to know.
9.1 Operational Data
Customer Operational Data (trips, fuel logs, maintenance records, driver settlement records) is retained for the life of the Customer's active subscription. Upon account termination, data is retained for 30 days in a read-only state for export. After 30 days, data is permanently deleted from active storage. Certain financial transaction records may be retained for up to 7 years to satisfy Kenya Revenue Authority requirements.
9.2 Audit Logs
Audit logs and activity trails are retained for a minimum of 12 months and may be retained for up to 7 years where required by applicable law. Audit logs are not accessible to Customer users but are available to Kora's compliance team and may be produced in response to lawful regulatory requests.
9.3 Account Data
Company administrator credentials and account registration data are deleted 30 days after account termination. Billing records and subscription history are retained for 7 years for accounting and tax compliance.
9.4 Requesting Deletion
Customers may request immediate deletion of their Operational Data (outside the standard 30-day post-termination window) by writing to privacy@korafleet.com. Deletion requests will be actioned within 14 days, subject to any mandatory retention obligations. A deletion confirmation will be issued in writing upon completion.
9.5 Verification (KYC) Documents
Business and owner verification documents (certificate of incorporation and administrator national ID images) are retained while the account is active and for up to 30 days after account termination, after which they are deleted from active storage, subject to any mandatory regulatory retention obligation. Customers may request earlier deletion of verification documents by writing to privacy@korafleet.com, subject to Kora's ongoing fraud-prevention and legal needs.
Kora implements technical and organisational security measures proportionate to the sensitivity of the data processed:
Despite these measures, no internet-based service can guarantee absolute security. Where Kora acts as a data processor for Customer-controlled personal data, Kora will notify the affected Customer without undue delay and, where reasonably practicable, within 48 hours after becoming aware of a personal data breach affecting that data. Where Kora acts as a data controller, we will make regulator and data subject notifications as required by applicable law.
Individuals whose personal data is controlled by Kora (primarily company administrators) have the following rights under the Kenya Data Protection Act 2019:
To exercise any of these rights, contact privacy@korafleet.com. We will respond within 30 days. If you believe your rights have not been respected, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) Kenya at www.odpc.go.ke.
Personnel wishing to exercise rights in respect of data held by their employer on the Kora platform should contact their employer directly, as the employer is the data controller for that data.
Kora's infrastructure relies on providers that may process data outside Kenya, including in the United States, the European Union, and other service regions used by our vendors. Such transfers are managed through contractual safeguards appropriate to the provider relationship, including vendor data processing terms and transfer clauses where applicable.
Kora takes reasonable steps to ensure that any international transfer of personal data provides a level of protection consistent with the requirements of the Kenya Data Protection Act 2019. Customers with specific data residency requirements should contact us to discuss available options before subscribing.
The Kora Service is designed for use by businesses and professional fleet operators. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor's data has been submitted to the platform, please contact privacy@korafleet.com and we will take prompt action to delete it.
We may update this Privacy Policy from time to time to reflect changes in our data practices, technology, or applicable law. Material changes will be communicated to company administrators by email at least 14 days before the effective date. The updated Policy will be published at korafleet.com/privacy with a revised effective date.
Continued use of the Service after the effective date of a revised Policy constitutes acceptance of the updated terms. If you do not agree to the revised Policy, you must cease using the Service and contact us to arrange data deletion.
For privacy-related enquiries, data subject rights requests, breach notifications, or DPA queries, contact:
If you are a Customer with a support query unrelated to data protection, contact support@korafleet.com. If you are a member of the press or a regulatory authority, contact legal@korafleet.com.
For complaints that remain unresolved after contacting us, you may refer the matter to the Office of the Data Protection Commissioner (ODPC) Kenya.