Privacy Policy
Last updated: 30 March 2026
Buslyft Metaride (Pty) Ltd, a subsidiary of Kavod Technologies (Pty) Ltd, ("Buslyft", "we", "us", or "our") is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our platform, applications, and services (collectively, the "Platform").
This policy is issued in compliance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and the Consumer Protection Act 68 of 2008 ("CPA"). For detailed information on our POPIA compliance, please refer to our POPIA Compliance page.
1. Responsible Party
For the purposes of POPIA, the responsible party is:
Buslyft Metaride (Pty) Ltd
A subsidiary of Kavod Technologies (Pty) Ltd
Information Officer: privacy@buslyft.com
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, phone number, profile photo
- Identity verification: South African ID number or passport number (for drivers), selfie verification images
- Payment information: Credit/debit card details, bank account information, Buslyft Wallet transaction records
- Driver information: Driving licence, professional driving permit (PrDP), vehicle registration, insurance documents, criminal background check consent
- Communications: Messages sent through in-app chat, support tickets, feedback, and reviews
- Business account information: Company name, registration number, VAT number, authorised representatives
2.2 Information Collected Automatically
- Location data: Real-time GPS location (when using the app), pickup and drop-off locations, route data
- Device information: Device type, operating system, unique device identifiers, IP address, browser type
- Usage data: App usage patterns, features accessed, search queries, trip history
- Sensor data: Accelerometer and gyroscope data for safety features (crash detection)
- Cookies and tracking: As described in our Cookie Policy
2.3 Information From Third Parties
- Identity and background verification services
- Payment processors and financial institutions
- Social media platforms (when you choose to log in via social accounts)
- Marketing partners and analytics providers
- Public databases and government records (for driver verification)
3. How We Use Your Information
We process your personal information for the following purposes, each with a lawful basis under POPIA:
- Service delivery: To facilitate ride bookings, deliveries, payments, and other core platform services (contractual necessity)
- Safety and security: To verify identities, detect fraud, ensure rider and driver safety, and respond to emergencies (legitimate interest and legal obligation)
- Communication: To send ride confirmations, receipts, service updates, and respond to support requests (contractual necessity)
- Improvement: To analyse usage patterns, improve our services, develop new features, and fix bugs (legitimate interest)
- Marketing: To send promotional offers, personalised recommendations, and loyalty rewards (consent)
- Legal compliance: To comply with applicable laws, regulations, legal processes, and law enforcement requests (legal obligation)
- Dispute resolution: To investigate and resolve complaints, disputes, and claims (legitimate interest)
4. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
- With drivers/riders: Your name, pickup/drop-off location, and rating are shared with your matched driver or rider to facilitate the service
- With service providers: Payment processors, cloud hosting providers, identity verification services, analytics providers, and customer support tools
- With business accounts: If your trip is booked through a Buslyft for Business account, trip details may be shared with the business administrator
- For safety: With emergency services, law enforcement (when legally required), or trusted contacts (when you activate safety features)
- With affiliates: Within the Kavod Technologies group of companies for operational purposes
- Legal requirements: When required by law, court order, or governmental authority
5. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law. General retention periods include:
- Active account data: For the duration of your account plus 2 years after closure
- Trip and transaction records: 5 years (in accordance with South African tax and financial regulations)
- Safety and incident records: 7 years
- Marketing preferences: Until you withdraw consent
- Location data: 90 days in detailed form, aggregated thereafter
6. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights:
- Access: Request confirmation of whether we hold your personal information and obtain a copy
- Correction: Request correction or updating of inaccurate or incomplete personal information
- Deletion: Request deletion of your personal information where it is no longer necessary
- Objection: Object to the processing of your personal information for direct marketing
- Restriction: Request that we restrict the processing of your personal information in certain circumstances
- Data portability: Request your personal information in a structured, commonly used, machine-readable format
- Withdraw consent: Withdraw consent for processing based on consent at any time
- Complain: Lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, contact our Information Officer at privacy@buslyft.com. We will respond within 30 days as required by POPIA.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Access controls and role-based permissions for staff
- Regular security audits and penetration testing
- Secure data centres with physical access controls
- Employee training on data protection and security
- Incident response procedures for data breaches
8. International Transfers
Your personal information may be transferred to and processed in countries outside South Africa where our service providers operate. When this occurs, we ensure that adequate safeguards are in place in accordance with POPIA section 72, including binding corporate rules, contractual clauses, or transfers to countries with adequate data protection legislation.
9. Children's Privacy
The Platform is not directed at children under 18. We do not knowingly collect personal information from children without parental consent. Our school transport service (Buslyft School Rides) processes children's data only with verified parental or guardian consent and applies enhanced safeguards in accordance with POPIA's provisions on the processing of children's information.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before they take effect. The "Last updated" date at the top of this policy indicates when it was last revised.
11. Contact Us
Buslyft Metaride (Pty) Ltd
A subsidiary of Kavod Technologies (Pty) Ltd
Information Officer: privacy@buslyft.com
Support: support@buslyft.com
Information Regulator of South Africa
complaints.IR@justice.gov.za
inforeg@justice.gov.za