VAYE Privacy Policy

How VAYE collects, uses, shares, protects and retains personal information across its mobility, delivery, marketplace and payments platform.

Effective Date: 1 April 2026
Last Updated: 1 April 2026

Diamond Information Systems (Pty) Ltd (“Company”, “we”, “us”, or “our”) respects the privacy of every natural and juristic person whose personal information we process. This Privacy Policy explains how we collect, record, organise, store, update, use, disclose, transfer, retain, secure, and otherwise process personal information through our mobile applications, websites, portals, customer support channels, payment features, safety tools, marketplace features, and related services (collectively, the “Platform”).

This Policy has been drafted for a South Africa-based technology platform and is intended to align primarily with the Protection of Personal Information Act 4 of 2013 (“POPIA”) and, where applicable, Regulation (EU) 2016/679 (“GDPR”). It is also structured so that it can support app-store transparency disclosures for Google Play and the Apple App Store.

1. Scope and user roles

This Policy applies to all users of the Platform, including, as applicable, riders, passengers, customers, recipients, drivers, couriers, fleet partners, merchants, marketplace sellers, service providers, wallet users, payers, support requesters, and website visitors.

  • The rider or customer application.
  • The driver, courier, or transport-partner application.
  • The merchant, vendor, or marketplace portal or application.
  • Payment, payout, wallet, voucher, loyalty, and refund functionality.
  • Messaging, in-app calling, customer support, safety, trust, fraud, and incident-management tools.
  • Promotional, analytics, referral, campaign, and survey features.

2. Responsible Party / Controller

For purposes of POPIA, Diamond Information Systems (Pty) Ltd is the Responsible Party in relation to personal information processed through the Platform. For purposes of GDPR, where GDPR applies, Diamond Information Systems (Pty) Ltd acts as the Controller except where this Policy or a separate notice states otherwise.

Legal entity: Diamond Information Systems (Pty) Ltd
Registration number: 2010/003892/07
Registered address: Postnet Suite 267, Private Bag x75, Bryanston 2021
Privacy email: support@diamondinformationsystems.com
Information Officer / DPO contact: Ian Joule — ian@diamondinformationsystems.com

3. Applicable legal framework

The Company intends to process personal information consistently with POPIA’s eight conditions for lawful processing and, where GDPR applies, GDPR’s principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

  • POPIA Condition 1 – Accountability: section 8.
  • POPIA Condition 2 – Processing limitation: sections 9–12.
  • POPIA Condition 3 – Purpose specification: sections 13–14.
  • POPIA Condition 4 – Further processing limitation: section 15.
  • POPIA Condition 5 – Information quality: section 16.
  • POPIA Condition 6 – Openness: sections 17–18.
  • POPIA Condition 7 – Security safeguards: sections 19–22.
  • POPIA Condition 8 – Data subject participation: sections 23–25.
  • POPIA direct marketing by unsolicited electronic communications: section 69.
  • POPIA automated decision-making: section 71.
  • POPIA cross-border transfers: section 72.
  • POPIA Information Regulator: section 39.

4. Categories of personal information collected

Depending on the services used and permissions enabled, we may collect the following categories of personal information.

Identity and account data

Names, surnames, usernames, telephone numbers, email addresses, passwords or login credentials, date of birth, profile images, emergency contacts, customer profile settings, and account verification records.

Mobility and transaction data

Ride requests, booking details, origin and destination information, trip history, route and ETA data, order history, delivery status, receipts, invoice data, payout records, promotions, and loyalty or incentive records.

Location data

Precise device location, approximate location, background location where enabled and necessary for active operations, trip tracking, navigation, safety, fraud detection, dispatch continuity, and service support.

Driver, courier, and merchant data

Driver licence information, permits, vehicle records, insurance details, business registration details, merchant listings, banking details for payouts, tax and VAT information, performance metrics, service quality records, and compliance results.

Payment and financial data

Payment tokens, limited card metadata, billing addresses, wallet balances, refunds, chargebacks, transaction references, anti-fraud signals, and payout account details. Full card numbers should ordinarily be processed by regulated payment processors rather than stored by the Company.

Communications and support data

Chat content, support tickets, complaint records, incident narratives, images and documents submitted for support or verification, call metadata, and where lawful, call recordings.

Technical and device data

Device identifiers, IP addresses, mobile network details, browser type, operating system, app version, language settings, logs, diagnostics, crash reports, and analytics events.

Compliance and safety data

Identity documents, selfie or liveness checks, sanctions or fraud-screening results, safety reports, collision or misconduct reports, and records required by law or reasonably necessary to protect users and the Platform.

5. Sources of personal information

  • Directly from you when you create an account, complete onboarding, request services, make payments, submit support requests, participate in surveys, or communicate through the Platform.
  • Automatically from your device or browser when you use the Platform.
  • From other users involved in a ride, order, delivery, support case, or dispute.
  • From fleet operators, merchants, or enterprise customers sponsoring or administering accounts.
  • From payment processors, mapping providers, identity-verification vendors, fraud-detection vendors, communications vendors, and analytics vendors.
  • From public authorities, regulators, law-enforcement agencies, sanctions lists, public registers, or other lawful public sources where reasonably necessary and permitted by law.

6. Purpose of processing

  • to create, verify, and administer user accounts and roles;
  • to enable bookings, rides, deliveries, logistics, marketplace purchases, wallet functionality, and other platform services;
  • to match riders, drivers, couriers, merchants, and recipients and to facilitate communications between them;
  • to process payments, refunds, chargebacks, incentives, commissions, and payouts;
  • to verify identity, eligibility, licensing, merchant status, or other onboarding requirements;
  • to provide customer support, investigate complaints, and resolve disputes;
  • to protect the safety, security, and integrity of users, the Platform, and the public;
  • to prevent, detect, and investigate fraud, abuse, unlawful conduct, and policy breaches;
  • to maintain records, perform analytics, improve user experience, and develop products and features;
  • to comply with legal, tax, accounting, insurance, transport, and regulatory obligations;
  • to send service, administrative, legal, and safety communications;
  • to send direct marketing where permitted by law and subject to consent or opt-out rights as applicable.

7. Lawful grounds for processing

POPIA

Under section 11 of POPIA, processing may occur where the data subject has consented, processing is necessary to carry out actions for the conclusion or performance of a contract, processing complies with an obligation imposed by law, processing protects a legitimate interest of the data subject, or processing is necessary for pursuing the legitimate interests of the Responsible Party or of a third party to whom the information is supplied. The Company will rely on the ground most appropriate to the relevant processing activity and will not rely on consent where another lawful ground is more suitable and transparent.

GDPR

Where GDPR applies, the Company may rely on one or more lawful bases under Article 6, namely consent, contract, legal obligation, vital interests, public task where applicable, and legitimate interests. Special categories of personal data, if processed, will only be processed where an Article 9 condition also applies.

8. Special personal information and children

POPIA generally prohibits the processing of special personal information unless a lawful exception applies (sections 26–33) and similarly regulates personal information relating to children (sections 34–35). The Company does not intentionally process special personal information or children’s information except where lawful and strictly necessary, for example for identity verification, safety incident handling, accessibility or medical emergency support disclosed by the user, or lawful driver/partner screening. Where GDPR applies, any special-category data will be processed only in accordance with Article 9.

The Platform is not intended for children who may not lawfully use the relevant services. Where age limits apply, the Company may request age confirmation and may suspend or delete accounts used unlawfully by or on behalf of children.

9. Collection practices and transparency

The Company aims to collect personal information directly from the data subject where appropriate, in keeping with section 12 of POPIA, and to provide notification when personal information is collected in accordance with section 18 of POPIA and Articles 13 and 14 of the GDPR.

At or before collection, or as soon as practicable thereafter, the Company may notify the data subject of: the categories of information collected, the purpose of collection, whether supply is voluntary or mandatory, consequences of failure to provide information, recipients or categories of recipients, any planned cross-border transfers, and the data subject’s rights.

10. Direct marketing and promotional communications

The Company may send marketing and promotional communications only where permitted by law. Under POPIA section 69, the processing of personal information for direct marketing by means of unsolicited electronic communications is prohibited unless the data subject has consented or is an existing customer and the statutory conditions for customer marketing are met. Under GDPR, direct marketing must also rest on an appropriate lawful basis, and the data subject has the right to object under Article 21.

Every direct marketing communication should include a clear and practical unsubscribe or opt-out mechanism. Service messages, receipts, safety messages, fraud alerts, support updates, and legally required notices are not marketing and may still be sent even where a user has opted out of marketing.

11. Automated decision-making, profiling, matching, and pricing

The Platform may use algorithmic tools to support dispatch, route optimisation, dynamic pricing, fraud scoring, marketplace ranking, service quality measurement, duplicate-account detection, and abuse prevention. The Company does not intend to subject data subjects to solely automated decisions that produce legal effects or similarly significant effects except where lawful and appropriately safeguarded.

Where POPIA section 71 or GDPR Article 22 applies, the Company will provide additional notice and safeguards, which may include human review, an opportunity to contest the outcome, or reasonable explanations of the decision logic where required by law.

12. Sharing and disclosure

The Company may disclose personal information only to the extent reasonably necessary and lawful.

  • Between users of the Platform where required to perform the service, such as sharing a rider’s first name and pickup details with a driver, or a driver’s name, vehicle details, and live trip status with a rider.
  • With payment processors, banks, payout providers, fraud vendors, cloud hosting providers, identity-verification vendors, communications providers, mapping or navigation providers, customer support vendors, analytics vendors, and other operators or processors.
  • With merchants, fleet operators, logistics providers, and affiliated entities where necessary to fulfil a request or manage a business relationship.
  • With insurers, legal advisers, auditors, and professional advisers where reasonably necessary.
  • With regulators, law-enforcement agencies, courts, supervisory authorities, tax authorities, and other competent bodies where required or permitted by law.
  • With a purchaser, investor, merger partner, or successor entity in connection with a merger, restructuring, acquisition, financing, or sale of all or part of the business, subject to appropriate confidentiality and legal safeguards.

Where another person processes personal information on behalf of the Company, the Company will seek to use operators/processors bound by appropriate contractual and security obligations, consistent with POPIA section 21 and GDPR Article 28 where applicable.

13. International and cross-border transfers

The Platform may use cloud infrastructure or service providers located outside South Africa. Personal information may therefore be stored in, accessed from, or transferred to other countries.

Under POPIA section 72, personal information may be transferred outside the Republic only where the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection, or where another lawful basis in section 72 applies. Where GDPR applies, transfers outside the EEA will be made only under a valid transfer mechanism, such as an adequacy decision, standard contractual clauses, binding corporate rules, or another lawful derogation under Articles 44–49.

The Company may implement transfer safeguards including contractual clauses, due diligence, access controls, encryption, vendor governance, and transfer impact assessments where appropriate.

14. Security safeguards

In accordance with POPIA sections 19–22 and GDPR Article 32, the Company will take appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal information.

  • role-based access controls and least-privilege permissions;
  • authentication and credential-management controls;
  • encryption in transit and where appropriate at rest;
  • logging, monitoring, and fraud-prevention controls;
  • secure development, patching, and vulnerability management;
  • vendor due diligence and contractual security obligations;
  • back-up, disaster recovery, and continuity measures;
  • incident response, escalation, and remediation procedures.

Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the Company will comply with applicable breach-notification obligations, including section 22 of POPIA and, where applicable, Articles 33 and 34 of the GDPR.

15. Retention and record restriction

Under POPIA section 14 and GDPR Article 5(1)(e), personal information should not be retained longer than necessary for achieving a lawful purpose, unless retention is required or authorised by law, reasonably required for lawful purposes related to the functions or activities of the Company, required by contract, or the data subject has consented to longer retention.

The Company may retain personal information for different periods depending on the category of data and the applicable purpose, including accounting, legal, tax, fraud, safety, insurance, dispute, and audit requirements. When retention is no longer justified, the Company will securely delete, anonymise, de-identify, or restrict the record as appropriate.

16. Data subject rights

Subject to applicable law and any lawful exceptions, data subjects may have the following rights.

  • to be notified that personal information is being collected and, where applicable, that it has been unlawfully accessed or acquired;
  • to request confirmation of whether the Company holds personal information about them;
  • to request access to personal information held by the Company;
  • to request correction, deletion, or destruction of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, unlawfully obtained, or no longer authorised to be retained;
  • to object, on reasonable grounds relating to their particular situation, to processing based on legitimate interests, and to object at any time to direct marketing;
  • to withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing;
  • where GDPR applies, to request data portability and restriction of processing in appropriate cases;
  • where GDPR applies, to lodge a complaint with a supervisory authority.

POPIA data-subject participation rights are reflected principally in sections 23–25, read with the rights framework in section 5. Under GDPR, the principal rights provisions include Articles 15 to 21.

Requests may be submitted to the Company using the contact details below. The Company may require reasonable proof of identity before acting on a request and may refuse or limit a request where a lawful exemption or statutory ground applies.

17. Cookies, SDKs, tracking technologies, and mobile permissions

The Platform may use cookies, software development kits (SDKs), pixels, device identifiers, APIs, and similar technologies for authentication, fraud prevention, analytics, crash reporting, customer support, attribution, and lawful advertising or campaign measurement.

Depending on the features offered, the app may request access to permissions such as precise location, background location, camera, microphone, photos or media, contacts, Bluetooth, and notifications. The Company should request only those permissions reasonably necessary for the relevant functionality and should describe them accurately in the app and on the store listing.

Where consent is legally required for non-essential tracking or similar technologies, the Company should obtain that consent and provide appropriate preference controls.

18. Third-party services

The Platform may integrate with third-party services such as payment gateways, cloud hosting providers, mapping vendors, messaging vendors, analytics providers, identity-verification providers, customer support providers, ad-tech providers, and other specialist vendors. The Company remains responsible for its own disclosures and for ensuring, to the extent required by law, that operators/processors are bound by suitable data-protection obligations.

Users should note that third-party services may have their own privacy notices and terms, particularly where the user interacts directly with such third-party service outside the Platform’s controlled environment.

19. Complaints and regulatory contact

A data subject who believes that the Company has processed personal information unlawfully may contact the Company first so that the matter can be investigated and, where possible, resolved.

A data subject may also lodge a complaint with the Information Regulator of South Africa, which is established under section 39 of POPIA. Where GDPR applies, a data subject may also lodge a complaint with the supervisory authority in the EEA or UK having competence under applicable law.

20. Contact details

All privacy requests, objections, access requests, deletion requests, and complaints should be addressed to:

Attention: Information Officer / Privacy Office
Email: support@diamondinformationsystems.com
Physical address: 17 Logan Avenue, Bryanston West, 2191 Sandton, Johannesburg, South Africa
Telephone: +27 78 385 6813

21. Changes to this Policy

The Company may amend this Privacy Policy from time to time. The latest version will be published on the Company website and, where appropriate, made available within the app. Material changes may also be communicated through in-app notices, email, or other appropriate channels.