Ayilar Ltd Privacy Policy

An overview of data protection.

AYILAR CAR RENTALS – Privacy & Data Protection Policy


Effective Date: 15/01/2023


1. Identity & Contact Information


Ayilar (referred to as “we”, “us”, “our”) is the data controller. For questions or requests, contact our Data Protection Officer (DPO) at: 

Email: privacy@ayilar.net

Phone: +254 720520120

You may also lodge complaints with the Office of the Data Protection Commissioner (ODPC).


2. Categories of Personal Data Collected


We collect only the data necessary for booking and service delivery, for example:

    Identity (full name, ID/passport)

    Contact details (phone number, email)

    Payment information (e.g. M-PESA or card details via secure gateway)

    Driver’s licence (if you are driving)

    Journey details (pickup/drop-off, location, dates)

    Occasionally vehicle satisfaction feedback (optional)

We do not collect excessive or unrelated data and avoid sensitive categories unless strictly necessary.


3. Purpose & Legal Basis for Processing


We process your personal data for:

    Booking confirmation and payment processing (contractual necessity)

    Identification & security checks (legal obligation and protection interest)

    Customer support, communication, and service delivery (legitimate interests)

    Marketing communications, where you have explicitly consented (freely given consent)

If you withdraw consent, we cease marketing-related processing immediately, unless another lawful basis applies.


4. Consent & Its Withdrawal


    Consent is explicit, specific, freely given, and informed

    Withdrawing consent is easy: email us at the DPO address or click “unsubscribe”. This does not affect other lawful processing.


5. Data Sharing & Third Parties


We do not sell your data or share it with spammers or undisclosed third parties. However, we may share it with:

    Payment processors (e.g. M-PESA or bank gateways)

    Insurance providers (only when needed for coverage during rental)

    Vehicle maintenance/service partners (in minimal form, like vehicle ID, not your personal details)

If any international transfer is required (e.g. off-shore payment gateway support), we ensure either:

    Proof of adequate safeguards, or

    Your explicit consent


6. Data Retention & Storage

We keep data only for as long as needed:

    Booking operational data: up to 2 years for compliance and service improvement

    Billing and financial records: typically 5 to 7 years per tax regulations

    Once the retention period lapses, we securely erase or anonymise your data


7. Security Measures

We implement technical and organizational safeguards to protect your data:

    Encryption in transit and at rest (SSL/TLS protocols)

    Access controls and password/MFA protections

    Regular audits, employee training, and vulnerability assessments

    Secure backup procedures and physical security of storage 


8. Your Rights as a Data Subject

Under the Data Protection Act you have the right to:

    Access your personal data

    Correct inaccurate or incomplete data

    Erase/de-identify data where processing is no longer necessary

    Object to certain processing (e.g. marketing)

    Portability: receive your data in machine-readable form

    Not be subject to automated decisions without human oversight 

Requests are free of charge, except that fees are allowed for data portability requests. We respond promptly.


9. Data Breach Notification


In case of a personal data breach:

    We will notify the ODPC and affected individuals within 72 hours of awareness (where risk exists) 

    We will also document the incident, mitigation efforts, and future prevention steps.


10. Children & Vulnerable Groups


Ayilar does not knowingly collect data from minors (<18) without guardian consent. If data from a child is collected unintentionally, we will either delete it promptly or seek valid parental consent.


11. Complaints Mechanism


Should you have concerns or complaints, reach out to our DPO.

If unresolved, you may lodge a complaint with the ODPC, which oversees enforcement in Kenya.


12. Registration & Accountability

Ayilar is registered as a data controller with the ODPC and acknowledges liability for processing and compliance. We also establish Data Processing Agreements with any third-party processors we engage.


13. Policy Updates & Review

This policy is reviewed at least annually or when our practices change.

We notify you of material updates via email or notices on our website.