Privacy Policy

CarKro ("we", "us", "our") operates a ride-hailing and mobility platform connecting drivers and riders across Pakistan. This Privacy Policy explains how we collect, use, store, and protect personal information when you use the CarKro mobile application, web portal, or any related services.

By registering or using CarKro, you agree to the collection and use of information as described in this Policy. If you do not agree, please discontinue use of our services.

We collect information in several ways depending on how you interact with CarKro:

We use your information to provide, improve, and secure our platform. Specific uses include:

CarKro does not sell your personal data. We share data only in the following limited circumstances:

• Between Riders and Drivers: During an active ride, drivers see the rider's pickup location and first name. Riders see the driver's name, vehicle details, rating, and real-time location. Phone numbers are masked via our in-app calling feature.
• Payment Processors: Payment gateway partners (JazzCash, EasyPaisa, NayaPay, SadaPay, Stripe) receive transaction data necessary to process payments. These partners maintain their own privacy policies.
• Emergency Services: In an SOS event, anonymised location data may be shared with Pakistan emergency services (e.g., PSCA Punjab Safe Cities Authority).
• Legal Compliance: We may disclose information when required by Pakistani law, court order, or lawful government authority.
• Business Transfers: In the event of a merger or acquisition, user data may transfer to the successor entity subject to the same privacy commitments.
• Service Providers: Trusted third-party vendors (cloud hosting, push notification services, SMS providers) who process data solely on our behalf under data processing agreements.

Location is central to CarKro's service. Here is how we handle it:

• Riders: Location is accessed only when the app is open and you are booking or tracking a ride. We do not track rider location in the background.
• Drivers (Active Session): Real-time GPS is collected continuously while you are online or in an active ride to enable matching, ETA calculation, and safety monitoring. Location updates are sent every 5–15 seconds depending on battery level.
• Drivers (Offline): When you go offline, location tracking stops immediately.
• Heatmaps: Aggregate anonymised location data is used to generate demand heatmaps shown to drivers. No individual is identifiable in these heatmaps.
• Retention: Raw GPS logs are retained for 90 days for dispute resolution, then permanently deleted.

CarKro processes subscription fees for drivers via integrated payment gateways. We apply the following safeguards:

• Payment card numbers are never stored on CarKro servers. All card data is tokenised by the payment processor.
• Bank account and mobile wallet identifiers are encrypted at rest using AES-256 encryption.
• Transaction records (amount, date, subscription tier) are retained for 7 years for accounting and regulatory compliance.
• All payment API communications occur over TLS 1.3 encrypted connections.

CarKro uses Google Firebase Cloud Messaging (FCM) to deliver push notifications including ride requests, OTP codes, safety alerts, and promotional campaigns.

• Your FCM token is collected upon app installation and stored securely in our database.
• FCM tokens are rotated automatically by Firebase and updated in our system to ensure delivery.
• You may disable push notifications in your device settings. Critical safety notifications (SOS alerts) cannot be individually disabled.
• WhatsApp messages may be sent via opt-in for ride receipts and promotional campaigns. You may opt out at any time by messaging "STOP" to the CarKro WhatsApp number.

You have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Update inaccurate or incomplete information via your profile settings or by contacting support.
• Deletion: Request deletion of your account and associated data. We will comply within 30 days, subject to legal retention requirements.
• Portability: Request your ride history and account data in a machine-readable format (JSON/CSV).
• Withdraw Consent: Withdraw consent for optional data processing (e.g., marketing communications) at any time.
• Object: Object to processing of your data for certain purposes, including direct marketing.

To exercise any of these rights, contact privacy@carkro.com. We will respond within 30 days.

CarKro implements industry-standard security measures to protect your data:

• All data in transit is encrypted using TLS 1.3.
• Sensitive data at rest is encrypted with AES-256.
• Access to production systems is restricted to authorised personnel with multi-factor authentication.
• Regular security audits and vulnerability assessments are conducted.
• An automated fraud detection system monitors for suspicious account activity.
• Incident response procedures are in place; affected users will be notified within 72 hours of a confirmed data breach.

CarKro services are intended for users aged 18 and above. We do not knowingly collect personal information from individuals under 18. The School Rides feature ("Guardian" accounts) allows parents or guardians to manage rides for minors — the guardian's data is collected, not the child's.

If we become aware that a person under 18 has registered without guardian consent, we will promptly delete their account. To report such a case, contact privacy@carkro.com.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notification and/or email at least 14 days before the changes take effect. Continued use of CarKro after the effective date constitutes acceptance of the updated Policy.

The version history of this Policy is available upon request from our Data Protection Officer.

For privacy-related enquiries, data subject requests, or to reach our Data Protection Officer: