1. About This Policy
This Privacy Policy applies to all users of the CarDuka platform, including the CarDuka website (carduka.com), the CarDuka mobile applications on iOS and Android, and any other digital interface through which CarDuka is accessed (collectively, the “Platform”).
CarDuka is part of the Duka Marketplaces Ecosystem, which also includes PropertyDuka and AuctionsDuka, all operated by NCBA Leasing LLP. Where you access other Duka Marketplace platforms, the privacy policy of that specific platform will also apply.
This Policy should be read alongside our Terms and Conditions and Cookie Policy, which are available on the Platform.
2. Who We Are
CarDuka is operated by NCBA Leasing LLP, the entity responsible for the Duka Marketplaces Ecosystem.
Data Controller: NCBA Leasing LLP
Registered Office: NCBA House, Masaba Road, Upper Hill, P.O. Box 44599-00100, Nairobi, Kenya
As the Data Controller, NCBA Leasing LLP determines the purposes and means of processing your personal data collected through this Platform, as defined under the Data Protection Act, 2019 (No. 24 of 2019) of Kenya.
3. Legal Framework
This Privacy Policy is governed by and compliant with the following laws and regulations:
- (a) The Data Protection Act, 2019 (No. 24 of 2019) of Kenya;
- (b) The Data Protection (General) Regulations, 2021;
- (c) The Data Protection (Complaints Handling Procedures and Enforcement) Regulations, 2021;
- (d) The Computer Misuse and Cybercrimes Act, 2018; and
- (e) Any guidelines or orders issued by the Office of the Data Protection Commissioner (ODPC) from time to time.
Where CarDuka processes data in connection with NCBA financial products, such processing is additionally governed by the Central Bank of Kenya's Prudential Guidelines on data and consumer protection.
4. What Personal Data We Collect
We collect personal data in the following categories, depending on how you use the Platform:
4.1 Identity and Verification Data
- (a) Full name, date of birth, gender;
- (b) National ID number or passport number;
- (c) KRA Personal Identification Number (PIN);
- (d) Selfie or photograph used for identity verification; and
- (e) For Dealers and corporate users: Certificate of Incorporation, business registration number, and KRA PIN certificate.
4.2 Contact Data
- (a) Email address;
- (b) Mobile phone number; and
- (c) Physical or postal address.
4.3 Financial Data
- (a) Bank account details and M-PESA details (for payments and disbursements);
- (b) Payment history and transaction records on the Platform;
- (c) Credit assessment data where you apply for an NCBA Bank financial product, and insurance or lease application data where applicable; and
- (d) Financing, insurance, lease, logbook loan, insurance premium financing, and dealership financing application information.
4.4 Vehicle and Transaction Data
- (a) Vehicle listing details including make, model, year, mileage, photographs, and VIN/chassis number;
- (b) Bid history, offer history, and purchase records;
- (c) Trade-in submissions and valuations; and
- (d) Financing, insurance, lease, and dealership financing applications submitted through the Platform.
4.5 Location Data
- (a) GPS-derived location data, collected actively while you are using the CarDuka mobile application, with your permission; and
- (b) IP address-based approximate location, collected passively when you access the Platform.
Location data is used to show you relevant listings near you, display dealer locations, and improve AI-powered recommendations. You can withdraw GPS permission at any time through your device settings.
4.6 Device and Technical Data
- (a) IP address;
- (b) Device type, operating system, and version;
- (c) Browser type and version;
- (d) Device identifiers (e.g. advertising ID, device ID);
- (e) App version and crash logs; and
- (f) Cookie data and similar tracking technologies.
4.7 Behavioural and Analytics Data
- (a) Pages viewed, listings clicked, searches performed, and time spent on the Platform;
- (b) Features used and user journey data;
- (c) AI chatbot interaction logs; and
- (d) Ratings and reviews you submit.
4.8 Communication Data
- (a) Messages exchanged between Users through the Platform's messaging features;
- (b) Support queries submitted to our helpdesk;
- (c) Responses to surveys or feedback forms; and
- (d) Records of marketing communications sent to you and your responses.
4.9 Data We Do Not Collect
We do not intentionally collect Sensitive Personal Data — including data relating to race, health conditions, ethnic origin, religion, genetic data, or sexual orientation — unless you voluntarily provide it. If you believe we have inadvertently collected such data, contact us at hello@carduka.com.
5. How We Collect Your Data
5.1 Directly From You
- (a) When you register and create an Account on the Platform;
- (b) When you submit a vehicle listing, bid, offer, or trade-in request;
- (c) When you apply for any NCBA financial product or service through the Platform;
- (d) When you contact our support team or submit a complaint;
- (e) When you complete your profile or verification process; and
- (f) When you respond to surveys, promotions, or marketing communications.
5.2 Automatically
- (a) Through cookies and tracking technologies when you browse the Platform (see Section 11);
- (b) Through Google Analytics and Firebase, which collect usage and behavioural data;
- (c) Through GPS and IP-based location services when you use the mobile application; and
- (d) Through application crash and performance logs.
5.3 From Third Parties
- (a) From the Integrated Population Registration System (IPRS), to verify your National ID number and registered phone number;
- (b) From M-PESA and other payment processors, to confirm payment status and transaction details;
- (c) From NCBA Bank Kenya PLC, NCBA Bancassurance, or NCBA Leasing LLP, where you have applied for a financial product; and
- (d) From other Duka Marketplace platforms, where you have consented to cross-platform data sharing.
6. How We Use Your Data
We use your personal data for the following purposes, each supported by a lawful basis under Section 30 of the Data Protection Act, 2019:
6.1 To Provide Platform Services (Lawful Basis: Contract)
- (a) Creating and managing your Account;
- (b) Verifying your identity through IPRS integration;
- (c) Publishing, managing, and moderating your vehicle listings;
- (d) Facilitating transactions between Buyers and Sellers;
- (e) Processing payments and disbursements; and
- (f) Providing customer support and referring Users to NCBA financial products through the CarDuka Financial Services Hub.
6.2 To Facilitate NCBA Financial Products (Lawful Basis: Contract / Consent)
- (a) Sharing your identity, contact, and financial data with the relevant NCBA entity when you apply for an NCBA financial product;
- (b) Displaying indicative financing, lease, and insurance estimates on Listings; and
- (c) Tracking the status of your financial product application within the Platform.
6.3 To Verify Identity and Prevent Fraud (Lawful Basis: Legal Obligation / Legitimate Interest)
- (a) Validating National ID numbers and phone numbers through IPRS;
- (b) Detecting and preventing fraudulent listings, shill bidding, and account abuse;
- (c) Complying with Anti-Money Laundering (AML) obligations; and
- (d) Reporting suspicious activity to the Financial Reporting Centre (FRC) and relevant authorities where required by law.
6.4 To Improve the Platform (Lawful Basis: Legitimate Interest)
- (a) Analysing usage patterns through Google Analytics and Firebase;
- (b) Running A/B tests and performance monitoring;
- (c) Training and improving our AI and machine learning models using aggregated and anonymised platform data; and
- (d) Generating internal analytics and business intelligence reports.
Where we use your data to train or improve AI models, we use aggregated and anonymised data wherever possible. Where identifiable data is used, it is subject to strict access controls and is not shared externally for this purpose.
6.5 To Power AI Features (Lawful Basis: Contract / Legitimate Interest)
- (a) Generating personalised vehicle recommendations based on your browsing history, search behaviour, and profile;
- (b) Providing AI-generated car reviews and pricing guidance; and
- (c) Operating the AI chatbot assistant.
Where AI features are powered by third-party providers, your data is processed under data processing agreements that restrict use to the stated purpose.
6.6 For Marketing Communications (Lawful Basis: Consent)
- (a) Sending you promotional emails and SMS messages about new listings, platform features, and CarDuka news, where you have given consent; and
- (b) Personalising marketing content based on your preferences.
You may withdraw your consent at any time by clicking "Unsubscribe" in any email, replying "STOP" to any SMS, or updating your Account settings.
6.7 For Legal and Regulatory Compliance (Lawful Basis: Legal Obligation)
- (a) Retaining records as required under the Income Tax Act, VAT Act, and Central Bank of Kenya regulations;
- (b) Responding to lawful requests from courts, regulators, law enforcement, NTSA, or KRA; and
- (c) Defending legal claims or enforcing our rights under the Terms and Conditions.
7. Who We Share Your Data With
We do not sell your personal data to third parties. We share your data only in the following circumstances:
7.1 NCBA Financial Product Entities
Where you apply for an NCBA financial product, we share your identity, contact, and financial data with NCBA Bank Kenya PLC, NCBA Bancassurance, or NCBA Leasing LLP, as applicable.
7.2 Government Verification Bodies
We share the minimum necessary data with IPRS for the sole purpose of verifying your National ID number and registered phone number.
7.3 Payment Processors
We share payment-related data with M-PESA (Safaricom) and other approved payment processors to facilitate transactions on the Platform.
7.4 Cloud Hosting and Infrastructure Providers
Our cloud hosting provider(s) process your data under data processing agreements. At least one serving copy of your data is stored on servers located in Kenya at all times.
7.5 SMS and Email Communication Providers
We use third-party providers to deliver SMS and marketing emails on our behalf. These providers are prohibited from using your contact data for their own marketing purposes.
7.6 Analytics and AI Providers
We share usage and behavioural data with Google Analytics and Firebase. Where third-party AI providers process your data, they do so under data processing agreements restricting use to the stated purpose.
7.7 Other Duka Marketplace Platforms
Where you have consented to cross-platform data sharing, your profile information, verification status, and trust scores may be shared with PropertyDuka and AuctionsDuka. You can manage or withdraw this consent in your Account settings.
7.8 Law Enforcement and Regulators
We may disclose your personal data to law enforcement authorities, the Financial Reporting Centre, NTSA, KRA, or the Office of the Data Protection Commissioner where required by law.
7.9 Google AdSense (Advertising)
CarDuka displays advertisements through Google AdSense in contextual-only mode — ads are matched to page content and do not involve profiling or use of personal data to target individual users. Personalised advertising is not currently enabled.
7.10 Business Transfers
If NCBA Leasing LLP or the CarDuka platform undergoes a merger, acquisition, or sale of assets, your personal data may be transferred to the successor entity. You will be notified of any such transfer.
8. Cross-Border Data Transfers
CarDuka is primarily operated from Kenya. Your personal data may be transferred to and processed in countries outside Kenya through the use of cloud hosting, Google Analytics, Firebase, and third-party providers. Where such transfers occur, we ensure adequate safeguards are in place as required by Section 48 of the Data Protection Act, 2019, including:
- (a) Data processing agreements requiring equivalent data protection standards;
- (b) Transfer only to countries recognised as providing adequate protection by the ODPC; or
- (c) Standard contractual clauses approved by the Office of the Data Protection Commissioner.
We ensure that at least one serving copy of your personal data is stored on a server located in Kenya at all times, in accordance with Section 48(3) of the Data Protection Act, 2019.
9. How Long We Keep Your Data
We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account and identity data | Duration of account + 7 years | Regulatory and AML obligations |
| Transaction records | 7 years from transaction date | Tax law (Income Tax Act, VAT Act) |
| Financial product applications | 7 years | CBK Prudential Guidelines |
| Vehicle listing data | 2 years after listing expires or is removed | Platform integrity and dispute resolution |
| Communication and support records | 3 years | Dispute resolution and legal claims |
| Marketing consent records | Until consent is withdrawn + 3 years | Proof of consent under DPA 2019 |
| Analytics and behavioural data | 26 months (Google Analytics default) | Platform improvement |
| Crash and technical logs | 12 months | Security and performance monitoring |
| IPRS verification records | Duration of account | Identity verification integrity |
10. Your Rights
Under Sections 26–35 of the Data Protection Act, 2019, you have the following rights in respect of your personal data:
10.1 Right of Access
You have the right to request a copy of the personal data we hold about you, including information on how it is used, who it has been shared with, and how long it will be retained. We will respond within thirty (30) days of receiving a valid request.
10.2 Right to Rectification
You have the right to request correction of any inaccurate or incomplete personal data. You may update most of your profile information directly through your Account settings. For data that cannot be self-corrected, contact hello@carduka.com.
10.3 Right to Erasure
You have the right to request deletion of your personal data where the data is no longer necessary, you withdraw consent, you object to processing, or the data has been unlawfully processed. Certain data may be retained where required by law.
10.4 Right to Restrict Processing
You have the right to request that we limit the processing of your personal data in certain circumstances.
10.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Contact hello@carduka.com or dpo@ncbagroup.com to make a portability request.
10.6 Right to Object
You have the right to object to processing based on legitimate interests, or to processing for direct marketing purposes at any time without providing any reason.
10.7 Rights Related to Automated Decision-Making
Where CarDuka makes decisions through automated processing — including AI-powered recommendations, credit pre-assessments, or trust scoring — you have the right to request human review. Contact hello@carduka.com; we will respond within fourteen (14) working days.
10.8 How to Exercise Your Rights
We will acknowledge your request within three (3) working days and provide a substantive response within thirty (30) days. If dissatisfied, you may lodge a complaint with the Office of the Data Protection Commissioner at odpc.go.ke.
11. Cookies and Tracking Technologies
CarDuka uses cookies and similar tracking technologies on the Platform. We use the following types of cookies:
- (a) Strictly Necessary Cookies: required for the Platform to function, including session management and security. These cannot be disabled.
- (b) Analytics Cookies: used through Google Analytics and Firebase. Enabled by default but can be disabled through your cookie preferences.
- (c) Functional Cookies: used to remember your preferences, such as saved searches and recently viewed listings.
- (d) Marketing and Targeting Cookies: used to deliver personalised advertisements and measure marketing campaign effectiveness. These require your consent.
You can manage your cookie preferences at any time through the cookie preference centre on the Platform or through your browser settings.
12. How We Protect Your Data
We implement and maintain appropriate technical and organisational measures to protect your personal data, including:
- (a) Encryption of data in transit using Transport Layer Security (TLS) and encryption of data at rest;
- (b) Role-based access controls limiting access to authorised personnel;
- (c) Multi-factor authentication for platform administrator access;
- (d) Regular security audits and penetration testing;
- (e) Staff training on data protection and information security;
- (f) Incident response procedures for detecting, reporting, and managing personal data breaches; and
- (g) Banking-grade security standards applied across the Duka Marketplaces Ecosystem.
While we take all reasonable precautions, no digital platform can guarantee absolute security. If you suspect that your Account has been compromised, contact us immediately at hello@carduka.com.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- (a) Notify the Office of the Data Protection Commissioner within seventy-two (72) hours of becoming aware of the breach, in accordance with Section 43 of the Data Protection Act, 2019;
- (b) Notify affected users in writing within a reasonably practicable period, where the breach poses a high risk to their rights and freedoms; and
- (c) Include in our notification: a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address the breach.
If you believe your data has been compromised, please contact hello@carduka.com or dpo@ncbagroup.com immediately.
14. Children's Privacy
CarDuka is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an Account or submitted personal data to us, please contact us at hello@carduka.com and we will take prompt action to delete the relevant data.
15. Third-Party Links and Services
The Platform contains links to third-party websites and services, including:
- (a) The NTSA eCitizen portal for vehicle ownership verification;
- (b) Japanese mileage verification services; and
- (c) NCBA Bank Kenya PLC, NCBA Bancassurance, and NCBA Leasing LLP product application portals.
Once you leave the CarDuka Platform and access a third-party service, that service's own privacy policy applies. We encourage you to read their policies before providing any personal data.
16. Marketing Communications
With your consent, we will send you promotional emails and SMS messages about CarDuka, including new listings matching your preferences, platform updates, special offers, and automotive news.
You can withdraw your consent to marketing communications at any time by:
- (a) Clicking "Unsubscribe" in any marketing email;
- (b) Replying "STOP" to any marketing SMS;
- (c) Updating your communication preferences in Account Settings > Notifications; or
- (d) Contacting us at hello@carduka.com.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- (a) Notify you through the Platform or by email at least fourteen (14) days before the changes take effect;
- (b) Update the "Effective Date" and "Version" number at the top of this Policy; and
- (c) Where required by law, seek your consent before applying material changes to how we process your data.
We encourage you to review this Privacy Policy periodically. Continued use of the Platform after the effective date of any update constitutes acceptance of the revised Policy.