Privacy Policy

1. Who We Are

Kliya Fleet Ltd. is a Sierra Leone–registered technology company operating under the Kliya Group SL brand. We provide GPS fleet tracking and fleet intelligence services to organisations operating in Sierra Leone and the West African region. Our platform, mobile application, and backend infrastructure are operated under the domain kliyagroup.com.

Data controller contact: ops@kliyagroup.com

2. What Data We Collect

We collect the following categories of data through the platform and mobile application:

• Vehicle telemetry: GPS position, speed, heading, engine on/off events, fuel levels, CAN bus data (RPM, temperature, odometer), and geofence events. This data is collected continuously from hardware devices installed in your vehicles.
• Driver data: Name, phone number, licence number, assigned vehicle, behaviour scores derived from telematics events. Driver photos if uploaded by the client administrator.
• Account data: Name, email address, role, login timestamps, and password credentials (stored as a hashed token in Traccar; we do not store plaintext passwords).
• Incident reports: Category, description, location coordinates, and status updates submitted by drivers or managers.
• Usage data: Daily active device counts, platform access logs, alert event history.

3. How We Use Your Data

• To provide real-time and historical fleet tracking services as contracted.
• To send alert notifications (email, SMS, WhatsApp) based on rules you configure.
• To generate reports, utilisation summaries, and driver behaviour analytics.
• To calculate monthly billing based on active device count.
• To send service communications (account activation, password reset, maintenance notifications).
• To comply with lawful requests from Sierra Leone regulatory authorities.

We do not sell, rent, or share your data with third parties for marketing purposes.

4. Data Storage & Infrastructure

Your data is processed and stored on the following infrastructure:

• Primary server: DigitalOcean droplet in the Frankfurt, Germany data centre (ISO 27001 certified). This is where the Kliya Fleet platform, Traccar tracking server, and BFF API run.
• Database: DigitalOcean Managed PostgreSQL (Frankfurt). Configuration, user records, and alert history are stored here.
• Authentication database: Supabase (AWS eu-west-1, Ireland). User roles, tenant configuration, and audit logs.
• Notification services: Resend (email, EU infrastructure), Africa's Talking (SMS, Nairobi), Meta Cloud API (WhatsApp Business).

All data transmitted between your browser/app and our servers is encrypted using TLS 1.2+. Data at rest is encrypted by DigitalOcean and Supabase using AES-256.

5. Data Retention

• Vehicle position history: 12 months rolling, then deleted from Traccar.
• Alert event logs: 24 months.
• Incident reports: Duration of contract + 12 months.
• Account records: Duration of contract + 30 days after termination.
• Billing records: 7 years (statutory requirement).

6. Your Rights

As a client or data subject you have the right to:

• Access: Request an export of all data we hold about you or your fleet.
• Correction: Request correction of inaccurate personal data.
• Deletion: Request deletion of your data, subject to legal retention obligations.
• Portability: Receive your data in a machine-readable format (CSV/JSON).
• Objection: Object to specific processing activities.

To exercise these rights, contact ops@kliyagroup.com with "Data Request" in the subject line. We will respond within 30 days.

7. Cookies & Tracking

The Kliya Fleet web dashboard uses the following cookies:

• Session token (kliya_jwt): Stores your authenticated session. Essential for platform operation. Expires on logout or after 7 days.
• CSRF token: Prevents cross-site request forgery. Session-scoped.
• Map tile preference (kliya_tile): Remembers your last selected map style. Persistent, first-party.

The public landing page uses Google Analytics 4 to understand anonymous visitor behaviour (page views, session duration, referral source). No personally identifiable information is collected through analytics. You may opt out using browser-level ad blocking or the Google Analytics opt-out extension.

8. Third-Party Integrations

The platform integrates with the following third-party services. Each has its own privacy policy:

• Traccar (open-source, self-hosted on our server — no third-party data sharing)
• DigitalOcean — privacy policy
• Supabase — privacy policy
• Resend (email) — privacy policy
• Africa's Talking (SMS) — privacy policy
• Meta / WhatsApp Business API — privacy policy
• Expo (mobile push notifications) — privacy policy

9. Security

We implement the following security controls:

• TLS encryption on all endpoints; HSTS enforced.
• JWT authentication with short-lived tokens (7 days) and refresh token rotation.
• Brute-force login lockout (5 attempts, 15-minute cooldown).
• Rate limiting on all API endpoints.
• Role-based access control: admin, manager, supervisor, driver roles with distinct permissions.
• No public access to Traccar admin interface (restricted to server-local access only).
• Audit log of all configuration changes made to alert rules, geofences, and user accounts.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected clients within 72 hours of becoming aware of the breach, in accordance with applicable data protection law.

11. Changes to This Policy

We may update this policy from time to time. The updated version will be posted at this URL with a revised "last updated" date. We will notify active clients of material changes by email.