Up to date · GDPR compliant

Privacy Policy

How we collect, use, and protect your personal data when you use our platform and services.

Version 1.0

Effective June 6, 2026

Updated June 6, 2026

01

Data Controller

The data controller responsible for your personal data is:

Kooli | Email: privacy@kooli.app

If you have any questions about how we process your data, or wish to exercise any of your rights, please contact us at the address above.

02

Data We Collect

We collect and process the following categories of personal data:

Account and Identity Data

  • Full name, email address, and password (hashed) provided at registration.
  • Profile information such as a profile photo (optional) and country of residence.
  • Account identifiers and reference numbers assigned by Kooli.

Trip and Booking Data

  • Trip details: departure and arrival cities, dates and times, available weight, price per kg.
  • Booking details: package description, weight, and associated trip reference.
  • Trip and booking status history and timestamps.

Communication Data

  • Messages exchanged between users via the in-app chat feature.
  • Chat metadata: participants, timestamps, read receipts, and chat status.

Device and Technical Data

  • Device identifiers and Firebase Cloud Messaging (FCM) tokens for push notifications.
  • App version, operating system, and platform (Android or iOS).
  • Log data including IP addresses, access times, and error reports.

Ratings and Reviews

  • Ratings and written feedback submitted by users following completed trips or bookings.

Usage Data

  • Information about how you interact with the Platform, including screens visited, features used, and session duration.

03

How We Use Your Data

We process your personal data for the following purposes and on the following legal bases:

Performance of a Contract (Art. 6(1)(b) GDPR)

  • Creating and managing your Kooli account.
  • Facilitating Trip publication, discovery, and Booking management.
  • Enabling in-app messaging between Travelers and Senders.
  • Sending transactional notifications (booking status, trip status, cancellation alerts).

Legitimate Interests (Art. 6(1)(f) GDPR)

  • Improving and securing the Platform through analysis of usage patterns and error logs.
  • Detecting and preventing fraud, abuse, and prohibited activity.
  • Maintaining and displaying user ratings to promote trust and safety.
  • Delivering push notifications via FCM for time-sensitive booking and trip updates.

Compliance with Legal Obligations (Art. 6(1)(c) GDPR)

  • Retaining records as required by applicable law.
  • Responding to lawful requests from law enforcement or regulatory authorities.

Consent (Art. 6(1)(a) GDPR)

  • Sending marketing or promotional communications, where you have opted in.
  • Processing any sensitive data categories you voluntarily provide.

04

Push Notifications and FCM Tokens

Kooli uses Firebase Cloud Messaging (FCM), a service provided by Google LLC, to deliver push notifications to your device. To do so, we store FCM tokens associated with your account.

We request permission to send push notifications contextually — for example, after you publish a Trip or submit a Booking — not automatically on app launch.

You may withdraw notification permission at any time through your device settings. Withdrawing permission does not affect your ability to use the Platform.

FCM tokens are stored securely in our database and are updated automatically when your device generates a new token. Old tokens are replaced to prevent stale delivery attempts.

05

Data Sharing and Disclosure

We do not sell your personal data. We share data only in the following limited circumstances:

With Other Users

Your display name, profile photo, trip details, and ratings are visible to other users of the Platform as necessary to facilitate matchmaking.

With Service Providers

We share data with trusted third-party providers who assist in operating the Platform, including Google Firebase / FCM (push notification delivery), cloud infrastructure providers (hosting and data storage), and email delivery services (transactional emails). All service providers are bound by data processing agreements and may only process your data on our instructions.

For Legal Reasons

We may disclose your data to law enforcement, regulatory bodies, or courts where required by applicable law or to protect the rights, property, or safety of Kooli, our users, or the public.

Business Transfers

If Kooli is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will notify you in advance of any such transfer.

06

International Data Transfers

Kooli operates along African diaspora corridors and our users and infrastructure may be located in multiple countries, including within the European Economic Area (EEA), Africa, and North America.

Where we transfer your personal data outside the EEA to countries without an adequacy decision, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

Transfers to Google LLC (Firebase / FCM) are covered by Google's Standard Contractual Clauses and adequacy decisions where applicable.

For users in countries with national data protection frameworks (including Nigeria's NDPR, Kenya's Data Protection Act, and similar legislation in other African jurisdictions), we process your data in compliance with applicable local requirements.

07

Data Retention

We retain your personal data for as long as your account is active, or as long as necessary to provide our services and comply with legal obligations.

  • Account data: Retained for the duration of your account and deleted within 30 days of account deletion, subject to legal retention requirements.
  • Trip and Booking records: Retained for a minimum of 5 years for legal compliance purposes, even after account deletion.
  • Chat messages: Retained for 12 months from the date of the associated chat closure.
  • Log data: Retained for up to 90 days.
  • FCM tokens: Retained while associated with an active account; deleted on account closure.

When data is no longer needed, we securely delete or anonymise it.

08

Your Rights

Depending on your location, you may have the following rights in relation to your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Ask us to correct inaccurate or incomplete data.
  • Right to Erasure: Ask us to delete your personal data, subject to legal exceptions.
  • Right to Restriction: Ask us to restrict processing of your data in certain circumstances.
  • Right to Data Portability: Request your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, please contact us at privacy@kooli.app. We will respond within 30 days. We may need to verify your identity before processing your request.

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your national data protection authority. In France, this is the CNIL (www.cnil.fr).

09

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:

  • Encrypted data transmission (TLS/HTTPS) between the app and our servers.
  • Hashed password storage — we never store passwords in plain text.
  • JWT-based authentication for all API and WebSocket connections.
  • Access controls limiting data access to authorised personnel only.
  • Regular security reviews and updates to our infrastructure.

No system is completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and relevant authorities as required by law.

10

Cookies and Tracking

Kooli is a mobile application and does not use browser cookies. We may use mobile analytics tools to collect anonymised usage data for Platform improvement purposes.

Any analytics processing is carried out on the basis of our legitimate interest in understanding and improving the Platform, using aggregated and anonymised data wherever possible.

11

Children's Privacy

Kooli is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a child under 18 without parental consent, we will delete it promptly.

If you believe a child has registered on our Platform, please contact us at privacy@kooli.app.

12

Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you via in-app notification or email at least 30 days before the changes take effect.

We encourage you to review this Policy periodically. Your continued use of the Platform after any update constitutes your acceptance of the revised Policy.

13

Contact Us

For any privacy-related questions, data subject requests, or concerns, please contact us:

  • Email: privacy@kooli.app
  • Subject line: Privacy Request — [Your Name]

We are committed to resolving privacy concerns promptly and transparently. If you are not satisfied with our response, you retain the right to escalate to your national data protection authority.

Privacy Contact

privacy@kooli.app