Privacy Policy

1. Who We Are

Gerad Logistics PLC ("Gerad", "we", "us", or "our") is the data controller for personal data processed through the Gerad freight platform, including our websites, mobile applications, dashboards, support channels, Telegram tools, email, SMS, and related services. Our address is Addis Ababa, Ethiopia. For privacy requests, consent withdrawal, or data-protection questions, contact privacy@gerad.app. We process personal data in accordance with applicable Ethiopian law, including the Personal Data Protection Proclamation No. 1321/2024.

2. Scope of This Policy

This policy applies to shippers, drivers, fleet owners, fleet managers, business account users, consignee contacts, support users, website visitors, and anyone whose personal data is added to a shipment, account, ticket, payment, payout, document, message, or compliance record on Gerad. If an organization, fleet owner, or shipper gives us another person's details, they must have a lawful basis to do so and must make this policy available to that person.

3. What Data We Collect

Depending on your role and the features you use, Gerad may collect the following categories of personal data:

• Account and contact data: full name, phone number, email, password or PIN hash, role, language, city, city coordinates, company name, profile photo, referral code, acquisition source, preferences, verification status, and account status.
• Authentication and security data: Firebase UID, phone-verification status, OTP request records, security questions and hashed answers, failed-login counts, lockout timestamps, last login time, last login IP address, revoked token identifiers, and face-verification attempt logs.
• Identity, eligibility, and compliance data: national ID number or file, driver's license number or file, business license, TIN number or certificate, vehicle registration, insurance, plate or registration number, truck type, capacity, selfie or face-verification image where enabled, document metadata, reviewer decisions, expiry dates, rejection reasons, and resubmission records.
• Shipment, delivery, and proof-of-delivery data: pickup and delivery cities, addresses, coordinates, cargo type, weight, price, pickup date, notes, assigned driver, status history, release PIN, receiver name, receiver signature name and image, proof-of-delivery photo, bank-transfer proof, counter offers, shipment messages, ratings, reviews, dispute evidence, and refund records.
• Driver, fleet, and vehicle operations data: availability, current location label, GPS pings, speed, heading, accuracy, fleet membership, join requests, invite codes, roster assignments, vehicle labels, assigned drivers, fleet jobs, payroll runs, payroll items, payroll fund payments, and payroll wallet transactions.
• Business organization data: organization name, slug, type, industry, emails, phone numbers, billing and operations contacts, headquarters city, website, logo, brand settings, team size, branch count, branches, departments, cost centers, managers, budgets, contracts, purchase orders, approval workflows, templates, business partners, agreement terms, signer names, and electronic signatures.
• Payment, wallet, subscription, and payout data: gateway transaction references, checkout URLs, amounts, commissions, taxes, invoices, wallet balances and transactions, payout bank name, bank code, account number or masked account number, account holder, transfer references, failure reasons, proof uploads, refunds, reconciliation notes, subscription plans, and renewal status.
• Communications and support data: contact-form submissions, support tickets, email-ingested messages, requester name and email, ticket tags, source message or thread IDs, provider payloads, internal notes, attachments, direct-message attachments, notification events, delivery attempts, push-device tokens, Telegram chat ID, Telegram user ID, username, Telegram first and last name, link tokens, and Telegram flow-session data.
• Recruitment data: job application name, email, phone, cover letter, CV file, application status, interview time, and interview location.
• Technical, audit, and diagnostic data: IP address, user agent, device token, push provider, platform, browser, operating system, app version, route, stack trace, component stack, device model, crash fingerprint, crash details, cookies, local storage, session logs, audit and activity logs, actor IDs, entity IDs, timestamps, and administrative action details.

4. Sensitive Personal Data

Some data we process may be sensitive personal data under Ethiopian law, including biometric or face-verification data, selfie images used for verification, identity documents, health or safety information included in a dispute, crash, incident, support, or insurance record, alleged offence or fraud records, message content or metadata, electronic signatures, and authentication recovery data such as security questions and hashed answers. We process sensitive data only where a lawful condition applies, such as your specific consent, account and shipment safety, compliance with law, establishment or defense of legal claims, protection of vital interests, or another basis permitted by law. We do not use sensitive personal data for unrelated marketing.

5. How We Collect Data

We collect personal data through three channels:

• Directly from you: when you register, complete forms, upload documents, accept or post loads, request support, send messages, manage a fleet, make payments, request payouts, or use app features.
• Automatically: through app permissions, cookies, server logs, device security tools, crash reporting, and authentication systems.
• From third parties: shippers, drivers, fleet owners, consignee contacts, payment processors, banks, mobile money providers, identity-verification vendors, email providers, support vendors, analytics or security providers, regulators, courts, and law-enforcement bodies where lawful and necessary.

6. Why We Collect and Use Data

We use personal data to:

• Create and secure accounts, recover them, and prevent unauthorized access.
• Verify identity, contact details, driver eligibility, vehicle eligibility, and business authorization.
• Match shippers, drivers, and fleets, and price, dispatch, track, complete, and document shipments.
• Show active trip location to authorized shipment participants and create proof-of-delivery records.
• Administer fleets, payroll, private marketplaces, organization teams, shipment approvals, branches, cost centers, contracts, purchase orders, integrations, and business analytics.
• Process digital payments, subscriptions, refunds, payouts, invoices, commissions, wallet balances, taxes, and accounting records.
• Provide customer support, email support intake, incident response, finance review, document review, account unlocks, and dispute handling.
• Deliver in-app, push, SMS, email, and Telegram notifications, and send OTPs, account notices, safety alerts, operational messages, and requested marketing.
• Receive public contact requests and job applications.
• Prevent fraud, off-platform cash abuse, duplicate accounts, unauthorized access, and platform misuse.
• Maintain crash reporting, audit logs, activity logs, security monitoring, debugging, analytics, and service improvement.
• Comply with legal, tax, regulatory, audit, court, and law-enforcement obligations.

7. Lawful Bases

We process personal data only where a lawful basis applies. The main bases are:

• Consent: especially for optional marketing, certain device permissions, and any biometric or face-verification flow that asks for consent.
• Performance of a contract: including account registration, load matching, shipment management, payment, payout, and support.
• Compliance with legal obligations: including tax, accounting, transport, consumer-protection, anti-fraud, court, and regulator requirements.
• Vital interests and safety: where urgent action is needed to protect people, cargo, or vehicles.
• Public interest or official requests: where recognized by law.
• Legitimate operational interests: such as platform security, fraud prevention, service reliability, analytics, and enforcement of platform rules, provided those interests are not overridden by your rights and freedoms.

8. Consent and Withdrawal

Where we rely on consent, the request should be clear, specific, informed, separate from unrelated terms, and based on an active action by you. You may withdraw consent at any time by using the available app setting, disabling the relevant device permission, unsubscribing from marketing, or contacting privacy@gerad.app. Withdrawal does not affect processing that was lawful before withdrawal, and it may limit features that require that data, such as live driver tracking, optional marketing, or biometric verification. We do not make unrelated optional consent a condition for receiving the core freight service.

9. Required and Optional Data

Some information is required to provide the service, such as account contact details, role information, shipment details, verified payment details, driver and vehicle eligibility documents, and active-trip location for drivers who accept loads. If required information is not provided, we may be unable to create an account, verify a driver or fleet, post or accept a load, complete payment, release payout, resolve disputes, or comply with law. Optional information, such as certain marketing preferences, profile details, and some notification channels, can usually be refused or changed without losing access to core service features.

10. Who Receives Data

We do not sell personal data. We share data only as needed for the purposes in this policy. Recipients may include:

• Platform users: matched shippers, drivers, fleet owners, fleet managers, dispatchers, finance users, verification users, consignee contacts, business partners, and authorized organization users.
• Financial providers: payment gateways, banks, mobile money providers, payout processors, payroll processors, and reconciliation partners.
• Service providers: identity, document, face-verification, fraud-prevention, security, hosting, storage, email, SMS, push-notification, Telegram, support, analytics, map and geocoding, crash-reporting, and infrastructure providers.
• Recruitment reviewers and interview coordinators for job applications.
• Professional advisers: auditors, accountants, insurers, and lawyers.
• Authorities: regulators, courts, tax authorities, law-enforcement bodies, and the Ethiopian Communications Authority where required or permitted by law.

Each recipient should receive only the data reasonably needed for its role.

11. Fleet, Driver, and Location Data

Fleet owners and managers can view roster information, assigned loads, driver eligibility status, trip history, earnings summaries, internal fleet communications, and active-trip location for drivers enrolled in their fleet. Drivers who accept shipments share GPS location during active trips. That location may be visible to the shipper, consignee contact, authorized fleet users, and Gerad operations or support staff while needed to coordinate the shipment, confirm delivery, resolve disputes, and protect safety. Real-time shipment visibility ends when the shipment is completed or canceled, except where limited records must be retained for dispute, security, accounting, or legal reasons.

12. Payments, Payouts, and Financial Records

Gerad processes shipment payments digitally and does not accept platform cash payments. When a shipper pays, we and our payment partners process amount, reference, payer identity, gateway status, bank or mobile money details needed by the provider, receipt, refund, and dispute data. When drivers or fleets request payouts, we process payout identity, account details, settlement status, tax or accounting records, and support records. We do not ask for or store mobile money PINs. Full payment credentials handled by payment providers are subject to their security controls and legal obligations.

13. Cookies and Similar Technologies

We use cookies, local storage, session tools, and similar technologies to keep you signed in, remember preferences, protect accounts, detect abuse, measure platform performance, and improve services. Some cookies are necessary for the platform to work. Analytics or marketing cookies, where used, should be handled according to your preferences and applicable consent requirements. You can control browser cookies through your browser settings, but disabling necessary cookies may break sign-in, security, or core platform features.

14. Automated Processing

We may use automated tools to support fraud detection, identity and document review queues, duplicate-account detection, risk scoring, load matching, pricing suggestions, routing, notifications, and support prioritization. These tools help staff and users make decisions, but we do not intend to make decisions based solely on automated processing that produce legal or similarly significant effects without a lawful basis and appropriate safeguards. You may contact privacy@gerad.app to ask for human review where an automated process significantly affects your account, verification, or access to platform services.

15. Data Retention

We keep personal data only as long as needed for the purposes described in this policy, unless a longer period is required or permitted by law:

• Account and identity records: account, authentication, security-question, verification, document, driver, vehicle, organization, and fleet records are kept while the account or organization is active and for a reasonable period afterward for audit, fraud prevention, disputes, and legal claims.
• Financial and shipment records: shipment, proof-of-delivery, location-history, payment, payout, payroll, invoice, wallet, tax, subscription, refund, and dispute records are retained for statutory accounting, tax, regulatory, and claim periods.
• Communications and support: support tickets, email-ingested messages, contact requests, direct messages, attachments, incident records, and communications are retained as needed to manage requests, investigations, and rights.
• Recruitment: job applications are retained for recruitment and hiring administration.
• Operational logs: OTPs, link tokens, push devices, Telegram sessions, security logs, device logs, crash records, and audit or activity logs are retained for operational, security, troubleshooting, and accountability periods unless needed longer for investigation or legal reasons.

When data is no longer needed, we delete, anonymize, or archive it with restricted access.

16. International Transfers

Some service providers, infrastructure, communications, analytics, security, or support tools may process data outside Ethiopia. Where personal data is transferred to another jurisdiction, we use lawful transfer mechanisms and safeguards appropriate to the risk, such as contractual protections, access controls, encryption, vendor due diligence, and transfer limits. If a specific transfer requires authority approval, registration, or another safeguard under Ethiopian law, we will handle it according to that requirement before making the transfer.

17. Security and Breach Response

We use technical and organizational measures designed to protect personal data, including:

• Role-based access and authentication controls.
• Encryption where appropriate.
• Secure document storage.
• Audit logs and monitoring.
• Backup controls.
• Staff access limits and vendor controls.

No system is perfectly secure. If a personal-data breach occurs, we will investigate, mitigate harm, notify the Ethiopian Communications Authority where required, and inform affected users where the law requires or where notice is needed to protect them.

18. Your Rights

Subject to legal limits, you may request:

• Access to your personal data.
• Correction of inaccurate or incomplete data.
• Deletion where the data is no longer needed or was unlawfully processed.
• Restriction of processing.
• Objection to processing.
• Data portability for data you provided in a structured and commonly used format.
• Withdrawal of consent.
• Human review or explanation for significant automated decisions.

You also have the right to lodge a complaint with the Ethiopian Communications Authority. To exercise rights with Gerad, contact privacy@gerad.app. We may need to verify your identity before responding.

19. Children's Privacy

Gerad is not directed to children under 18. We do not knowingly create accounts for children or collect children's personal data for marketing, profiling, or profile-merging. If we learn that a child has provided personal data without lawful authorization, we will take appropriate steps to delete or restrict it.

20. Changes to This Policy

We may update this policy to reflect changes in law, platform features, data practices, providers, or security requirements. If a change is material, we will provide notice through the platform, email, app notification, or another appropriate channel before or when the change takes effect. If we want to process previously collected data for a new incompatible purpose, we will provide the required notice and, where needed, request consent.