1. Introduction
Kost Konsult & Solutions Limited (“Kost Konsult,” “we,” “us,” or “our”) operates the OYA! Platform, a digital transport ecosystem for inter-city public transport in Ghana and the wider West Africa region. The OYA! Platform comprises a family of connected services, including OYA! BusRide (passenger booking and ride management), OYA! Parcel (parcel and courier services), the OYA! Driver application (driver-facing trip management), and the operator and partner tools that support them (together, the “Services”).
This Privacy Policy explains what personal data we collect when you use the Services, why we collect it, how we use and share it, how long we keep it, and the rights and choices available to you. It applies to all users of the Services, including passengers, parcel senders and recipients, drivers, transport operators, and visitors to our websites and applications.
Kost Konsult & Solutions Limited is the data controller responsible for personal data processed through the OYA! Platform, except where this Policy states that a third party acts as an independent controller (for example, licensed payment service providers). We are committed to protecting your privacy and to handling your personal data lawfully, fairly, and transparently.
This Policy has been prepared to align with the Data Protection Act, 2012 (Act 843) of the Republic of Ghana, the principles of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) as a benchmark of international best practice, and applicable data protection laws in the other West African jurisdictions in which we operate. Where local law in a particular jurisdiction imposes stricter requirements, those requirements will apply to processing in that jurisdiction.
Please read this Policy carefully. By creating an OYA! account or otherwise using the Services, you acknowledge that you have read and understood this Policy. Where we rely on your consent to process personal data, we will ask for that consent separately and you may withdraw it at any time as described in Section 9.
2. Who We Are and How to Contact Us
If you have any questions about this Policy, wish to exercise your data protection rights, or want to make a complaint, you can contact us using the details below.
| Data controller | Kost Konsult & Solutions Limited |
| Registered office | No. 11 Mike Oquaye Street, Haatso, Accra, Ghana |
| Data Protection Officer | The Data Protection Officer, Kost Konsult & Solutions Limited |
| Privacy email | admin@kostkonsult.com |
| General support | admin@kostkonsult.com |
| Supervisory authority | Data Protection Commission, Ghana (www.dataprotection.org.gh) |
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Policy. You have the right to lodge a complaint with the Data Protection Commission of Ghana, or with the relevant supervisory authority in your jurisdiction, at any time. We would, however, appreciate the chance to address your concerns before you approach the regulator, so we encourage you to contact us first.
3. Scope of This Policy
This Policy covers personal data we process across the entire OYA! Platform ecosystem:
- OYA! BusRide — the passenger application and website used to search routes, book seats, manage trips, receive notifications, and pay fares.
- OYA! Parcel — services used to send, track, and receive parcels carried on the OYA! transport network.
- OYA! Payments — the in-app facility that lets you pay fares and parcel charges and, where applicable, supports operator settlement and loan-collection workflows.
- OYA! Driver — the driver-facing application used to manage trips, stops, manifests, and passenger pick-ups and drop-offs.
- Operator and partner tools — dashboards and back-office tools used by transport operators, station staff, and business partners.
This Policy does not apply to third-party products, websites, or services that are not operated by Kost Konsult, even where they are linked to or integrated with the Services. When you use a third-party service (such as a payment provider or a mapping provider), that third party’s own privacy policy governs its processing of your personal data. We encourage you to review those policies.
4. Information We Collect
We collect personal data in three broad categories: information you provide to us, information we collect automatically when you use the Services, and information we receive from third parties. We only collect data that is adequate, relevant, and limited to what is necessary for the purposes described in this Policy.
4.1 Identity and Contact Information
When you create an account, make a booking, send or receive a parcel, or contact us, we collect identity and contact information. This may include:
- Your full name and, where relevant, the name of a parcel sender or recipient.
- Your mobile phone number, which is used as a primary account identifier and for trip and delivery notifications.
- Your email address.
- Account credentials, such as your password (stored only in encrypted, hashed form) and security settings.
- For drivers and operators: licence and accreditation details, vehicle and route assignments, and other onboarding information required to provide the Services and to meet legal and safety obligations.
- The content of your communications with us, including support requests, feedback, and survey responses.
4.2 Location and Trip Data
Because OYA! is a transport platform, location and trip information is central to the Services. Depending on the product (e.g. driver app) and your device settings, we may collect:
- Trip details such as origin and destination, selected route, boarding stop, departure and arrival times, seat selection, manifest entries, and booking and ticket history.
- Parcel details such as pick-up and drop-off points, tracking events, and delivery status.
- Precise (GPS) location from the OYA! Driver application while a driver is on an active trip, so that we can provide live vehicle tracking, accurate arrival estimates, and trip-management features.
- Approximate or precise location from passenger devices, where you grant permission, to suggest nearby stops, improve booking accuracy, and support safety features. You can disable device location permissions at any time through your device settings; some features may then be limited.
Background location. The OYA! Driver application may collect location in the background during an active trip even when the app is not in the foreground, strictly to support live tracking and passenger safety. Background collection stops when the trip ends.
4.3 Device and Usage Analytics
When you use the Services, we automatically collect technical and usage information to keep the Services secure, reliable, and easy to use. This may include:
- Device information such as device model, operating system and version, unique device and installation identifiers, language settings, and mobile network information.
- App and service usage information such as the pages and screens you view, features you use, search queries within the app, the date and time of your activity, app version, and referral information (for example, how you arrived at an app store listing or install link).
- Log and diagnostic data such as IP address, crash reports, performance data, and error logs.
- Cookies and similar technologies on our websites and web applications, as described in Section 11.
We use this information in aggregated and de-identified form wherever possible — for example, to understand install and download trends, measure the impact of campaigns, and prioritise product improvements. Aggregated data that cannot reasonably be linked to you is not treated as personal data under this Policy.
4.4 Payment-Related Information
OYA! Payments facilitates payment for fares and parcels, but payment processing itself is carried out by licensed third-party payment service providers (for example, mobile-money operators, card processors, and banks). When you make a payment:
- We receive and store transaction records such as the amount, currency, date and time, payment method type, a transaction reference, and whether the payment succeeded or failed.
- We do not collect or store full payment credentials. Full card numbers, mobile-money PINs, bank account numbers, CVV codes, and similar sensitive financial credentials are entered directly with the payment service provider and are not retained by OYA!.
- Where the Services support operator settlement or loan-collection workflows, the process the transaction and settlement records needed to administer those arrangements.
The licensed payment service providers act as independent data controllers (or as separately regulated entities) for the payment credentials and processing they handle. Their own privacy notices and terms govern that activity. We encourage you to review them before completing a payment.
4.5 Information From Third Parties
We may receive personal data about you from:
- Transport operators and partners who use OYA! tools, where they enter or update information related to your trip, parcel, or driver assignment.
- Payment service providers, who confirm the status of your transactions.
- Analytics, attribution, and infrastructure providers, who help us understand app performance and install activity.
- Other users, for example when a parcel sender provides recipient contact details so that we can arrange delivery.
4.6 Children
The Services are not directed at children, and we do not knowingly collect personal data from children below the age of majority without the consent of a parent or guardian. Where a minor travels on the OYA! network, we expect the booking to be made and managed by a responsible adult. If you believe a child has provided us with personal data without appropriate consent, please contact us so that we can take appropriate steps to delete it.
5. How We Use Your Information
We use your personal data only for specified, explicit, and legitimate purposes. The table below summarises the main purposes for which we process personal data and the legal basis we rely on under Act 843 and, as a benchmark, the GDPR.
| Purpose | Examples | Legal basis |
|---|---|---|
| Providing the Services | Creating and managing your account; processing bookings, trips, and parcels; issuing tickets and manifests; enabling live tracking. | Performance of a contract; your consent where required. |
| Payments and settlement | Facilitating fare and parcel payments; recording transactions; supporting operator settlement and loan-collection workflows. | Performance of a contract; compliance with legal obligations. |
| Communications | Sending trip, delivery, and account notifications; responding to support requests; sending service-related messages. | Performance of a contract; legitimate interests. |
| Safety and security | Verifying users; preventing fraud and misuse; investigating incidents; protecting passengers, drivers, and assets. | Legitimate interests; compliance with legal obligations. |
| Improving the Services | Analysing usage and install trends; diagnosing errors; testing features; prioritising product improvements. | Legitimate interests; your consent for non-essential analytics. |
| Legal and regulatory | Meeting tax, transport, accounting, and data protection obligations; responding to lawful requests; enforcing our terms. | Compliance with legal obligations; legitimate interests. |
Where we rely on legitimate interests, we have assessed that those interests are not overridden by your interests or fundamental rights and freedoms. You may ask us for more information about that assessment using the contact details in Section 2. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
We will not use your personal data for a new purpose that is incompatible with those set out above unless we are required to do so by law or we notify you and, where necessary, obtain your consent.
6. How We Share Your Information
We do not sell your personal data. We share personal data only as necessary to operate the Services and as described below.
6.1 Transport Operators and Drivers
To deliver your trip or parcel, we share the relevant booking, manifest, contact, and trip information with the transport operator and driver responsible for that service. Drivers and operators are required to use this information only to provide the Services and in accordance with their obligations to us and under applicable law.
6.2 Service Providers and Processors
We engage trusted third parties to process personal data on our behalf and under our instructions, including cloud hosting and infrastructure providers, communications and notification providers, analytics and attribution providers, and customer-support tools. These processors are bound by written data processing agreements that require them to protect personal data and to process it only as instructed.
6.3 Payment Service Providers
As described in Section 4.4, payments are handled by licensed payment service providers. We share with them the limited information needed to initiate and reconcile a transaction, and we receive transaction status information in return.
6.4 Other Users
Limited information is shared between users where the Service requires it — for example, a parcel sender and recipient may see delivery status, and a driver may see the passenger manifest for a trip.
6.5 Legal, Regulatory, and Safety Disclosures
We may disclose personal data where we believe in good faith that it is necessary to comply with a legal obligation, court order, or lawful request from a public authority; to enforce our terms and agreements; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Kost Konsult, our users, or the public.
6.6 Business Transfers
If Kost Konsult is involved in a merger, acquisition, financing, reorganisation, or sale of assets, personal data may be transferred as part of that transaction. We will require the recipient to honour the commitments in this Policy, and we will notify you of any material change to how your personal data is handled.
7. International Data Transfers
The OYA! Platform operates in Ghana and across the wider West Africa region, and some of our service providers operate internationally. As a result, your personal data may be processed, stored, or accessed in countries other than your own, including countries that may not provide the same level of data protection as your home jurisdiction.
Whenever we transfer personal data across borders, we take steps to ensure it remains protected in line with this Policy and applicable law. These steps may include transferring data only to jurisdictions recognised as providing adequate protection, putting in place contractual safeguards (such as standard contractual clauses) with the recipient, and assessing the risks associated with the transfer. You may contact our Data Protection Officer for more information about the safeguards we use.
8. How Long We Keep Your Information
We keep personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, regulatory, or reporting requirements, and to resolve disputes and enforce our agreements.
To decide how long to keep personal data, we consider its nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, whether we can achieve those purposes by other means, and applicable legal requirements. Indicative retention periods include:
- Account information: for the life of your account and for a limited period afterwards to handle post-closure queries, disputes, and legal obligations.
- Trip, parcel, and transaction records: retained for the periods required by tax, accounting, and transport regulations.
- Precise location data from active trips: retained only for as long as needed for tracking, safety, dispute resolution, and service improvement, after which it is deleted or aggregated.
- Support communications: retained for a reasonable period to maintain a record of our interactions with you.
- Device and usage analytics: retained in identifiable form for a limited period, and thereafter retained only in aggregated or de-identified form.
When personal data is no longer required, we will securely delete it or irreversibly anonymise it so that it can no longer be associated with you.
9. Your Data Protection Rights
Subject to the conditions and exceptions set out in the Data Protection Act, 2012 (Act 843) and, where applicable, the GDPR and other relevant laws, you have the following rights in relation to your personal data:
- Right to be informed — to know what personal data we collect about you and how we use it, as set out in this Policy.
- Right of access — to request a copy of the personal data we hold about you and information about how we process it.
- Right to rectification — to ask us to correct personal data that is inaccurate or incomplete.
- Right to erasure — to ask us to delete personal data where there is no good reason for us to continue processing it.
- Right to restrict processing — to ask us to suspend the processing of your personal data in certain circumstances.
- Right to object — to object to processing based on our legitimate interests, and to object at any time to processing of your personal data for direct marketing.
- Right to data portability — to receive certain personal data in a structured, commonly used, machine-readable format, and to ask us to transmit it to another controller where technically feasible.
- Right to withdraw consent — where we rely on your consent, to withdraw that consent at any time without affecting processing carried out before withdrawal.
- Right to complain — to lodge a complaint with the Data Protection Commission of Ghana or the relevant supervisory authority in your jurisdiction.
To exercise any of these rights, please contact us using the details in Section 2. We may need to verify your identity before acting on your request. We will respond within the time limits required by applicable law. Exercising your rights is free of charge in most cases, although we may charge a reasonable fee or decline to act where a request is manifestly unfounded, excessive, or repetitive, as permitted by law.
10. How We Protect Your Information
We take the security of personal data seriously and maintain appropriate technical and organisational measures designed to protect it against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- Encryption of data in transit and, where appropriate, at rest.
- Hashing of account passwords and protection of authentication credentials.
- Role-based access controls, so that staff and partners can access personal data only where they need it to perform their duties.
- Network, application, and infrastructure security controls, monitoring, and logging.
- Secure software development practices and regular review of our systems and microservices infrastructure.
- Staff confidentiality obligations and data protection training.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You also play an important role in keeping your information safe: please keep your account credentials confidential, use a strong and unique password, and notify us immediately if you suspect any unauthorised use of your account.
10.1 Data Breach Notification
We maintain a documented data breach management procedure. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission of Ghana and, where required, affected individuals, within the timeframes and in the manner required by applicable law.
11. Cookies and Similar Technologies
Our websites and web applications use cookies and similar technologies (such as local storage and software development kits within our apps) to make the Services work, to remember your preferences, to keep the Services secure, and to understand how the Services are used.
We use strictly necessary technologies that are required for the Services to function, as well as analytics and performance technologies that help us measure and improve the Services. Where required by law, we will ask for your consent before using non-essential cookies and similar technologies, and you can change your preferences at any time. Most browsers and devices also allow you to manage or disable cookies and tracking through their settings, although some features of the Services may not work properly if you do.
12. Third-Party Links and Services
The Services may contain links to, or integrations with, third-party websites, applications, and services that we do not control. This Policy does not apply to those third parties. We are not responsible for the privacy practices or content of third-party services, and we encourage you to review the privacy policies of any third-party service you use.
13. Changes to This Policy
We may update this Policy from time to time to reflect changes in our Services, our practices, or legal requirements. When we make changes, we will revise the “Last updated” date at the top of this Policy and, where the changes are material, we will provide a more prominent notice — for example, through the Services or by other appropriate means. We encourage you to review this Policy periodically. Your continued use of the Services after an updated Policy takes effect constitutes your acknowledgement of the updated Policy, to the extent permitted by applicable law.
14. Contact Us and Complaints
If you have any questions, concerns, or complaints about this Policy or about how we handle your personal data, please contact our Data Protection Officer:
| Post | The Data Protection Officer, Kost Konsult & Solutions Limited, No. 11 Mike Oquaye Street, Haatso, Accra, Ghana |
| admin@kostkonsult.com | |
| Regulator | Data Protection Commission, Ghana — www.dataprotection.org.gh |