Privacy Policy — Karzo Driver

01 Who we are

Karzo Driver is operated by Karzo Technologies Co., Ltd. (“Karzo”, “we”, “us”), a company incorporated in Thailand with registered office at 101 True Digital Park East, Pegasus Building, 5FL, Unit 545, Sukhumvit Rd, Bang Chak, Phra Khanong, Bangkok 10260, Thailand. Karzo is the data controller for personal data processed through the Karzo Driver app.

This policy explains what personal data we collect through the app, how we use it, who we share it with, and the rights you have under Thailand’s Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”). Where the European Union’s General Data Protection Regulation (“GDPR”) applies to a particular user (for example, drivers in the EU), we treat them as having the equivalent rights described in section 8 below.

02 Who this app is for

Karzo Driver is a B2B workforce app distributed to drivers who have an active driver agreement with a Karzo customer (a logistics or vehicle-services vendor) or with Karzo directly. It is not directed at the general public, and it is not directed at children — drivers using the app must be of legal working age in their jurisdiction. Sign-in is gated by a Karzo-issued invitation code; an account cannot be created without one.

03 Personal data we process

3.1 Identity and account data

Sign-in is handled by Clerk, our authentication provider. When you sign in we (via Clerk) process:

your email address;
your full name;
your profile photo, if you set one;
the LINE account identifier you sign in with (we use LINE as a federated identity provider — your LINE password is never seen by us or by Clerk);
session tokens issued by Clerk, which are stored on your device so you don’t have to sign in on every launch.

3.2 Driver profile data

Your assignment to a Karzo customer is held by our backend. When you open the app we may load and display, but do not ourselves edit:

your mobile phone number;
your driver’s licence number and validity dates;
your assigned vendor / team;
your unique driver code (used as a QR code that customers scan).

These fields are entered into the Karzo platform by your employer or by Karzo onboarding staff at the time you join the platform — the driver app itself does not contain a sign-up or profile-edit form for them.

3.3 Operational data you create through the app

As you carry out tasks the app uploads task-execution data on your behalf, including:

photos you take with the device camera (for proof-of-delivery, container documentation, vehicle inspection, and similar task-defined fields);
photos you select from your device’s photo library, when you choose to attach an existing image instead of taking a new one;
free-text notes, status changes, and field values you enter against a task — which may incidentally contain personal data of third parties (for example a recipient’s name);
scanned container or document numbers. Scanning is performed on your device using Android’s ML Kit (or, on iOS, Apple Vision); the camera frames are not uploaded for scanning — only the resulting text is, and only when you confirm it.

3.4 Device permissions and what they access

The app asks for the permissions below the first time it needs each one. You can grant or deny each permission at the time, and change your mind at any point from your device’s system settings.

Permission	Why the app needs it	Where the data goes
Camera	To take photos for proof-of-delivery, container documentation, vehicle inspection, and on-device document scanning.	Photos you take are uploaded to Karzo’s backend (see section 5). Camera frames used only for on-device scanning are not uploaded.
Photos & gallery	To let you attach an existing photo from your phone to a task or issue report, instead of retaking one.	Only the photos you explicitly select are uploaded to Karzo’s backend. The app does not browse or index your gallery.
Location	To show your live position as a blue dot on the task map, so you can see where you are relative to your stops.	Your location is read on your device for display only. The Karzo Driver app does not transmit your live location to Karzo’s backend or to any other third party. The app never asks for background location. If we add features in the future that send your location to our backend (for example, driver tracking), this policy will be updated before that ships.
Notifications	To deliver job alerts and dispatch updates from your operations team.	The text of each notification is generated by Karzo’s backend and routed through Firebase Cloud Messaging (see section 5). Granting this permission does not give us any additional access to data on your device.
Internet access	Required for any networked app; needed to talk to our backend at all.	—

The wording above applies on both Android and iOS. The exact system prompt you see when each permission is requested is provided by your operating system, not by Karzo, and may therefore look slightly different on the two platforms.

3.5 Diagnostic and device data we collect automatically

Crash reports. When the app crashes in a production build we send the stack trace and basic device context (device model, OS version, app version, language, free memory) to Firebase Crashlytics. Crash reports are not tagged with your name, email, or any other identifier we control.
Push-notification token. Firebase Cloud Messaging issues each device a token so it can be addressed by push. The app receives this token; we do not currently store it on Karzo’s servers, but we plan to in a future release for targeted dispatch alerts. This policy will be updated before that change ships.
Locale and theme preference. Your chosen app language and light/dark preference are stored in your device’s local app preferences. They are not uploaded.

We do not use any analytics SDK in the app. We do not collect advertising identifiers, attribution data, behavioural analytics, screen-recording sessions, or session replay.

04 How we use your data

To provide the app’s functionality — authenticate you, fetch your tasks, accept your task-execution submissions, deliver dispatch notifications, and display maps and your position on them.
To diagnose and fix problems — via crash reports, so we can ship reliability fixes.
To comply with our legal obligations — including responding to lawful requests from authorities, defending legal claims, and meeting recordkeeping requirements that apply to us as a Thai company.

Under the PDPA, our lawful bases for processing are:

Performance of a contract with you or with your employer — the driver agreement under which you use the app.
Legitimate interest in operating, securing, and improving the service (for diagnostic data and crash reports).
Consent — for any processing that depends on your active grant of an OS-level permission (camera, photos, location, notifications).
Legal obligation — where applicable.

05 Who we share your data with

We do not sell your personal data, and we do not share it for third-party advertising. We do share it with the following service providers, who process it on our behalf and under contract:

Provider	What they process	Why	Where
Clerk Inc.	Email, name, profile photo, LINE identity, session tokens.	Authentication and session management.	United States. clerk.com/privacy
LY Corporation (LINE)	Your LINE account identifier — only during the OAuth sign-in step.	Federated identity sign-in.	Japan. LINE Terms
Google LLC (Firebase Cloud Messaging, Crashlytics, Maps SDK, Google Fonts)	Push-notification routing, crash diagnostics, map tile rendering and current-position display, font files.	To deliver app functionality and reliability monitoring. On iOS, Firebase Cloud Messaging hands push notifications off to Apple Push Notification service (see Apple row below) for final delivery to your phone.	United States and Google’s global infrastructure. policies.google.com/privacy
Apple Inc.	On iOS only: your device’s push token and the notification payload as it transits to your phone.	Delivery of push notifications via Apple Push Notification service (APNs) — the network path Firebase Cloud Messaging uses to reach iOS devices.	United States. apple.com/legal/privacy
Cloudflare, Inc.	Network routing of traffic between your device and our backend; storage of release artefacts (build outputs — not user data).	Infrastructure for our APIs.	Global edge network. cloudflare.com/privacypolicy

We may also disclose your data to your employer or the Karzo customer who issued your driver assignment, where that disclosure is necessary to perform the underlying contract (for example: tasks you have completed, photos and notes you have submitted on tasks, the timestamps of those submissions). Where this applies, your employer is a separate data controller of that data.

We may disclose your data to courts, law-enforcement authorities, or regulators where we are legally compelled to, or where we have a good-faith basis to do so to protect the rights or safety of users or the public.

06 International data transfers

Several of the service providers above are located in countries outside Thailand — in particular the United States. Where the PDPA applies, we rely on the “adequate protection”, “appropriate safeguards” or “contractual” bases under section 28 of the PDPA for these transfers, depending on the provider. Where the GDPR applies, we rely on Standard Contractual Clauses or equivalent transfer safeguards.

07 How long we keep your data

Account and session data — for as long as your driver agreement is active. When the agreement ends, your Clerk account is deactivated and access to the app is removed.
Task-execution data (photos, notes, status changes) — retained as part of our customer’s operational record, for as long as the underlying contract requires plus any period required by Thai accounting and labour law (typically up to 10 years).
Crash reports — retained by Firebase Crashlytics under Google’s standard retention (default 90 days, with limited retention of aggregate data thereafter).
Local app preferences and Clerk session token on device — until you sign out, uninstall the app, or clear app data.

08 Your rights

Under the PDPA you have the right to:

request access to the personal data we hold about you;
request that we correct it if it is inaccurate or incomplete;
request that we erase it, where one of the PDPA grounds for erasure applies;
request that we restrict its processing or object to specific types of processing;
request that we provide it to you, or transmit it directly to another controller, in a structured machine-readable format (portability);
withdraw any consent you have given (this does not affect the lawfulness of processing carried out on the basis of that consent before withdrawal);
lodge a complaint with the Personal Data Protection Committee of Thailand (PDPC).

Where the GDPR applies to you, you have equivalent rights under it, plus the right to lodge a complaint with your local supervisory authority.

To exercise any of these rights, write to us at hello@karzopro.com. We will respond within 30 days (or such shorter period as is required by the applicable law). We may need to verify your identity before acting on the request.

09 Security

All network traffic between the app and our backend is encrypted in transit using TLS. Authentication tokens are stored in your device’s app-private storage. We restrict employee access to personal data on a need-to-know basis and review our access controls periodically. No system is perfectly secure, however, and we cannot guarantee that unauthorised access will never happen — if it does, we will notify you and the relevant authorities as required by the PDPA.

10 Changes to this policy

We may update this policy as the app changes — for example, when we introduce a new permission or a new service provider, or when we change retention periods. The “Last updated” date at the top of this page reflects when the current version took effect. Material changes will additionally be surfaced in the app the next time you open it.

11 Contact us

Questions about this policy or about how we handle your data:

Email: hello@karzopro.com
Mail: Karzo Technologies Co., Ltd., 101 True Digital Park East, Pegasus Building, 5FL, Unit 545, Sukhumvit Rd, Bang Chak, Phra Khanong, Bangkok 10260, Thailand.