Privacy Policy
Last updated: June 2026
This Privacy Policy describes how Sakay Mobility ("Sakay", "we", "us", or "our") collects, uses, discloses, retains, and protects personal data when you access or use the Sakay passenger application, the Sakay driver application, our websites, and all related services, features, and content (collectively, the "Services").
Sakay Mobility, with its registered office at [Registered office address], Republic of the Philippines, is the Personal Information Controller ("PIC") responsible for the processing of your personal data under the Data Privacy Act of 2012 (Republic Act No. 10173) ("DPA"), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission ("NPC"). We are committed to processing your personal data fairly, lawfully, and transparently, and to upholding your rights as a data subject.
By creating an account, accessing, or otherwise using the Services, you acknowledge that you have read and understood this Privacy Policy. Where the law requires your consent, we will obtain it before processing. This Policy should be read together with our Terms of Service and our Account Deletion page.
Summary of key points
- We collect account, identity (driver KYC), location, trip, payment, device, usage, and safety data.
- A driver's precise location is collected while the driver is online or on a trip.
- We process data to operate the platform, match riders with drivers, process payments, and keep the community safe.
- We do not sell your personal data.
- You have rights as a data subject under the Data Privacy Act, including access, correction, objection, and erasure.
- To exercise your rights or reach our Data Protection Officer, email [email protected].
Definitions
- Personal data / personal information — any information from which the identity of an individual is or can reasonably be ascertained, as defined under the DPA.
- Sensitive personal information — information about an individual's government-issued identifiers, and other categories specially protected under the DPA.
- Processing — any operation performed on personal data, including collection, recording, organization, storage, use, consolidation, disclosure, or erasure.
- Data subject — the individual whose personal data is processed (that is, you).
- Personal Information Controller (PIC) — the entity that controls the processing of personal data (Sakay Mobility).
- Personal Information Processor (PIP) — a natural or juridical person to whom a PIC may outsource the processing of personal data.
1. Information we collect
We collect the categories of personal data described below, depending on whether you use the Services as a passenger, as a driver, or both. We collect this information directly from you, automatically through your use of the Services, and from third parties such as payment processors and mapping providers where applicable.
1.1 Account and profile information
- Your name, mobile number (your primary login identifier), email address, date of birth, and gender.
- Your profile photograph and any other details you choose to add to your profile.
- Authentication data, including one-time passcodes (OTPs) used to verify your phone number.
1.2 Driver verification and onboarding (KYC) documents
If you apply to become or operate as a driver, we additionally collect and verify:
- Government-issued identification, your driver's license, your NBI clearance, and (where provided) a selfie and medical certificate. These may constitute sensitive personal information under the DPA.
- Vehicle documents and details, including the Official Receipt and Certificate of Registration (OR/CR), plate number, make, model, year, color, insurance provider and expiry, and vehicle photographs.
- Document numbers, issue and expiry dates, and the review status of each submitted document.
1.3 Trip and location information
- Pickup, drop-off, and saved places, including addresses, landmarks, and coordinates.
- Trip records, including trip numbers, status, distance, duration, special instructions, and timestamps.
- Precise (GPS) location data. For passengers, we collect location to show nearby drivers, generate fare estimates, and enable live trip tracking and sharing. For drivers, precise location is collected continuously while you are online or on a trip, so that we can dispatch trips, navigate, track trips for safety, and calculate distances. Location breadcrumbs may be retained as part of the trip record.
1.4 Payment and financial information
- Wallet balances and the transaction ledger (top-ups, trip payments, earnings, commissions, cashouts, refunds, and promo credits).
- Tokenized payment-method references — for example, a card brand and last four digits, or an e-wallet reference. We never store full card numbers, CVV/CVC codes, or payment-provider secrets.
- For drivers, cashout destination details such as the destination type (GCash, Maya, or bank), account number, and account name.
1.5 Device, technical, and usage information
- Device model, operating-system version, application version, and unique device identifier.
- Push-notification tokens (FCM/APNs) used to deliver notifications to your device.
- Log and usage data, including in-app actions, feature usage, diagnostics, and crash reports.
1.6 Support, ratings, and safety information
- Support tickets and messages, including any attachments you submit, and related trip references.
- Ratings, compliments, tags, and comments exchanged between passengers and drivers after a trip.
- Emergency contacts you choose to save, and SOS alerts you trigger (including your location and any note at the time of the alert).
2. How we use your information and our lawful basis
We process personal data only where a lawful basis or criterion for lawful processing exists under the DPA. Depending on the activity, we rely on one or more of the following: your consent; the performance of a contract with you (our Terms of Service); compliance with a legal obligation; the protection of vital interests (life, health, and safety); and our legitimate interests (or those of a third party), provided such interests are not overridden by your fundamental rights and freedoms.
- To provide the Services (contract). To create and manage your account, match passengers with independent drivers, generate fare estimates, dispatch and complete trips, and enable live tracking.
- To process payments and money movement (contract). To process fares, wallet top-ups, driver earnings, commissions, cashouts, refunds, and promos.
- To verify drivers and maintain platform integrity (legal obligation, legitimate interests). To verify driver eligibility and documents, detect and prevent fraud, and enforce our Terms.
- To keep the community safe (vital interests, legitimate interests). To respond to SOS alerts, support safety investigations, and act on reports of unsafe or unlawful conduct.
- To provide customer support (contract, legitimate interests). To respond to tickets, resolve disputes, and improve service quality.
- To send communications (contract, consent). To send service and transactional messages, and — where permitted or with your consent — promotional updates from which you may opt out.
- To improve and secure the Services (legitimate interests). To analyze usage, develop features, troubleshoot, and protect against security threats.
- To comply with law (legal obligation). To meet tax, accounting, regulatory, and law-enforcement requirements.
3. How we share and disclose information
We share personal data only as described in this Policy. We do not sell your personal data. We may disclose personal data to the following categories of recipients:
- Between matched passengers and drivers. When a trip is booked, we share trip-relevant details between the matched passenger and driver — for example, first name, profile photo, rating, vehicle details, masked contact number, and live location during the trip — so the trip can be completed safely.
- Payment processors and financial partners. To process payments, top-ups, and cashouts, acting as our Personal Information Processors under written agreements.
- Mapping and location providers. To provide maps, routing, geocoding, and navigation.
- Service providers and processors. Cloud hosting, storage, communications (SMS/push), analytics, and customer-support vendors that process data on our behalf and under our instructions.
- Law enforcement and public authorities. Where we are legally required to do so, in response to lawful requests, or where reasonably necessary to protect the rights, property, or safety of any person — including in connection with an SOS alert or safety emergency.
- Corporate transactions. In connection with a merger, acquisition, reorganization, or sale of assets, subject to appropriate safeguards.
4. Location data
Location data is essential to a ride-hailing service. For passengers, we use location to display nearby drivers, calculate fares, navigate trips, and enable trip tracking and the "share my trip" feature. For drivers, precise location is collected while you are online or on an active trip to enable dispatch, navigation, distance calculation, and safety monitoring. You may disable location access through your device settings; however, core features of the Services will not function without it.
5. Cookies and similar technologies
Our websites and apps use cookies, software development kits (SDKs), and similar technologies for authentication, security, preference storage, performance measurement, and analytics. You can manage cookies through your browser or device settings, although some features may not work properly if you disable them.
6. Data retention and deletion
We retain personal data only for as long as your account is active or as necessary to fulfil the purposes described in this Policy, after which we securely dispose of it. We may retain certain records for longer where required to comply with legal, tax, accounting, regulatory, dispute-resolution, fraud-prevention, or safety obligations. Where records must be retained for such purposes, we may keep them in anonymized or de-identified form so that they can no longer be associated with you.
You may request deletion of your account at any time. See our Account Deletion page, or use the in-app delete-account option, which anonymizes your personal data, revokes your access tokens, and disables your account.
7. Your rights as a data subject
Under the Data Privacy Act of 2012, you are entitled to the following rights with respect to your personal data:
- Right to be informed — to know whether and how your personal data is being or will be processed.
- Right to access — to reasonable access to the personal data we hold about you and details of its processing.
- Right to object — to object to the processing of your personal data, including for direct marketing, automated processing, or profiling.
- Right to rectification (correction) — to dispute and have corrected any inaccurate or erroneous personal data.
- Right to erasure or blocking — to suspend, withdraw, or order the blocking, removal, or destruction of your personal data in the circumstances allowed by law.
- Right to damages — to be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data.
- Right to data portability — to obtain a copy of personal data you provided to us in a structured, commonly used, and machine-readable format, where processing is by electronic means.
- Right to lodge a complaint — to file a complaint with the National Privacy Commission.
To exercise any of these rights, email [email protected]. We may need to verify your identity before acting on your request, and we will respond within the period prescribed by applicable law. Exercising certain rights (such as erasure) may limit or prevent your continued use of the Services.
8. Data security
We implement reasonable and appropriate organizational, physical, and technical security measures intended to protect personal data against accidental or unlawful destruction, alteration, disclosure, and unauthorized access, consistent with the DPA.
- Organizational — access controls on a need-to-know basis, confidentiality obligations, staff training, written agreements with processors, and a designated Data Protection Officer.
- Physical — controlled access to facilities and equipment where data is stored or processed.
- Technical — encryption of data in transit, tokenization of payment instruments, secure authentication, role-based permissions, audit logging, and monitoring.
While we work continuously to protect your information, no method of transmission or storage is completely secure. In the event of a personal data breach that meets the notification threshold, we will notify the National Privacy Commission and affected data subjects in accordance with applicable law.
9. International and third-party transfers
Some of our service providers and infrastructure may be located outside the Philippines. Where personal data is transferred to or accessed from another jurisdiction, we remain accountable for that data and take steps to ensure it is afforded a comparable level of protection through appropriate contractual and organizational safeguards, consistent with the DPA.
10. Children
The Services are intended for individuals who are at least 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected personal data from a person under 18 without appropriate authority, we will take steps to delete it.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will revise the "Last updated" date above and, where the changes are material, provide a more prominent notice in the app or by other appropriate means. Your continued use of the Services after the changes take effect constitutes your acknowledgment of the updated Policy.
12. Contact us and our Data Protection Officer
For any questions, requests, or concerns regarding this Privacy Policy or your personal data, you may contact our Data Protection Officer:
Data Protection Officer — Sakay Mobility
Email: [email protected]
[Registered office address], Republic of the Philippines
For general support, you may also reach us at [email protected]. If you believe your data privacy rights have been violated, you may lodge a complaint with the National Privacy Commission (NPC) through its official channels at the NPC's published contact details.