TranzCare
← Back to site
Privacy Policy
This Privacy Policy explains how Tranzcare Limited (“TranzCare”, “we”, “us”, “our”) collects, uses, stores, shares and protects your personal data when you visit our website, contact our chatbot, make a booking, or use any of our services (vehicle rental, chauffeur, airport transfer, vacation rental).
We comply with the Data Protection Act, 2020 of Jamaica (“DPA”) and the standards published by the Office of the Information Commissioner (OIC).
1. Data Controller and Data Protection Officer
1.1 Data Controller
TranzCare is the data controller responsible for your personal data.
- Legal name: Tranzcare Limited
- Trading name: TranzCare Rent-A-Car
- Registered office: CSO, 3 Upper Elleston Road, Kingston, Jamaica
- Email: info@tranzcareja.com
- Phone: +1 876 356 3579 / +1 876 402 9265
1.2 Data Protection Officer (DPO)
Because we process sensitive data (driver’s licence and passport images required by Jamaica road traffic law) we have appointed a Data Protection Officer in accordance with section 20 of the Data Protection Act, 2020.
- DPO contact: dpo@tranzcareja.com (or info@tranzcareja.com with subject “DPO request”)
- The DPO is responsible for monitoring our compliance with the DPA, advising on data protection impact assessments, and acting as the point of contact for data subjects and the OIC.
2. What personal data we collect
2.1 Data you provide to us
| Category | Examples | When collected |
|---|---|---|
| Identity | Full name | Booking, chatbot conversation |
| Contact | Phone number, email | Booking, contact form |
| Identification documents | Driver’s licence, passport (photo) | Booking step 4 — required by Jamaica road traffic law for vehicle pickup |
| Booking details | Dates, vehicle, location, passenger count, service requested | Booking flow |
| Payment | Processed by PayPal — we do not store full card numbers | Deposit and balance payment |
| Communications | Messages exchanged with our chatbot, email and WhatsApp | When you contact us |
2.2 Data collected automatically
- Device & browser: IP address, user agent, language, screen size, time zone (used for security logs and analytics).
- Local storage identifier: a random anonymous identifier (UUID) stored in your browser’s local storage, used to recognise you on return visits and personalise the chatbot. It is not linked to any external advertising network.
- Cookies and service worker: functional cookies and a Progressive Web App (PWA) service worker for offline functionality. We do not use third-party advertising or tracking cookies by default.
3. Why we use your data (purposes & legal basis)
| Purpose | Data used | Legal basis (DPA s.22) |
|---|---|---|
| Process and fulfil your booking | Identity, contact, ID document, booking details, payment | Performance of a contract |
| Comply with vehicle rental obligations under Jamaica law | ID document, driver’s licence | Legal obligation |
| Customer support, communication, confirmations (Email / WhatsApp / Calendar) | Contact, booking | Performance of a contract |
| Run the conversational AI chatbot and remember your preferences across visits | Local storage UUID, chat history, preferred language, past bookings (summary) | Consent (you may opt out at any time — see Section 8) |
| Site security, fraud prevention, abuse detection | IP address, technical logs | Legitimate interest |
| Analytics and service improvement (aggregated, non-identifying) | Browser & device metadata | Legitimate interest |
4. How long we keep your data (retention)
- Active bookings: kept for the duration of the rental + the period required by Jamaica tax and accounting law (currently 7 years).
- ID documents (driver’s licence / passport): deleted within 90 days of the rental return, unless required for an open dispute, insurance claim or legal investigation.
- Chatbot conversation profile (UUID-based): automatically deleted after 12 months of inactivity, or immediately on your request.
- Marketing communications (if any): until you unsubscribe.
- Server & security logs: 90 days.
5. Who we share your data with (sub-processors)
We use the following third-party providers strictly for delivering our service. Each is bound by a written data processing agreement and processes data only on our instructions:
| Provider | Purpose | Country |
|---|---|---|
| Vercel Inc. | Web hosting and serverless functions | United States |
| Upstash Inc. (Redis) | Database storage for bookings and chatbot memory | United States / EU |
| Fireworks AI Inc. | AI inference for the chatbot (no training on your data) | United States |
| PayPal Holdings Inc. | Payment processing (their privacy policy applies to payment data) | United States / global |
| Google LLC (optional) | Calendar invites and Gmail confirmations, only if you choose those buttons | United States |
| WhatsApp / Meta Platforms (optional) | Messaging confirmations, only if you choose WhatsApp | United States / global |
We do not sell your personal data, and we do not share it with advertising networks or data brokers.
6. International data transfers
Some of our processors are located outside Jamaica (primarily in the United States and the European Union). Where this is the case, we rely on:
- Adequacy decisions where applicable, or
- Standard contractual safeguards in our processor agreements that require equivalent protection to the DPA.
7. How we protect your data
- HTTPS (TLS 1.2+) on all pages, with HSTS preload enabled.
- Strict Content Security Policy on the admin dashboard, X-Frame-Options DENY, X-Content-Type-Options nosniff.
- Admin authentication via server-issued, time-limited HMAC-signed session tokens (no plaintext credentials in the browser).
- Encrypted secrets at rest in our hosting provider’s vault.
- Principle of least privilege — only authorised staff can access booking data.
- Regular code review and security audits.
8. Data breach notification
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Office of the Information Commissioner (OIC) within 72 hours of becoming aware of the breach, as required by section 27 of the DPA, 2020.
- Notify affected data subjects directly (by email, SMS or WhatsApp) without undue delay, with a clear description of the nature of the breach, the likely consequences, the measures taken to mitigate it, and the contact details of our DPO.
- Document every breach internally — including those that do not require notification — for review by the OIC on request.
9. Your rights under the Data Protection Act, 2020
As a data subject, you have the following rights:
- Right of access — obtain a copy of the personal data we hold about you.
- Right of rectification — correct inaccurate or incomplete data.
- Right of erasure (“right to be forgotten”) — request deletion of your data when it is no longer necessary.
- Right to restrict processing in certain circumstances.
- Right to object to processing based on legitimate interest.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to withdraw consent at any time, where processing is based on consent (this does not affect the lawfulness of prior processing).
- Right not to be subject to automated decisions producing legal or significant effects. Our chatbot does not make any such decisions; bookings are confirmed by a human team member.
10. How to exercise your rights
Send your request by email to info@tranzcareja.com with the subject line:
- “DPA: Access request” — to receive a copy of your data
- “DPA: Rectification request” — to correct your data
- “DPA: Erasure request” — to delete your data
- “DPA: Portability request” — to receive your data in JSON format
We will verify your identity (to prevent unauthorised disclosure) and respond within 30 calendar days, free of charge. If your request is complex, we may extend by an additional 30 days and notify you.
11. Right to lodge a complaint
If you believe we have infringed your rights under the DPA, you can lodge a complaint with the supervisory authority:
Office of the Information Commissioner (Jamaica)
Website: www.oic.gov.jm
Email: info@oic.gov.jm
The OIC investigates complaints under the Data Protection Act, 2020.
12. Children
Our services are intended for users aged 18 or older (the legal age to rent a vehicle in Jamaica is 23 with at least 2 years of driving experience for most categories). We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Cookies and local storage
We use the minimum technical storage necessary to operate the site:
tc_uid— anonymous local-storage identifier for chatbot memory (deleted with browser data clear).- Service Worker for Progressive Web App offline support.
- Session storage for the admin dashboard authentication token.
We do not use third-party advertising cookies, analytics tracking pixels, or fingerprinting scripts by default. If we add any in future, we will update this policy and request consent.
14. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. The effective date at the top will indicate the most recent version. For material changes, we will notify users by a notice on the homepage and (where we hold an email address) by email.
Contact us
For any privacy-related question:
Email: info@tranzcareja.com
Phone: +1 876 356 3579 / +1 876 402 9265
Office: CSO, 3 Upper Elleston Rd., Kingston, Jamaica