Privacy Policy

Effective Date: April 1, 2026 • Version 1.0

1. Who We Are and How to Reach Us

Jimamu Inc. ("Jimamu," "we," "our," or "us") is a federally incorporated Canadian company that operates the Caro peer-to-peer delivery platform (the "Platform" or "Caro"). We are the data controller responsible for the personal information collected through the Caro mobile application, website, and related services.

Privacy Officer: Jimamu Inc.

Mailing Address: 2505 116 St NW, Canada

Email: info@thecaro.app

General Legal: info@thecaro.app

We will respond to all privacy inquiries within 30 calendar days.

2. Scope of This Policy

This Privacy Policy applies to all individuals who interact with the Caro Platform, including:

  • Customers (users who request delivery services);
  • Riders (independent contractors who fulfill delivery requests);
  • Visitors to our website or promotional pages; and
  • Any other person whose personal information we process in connection with the Platform.

This Policy covers data collected through the Caro mobile application (iOS and Android), the Caro web interface, communications with our support team, and any integrations with third-party services enabled by us. It does not govern the privacy practices of third parties whose links may appear on the Platform.

3. Legal Framework

We are committed to compliance with all applicable privacy and data protection laws, including:

  • The Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation in Canada;
  • The General Data Protection Regulation (GDPR) for users located in the European Economic Area;
  • The California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) for California residents;
  • The Lei Geral de Proteção de Dados (LGPD) for users in Brazil;
  • Any other applicable national, provincial, or territorial data protection laws in jurisdictions where the Platform operates.

We apply the highest applicable standard from the above frameworks to all users, regardless of location, as a matter of policy.

4. Personal Information We Collect

4.1 Account & Profile Information (All Users)

  • Full legal name
  • Username (chosen by user)
  • Email address
  • Phone number
  • Date of birth (to verify users are of legal age)
  • Profile photograph
  • Password (stored in hashed, salted form — never in plain text)
  • User-selected preferences and notification settings

4.2 Identity Verification Information (Riders Only)

  • Photograph of government-issued identification (Passport, Driver's License, or equivalent)
  • Selfie photograph for liveness detection and identity matching
  • Social Insurance Number (SIN) — collected solely for Canadian tax reporting obligations (T4A issuance) and stored using field-level encryption
  • Results of third-party identity verification checks

4.3 Financial Information

  • Bank account details (Transit Number, Institution Number, Account Number) for Rider earnings disbursement
  • Mobile financial service (MFS) wallet identifiers
  • Payment method details for Customers (processed and tokenized by our payment processor; we do not store raw card numbers)
  • Transaction history, earnings records, and payout logs

4.4 Package & Delivery Information

  • Item description and declared value
  • Photographs of packages (taken at pickup and delivery)
  • Package dimensions and weight
  • Pickup and drop-off addresses
  • Special handling instructions

4.5 Location Data

  • Precise GPS coordinates — collected from Riders during active delivery sessions when the app is set to "Online" status
  • Approximate location — collected from Customers to display nearby available Riders and estimate delivery timeframes
  • Route and movement data during an active delivery

Background location is collected from Riders only while their status is set to "Online." We do not collect Rider location data when the app is closed or when the Rider is set to "Offline."

4.6 Device & Technical Information

  • Device type, operating system version, and unique device identifiers
  • IP address and approximate network location
  • App version and crash/diagnostic logs
  • Browser type (for web users)

4.7 Communications Data

  • In-app messages between Customers and Riders (routed through our anonymized messaging system)
  • Support tickets and chat transcripts
  • Ratings and reviews submitted following a delivery
  • Feedback, survey responses, and reports submitted to us

5. How and Why We Use Your Information

We process personal information only for specific, legitimate purposes. For each purpose, we identify the applicable legal basis:

5.1 Providing the Platform

We use your information to create and maintain your account, match Customers with available Riders, facilitate package pickup and delivery, process payments and disburse Rider earnings, and provide in-app navigation and real-time delivery tracking.

Legal Basis: Performance of a contract with you.

5.2 Safety, Security & Fraud Prevention

We use information to verify the identity of Riders, detect and prevent fraudulent activity and abuse, monitor for prohibited items or suspicious delivery requests, and ensure the safety of both parties during a transaction.

Legal Basis: Legitimate interests; compliance with legal obligations.

5.3 Legal & Regulatory Compliance

We process financial and identity data to issue Canadian tax documents (T4A and other applicable forms), comply with anti-money-laundering (AML) and know-your-customer (KYC) obligations, respond to lawful requests from government authorities or courts, and satisfy customs and import/export reporting requirements for international deliveries.

Legal Basis: Legal obligation.

5.4 Customer Support & Dispute Resolution

We use your account data, transaction history, and package photographs to investigate and resolve disputes relating to lost, damaged, or undelivered packages, respond to support inquiries, and enforce our policies.

Legal Basis: Legitimate interests; performance of a contract.

5.5 Platform Improvement & Analytics

We use aggregated, de-identified data to understand how the Platform is used, identify technical issues, improve matching algorithms, and develop new features.

Legal Basis: Legitimate interests; consent (where required).

5.6 Marketing & Communications

With your consent, we may send promotional emails, push notifications, or in-app messages about new features, promotions, or service updates. You may opt out at any time through your account settings.

Legal Basis: Consent.

6. Information Sharing and Disclosure

Jimamu does not sell, rent, or trade your personal information to third parties for their marketing purposes. We share your information only in the following circumstances:

6.1 Between Platform Users

  • When a Rider accepts a delivery, the Customer will see the Rider's first name, profile photo, real-time location (during the delivery), and in-app rating.
  • The Rider will see the Customer's first name, pickup address, delivery address, and package description. Full contact details are shared only through our anonymized relay system.

6.2 Service Providers and Processors

We engage trusted third-party vendors under strict data processing agreements (DPAs), including payment processors, identity verification providers, cloud infrastructure providers, customer support software providers, analytics platforms (using de-identified data only), and SMS/push notification services.

6.3 Legal and Regulatory Authorities

We may disclose your information to government agencies, law enforcement, tax authorities (including the CRA), or courts when required by applicable law, to enforce our Terms, prevent imminent harm, or for customs clearance in international deliveries.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the successor entity. We will provide notice before your information becomes subject to a materially different privacy policy.

6.5 With Your Consent

We may share your information for any other purpose with your explicit, prior consent.

7. International Data Transfers

Caro operates internationally. Your personal information may be transferred to, stored in, and processed in countries other than the country in which you reside, including Canada, the United States, and other jurisdictions where our service providers operate. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, binding corporate rules, or your explicit consent where no other mechanism applies.

8. Location Data in Detail

Rider Location

  • Collected only when the Rider's app status is set to "Online."
  • Shared with the matched Customer in real-time during an active delivery.
  • Retained in delivery records for dispute resolution and safety purposes.
  • Not used for advertising or sold to data brokers.

Customer Location

  • Approximate location is used to surface available Riders and estimate delivery costs.
  • Precise address is collected only when you create a delivery order.

Opting Out

You may disable location permissions through your device's operating system settings at any time. Disabling location access will prevent core delivery functionality from operating correctly.

9. Data Security

We implement administrative, technical, and physical safeguards including:

  • Transport Layer Security (TLS 1.2 or higher) for all data in transit
  • AES-256 encryption for data at rest, including databases storing financial and identity information
  • Field-level encryption for particularly sensitive data, including Social Insurance Numbers and bank account details
  • Role-based access controls limiting internal access on a strict need-to-know basis
  • Multi-factor authentication (MFA) for all internal systems and administrator accounts
  • Regular third-party penetration testing and security audits
  • Incident response procedures meeting applicable legal notification timelines (72 hours under GDPR; as soon as feasible under PIPEDA)

No method of electronic transmission or storage is 100% secure. In the event of a breach affecting your rights and freedoms, we will notify you and applicable authorities as required by law.

10. Data Retention

We retain personal information only for as long as necessary. Our retention schedule:

Data Type | Retention Period
Account data (active accounts) | Duration of account relationship + 2 years
Financial records and transaction history | Minimum 7 years (Canadian tax law)
Identity verification documents (Rider IDs, SIN) | Duration of Rider relationship + 7 years
Delivery records (package photos, logs) | 3 years for dispute resolution
Support communications | 2 years from date of resolution
Device logs and analytics data | 13 months (then aggregated/de-identified)

Upon account deletion, we will delete or anonymize your personal information within 90 days, except where retention is required by law or for outstanding disputes or legal proceedings.

11. Your Rights

Depending on your location and applicable law, you have the following rights:

  • Right of Access: Request a copy of the personal information we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data. You can update most account details directly in-app.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal information, subject to our legal obligations.
  • Right to Withdraw Consent: Withdraw consent for any processing based on consent at any time.
  • Right to Data Portability: Receive your personal information in a structured, machine-readable format.
  • Right to Object: Object to processing where we rely on legitimate interests as the legal basis.
  • Right to Restrict Processing: Request restriction of processing in certain circumstances.
  • Right Not to Be Subject to Automated Decisions: Request human review of decisions made solely through automated processing.

To exercise any of these rights, contact us at privacy@caroapp.com. We will respond within 30 days. If you are dissatisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca).

12. Children's Privacy

The Caro Platform is not directed to children under the age of 18. We do not knowingly collect personal information from individuals under 18 years of age. If you believe a minor has provided us with personal information, please contact us at privacy@caroapp.com.

13. Cookies and Tracking Technologies

Our website and app may use cookies, pixel tags, SDKs, and similar tracking technologies to:

  • Maintain your session and authentication state;
  • Remember your preferences;
  • Analyze usage patterns and improve the Platform; and
  • Deliver relevant communications (with your consent).

You can manage cookie preferences through your browser settings. Our mobile application relies on SDK-level tracking, which can be managed through your device's privacy settings.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notification, email, or prominent notice on our website at least 14 days before the change takes effect. Your continued use of the Platform after the effective date constitutes acceptance of the revised Policy.

Contact Us

If you have questions about this policy or wish to exercise your rights, contact our Privacy Officer:

Email: info@thecaro.app

Privacy Requests: privacy@caroapp.com

Address: 2505 116 St NW, Canada

Response Time: Within 30 calendar days