Data Protection & Public Transparency

MTSAi is designed on a privacy-by-minimisation principle. The system collects only the data required to verify incentive-eligible behaviour and distribute rewards.

It is not designed to build commuter profiles, track individual movement continuously, or share personal data across city deployments.

The government is the data controller. MTSAi is the processor. That distinction is not a detail — it is the architecture.

Privacy by Design

Four Architectural Commitments

Data protection at MTSAi is structural, not policy. These four principles are built into the system — not written on top of it.

01. Minimisation by Design

Only the minimum data required to verify incentive-eligible behaviour is collected — no more, no less.

02. Government Control

The public authority defines what is collected, how it is used, and how long it is retained. MTSAi acts only within those parameters.

03. Consent-Based Participation

Commuters opt in to participation and can withdraw at any time. Data collection follows explicit consent, not default enrolment.

04. No Cross-City Identity

Individual identity is not correlated across city deployments. Each programme operates as a data silo.

05. Aggregated Output Only

Programme metrics shared with authorities are anonymised and aggregated — never individually attributed.

06. Public Scrutiny Ready

Programme policies and governance rules are designed to be published in plain language for civil society review.

What the System Does Not Collect

By design, the following data is outside the scope of what MTSAi collects:

No Continuous GPS Tracking

The system does not track individual commuter location continuously.

No Biometric Data

No biometric data is collected at any point in the programme.

No Cross-City Correlation

Individual identity is not correlated across city deployments.

No Commercial Data Sharing

No data sharing with third-party advertisers or commercial platforms.

Participation data is processed in anonymised, aggregated form for programme evaluation. Individual identity is not shared with third parties or across city deployments.

Key Commitment

The data minimisation principle is enforced at the architecture level — the system is not designed to collect data it does not need, and cannot be repurposed for profiling without government authorisation and contract amendment.

What the System Collects

The system collects only the minimum data required to:

  • Verify incentive-eligible travel behaviour (occupancy or off-peak timing)
  • Calculate and distribute rewards through existing digital payment infrastructure
  • Generate anonymised, aggregated programme metrics for city authorities

Data collection is consent-based. Commuters opt in to participation and can withdraw at any time.

Government as Data Controller

The city or state authority is the data controller. MTSAi operates as a data processor, acting only within the parameters set by the government authority.

The public authority defines what data is collected, how it is used, and how long it is retained. This structure is designed to align with the Digital Personal Data Protection Act and ensures accountability remains with the public authority.

Structural Safeguard

This controller-processor distinction means MTSAi cannot independently expand data scope, extend retention periods, or onboard third-party data recipients without explicit government direction — embedded in contract.

Public Transparency

Programme policies — including incentive structures, eligibility conditions, and data-governance rules — are designed to be published in plain language. Cities can make programme parameters available so commuters and civil society can understand and scrutinise how the system operates.

Audit-ready documentation is available to government authorities at any time.

Privacy Architecture

By the numbers

0 biometric data points
The system collects no biometric data at any stage of programme operation.

100% consent-based enrolment
All participation is opt-in. Commuters can withdraw at any time without penalty.

1 data controller per city
Each deployment operates under a single public authority as data controller. No cross-city correlation.

Privacy is not a compliance checkbox. It is a design constraint that shapes every decision about what data the system touches.

Platform Status Disclosure

Pre-Deployment Status (Jan 2026)

No live city implementations are currently operational. All deployment, outcome, and operational capability references are design specifications subject to government procurement, contract execution, and implementation.

Compliance Status

All references to regulatory frameworks represent design intent and readiness posture. Final compliance is verified through government audit per contract scope.

International References

Case study outcomes cited from London, Singapore, Stockholm, and other cities are external examples from independent transportation authorities, not MTSAi deployments.