Privacy Policy

We collect the following categories of personal data:

• Identity Data: Full name, display name
• Contact Data: Email address, phone number
• Technical Data: User ID (UID), login credentials
• Booking Data: Travel dates, special requests, package preferences
• Consent Data: Marketing and commercial use preferences

Sensitive Personal Data: If you provide special requests containing health information, dietary restrictions, or accessibility needs, this is treated as Sensitive Personal Data under the DPA and is subject to additional security measures.

We process your personal data based on the following lawful bases:

• Contract Performance: Processing necessary to fulfill booking requests and provide tourism services
• Consent: For commercial/marketing purposes (you may opt-in during booking)
• Legitimate Interests: Displaying package information for website functionality
• Legal Obligation: Compliance with tax, accounting, and regulatory requirements

Under the Kenya Data Protection Act, 2019, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data ("Right to be Forgotten")
• Right to Object: Object to processing for marketing purposes
• Right to Data Portability: Receive your data in a structured format
• Right to Withdraw Consent: Withdraw marketing consent at any time

To exercise these rights, visit your Profile Page or contact our Data Protection Officer.

We use Firebase (Google Cloud Platform) for data storage and processing. Your data may be transferred to and stored on servers outside Kenya, including the United States and European Union.

We ensure appropriate safeguards are in place through:

• Google's adherence to international data protection standards
• EU-US Data Privacy Framework compliance
• Standard Contractual Clauses (SCCs) where applicable
• Robust technical and organizational security measures

We retain your personal data only for as long as necessary to:

• Fulfill the purposes for which it was collected
• Comply with legal, accounting, or regulatory requirements
• Resolve disputes and enforce our agreements

Typical retention periods:

• Active bookings: Until trip completion + 7 years (tax/legal requirements)
• Marketing data (with consent): Until consent is withdrawn
• Account data: Until account deletion is requested and processed

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit and at rest
• Role-based access control (RBAC) for admin users
• Regular security audits and updates
• Firestore and Storage security rules
• Secure authentication via Firebase Auth

In the unlikely event of a personal data breach, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach, as required by the DPA.

If the breach poses a high risk to your rights and freedoms, we will also notify you directly without undue delay.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

• Posting the updated policy on this page
• Updating the "Last Updated" date below
• Sending you an email notification (for significant changes)