Privacy Policy – Aadvark Africa Safaris

Privacy 1. IMPORTANT INFORMATION AND COMPANY DETAILS

Data Controller Information

Company Name: AADVARK AFRICA SAFARIS
Registration: Kenya Tourism Board Licensed Operator
Address: Visions Plaza, 3rd Floor, Room 17, P.O. Box 64, Athi River, Kenya
Contact: info@aadvarkafrica.com

Policy Scope and Application This privacy policy applies to:

All clients and prospective clients
Website visitors and online service users
Newsletter subscribers and marketing contacts
Business partners and supplier contacts
Employee and contractor data (separate policy applies)

Legal Framework Compliance

Kenya Data Protection Act 2019
General Data Protection Regulation (GDPR) for EU residents
Tourism industry best practices
International data transfer regulations

Data Protection Principles We process personal data in accordance with principles of:

Lawfulness, fairness, and transparency
Purpose limitation and data minimization
Accuracy and timely correction
Storage limitation and secure retention
Integrity, confidentiality, and security
Accountability and demonstrable compliance

Privacy 2. DATA COLLECTION PRACTICES

Categories of Personal Data Collected

Identity and Contact Information

Full name and preferred name
Email addresses (personal and business)
Telephone numbers (mobile and landline)
Postal addresses (home and billing)
Date of birth and nationality
Gender and marital status

Travel-Related Information

Passport details and visa information
Travel preferences and requirements
Dietary restrictions and allergies
Medical conditions affecting travel
Emergency contact information
Previous travel history with us

Financial Information

Payment card details (securely processed)
Billing addresses
Transaction history
Payment preferences
Credit check information (if applicable)

Technical and Usage Data

IP addresses and device identifiers
Browser type and version
Operating system and device specifications
Website usage patterns and preferences
Cookie and tracking technology data
Search queries and interaction data

Communication Records

Email correspondence
Phone call recordings (with consent)
Live chat transcripts
Feedback and survey responses
Social media interactions
Marketing preference settings

Privacy 3. METHODS OF DATA COLLECTION

Direct Collection Methods

Online Platforms

Website contact forms and booking systems
Online account creation and management
Newsletter subscriptions and preference centers
Survey and feedback form submissions
Live chat and customer service interactions

Offline Interactions

Phone conversations and bookings
Face-to-face meetings and consultations
Trade show and event interactions
Paper-based forms and applications
Referral information from partners

Indirect Collection Methods

Third-Party Sources

Travel agents and booking partners
Social media platforms (with permission)
Marketing partners and affiliates
Credit reference agencies (for payment verification)
Public sources and industry databases

Automatic Collection

Website cookies and tracking pixels
Analytics tools and user behavior tracking
Email engagement and delivery statistics
Device fingerprinting and location data
Search engine and referral source data

Privacy 4. PURPOSE AND USE OF PERSONAL DATA

Primary Service Delivery

Booking and Reservation Management

Processing travel bookings and modifications
Coordinating with suppliers and service providers
Managing payment processing and invoicing
Providing booking confirmations and travel documents
Handling cancellations and refund processing

Customer Service and Support

Responding to inquiries and providing information
Resolving issues and handling complaints
Providing travel assistance and guidance
Emergency support and communication
Post-travel follow-up and feedback collection

Communication and Marketing

Service Communications

Sending booking confirmations and updates
Providing travel information and itineraries
Notifying of changes or disruptions
Emergency communications and alerts
Post-service feedback requests

Marketing Communications

Promotional offers and special deals
Newsletter subscriptions and travel inspiration
Event invitations and webinar notifications
Customer satisfaction surveys
Loyalty program communications

Business Operations

Service Improvement

Analyzing customer preferences and behavior
Developing new products and services
Improving website functionality and user experience
Training staff and enhancing service quality
Measuring customer satisfaction and loyalty

Legal and Regulatory Compliance

Meeting tourism industry regulations
Complying with tax and financial reporting requirements
Maintaining records for legal proceedings
Preventing fraud and ensuring security
Adhering to health and safety regulations

Privacy 5. DATA DISCLOSURE AND SHARING

Service Provider Partnerships

Travel Service Suppliers

Hotels, lodges, and accommodation providers
Airlines and transportation companies
Tour operators and activity providers
Restaurant and dining service providers
Insurance companies and assistance services

Business Support Services

Payment processors and financial institutions
IT service providers and cloud storage companies
Marketing agencies and communication platforms
Legal advisors and professional consultants
Accounting and auditing firms

Legal and Regulatory Disclosures

Government Authorities

Tax authorities for financial reporting
Tourism regulatory bodies for compliance
Law enforcement agencies for legal investigations
Immigration authorities for visa processing
Health authorities for safety and security

Legal Proceedings

Court orders and legal discovery requests
Regulatory investigations and audits
Insurance claims and dispute resolution
Merger and acquisition due diligence
Debt collection and recovery proceedings

Consent-Based Sharing

Marketing Partnerships

Joint marketing campaigns with partner companies
Referral programs and affiliate arrangements
Social media integration and sharing features
Customer testimonials and case studies
Travel blogger and influencer collaborations

Privacy 6. INTERNATIONAL DATA TRANSFERS

Transfer Mechanisms and Safeguards

Adequacy Decisions

Transfers to countries with adequate data protection laws
European Commission adequacy decisions
Automatic authorization for adequate countries
Ongoing monitoring of adequacy status
Alternative mechanisms if adequacy withdrawn

Standard Contractual Clauses

European Commission-approved contract terms
Binding obligations for data protection
Audit rights and compliance monitoring
Data subject rights and remedy mechanisms
Regular review and update procedures

Certification Programs

Privacy Shield and successor frameworks
Industry-specific certification schemes
Third-party verification and monitoring
Annual compliance assessments
Transparent reporting and accountability

Transfer Impact Assessments

Risk Evaluation Process

Assessment of destination country laws
Evaluation of security measures and controls
Analysis of data sensitivity and volume
Review of recipient obligations and commitments
Documentation of safeguards and protections

Ongoing Monitoring

Regular review of transfer arrangements
Updates based on legal and regulatory changes
Incident monitoring and response procedures
Compliance audits and assessments
Stakeholder communication and transparency

Privacy 7. DATA SECURITY MEASURES

Technical Security Controls

Encryption and Cryptography

Data encryption in transit using TLS 1.3
Data encryption at rest using AES-256
End-to-end encryption for sensitive communications
Cryptographic key management and rotation
Digital signatures and certificate validation

Access Controls and Authentication

Multi-factor authentication for system access
Role-based access controls and permissions
Regular access reviews and recertification
Privileged account management and monitoring
Single sign-on and identity federation

Network and Infrastructure Security

Firewall protection and intrusion detection
Virtual private networks for remote access
Security monitoring and incident response
Regular vulnerability assessments and penetration testing
Secure software development practices

Organizational Security Measures

Personnel Security

Background checks for employees handling personal data
Security awareness training and education programs
Confidentiality agreements and code of conduct
Regular security updates and communications
Incident reporting and response procedures

Physical Security

Secure office facilities with access controls
Locked storage for physical documents
Clean desk policies and secure disposal
Visitor management and escort procedures
Environmental monitoring and protection

Vendor Management

Due diligence and security assessments
Contractual security requirements and obligations
Regular audits and performance monitoring
Incident notification and response procedures
Business continuity and disaster recovery planning

Privacy 8. DATA RETENTION POLICIES

Retention Principles and Criteria

Legal and Regulatory Requirements

Tax records: 7 years minimum retention
Payment card data: Limited retention per PCI DSS
Health and safety records: 10 years minimum
Employment records: As required by labor law
Contract and agreement records: Duration plus 6 years

Business and Operational Needs

Active client relationships: Duration of relationship plus 3 years
Inactive client data: 5 years from last interaction
Marketing communications: Until consent withdrawal
Website analytics: 26 months maximum
Customer service records: 3 years from resolution

Data Category-Specific Retention

Financial and Payment Data

Transaction records: 7 years for tax compliance
Payment card data: Minimal retention, secure deletion
Billing and invoicing: 7 years regulatory requirement
Refund and credit records: 7 years for auditing
Financial reporting data: Permanent retention

Communication and Marketing Data

Email marketing lists: Until consent withdrawal
Communication preferences: Until account closure
Customer service inquiries: 3 years maximum
Feedback and survey responses: 5 years for analysis
Social media interactions: Platform-dependent

Secure Disposal Procedures

Digital data: Cryptographic erasure and overwriting
Physical documents: Secure shredding and destruction
Storage media: Physical destruction or degaussing
Backup systems: Automated purging procedures
Third-party disposal: Certified destruction services

Privacy 9. YOUR PRIVACY RIGHTS

Information Access Rights

Right to Access

Request copies of personal data held
Information about processing purposes and legal basis
Details of data recipients and transfer locations
Retention periods and deletion criteria
Source of data if not directly collected

Right to Rectification

Correct inaccurate or incomplete personal data
Update contact information and preferences
Amend travel requirements and restrictions
Verify identity before making corrections
Notification to third parties of corrections

Data Portability and Control

Right to Data Portability

Receive personal data in structured, machine-readable format
Transfer data to another service provider
Applies to data processed by consent or contract
Technical feasibility considerations apply
Security measures maintained during transfer

Right to Erasure (Right to be Forgotten)

Request deletion of personal data when no longer necessary
Withdraw consent for consent-based processing
Object to processing for legitimate interests
Challenge unlawful or excessive processing
Legal retention requirements may override requests

Processing Restriction and Objection Rights

Right to Restrict Processing

Suspend processing while verifying data accuracy
Maintain data without active processing
Limited to storage and specific authorized uses
Notification before lifting restrictions
Alternative to deletion in certain circumstances

Right to Object

Object to processing based on legitimate interests
Opt-out of direct marketing communications
Object to profiling and automated decision-making
Compelling legitimate grounds may override objections
Immediate cessation for marketing objections

Rights Exercise Procedures

Request Submission Process

Submit requests through designated contact channels
Provide sufficient information for identity verification
Specify the rights being exercised and scope
Include relevant account or reference numbers
Allow reasonable time for processing (30 days standard)

Identity Verification Requirements

Government-issued photo identification
Account verification through security questions
Email confirmation from registered addresses
Phone verification for account holders
Additional verification for sensitive requests

Response and Appeal Process

Acknowledgment within 72 hours of receipt
Substantive response within 30 days (extendable to 90 days)
Clear explanation if request is declined
Information about complaint and appeal rights
Free of charge unless requests are excessive

Privacy 10. DEFINITIONS AND GLOSSARY

Key Privacy Terms

Personal Data Any information relating to an identified or identifiable natural person, including:

Direct identifiers (names, ID numbers, email addresses)
Indirect identifiers (IP addresses, device IDs, location data)
Special category data (health, biometric, genetic information)
Online identifiers and digital footprints
Inferred data and profiles derived from personal information

Data Processing Any operation performed on personal data, including:

Collection, recording, and storage
Organization, structuring, and retrieval
Use, analysis, and consultation
Disclosure, transmission, and sharing
Alignment, combination, and profiling
Restriction, erasure, and destruction

Legal Basis for Processing Legitimate grounds for processing personal data:

Consent: Freely given, specific, informed agreement
Contract: Necessary for contract performance
Legal Obligation: Required by law or regulation
Vital Interests: Protecting life or physical safety
Public Task: Performing official functions
Legitimate Interests: Balanced against individual rights

Data Protection Roles

Data Controller Entity determining purposes and means of processing:

AADVARK AFRICA SAFARIS for client and marketing data
Responsible for compliance and data subject rights
Determines retention periods and security measures
Liable for processing activities and violations
Must maintain records of processing activities

Data Processor Entity processing data on behalf of controller:

IT service providers and cloud storage companies
Payment processors and booking platforms
Marketing agencies and communication services
Must follow controller instructions and contracts
Limited liability for processing activities

Data Subject Individual whose personal data is being processed:

Clients, prospective clients, and website visitors
Newsletter subscribers and marketing contacts
Employees, contractors, and business partners
Has specific rights regarding their data
Can exercise rights and lodge complaints

Privacy 11. POLICY UPDATES AND AMENDMENTS

Policy Review and Update Schedule

Annual comprehensive policy review
Quarterly assessment of regulatory changes
Ad hoc updates for significant business changes
Emergency updates for security incidents
Stakeholder input and feedback integration

Change Notification Procedures

Significant Changes

Email notification to all active clients
Website banner announcements for 30 days
Social media posts and newsletter inclusions
Direct communication for material changes affecting rights
Minimum 30 days notice period before implementation

Minor Updates

Website posting with effective date
Next scheduled communication inclusion
Version control and change tracking
Archive of previous policy versions
Clear indication of modification dates

Consent and Continued Use

Continued service use constitutes acceptance
Explicit consent required for material changes
Opt-out procedures for objectionable changes
Grace period for service discontinuation
Alternative arrangements for objecting users

Privacy 12. CONSENT AND AGREEMENT

Consent Mechanisms

Booking and Registration Consent

Explicit consent checkbox during booking process
Separate consent for marketing communications
Granular consent options for different purposes
Clear explanation of consent implications
Easy withdrawal mechanisms provided

Ongoing Consent Management

Preference center for consent updates
Regular consent refresh and confirmation
Automatic consent expiration for inactive accounts
Clear records of consent history and changes
Respect for withdrawn consent immediately

Special Category Data Consent

Explicit consent for health and medical information
Clear explanation of necessity and use
Option to decline and alternative arrangements
Enhanced security and access controls
Limited retention and automatic deletion

Privacy 13. CONTACT INFORMATION

Data Protection Contacts

Primary Contact

General Privacy Inquiries: privacy@aadvarkafrica.com
Response Time: 48 hours for acknowledgment
Business Hours: Monday-Friday, 8:00 AM – 6:00 PM EAT
Mailing Address: Visions Plaza, 3rd Floor, Room 17 P.O. Box 64, Athi River, Kenya

Data Protection Officer

Email: info@aadvarkafrica.com
Responsibilities: Privacy compliance, rights requests, breach response
Availability: Monday-Friday, 9:00 AM – 5:00 PM EAT

Rights Request Processing

Dedicated Email: info@aadvarkafrica.com
Identity Verification: Required for all requests
Processing Time: 30 days standard, 90 days maximum
Appeal Process: Available for declined requests

Emergency and Breach Reporting

Breach Notification: info@aadvarkafrica.com
Response Team: Available within 2 hours
Escalation Procedures: Defined response protocols
Regulatory Notification: Within 72 hours of discovery

Address

Quick Links

Policies and Legal

Mobile

Email

Visit Us