Privacy Policy

1. Data Controller

The data controller responsible for your personal information is:

This policy is issued in compliance with the Kenya Data Protection Act, 2019 (Act No. 24 of 2019) and good practice standards aligned with international frameworks including the GDPR.

2. Information We Collect

We collect personal information through the following channels:

2.1 Inquiry Forms

When you submit an inquiry through our website or contact us directly, we collect:

• Full name
• Email address
• Phone number (optional)
• Travel preferences and dates
• Budget range and group size
• Any additional details you include in your message

2.2 Booking and Travel Data

When you make a booking, we collect:

• Full legal name as per passport
• Date of birth
• Passport number, issuing country, and expiry date
• Nationality
• Dietary requirements and accessibility needs
• Emergency contact name and phone number
• Medical information relevant to your itinerary (only where disclosed by you)
• Payment information (processed securely via our payment providers — we do not store full card numbers)

2.3 Customer Portal Accounts

If you register for a customer portal account, we additionally collect your login credentials (email and hashed password) and any profile information you choose to provide.

2.4 Website Analytics

We may collect anonymised information about how visitors use our website, including pages visited, session duration, and referring sources. This is used solely to improve our website and services.

2.5 Communications

We retain records of correspondence with you — including emails, WhatsApp messages, and call notes — to maintain continuity of service.

3. How We Use Your Information

We use your personal information for the following purposes:

• To respond to your inquiry and provide quotations, itineraries, and travel advice;
• To process and manage your booking, including communicating with airlines, accommodation providers, ground operators, and park authorities on your behalf;
• To arrange travel documentation such as tickets, vouchers, and visas where applicable;
• To process payments and issue invoices and receipts;
• To provide pre-trip and in-trip support including emergency contact procedures;
• To send service-related communications such as booking confirmations, itinerary updates, and post-trip follow-ups;
• To comply with our legal obligations, including tax record-keeping and anti-money laundering requirements;
• To improve our services through aggregated analysis of customer feedback and travel trends (no individual is identifiable in such analysis).

We do not use your information for automated decision-making or profiling.

4. Legal Basis for Processing

We process your personal information on the following lawful grounds under the Kenya Data Protection Act, 2019:

• Performance of a contract: Processing necessary to fulfil your booking or to take pre-booking steps at your request;
• Legal obligation: Processing necessary to comply with applicable laws (e.g., tax, anti-money laundering, tourism regulations);
• Legitimate interests: Processing for our legitimate business interests, including fraud prevention, service improvement, and direct marketing to existing clients — where these interests are not overridden by your rights;
• Consent: Where we process data on the basis of your consent (e.g., newsletter subscriptions), you may withdraw consent at any time.

5. Data Sharing

We share your personal information only where necessary and only with trusted parties:

• Travel suppliers: Airlines, hotels, lodges, ground transport operators, park authorities, and tour guides — to the extent required to fulfil your booking;
• Payment processors: Our payment gateway providers process payment information under their own privacy and security obligations;
• Technology providers: Secure cloud service providers who host our systems and data under contractual data protection obligations;
• Legal authorities: Where required by law, court order, or regulatory authority in Kenya.

We do not sell, rent, or trade your personal information to any third party for their own marketing purposes.

6. International Data Transfers

Some of our service providers and travel partners may be located outside Kenya. Where we transfer your personal data internationally, we ensure that appropriate safeguards are in place — including contractual protections — consistent with the requirements of the Kenya Data Protection Act, 2019.

7. Data Retention

We retain personal information only for as long as necessary for the purpose for which it was collected:

• Booking and financial records: 7 years from the date of the transaction, in accordance with Kenyan tax and accounting requirements;
• Inquiry data (non-converted leads): 2 years from the date of inquiry, after which it is securely deleted;
• Portal accounts: For the duration the account remains active, plus 1 year after last login;
• Marketing communications: Until you unsubscribe or withdraw consent.

8. Your Rights

Under the Kenya Data Protection Act, 2019, you have the following rights:

• Right to access: You may request a copy of the personal information we hold about you;
• Right to rectification: You may ask us to correct inaccurate or incomplete information;
• Right to erasure: You may ask us to delete your personal information where there is no overriding lawful basis for us to retain it;
• Right to data portability: Where technically feasible, you may request your data in a structured, machine-readable format;
• Right to object: You may object to processing based on our legitimate interests or for direct marketing purposes;
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at info@twiyoadventures.org. We will respond within 21 days. We may need to verify your identity before processing your request.

9. Cookies and Analytics

Our website may use cookies and similar tracking technologies to improve your browsing experience and to analyse site usage. Cookies are small text files stored on your device. You may configure your browser to refuse cookies, though this may affect certain site functionality.

Where we use analytics tools, data is collected in an aggregated and anonymised form. We do not use advertising cookies or share analytics data with third parties for their commercial purposes.

10. Security

We implement appropriate technical and organisational measures to protect your data, including:

• Encrypted data transmission (HTTPS/TLS) across all our web services;
• Secure, access-controlled servers and databases;
• Staff training on data protection responsibilities;
• Regular review of our data security practices.

No method of electronic transmission or storage is 100% secure. If you believe your information has been compromised, please contact us immediately.

11. Children’s Privacy

Our services are not directed at children under 18 years of age. We do not knowingly collect personal information directly from minors. Where a booking includes a minor, personal information relating to that minor is provided by their parent or legal guardian, who accepts our terms on their behalf.

12. Changes to This Policy

We may update this privacy policy periodically to reflect changes in our practices or applicable law. We will publish the revised policy on this page with an updated effective date. Material changes will be communicated to existing clients by email where appropriate.

13. Contact and Complaints

For questions about this privacy policy or how we handle your personal information:

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya:

This policy should be read alongside our Terms and Conditions.