Privacy Policy

Template — review with qualified counsel before launch. Last updated 11 June 2026.

This Privacy Policy explains how Karibu ("Karibu", "we", "us") collects, uses, shares, and protects personal data when you use our getaways discovery, booking web app, and API (the "Service"). We process personal data in line with Kenya's Data Protection Act, 2019 ("DPA") and, for visitors in the European Economic Area and the UK, the GDPR/UK GDPR.

1. Who we are

Karibu is the data controller for the personal data described here. Contact our data protection point of contact at privacy@karibu.co.ke (placeholder — replace with your verified address).

2. What we collect

3. Why we process it (lawful bases)

4. Processors and international transfers

We share data only with processors who act on our instructions: Clerk (authentication), Neon (database), Resend (email), Sentry (error monitoring), Upstash (rate limiting), and our hosting provider (Vercel). Some processors store data outside Kenya; where they do, we rely on appropriate safeguards (e.g. standard contractual clauses) as required by the DPA and GDPR.

5. Retention

We keep account and trip data for as long as your account is active, then delete or anonymise it within a reasonable period unless a longer term is required by law.

6. Your rights

Subject to applicable law, you may access, correct, delete, restrict, or object to the processing of your personal data, and request portability. To exercise any right, contact us at the address above. You may also lodge a complaint with the Office of the Data Protection Commissioner (Kenya) or your local supervisory authority.

7. Security

We use industry-standard measures including encryption in transit, scoped access controls, and per-user authorization in our data layer. No system is perfectly secure; we work to protect your data and notify you and regulators of breaches as required.

8. Changes

We will post any changes here and update the date above.