TOURLAST LIMITED PRIVACY POLICY
1. PREAMBLE AND SCOPE OF APPLICATION
1.1 Introduction
This Privacy Policy (“Policy”) constitutes a legally binding notice and describes the policies and procedures of Tourlast Limited (hereinafter referred to as “Tourlast”, “the Company”, “we”, “us”, or “our”), a limited liability company duly incorporated under the Laws of the Republic of Kenya, regarding the collection, use, processing, disclosure, retention, and protection of Personal Data.
1.2 Territorial and Material Scope
This Policy applies to all natural persons (“Data Subjects”, “you”, or “your”) who access, interact with, or utilize:
- The website located at Tourlast.com and any subdomains thereof;
- Mobile software applications developed for iOS and Android operating systems;
- Application Programming Interfaces (APIs), white-label solutions, and integrated partner portals;
(Collectively referred to as the “Platform”).
1.3 Governing Legal Frameworks
The processing activities outlined herein are governed by, and construed in accordance with, the following instruments:
- The Data Protection Act, No. 24 of 2019 (Laws of Kenya) and the subsidiary Data Protection (General) Regulations, 2021, and the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, as enforced by the Office of the Data Protection Commissioner (ODPC);
- Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), where applicable to Data Subjects located within the European Economic Area (EEA) or the United Kingdom;
- Other applicable data protection and privacy legislation in jurisdictions where Tourlast processes personal data.
1.4 Acknowledgment and Consent
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by the terms of this Policy. Where processing is based on consent, such consent is freely given, specific, informed, and unambiguous.
2. IDENTITY OF DATA CONTROLLER AND DATA PROTECTION OFFICER
2.1 Data Controller
The entity determining the purpose and means of processing your Personal Data is:
Tourlast Limited
Principal Place of Business: Nairobi, Republic of Kenya.
Email for Privacy Matters: privacy@tourlast.com
Email for General Support: support@tourlast.com
Email for Legal Service of Process: legal@tourlast.com
2.2 Data Protection Officer (DPO)
Pursuant to Section 24 of the Kenya Data Protection Act and Article 37 of the GDPR, Tourlast may designate a Data Protection Officer. Enquiries regarding the exercise of data subject rights or clarification on this Policy may be directed to the above privacy email address for the attention of the DPO.
3. CATEGORIES OF PERSONAL DATA COLLECTED
We collect and process the following categories of Personal Data depending on the nature of your interaction with the Platform:
3.1 Directly Provided Identification Data
Information you voluntarily submit for the purpose of registration, inquiry, or fulfillment of a contract, including but not limited to:
- Full Legal Name (Given and Surname);
- Electronic Mail (Email) Address;
- Mobile Telephone Number;
- Government-Issued Identification Documentation (Passport Number, National ID Number, or Alien ID Number);
- Billing Address and Residential Address.
3.2 Transaction and Financial Data
In connection with the procurement of travel services, Tourlast may collect and process the following transaction-related information:
- Passenger Name Record (PNR) details for all traveling parties;
- Payment Information:
  - Credit and debit card payments are securely processed by our third-party payment service provider, Paystack (a Stripe company), in compliance with the Payment Card Industry Data Security Standard (PCI DSS);
  - Tourlast does not store or have direct access to full card details, including the Primary Account Number (PAN) or CVV;
  - We may receive limited transaction data such as payment status, masked card details (e.g., last four digits), and authorization confirmations;
- Mobile Money Wallet Identifiers (e.g., M-PESA details), where applicable;
- Booking reference numbers and travel itineraries;
- Invoice records, payment confirmations, and remittance history.
Tourlast does not collect, store, or process full payment card credentials and relies on PCI DSS-compliant third-party payment processors for secure handling of cardholder data.
3.3 Special Categories of Personal Data (Sensitive Data)
In limited circumstances, we may process data revealing:
- Health Data: Dietary restrictions indicating allergies or medical conditions; Accessibility requirements implying physical limitations.
- Biometric Data: Where required for identity verification with aviation or border control authorities.
Processing of this data shall only occur where explicit consent has been obtained or where processing is necessary for reasons of substantial public interest, in compliance with Section 30 of the Kenya Data Protection Act and Article 9 of the GDPR.
3.4 Automatically Collected Technical and Usage Data
Upon visiting the Platform, our servers automatically log technical data, including but not limited to:
- Internet Protocol (IP) Address and Geolocation derived therefrom;
- Device Fingerprint, Operating System, and Browser Type/Version;
- Uniform Resource Locators (URLs) of referring/exit pages;
- Clickstream Data and Session Duration;
- Crash Logs and Performance Metrics.
3.5 Geolocation Data
Subject to the permissions configured on your specific device, we may process precise geolocation data via Global Positioning System (GPS) or triangulation of Wi-Fi access points. You may revoke this permission at any time via your device's operating system settings.
3.6 Third-Party Sourced Data
We may lawfully obtain information from:
- Travel Suppliers: Airlines, Global Distribution Systems (GDS), and Accommodation Providers for booking verification.
- Identity Verification Services: For Know Your Customer (KYC) compliance checks.
- Social Media Platforms: Where you utilize "Single Sign-On" (SSO) authentication (e.g., "Sign in with Google").
4. PURPOSES AND LEGAL BASIS FOR PROCESSING
We process Personal Data strictly for specified, explicit, and legitimate purposes, and do not further process it in a manner incompatible with those purposes.
| Processing Activity | Legal Basis (Kenya DPA & GDPR) | Legitimate Interest Assessment (if applicable) |
|---|---|---|
| Performance of a Contract (Booking facilitation, issuance of e-tickets/vouchers, account management, customer support). | Contractual Necessity (Sec. 30(1)(a) KDPA; Art. 6(1)(b) GDPR) | N/A |
| Financial Transactions (Payment facilitation, transaction confirmation, reconciliation, and chargeback handling). | Contractual Necessity & Legal Obligation (Sec. 30(1)(b) KDPA; Art. 6(1)(c) GDPR) | N/A |
| Fraud Prevention & Security (Detection of unauthorized access, identity theft, and platform misuse). | Legitimate Interest (Sec. 30(1)(c) KDPA; Art. 6(1)(f) GDPR) | Necessary to protect Tourlast and its users from financial loss and reputational harm. |
| Direct Marketing (Electronic newsletters, promotional offers regarding similar products/services). | Consent (Sec. 32 KDPA; Art. 6(1)(a) GDPR) or Legitimate Interest (for existing customers re: similar products). | Promoting services likely to be of interest to existing clientele without overriding their fundamental rights. |
| Compliance with Legal Obligations (Responding to court orders, tax audits, or ODPC/GDPR supervisory authority requests). | Legal Obligation (Sec. 30(1)(b) KDPA; Art. 6(1)(c) GDPR) | N/A |
| Service Improvement & Analytics | Legitimate Interest (Sec. 30(1)(c) KDPA; Art. 6(1)(f) GDPR) | Enhancing user interface, optimizing search algorithms, and ensuring platform stability. |
5. DISCLOSURE AND TRANSFER OF PERSONAL DATA TO THIRD PARTIES
We engage the following categories of Data Processors and Joint Controllers. We impose strict contractual obligations (Data Processing Agreements) on all recipients to ensure equivalent levels of protection.
5.1 Essential Service Providers (Processors)
- Travel Fulfillment Partners: Airlines, Hotel Aggregators, Ground Transportation Operators, and Tour Guides. Disclosure is strictly limited to data necessary for the execution of the travel reservation (e.g., PNR data).
- Payment Gateways and Merchant Acquirers: Including but not limited to Paystack (a Stripe company), card networks, banks, and mobile money operators, for the sole purpose of authorizing, processing, and settling transactions.
- Cloud Infrastructure and Cybersecurity Providers: Hosting providers and content delivery networks (CDNs) operating with ISO 27001 certification.
5.2 Regulatory and Law Enforcement Authorities
We reserve the right to disclose Personal Data to competent public authorities, regulatory bodies, or law enforcement agencies where such disclosure is mandated by law, a court order, or for the protection of vital interests, in strict compliance with Section 49 of the Kenya Data Protection Act.
6. CROSS-BORDER TRANSFERS OF PERSONAL DATA
Tourlast operates on a global infrastructure. Consequently, your Personal Data may be transferred to, and processed in, countries outside the Republic of Kenya and the European Economic Area.
6.1 Safeguards and Adequacy
In the event of such transfer, Tourlast shall implement appropriate safeguards pursuant to Section 48 of the Kenya Data Protection Act, 2019, and Chapter V of the GDPR, including:
- Adequacy Decisions: Transferring to countries deemed by the Kenyan Cabinet Secretary for ICT or the European Commission to offer an adequate level of protection.
- Standard Contractual Clauses (SCCs): Executing the EU Commission's Model Clauses or equivalent provisions approved by the ODPC.
- Binding Corporate Rules: Applicable for intra-group transfers.
7. DATA RETENTION AND DESTRUCTION
We adhere to the data minimization and storage limitation principles.
| Data Category | Retention Period | Rationale |
|---|---|---|
| User Account Data | Duration of account activity + 12 months post-deactivation. | To allow for reactivation and resolution of post-termination queries. |
| Transactional/Booking Data | Seven (7) Years from the date of transaction completion. | To comply with the Kenyan Tax Procedures Act, 2015, and anti-money laundering legislation. |
| Marketing Consent Records | Indefinite (or until consent is affirmatively withdrawn). | To maintain a suppression list demonstrating compliance with opt-out requests. |
| System Logs & IP Addresses | 90 Days to 12 Months. | For security monitoring and forensic investigation of incidents. |
Upon expiry of the retention period, Personal Data shall be securely deleted, anonymized, or pseudonymized such that re-identification is no longer possible.
8. RIGHTS OF THE DATA SUBJECT
Tourlast is committed to facilitating the exercise of the following rights afforded to you under applicable law:
- Right of Access (Art. 15 GDPR / Sec. 26 KDPA): Confirmation of processing and a copy of the data.
- Right to Rectification (Art. 16 GDPR / Sec. 37 KDPA): Correction of inaccurate or incomplete data.
- Right to Erasure (‘Right to be Forgotten’) (Art. 17 GDPR / Sec. 40 KDPA): Deletion of data where retention is no longer necessary or lawful.
- Right to Restriction of Processing (Art. 18 GDPR / Sec. 41 KDPA): Limiting how we use your data while a complaint or verification is pending.
- Right to Data Portability (Art. 20 GDPR / Sec. 38 KDPA): Receiving your data in a structured, commonly used, and machine-readable format.
- Right to Object (Art. 21 GDPR / Sec. 39 KDPA): Objecting to processing based on legitimate interests or direct marketing.
To exercise these rights, please submit a verifiable request via email to privacy@tourlast.com. We shall respond within Fourteen (14) calendar days as stipulated by the ODPC for urgent requests, or within Thirty (30) calendar days for complex requests, subject to extension notice as permitted by law.
9. DATA SECURITY AND BREACH NOTIFICATION
We implement appropriate technical and organizational measures (TOMs) designed to ensure a level of security appropriate to the risk, including:
- Pseudonymization and Encryption of personal data (TLS 1.3 protocol).
- Ongoing confidentiality, integrity, availability, and resilience of processing systems.
- Multi-Factor Authentication (MFA) for administrative access.
9.1 Breach Notification Procedure
In the unfortunate event of a Personal Data Breach, we shall, without undue delay and where feasible within 72 hours of becoming aware, notify the Office of the Data Protection Commissioner, Kenya, pursuant to Section 43 of the KDPA. If the breach is likely to result in a high risk to your rights and freedoms, we shall communicate the breach to you directly via email or a prominent notice on the Platform.
10. USE OF COOKIES AND SIMILAR TRACKING MECHANISMS
Our Platform utilizes cookies, pixel tags, and software development kits (SDKs) to distinguish you from other users. You may manage your cookie preferences through our Consent Management Platform (CMP) available via the "Cookie Settings" link in the footer of our website. Strictly Necessary Cookies are deployed based on legitimate interest and do not require prior consent.
11. MINORS’ DATA
Our services are directed solely at individuals who have attained the Age of Majority (18 years in Kenya). We do not knowingly collect or solicit Personal Data from anyone under the age of 18. In the event we learn that we have collected Personal Data from a minor without verification of parental consent, we will delete that information expeditiously.
12. AMENDMENTS TO THIS PRIVACY POLICY
We reserve the right to modify or amend this Policy at any time to reflect changes in our practices or for legal compliance. The date of the last revision will be identified at the top of this document. In the case of Material Changes (e.g., change in purpose of processing or controller), we shall provide you with prominent notice via email or an interstitial banner on the Platform prior to the change becoming effective. Your continued use of the Platform following such notice constitutes acceptance of the revised terms.
13. RIGHT TO LODGE A COMPLAINT
Without prejudice to any judicial remedy, you have the right to lodge a complaint with a supervisory authority. The relevant supervisory authority for Tourlast is:
The Office of the Data Protection Commissioner (ODPC)
Address: Britam Centre, 11th Floor, Hospital Road, Upper Hill, Nairobi, Kenya.
Website: www.odpc.go.ke