Menu

Privacy Policy

 

1. Introduction

This Privacy Policy (“Policy”) sets forth the terms and conditions under which Holiday Bazaar Limited (“Holiday Bazaar,” “we,” “us,” or “our”) collects, processes, uses, protects, and discloses personal data obtained from clients, customers, users, and other individuals (“you” or “your”) in compliance with the Data Protection Act, 2019 (the “Act”), No. 24 of 2019 of the Laws of Kenya, and any other applicable laws and regulations.

By accessing our website, utilizing our services, or engaging with us in any form, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any terms herein, you are advised to refrain from using our services or providing any personal data.

2. Definitions

For the purposes of this Policy, unless the context indicates otherwise:

  • “Personal Data” means any information relating to an identified or identifiable natural person as defined under Section 2 of the Act.
  • “Processing” refers to any operation or set of operations performed on personal data, whether or not by automated means, as detailed in Section 2 of the Act.
  • “Data Controller” means Holiday Bazaar, which determines the purposes and means of processing personal data.
  • “Data Processor” refers to any person or entity that processes personal data on behalf of the data controller.

3. Data Collection and Use

3.1. Personal Data We Collect

We may collect, store, and process various categories of personal data, including but not limited to:

  • Identification Data: Full name, date of birth, gender, nationality, passport details, national identification numbers.
  • Contact Information: Physical address, email address, telephone numbers.
  • Financial Data: Credit/debit card information, bank account details, transaction histories.
  • Travel Preferences: Accommodation choices, dietary requirements, special assistance needs.
  • Digital Data: IP addresses, browser type, access times, referring website addresses.
  • Communication Records: Emails, phone call records, chat transcripts, and other correspondence.

3.2. Methods of Collection

Personal data may be collected through various means, including:

  • Direct Interactions: When you fill out forms, make bookings, subscribe to newsletters, or communicate with us.
  • Automated Technologies: Through cookies, server logs, and other similar technologies when you interact with our website.
  • Third Parties: From airlines, hotels, travel agents, and other service providers who share information necessary for your travel arrangements.

3.3. Purposes of Processing

We process your personal data for multiple purposes, including but not limited to:

  • Service Provision: To facilitate travel bookings, issue tickets, arrange accommodations, and provide other related services.
  • Customer Support: To respond to inquiries, provide assistance, and improve customer service experiences.
  • Legal Compliance: To fulfill legal obligations, such as immigration requirements, tax laws, and anti-money laundering regulations.
  • Marketing Communications: To inform you about promotions, offers, and new services, subject to your consent where required.
  • Analytics and Improvements: To analyze usage patterns, improve our website, and enhance service offerings.

4. Legal Basis for Processing

Under Section 30 of the Act, we process your personal data based on the following lawful grounds:

  • Consent (Section 32): Where you have given clear and explicit consent for us to process your personal data for specific purposes.
  • Contractual Necessity (Section 30(1)(b)(i)): Processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract.
  • Legal Obligation (Section 30(1)(b)(ii)): Processing is necessary for compliance with a legal obligation to which we are subject.
  • Legitimate Interests (Section 30(1)(b)(vii)): Processing is necessary for the purposes of legitimate interests pursued by us or a third party, except where such interests are overridden by your fundamental rights and freedoms.

5. Data Sharing and Disclosure

5.1. Disclosure to Third Parties

We may disclose your personal data to selected third parties, including but not limited to:

  • Service Providers: Airlines, hotels, car rental companies, cruise lines, tour operators, and insurance companies to facilitate your travel arrangements.
  • Business Partners: Agents, consultants, and subcontractors who assist in the operation of our business.
  • Legal and Regulatory Authorities: Government agencies, regulators, and law enforcement bodies as required by law or for the purposes of legal proceedings.

All third parties are obligated to handle your personal data in accordance with contractual agreements that comply with the Act, ensuring adequate safeguards and confidentiality measures are in place.

5.2. International Data Transfers

Your personal data may be transferred to, stored, and processed in countries outside Kenya that may have different data protection standards. In accordance with Section 48 of the Act, we ensure that such international transfers are conducted with appropriate safeguards, including but not limited to:

  • Adequacy Decisions: Transferring data to countries deemed by the Data Protection Commissioner to have adequate data protection laws.
  • Standard Contractual Clauses: Implementing contractual clauses that provide legal remedies and enforceable rights for data subjects.
  • Explicit Consent: Obtaining your explicit consent after informing you of the possible risks due to the absence of appropriate safeguards.

6. Data Security

6.1. Security Measures

We have implemented robust technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in compliance with Section 41 of the Act. These measures include but are not limited to:

  • Encryption: Utilizing SSL/TLS encryption for data transmission over the internet.
  • Access Controls: Restricting access to personal data to authorized personnel only.
  • Physical Security: Securing our premises and data centers against unauthorized access.
  • Regular Audits: Conducting periodic security assessments and vulnerability scans.

6.2. Data Breach Response

In the event of a personal data breach, we will promptly assess the risk to your rights and freedoms and, where required, notify the Data Protection Commissioner and affected individuals within 72 hours, in accordance with Section 43 of the Act.

7. Data Retention

7.1. Retention Periods

We will retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected, or as required by law, whichever is longer. Factors determining retention periods include:

  • Legal Requirements: Compliance with legal, tax, and regulatory obligations.
  • Contractual Obligations: Duration of contracts and service agreements.
  • Dispute Resolution: Timeframes for handling disputes or enforcing agreements.

7.2. Data Disposal

Upon the expiration of the retention period, we will securely dispose of or anonymize your personal data to prevent unauthorized access or use, in compliance with Section 39 of the Act.

8. Your Rights as a Data Subject

Under the Act, you have the following rights regarding your personal data:

8.1. Right to Be Informed (Section 26(a))

You have the right to be informed about the collection and use of your personal data, including the purposes of processing, retention periods, and who it will be shared with.

8.2. Right of Access (Section 26(b))

You may request access to your personal data held by us, along with information about how we process it.

8.3. Right to Correction (Section 40)

You have the right to request correction of inaccurate or incomplete personal data.

8.4. Right to Erasure (Section 40(1)(b))

You may request the deletion of your personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

8.5. Right to Object (Section 35)

You have the right to object to the processing of your personal data where processing is based on legitimate interests or for direct marketing purposes.

8.6. Right to Restrict Processing (Section 34)

You may request the restriction of processing your personal data under specific conditions.

8.7. Right to Data Portability (Section 38)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller.

8.8. Rights Related to Automated Decision-Making (Section 37)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.

9. Exercising Your Rights

To exercise any of your rights, please submit a written request to our Data Protection Officer at the contact details provided in Section 13. We will respond to your request within a reasonable timeframe, not exceeding 30 days, as mandated by the Act. We may require verification of your identity to process your request.

10. Cookies and Tracking Technologies

10.1. Use of Cookies

Our website utilizes cookies and similar tracking technologies to enhance user experience, analyze website traffic, and tailor marketing efforts. Cookies are small data files stored on your device when you visit a website.

10.2. Types of Cookies Used

  • Essential Cookies: Necessary for the functioning of the website.
  • Performance Cookies: Collect information about how you use our website.
  • Functional Cookies: Remember your preferences and settings.
  • Targeting Cookies: Used for delivering relevant advertisements to you.

10.3. Managing Cookies

You can control the use of cookies at the individual browser level. Please note that disabling cookies may affect the functionality and features of our website.

11. Marketing Communications

11.1. Consent to Marketing

With your explicit consent, we may use your personal data to send you promotional communications about our services, special offers, and events.

11.2. Opt-Out

You have the right to withdraw your consent to receive marketing communications at any time by clicking the “unsubscribe” link in any email or by contacting us directly.

12. Third-Party Websites

Our website may contain links to third-party websites, plugins, and applications. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policies of any external websites you visit.

13. Contact Information

For any inquiries, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact:

Data Protection Officer
Holiday Bazaar Limited
P.O. Box 51388-00100
Nairobi, Kenya
Email: aman@holidaybazaar.com

14. Complaints

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner in Kenya.

15. Changes to This Privacy Policy

We reserve the right to amend or update this Privacy Policy at our sole discretion and at any time. Any changes will become effective upon posting the revised Policy on our website. Your continued use of our services following the posting of changes constitutes your acceptance of such changes.

16. Legal Disclaimer

While we strive to protect your personal data, we cannot guarantee the security of any information you transmit to us over the internet, and you do so at your own risk. We urge you to take every precaution to protect your personal data while using the internet.

17. Governing Law

This Privacy Policy and any disputes arising out of or related to it shall be governed by and construed in accordance with the laws of the Republic of Kenya.

18. Severability

If any provision of this Privacy Policy is found to be invalid or unenforceable by a court of competent jurisdiction, such provision shall be severed from the Policy, and the remaining provisions shall remain in full force and effect.

19. Entire Agreement

This Privacy Policy constitutes the entire agreement between you and Holiday Bazaar regarding the collection and processing of your personal data and supersedes any prior agreements or understandings.

By engaging with Holiday Bazaar, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.