Privacy & Refund Policy
How we collect, use and protect your personal information — and our full cancellation and refund terms.
Who We Are
This Privacy and Refund Policy ("Policy") is issued by Ideal Adventures Kenya Limited ("we", "us", "our"), a company registered in Kenya under the Companies Act, 2015 (Registration No. PVT-XXXXXXXX), duly licensed by the Kenya Tourism Board (Licence No. KTB/TO/XXXX/2024) to operate as a tour operator.
📌 Scope — What This Policy Covers
This Policy covers only: (a) how we handle your personal data, and (b) our cancellation and refund terms. It does not cover our general terms of service, booking contract, or liability clauses — those are published separately on our Terms & Conditions page.
This Policy applies to all personal data processed through:
- ▸Our website at https://idealadventureskenya.com
- ▸Our tour booking, payment, and M-Pesa processes
- ▸Email, phone, and WhatsApp communications with us
- ▸In-person interactions during tour operations in Kenya
Governing Law
This Policy is governed primarily by the Kenya Data Protection Act, 2019 (No. 24 of 2019). For visitors resident in the European Economic Area, the EU General Data Protection Regulation (GDPR) also applies. Payment-related processing is additionally subject to Safaricom's Daraja API Terms and Privacy Policy.
Data We Collect
2.1 Data You Provide Directly
- ▸Identity data: Full name, date of birth, nationality, and passport or national ID number — required for Kenya Wildlife Service (KWS) park permits and KTB regulatory compliance.
- ▸Contact data: Email address, telephone number (including your M-Pesa number), and postal address.
- ▸Booking data: Tour preferences, travel dates, number of travelers, dietary requirements, and any special requests.
- ▸Health and safety data: Medical conditions, fitness levels, or disability information you voluntarily disclose for adventure activities (e.g. altitude illness history for Mount Kenya treks). This is special category data under the Kenya DPA and GDPR, processed only with your explicit consent.
- ▸Emergency contact data: Name and phone number of a person we should contact on your behalf in an emergency during a tour.
- ▸Communications data: Content of emails, contact form submissions, and WhatsApp messages you send us.
2.2 Data Collected Automatically
- ▸Technical data: IP address, browser type, device type, operating system, and time zone — logged by our web server.
- ▸Usage data: Pages visited, time on page, referring URL, and links clicked — used solely to improve our website.
- ▸Session cookie data: A session identifier required for our booking forms and CSRF security (see Section 7 — Cookies).
2.3 Data We Do NOT Collect
- ✕Your M-Pesa PIN — entered on your handset and never transmitted to our servers.
- ✕Credit or debit card numbers.
- ✕Biometric data of any kind.
- ✕Social media login credentials.
How We Use Your Data
3.1 To Deliver Our Services (Contract Performance)
- ▸Process and confirm tour bookings and issue payment receipts.
- ▸Initiate M-Pesa STK Push payment requests via the Safaricom Daraja API and reconcile confirmed payments.
- ▸Coordinate accommodation, guide, transport, and national park permit arrangements on your behalf.
- ▸Send pre-departure information: confirmed itineraries, packing lists, meeting points, and emergency contact details.
- ▸Process amendments, cancellations, and approved refunds.
- ▸Respond to customer service and support enquiries.
3.2 To Comply With Legal Obligations
- ▸Kenya Tourism Board (KTB): Visitor records required under the Kenya Tourism Act, 2011.
- ▸Kenya Wildlife Service (KWS): Visitor identity data required for national park and conservancy entry permits.
- ▸Kenya Revenue Authority (KRA): Financial and transaction records retained for tax purposes under the Income Tax Act and VAT Act.
- ▸AMREF Flying Doctors: Emergency cover registration for participants on eligible tours.
- ▸Anti-Money Laundering (AML): Identity verification for transactions above KES 1,000,000 under the Proceeds of Crime and Anti-Money Laundering Act, 2009.
3.3 For Legitimate Business Interests
- ▸Fraud detection and payment security monitoring.
- ▸Website performance analysis and continuous improvement.
- ▸Post-tour customer satisfaction surveys (opt-out available at any time).
- ▸Booking trend analysis to improve future tour planning and availability.
3.4 With Your Consent Only
- ▸Sending marketing emails about new tours, promotions, and travel updates.
- ▸Publishing testimonials or photographs you provide to us.
- ▸Any other use of your data not described in Sections 3.1–3.3 above.
You may withdraw consent at any time by emailing privacy@idealadventureskenya.com or clicking the unsubscribe link in any marketing email. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
Legal Basis for Processing
Under Section 30 of the Kenya Data Protection Act, 2019, and Article 6 of the GDPR for EEA residents, we process your personal data on the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Processing your booking and M-Pesa payment | Performance of a contract (s.30(1)(b) Kenya DPA / GDPR Art.6(1)(b)) |
| KTB, KWS, and KRA regulatory reporting | Legal obligation (s.30(1)(c) Kenya DPA / GDPR Art.6(1)(c)) |
| AMREF Flying Doctors emergency cover registration | Legal obligation / Vital interests |
| AML identity verification | Legal obligation — POCAMLA 2009 |
| Fraud prevention and website security | Legitimate interests (s.30(1)(f) Kenya DPA / GDPR Art.6(1)(f)) |
| Post-tour satisfaction surveys | Legitimate interests |
| Booking confirmation and service emails | Performance of a contract |
| Marketing emails and promotional messages | Consent (s.30(1)(a) Kenya DPA / GDPR Art.6(1)(a)) |
| Processing health / special category data | Explicit consent (s.31(2)(a) Kenya DPA / GDPR Art.9(2)(a)) |
| Publishing testimonials or photographs | Consent |
Who We Share Data With
🔒 We never sell your personal data
We do not sell, rent, trade, or broker your personal data to any third party for their commercial purposes — under any circumstances.
5.1 Service Providers (Data Processors)
We share only the minimum data necessary with the following categories of partners, each bound by a written data processing agreement:
- ▸Lodges, camps, and hotels: Your name, travel dates, and dietary or special requirements — for your accommodation reservation.
- ▸Kenya Wildlife Service (KWS): Identity data as required for national park and conservancy entry permits.
- ▸AMREF Flying Doctors: Name, nationality, and any voluntarily disclosed medical notes — for emergency cover registration.
- ▸Ground transport providers: Name and contact number for transfer coordination.
- ▸Licensed tour guides: Participant list and confirmed itinerary details for your tour.
- ▸Transactional email service provider: Your name and email address — solely for delivery of booking confirmations and operational notifications.
5.2 Regulatory and Law Enforcement Authorities
We may disclose your personal data to government bodies, courts, or law enforcement where required by Kenyan law, a court order, or to protect the safety of tour participants or our staff. This includes the Kenya Tourism Board, Kenya Revenue Authority, Kenya Wildlife Service, and the Office of the Data Protection Commissioner (ODPC).
5.3 Business Transfers
In the event of a merger, acquisition, or sale of company assets, your data may transfer to the successor entity under equivalent privacy protections. We will notify affected customers by email at least 30 days before any such transfer takes place.
5.4 All Other Third Parties
We will not share your data with any other party without your prior, explicit, and informed written consent.
M-Pesa & Payment Privacy
📡 Safaricom Daraja API Integration
Our website uses the Safaricom Daraja API (STK Push) to request M-Pesa payment directly on your handset. All payment processing is additionally governed by Safaricom's Privacy Policy and Terms of Service.
6.1 What Payment Data We Collect
- ▸Your M-Pesa phone number — used only to initiate the STK Push request.
- ▸The M-Pesa transaction receipt number (e.g.
QJK1234XYZ) returned by Safaricom upon successful payment. - ▸Transaction timestamp, confirmed amount, and the Daraja Checkout Request ID — retained for payment reconciliation and KRA tax records.
6.2 What We Do NOT Store
- ✕Your M-Pesa PIN — entered on your handset; never transmitted to our servers.
- ✕Credit or debit card numbers.
- ✕Bank account credentials.
6.3 Payment Data Security
- ▸All communication between our servers and Safaricom's API is encrypted using TLS 1.2 or higher.
- ▸M-Pesa payment callbacks are received exclusively over verified HTTPS endpoints.
- ▸Payment logs are retained for 7 years in encrypted storage as required by the Kenya Revenue Authority.
- ▸Access to payment logs is restricted to authorised finance and compliance staff only.
6.4 Refunds to M-Pesa
Approved refunds are returned to the original M-Pesa phone number used during your booking. A refund to a different number requires a written request and identity verification to prevent fraud. Full refund timelines are set out in Section 13.
Your Rights
The Kenya Data Protection Act, 2019 (Part IV) grants you the following rights over your personal data. EEA residents have equivalent rights under GDPR Articles 15–22.
🔍 Right of Access (s.26)
Request a copy of all personal data we hold about you — provided free of charge within 21 days.
✏ Right to Rectification (s.27)
Request correction of inaccurate or incomplete personal data we hold about you.
🗑 Right to Erasure (s.38)
Request deletion of your data where it is no longer necessary for the purpose collected, or where you withdraw consent — subject to our legal retention obligations.
⏸ Right to Restriction (s.40)
Request that we pause processing your data, for example while you contest its accuracy.
📦 Right to Portability
Receive your data in a structured, commonly used, machine-readable format. Available to EEA residents under GDPR Article 20.
🚫 Right to Object (s.35)
Object to processing based on our legitimate interests, including direct marketing — which we will always honour immediately upon request.
🤖 Automated Decisions
Not be subject to solely automated decision-making that significantly affects you. We do not use such systems.
📢 Right to Complain
Lodge a complaint with the Kenya Office of the Data Protection Commissioner (ODPC) at any time without first approaching us.
How to Exercise Your Rights
Send a written request to our Data Protection Officer at privacy@idealadventureskenya.com or by post to Kimathi Street, Nairobi CBD, P.O. Box XXXXX-00100, Nairobi, Kenya. We will respond within 21 days (Kenya DPA s.26). Complex requests may take up to 30 days; we will inform you of any extension before the initial 21-day period expires.
Kenya Supervisory Authority — ODPC
If you believe we have mishandled your personal data, you may
lodge a complaint with:
Office of the Data Protection Commissioner (ODPC)
P.O. Box 30136-00100, Nairobi, Kenya
www.odpc.go.ke
How Long We Keep Data
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by Kenyan law. At the end of the applicable retention period, data is securely deleted or irreversibly anonymised so it can no longer identify any individual.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Booking and tour records | 7 years from travel date | KRA tax law; Companies Act 2015 |
| M-Pesa and payment records | 7 years | KRA tax law; AML regulations |
| Customer contact data | 3 years after last booking | Legitimate interests |
| Marketing consent records | 5 years or until consent withdrawn | Kenya DPA s.25 accountability |
| Complaint and dispute records | 6 years | Limitation of Actions Act, 2012 |
| Emergency medical notes | Tour duration + 1 year | Safety; explicit consent |
| Web server access logs | 90 days | Security and fraud prevention |
| Session cookies | Browser session end | Essential functionality only |
Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure, as required under Section 41 of the Kenya Data Protection Act, 2019.
Technical Measures
- ▸TLS/HTTPS encryption for all data in transit between your browser and our servers.
- ▸Bcrypt password hashing (minimum cost factor 12) for all admin account credentials.
- ▸Parameterised SQL queries throughout our codebase — eliminating SQL injection vulnerabilities.
- ▸CSRF token protection on every web form to prevent cross-site request forgery.
- ▸Secure session management: HttpOnly and SameSite=Lax cookie flags; session IDs regenerated on login.
- ▸Rate limiting on login and payment API endpoints.
- ▸Directory access controls: Log files and configuration files are blocked from public web access.
Organisational Measures
- ▸Personal data access is restricted to staff who require it to perform their specific role.
- ▸Confidentiality obligations are included in all staff employment contracts.
- ▸No personal data is transmitted internally via unencrypted email.
⚠ Data Breach Notification (Kenya DPA s.43)
If we suffer a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Kenya Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach. You will be informed of the nature of the breach, the data affected, and the steps we have taken.
Children
Our services are not directed to persons under the age of 18 years. We do not knowingly collect personal data from children without verified parental or legal guardian consent.
When a booking includes child travelers, the parent or legal guardian completing the booking provides consent on behalf of each child. Health and emergency contact information collected for child travelers is used solely for safety purposes during the tour and is deleted upon tour completion, subject to any mandatory regulatory retention obligation.
If you believe we have inadvertently collected data from a child without appropriate consent, please contact us immediately at privacy@idealadventureskenya.com. We will delete the data without delay.
International Data Transfers
Your personal data is primarily stored and processed on servers located in Kenya. In limited circumstances — such as routing booking confirmation emails through an international transactional email service — your data may be processed outside Kenya.
Any international transfer of personal data is made only where one of the following applies:
- ▸The destination country has been assessed to provide an adequate level of data protection comparable to Kenya's standards; or
- ▸We have put in place appropriate safeguards recognised under the Kenya DPA (such as standard data transfer clauses); or
- ▸You have given your explicit consent to the specific transfer.
We do not transfer your data to any country without appropriate safeguards in place. EEA residents may request details of the specific transfer mechanism by contacting our DPO at privacy@idealadventureskenya.com.
Cancellation & Refund Policy
📋 This Is a Standalone Refund Policy
This Cancellation and Refund Policy governs financial remedies for cancelled bookings. It does not constitute the full contractual booking agreement — the terms of your booking contract, including liability and force majeure provisions, are set out in our separate Terms & Conditions. By completing your M-Pesa payment you confirm you have read and accepted both documents.
This policy complies with the Kenya Tourism Act, 2011, the Consumer Protection Act, 2012, and the KTB Tour Operator Code of Conduct. All amounts are in Kenya Shillings (KES) unless otherwise stated.
13.1 How to Cancel — Submission Requirements
- ▸All cancellations must be submitted in writing to info@idealadventureskenya.com.
- ▸The cancellation date is the date we receive your written request during business hours (Mon–Fri, 08:00–17:00 EAT).
- ▸Verbal cancellations by telephone or WhatsApp are not valid until confirmed in writing.
- ▸We will acknowledge your cancellation in writing within 2 business days and confirm the applicable refund amount.
13.2 Customer Cancellation — Refund Schedule
Refunds are calculated based on the number of calendar days between the date we receive your written cancellation and your confirmed departure date:
| Notice Given Before Departure | Refund Entitlement | Charge Applied |
|---|---|---|
| 30 days or more | 90% of total amount paid | 10% administration fee |
| 15 – 29 days | 70% of total amount paid | 30% cancellation charge |
| 8 – 14 days | 50% of total amount paid | 50% cancellation charge |
| 4 – 7 days | 25% of total amount paid | 75% cancellation charge |
| 48 hours to 3 days | 10% of total amount paid | 90% cancellation charge |
| Less than 48 hours | No refund | 100% of amount paid is forfeited |
| No-show (day of departure) | No refund | 100% of amount paid is forfeited |
13.3 Items That Are Non-Refundable
The following cost components are non-refundable regardless of when you cancel, because these costs are committed to third parties at the time of booking:
- ✕National park and conservancy entrance fees paid to Kenya Wildlife Service (KWS) or county governments.
- ✕AMREF Flying Doctors emergency cover fees once the cover has been activated and registered.
- ✕Trekking and climbing permits already purchased (e.g. Mount Kenya, Aberdares).
- ✕Non-refundable room rates or deposits already paid to lodges, camps, or hotels.
- ✕Domestic scheduled or charter flight tickets once issued.
- ✕Visa facilitation fees where these have been paid to a third party.
13.4 Cancellation by Ideal Adventures Kenya
We reserve the right to cancel a confirmed tour in the following circumstances:
- ▸Minimum group size not met: Where a tour requires a minimum number of participants and this is not achieved, we will notify you at least 14 days before departure and offer either a full refund or an alternative departure date at no additional charge.
- ▸Force majeure: Events beyond our reasonable control — see Section 13.6.
- ▸Safety: Where our management reasonably determines that proceeding would pose an unacceptable risk to the safety of participants or our staff.
- ▸Non-payment: Where a booking has not been paid in full by the confirmed due date.
✅ Our Cancellation = Full Refund
If we cancel your tour for any reason other than force majeure or your failure to pay, you are entitled to a 100% refund of all amounts paid to us, processed within 14 working days.
13.5 Customer-Requested Tour Amendments
- ▸Date change (14+ days before departure): Accommodated free of charge, subject to availability on your new preferred date.
- ▸Date change (less than 14 days before departure): KES 2,500 administration fee per booking, subject to availability.
- ▸Participant name change: Permitted up to 48 hours before departure at no charge. Late name changes are not guaranteed and may incur third-party supplier fees which will be passed on.
- ▸Tour upgrade: Price difference charged; subject to availability. Tour downgrade: Price difference refunded at the rate applicable to the amendment date.
13.6 Force Majeure — Effect on Refunds
Force majeure means any event beyond our reasonable control that makes performance of the tour impossible or illegal, including but not limited to: acts of God, pandemic or public health emergency declared by the WHO or Kenyan Government, civil unrest, government travel advisories advising against travel to the destination, KWS park or conservancy closures, natural disasters, volcanic activity, or extreme adverse weather.
Where we cancel due to force majeure:
- ▸We will offer a credit note valid for 18 months from the original departure date as our primary remedy.
- ▸Where a credit note is not acceptable to you, we will refund the proportion of your payment that is recoverable from our suppliers. Amounts already paid to KWS, airlines, permit authorities, or non-refundable accommodation are typically irrecoverable and will be excluded from the cash refund.
- ▸We strongly recommend all travelers purchase comprehensive travel insurance that covers cancellation due to force majeure events — our AMREF cover does not include this.
13.7 Refund Processing Methods and Timelines
| Method | Timeline After Approval | Notes |
|---|---|---|
| M-Pesa (original number) | 7 – 14 working days | Standard method. M-Pesa transaction charges are borne by us for approved full refunds. |
| M-Pesa (different number) | 7 – 14 working days | Requires written request + identity verification to prevent fraud. |
| Bank EFT transfer | 14 – 21 working days | Used where M-Pesa refund is not possible. Customer must provide bank details in writing. |
| Credit note | Issued within 5 working days | Valid 18 months from issue date. Redeemable against any tour of equal or greater value. |
13.8 Travel Insurance — Strong Recommendation
🛡 We Strongly Recommend Travel Insurance
We strongly recommend all travelers purchase comprehensive travel insurance that covers: trip cancellation for any reason, emergency medical treatment and evacuation, personal liability, and loss of personal effects. Most of our packages include AMREF Flying Doctors emergency medical evacuation cover for in-country emergencies — please confirm inclusion with us at booking. AMREF cover does not cover trip cancellation, personal liability, or loss of property.
13.9 Refund Disputes
If you disagree with a refund decision, please contact our Customer Relations Manager at info@idealadventureskenya.com in writing, explaining the basis of your dispute. We will review and respond within 10 working days.
Unresolved refund disputes may be referred to the Kenya Tourism Board Consumer Complaints Committee or the Consumer Protection Advisory Committee established under the Consumer Protection Act, 2012.
Changes to This Policy
We may update this Policy to reflect changes in our data practices, business operations, regulatory requirements, or applicable law. When we make material changes, we will:
- ▸Update the "Last Updated" date shown at the top of this page.
- ▸Notify registered customers by email at least 14 days before changes take effect.
- ▸Where changes affect your rights or require renewed consent, obtain that consent before the updated terms apply to you.
Minor corrections (typographical errors, clarifications, or changes required immediately by law) may be made without prior notice but will always be reflected in the updated date. Previous versions of this Policy are available on written request.
Your continued use of our website or services after the effective date of any changes constitutes acknowledgement of the updated Policy.
Contact & Data Protection Officer
For any questions, requests, or complaints about this Policy or how we handle your personal data, please contact our Data Protection Officer (DPO):
🏢 Ideal Adventures Kenya Limited
Kimathi Street, Nairobi CBD, P.O. Box XXXXX-00100, Nairobi, Kenya
Reg No: PVT-XXXXXXXX
KTB Licence: KTB/TO/XXXX/2024
✉ Data Protection Officer
privacy@idealadventureskenya.com
Response within 21 days as required by the Kenya Data Protection Act, 2019 (s.26)
🏛 Office of the Data Protection Commissioner
🌍 Kenya Tourism Board
Policy Version — February 2026
This Privacy and Refund Policy was prepared in compliance with the Kenya Data Protection Act, 2019 (No. 24 of 2019), the Kenya Tourism Act, 2011, the Consumer Protection Act, 2012, and the KTB Tour Operator Licensing Conditions. Nothing in this Policy limits any statutory right you hold under Kenyan consumer protection or data protection law.
This document covers privacy and refund matters only. The full contractual terms of your booking — including liability clauses, booking conditions, and intellectual property — are in our separate Terms & Conditions →