HOST PRIVACY STANDARDS

Last Updated: September 24, 2025

As a Host on the Visit Kenya Platform, you play a crucial role in protecting Guest privacy and personal information. These Host Privacy Standards outline your responsibilities when handling Guest personal information and ensure compliance with Kenyan data protection laws.

TABLE OF CONTENTS

1. Introduction

2. Handling Guest Personal Information

3. Permitted Uses of Guest Information

4. Prohibited Activities

5. Data Security Requirements

6. Third-Party Service Providers

7. Cross-Border Data Transfers

8. Guest Communication Standards

9. Record Keeping and Retention

10. Incident Reporting

11. Training and Awareness

12. Compliance and Enforcement

13. Contact Information

1. INTRODUCTION

As a Host on Visit Kenya, you will receive and use Guests’ personal information to manage your reservations and deliver your Host Services. These privacy standards are designed to help you:

• Comply with the Data Protection Act, 2019 of Kenya and other applicable privacy laws

• Protect Guest privacy and personal information

• Maintain trust within the Visit Kenya community

• Understand your responsibilities as a data controller or processor

Important: You are responsible for complying with applicable privacy laws when you handle and process personal information. Failure to comply with these standards may result in suspension or termination of your Host account.

2. HANDLING GUEST PERSONAL INFORMATION

2.1 Types of Guest Information You May Receive

As a Host, you may receive the following types of Guest personal information through the Visit Kenya Platform:

Contact Information:

• Name, phone number, email address

• Emergency contact details

Booking Information:

• Check-in and check-out dates

• Number of guests

• Special requests or accessibility needs

Payment Information:

• Limited payment details for verification purposes (last 4 digits of payment method)

Identity Verification Information:

• Government-issued ID details when required by law

• Profile photos

Communication Data:

• Messages exchanged through the Visit Kenya Platform

• Call recordings where permitted by law

2.2 Your Role as a Data Controller

When you handle Guest personal information, you typically act as a data controller under Kenyan law, which means you:

• Determine the purposes and means of processing personal data

• Are responsible for ensuring lawful, fair, and transparent processing

• Must implement appropriate security measures

• Need to respect Guest rights regarding their personal information

• Must comply with data retention requirements

3. PERMITTED USES OF GUEST INFORMATION

You may only use Guest personal information for the following purposes:

3.1 Reservation Management

• Confirming and managing bookings

• Communicating about check-in/check-out procedures

• Coordinating arrival times and access arrangements

• Managing booking modifications or cancellations

3.2 Service Delivery

• Providing agreed-upon Host Services

• Responding to Guest inquiries and requests

• Ensuring Guest safety and security

• Facilitating access to accommodations, events, restaurants, or places of interest

3.3 Legal Compliance

• Meeting obligations under Kenyan tourism regulations

• Complying with tax reporting requirements to Kenya Revenue Authority (KRA)

• Responding to lawful requests from Kenyan authorities

• Maintaining required records under applicable laws

3.4 Safety and Security

• Verifying Guest identity when required by law

• Reporting safety incidents to appropriate authorities

• Protecting your property and other Guests

• Emergency situations requiring contact with Guest emergency contacts

3.5 Quality Improvement

• Seeking feedback on your Host Services

• Improving your offerings based on Guest preferences

• Addressing complaints or issues

4. PROHIBITED ACTIVITIES

You must not:

4.1 Unauthorized Use

• Use Guest personal information for purposes unrelated to the booking or Host Service

• Share Guest information with third parties without proper authorization

• Use Guest information for direct marketing unless explicitly consented to

• Sell or monetize Guest personal information

4.2 Prohibited Requests

• Encourage or require Guests to create accounts with third-party services

• Request Guests to leave reviews on third-party platforms

• Require interaction with unapproved third-party websites or applications

• Collect personal information beyond what is necessary for your Host Service

4.3 Privacy Violations

• Install cameras or recording devices in private Guest areas without disclosure

• Monitor Guest communications without legal justification

• Access Guest personal belongings or information

• Share Guest information on social media or public platforms

4.4 Data Mishandling

• Store Guest information in unsecured systems

• Retain Guest information longer than necessary

• Process Guest information outside of Kenya without appropriate safeguards

• Fail to report data breaches or security incidents

5. DATA SECURITY REQUIREMENTS

5.1 Technical Safeguards

You must implement appropriate technical measures to protect Guest personal information:

Encryption:

• Use encrypted storage for digital Guest information

• Ensure secure transmission of Guest data

• Protect Wi-Fi networks with strong passwords

Access Controls:

• Limit access to Guest information to authorized personnel only

• Use strong, unique passwords for systems containing Guest data

• Implement two-factor authentication where available

Device Security:

• Keep devices containing Guest information secure

• Install security updates promptly

• Use reputable antivirus software

5.2 Physical Safeguards

Document Security:

• Store physical documents containing Guest information in locked cabinets

• Limit access to areas where Guest information is stored

• Properly dispose of documents containing Guest information (shredding)

Property Security:

• Secure Guest registration areas

• Ensure Guest information is not visible to unauthorized persons

• Implement check-in/check-out procedures that protect privacy

5.3 Administrative Safeguards

Staff Training:

• Train all staff who handle Guest information on privacy requirements

• Ensure staff understand their obligations under these standards

• Regularly update training on data protection practices

Policies and Procedures:

• Develop written procedures for handling Guest information

• Establish incident response procedures

• Regularly review and update privacy practices

6. THIRD-PARTY SERVICE PROVIDERS

6.1 Approved Service Providers

You may share Guest information with third-party service providers only when:

• The service provider is necessary for delivering your Host Service

• You have a written agreement with the service provider regarding data protection

• The service provider implements appropriate security measures

• The sharing is disclosed to Guests in advance

Examples of Permitted Third-Party Services:

• Professional cleaning services

• Property management companies

• Maintenance and repair services

• Security services

• Transportation providers (when arranged through your service)

6.2 Service Provider Requirements

When engaging third-party service providers, ensure they:

• Process Guest information only for the specific purpose you’ve authorized

• Implement appropriate technical and organizational security measures

• Do not use Guest information for their own marketing or business purposes

• Delete or return Guest information when the service is completed

• Notify you immediately of any data breaches or security incidents

6.3 Prohibited Third-Party Sharing

You must not share Guest information with:

• Marketing companies or data brokers

• Social media platforms (except as required for legitimate service delivery)

• Competitors or other hosts

• Family members or friends not involved in service delivery

• Any party for commercial gain unrelated to the booking

7. CROSS-BORDER DATA TRANSFERS

7.1 General Principles

When Guest personal information is transferred outside of Kenya:

• Ensure adequate protection is in place for the transferred data

• Only transfer data when necessary for service delivery

• Inform Guests of international transfers when required by law

• Implement appropriate safeguards as required by Kenyan data protection law

7.2 Permitted Transfers

Cross-border transfers are permitted when:

• The destination country has been deemed adequate by Kenyan authorities

• Appropriate safeguards are in place (such as standard contractual clauses)

• The transfer is necessary for the performance of the Host Service contract

• The Guest has given explicit consent for the transfer

7.3 Required Safeguards

When transferring data internationally, implement:

• Standard contractual clauses approved by Kenyan data protection authorities

• Encryption of data in transit and at rest

• Regular assessments of the security measures in the destination country

• Procedures for handling data subject requests across borders

8. GUEST COMMUNICATION STANDARDS

8.1 Communication Channels

Preferred Channels:

• Use the Visit Kenya Platform messaging system when possible

• Use provided contact information only for booking-related communications

• Maintain professional communication standards

Communication Records:

• Keep records of important communications with Guests

• Store communication records securely

• Delete communication records when no longer needed

8.2 Marketing Communications

Permitted Marketing:

• Follow-up communications about completed bookings (feedback requests)

• Information about additional services directly related to the current booking

• Safety or emergency communications

Prohibited Marketing:

• Unsolicited promotional messages

• Marketing for unrelated services or third parties

• Requests to contact Guests outside the Visit Kenya Platform for marketing purposes

9. RECORD KEEPING AND RETENTION

9.1 Required Records

You must maintain records of:

• Guest booking information for tax and legal compliance purposes

• Communication with Guests related to bookings

• Any incidents or safety issues involving Guests

• Third-party service provider agreements and data sharing

9.2 Retention Periods

General Retention:

• Keep Guest information only as long as necessary for the purposes collected

• Delete Guest information promptly after the booking is completed and any legal obligations are fulfilled

• Maintain tax-related records as required by Kenya Revenue Authority regulations

Specific Retention Periods:

• Booking records: 7 years for tax purposes (or as required by KRA)

• Communication records: 2 years after booking completion

• Incident reports: 7 years or as required by applicable law

• Marketing consent records: Until consent is withdrawn plus 1 year

9.3 Secure Deletion

When deleting Guest information:

• Use secure deletion methods for digital information

• Shred physical documents containing Guest information

• Ensure third-party service providers also delete Guest information

• Document the deletion process for compliance purposes

10. INCIDENT REPORTING

10.1 Types of Incidents to Report

You must report the following incidents to Visit Kenya immediately:

Data Breaches:

• Unauthorized access to Guest information

• Loss or theft of devices containing Guest information

• Accidental disclosure of Guest information

• Hacking or cyber security incidents

Privacy Violations:

• Unauthorized recording or surveillance of Guests

• Misuse of Guest information by staff or service providers

• Guest complaints about privacy violations

• Discovery of non-compliant data handling practices

10.2 Incident Response Process

Immediate Actions (within 24 hours):

1. Contain the incident to prevent further harm

2. Assess the scope and severity of the incident

3. Notify Visit Kenya through the incident reporting system

4. Document all details of the incident

Follow-up Actions (within 72 hours):

1. Conduct a thorough investigation

2. Notify affected Guests if required by law

3. Implement corrective measures

4. Report to Kenyan data protection authorities if required by law

10.3 Incident Documentation

Maintain detailed records of all incidents including:

• Date, time, and nature of the incident

• Scope of personal information affected

• Actions taken to address the incident

• Measures implemented to prevent recurrence

• Communications with authorities and affected individuals

11. TRAINING AND AWARENESS

11.1 Host Training Requirements

All Hosts must:

• Complete Visit Kenya’s privacy training modules

• Stay updated on changes to privacy requirements

• Ensure all staff handling Guest information are properly trained

• Regularly review and update privacy practices

11.2 Staff Training

If you have staff assisting with your Host Services:

• Provide privacy training to all staff who handle Guest information

• Ensure staff understand the importance of Guest privacy

• Regularly update staff training on privacy requirements

• Document training completion and competency

11.3 Ongoing Education

Stay informed about:

• Updates to Kenyan data protection laws

• Changes to Visit Kenya’s privacy requirements

• Best practices in data protection and privacy

• Emerging threats to data security

12. COMPLIANCE AND ENFORCEMENT

12.1 Monitoring and Auditing

Visit Kenya may:

• Monitor compliance with these privacy standards

• Conduct audits of Host privacy practices

• Request documentation of privacy compliance

• Investigate Guest complaints about privacy violations

12.2 Non-Compliance Consequences

Failure to comply with these standards may result in:

Initial Violations:

• Mandatory privacy training

• Temporary restrictions on hosting activities

• Required implementation of additional security measures

Serious or Repeated Violations:

• Suspension of Host account

• Permanent removal from the Visit Kenya Platform

• Reporting to Kenyan data protection authorities

• Legal action for damages or regulatory violations

12.3 Appeals Process

If you disagree with a compliance determination:

1. Submit a written appeal with supporting documentation

2. Participate in a review process with Visit Kenya’s privacy team

3. Implement any required corrective measures

4. Request reconsideration based on completed corrective actions

13. CONTACT INFORMATION

13.1 Visit Kenya Privacy Team

For questions about these Privacy Standards:

Email: hostprivacy@visitkenya.digital
Phone: [Phone number to be inserted]
Address: [Address to be inserted], Nairobi, Kenya

13.2 Data Protection Authority

For concerns about data protection compliance:

Office of the Data Protection Commissioner
Address: Kenya National Commission on Human Rights, CVS Building, Upper Hill, Nairobi, Kenya
Email: info@odpc.go.ke
Website: https://www.odpc.go.ke

13.3 Emergency Contact

For urgent privacy incidents:

24/7 Incident Hotline: [Emergency number to be inserted]
Email: privacy-emergency@visitkenya.digital

ACKNOWLEDGMENT AND AGREEMENT

By continuing to host on the Visit Kenya Platform, you acknowledge that you have read, understood, and agree to comply with these Host Privacy Standards. You further acknowledge that:

1. You understand your responsibilities regarding Guest personal information

2. You will implement appropriate security measures to protect Guest information

3. You will only use Guest information for permitted purposes

4. You will report privacy incidents promptly

5. You will participate in required privacy training and education

6. You understand the consequences of non-compliance with these standards

These Host Privacy Standards form part of your agreement with Visit Kenya and supplement the Visit Kenya Terms of Service. In case of any conflict between these standards and other Visit Kenya policies, the most protective standard for Guest privacy will apply.

These Host Privacy Standards are effective as of the date last updated above and apply to all Hosts using the Visit Kenya Platform.