Privacy Policy

1. Introduction

Mystical Vacations ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

This policy complies with the General Data Protection Regulation (GDPR) and the Data Protection Act, 2019 (Kenya).

2. Information We Collect

We collect the following types of personal information:

2.1 Personal Identification Information

• Name: To process your bookings and communicate with you
• Phone Number: Required for M-Pesa payment processing and to contact you regarding your bookings
• Email Address: To send booking confirmations, updates, and important travel information

2.2 Booking Information

• Travel dates and destinations
• Accommodation preferences
• Number of travelers
• Special requests or requirements

2.3 Payment Information

We do not store your full payment card details. Payment processing is handled securely by our payment provider (PesaPal). We only receive confirmation of successful payments.

2.4 Technical Information

• IP address
• Browser type and version
• Device information
• Website usage data (cookies and similar technologies)

3. How We Use Your Information

We use your personal information for the following purposes:

• To process and manage your bookings
• To communicate with you about your travel arrangements
• To process payments through M-Pesa and card payment systems
• To send booking confirmations and travel documents
• To provide customer support and respond to inquiries
• To improve our services and website functionality
• To comply with legal obligations
• To send marketing communications (only with your consent)

4. How We Share Your Information

We share your personal information only with the following parties:

4.1 Payment Processors

We share necessary payment information with PesaPal to process M-Pesa and card transactions. PesaPal handles all payment processing securely and in accordance with their own privacy policies.

4.2 Service Providers

We share booking information with our service providers to fulfill your travel arrangements:

• Hotels and Accommodation Providers: To secure your reservations
• Standard Gauge Railway (SGR): To book train tickets
• Tour Operators and Safari Companies: To arrange your safari experiences
• Transport Providers: To organize transfers and transportation

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or to protect our rights, property, or safety, or that of our customers or others.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (SSL/TLS)
• Secure storage of data
• Regular security assessments
• Access controls and authentication
• Staff training on data protection

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. Booking information is typically retained for 7 years for accounting and legal compliance purposes.

7. Your Rights

Under GDPR and the Data Protection Act, 2019 (Kenya), you have the following rights:

• Right to Access: Request a copy of the personal information we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete information
• Right to Erasure: Request deletion of your personal information (subject to legal obligations)
• Right to Restrict Processing: Request limitation of how we use your information
• Right to Data Portability: Request transfer of your data to another service provider
• Right to Object: Object to processing of your information for certain purposes
• Right to Withdraw Consent: Withdraw consent for marketing communications at any time

To exercise any of these rights, please contact us through our contact page. We will respond to your request within 30 days.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your browsing experience, analyze website traffic, and personalize content. You can control cookie preferences through your browser settings. For more information, please refer to our cookie policy or contact us.

9. International Data Transfers

Your information may be transferred to and processed in countries outside Kenya and Tanzania, including countries that may not have the same data protection laws. We ensure that appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.

10. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically to stay informed about how we protect your information.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through our contact page.

You also have the right to lodge a complaint with the relevant data protection authority:

• Kenya: Office of the Data Protection Commissioner
• EU: Your local data protection authority