Privacy Policy

Ubuntu Kreative Village ("we", "us", "our") is an eco lodge and living farm retreat located in Kenya. We operate the website ubuntuecolodge.com and the Moxie AI concierge system. Our contact email is hello@ubuntuecolodge.com.

We collect the following personal data when you make an enquiry, reserving, or interact with Moxie: - Full name and contact details (email, phone number) - Reservation information (dates, accommodation preference, number of guests) - Dietary requirements and allergy information - Payment references (Stripe transaction IDs and M-Pesa references — we never store card numbers) - AI conversation logs with Moxie (stored in our Audit Log for service improvement) - Cookie consent status and date - Technical data (browser type, IP address via Cloudflare)

We use your personal data only for the following purposes: - To respond to your Reservation enquiry within 24 hours - To manage your reservation, spa Reservations, and dining arrangements - To personalise your Moxie AI concierge experience during your stay - To send transactional emails (Reservation confirmations, spa reminders, pre-arrival information) - To send a post-stay review request (one email, 24 hours after checkout) - To comply with Kenya Revenue Authority financial record-keeping requirements

We process your personal data under the Kenya Data Protection Act 2019 on the following bases: - Contractual necessity — to fulfil your Reservation - Legitimate interests — to improve our services and personalise your stay - Legal obligation — to maintain financial records for tax compliance - Consent — for marketing communications (you may withdraw at any time)

We retain your personal data as follows: - Guest Reservation records: 3 years after your last stay, then anonymised - Financial records (payment references): 7 years, as required by KRA - AI conversation logs (Moxie): 12 months, then permanently deleted - Email correspondence: 2 years - Cookie consent records: 3 years After retention periods expire, your personal identifiable information (name, email, phone) is anonymised — the statistical record is kept but cannot be linked back to you.

You have the following rights regarding your personal data: - Right of Access — request a copy of all data we hold about you - Right to Rectification — request correction of inaccurate data - Right to Erasure — request deletion of your personal data (subject to legal retention obligations) - Right to Object — object to processing of your data for marketing purposes - Right to Data Portability — request your data in a machine-readable format - Right to Lodge a Complaint — with the Office of the Data Protection Commissioner of Kenya To exercise any of these rights, email us at hello@ubuntuecolodge.com with the subject line "Data Request". We will respond within 21 days.

We use the following cookies on ubuntuecolodge.com: - Essential cookies — required for the site to function (session management, security) - Preference cookies — remember your consent choice and display preferences - Analytics cookies — anonymous usage statistics to improve the site (only with your consent) We do not use advertising cookies. We do not sell your data to advertisers. You may withdraw cookie consent at any time by clearing your browser cookies.

We share your data only with the following processors, each bound by a Data Processing Agreement: - Stripe Inc. — payment processing (PCI-DSS Level 1 certified) - Safaricom PLC (M-Pesa) — mobile payment processing - OpenAI Inc. — Moxie AI concierge processing - Resend Inc. — transactional email delivery - Vercel Inc. — website hosting and infrastructure - Sentry Inc. — error monitoring (anonymised technical data only) - Amazon Web Services — long-term data backup (S3 Glacier) - Cloudflare Inc. — DDoS protection and CDN We do not share your data with any other third parties without your explicit consent.

We protect your personal data using the following measures: - All data is transmitted over HTTPS (TLS 1.3) - WordPress admin access is restricted by IP allowlist via Cloudflare - Role-based access control (RBAC) limits staff access to only the data they need - Daily automated backups to AWS S3 Glacier with 11-nines durability - JWT-based Guest Passports for secure session management - Sentry monitors all systems for security anomalies in real time

Our services are not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data about a minor, please contact us immediately at hello@ubuntuecolodge.com and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or in Kenyan data protection law. We will notify guests of material changes by email. The date of the last update is shown at the bottom of this page. Continued use of our website after changes constitutes acceptance of the updated policy.

For any privacy-related questions or to exercise your rights: Email: hello@ubuntuecolodge.com Subject line: "Privacy / Data Request" Response time: within 21 days If you are unsatisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC): Website: www.odpc.go.ke