GDPR & Data Processing

Last updated: March 1, 2025

1. Our Commitment to GDPR

KwaWingu is committed to compliance with the General Data Protection Regulation (GDPR). We process personal data lawfully, fairly, and transparently. This page outlines how we meet GDPR requirements for users in the European Union and European Economic Area.

2. Data Controller vs Data Processor

When you use KwaWingu as a tour operator:

  • You are the Data Controller for your guests' personal data. You determine the purposes and means of processing guest data.
  • KwaWingu is the Data Processor. We process guest data on your behalf, according to your instructions, to provide our service.

For your own account data (operator name, email, company details), KwaWingu acts as the Data Controller.

3. Legal Bases for Processing

  • Contract performance: Processing necessary to provide you with our service.
  • Legitimate interest: Analytics and service improvement, fraud prevention, security.
  • Consent: Marketing communications, non-essential cookies.
  • Legal obligation: Tax records, compliance with law enforcement requests.

4. Your Rights Under GDPR

As a data subject, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate personal data.
  • Erasure: Request deletion of your personal data (“right to be forgotten”).
  • Restriction: Request that we limit processing of your data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw consent: Withdraw previously given consent at any time.

To exercise any of these rights, contact [email protected]. We will respond within 30 days.

5. International Data Transfers

KwaWingu is based in Tanzania. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

6. Data Processing Agreement

A Data Processing Agreement (DPA) is available for all customers who require one. The DPA covers our obligations as a data processor, including security measures, sub-processor management, breach notification procedures, and data deletion upon termination. Contact us to request a signed DPA.

7. Data Breach Notification

In the event of a personal data breach, we will notify affected data controllers within 72 hours of becoming aware of the breach, as required by GDPR Article 33. We will provide details of the breach, its likely consequences, and the measures taken to address it.

8. Sub-Processors

We use a limited number of sub-processors to deliver our service. A current list is available upon request. We will notify you before adding new sub-processors and provide you with the opportunity to object.

9. Data Protection Officer

For GDPR-related inquiries, contact our data protection team at [email protected].

10. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.