Privacy

Privacy Policy

This policy explains how United Kenya Club collects, uses, stores, shares, and protects personal data submitted through this website.

Last updated: 7 June 2026

1. Who We Are

United Kenya Club is the data controller for personal data submitted through this website. This draft policy explains how the website handles personal data in line with Kenya's Data Protection Act, 2019 and guidance from the Office of the Data Protection Commissioner.

For privacy requests, corrections, withdrawals, or deletion requests, contact itsupport@unitedkenyaclub.com.

2. Personal Data We Collect

Reservation pages collect the information needed to create and manage an accommodation or facility reservation, including name, email address, telephone number, country, booking dates, times, room or facility details, guest or attendee counts, package selections, add-ons, special requests, payment option, and identity document details or uploads.

Membership application pages collect the information needed to assess membership applications, including membership type, name, title, gender, date of birth, nationality or country, marital status, residence, contact details, postal address, work details, family and next-of-kin details, education history, career history, proposer and seconder details, and uploaded KYC or supporting documents such as ID images, passport photos, and membership cards.

Sponsor pages collect the sponsor's role, name, membership number, email, phone number, questionnaire responses, signature date, and any uploaded past-club membership card.

Review and feedback forms collect the name, review text, rating, and category submitted by the user. Approved reviews may be displayed publicly on the website and may therefore be visible globally.

The About and Staff areas display information about board members and staff, such as names, roles, biographies, comments, departments, and profile images. This information is managed by the Club for public-facing governance and hospitality communication.

The website and backend may also receive technical information such as IP address, browser user-agent, timestamps, payment references, and request status records for security, audit, troubleshooting, and transaction management.

3. Why We Use This Data

We collect and use this data only where it is necessary for explicit Club purposes: receiving and managing reservations, confirming availability, communicating with guests, processing membership applications, carrying out KYC and identity checks, recording proposer and seconder support, handling payments, managing refunds or cancellations, publishing approved feedback, and maintaining accurate Club records.

Identity images, ID details, passport photos, and supporting membership documents are requested as KYC mechanisms so the Club can verify identity, reduce fraud, and assess eligibility. Names and contact details are kept for operational records, follow-up, audit, and Club administration.

4. How The Website Stores And Sends Data

The website uses a custom backend and database. For reservations, the database stores operational reservation records such as the reservation reference, booking details, name, contact details, country, identity-document metadata or link, price breakdown, payment status, confirmation status, IP address, user-agent, and timestamps.

For membership applications, the database stores application tracking details such as application number, applicant name, contact details, country, membership type, proposer and seconder contact summaries, status, phase, redacted upload metadata, and a redacted copy of the submitted payload. Uploaded file data URLs are redacted before database storage.

For sponsor submissions, the database stores the application number, sponsor role, sponsor name, membership number, email, phone, key questionnaire fields, form data, and timestamps so the Club can track proposer and seconder completion.

Full membership application and sponsor payloads, including uploaded document data where applicable, are sent to the authorised membership team as encrypted, compressed JSON email attachments. Decryption is handled by the Club backend using the configured local encryption key.

Reservation emails are sent to the authorised reservation team and to the guest. Where an uploaded identity document is provided as image data, it may be attached to the reservation email sent to the authorised team for verification.

Some temporary frontend state may be kept in the user's browser storage to complete a reservation, restore a pending payment flow, or retain an application reference when the backend is unavailable.

5. Payment Processing

If a user selects online payment, payment is processed through PesaPal. PesaPal receives the payment information required to initiate and confirm the transaction, such as amount, currency, reservation reference, email address, phone number, first name, and last name.

The website records payment references, tracking IDs, merchant references, amount, currency, payer contact details, payment status, confirmation details, refund flags, and timestamps. The Club does not use this website database to store full card numbers or other sensitive card payment credentials.

6. Third Parties And Processors

We do not sell personal data. We do not share website-submitted data with third parties beyond the processors needed to operate the service, unless required by law or requested by the user.

The processors used for this website include PesaPal for online payment processing, the Club's emailing service for sending reservation and membership emails to authorised teams and users, and the VPS hosting provider that hosts the website, backend, and database infrastructure.

Only concerned members of staff and authorised technical personnel are intended to access submitted data, and access is limited to what is necessary for their role.

7. Security Measures

We use practical safeguards designed to protect personal data, including input validation, rate limiting on reservation submissions, role-based access for administrative routes, encrypted membership email attachments, redaction of membership upload data before database storage, and restricted access to backend management tools.

No website or transmission method can be guaranteed to be completely secure. Users should avoid submitting unnecessary sensitive information in free-text fields such as notes, special requests, or review text.

8. Retention And Deletion

We retain personal data only for as long as it is needed for the purpose for which it was collected, including reservation management, membership review, payment reconciliation, record keeping, dispute handling, audit, and legal or operational requirements.

If you want information removed from our end, email itsupport@unitedkenyaclub.com. We will action valid removal requests within 30 days, unless we need to retain specific information for lawful, contractual, financial, audit, security, or dispute-resolution reasons.

Approved reviews or feedback may have been displayed publicly. If you ask us to remove your review or identifying details from the website, we will do so within 30 days where the request is valid and within our control.

9. Your Data Protection Rights

Subject to applicable law, you may request access to your personal data, correction of inaccurate data, deletion of data, restriction of processing, objection to processing, withdrawal of consent where processing is based on consent, and information about how your data is used.

To exercise these rights, contact itsupport@unitedkenyaclub.com and provide enough information for us to identify the relevant reservation, application, sponsor submission, review, or staff/board profile. We may need to verify your identity before acting on a request.

If you believe your data has not been handled properly, you may contact the Office of the Data Protection Commissioner in Kenya.

10. Cross-Border Access And Hosting

The website is accessible globally, and approved reviews may be viewed globally. Service providers used for hosting, email delivery, or payment processing may process or access data from locations outside Kenya depending on their infrastructure.

Where data is transferred or made accessible outside Kenya, we aim to use only what is necessary and to rely on appropriate safeguards, processor controls, contractual protections, consent, or other lawful bases recognised under Kenyan data protection law.

11. Changes To This Policy

We may update this policy as the website, Club processes, or legal requirements change. The latest version will be posted on this page with the date of update.