Last updated: 26 June 2026
This policy describes how Kerry Lotee, trading as Arrive, collects and uses personal data in connection with the Arrive platform. It applies to both hosts (those who create accounts to list accommodation) and guests (travellers who make bookings).
Arrive is committed to compliance with the Kenya Data Protection Act 2019 (DPA 2019) and the Data Protection (General) Regulations 2021.
Host account data — data you provide when creating or managing your Arrive account (name, business name, email, phone, banking details for Paystack) — is controlled by Arrive.
Guest booking data— data a guest provides when making a reservation (name, email, phone, booking dates) — is controlled by the host whose booking page the guest used. Arrive processes that data on the host’s behalf as a data processor.
Hosts: business name; contact name; email address; phone number; Paystack account details (your Paystack key, stored encrypted and never shown in plain text once saved); subscription billing records; listing content (unit descriptions, photos, pricing).
Guests: first and last name; email address; phone number (optional); booking dates, unit, and number of guests; deposit payment reference from Paystack (no card data — Paystack is PCI-DSS compliant and we receive only a transaction reference).
Usage data: IP address, browser/device type, pages visited, and booking page interactions, collected via server logs and standard Next.js telemetry. We do not use third-party advertising trackers.
Contract performance — processing necessary to provide the Arrive service to hosts and to fulfil bookings for guests.
Legal obligation — retaining transaction records as required by Kenyan tax law.
Legitimate interests — platform security, fraud prevention, service improvement. We balance these interests against your rights and will not override them where your privacy interests are stronger.
Consent — where we send marketing communications to hosts, on an opt-in basis. You may withdraw consent at any time.
We share personal data only with the following processors, all of whom are contractually bound to handle it appropriately:
We do not sell personal data to third parties. We do not share data with advertising networks.
Host account data — retained for the duration of your subscription and for seven years after account closure, as required by Kenyan tax record-keeping obligations.
Guest booking data — retained for three years from the booking date, then securely deleted, unless the host requests earlier deletion or applicable law requires longer retention.
Usage logs — retained for 90 days, then deleted.
Arrive uses session cookies set by Supabase Auth to maintain your login state. We do not use advertising cookies, profiling cookies, or third-party analytics trackers that share data with ad networks.
Vercel Edge Network may set performance cookies for CDN routing. These contain no personal data.
Under the Kenya Data Protection Act 2019 you have the right to:
To exercise any of these rights, contact us at privacy@arrive.co.ke. We will respond within 21 days as required by the DPA 2019.
If you are not satisfied with our response you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC).
All data is encrypted in transit (TLS 1.2+) and at rest. Access to production data is restricted to authorised personnel. Database row-level security ensures each host can only access their own records.
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the ODPC within 72 hours of becoming aware of the breach, as required by the DPA 2019.
Arrive is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
We may update this policy from time to time. We will notify hosts by email before material changes take effect. The “last updated” date at the top of this page will always reflect the most recent revision.
Data protection enquiries: privacy@arrive.co.ke
General: hello@arrive.co.ke