← Arrive

Privacy & Data Protection

Last updated: 26 June 2026

This policy describes how Kerry Lotee, trading as Arrive, collects and uses personal data in connection with the Arrive platform. It applies to both hosts (those who create accounts to list accommodation) and guests (travellers who make bookings).

Arrive is committed to compliance with the Kenya Data Protection Act 2019 (DPA 2019) and the Data Protection (General) Regulations 2021.

1. Who controls your data

Host account data — data you provide when creating or managing your Arrive account (name, business name, email, phone, banking details for Paystack) — is controlled by Arrive.

Guest booking data— data a guest provides when making a reservation (name, email, phone, booking dates) — is controlled by the host whose booking page the guest used. Arrive processes that data on the host’s behalf as a data processor.

2. What data we collect

Hosts: business name; contact name; email address; phone number; Paystack account details (your Paystack key, stored encrypted and never shown in plain text once saved); subscription billing records; listing content (unit descriptions, photos, pricing).

Guests: first and last name; email address; phone number (optional); booking dates, unit, and number of guests; deposit payment reference from Paystack (no card data — Paystack is PCI-DSS compliant and we receive only a transaction reference).

Usage data: IP address, browser/device type, pages visited, and booking page interactions, collected via server logs and standard Next.js telemetry. We do not use third-party advertising trackers.

3. Why we process your data (legal basis)

Contract performance — processing necessary to provide the Arrive service to hosts and to fulfil bookings for guests.

Legal obligation — retaining transaction records as required by Kenyan tax law.

Legitimate interests — platform security, fraud prevention, service improvement. We balance these interests against your rights and will not override them where your privacy interests are stronger.

Consent — where we send marketing communications to hosts, on an opt-in basis. You may withdraw consent at any time.

4. Who we share data with

We share personal data only with the following processors, all of whom are contractually bound to handle it appropriately:

  • Supabase Inc. (database and auth infrastructure) — data stored on AWS in the EU (eu-west-1 region).
  • Resend Inc. (transactional email delivery) — processes email address and booking details to send booking confirmation and review request emails.
  • Cloudinary Inc. (image hosting) — hosts unit photos uploaded by hosts. No guest personal data is sent to Cloudinary.
  • Paystack Inc. (payment initiation) — receives guest name and email for the payment session. Paystack is the data controller for card and payment data.
  • Vercel Inc. (application hosting) — processes server requests. Vercel does not retain personal data beyond transient request handling.

We do not sell personal data to third parties. We do not share data with advertising networks.

5. How long we keep data

Host account data — retained for the duration of your subscription and for seven years after account closure, as required by Kenyan tax record-keeping obligations.

Guest booking data — retained for three years from the booking date, then securely deleted, unless the host requests earlier deletion or applicable law requires longer retention.

Usage logs — retained for 90 days, then deleted.

6. Cookies and tracking

Arrive uses session cookies set by Supabase Auth to maintain your login state. We do not use advertising cookies, profiling cookies, or third-party analytics trackers that share data with ad networks.

Vercel Edge Network may set performance cookies for CDN routing. These contain no personal data.

7. Your rights under the DPA 2019

Under the Kenya Data Protection Act 2019 you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate data.
  • Deletion — ask us to delete your data, subject to our legal retention obligations.
  • Objection — object to processing based on legitimate interests.
  • Data portability — receive your data in a machine-readable format.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@arrive.co.ke. We will respond within 21 days as required by the DPA 2019.

If you are not satisfied with our response you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC).

8. Data security

All data is encrypted in transit (TLS 1.2+) and at rest. Access to production data is restricted to authorised personnel. Database row-level security ensures each host can only access their own records.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the ODPC within 72 hours of becoming aware of the breach, as required by the DPA 2019.

9. Children

Arrive is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. We will notify hosts by email before material changes take effect. The “last updated” date at the top of this page will always reflect the most recent revision.

11. Contact

Data protection enquiries: privacy@arrive.co.ke

General: hello@arrive.co.ke