This policy explains what personal information we collect when you use the Karibu Safari Journal app or website, why we collect it, who we share it with, and the rights you have over your data. We have written it in plain English because we want you to actually read it.
If you would prefer to read this in another language, contact us at the address below and we will send you a translated copy.
The data controller is Karibu Camps & Lodges Limited, a hospitality company registered in Tanzania. Throughout this policy "we", "us" and "Karibu" refer to that company.
If you are in the European Union and prefer to raise privacy questions with a representative in the EU, please email us first and we will direct you to the right point of contact.
We try to collect as little as we can. Here is everything:
The same as above, plus an optional caption.
The voucher code and the partner lodge it came from. We record this so we can credit your token balance and track partner sales.
Standard request metadata: your IP address, the type of device and operating system, and the URL you requested. We use this to debug problems and to detect abuse. We do not run third-party advertising trackers, and we do not sell traffic data.
When you scan a wildlife photo, the image is sent to Google Gemini Vision to identify the species. Google processes the image to return a result; under Google's terms with us, they do not use that image to train their general-purpose models. The image is also stored on our own servers so you can see it later in your journal.
We may compute a small numerical "fingerprint" (a feature vector) from the image and store it in our community species index. This helps the app suggest matches for similar species you photograph in the future. You can opt out of contributing to this community index at any time from Settings → Community Intelligence. If you opt out, your fingerprints are not added to the index and your future scans do not contribute either.
We rely on the following lawful bases for processing:
| Purpose | Lawful basis |
|---|---|
| Creating and managing your account | Contract — Article 6(1)(b) |
| Recording your sightings, photos, and trips | Contract — Article 6(1)(b) |
| AI species identification | Contract — Article 6(1)(b) |
| Voucher redemption and token accounting | Contract — Article 6(1)(b) |
| Sending you marketing emails | Consent — Article 6(1)(a). You opt in at signup; you can withdraw at any time. |
| Contributing your image fingerprints to the community index | Consent — Article 6(1)(a). You can opt out in Settings. |
| Keeping anonymous sightings after deletion | Legitimate interests — Article 6(1)(f). The legitimate interest is citizen-science contribution to wildlife distribution data. We balance this against your rights by stripping every personal identifier first. |
| Detecting abuse and securing the platform | Legitimate interests — Article 6(1)(f) |
We use a small number of trusted service providers (sub-processors). Each is bound by a data processing agreement that requires them to handle your information lawfully.
| Sub-processor | What they do | Where |
|---|---|---|
| Google LLC | AI species identification (Gemini Vision) | United States |
| Cloudflare, Inc. | CDN, DDoS protection, R2 object storage | Multiple regions; EU where possible |
| Hostinger | Server hosting | Frankfurt, Germany |
| SendGrid / Amazon SES | Transactional email | EU region |
| Apple Inc. | Sign in with Apple (if you choose it) | United States |
| Google LLC (Identity) | Sign in with Google (if you choose it) | United States |
We do not sell your personal information to any third party. A current list of our sub-processors is available on request from privacy@karibucamps.com.
Our primary servers are in Frankfurt, Germany (inside the EU). Some of our sub-processors (Google for AI, Apple and Google for sign-in) process data in the United States, and our parent company is based in Tanzania.
We rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal basis for transferring personal data outside the EU. We have also assessed each transfer for additional safeguards, such as encryption in transit and at rest.
If you are in the UK we rely on the UK Addendum to the SCCs.
Under the EU and UK GDPR you have the following rights. To exercise any of them, email privacy@karibucamps.com or use the in-app controls listed below.
We respond to all rights requests within 30 days, and free of charge for the first request in a 12-month period.
You will only receive marketing emails from us if you ticked the "Send me Karibu travel updates" box during signup. Every marketing email includes a one-click unsubscribe link.
Transactional emails (verification, password reset, receipts, booking confirmations) are sent on the basis of contract and are not optional, because they are necessary to operate your account.
The app is intended for adult travellers. We do not knowingly process personal information of anyone under 16 years of age. We ask you to confirm you are 16 or older during account creation. If you are a parent and believe your child has signed up, please contact us and we will delete the account.
We use HTTPS for all traffic, encrypt account passwords with bcrypt, store voucher codes with a one-way hash, and isolate our database inside a private Docker network not reachable from the public internet. We restrict administrative access to authorized personnel, log all access, and review logs regularly.
No system is ever perfectly secure. If a breach affecting your personal information ever occurs we will notify the relevant data protection authority within 72 hours, as required by Article 33 of the GDPR, and contact you directly if there is a high risk to your rights and freedoms.
On the web version of the app we use the following:
In the native iOS app there are no cookies; the same information is stored in the app's own sandboxed storage.
For users in Tanzania, we also comply with the Personal Information Protection Act 2022. The data controller (Karibu Camps & Lodges Limited) is registered with the Personal Information Protection Commission. Tanzanian users have the rights set out in sections 25–32 of that Act, which mirror the rights described in Section 8 above.
If we make material changes we will notify you in the app and, where appropriate, by email at least 30 days before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent version.
Questions, requests, or complaints:
We aim to respond within 5 working days.