← Karibu Safari Journal

Privacy Policy

Karibu Safari Journal · Operated by Karibu Camps & Lodges Limited
Effective date: 18 June 2026 · Last updated: 18 June 2026

This policy explains what personal information we collect when you use the Karibu Safari Journal app or website, why we collect it, who we share it with, and the rights you have over your data. We have written it in plain English because we want you to actually read it.

If you would prefer to read this in another language, contact us at the address below and we will send you a translated copy.

1. Who we are

The data controller is Karibu Camps & Lodges Limited, a hospitality company registered in Tanzania. Throughout this policy "we", "us" and "Karibu" refer to that company.

If you are in the European Union and prefer to raise privacy questions with a representative in the EU, please email us first and we will direct you to the right point of contact.

2. What information we collect and why

We try to collect as little as we can. Here is everything:

When you create an account

When you record a wildlife sighting

When you save a photo to your gallery

The same as above, plus an optional caption.

When you redeem a voucher

The voucher code and the partner lodge it came from. We record this so we can credit your token balance and track partner sales.

When the app talks to our server

Standard request metadata: your IP address, the type of device and operating system, and the URL you requested. We use this to debug problems and to detect abuse. We do not run third-party advertising trackers, and we do not sell traffic data.

What we do NOT collect

3. How our AI image scan works

When you scan a wildlife photo, the image is sent to Google Gemini Vision to identify the species. Google processes the image to return a result; under Google's terms with us, they do not use that image to train their general-purpose models. The image is also stored on our own servers so you can see it later in your journal.

We may compute a small numerical "fingerprint" (a feature vector) from the image and store it in our community species index. This helps the app suggest matches for similar species you photograph in the future. You can opt out of contributing to this community index at any time from Settings → Community Intelligence. If you opt out, your fingerprints are not added to the index and your future scans do not contribute either.

4. Lawful bases (UK / EU GDPR)

We rely on the following lawful bases for processing:

PurposeLawful basis
Creating and managing your accountContract — Article 6(1)(b)
Recording your sightings, photos, and tripsContract — Article 6(1)(b)
AI species identificationContract — Article 6(1)(b)
Voucher redemption and token accountingContract — Article 6(1)(b)
Sending you marketing emailsConsent — Article 6(1)(a). You opt in at signup; you can withdraw at any time.
Contributing your image fingerprints to the community indexConsent — Article 6(1)(a). You can opt out in Settings.
Keeping anonymous sightings after deletionLegitimate interests — Article 6(1)(f). The legitimate interest is citizen-science contribution to wildlife distribution data. We balance this against your rights by stripping every personal identifier first.
Detecting abuse and securing the platformLegitimate interests — Article 6(1)(f)

5. Who we share your data with

We use a small number of trusted service providers (sub-processors). Each is bound by a data processing agreement that requires them to handle your information lawfully.

Sub-processorWhat they doWhere
Google LLCAI species identification (Gemini Vision)United States
Cloudflare, Inc.CDN, DDoS protection, R2 object storageMultiple regions; EU where possible
HostingerServer hostingFrankfurt, Germany
SendGrid / Amazon SESTransactional emailEU region
Apple Inc.Sign in with Apple (if you choose it)United States
Google LLC (Identity)Sign in with Google (if you choose it)United States

We do not sell your personal information to any third party. A current list of our sub-processors is available on request from privacy@karibucamps.com.

6. International transfers

Our primary servers are in Frankfurt, Germany (inside the EU). Some of our sub-processors (Google for AI, Apple and Google for sign-in) process data in the United States, and our parent company is based in Tanzania.

We rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal basis for transferring personal data outside the EU. We have also assessed each transfer for additional safeguards, such as encryption in transit and at rest.

If you are in the UK we rely on the UK Addendum to the SCCs.

7. How long we keep your data

8. Your rights

Under the EU and UK GDPR you have the following rights. To exercise any of them, email privacy@karibucamps.com or use the in-app controls listed below.

We respond to all rights requests within 30 days, and free of charge for the first request in a 12-month period.

9. Marketing communications

You will only receive marketing emails from us if you ticked the "Send me Karibu travel updates" box during signup. Every marketing email includes a one-click unsubscribe link.

Transactional emails (verification, password reset, receipts, booking confirmations) are sent on the basis of contract and are not optional, because they are necessary to operate your account.

10. Children

The app is intended for adult travellers. We do not knowingly process personal information of anyone under 16 years of age. We ask you to confirm you are 16 or older during account creation. If you are a parent and believe your child has signed up, please contact us and we will delete the account.

11. Security

We use HTTPS for all traffic, encrypt account passwords with bcrypt, store voucher codes with a one-way hash, and isolate our database inside a private Docker network not reachable from the public internet. We restrict administrative access to authorized personnel, log all access, and review logs regularly.

No system is ever perfectly secure. If a breach affecting your personal information ever occurs we will notify the relevant data protection authority within 72 hours, as required by Article 33 of the GDPR, and contact you directly if there is a high risk to your rights and freedoms.

12. Cookies and similar technologies

On the web version of the app we use the following:

In the native iOS app there are no cookies; the same information is stored in the app's own sandboxed storage.

13. Tanzania Personal Information Protection Act (PIPA 2022)

For users in Tanzania, we also comply with the Personal Information Protection Act 2022. The data controller (Karibu Camps & Lodges Limited) is registered with the Personal Information Protection Commission. Tanzanian users have the rights set out in sections 25–32 of that Act, which mirror the rights described in Section 8 above.

14. Changes to this policy

If we make material changes we will notify you in the app and, where appropriate, by email at least 30 days before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent version.

15. Contact

Questions, requests, or complaints:

We aim to respond within 5 working days.

This document is in plain English on purpose. If there is anything you do not understand, write to us and we will explain it.