Legal

Privacy

Effective 16 May 2026.

Draft. This document describes how the platform is built. It is not yet signed off by external counsel. Specific retention periods, response windows, and sub-processor commitments below are working positions, not contracts. Email legal@safarimondo.pro for the contract terms attached to your subscription.

Who we are

Safarimondo Pro is operated by Safarimondo — an entity registered in Kenya with a UK subsidiary for traveller-side payments. For your operator data, you are the data controller; we are the processor under the DPA you signed at onboarding. For Bush forum content posted by your users, we are joint controllers — see the Bush section below.

What we collect

  • Operator accounts. Name, email, role, organisation membership, and audit-log entries for every action taken in the product.
  • Inbound enquiries. The raw email, WhatsApp message, voice note, or web-form submission; the structured brief Safari AI extracted from it; and the links to the resulting itinerary.
  • Itinerary and trip data. Day plans, line items, pricing, traveller names, dietary requirements, emergency contacts. Traveller passport numbers — when entered — are encrypted at rest with per-organisation keys; nobody at Safarimondo can read them.
  • Bush forum content. Threads, posts, reactions. Visible to every verified-operator org on the network by design.

Where data lives

Supabase EU-West (Frankfurt) is the primary database. Backups stay in the EU. Raw PII never leaves our network for any AI provider — scrubForAi() runs before every prompt. The scrubbing rules are documented in SECURITY.md in our public repo. Anthropic and OpenAI see structured briefs with traveller names replaced by {Guest A}, {Guest B} placeholders.

Who sees what

  • Row-level security on every table. Operator data is scoped to your organisation at the database row level. Cross-organisation reads are technically impossible without a service-role key, which is never exposed to user-facing code paths. We re-audit RLS coverage on every schema migration.
  • Bush forum content. Visible to every verified-operator org on the network. That is the product. Author identity (name, organisation, tier badge) shows on every post. Soft-delete on confirmed abuse; otherwise content stays.
  • Public proposal pages. Accessible by token only. The token is the credential — anyone with the URL can view the proposal. Pages render via a SECURITY DEFINER Postgres function that returns only the proposal payload — no other org data leaks. Tokens are 256-bit random values, so guessing a valid one is computationally infeasible.

How long we keep data

  • Operator data. For the lifetime of your subscription plus 90 days for billing reconciliation. On cancellation, we delete within 90 days unless you request earlier.
  • Traveller PII. Deleted within 30 days of trip completion unless you extend retention. Passport numbers go first.
  • Bush forum content. Retained while your organisation has at least one active subscription. Your posts persist in the historical record (so threads don’t become incoherent); your authorship is preserved unless you request author-anonymisation.

Your rights

Under GDPR (for EU operators), POPIA (South Africa), and the Kenya Data Protection Act 2019, you can request access, correction, export, deletion (subject to legitimate-interest exceptions for billing and audit), and objection to processing. Email privacy@safarimondo.pro. We respond within 14 working days. For data-subject requests from your travellers, route through your own data-controller process — we’ll fulfil sub-processor obligations as defined in our DPA.

Sub-processors

  • Supabase — database, auth, storage, edge functions. Frankfurt, EU.
  • Vercel — hosting, edge compute. Frankfurt + Cape Town edges; data-plane in EU.
  • Anthropic — AI inference (Sonnet, Haiku). US — PII scrubbed before request.
  • OpenAI — embeddings (text-embedding-3-small). US — PII scrubbed before request.
  • Resend — transactional email. EU.
  • 360dialog — WhatsApp Business API. EU.
  • Cloudflare Turnstile — abuse prevention on public forms. Global; no PII.
  • Sentry — error observability. EU.
  • PostHog — product analytics, org-scoped events, no PII. EU.
  • Vercel Analytics — aggregate marketing-site analytics. EU.

We notify you 30 days before adding a new sub-processor. Material changes (new region, new data category) require renewed DPA acknowledgement.

Cookies

Strictly necessary cookies only — Supabase auth (SSR session) and one functional PostHog cookie for org-scoped analytics. No advertising cookies. No cross-site tracking. No third-party pixels.

How to talk to us

privacy@safarimondo.pro for data requests and DPA queries. legal@safarimondo.pro for contract or breach matters. security@safarimondo.pro for vulnerability reports — we run a coordinated disclosure programme; first response inside 48 hours.