Privacy Policy

Personal identification data

• Full name (first name and last name)
• Email address
• Phone number and/or WhatsApp number
• Nationality and country of residence
• Passport number and expiry date (required for park permit applications)
• Date of birth (required for Kilimanjaro KINAPA permits)

Trip and booking data

• Safari or climb package selected, dates, and duration
• Group size and composition (adults, children, ages)
• Accommodation tier preference (budget, mid-range, luxury)
• Flight arrival/departure details and airline information
• Emergency contact name and phone number
• Travel insurance provider and policy number

Health and special requirements

• Dietary requirements and food allergies (to inform lodge and camp kitchens)
• Medical conditions relevant to high-altitude trekking (voluntarily disclosed for safety)
• Accessibility requirements or mobility considerations
• Medication declarations relevant to altitude (voluntary, for guide awareness)

Payment data

• We do not store payment card numbers, CVV codes, or banking credentials on our servers
• Payments are processed through secure third-party payment gateways (Stripe, bank transfer)
• We retain records of amounts paid, payment dates, and transaction references for accounting purposes

Technical and usage data

• IP address, browser type and version, operating system
• Pages visited, time spent on pages, referral source
• Device type (desktop, mobile, tablet)
• Cookie data (see Section 9 for full details)

We collect your personal data through the following channels:

We do not purchase, rent, or obtain personal data lists from third parties. All data we hold has been provided directly by you or generated by your use of our website.

Primary purposes

• To respond to your safari, Kilimanjaro, or Zanzibar enquiry and provide a customised quote
• To arrange and confirm your booking — including lodges, park permits, vehicle, guide, and transfers
• To apply for national park permits with TANAPA, NCAA, and KINAPA on your behalf (requires passport data)
• To communicate trip logistics, itinerary changes, safety briefings, and pre-departure information
• To provide emergency contact and medical information to guides for safety during your trip
• To process payments and maintain accurate financial records
• To issue invoices, receipts, and booking confirmations

Secondary purposes

• To send post-trip review requests (one email only, opt-out available)
• To send seasonal safari newsletters and offers — only if you have subscribed or opted in
• To analyse website usage and improve content, navigation, and booking conversion (anonymised data)
• To comply with Tanzania tourism, tax, and record-keeping regulations
• To defend against legal claims or disputes where necessary

What we will never do

• Sell, rent, or trade your personal data to any third party for commercial gain
• Send you unsolicited marketing emails without your explicit consent
• Use your data for automated decision-making or profiling that produces legal effects
• Share your health or medical data with any party other than your assigned guide and lodge (for safety)
• Retain your data beyond the periods specified in Section 8

Under the GDPR (for customers in the EU/EEA/UK) and Tanzania's Personal Data Protection Act, every processing activity must have a lawful basis. Here is how our processing activities are lawfully justified:

We share your personal data only where it is strictly necessary to deliver your trip or comply with legal obligations. The parties we may share data with are:

We require all third parties who process data on our behalf to protect it using standards equivalent to our own. We do not permit our service partners to use your personal data for their own marketing purposes.

Resilience Expedition is based in Tanzania. If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data transfer restrictions, please be aware that your personal data will be transferred to and processed in Tanzania, which may not have data protection laws equivalent to your home country.

We transfer your data internationally only where:

• The transfer is necessary to perform your safari or climb booking contract — for example, submitting your passport details to TANAPA, NCAA, or KINAPA for permit registration
• The transfer is to tools that provide adequate safeguards — Google Workspace (Google LLC), which maintains Standard Contractual Clauses (SCCs) approved by the European Commission
• You have provided explicit consent to the transfer after being informed of the risks

For EEA/UK customers, we rely on the necessity of contract performance (Article 46(2)(c) GDPR) and SCCs as the primary safeguards for international transfers. A copy of the applicable transfer mechanism is available on request by emailing tours@resilienceexpedition.com.

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Our retention periods are:

After retention periods expire, data is permanently deleted from our systems and from all cloud services we use. If you wish to request earlier deletion, please contact us at tours@resilienceexpedition.com (see Section 10 — Your Rights).

Our website uses cookies — small text files placed on your device — to improve your browsing experience, understand how visitors use our site, and occasionally to show relevant content. Here is a breakdown of the types of cookies we use:

Managing your cookie preferences

You can control and/or delete cookies as you wish. You can delete all cookies that are already on your computer, and you can set most browsers to prevent them from being placed. However, if you do this, you may have to manually adjust some preferences every time you visit our site.

• Browser settings: All major browsers allow you to control cookies through their settings/preferences. Search your browser's help documentation for "cookies"
• Google Analytics opt-out: Install the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout
• Cookie banner: When you first visit our site, our cookie consent banner allows you to accept or decline optional cookies

Under applicable data protection law, you have the following rights regarding your personal data. To exercise any of these rights, email tours@resilienceexpedition.com. We will respond within 30 calendar days (or within the statutory timeframe required by applicable law).

Our website is not directed at children under the age of 16, and we do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent.

When a child under 16 travels with us as part of a family group, their personal data (name, nationality, passport details, age) is collected for the sole purpose of national park permit applications (all visitors must be registered, regardless of age). This data is:

• Provided by the parent or legal guardian — not collected directly from the child
• Used only for permit applications to TANAPA, NCAA, or KINAPA
• Deleted 6 months after trip completion in line with our retention schedule
• Never used for marketing or any purpose other than the booking and trip delivery

If you believe we have inadvertently collected data relating to a child under 16 without appropriate consent, please contact us immediately at tours@resilienceexpedition.com and we will delete it promptly.

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, destruction, or alteration.

Technical safeguards

• Our website is served over HTTPS with TLS encryption on all pages
• Enquiry and booking forms transmit data over encrypted connections
• Email communications are handled through Google Workspace, which provides encryption at rest and in transit
• Payment processing is handled exclusively by PCI-DSS compliant payment processors (Stripe). We never see or store your card details
• Access to customer data within our team is restricted on a need-to-know basis
• Team accounts use two-factor authentication (2FA) where available

Organisational safeguards

• Staff are trained on data protection principles and confidentiality obligations
• Third-party service partners are contractually required to maintain equivalent security standards
• We conduct periodic reviews of our data handling practices
• Physical documents containing personal data (printed booking forms) are stored securely and shredded after use

While we implement these measures, no internet transmission is 100% secure. We cannot guarantee absolute security of data transmitted to our site, but we will notify you promptly in the event of a breach affecting your data.

Our website may contain links to external websites operated by third parties — such as national park authority websites, hotel booking platforms, review sites (TripAdvisor, Google), social media platforms (Facebook, Instagram), and payment processors.

This Privacy Policy applies only to the Resilience Expedition website and the data we process. When you click a link to an external site, you leave our jurisdiction and the third party's own privacy policy applies. We:

• Are not responsible for the privacy practices or content of any third-party websites
• Do not endorse, monitor, or control third-party privacy policies
• Recommend you read the privacy policy of any external website before submitting personal data to it

Third-party services embedded in or used alongside our website include:

• Google Analytics — usage analytics. Privacy policy: policies.google.com/privacy
• Google Maps — embedded maps. Privacy policy: policies.google.com/privacy
• Stripe — payment processing. Privacy policy: stripe.com/privacy
• WhatsApp (Meta) — customer messaging. Privacy policy: whatsapp.com/legal/privacy-policy
• Unsplash — photography sourcing. Privacy policy: unsplash.com/privacy

We reserve the right to update this Privacy Policy at any time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:

• Update the "Last updated" date at the top of this page and in the hero section
• Where the change materially affects how we process your data, notify active customers by email
• Maintain the previous version of this policy, available on request from tours@resilienceexpedition.com

We encourage you to review this Privacy Policy periodically. Your continued use of our website or services after any changes constitutes acceptance of the updated policy.

Version history

If you have any questions, concerns, or complaints about this Privacy Policy or the way we handle your personal data, please contact us using the details below. We are committed to resolving any data protection concerns fairly and promptly.

If you are not satisfied with our response

If you have raised a concern with us and are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority:

• Tanzania: Tanzania Communications Regulatory Authority (TCRA) — tcra.go.tz — which oversees the Tanzania Personal Data Protection Act
• EU/EEA residents: Your local national Data Protection Authority (DPA). A full list is available at edpb.europa.eu
• UK residents: Information Commissioner's Office (ICO) — ico.org.uk — helpline: 0303 123 1113

We always prefer the opportunity to address your concern directly before you escalate to a supervisory authority. Please contact us first — we aim to resolve all data protection concerns within 30 calendar days.