Privacy Policy
Last updated: 27 June 2025
Kumsai LTD (doing business as "Mara Hilltop", "we", "our", "us") respects your privacy. This Policy explains how we collect, use, disclose, and protect personal data when you interact with our WhatsApp guest-concierge service and marahilltop.com (together, the "Services").
1. Who we are
Kumsai LTD
Three Bees Complex, opposite Drifield Kenya Ltd,
Maasai Road, off ICD Road, off Main Mombasa Road,
P.O. Box 18095-00500, Nairobi, Kenya
KRA PIN P051847757C
Email: nj@marahilltop.com
Tel: +254 114 505977
For EU/UK GDPR matters, we act as the data controller.
For California residents, we comply with the California Consumer Privacy Act (CCPA).
Our Data-Protection Officer can be reached at nj@marahilltop.com.
2. Information we collect
| Category | Details | Source |
|---|---|---|
| Identification | Name, phone number, nationality, age-range | You |
| Booking details | Check-in/out dates, room type, special requests | You / booking engine |
| Conversation content | Messages you send to the bot, feedback forms | You |
| Technical data | WhatsApp metadata (timestamps, device type), IP address when using our website | Automatic |
We do not knowingly collect data from children under 18 and the Services are not intended for them. If you are 15-17 and use the concierge, please obtain a parent or guardian's consent.
3. Why we process your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide, confirm, or modify your lodging reservation | Contract performance |
| Respond to questions / guest support | Contract performance |
| Send arrival, departure, or safety notices | Legitimate interest |
| Improve Services & prevent fraud | Legitimate interest |
| Meet legal / tax obligations | Legal obligation |
| Marketing messages only if you opt-in | Consent |
4. Sharing of data
We share necessary data with trusted processors:
- Property-management / booking-engine provider (stores your reservation)
- Cloud hosting & analytics services (secure message processing)
All processors are bound by confidentiality and data-protection agreements. We do not sell your personal information.
5. International transfers
Data may be transferred outside Kenya (e.g., EU/US). We use safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions where required.
6. Retention
Chat transcripts and booking data are kept for 12 months after check-out, then deleted or anonymised unless we must keep them longer to resolve disputes or comply with the law.
7. Your rights
EU/UK residents (GDPR)
You may access, correct, erase, restrict, object, or request portability of your data, or lodge a complaint with your supervisory authority.
California residents (CCPA/CPRA)
You have the right to know, delete, correct, and opt-out of "sharing" for cross-context advertising. We will not discriminate against you for exercising CCPA rights.
To exercise any right, email nj@marahilltop.com or write to our postal address.
8. Security
We employ TLS encryption in transit, role-based access controls, and annual penetration testing. No method is 100% secure, but we take commercially reasonable measures to protect your data.
9. Changes
We may update this Policy from time to time. Material changes will be posted 14 days before they take effect.
10. Contact
Questions? Email nj@marahilltop.com or call +254 114 505977 (Kenya).