Last updated: 27 June 2025
Kumsai LTD (doing business as "Mara Hilltop", "we", "our", "us") respects your privacy. This Policy explains how we collect, use, disclose, and protect personal data when you interact with our WhatsApp guest-concierge service and marahilltop.com (together, the "Services").
Kumsai LTD
Three Bees Complex, opposite Drifield Kenya Ltd,
Maasai Road, off ICD Road, off Main Mombasa Road,
P.O. Box 18095-00500, Nairobi, Kenya
KRA PIN P051847757C
Email: nj@marahilltop.com
Tel: +254 713 290 093
For EU/UK GDPR matters, we act as the data controller.
For California residents, we comply with the California Consumer Privacy Act (CCPA).
Our Data-Protection Officer can be reached at nj@marahilltop.com.
| Category | Details | Source |
|---|---|---|
| Identification | Name, phone number, nationality, age-range | You |
| Booking details | Check-in/out dates, room type, special requests | You / booking engine |
| Conversation content | Messages you send to the bot, feedback forms | You |
| Technical data | WhatsApp metadata (timestamps, device type), IP address when using our website | Automatic |
We do not knowingly collect data from children under 18 and the Services are not intended for them. If you are 15-17 and use the concierge, please obtain a parent or guardian's consent.
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide, confirm, or modify your lodging reservation | Contract performance |
| Respond to questions / guest support | Contract performance |
| Send arrival, departure, or safety notices | Legitimate interest |
| Improve Services & prevent fraud | Legitimate interest |
| Meet legal / tax obligations | Legal obligation |
| Marketing messages only if you opt-in | Consent |
We share necessary data with trusted processors:
All processors are bound by confidentiality and data-protection agreements. We do not sell your personal information.
Data may be transferred outside Kenya (e.g., EU/US). We use safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions where required.
Chat transcripts and booking data are kept for 12 months after check-out, then deleted or anonymised unless we must keep them longer to resolve disputes or comply with the law.
You may access, correct, erase, restrict, object, or request portability of your data, or lodge a complaint with your supervisory authority.
You have the right to know, delete, correct, and opt-out of "sharing" for cross-context advertising. We will not discriminate against you for exercising CCPA rights.
To exercise any right, email nj@marahilltop.com or write to our postal address.
We employ TLS encryption in transit, role-based access controls, and annual penetration testing. No method is 100% secure, but we take commercially reasonable measures to protect your data.
We may update this Policy from time to time. Material changes will be posted 14 days before they take effect.
Questions? Email nj@marahilltop.com or call +254 713 290 093 (Kenya).