HEMINGWAYS HOSPITALITY LTD

PRIVACY STATEMENT

April 2024

Hemingways Hospitality Limited provides this privacy statement to describe how we may collect,
use, share, and otherwise process your personal information, as an employee of one of our
corporate clients or other individual to whom we offer or provide our services – travel, meetings
and events, and related products and services – via our websites, mobile applications, email
communications or other online and offline means.

Summary of key points

What information we collect – We collect information about you in connection with your registration, use, purchase, or inquiries about our services.

How we use your information – We use your information to provide our services, process payments, operate our websites and mobile applications, market products and services, create business insights and comply with law.

How we share your information – We may have a contract with your employer or travel sponsor, who is our corporate client, with your travel agent or with you directly and we share your information with them, as well as with our affiliates, travel suppliers and vendors to offer hotel accommodation and related services, book travel arrangements and provide our services. We do not sell or share information with third parties so that they can independently market their own products or services directly to you.

How we protect and store your information – We maintain reasonable administrative, technical, and physical security measures to protect your personal information from unauthorized access and use. The measures include but are not limited to:
• Information or data on our computer is secured by strong passwords that are updated frequently.
• Data on removable media is encrypted, password protected and stored in a safe place when not in use.
• Only authorized staff can access servers with sensitive data which is guarded by security software.

Marketing and your choices – Subject to your consent, we use your information for marketing and respect your choices about how we communicate marketing to you. We have a simplified opt-out mechanism should you not want your personal information used for direct marketing.

International transfers – We transfer your information outside of your home country as permitted by law. To protect your information, international transfers will be made under appropriate data transfer agreements and other protections.

Your rights – You have the right to be informed of whether we are processing your information, its usage, and to access, correct, delete, opt-out or object, upon request and free of charge, to our use of your information, to the extent required by applicable law.

Changes – We will tell you about material changes to this privacy statement by posting it on our website before it goes into effect and, where appropriate, communicating directly to you about the change.

Questions – If you have questions about this Privacy Statement, please contact us at dataprotection.hospitality@hemingways.co

What information we collect

Account Information – If you contact us, register with us or receive services from us, we collect
information about you. This may include your name, email address, phone numbers, employer,
and physical addresses. We may also require passport number, gender and date of birth. If we
book travel for your travel companions, we may collect similar information about them. Account
information goes into your guest/traveller profile, which is where we store the information
necessary to provide our services. You may choose to provide more information in your
guest/traveller profile, including frequent traveller credentials, government identifiers and
emergency contact information.

Travel Information – If you book services with us, we collect the details of your travel (such as
arrival and departure location, airline, hotel and car rental, rooming configuration) and any other
information needed to complete your bookings. We may also collect special categories of
information to provide accessibility, meal preferences or other requested services.

Payment Information – To pay for bookings and other transactions through our services, we
collect payment card information and other details necessary to process payments.

Device Data – We collect information about how you access our services, including your
computer’s IP address and information that can be derived from it (such as internet provider and
general geographic location), your device’s unique identifier and other technical information. We
also collect information about how you use our websites and mobile applications. We collect some
of this information using cookies and similar technologies, as described here.

How we use your information

Provide you with hotel accommodation and related services – We use your information to provide hotel accommodation and related services, book your travel, organize meetings and events, prepare itineraries and invoices, communicate with you about your travel or our products and services, provide customer service, and manage your account.

Provide our products and services to corporate clients – We use your information to comply
with our agreements with your employer, travel sponsor or travel agent, communicate about our
products and services, and help them ensure compliance with their policies.

Process payments – We use your information to process transactions and provide you with
related customer service.

Operate websites and mobile applications – We use device data to monitor and improve the performance and content of our services, provide updates, analyze trends and usage in connection with our services, and measure whether our ads and offers are effective.

Operate and improve our business – We use your information for compliance with our company policies and procedures, for accounting and financial purposes, to detect or prevent fraud or criminal activity, to perform, analyze and improve our business and services, and otherwise as required by law.

Personal data protection principles
We adhere to the principles relating to processing of personal data set out in the Data Protection
Act of 2019 (DPA) and the Data Protection Regulations in processing your personal information.
Your information will:

(a) be processed lawfully, fairly and in a transparent manner (lawfulness, fairness, and
transparency);
(b) be collected only for specified, explicit and legitimate purposes (purpose limitation);
(c) be adequate, relevant and limited to what is necessary in relation to the purposes for which
it is processed (data minimization);
(d) be accurate and where necessary kept up to date (accuracy);
(e) not be kept in a form which permits your identification for longer than is necessary for the
purposes for which the data is being processed (storage limitation);
(f) be processed in a manner that ensures its security using appropriate technical and
organizational measures to protect against unauthorized or unlawful processing and against
accidental loss, destruction or damage (security, integrity and confidentiality);
(g) not be transferred to another country without appropriate safeguards in place (transfer
limitation); and
(h) be made available to you and you will be allowed to exercise certain rights in relation to
your personal information (data subject’s rights and requests).

Marketing and your choices
We may use your personal information to tell you about our products and services or those from related businesses (such as restaurants, consumer products, tours, and entertainment), to help us determine whether you may be interested in new products or services, and to present advertising content that is tailored to your interests, location or itinerary (with your consent or as permitted by law). You have the right to select the category of marketing information you would like to receive and how you would prefer to receive it. We have a simplified opt out mechanism should you not want your personal information used for direct marketing.

Subject to your express consent, we may send you direct marketing on our websites or mobile applications, and through email and other channels, in accordance with applicable law and your choices. You have choices about how we market to you. If you’d like us to stop sending you marketing messages, you can follow the instructions in our communications or update your guest/traveller profile at any time by contacting us at marketing@hemingways.co.

We also send you messages that are essential for our services; for example, we communicate with you about your travel, to service your account, to fulfill your requests, or otherwise as required by law. Some of these service messages contain information presented to you as part of our service relationship with your employer or travel sponsor (for example, messages that help you comply with their travel policies).

If you opt out of marketing messages, you will continue to receive these service messages.

How we share your information

Your employer, travel sponsor or travel agent – Our services to you may be provided under the terms of service agreements with your employer, travel sponsor or travel agent. We share your information with them to allow them to manage their business travel needs and assure compliance with their company travel policies. At the request of your employer, travel sponsor or travel agent, we may also share information with their vendors.

Affiliates – We may share information within our corporate family to the extent permitted by law
to allow them to provide, analyze and improve their and our products and services.

Travel suppliers and other travel service providers – We share information with travel suppliers (for example, airlines and hotels) and travel service providers (for example, ticket distribution systems and travel application providers), and the vendors for both, as necessary to book your travel and provide travel-related services to you and your employer, travel sponsor or travel agent. We do not sell information to third parties so that they can independently market their own products or services directly to you.  

Vendors – We share information with vendors that perform functions on our behalf, such as travel agencies, meeting and event planners, visa and passport service providers, mobile application and software developers, and vendors who provide IT support, data hosting, marketing and communications services, and collections. These vendors access information only as necessary to perform their functions, as instructed in our contracts with them.

Business insights – We may combine data from many people to create aggregated statistics that do not identify you personally. We use this data to understand business trends and insights, and we may share them with third parties.

Business transfers – If we negotiate or complete a transaction involving all or part of the business (for example, a reorganization, merger, sale or acquisition), we may disclose information to third parties involved in the transaction to the extent permitted by law.

As required or permitted by law – We may disclose information to regulatory authorities, courts, and government agencies where we believe doing so would be permitted or required by law, regulation or legal process, or to defend the interests, rights or property of the Hemingways group or others.

We may also share personal information with other parties as directed by you or subject to your consent.

How we protect and store your information

We maintain reasonable administrative, technical, and physical security measures to protect your
information from unauthorized access and use.

Administratively:

  1. we have created an authorization matrix that is used by authorised employees;
  2. no personal data is processed beyond the intended purpose, and personal data is minimized as much as possible;
  3. we have confidentiality commitments taken from our employees who may come in contact with your personal information;
  4. we have ensured that the contracts we have signed with third parties, to whom data is transferred, include data security provisions; and
  5. we have organised that the necessary security measures are in place in relation to the entry and exit of areas that contain personal data.

Technically:

  1. we use firewalls, intrusion detection and prevention systems to secure the personal data we collect;
  2. we use strong and up-to-date anti-virus software for detection of malware;
  3. the access logs to the information systems are kept in a way that prevents any user intervention;
  4. all the personal data is retained upon being backed up, and adequate security measures have been put in place;
  5. we have means to limit the access rights to a specific range of data within the personal data set processed in the IT system.

We retain your information only as long as needed to provide our Services, for legitimate business purposes and in accordance with our Data Retention policy, unless we are required by law or regulation or for litigation and regulatory investigations to keep it for longer periods of time. Accordingly, we maintain a data retention policy and schedule that outlines the appropriate retention periods for different types of data in accordance with legal, regulatory, and business requirements, unless a different time period is provided under law or regulation or for litigation and/or regulatory investigations.  Our data retention practices are designed to protect individuals’ privacy rights, and mitigate risks associated with data storage in compliance with the DPA.

International transfers

We may transfer your information to jurisdictions outside of your home country, including to
countries with commensurate levels of data protection as your home country if it is necessary for
the provision of our services to you. Any such transfer of your personal data will be carried out in
compliance with applicable laws and we will take reasonable steps to ensure that there are
appropriate safeguards in place with respect to the security and protection of your personal data.
To protect the information, transfers will be made in accordance with appropriate data transfer
agreements and other protections. Regardless of where we process your information, we protect
it in the manner described in this Privacy Statement and in accordance with applicable laws.

Your rights

If you have created an online account with us and would like to update the information you have
provided to us, you can access your account to view and make changes or corrections to your
information. You also have the right to be informed of whether we are processing your information
and to access, correct, delete or object, upon request and free of charge, to our use of your
information. To exercise these rights, please contact us at: info@hemingways.co. We will try to
comply with your request as soon as reasonably practicable. Please note that we may need to
retain certain information for recordkeeping, to complete any transactions you began before your
request, or for other purposes as permitted by law.

Children’s Privacy

In compliance with the DPA and the data protection regulations, we recognize the importance of
protecting the privacy of children when processing their personal data. We will only process
personal data of children where we have obtained verifiable consent from their parent or guardian,
or where processing is otherwise permitted by the DPA and any other applicable laws.

Our data processing activities prioritize the best interests of children and adhere to the principle
of data minimization, purpose limitation and confidentiality. We provide for clear and
age-appropriate information regarding the processing of children’s data and also have mechanisms
against unauthorized access, disclosures, alteration, or destruction. Parents and guardians may
review, update, or request the deletion of their children’s data by contacting us through the
provided channels.

We do not knowingly collect or solicit personal data from anyone under the age of 18 or knowingly
allow such persons to use our services. If you believe we have inadvertently collected personal
information from a child without the consent of their parents or guardian, please contact us, and
we will take appropriate steps to delete the information.

Changes
We may change this Privacy Statement from time to time as our business changes or legal
requirements change. If we make material changes to this Privacy Statement, we will post a
notice on our website before the changes go into effect, and notify you as otherwise required by
applicable law.

Questions

If you have questions or complaints about Hemingways Hospitality Limited and privacy, please
contact us at:

PO Box 146, 00502 Nairobi, Kenya

Tel: +254 20 2295 000

In most cases, we will ask that you put a complaint in writing. We will investigate your
complaint and will generally respond to you in writing within 30 days of receipt. If we fail to
respond or if you are otherwise dissatisfied with the response that you receive from us, you may
have the right to make a complaint to your regulator.

Cookies and similar technologies

We use session and permanent “cookies,” small data files transferred to your device, along with
similar technologies (e.g., internet tag technologies, web beacons and embedded scripts)
(collectively referred to herein as “cookies and similar technologies”) to help provide you a better,
more personalized user experience (technical cookies). These technologies are used to make the
user experience more efficient, remember your preferences (such as browsing language and
account login information) (profile cookies), and help us understand and improve how visitors use
our websites, including which of our pages and products are viewed most frequently (analytical
cookies), and to allow us to market our products and services and third-party products and
services to you (advertising cookies).

The Options/Settings section of most internet browsers and devices will tell you how to manage
the cookies and other technologies that may be transferred to your device, including how to
disable such technologies. You can disable our cookies or all cookies through your browser or
device settings, but please note that disabling cookies may impact some of the website’s features.
Other than as described above, we generally do not comply with “do not track” signals sent by web
browsers.

For further information about the options of the main internet browsers, please see their websites at:

Internet Explorer: windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-10

Firefox: support.mozilla.org/en-US/kb/delete-cookies-remove-info-websites-stored

Chrome: support.google.com/chrome/answer/95647?hl=en

Safari: www.apple.com/legal/privacy/en-ww/cookies/
