SafariRail ("we", "us", "our") operates safarirail.co.ke, an independent Madaraka Express booking assistance service. This policy explains how we collect, use, store, and protect your personal data when you use our site or booking service.
SafariRail is not affiliated with, endorsed by, or an official channel of Kenya Railways Corporation. We book tickets on your behalf through Kenya Railways' own official channels, using your name and identification.
1. Who We Are
SafariRail operates under Nexara Labs, a registered ICT and digital solutions sole proprietorship in Nairobi, Kenya. For data protection purposes, SafariRail acts as a data controller as defined under Section 2 of the Data Protection Act, No. 24 of 2019 ("the DPA"), since we determine the purpose and means of processing your personal data.
2. Legal Framework
This policy is prepared to comply with:
- The Constitution of Kenya, 2010 - Article 31(c) and (d), which guarantee every person's right to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed.
- The Data Protection Act, No. 24 of 2019 - Kenya's principal data protection statute, establishing the Office of the Data Protection Commissioner (ODPC) and the core principles governing lawful processing of personal data.
- The Data Protection (General) Regulations, 2021 - which elaborate on data subject rights, security safeguards, breach notification, and cross-border transfer requirements.
- The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 - which govern the registration obligations of entities processing personal data, including transport service providers.
- The Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 - which set out how data subjects may lodge complaints with the ODPC.
- The Computer Misuse and Cybercrimes Act, 2018 - which criminalizes unauthorized access to, or interference with, computer systems and data, and informs our security practices.
3. What Data We Collect
To book your Madaraka Express ticket, we collect:
- Full name, as it appears on your ID or passport.
- National ID, passport number, or other identification document required by Kenya Railways.
- Phone number and email address.
- Payment confirmation details, including M-Pesa transaction codes, Wise, Remitly, Sendwave reference numbers, or equivalent.
- Travel details, including route, date, and class of travel.
- Communications you send us via WhatsApp, email, or our contact form.
We do not collect sensitive personal data, as defined under the DPA, including health, biometric, or ethnic origin data, unless you volunteer it in correspondence, and we do not use it for any purpose.
4. Why We Process Your Data
Consistent with the lawfulness, fairness, and purpose-limitation principles under the DPA, we process your data only to:
- Book your train ticket through Kenya Railways' official channels in your name.
- Confirm your booking and send you your ticket.
- Process refunds, rescheduling, or cancellations on your behalf.
- Respond to your enquiries.
- Meet our own record-keeping obligations, including for fraud prevention and dispute resolution.
We do not sell your data, and we do not use it for marketing without your separate consent.
5. Sharing Your Data
Your data is shared only where necessary to complete your booking:
- Kenya Railways Corporation - to purchase your ticket, since the ticket must be issued in your name and ID as required by KRC's own ticketing rules.
- Payment intermediaries, including M-Pesa/Safaricom, Wise, Remitly, Sendwave, or similar, solely to process and confirm your payment.
We do not share your data with advertisers or unrelated third parties.
6. International Data Transfers
Some payment confirmations may pass through service providers based outside Kenya, for example international remittance platforms. Where this occurs, we rely on the conditions set out in Part VI of the DPA and the General Regulations, which permit transfer outside Kenya where the recipient jurisdiction has adequate data protection safeguards, or where you have given consent to the transfer as part of completing your booking.
7. Data Retention
We retain your booking data only for as long as necessary to complete your transaction, resolve any disputes or refund requests, and meet our own legal and accounting obligations, after which it is securely deleted.
8. Your Rights as a Data Subject
Under Part IV of the DPA, you have the right to:
- Be informed of the use of your personal data.
- Access your personal data held by us.
- Request correction of inaccurate or outdated data.
- Request deletion of your data, subject to our legal retention obligations.
- Object to processing of your data.
- Lodge a complaint with the Office of the Data Protection Commissioner.
To exercise any of these rights, contact us using the details below.
9. Data Breach Notification
In line with the Data Protection (General) Regulations, 2021, if a breach affecting your personal data occurs and poses a real risk of harm, we will notify the Office of the Data Protection Commissioner and affected individuals without undue delay.
10. Security Measures
We apply reasonable technical and organisational safeguards, consistent with our obligations as a data controller under the DPA, to protect your data against unauthorized access, loss, or misuse.
11. Complaints
If you believe your data has been mishandled, you may contact us directly, or lodge a complaint with:
Office of the Data Protection Commissioner (ODPC)
Website: www.odpc.go.ke
12. Contact Us
For questions about this policy or your data:
SafariRail (Nexara Labs)
Email: support@safarirail.co.ke
WhatsApp: +254 769 869 503
This policy may be updated periodically to reflect changes in Kenyan law or our practices. Continued use of safarirail.co.ke after changes are posted constitutes acceptance of the updated policy.
Book