Platform Privacy Policy
How Kofa Africa collects, uses, protects, and respects your personal data across every surface of the platform.
This Privacy Policy explains what personal data Kofa Africa collects, why it collects it, how it uses and protects it, and what rights you have. Please read it carefully. It applies to all users of the Platform including travelers, tour operators, platform visitors, and job applicants.
About This Policy & Our Commitment
1.1 Purpose of This Policy
This Privacy Policy describes how Kofa Africa Technologies ('Kofa Africa', 'we', 'us', 'our') collects, uses, stores, shares, and protects personal data when you use the Kofa Africa platform at https://kofa.africa and our mobile applications (iOS and Android) (collectively, the 'Platform').
This Policy applies to all users of the Platform, including travelers, tour operators and guides, platform visitors, and job applicants where applicable. It also covers personal data we process in the course of our business operations.
1.2 Our Privacy Commitment
Kofa Africa is committed to the following principles in all personal data processing activities:
- Transparency: We tell you exactly what data we collect, why, and how.
- Purpose Limitation: We only use your data for the specific purposes we describe.
- Data Minimisation: We collect only what is necessary for those purposes.
- Accuracy: We take reasonable steps to keep your data accurate and current.
- Storage Limitation: We retain data only as long as necessary.
- Security: We implement appropriate technical and organisational security measures.
- Accountability: We can demonstrate compliance with applicable data protection laws.
1.3 Interaction with Our Terms of Service
This Privacy Policy forms part of our Terms of Service (available at https://kofa.africa/terms) and should be read alongside them. By using the Platform, you agree to the terms of this Privacy Policy.
If you are under 18 years of age, please do not use the Platform or provide any personal data to us. Our Platform is intended for adults aged 18 and over.
Who We Are & Your Data Controller
2.1 Data Controller Identity
For the purposes of applicable data protection legislation, the data controller is:
| Entity | Kofa Africa Technologies |
| Website | https://kofa.africa |
| Registered Office | [Address to be inserted upon incorporation] |
| CAC Registration | [Registration Number to be inserted] |
| NDPR Registration | [NITDA Registration Number to be inserted] |
| Privacy Enquiries | info@kofa.africa |
| Data Protection Officer | info@kofa.africa |
2.2 Data Protection Officer (DPO)
Kofa Africa has appointed a Data Protection Officer (DPO) in compliance with Article 37 of the GDPR, and in line with NDPR Framework requirements. The DPO is responsible for:
- Advising on data protection obligations and monitoring compliance.
- Acting as the primary contact point for users exercising their data rights.
- Liaising with supervisory authorities including the Nigeria Data Protection Commission (NDPC) and, where applicable, EU data protection authorities.
- Conducting and reviewing Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
Contact our DPO at: info@kofa.africa
2.3 EU/UK Representative
Kofa Africa processes the personal data of individuals located in the European Economic Area (EEA) and the United Kingdom. To the extent required by applicable law, Kofa Africa will appoint an EU representative and UK representative to act on its behalf for data protection matters. Details of any such representative will be updated at https://kofa.africa/privacy as and when appointed.
2.4 NDPR Compliance
Kofa Africa is in the process of completing registration with the Nigeria Data Protection Commission (NDPC) as a data controller. Registration will be completed prior to or within 90 days of the Platform's public launch. In the interim, Kofa Africa processes all personal data in full compliance with the substantive requirements of the Nigeria Data Protection Regulation 2019 and the Nigeria Data Protection Act 2023.
Data We Collect About You
3.1 Overview
The table below sets out the categories of personal data we collect, together with specific examples, primary purpose, lawful basis, and retention period. This table constitutes Kofa Africa's public-facing Record of Processing Activities (ROPA) summary in compliance with NDPR Article 2.6 and GDPR Article 30.
A. TRAVELER DATA
| Data Category | Specific Data Points | Purpose | Lawful Basis | Retention |
|---|---|---|---|---|
| Identity Data | Full name, date of birth, profile photograph, nationality | Account creation, booking identity verification | Contract / Legitimate Interest | Account + 7 years |
| Contact Data | Mobile phone number, email address, WhatsApp contact (optional) | Authentication, booking notifications, customer support | Contract | Account + 2 years |
| Authentication Data | Hashed password, Google OAuth tokens, OTP verification records | Secure login and session management | Contract / Legal Obligation | Account + 1 year |
| Booking & Travel Data | Tour selections, departure dates, participant counts, booking history, trip completion records, destination preferences | Fulfilling bookings, personalised recommendations, trust and safety | Contract / Legitimate Interest | 7 years from booking date |
| Payment Data (tokenised) | Last 4 digits of card, card type, tokenised payment reference, Paystack/Flutterwave transaction IDs | Payment processing, fraud prevention, refund processing. Full card data never stored by Kofa Africa. | Contract / Legal Obligation | 7 years (financial records) |
| Review & UGC Data | Star ratings, written review text, operator response content | Publishing verified reviews, trust architecture, platform quality | Contract / Legitimate Interest | Account + 5 years |
| Communications Data | In-app messages, support chat logs, email correspondence | Service delivery, dispute resolution, safety monitoring | Contract / Legitimate Interest | 3 years from last communication |
| Device & Technical Data | IP address, device type, operating system, browser type, app version, crash reports | Platform security, performance monitoring, fraud detection | Legitimate Interest | 13 months |
| Usage & Behavioural Data | Pages visited, search queries, filters applied, listing views, session duration, click events | Platform improvement, personalisation, analytics | Consent (cookies) / Legitimate Interest (aggregate) | 13 months |
| Location Data | Approximate location (derived from IP), precise location (only if explicitly granted) | Destination recommendations, local tour surfacing. Precise location only with explicit consent. | Consent | Session-based; aggregated 13 months |
B. TOUR OPERATOR DATA
| Data Category | Specific Data Points | Purpose | Lawful Basis | Retention |
|---|---|---|---|---|
| Business Identity Data | Business name, CAC registration number, registered address, business type, years in operation | Operator verification, listing publication, trust signalling to Travelers | Contract / Legal Obligation | Account + 7 years |
| Personal Identity Data (owner/rep) | Full name, government-issued ID number, passport or NIN, date of birth, photograph | KYC verification, fraud prevention, regulatory compliance | Legal Obligation / Contract | Account + 7 years |
| Professional Credentials | Tour guide certification, CBN/NTDC licence numbers, professional association membership, insurance policy reference | Operator vetting and verification badge allocation | Contract / Legal Obligation | Account + 5 years |
| Financial & Payout Data | Bank account name and number, bank sort code, IBAN (where applicable), BVN (where required by payment processor) | Payout processing, financial reconciliation. BVN processed solely by payment processor; not stored by Kofa Africa. | Contract / Legal Obligation | 7 years (financial records) |
| Listing & Performance Data | Tour listing content, availability calendar, pricing data, listing view counts, booking conversion rates, average ratings | Service delivery, operator dashboard, platform quality management | Contract | Account + 3 years |
| Communications Data | In-app messages with Travelers, support logs, verification correspondence | Service delivery, dispute resolution, compliance | Contract / Legitimate Interest | 5 years from last communication |
| Tax Data | Tax Identification Number (TIN), VAT registration number (if applicable) | Tax compliance, financial reporting obligations | Legal Obligation | 7 years |
3.2 Special Categories of Data
Kofa Africa does not intentionally collect special categories of personal data (as defined under GDPR Article 9 and NDPR equivalent provisions), which include data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual orientation.
However, some Tour Experiences may require Travelers to disclose health-relevant information (for example, medical conditions relevant to adventure activities such as high-altitude trekking or water-based tours). Where an Operator requests such information through the Platform messaging system, that data is processed under the explicit consent of the Traveler and is used solely for the safe delivery of the Tour Experience. Kofa Africa does not process such data at a platform level.
3.3 Data We Do Not Collect
Kofa Africa explicitly does not collect:
- Full payment card numbers, CVV codes, or bank account PINs. These are processed exclusively by our payment processors (Paystack / Flutterwave) under their own PCI-DSS compliance frameworks.
- Bank Verification Numbers (BVN) at a platform level. BVN verification is handled directly by Paystack/Flutterwave as part of their KYC obligations.
- Biometric data of any kind.
- Personal data of individuals under 18 years of age.
How We Collect Your Data
4.1 Data You Provide Directly
The majority of personal data we hold is provided directly by you through:
- Account Registration: When you create a Traveler or Operator account using phone OTP, email/password, or Google OAuth.
- Booking Completion: When you select a Tour Experience, enter participant details, and complete a payment.
- Operator Verification: When an Operator submits identity documents, business credentials, and bank details during onboarding.
- Listing Creation: When an Operator creates and publishes Tour Experience listings, including photographs, itineraries, and pricing.
- Reviews: When a Traveler submits a post-trip Verified Review.
- Communications: When you contact us via in-app messaging, email, or support channels.
- Surveys and Feedback: When you participate in optional satisfaction surveys or NPS requests.
4.2 Data We Collect Automatically
When you interact with the Platform, our systems automatically collect:
- Technical Data: IP address, device identifiers, browser type and version, operating system, app version, crash and performance logs.
- Usage Data: Pages and listings viewed, search queries and filter selections, time on page, scroll depth, CTA interactions, referral source.
- Session Data: Login timestamps, session duration, authentication events.
- Location Data: Approximate location derived from IP address for destination personalisation. Precise device location is only collected if you explicitly grant location permissions in the mobile app.
4.3 Data We Receive from Third Parties
We receive personal data from third parties in the following circumstances:
- Google OAuth: When you sign in via Google, we receive your name, email address, and profile photograph from Google, subject to your Google account privacy settings.
- Payment Processors (Paystack / Flutterwave): We receive tokenised payment references, partial card details, and transaction status notifications. We do not receive full card numbers.
- Operator References and Certifications: Where an Operator's professional credentials are verifiable through a third-party body (such as the Nigerian Tourism Development Corporation or state tourism boards), we may receive verification confirmation.
- Analytics Providers: We receive aggregated and anonymised usage analytics from providers such as Google Analytics or equivalent tools.
- Fraud Prevention Services: We may receive fraud risk scores from payment processors and third-party fraud detection services.
4.4 Data from Social Media & Referrals
If you interact with Kofa Africa content on social media platforms including TikTok, Instagram, X (Twitter), or Facebook, those platforms may share engagement data with us in accordance with your privacy settings on those platforms. Kofa Africa does not control the data practices of third-party social media platforms. We encourage you to review those platforms' privacy policies.
Lawful Bases for Processing
5.1 GDPR / UK GDPR Lawful Bases
Where GDPR or UK GDPR applies, all personal data processing by Kofa Africa is based on one or more of the following lawful bases under Article 6:
| Lawful Basis | Legal Reference | How Kofa Africa Relies on It |
|---|---|---|
| Contract | GDPR Art. 6(1)(b) | Processing necessary to provide the Platform service, including booking fulfilment, account management, operator payouts, and communication between users. |
| Legal Obligation | GDPR Art. 6(1)(c) | Compliance with NDPR, GDPR, AML/CFT obligations, tax reporting requirements, and responses to lawful regulatory requests. |
| Legitimate Interests | GDPR Art. 6(1)(f) | Platform security, fraud prevention, product improvement, aggregate analytics, dispute investigation, and direct marketing to existing customers (with opt-out). Our Legitimate Interests Assessment is available on request from info@kofa.africa. |
| Consent | GDPR Art. 6(1)(a) | Non-essential cookies and tracking technologies, precise location data collection, marketing communications to non-customers, and processing of special category data. |
| Vital Interests | GDPR Art. 6(1)(d) | In emergency situations where sharing personal data may protect the life or safety of a Traveler during a Tour Experience. |
5.2 NDPR Lawful Bases
Where NDPR 2019 applies, processing is based on one or more of the following grounds:
- Consent of the Data Subject (NDPR 2.2(a)): Where Kofa Africa relies on consent as a lawful basis, consent is specific, informed, freely given, and unambiguous. Consent can be withdrawn at any time.
- Performance of a Contract (NDPR 2.2(b)): Processing necessary to perform the service contract with users of the Platform.
- Compliance with a Legal Obligation (NDPR 2.2(c)): Processing required to comply with Nigerian law, including the Companies and Allied Matters Act, Finance Act, FCCPC regulations, and EFCC/NFIU reporting obligations.
- Legitimate Interests of Kofa Africa (NDPR 2.2(e)): Where our interests in operating a safe, efficient, and fraud-free marketplace do not override the rights and interests of the data subject.
5.3 Withdrawing Consent
Where Kofa Africa relies on consent as the lawful basis for processing, you have the right to withdraw that consent at any time without detriment. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, use the privacy controls in your account settings or contact info@kofa.africa.
How We Use Your Data — Purpose Register
The table below is Kofa Africa's Purpose Register, documenting every material use of personal data on the Platform. This register is maintained and reviewed by our DPO on a quarterly basis.
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Account Registration & Authentication | Name, email, phone number, password hash, OAuth tokens, OTP records | Contract |
| Operator Verification & Onboarding | Business identity data, personal ID, professional credentials, bank account details | Contract / Legal Obligation |
| Booking Processing & Fulfilment | Traveler identity, booking data, participant details, payment token, operator availability data | Contract |
| Payment Processing & Payouts | Tokenised payment reference, booking value, payout bank details, commission calculations | Contract / Legal Obligation |
| Sending Transactional Notifications | Email address, phone number, booking reference, trip dates, payment status | Contract |
| Customer & Operator Support | Account data, booking records, communications history, support ticket content | Contract / Legitimate Interest |
| Dispute Resolution & Investigation | Booking records, communications data, payment logs, Verified Reviews, operator credentials | Contract / Legitimate Interest / Legal Obligation |
| Verified Review Publication | First name, initial, trip date, star rating, written review text, booking completion status | Contract / Legitimate Interest |
| Fraud Prevention & Trust & Safety | Device data, IP address, login patterns, payment velocity, account behaviour anomalies | Legitimate Interest / Legal Obligation |
| Platform Analytics & Product Improvement | Usage data, search queries, listing views, booking funnel data (aggregated and pseudonymised where possible) | Legitimate Interest / Consent (for cookie-based analytics) |
| Personalisation & Recommendations | Booking history, saved preferences, location data (approximate), search history, wishlist data | Legitimate Interest / Consent (for precise location) |
| Direct Marketing to Existing Customers | Email address, name, booking history, destination preferences | Legitimate Interest (with right to opt out at any time) |
| Marketing Communications (non-customers) | Email address, name, marketing preferences (where provided) | Consent |
| Tax & Financial Reporting | Operator TIN, payout records, transaction data, booking values | Legal Obligation |
| Regulatory Compliance & Law Enforcement | All categories as required by the specific legal obligation or lawful request | Legal Obligation |
| Security Monitoring & Incident Response | Device data, IP address, access logs, authentication events | Legitimate Interest / Legal Obligation |
| DPIA & Compliance Auditing | Processing records, consent logs, retention schedules, breach records | Legal Obligation |
Kofa Africa will never sell your personal data to third parties. We will never use your personal data for purposes incompatible with those listed above without your explicit consent.
Sharing Your Data with Third Parties
7.1 We Do Not Sell Personal Data
Kofa Africa does not sell, rent, or trade personal data to third parties for their own marketing purposes. This applies globally, including as required by Section 1798.100 of the California Consumer Privacy Act (CCPA).
7.2 Sharing with Tour Operators
When a Traveler completes a Booking, Kofa Africa shares a defined subset of the Traveler's personal data with the relevant Tour Operator to enable delivery of the Tour Experience. The data shared with Operators is limited to:
- Traveler full name
- Mobile phone number (for pre-trip coordination)
- Number of participants and any participant names provided
- Booking Reference Number and trip dates
- Any pre-trip health or accessibility information provided by the Traveler through the Platform messaging system
Tour Operators are contractually prohibited from using Traveler personal data for any purpose other than delivering the booked Tour Experience. Operators may not share Traveler data with third parties, use it for their own marketing purposes, or retain it beyond 12 months following the trip completion date. Breach of this obligation constitutes grounds for account termination under our Operator Onboarding Agreement.
7.3 Service Providers & Data Processors
Kofa Africa engages trusted third-party service providers to process personal data on our behalf as data processors. All processors are bound by Data Processing Agreements (DPAs) requiring compliance with applicable data protection law, implementation of appropriate security measures, and processing data only on Kofa Africa's documented instructions.
| Category | Purpose | Examples | Data Shared |
|---|---|---|---|
| Payment Processing | Secure payment capture, tokenisation, payout processing | Paystack, Flutterwave | Tokenised payment data, bank details (operators), booking values |
| Cloud Infrastructure | Platform hosting, database management, file storage | AWS / Google Cloud (Africa/EU regions) | All platform data (encrypted at rest) |
| Communications | Email notifications, SMS OTP delivery, push notifications | SendGrid / Twilio or equivalent | Email address, phone number, notification content |
| Analytics | Platform usage analytics, funnel tracking, performance monitoring | Google Analytics / Mixpanel or equivalent | Pseudonymised usage and device data |
| Customer Support | Support ticket management, live chat infrastructure | Zendesk / Intercom or equivalent | Account data, support communications |
| Fraud Detection | Payment fraud screening, account anomaly detection | Paystack Radar / Flutterwave fraud tools | Device data, IP address, transaction patterns |
| Identity Verification | Operator KYC document verification | NIBSS / Smile ID or equivalent | Operator identity documents, NIN/BVN references |
| Legal & Compliance | Legal advice, regulatory submissions, audit support | External legal counsel, DPCO | Limited to data relevant to the specific matter |
7.4 Sharing for Legal Reasons
Kofa Africa may disclose personal data where required to:
- Comply with a court order, subpoena, or other lawful legal process issued by a Nigerian or international court of competent jurisdiction.
- Respond to a lawful request from a regulatory authority including the Nigeria Data Protection Commission (NDPC), EFCC, FCCPC, CBN, or equivalent international body.
- Protect the rights, property, or safety of Kofa Africa, our users, or the public.
- Investigate potential violations of these Terms or applicable law.
Where legally permitted, Kofa Africa will notify affected users of any such disclosure.
7.5 Corporate Transactions
In the event of a merger, acquisition, asset sale, or other corporate transaction involving Kofa Africa, personal data held by Kofa Africa may be transferred to the acquiring or successor entity. Affected users will be notified via email and Platform notice at least 30 days before their personal data is transferred to an entity operating under a materially different privacy policy.
International Data Transfers
8.1 Data Localisation Position
Kofa Africa processes and stores the personal data of Nigerian-resident users primarily on servers located in Nigerian or African cloud regions to the extent available and technically feasible. Where data is transferred outside of Nigeria, we apply the safeguards described below.
8.2 Transfer Safeguards
| Transfer Destination | Safeguard Mechanism | Applicable Framework |
|---|---|---|
| European Economic Area (EEA) | EEA provides adequate protection; no additional safeguard required | GDPR Chapter V; NDPR Adequacy Recognition |
| United Kingdom | UK Adequacy Regulation by the European Commission; UK-Nigeria data bridge pending | UK GDPR Schedule 21; NDPR |
| United States (cloud / service providers) | Standard Contractual Clauses (SCCs) approved by the European Commission; NDPR cross-border transfer agreement | GDPR Art. 46(2)(c); NDPR 2.11 |
| Other countries (case by case) | Binding Corporate Rules, Standard Contractual Clauses, or explicit consent after full disclosure of risks | GDPR Art. 46 / Art. 49; NDPR 2.11 |
8.3 Requesting Transfer Safeguard Documentation
You may request a copy of the specific transfer safeguards applicable to the processing of your personal data by contacting info@kofa.africa. We will respond within 30 days.
Data Retention Schedule
9.1 Retention Principles
Kofa Africa retains personal data only for as long as necessary to fulfil the purpose for which it was collected, to comply with legal obligations, and to resolve disputes or enforce agreements. Retention periods are reviewed annually by our DPO.
Once a retention period expires, personal data is either securely deleted, anonymised for statistical purposes, or archived in a restricted-access environment where deletion is not immediately possible for legal or technical reasons. Anonymised data (from which no individual can be identified) is not subject to these retention limits.
9.2 Retention Schedule
| Data Category | Retention Period | Basis for Period | Post-Retention Action |
|---|---|---|---|
| Active Account Data (Traveler) | Duration of account | Contract | Deletion on account closure request |
| Active Account Data (Operator) | Duration of account | Contract | Deletion on account closure request |
| Booking Records | 7 years from booking date | CAMA / FIRS tax obligations / AML | Secure deletion |
| Payment & Financial Records | 7 years from transaction date | Finance Act / FIRS reporting | Secure deletion |
| Operator Verification Documents | 7 years post-account closure | AML/CFT / Legal obligation | Secure deletion |
| Verified Reviews | 5 years from submission (or deletion of associated tour) | Legitimate Interest (trust data moat) | Anonymised then deleted |
| Support & Communications Logs | 3 years from last communication | Legitimate Interest / Legal Obligation | Secure deletion |
| Authentication & OTP Logs | 12 months from creation | Security / Fraud prevention | Secure deletion |
| Device & Technical Data | 13 months | Google Analytics standard / Legitimate Interest | Aggregation then deletion |
| Usage & Behavioural Analytics | 13 months (raw); aggregated data indefinitely | Consent / Legitimate Interest | Anonymisation |
| Marketing Preferences & Consent Records | 3 years from last interaction or withdrawal of consent | Legal Obligation (consent audit trail) | Secure deletion |
| Inactive Account Data | 24 months inactivity then account deletion notice; 30-day grace period before deletion | Legitimate Interest | Deletion after 30-day notice |
| Dispute & Legal Hold Records | Duration of dispute plus 2 years; indefinitely for ongoing litigation | Legal Obligation / Legitimate Interest | Secure deletion post-resolution |
| DPIA & Compliance Records | 5 years from completion | NDPR Art. 2.6 / GDPR Art. 30 | Secure archival |
DPO Note: Kofa Africa's retention schedule is intentionally more granular and transparent than the industry standard set by comparable platforms. This reflects our commitment to data minimisation as a competitive trust differentiator.
Cookies, Tracking & Analytics
10.1 What Are Cookies
Cookies are small text files placed on your device when you access the Platform via a web browser. We also use similar tracking technologies including pixel tags, web beacons, local storage objects, and mobile device identifiers. This section applies to the web version of the Platform; the mobile apps use equivalent device-level tracking technologies.
10.2 Cookie Categories & Consent
We categorise our cookies as follows. The first two categories are placed without consent. All others require your explicit, granular consent via our Cookie Preference Centre, accessible at https://kofa.africa/cookies or via the consent banner displayed on first visit.
| Cookie / Tracker | Type & Purpose | Retention |
|---|---|---|
| Strictly Necessary Cookies (No Consent Required) | Essential to Platform operation. Include: session authentication tokens, CSRF protection cookies, load balancer routing, payment flow state management. Cannot be disabled without breaking core functionality. | Session duration |
| Functional Cookies (No Consent Required) | Remember user preferences such as language settings, currency display, and recently viewed listings. Do not track behaviour across third-party sites. | 12 months |
| Analytics Cookies (Consent Required) | Collect anonymised or pseudonymised data on how users navigate the Platform to improve user experience and identify technical issues. Include Google Analytics, Mixpanel or equivalent. Data shared with analytics provider as a data processor. | 13 months |
| Performance & A/B Testing (Consent Required) | Enable controlled experiments and feature flags to test new Platform features before full rollout. No personal data is shared externally for this purpose. | Session to 3 months |
| Marketing & Retargeting Cookies (Consent Required) | Track users across external websites to serve relevant Kofa Africa advertising. Include Meta Pixel, Google Ads, TikTok Pixel where deployed. Data shared with advertising partners who act as independent data controllers. | 90 days |
| Social Media Pixels (Consent Required) | Enable social sharing functionality and measure campaign performance from TikTok, Instagram, and Facebook. These platforms set their own cookies governed by their own privacy policies. | Varies by platform |
10.3 Managing Your Cookie Preferences
You can review and update your cookie consent at any time through:
- The Cookie Preference Centre at https://kofa.africa/cookies
- Your browser settings (note: blocking all cookies will impair Platform functionality)
- Mobile device settings for app tracking (iOS: Settings > Privacy > Tracking; Android: equivalent device settings)
Withdrawing consent for non-essential cookies does not affect the lawfulness of prior cookie-based processing. It may reduce the personalisation quality of your Platform experience.
10.4 Do Not Track (DNT)
Kofa Africa respects browser Do Not Track (DNT) signals for analytics tracking. Where a DNT signal is detected, we will not place analytics or marketing cookies on your device without explicit consent.
Your Privacy Rights
11.1 Universal Rights (All Users)
Regardless of your jurisdiction, Kofa Africa respects the following core privacy rights for all Platform users:
| Your Right | What It Means in Practice |
|---|---|
| Right to Know | You can request information about what personal data we hold about you, why we hold it, who we share it with, and for how long. |
| Right to Access | You can request a copy of the personal data we hold about you in a structured, readable format. Your first request in any 12-month period is free of charge. |
| Right to Rectification | You can correct inaccurate personal data we hold about you. For account data, you can update most information directly in your account settings. |
| Right to Erasure ('Right to be Forgotten') | You can request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you have withdrawn consent, or where you have objected to processing. We may retain certain data where required by law. |
| Right to Withdraw Consent | Where processing is based on consent, you can withdraw it at any time via your account settings or by contacting info@kofa.africa. Withdrawal does not affect processing carried out before withdrawal. |
| Right to Lodge a Complaint | You can lodge a complaint with the relevant supervisory authority (see Section 16.3). We ask that you contact us first so we can attempt to resolve the matter directly. |
11.2 Additional Rights for GDPR / UK GDPR Subjects (EEA & UK Users)
| Your Right | What It Means in Practice |
|---|---|
| Right to Data Portability | Where processing is based on consent or contract and carried out by automated means, you can receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller. |
| Right to Restrict Processing | You can request that we limit the use of your data (for example, while a rectification request is being reviewed, or where you have objected to processing and we are assessing the grounds for that objection). |
| Right to Object | You can object at any time to processing based on legitimate interests, including profiling and direct marketing. For direct marketing objections, we will cease processing immediately. |
| Rights Related to Automated Decision-Making | You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects. See Section 13 for details. |
11.3 Additional Rights for NDPR Subjects (Nigerian Users)
In addition to the universal rights above, Nigerian-resident users have the following rights under the NDPR and Nigeria Data Protection Act 2023:
- Right to object to the processing of personal data for direct marketing purposes (NDPR 3.1(9)).
- Right to request human review of automated decisions that significantly affect you (NDPR / NDPA).
- Right to be notified, within 72 hours of Kofa Africa becoming aware of it, of a personal data breach that is likely to result in high risk to your rights (NDPR 2.9 / NDPA Section 40).
11.4 Additional Rights for California Residents (CCPA)
California residents have the following additional rights under the CCPA (Cal. Civ. Code §§ 1798.100 et seq.):
- Right to Know: Specific pieces of personal information collected about you in the preceding 12 months.
- Right to Delete: Request deletion of personal information, subject to legal exceptions.
- Right to Opt-Out of Sale: Kofa Africa does not sell personal information. This right is therefore already fully satisfied. A 'Do Not Sell or Share My Personal Information' link is maintained at https://kofa.africa/privacy for compliance purposes.
- Right to Non-Discrimination: Kofa Africa will not discriminate against you for exercising your CCPA rights.
- Right to Correct: Request correction of inaccurate personal information.
11.5 How to Exercise Your Rights
To exercise any of the rights described in this Section, you may:
- Submit a request via your account settings (for data access, export, and deletion of account data).
- Email info@kofa.africa with the subject line 'Privacy Rights Request' and a description of your request.
- Write to our Data Protection Officer at info@kofa.africa.
We will acknowledge your request within 72 hours and respond substantively within 30 days (or within the timeframe specified by applicable law). Where a request is complex or voluminous, we may extend our response period by a further 30 days with notice to you. We may need to verify your identity before processing certain requests.
Children's Privacy
12.1 Age Restriction
The Platform is directed exclusively to individuals aged 18 and over. Kofa Africa does not knowingly collect personal data from anyone under the age of 18. If you are a parent or guardian and believe that your child under 18 has provided personal data to Kofa Africa, please contact us immediately at info@kofa.africa. We will promptly delete such data upon verification.
12.2 Age Verification Mechanism
Kofa Africa implements the following age verification measures at registration:
- Date of birth field at account registration with automated age calculation.
- Phone OTP and Google OAuth verification, which inherently require existing adult-configured accounts.
- Operator verification requires government-issued ID establishing age of 18+.
Kofa Africa acknowledges that age declarations cannot be technically enforced with certainty for Traveler registrations beyond declaration and reasonable inference. Where we become aware that an account belongs to a minor, we will immediately suspend the account and delete associated personal data.
Automated Decision-Making & Profiling
13.1 Overview
Kofa Africa uses automated processing in certain limited circumstances on the Platform. This section describes each instance and its legal basis, in compliance with GDPR Article 22 and equivalent NDPA provisions.
| Automated Process | Description | Legal Basis | Human Review Available? |
|---|---|---|---|
| Tour Recommendation Engine | Surfaces personalised tour suggestions based on booking history, search behaviour, and location. Does not produce legal or significant effects. | Legitimate Interest | N/A — no significant effect on user |
| Fraud Detection Scoring | Assigns risk scores to payment transactions and account activity to detect anomalous patterns. High-risk events trigger manual review before action is taken. | Legitimate Interest / Legal Obligation | Yes — all account actions triggered by fraud scoring require human review by our Trust & Safety team. |
| Operator Verification Status | Document upload triggers automated format and completeness checks. Final verification approval is always made by a human Admin reviewer. | Contract | Yes — always concluded by human Admin decision. |
| Search Ranking Algorithm | Ranks tour listings in search results based on relevance, rating, booking velocity, and completeness. Does not produce significant effects on operators or travelers beyond visibility. | Legitimate Interest | N/A — no significant legal effect |
| Review Spam Detection | Automated flags applied to submitted reviews that match spam or fraud patterns. Flagged reviews are held for human moderation before any removal action. | Legitimate Interest | Yes — flagged reviews reviewed by human moderators. |
Kofa Africa does not make solely automated decisions that produce legal or similarly significant effects on individuals without human review and the ability to contest. If you believe an automated decision has affected you inappropriately, contact info@kofa.africa.
Security Measures
14.1 Technical Security
Kofa Africa implements the following technical security measures to protect personal data:
- Encryption in Transit: All data transmitted between users and the Platform is encrypted using Transport Layer Security (TLS 1.2 or higher).
- Encryption at Rest: All personal data stored on Kofa Africa infrastructure is encrypted using AES-256 encryption.
- Payment Data Isolation: Payment card data is never stored on Kofa Africa's infrastructure. All card capture and tokenisation is handled by Paystack and Flutterwave under their respective PCI-DSS Level 1 compliance programmes.
- Authentication Security: Multi-factor authentication (MFA) is mandatory for Admin Console access. A rate limit of 5 failed OTP attempts, followed by a 15-minute lockout, applies to all authentication endpoints.
- Access Controls: Personal data is accessible only to Kofa Africa personnel with a legitimate business need. Role-based access controls limit data exposure on the principle of least privilege.
- Penetration Testing: Kofa Africa conducts regular penetration tests and vulnerability assessments of the Platform infrastructure.
- Secure Development Practices: The Kofa Africa engineering team follows secure development lifecycle (SDL) principles, including code reviews, dependency scanning, and OWASP Top 10 mitigation.
14.2 Organisational Security
- All staff with access to personal data receive mandatory data protection training on appointment and annually thereafter.
- Confidentiality obligations are included in all employment and contractor agreements.
- Third-party service providers are subject to data protection due diligence and contractual DPA obligations before receiving personal data.
- Kofa Africa maintains a data breach response plan with defined response timelines.
14.3 Personal Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Kofa Africa will:
- Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, in compliance with NDPA Section 40.
- Notify the relevant EU data protection supervisory authority within 72 hours where the breach affects EEA residents, in compliance with GDPR Article 33.
- Notify affected individual users without undue delay where the breach is likely to result in a high risk to their rights, including via email to their registered address.
- Document all breaches in an internal breach register, regardless of whether notification to supervisory authorities is required.
Kofa Africa does not guarantee absolute security of personal data. No method of electronic transmission or storage is 100% secure. However, we continuously review and improve our security posture to mitigate risks.
Changes to This Privacy Policy
15.1 Right to Update
Kofa Africa may update this Privacy Policy from time to time to reflect changes in our data processing practices, new Platform features, applicable law, or guidance from supervisory authorities. Material changes will not be applied retroactively.
15.2 Notification of Material Changes
Where we make material changes to this Privacy Policy, we will notify you by:
- Sending an email notification to your registered email address at least 14 days before the changes take effect.
- Displaying a prominent notice on the Platform homepage and at login for at least 14 days.
- Updating the 'Last Updated' date at the top of this Policy.
For changes required urgently by law, we will implement them immediately and notify you as soon as practicable.
15.3 Continued Use
Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes acceptance of the revised Policy. If you do not agree with any updates, you must cease using the Platform and may request account deletion at info@kofa.africa.
How to Contact Us & Lodge Complaints
16.1 Primary Contact Points
| Contact Type | Details | Notes |
|---|---|---|
| General Privacy Enquiries | info@kofa.africa | |
| Data Protection Officer | info@kofa.africa | Mark all correspondence 'DPO - Confidential' |
| Rights Requests | info@kofa.africa | Subject line: 'Privacy Rights Request' |
| Data Breach Reports | info@kofa.africa | For urgent breach reports only |
| Legal & Compliance | info@kofa.africa | For regulatory authority correspondence |
| Postal Address | [Registered Office Address to be inserted] | Attn: Data Protection Officer |
16.2 Response Timelines
Kofa Africa commits to the following response timelines:
- Acknowledgement of privacy enquiries or rights requests: within 72 hours.
- Substantive response to rights requests: within 30 calendar days (extendable by a further 30 days for complex requests, with notice).
- DPO response to supervisory authority enquiries: within the timeframe required by the applicable regulatory authority.
- Personal data breach notification to supervisory authorities: within 72 hours of becoming aware.
16.3 Supervisory Authority Complaints
You have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction if you believe Kofa Africa has processed your personal data in violation of applicable law. The primary supervisory authorities are:
| Jurisdiction | Supervisory Authority | Contact |
|---|---|---|
| Nigeria | Nigeria Data Protection Commission (NDPC) | ndpc.gov.ng, info@ndpc.gov.ng |
| European Union | Data Protection Authority of your EU member state of residence | edpb.europa.eu/about-edpb/board/members_en |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk, 0303 123 1113 |
| California, USA | California Privacy Protection Agency (CPPA) | cppa.ca.gov |
We would always appreciate the opportunity to resolve any privacy concern directly before a formal supervisory authority complaint is filed. Please contact info@kofa.africa first.
END OF PRIVACY POLICY
Kofa Africa Technologies · Version 1.0 · Effective Q4 2026
NDPR / GDPR / UK GDPR / CCPA Compliant
