Sandy Shores, Kikambala
Sandy Shores Kikambala • beachfront penthouse stays
Privacy policy

How Sandy Shells handles guest and booking data.

Guest, website visitor, enquiry and booking data protection notice

Booking data Guest rights Secure handling

Policy overview

Please review before booking.

Effective 4 July 2026

This Privacy Policy explains how Sandy Shells collects, uses, stores, shares and protects personal data relating to website visitors, enquiry contacts, guests, account users and booking parties. It is designed to support transparent processing under Kenya's Data Protection Act, 2019 and related guidance from the Office of the Data Protection Commissioner.

This page is provided for guest clarity and should be read together with the booking confirmation, invoice, house rules and any written instructions shared by Sandy Shells.

Quick reference

Controller

the property owner/operator, trading as or operating Sandy Shells Kikambala.

Data collected

Contact details, booking details, guest details, payment references, communication records, website data and stay-support information.

Main purposes

Enquiries, bookings, payments, guest support, property security, legal compliance, dispute handling and service improvement.

Sharing

Only with necessary service providers, payment channels, property/security teams, professional advisers, authorities or parties needed to fulfil the booking.

Rights

Guests may request information, access, correction, deletion, objection, restriction and portability where applicable.

Contact

reservations@sandyshells.co.ke | +254 723 807 327

1. Who We Are

Sandy Shells is operated by the property owner/operator in relation to accommodation at Sandy Shores, Kikambala, Kilifi County, Kenya. For purposes of this policy, Sandy Shells acts as a data controller where it determines why and how guest or website personal data is processed.

This policy applies to personal data collected through the website, booking forms, enquiry forms, WhatsApp, telephone, email, social media messages, direct invoices, payment references, check-in processes and guest-support communications.

If a booking is made through a third-party platform, that platform may also process personal data under its own privacy policy. Sandy Shells is not responsible for the privacy practices of independent third-party booking platforms.

2. Data Protection Principles

Sandy Shells aims to process personal data lawfully, fairly and transparently; collect data for explicit and legitimate purposes; limit collection to what is necessary; keep data accurate and updated; retain data only as long as necessary; and apply reasonable safeguards when sharing or transferring data.

These principles reflect Kenya's Data Protection Act, 2019 and the rights guidance published by the Office of the Data Protection Commissioner.

3. Personal Data We May Collect

Identity and contact data

  • Full name, phone number, email address, country or town of residence, identification details where reasonably required for check-in, fraud prevention, security or legal compliance.
  • Names and basic details of accompanying guests where needed for occupancy, check-in, security, emergency contact or booking administration.

Booking and stay data

  • Booking dates, apartment selected, number of guests, special requests, arrival and departure information, vehicle details where needed for access or parking, guest preferences and stay-related service requests.
  • Information about incidents, complaints, damages, lost property, maintenance requests, house-rule breaches, refund requests and guest-support communications.

Payment and transaction data

  • Payment amount, payment method, transaction reference, M-Pesa confirmation code, bank reference, invoice number, refund record, billing details and payment status.
  • Sandy Shells does not request full card details by insecure channels. Where card payments are used, card processing should be handled by an authorised payment provider under its own security controls.

Website and technical data

  • IP address, browser type, device type, pages visited, approximate location derived from technical information, referral source, session data, cookies, analytics data and security logs.
  • Messages sent through website forms, account login activity, failed login attempts and spam-prevention signals where applicable.

Communication data

  • Email messages, WhatsApp messages, call notes, SMS messages, social media messages, enquiry history, support requests and feedback.

Security data

  • Security-related records needed for access control, estate or building rules, incident management, guest safety, property protection and dispute handling. If CCTV is used in common or external areas, it will not be placed inside private accommodation areas such as bedrooms or bathrooms.

4. How We Collect Personal Data

We may collect personal data directly from you when you browse the website, complete a form, submit a booking request, contact us, pay for a booking, check in, request support or provide feedback.

We may collect personal data from another person booking on your behalf, from third-party booking platforms, payment providers, property management or security teams, professional advisers, public authorities or fraud-prevention sources where appropriate.

If you provide personal data about another guest, you confirm that you have their permission or another lawful basis to do so and that you have made this Privacy Policy available to them.

5. Why We Use Personal Data

Booking and service delivery

  • To respond to enquiries, check availability, prepare quotations, confirm bookings, manage arrivals, allocate accommodation, provide guest support, arrange housekeeping and communicate stay information.
  • To process booking changes, cancellations, refunds, credits, complaints, maintenance issues and lost-property reports.

Payments and finance

  • To issue invoices or receipts, verify payment references, follow up balances, process refunds, handle chargebacks and maintain accounting records.

Safety, security and property protection

  • To manage access, prevent fraud, respond to emergencies, protect guests and property, investigate incidents, enforce house rules and support insurance or legal claims where applicable.

Legal and compliance purposes

  • To comply with applicable laws, tax and accounting duties, dispute-resolution requirements, lawful authority requests and data protection obligations.

Marketing and service improvement

  • To request feedback, improve services, understand website performance, manage promotions and send marketing communications where permitted or consented to. Guests can opt out of marketing communications.

6. Lawful Basis for Processing

Sandy Shells may process personal data because it is necessary to take steps before entering into a booking, perform a booking contract, comply with legal obligations, protect legitimate business interests, protect vital interests in an emergency or act on consent where consent is the appropriate basis.

Legitimate interests may include property security, fraud prevention, service improvement, guest support, debt recovery, dispute management, website security and direct communication with guests about related services, provided these interests do not override guest privacy rights.

Where we rely on consent, you may withdraw consent at any time, but withdrawal will not affect processing already carried out lawfully before withdrawal.

7. Cookies and Similar Technologies

The website may use essential cookies for security, session management, forms, account access and booking functionality.

The website may also use analytics, performance or marketing cookies to understand how visitors use the website and to improve content, campaigns and user experience.

You can manage cookies through your browser settings. Blocking some cookies may affect website performance or booking functionality.

8. Sharing Personal Data

Sandy Shells does not sell guest personal data. Personal data may be shared only where reasonably necessary for the purposes described in this policy.

Categories of recipients

  • Payment providers, banks, M-Pesa or mobile money channels, accounting providers and refund-processing parties.
  • Website hosting providers, email providers, IT support, booking-system providers, form-processing tools, analytics providers and communication platforms.
  • Housekeeping teams, maintenance teams, property management, estate or building security, access-control teams and emergency support providers.
  • Professional advisers, insurers, auditors, debt recovery providers, dispute-resolution bodies, regulators, law-enforcement bodies, courts or public authorities where legally appropriate.
  • A buyer, successor or adviser if Sandy Shells undergoes restructuring, sale, transfer or business continuity planning, subject to reasonable confidentiality safeguards.

9. International Transfers

Some service providers, software systems, cloud hosting, email, analytics or communication platforms may process or store personal data outside Kenya.

Where personal data is transferred outside Kenya, Sandy Shells will take reasonable steps to ensure appropriate safeguards are in place or obtain consent where required by applicable data protection law.

10. Data Retention

Sandy Shells keeps personal data only for as long as reasonably necessary for the purpose it was collected, including booking administration, guest service, accounting, tax, legal, security, dispute-resolution, fraud-prevention and business-record purposes.

Typical retention periods may include: enquiry records for a reasonable follow-up period; booking and payment records for accounting and legal retention periods; incident, damage or dispute records for as long as needed to resolve the matter and protect legal rights; and website security logs for a limited security-review period.

When personal data is no longer needed, Sandy Shells will delete, anonymise or archive it in a secure manner, subject to technical backups and lawful retention needs.

11. Data Security

Sandy Shells uses reasonable administrative, technical and organisational safeguards to protect personal data from unauthorised access, loss, misuse, alteration or disclosure.

Safeguards may include access controls, password protection, secure hosting, limited staff access, payment verification procedures, backup controls, staff instructions, device security and careful handling of guest identity or payment information.

No website, email, mobile money, internet or storage system is completely secure. Guests should avoid sending unnecessary sensitive information through insecure channels.

12. Guest Rights

Subject to applicable law and reasonable verification, guests may have the right to be informed about how their personal data is used, access personal data held about them, request correction of inaccurate data, request deletion of certain data, object to certain processing, restrict certain processing and request data portability where applicable.

Requests may be sent to reservations@sandyshells.co.ke. Sandy Shells may ask for identity verification before acting on a request and may refuse or limit a request where allowed by law, for example where retention is required for legal, accounting, security or dispute-resolution purposes.

Guests may also raise concerns with the Office of the Data Protection Commissioner in Kenya if they believe their data protection rights have been infringed.

13. Children's Personal Data

Children may stay at the property as part of a family or authorised booking. Sandy Shells may process limited child-related information where necessary for occupancy, safety, emergency support, legal compliance or service delivery.

A parent, guardian or authorised adult must provide child-related information and is responsible for supervising children during the stay, especially around balconies, pools, stairs, lifts, beach access, water slides and shared facilities.

14. Marketing Communications

Sandy Shells may send marketing messages about offers, availability, seasonal promotions or related accommodation services where permitted by law or where a guest has consented.

Guests can opt out of marketing messages by using the unsubscribe method provided, replying with an opt-out request or contacting Sandy Shells directly.

Service messages about existing bookings, payments, safety, policy updates or stay management are not marketing and may still be sent where necessary.

16. Data Breaches

If Sandy Shells becomes aware of a personal data breach that may affect guest rights or freedoms, it should investigate promptly, take reasonable containment steps and make any required notifications to affected persons or the relevant authority in accordance with applicable law.

Guests should report suspected privacy or security concerns as soon as possible using the contact details in this policy.

17. Changes to This Privacy Policy

Sandy Shells may update this Privacy Policy from time to time to reflect legal, operational, technology, payment, booking-system or service changes.

The updated version should be published on the website with a new effective date. Material changes may also be communicated directly where appropriate.

18. Contact

Privacy questions, data-rights requests and complaints may be sent to reservations@sandyshells.co.ke or +254 723 807 327.

Postal or physical correspondence may be directed to Sandy Shells at the property address listed above, unless a different official business address is later published.