Hally Tours & Safari
Plan your safari

Privacy Policy

Plain-English working draft. This policy reflects our current practices, but it has not yet been reviewed by counsel. Before public launch, a lawyer familiar with the Tanzania Personal Data Protection Act 2022, GDPR (for EU/UK travelers), and PCI DSS must review and finalize this text.

Effective date: May 4, 2026 · Last updated: May 5, 2026
Data controller: Hally Tours & Safari, Arusha, Tanzania · hello@hallytours.com

Who this policy is for

This policy explains what personal information Hally Tours & Safari (“we”, “us”) collects when you enquire about, book, or travel on a safari with us, why we collect it, and what choices you have. It applies to our website, our enquiry and booking forms, our email and WhatsApp correspondence, and our in-country operations.

What we collect

Identity and contact

Name, email address, phone number, country of residence, and the messaging channel you prefer (email or WhatsApp).

Trip planning

Travel dates, party size and ages, preferred destinations and accommodation style, budget bracket, and the interests you tell us about (photography, climbing, families, accessibility).

Travel and safety details (only when you book)

Once you confirm a booking, we ask for the additional information we need to operate the trip safely and to satisfy park, lodge, and airline requirements:

  • Passport details (full name, number, expiry, nationality, date of birth) — required for park permits, internal flights, and many lodge check-ins.
  • Dietary requirements and food allergies — shared with camp and lodge kitchens.
  • Relevant medical information you choose to share — for example, altitude considerations for Kilimanjaro, mobility needs, or pre-existing conditions that affect insurance and evacuation planning. We treat this as sensitive personal data and only share it with the specific staff and partners who need it.
  • Emergency contact name and phone number.
  • Travel insurance policy number and insurer (for our records and in the event of medical evacuation).

Payment

We do not store full credit-card numbers on our servers. Card payments are handled by our payment processor (currently Stripe), which is PCI-DSS certified. For bank transfers and mobile-money payments, we keep the transaction reference, amount, and date.

On-trip imagery

Our guides may take photos and short videos during your trip and share them with you afterwards. We will only use your image in our marketing (website, social media, brochures) if you give us specific written consent — we ask separately, and you can revoke consent at any time.

Website technical data

IP address, browser and device type, referring page, and pages viewed. Used to keep the site secure and to understand which pages travelers find useful.

Why we collect it (legal basis)

  • To respond to your enquiry and prepare a quote — based on your request (pre-contractual steps).
  • To deliver the trip you booked — performance of our contract with you.
  • To meet legal and regulatory obligations — tax records, park permit requirements, anti-money-laundering checks where applicable.
  • To protect your safety and ours — medical and emergency information processed under our legitimate interest in operating safe safaris, with explicit consent for sensitive health data.
  • To send you our occasional newsletter — only with your specific opt-in consent. You can unsubscribe from any newsletter email.

Who we share it with

We share the minimum information needed with the following categories of partner. We do not sell your data and we do not share it with advertisers.

  • Lodges, camps, and hotels in your itinerary — passport, arrival/departure date, dietary needs.
  • Ground-transport and domestic-airline partners (e.g. Coastal Aviation, Auric Air, Regional Air) — passport, flight manifest details.
  • Tanzanian park and conservation authorities (TANAPA, Ngorongoro Conservation Area Authority, Marine Parks Unit, Tanzania Wildlife Authority) — details required for entry permits.
  • Mountain operators and porters for Kilimanjaro climbs — medical information relevant to high-altitude safety.
  • Payment processor (Stripe) for card transactions.
  • Travel-insurance broker, only if you ask us to facilitate cover on your behalf.
  • Tanzania Revenue Authority and our accountants — for tax records.
  • Emergency medical and evacuation services — if you need urgent care during the trip.
  • Our hosting and email providers, who process data on our instructions under contract.

International transfers

Hally Tours operates from Tanzania. If you are based outside Tanzania (for example in the EU, UK, US, or elsewhere), the personal data you give us is transferred to and stored in Tanzania, and may also be processed by our partners in the countries listed above. Where required by your home country’s law (e.g. GDPR), we rely on appropriate safeguards such as standard contractual clauses and your explicit consent for the trip you have asked us to plan.

How long we keep it

  • Enquiries that don’t become bookings: 24 months, then deleted.
  • Confirmed bookings and payment records: 7 years after the trip end date, to meet Tanzanian tax-record obligations.
  • Medical and dietary details: deleted within 90 days of trip end, unless you ask us to keep them on file for a future trip.
  • Newsletter list: until you unsubscribe.
  • Marketing imagery used with your consent: until you withdraw consent or until it is removed in the normal course of refreshing the site.

Cookies and analytics

We use a small number of strictly-necessary cookies that keep the site working (for example, remembering that you closed a notice). With your consent we also use privacy-respecting analytics to understand which itineraries travelers find most useful. We do not run advertising trackers and we do not sell traffic data to third parties.

Children

Family safaris are a big part of what we do. When children travel with you we collect only the information needed to operate the trip safely (name, age, dietary or medical needs, passport for park permits and flights), and only from the parent or guardian booking the trip. We do not direct marketing at children.

Your rights

Wherever you live, you can ask us to:

  • Tell you what data we hold about you and give you a copy.
  • Correct anything that is wrong.
  • Delete your data, unless we have a legal reason to keep it (for example, tax records).
  • Stop using your data for marketing.
  • Withdraw consent you have previously given.

EU/UK travelers also have rights under the General Data Protection Regulation, including the right to data portability and the right to object to certain processing. Tanzanian residents have equivalent rights under the Personal Data Protection Act 2022.

To exercise any of these rights, email hello@hallytours.com. We will respond within 30 days. If you are not happy with our response you can complain to the Tanzanian Personal Data Protection Commission, or to the data-protection authority in your country of residence.

How we keep it safe

We use HTTPS across the site, restrict staff access to booking data on a need-to-know basis, and require strong passwords and two-factor authentication on the accounts that hold customer data. Card payments are routed through PCI-DSS-certified processors and never touch our database. If we ever discover a data breach that is likely to put you at risk, we will notify you and the relevant authority within the time limits set by law.

Changes to this policy

We will update this page when our practices change and bump the effective date at the top. For material changes that affect a trip you have already booked, we will email you directly.

Contact us

Privacy questions, access requests, or complaints — hello@hallytours.com, or write to us at our Arusha office (address available on request).