JamboLush Privacy and Data Protection Policy

1. Scope

This policy applies to everyone who uses the Jambolush platform, including travelers, hosts, and field agents. It covers all personal information collected through Jambolush's website, mobile apps, and any connected third-party services, regardless of where the user is located. This ensures that all users' data is handled according to the same rules and protections, no matter their role or geographic location.

2. Lawful Basis for Processing

Jambolush processes personal data only when it is legally allowed to do so. This includes situations where you have explicitly given consent, such as for marketing communications or the use of cookies; when processing is necessary to fulfill contracts, like completing bookings and payments; when required to comply with legal obligations, including tax, financial, or regulatory duties; and when the platform has a legitimate interest, such as maintaining security, preventing fraud, or improving services. This approach ensures that all data processing is lawful, purposeful, and transparent.

3. Categories of Data Collected

- Identification data: This includes your name, ID number, passport, and any other government-issued documents used to verify your identity. - Contact details: Such as your email address, phone number, and physical address, which allow the platform to communicate with you. - Payment details: Information related to payments, handled securely through third-party payment providers. - Booking and transaction history: Records of your reservations, purchases, and interactions on the platform. - Device and location information: Data about the devices you use and your geographic location to improve service functionality and security. - Photos, videos, or documents submitted for property verification: Media you provide to confirm the accuracy or legitimacy of listings. - Cookies and tracking data: Information collected via cookies or other tracking technologies, including analytics, user preferences, and advertising data where applicable.

4. Rights of Data Subjects

Under GDPR, Rwanda's Law No. 058/2021, and other international privacy standards, you have the following rights regarding your personal data: - Access: You can request to see the personal data Jambolush holds about you. - Correction/Update: You can ask for any inaccurate or outdated information to be corrected or updated. - Deletion ("Right to be Forgotten"): You can request that your personal data be deleted from our systems. - Restriction or Objection: You can limit or object to certain types of data processing. - Data Portability: You can request to receive your data in a structured, commonly used format for transfer to another service. - Withdraw Consent: You can withdraw any consent you have previously given for processing your data at any time. - Lodge a Complaint: You can file a complaint with the Rwanda National Cyber Security Authority (NCSA) or, if applicable, your local data protection authority in the EU.

5. Data Sharing and Cross-Border Transfers

Jambolush does not sell your personal data. However, we may share your personal data with certain parties to provide and improve our services: Payment processors and financial institutions: To securely complete transactions. Verified field agents: To verify property listings. Hosting providers, analytics services, and customer support partners: To maintain platform functionality and assist users. Regulatory or government authorities: When required by law. For cross-border transfers of personal data outside Rwanda or the European Economic Area (EEA), Jambolush relies on legal safeguards such as: Adequacy decisions recognized by relevant regulators. Standard Contractual Clauses (SCCs) to ensure proper data protection. Explicit user consent where necessary.

6. Data Security

Jambolush implements appropriate technical and organizational measures to protect personal data. These include encrypting data using TLS for transmission and AES-256 for storage, applying role-based access controls and the principle of least privilege to limit access, conducting regular penetration testing and security audits to identify vulnerabilities, and maintaining incident response and breach notification procedures to address any security issues promptly.

7. Data Retention

Jambolush keeps personal data only for as long as needed to fulfill business and legal obligations. Booking and tax records are retained for up to 7 years. Marketing and communication data is kept until you withdraw your consent. Account-related data is deleted when your account is closed, unless there is a legal requirement to retain it for a longer period.

8. Children's Data

Jambolush is committed to protecting children's privacy and does not knowingly collect personal data from anyone under the age of 16 without explicit parental or guardian consent. If we discover that personal data from a child under 16 has been inadvertently collected, we will take immediate steps to delete it from our systems. Parents or guardians who believe that their child has provided personal data to Jambolush can contact us at any time to request its deletion. This policy ensures that children's information is handled responsibly and that the platform complies with applicable child protection and data privacy laws.

9. Breach Notification

If a personal data breach occurs, Jambolush will promptly inform the Rwanda National Cyber Security Authority (NCSA), the relevant EU supervisory authority when applicable, and any affected users. This ensures that breaches are handled transparently and in compliance with legal requirements, allowing users and authorities to take necessary actions to protect data and mitigate potential risks.

10. Regulatory Registration

Jambolush is officially registered with the Rwanda National Cyber Security Authority (NCSA) as a data controller, meaning it is recognized as responsible for managing and protecting personal data. The platform complies with all audit and registration requirements set out under Rwanda's Law No. 058/2021, ensuring proper data governance and accountability.

11. Contact Information