Privacy Policy — Meru Heights Luxury Apartments
Effective date: January 26, 2026
Last updated: January 26, 2026
Contact for privacy queries:
Email: [email protected]
Postal: Katheri-Githongo Road, Kathumbi, Meru, Kenya
Phone: +254 701 680 231 / +254 712 050 449
This Privacy Policy explains how Meru Heights Luxury Apartments (“we”, “us”, “our”) collects, uses, discloses and protects personal information when you visit our website (meruheights.com), make a booking enquiry, confirm a reservation or stay with us. It also explains your rights and how you can exercise them.
1. Scope & key points (short summary)
- We collect the personal data you provide when enquiring about or booking accommodation, and limited technical data automatically when you use the Website.
- We use personal data to process bookings, manage your stay, provide services (transfers, housekeeping), maintain safety and for legal/tax recordkeeping.
- Payment processing is handled by third-party providers (M-Pesa, local banks, Pesapal for card payments). We do not store full card PANs on our servers.
- We use Google Analytics to improve the website. We do not perform targeted advertising or remarketing.
- CCTV is used on-site for safety and is managed in accordance with Kenyan law; access requests are handled per legal requirements.
- You have rights to access, correct and (in some cases) delete your data — see the “Your rights” section below.
- For privacy questions or to exercise your rights contact: [email protected].
2. Who we are — Data controller
Meru Heights Luxury Apartments is the data controller for personal data collected through this Website and for bookings made with us. Contact the Privacy Contact at [email protected] for privacy enquiries or to exercise your data-subject rights.
3. What personal data we collect
We collect and process the following categories of personal data:
A. Data you give us directly
- Identity: full name, title.
- Contact: email address, telephone number (including WhatsApp), postal address, country of residence.
- Booking details: check-in/check-out dates, number and type of guests, apartment preferences, special requests (including accessibility or medical requests where voluntarily provided).
- Payment references and billing information: bank transfer references, M-Pesa references, partial card details (e.g., last 4 digits) as needed for invoices or refunds. Full card PANs are processed by Pesapal (PCI-DSS provider) and not stored on our servers.
- Company information for corporate bookings: company name, billing address, purchase order number, invoicing contact.
- Communications: messages, emails, or form entries you send us.
B. Data collected automatically
- Technical and usage data collected when you use the Website: IP address, device and browser type, operating system, pages visited, date/time of access, referral URL, search queries and session data. This information is collected using cookies and similar technologies (see Cookies section).
C. Data from third parties
- Data we receive from booking platforms, OTAs or travel agents when bookings are made via a third party.
- Data provided by payment processors confirming payment.
- Publicly available information (for example, when verifying corporate accounts).
D. CCTV & on-site surveillance
- CCTV footage recorded on our premises for safety, security and loss prevention purposes. (See CCTV section for details on retention and requests.)
Sensitive Data (special categories): We do not normally request or store special category/sensitive personal data (e.g., health data) except where you voluntarily provide it (for example to explain accessibility needs or dietary restrictions). If we must process special category data we will obtain your explicit consent and limit processing to the minimum necessary.
4. How we use your data (purposes) and legal bases
We only process personal data for specified, lawful purposes. The main purposes and legal bases are:
- To perform the booking contract (Contract) — process your booking request, provide booking confirmations, check-in/check-out, and provide the accommodation and paid services you request (transfers, housekeeping, laundry).
- To take and process payments, refunds and invoices (Contract / Legal obligation) — dealing with payments, issuing invoices and keeping accounting records for tax/legal purposes.
- To communicate about your booking (Contract / Legitimate interest) — confirmations, check-in instructions, service updates, and operational messages.
- To manage safety and security (Legitimate interest / Legal obligation) — CCTV operation, incident investigations, limitation of liability and loss prevention.
- To improve the Website and Services (Legitimate interest) — analytics (Google Analytics) and aggregated usage data to improve site performance and user experience. We take steps to minimise personal data used for analytics (for example, anonymising IP addresses where possible).
- To send marketing material (Consent) — only where you have opted in to receive marketing (newsletter, offers). You may withdraw consent at any time. We do not perform targeted advertising or remarketing.
- To comply with legal obligations (Legal obligation) — tax, accounting and regulatory reporting, lawful requests from authorities.
- To handle complaints and disputes (Legitimate interest / Legal obligation).
If you choose not to provide required information (e.g., identity details needed at check-in), we may not be able to accept your booking or allow check-in.
5. Cookies & similar technologies
We use cookies and similar technologies to operate the Website and improve your experience.
- Essential cookies: Required for the core functionality of the site (session management, booking form operation).
- Performance & analytics cookies: We use Google Analytics to collect non-identifying usage information (page views, session duration, referrer). Google’s analytics may use cookies such as _ga, _gid and _gat. We will respect any local privacy opt-outs and store analytics only as aggregated insights.
- Marketing / advertising cookies: We do not use targeted advertising or remarketing cookies.
You can manage or disable cookies via your browser settings. Disabling non-essential cookies may affect the functionality of the Website (for example, the booking form might not work as expected). Our Website will present a cookie banner where required to obtain consent for non-essential cookies.
6. How we share your personal data
We may disclose personal data to:
- Service providers & processors who perform services on our behalf (payment processors, hosting providers, email/CRM providers, maintenance, laundry and transfer providers, cleaning contractors). We use contracts (Data Processing Agreements) to require these parties to protect personal data. Notable processors include: M-Pesa, local banks (for bank transfers), Pesapal (card payments), GoDaddy (web hosting) and Google (Analytics).
- Booking channels / OTAs or travel agents if your reservation was made via a third party.
- Legal & regulatory authorities where required by law (tax authorities, law enforcement).
- Third parties for safety or security (for example, to investigate an incident or fraud).
- Professional advisers (accountants, legal advisers) where necessary.
We do not sell personal data to third parties.
7. International transfers & hosting
Our Website is hosted by GoDaddy and the servers are located in Europe. Where personal data is transferred outside Kenya (for example: hosting in Europe, Pesapal processors, Google servers), we implement appropriate safeguards to ensure an adequate level of protection for your data, such as standard contractual clauses, equivalent legal protections and security measures. If you would like more details about the safeguards used for a specific transfer, contact [email protected].
8. Retention periods
We retain personal data only for as long as necessary for the purposes set out above, and in accordance with legal or regulatory obligations. Typical retention periods:
- Booking & reservation records, invoices & payment records: retained for 7 years for tax and accounting compliance.
- CCTV footage: retained for 30 days by default, unless required for an incident investigation or legal process; in that case footage may be retained longer as needed and as permitted by law.
- Marketing & newsletter lists: retained until you unsubscribe or request deletion.
- Website analytics & logs: retained in aggregated/anonymised form; raw logs retained for up to 12 months (or as required by our analytics provider).
- Job applications / recruitment data: retained for up to 12 months unless otherwise requested.
If you request deletion of your personal data we will assess the request against legal obligations (e.g., tax law) and contractual needs; certain data may need to be retained where required by law.
9. CCTV and on-site surveillance
We operate CCTV on our premises for the purpose of safety, security and loss prevention. CCTV signage is displayed on the property.
- Retention: footage is retained for 30 days by default unless needed for an active investigation.
- Access requests: access to CCTV footage is handled in accordance with Kenyan law. Requests for footage will be considered and responded to where legally required; requestors may be required to provide proof of identity and a lawful basis for access. We will not disclose footage to third parties except as required by law or to assist in investigations. To request information about CCTV footage email [email protected]; note that we may refuse requests that are unlawful, excessive or outside statutory rights.
10. Payment processing & card data
All online card payments are processed by Pesapal (PCI-DSS). M-Pesa and bank transfers are used for mobile and bank payments. We do not store full card PANs or CVV values on our servers. We may retain transaction references and partial card identifiers (last 4 digits) for invoicing and refund purposes. For details about how Pesapal, M-Pesa or your bank process card/data see their privacy policies.
11. Your rights (how to exercise them)
Depending on applicable law and subject to legal exceptions, you may have the following rights with respect to your personal data:
- Right of access: request a copy of personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure: request deletion of personal data where we have no legal reason to retain it. (Note: we may not be able to delete booking or payment records required for tax or legal reasons.)
- Right to restrict processing: ask us to limit processing in certain circumstances.
- Right to data portability: request a machine-readable copy of data you provided.
- Right to object: object to processing based on legitimate interests (for example for direct marketing).
- Right to withdraw consent: where processing is based on consent, you may withdraw consent at any time.
To exercise any of these rights contact us at [email protected]. When making a request we may need to verify your identity. We aim to respond to a valid request within 30 days; complex requests may take longer, but we will keep you informed.
If you are unhappy with our response you may lodge a complaint with the Office of the Data Protection Commissioner (Kenya) or your local supervisory authority (for EU/UK residents, for example the UK Information Commissioner’s Office).
12. Children & minors
We do not intentionally collect personal data from children under 18 via the Website. If you are booking on behalf of minors you should ensure you have parental/guardian authority. Parents/guardians are responsible for the actions and safety of minors during a stay.
13. Security measures
We use reasonable organisational and technical measures to protect personal data against unauthorised access, loss or misuse. Measures include use of TLS (HTTPS) on the Website, access controls, staff training and secure hosting by GoDaddy. However no internet transmission or storage system is completely secure — if you suspect a security incident contact [email protected] immediately.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes we will publish the updated policy on this page with the revised “Last updated” date. Where appropriate (for example where we rely on consent), we will obtain your consent again.
15. Links to other websites
This Website may link to third-party websites (for example OTAs, partner sites or external attractions). This Privacy Policy does not apply to third-party websites. We encourage you to review the privacy notices of those websites before providing personal information.
16. Contact & complaints
If you have any questions, requests or a complaint about our use of your personal data, contact our privacy contact:
Email: [email protected]
Postal: Katheri-Githongo Road, Kathumbi, Meru, Kenya
Phone: +254 701 680 231
If you are not satisfied with our response you may file a complaint with the Office of the Data Protection Commissioner (Kenya) or with the relevant supervisory authority in your country of residence.
17. Annex A — Cookies (summary)
This is a brief list of cookies commonly used on our Website. The exact cookies and their lifetimes may change; the Website cookie banner or a dedicated cookie page has the current list.
- Essential / functional cookies — session cookies required for the booking form and site functionality (no opt-out for essential cookies).
- Google Analytics cookies — e.g., _ga (used to distinguish users), _gid (used to distinguish users), _gat (throttle request rate). Purpose: analytics and site improvement.
- Consent cookie — stores your cookie banner choices.
How to opt out / manage cookies: You can disable cookies via your browser settings. Note that disabling non-essential cookies may limit site functionality.
18. Annex B — Processors & third parties (summary)
We use the following main third-party providers (subject to change):
- GoDaddy — web hosting (servers in Europe).
- Pesapal — card payment processing (PCI-DSS).
- M-Pesa / Safaricom — mobile payments.
- Local banks — bank transfer payments.
- Google Analytics — website analytics.
- Local service providers — transfers, housekeeping, laundry, cleaning contractors (as required to fulfil bookings).
We require processors to process personal data only on our instructions and to take appropriate security measures.
19. Additional notes
We do not routinely store identity document copies unless required by law; if a copy is required by local law we will inform you and limit retention to the minimum necessary.
We do not engage in targeted advertising/remarketing.
We do not sell your personal information.