Kaofela Retreats
Enquire
Privacy Policy

Privacy Policy

How we handle and protect your personal data.

Privacy Policy

Data controller Kaofela Retreats Ltd (registered in England and Wales, company number 15725143) ICO registration ZC131599 — verifiable at ico.org.uk/ESDWebPages/Search Contact hello@kaofelaretreats.com Governing law England and Wales | UK GDPR and Data Protection Act 2018 Version 1.0 | April 2026

ABOUT THIS POLICY This policy explains how Kaofela Retreats Ltd collects, uses, stores, and protects your personal data. It applies to all personal data we process through our website at kaofelaretreats.com, retreat bookings, email communications, and paid advertising. We handle your data responsibly and in compliance with UK GDPR and the Data Protection Act 2018.

  1. Who We Are 1.1 Kaofela Retreats Ltd is the data controller for personal data collected through kaofelaretreats.com and in connection with our retreat bookings and communications. We are registered with the Information Commissioner's Office under registration number ZC131599, verifiable at ico.org.uk/ESDWebPages/Search. 1.2 If you have any questions about this policy or your personal data, please contact us at hello@kaofelaretreats.com.

  2. What Data We Collect 2.1 We collect the following categories of personal data: 2.1.1 Identity data: first name, last name, date of birth. 2.1.2 Contact data: email address, phone number, postal address, country of residence. 2.1.3 Booking and payment data: retreat selection, room type, payment plan, payment history, and booking reference. We do not store full card details. Payments are processed by Stripe. 2.1.4 Travel data: passport details where required for logistical purposes, dietary requirements, and transfer information. 2.1.5 Health data (special category): medical conditions, medications, injuries, fitness level, dietary requirements, allergies, and mental health information. We collect this through the pre-retreat health questionnaire where necessary for health and safety, and where required we rely on your explicit consent. 2.1.6 Emergency contact data: name, relationship, phone number, and email of your designated emergency contact. Deleted within 30 days of the retreat end date. 2.1.7 Communications data: emails and messages you send to us. 2.1.8 Marketing data: your subscription status and email engagement data including open rates and click data via Mailchimp. 2.1.9 Technical and behavioural data: IP address, browser type, device information, pages visited, time on page, scroll depth, heatmaps, and session recordings collected via Google Analytics, Microsoft Clarity, and the Facebook Pixel. 2.2 We do not knowingly collect data from individuals under the age of 18.

  3. How We Collect Your Data

  • Directly from you when you complete a booking, submit an enquiry, sign up to our mailing list, or complete the pre-retreat health questionnaire.
  • Automatically when you visit our website through cookies and tracking technologies including Google Analytics, Microsoft Clarity, and the Facebook Pixel.
  • From Stripe in connection with payment transactions.
  • From Mailchimp in connection with email marketing and subscriber engagement.
  1. Why We Use Your Data and Our Legal Basis We use your personal data only where we have a lawful basis to do so.
  • Processing your booking and managing your retreat place: Contract performance
  • Sending booking confirmation and pre-retreat communications: Contract performance
  • Processing payments via Stripe: Contract performance
  • Collecting health questionnaire responses and using them to ensure your safety: Explicit consent
  • Sharing relevant health information with coaching team: Explicit consent
  • Sending marketing emails to subscribers: Consent
  • Running retargeting campaigns on Meta: Consent (cookie banner)
  • Analysing website traffic via Google Analytics: Consent (cookie banner)
  • Analysing session recordings via Microsoft Clarity: Consent (cookie banner)
  • Complying with legal obligations: Legal obligation
  • Protecting our legal rights: Legitimate interests
  1. Who We Share Your Data With 5.1 We share your personal data with the following third parties where necessary:
  • Stripe: payment processing. PCI-DSS Level 1 compliant. We do not store card details.
  • Mailchimp: email marketing. Used to send retreat communications and marketing emails where you have consented.
  • Firebase (Google): website hosting and booking database. Your booking data is stored securely in Firebase Firestore.
  • Google Analytics: website traffic analysis. IP anonymisation is enabled. Data is processed under Google's privacy terms.
  • Microsoft Clarity: session recording and heatmap analysis. Clarity does not collect personally identifiable information directly. Active only where you have accepted analytics cookies.
  • Meta (Facebook Pixel): retargeting advertising on Facebook and Instagram. Active only where you have accepted marketing cookies via our cookie banner.
  • The retreat coaching team: relevant health and fitness information from your health questionnaire, shared on a need-to-know basis to ensure your safety.
  • Tintswalo Waterberg: dietary requirements and logistical information shared to prepare for your stay.
  • Legal and regulatory authorities: where required by law or to protect our legal rights. 5.2 We do not sell your personal data to any third party.

  1. International Data Transfers 6.1 Some of our service providers process personal data outside the UK and the European Economic Area. Where this happens, we use appropriate safeguards such as an adequacy regulation, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, as applicable. 6.2 Health questionnaire data may be shared with coaching staff based in South Africa for the purposes of your safety during the retreat. This is done securely and only to the extent necessary.

  2. How Long We Keep Your Data

  • Booking and payment records: 7 years
  • Health questionnaire data: 3 months after retreat
  • Emergency contact data: 30 days after retreat
  • Marketing data: Until unsubscribe
  • Analytics data: Up to 26 months
  1. Your Rights 8.1 Under UK GDPR you have the following rights:
  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate or incomplete data.
  • Right to erasure: ask us to delete your data in certain circumstances.
  • Right to restrict processing: ask us to pause processing of your data in certain circumstances.
  • Right to data portability: request your data in a structured, commonly used format.
  • Right to object: object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing. For health data, withdrawal may mean we are unable to safely accommodate you on the retreat.
  • Right not to be subject to automated decision-making: we do not carry out automated decision-making that produces legal or similarly significant effects. Some advertising tools may however use limited profiling for audience targeting where you have consented to marketing cookies. 8.2 To exercise any of these rights, email hello@kaofelaretreats.com. We will respond within one calendar month. 8.3 You may lodge a complaint with the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113. Right not to be subject to automated decision-making: We do not carry out automated decision-making that produces legal or similarly significant effects. Some advertising tools may however use limited profiling for audience targeting where you have consented to marketing cookies.

  1. Cookies and Tracking Technologies 9.1 Our website uses cookies and tracking technologies to improve your experience and enable advertising. A cookie is a small file stored on your device. 9.2 Non-essential cookies including analytics, session recording, and marketing cookies are only set after you accept them via our cookie consent banner. Essential cookies are set automatically as they are required for the site to function. 9.3 Non-essential cookies, including analytics and marketing cookies, are only set after you give your consent via our cookie banner. Essential cookies are required for the Site to function and do not require consent. 9.4 You can manage or withdraw cookie consent at any time through our cookie banner or by adjusting your browser settings. Disabling certain cookies may affect website functionality.

  2. Data Security 10.1 We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include secure hosting via Firebase, encrypted data transmission (HTTPS), and access controls limiting who can view personal data. 10.2 Payment data is handled exclusively by Stripe, which is PCI-DSS Level 1 compliant. We do not store card numbers or payment credentials. 10.3 Health questionnaire data is stored securely and access is restricted to the retreat director and the coaching team on a need-to-know basis. 10.4 In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you without undue delay where required by law.

  3. Children's Data 11.1 Our website and retreats are intended for adults aged 18 and over. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us at hello@kaofelaretreats.com and we will delete it promptly.

  4. Complaints 12.1 If you have a complaint about how we handle your personal data, contact us first at hello@kaofelaretreats.com. We will acknowledge your complaint within 5 working days and aim to resolve it within 28 days. 12.2 If you remain dissatisfied, you may complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.

  5. Changes to This Policy 13.1 We may update this Privacy Policy from time to time. The current version is always available at kaofelaretreats.com/privacy-policy. We will notify you of material changes by email where we hold your contact details. Continued use of our website after any change constitutes your acceptance of the updated policy.