Privacy Policy — TRA Kenya Tourism Compliance Gateway

Effective Date: 1 January 2026 · Version: 1.0 · Data Controller: Kenya Tourism Regulatory Authority

1. Introduction

The Kenya Tourism Regulatory Authority ("TRA", "we", "us") is committed to protecting the personal information of tourism operators and their representatives who use the TRA Digital Tourism Compliance Gateway ("the Platform"). This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights as a data subject under the Kenya Data Protection Act, 2019.

TRA is registered as a data controller with the Office of the Data Protection Commissioner (ODPC) of Kenya. Registration Number: [ODPC-REG-XXXXXXX]

2. Data We Collect

Category	Data Elements	Purpose
Identity	Full legal name, National ID / Passport number, ID type, nationality/citizenship status	Operator identification and KYC verification
Contact	Email address, phone number, physical address, county of operation	Account management, notifications, compliance correspondence
Tax	KRA PIN (Personal Identification Number)	KRA PIN verification, eTIMS invoice submission, tax compliance checks
Business	Enterprise name, business registration number, class/category of tourism business, services offered, unit count	Licence processing, classification, public tourism register
Location	GPS coordinates (latitude / longitude), physical address, county	Compliance mapping, GPS intelligence, public register display
Documents	Uploaded copies of certificates, ID documents, EIA reports, permits	KYC verification, licence application processing
Financial	Payment transaction references, amounts paid, M-Pesa receipt numbers	Licence fee processing, reconciliation, eTIMS fiscal reporting
System	IP address, login timestamps, browser type, session identifiers	Security, fraud prevention, audit logging
Tourism Fund	Monthly chargeable revenue declared, levy amounts	Tourism Fund levy calculation and remittance (Classes A & B only)

3. Legal Basis for Processing

We process your personal data on the following legal bases under the Kenya Data Protection Act, 2019:

Legal obligation — Processing required for TRA to fulfil its statutory mandate under the Tourism Act (Cap. 383) and the Tourism Fund Act.
Contract — Processing necessary to issue your licence and manage your compliance obligations.
Consent — Where you have given consent (e.g., promotional tourism sector communications). You may withdraw consent at any time.
Public interest — Maintaining the public tourism register and sharing data with other regulatory bodies as authorised by law.

4. How We Use Your Data

Verify your identity and KRA PIN before issuing a licence.
Process licence applications, renewals, and fee payments.
Submit invoices to the Kenya Revenue Authority (KRA) eTIMS system for fiscal compliance.
Display your enterprise name, class, location, and QR code on the public tourism register at register.tourism.tra.go.ke.
Send compliance notices, licence renewal reminders, and inspection schedules.
Conduct GPS-based compliance mapping and intelligence for enforcement operations.
Detect and prevent fraud, account misuse, and document forgery.

5. Data Sharing

We share your data only as described below and never sell personal data to commercial third parties:

Recipient	Data Shared	Basis
Kenya Revenue Authority (KRA)	KRA PIN, invoice amounts, taxpayer type	Legal obligation — eTIMS fiscal compliance
Tourism Fund Board	Enterprise name, class, monthly levy return data	Legal obligation — Tourism Fund Act
County Governments	Enterprise name, location, licence status	Legal obligation — devolved tourism regulation
Safaricom / M-Pesa	Phone number, payment reference (for STK Push)	Contract — payment processing
Paystack	Email, payment amount (for card payments)	Contract — payment processing
AfricasTalking	Phone number, SMS content	Contract — SMS notification delivery
Public Tourism Register	Enterprise name, class, county, licence status, QR code	Legal obligation — Tourism Act public disclosure

6. Data Retention

We retain your personal data for the following periods:

Licence records: 7 years after licence expiry (Kenya Archives and Documentation Service requirements).
Payment records: 7 years (Income Tax Act requirements).
Audit logs and access logs: 2 years.
Unverified / incomplete registration: 90 days, then deleted.
Tourism Fund returns: 7 years.

7. Data Security

TRA implements technical and organisational measures to protect your data, including:

TLS 1.2+ encryption for all data in transit.
Passwords stored using bcrypt hashing (never in plain text).
Time-based one-time passwords (TOTP) for officer two-factor authentication.
HMAC-signed QR tokens to prevent forgery.
Role-based access control (RBAC) — officers see only data relevant to their role.
All login events, data changes, and administrative actions are logged with IP address and timestamp.

8. Your Rights

Under the Kenya Data Protection Act, 2019, you have the right to:

Access — Request a copy of the personal data we hold about you.
Correction — Request correction of inaccurate data (note: licence records cannot be altered after issuance).
Erasure — Request deletion of data where there is no legal obligation to retain it.
Object — Object to processing based on legitimate interest or public interest grounds.
Portability — Receive your data in a machine-readable format where technically feasible.
Withdraw Consent — Withdraw consent for optional communications at any time.

To exercise any of these rights, email: dataprotection@tourism.tra.go.ke

If you are not satisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.

9. Cookies and Tracking

The Platform uses a single session cookie (tra_session) to maintain your authenticated session. This cookie is deleted when you log out or close your browser. We do not use advertising cookies, analytics third-party trackers, or cross-site tracking technologies.

10. Children's Data

The Platform is not intended for use by persons under the age of 18. We do not knowingly collect data from minors. If you believe a minor has registered, contact us immediately at the address below.

11. Changes to This Policy

We may update this Privacy Policy periodically. The "Effective Date" at the top will be updated accordingly. Material changes will be notified by email to your registered address at least 14 days before taking effect.

12. Contact the Data Controller

Data Protection Officer: dpo@tourism.tra.go.ke
General queries: dataprotection@tourism.tra.go.ke
Tel: +254 20 000 0000
Address: Tourism Regulatory Authority, Utalii House, Uhuru Highway, Nairobi, Kenya