Nolawi Tour and Travel Privacy Policy

This Privacy Standard & Policy ("Privacy Standard") explains how Nolawi Tour and Travel ("Nolawi", "we", "us") collects, uses, shares, stores, and protects personal data of customers, employees, drivers, contractors, and other individuals who interact with us. It also sets clear rules for privacy in operations such as vehicle dash cameras, GPS tracking, communication, marketing, and partner management.

This document is designed to support compliance with applicable Ethiopian law, including the Personal Data Protection Proclamation No. 1321/2024, and (where relevant) international privacy requirements for travelers, partners, and suppliers.

1. Scope

• Applies to all Nolawi staff, drivers, tour leaders, contractors, interns, and any third-party processing personal data on Nolawi’s behalf.
• Covers customer bookings, tour operations, transport services, accommodation and activity coordination, payments, customer support, marketing, recruitment, training, and internal administration.
• Applies to all formats of personal data: paper, electronic, audio, video, and photographs.

2. Key Definitions

• Personal Data: information relating to an identified or identifiable natural person (e.g., name, phone number, passport details, location data).
• Sensitive Personal Data: personal data requiring higher protection (e.g., health information, biometric identifiers, children’s data where applicable).
• Processing: any operation performed on personal data (collecting, storing, using, sharing, deleting).
• Data Subject: the person whose personal data we process.
• Controller/Processor: Nolawi is usually the controller; suppliers may act as processors or independent controllers depending on the service.

3. Privacy Principles We Follow

• Lawfulness, fairness, and transparency: we explain what we do with personal data in plain language.
• Purpose limitation: we collect data for specific business and safety purposes and do not use it in incompatible ways.
• Data minimization: we collect only what we need to deliver the service safely and professionally.
• Accuracy: we keep data accurate and up to date where reasonably possible.
• Storage limitation: we keep data only as long as necessary (see retention rules).
• Security and confidentiality: we protect personal data against loss, misuse, unauthorized access, and disclosure.
• Accountability: we assign responsibilities, train staff, and document key decisions.

4. Personal Data We Collect

4.1 Customers and Travelers

• Identity and contact details: name, phone, email, nationality, emergency contact.
• Booking and trip details: itinerary, pick-up points, room preferences, special requests.
• Travel document details where required for service delivery: passport/ID numbers, visa details (only when necessary).
• Payment and invoicing details: transaction references, billing information (we avoid storing full card data unless required; use payment partners where possible).
• Safety-related details: allergies, medical needs, or mobility requirements (only with your knowledge and only when relevant to the trip).
• Communications: messages, call notes, email correspondence, complaints, and feedback.

4.2 Employees, Drivers, and Applicants

• Recruitment and on boarding: CVs, references, driving license and experience records, interview notes, assessments, training results.
• Employment administration: payroll and benefits information, attendance records, disciplinary records, performance records.
• Operational data: vehicle assignment, route logs, incident reports, and training compliance.
• Technology and security logs: device access logs for company systems, and limited monitoring necessary to protect company information.

4.3 Vehicle and Operations Data

• Vehicle telematics: GPS location, trip start/end times, speed/harsh braking indicators where systems exist.
• Dash camera footage (where installed): forward-facing road footage and incident footage; interior-facing footage only if enabled under strict rules described below.
• Call recordings (if used): only with notice and where lawful; used for quality and safety.

5. Why We Use Personal Data (Purposes)

• To provide and manage travel/tour services (booking, scheduling, transport, tour guidance).
• To ensure safety and security of passengers, staff, and vehicles, including accident prevention and investigation.
• To meet legal and regulatory obligations (tax, accounting, insurance, safety reporting).
• To communicate with customers and partners and respond to inquiries and complaints.
• To recruit, train, and evaluate drivers and staff (including safety training and skills assessment).
• To improve service quality and customer experience through feedback and performance review.
• To conduct marketing only where appropriate and allowed (e.g., newsletters with opt-out).

Where required, we rely on consent. In other cases, we process data because it is necessary to deliver the service, comply with a legal obligation, protect vital interests (safety), or for legitimate operational interests, while respecting your rights.

6. Dash Cameras and In-Vehicle Privacy Standard

Nolawi uses modern vehicles and may equip vehicles with dash cameras to improve road safety, support driver coaching, reduce accidents, and document incidents. Dash camera use must always balance safety with customer and employee privacy.

6.1 Default Configuration

• Primary mode: forward-facing (road) recording for safety and incident evidence.
• Interior-facing cameras (if any) are disabled by default and may be enabled only for a defined safety reason and with clear notice.
• Audio recording is disabled by default unless a specific risk assessment justifies it and lawful notice is provided.

6.2 Customer Preferences and Notice

• Before or at pick-up, customers may ask questions about dash cameras and how footage is used.
• Where operationally feasible and lawful, Nolawi can accommodate a customer request to disable or cover an interior-facing camera.
• For forward-facing road cameras, Nolawi may keep recording enabled for safety and insurance requirements; we will still explain our purpose and retention limits.
• Visible notice (sticker/sign) should be displayed in vehicles where cameras are installed.

6.3 Access Controls

• Footage is accessed only by authorized management/safety personnel on a need-to-know basis.
• Footage may be shared with insurers, law enforcement, or legal counsel only where necessary and lawful.
• Drivers are not permitted to copy, share, post, or use footage for personal purposes.

6.4 Retention (Dash Cam)

• Routine footage: retained up to 30 days then automatically deleted/overwritten, unless needed for an incident.
• Incident footage: retained for the duration of the investigation/insurance/legal process and then securely deleted per retention rules.

7. Sharing Personal Data (Partners and Vendors)

• Hotels, airlines, guides, and activity providers: we share only what is needed to deliver the service (e.g., names, dates, room type).
• Driver training schools, mechanics, and fleet partners: we share only the necessary driver and vehicle details for training, compliance, and safety.
• Payment providers and banks: we use trusted payment channels and share only necessary transaction details.
• Government authorities: we may disclose personal data where legally required or to protect safety.

Where a third-party processes personal data on our behalf, we aim to use written agreements and require confidentiality, security controls, and limited use of data.

8. Cross-Border Transfers

Some travel services involve international partners. When personal data must be transferred outside Ethiopia, Nolawi will take reasonable steps to ensure an appropriate level of protection, including contractual safeguards where feasible and compliance with applicable legal requirements.

9. Security Controls

• Access control: role-based access, strong passwords, and least-privilege permissions.
• Device security: lock screens, encrypted storage where available, and secure backups.
• Secure communications: avoid sharing sensitive data in unsecured channels; use official email and approved tools.
• Physical security: secure storage for paper files, restricted access to offices and fleet documents.
• Training: mandatory privacy and confidentiality training for staff and drivers.
• Incident response: prompt reporting and escalation of suspected data breaches.

10. Data Retention and Disposal

Nolawi keeps personal data only as long as necessary. Typical retention periods (may be extended for legal or safety reasons):

• Customer booking and invoicing records: up to 7 years (accounting/tax/contract purposes).
• Customer support messages and complaints: up to 3 years after closure.
• Marketing contact lists: until you opt out, or up to 2 years after last interaction.
• Recruitment records (unsuccessful applicants): up to 12 months.
• Employee personnel files: during employment and as required after separation (per legal/operational needs).
• GPS/telematics logs: up to 90 days for operations and safety analysis.
• CCTV at offices (if used): up to 30 days unless incident-related.
• Dash cam footage: see Section 6.4.

When retention ends, data is securely deleted, destroyed, or anonymized.

11. Individual Rights (Customers and Employees)

• You may request access to your personal data and ask for correction of inaccurate data.
• You may request deletion or restriction of processing where legally applicable.
• You may object to certain processing, including direct marketing.
• You may request a copy of your personal data in a usable format where appropriate.
• You may lodge a complaint with the relevant supervisory authority when applicable.

12. Children and Vulnerable Persons

Nolawi is committed to safeguarding children’s rights and privacy. We minimize collection of children’s personal data and use it only to deliver safe travel services. We do not knowingly use children’s data for marketing without appropriate authorization. Staff must report any safeguarding concern through internal escalation channels.

13. Employee and Driver Privacy Standard

• Nolawi collects employee/driver data mainly for recruitment, safety, payroll, compliance, and operations.
• Any monitoring (GPS, telematics, dash cams, system logs) is limited to safety, security, and service-quality purposes.
• Nolawi does not use monitoring to intrude into private life and does not record private conversations for non-safety purposes.
• Access to employee data is limited to HR, finance, and authorized managers.

14. Marketing and Communications

• We send service messages necessary for your booking (not marketing).
• We send marketing messages only were permitted and always provide an opt-out method.
• We do not sell customer personal data.

15. Photos, Testimonials, and Media

• We request permission before using customer photos, videos, or testimonials for promotional purposes.
• Customers may withdraw permission for future use; content already published may take time to remove from third-party platforms.

16. Data Breach and Incident Response

• All staff must report suspected privacy incidents immediately to management and the designated privacy contact.
• Nolawi will assess, contain, investigate, and document incidents and notify affected individuals and authorities where required.

17. Governance and Responsibilities

• Management: approves privacy controls, resources, and enforcement.
• Privacy Contact: receives requests and incident reports and coordinates response.
• All Staff: follow this standard, keep data confidential, and report concerns.

18. Contact for Privacy Requests

Annex A – Vehicle Privacy Notice

Annex B – Minimum Controls Checklist (Internal)