This Data Protection Policy (Privacy Policy) sets out how Undiscovered Africa (Undiscovered Africa, we or us) collects, stores and handles your personal data.
To ensure you can make informed decisions about supplying personal data relating to you when purchasing our products and using our services, we provide this Privacy Policy outlining our data collection practices and the choices you have concerning how the data is being collected and used.
To ensure a seamless travel experience, we may share your information with trusted travel partners, including lodges, transfer providers and service suppliers involved in your itinerary.
With your consent, we may also use your information to tailor future travel experiences or share relevant opportunities with selected partners.
You can find this Privacy Policy on our website www.undiscovered-africa.com/privacy-policy/.
The website is not intended for children and minors, and we do not knowingly solicit or collect personal data from children and minors. As a parent or legal guardian, please do not allow your children to submit personal data without your permission.
By submitting your personal data to us, you agree to the processing set out in this Privacy Policy. If there are any additional uses of your personal data, we will provide you with the ability to opt-in or out of those additional uses.
This Privacy Policy contains general and technical details about the steps we take to respect your privacy concerns. We have organised the Privacy Policy by major processes and areas so that you can review the information of most interest to you.
1.1 The term "personal data" refers to any personal data that can be used to identify you as an individual.
1.2 We may collect and process the following Personal data about you.
1.2.1 Personal information about you: Personal information that you provide to us including your name, telephone number, e-mail address and address (residential and/or delivery address).
1.2.2 Your payment information: Your payment information such as your credit card information (including credit card number, code and expiry date). This is done via a secure third party. We do not hold onto this information as it is securely processed.
1.2.3 Our correspondence: If you contact us such as when you make enquiries, we may keep a record of that correspondence.
1.2.4 Survey information: We may also ask you to complete surveys that we use for research purposes. In such circumstances we shall collect the information provided in the completed survey.
1.2.5 Your use of our website and mobile applications: Details of your visits to our website, mobile application and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.
1.2.6 For our Lodge related services (for example when you make a lodge or spa reservation).
1.2.7 Your travel details and preferences: We may collect information such as your travel details (including flight number, arrival and departure dates and time, country/point of origin and destination), your travel partner information, preferences about room, food and beverages and treatment, service requests, information relating to your dietary, access or treatment requirements. We may also need to collect information as required by local laws such as passport numbers, type of entry visa, and driver’s license.
1.2.8 Your transactions with us: We collect your itemised spending to properly assemble your folio during your stay, which includes your room rate and other expenses billed to your room.
Your transactions with us: We may collect information such as identity document and passport details.
1.3 We may collect your personal data from you directly. We may also collect personal data from third parties including agents and online service providers that make lodge, spa or other reservations on your behalf, facilitate online payments or that are otherwise involved in the reservations process or delivering our services to you. By agreeing to and accepting this Privacy Policy, you expressly consent to our collection of your personal data via a third party.
1.4 If you provide us with personal data about other individuals (e.g. family members or travel companions), regardless of whether you are travelling together, you must inform such individuals that you have provided us with their details and let them know where they can find a copy of this Privacy Policy.
1.5 Special categories of personal data
1.5.1 Special categories of personal data are a subset of personal data, and include personal data relating to your health, political opinions, religious beliefs, ethnicity and race, sex life, trade union membership and in some cases, criminal activity.
1.5.2 As a general rule, we do not process special categories of personal data. We may however process health/medical information in order to handle medical incidents and/or claims as per paragraph 2.2.7 below.
Where we process special categories to handle medical incidents, we do so in order to protect the vital interests of you or another person. Where we process special categories to handle claims, we do so on the basis of establishing, exercising or defending legal claims or whenever courts are acting in their judicial capacity. In addition, we may process special categories of personal data in limited circumstances where you have provided such special categories of personal data including health/medical information (e.g. allergies, disabilities, dietary requirements) so that we can provide our services safely to you (e.g. spa treatments and meals).
1.5.3 Where we must process special categories of personal data mentioned at paragraph 1.5.2 above, we will only do so where you have given us your explicit consent for the collection, processing and disclosure of the special categories of personal data. Where you are providing special categories of personal data about a travel partner, you agree that you have procured their consent to our collection, processing and disclosure of their special categories of personal data.
2.1 Please note that use and processing of personal data under EU and South African data protection laws must be justified on the basis of one of a number of grounds and we are required to set out the grounds in respect of each use in this Privacy Policy. An explanation of the scope of the grounds available can be found below.
2.2 We may use your personal data in the following ways:
2.2.1 To administer your reservations and itineraries:
To process your reservation requests which may be made directly with us, via our website, or via our third party service providers and to confirm your booking. We may send a confirmation of your booking via email, SMS or other means and in the case of Lodge reservations, a pre-arrival message summarising your confirmation details and preferences, and other information about the Lodge, the area and the weather. Use justification: Contract performance, legitimate interests (to enable us to perform our obligations and provide services to you).
2.2.2 To provide you with services:
To provide and charge for (i) Lodge related services, including but not limited to, accommodation, food and beverages and spa treatments, and to facilitate any special requests or assistance that you have asked for, and (ii) non-Lodge services including transport services. Use justification: Contract performance, legitimate interests (to enable us to perform our obligations and provide services to you).
2.2.3 To customize our services and products to you:
To assure your future comfort and attention to your individual needs, we collect and store specific information about you, such as your food and beverage preferences and other special requests. For example, if you are a repeat guest at our Lodges, we may store your personal data in our system to serve you better upon your return.
Use Justification: Legitimate interests (to allow us to provide customized services and products to you).
2.2.4 To provide marketing materials to you:
To provide you with updates, offers, and subscriptions where you have chosen to receive these, or connected with us via social media platforms. With your consent, we may send you information about Undiscovered Africa, including news and offers by post, e-mail, telephone, SMS. You may also see these offers and information on social media platforms through which you have connected with us. Please note that this is subject to the terms and conditions of use of the relevant social media platform. It is however our intention to only send you communications that you may want to receive. We typically use third party e-mail service providers to send e-mails. These service providers are contractually prohibited from using your e-mail address for any purpose other than to send e-mails related to Undiscovered Africa.
Personal data will not be shared with third parties for their own marketing purposes. We provide you with the ability to unsubscribe from all marketing communications. Every time you receive an e-mail, you will be provided with the choice to opt-out of future e-mails by following the instructions provided in the e-mail. You may also opt-out of receiving promotional information by contacting us as set out in Section 6 below.
Use Justification: Consent (which can be withdrawn at any time - please see paragraph 5.1 below).
2.2.5 For analytics and profiling:
To tailor our marketing to you. In connection with our marketing activities, we analyse information that we collect about guests to determine what offers are most likely to be of interest to different categories of guests in different circumstances and at different times. To do this for Lodge-related services, we combine personal data that we have collected about a guest from one Lodge with personal data that we have collected from the same guest from another Lodge. Such personal data includes guest behavioural information such as transaction history, spending pattern, preferences, service requests and interactions with us. From time to time, we will assess the personal data that we hold about you in order to tailor our marketing communications to include offers and content that are relevant to you. We may also use this method to avoid sending you offers that are inappropriate or unlikely to be of interest to you. You have the right to opt-out of such analysis of your personal data at any time. You can exercise this right by contacting us as set out in section 6 below.
Use Justification: Consent (which can be withdrawn at any time - please see section 5.2.1.5 below); legitimate interests (to enable us to tailor our marketing to you).
2.2.6 To comply with our public law and legal obligations:
To comply with our public law and legal obligations such as financial reporting requirements imposed by our auditors and government authorities, and to cooperate with law enforcement agencies, government authorities, regulators and/or the court in connection with proceedings or investigations anywhere in the world where we are compelled to do so. Use Justification: Public law obligation, legal obligation, legitimate interests (to cooperate with law enforcement and regulatory authorities).
2.2.7 To handle incidents and process any claims we receive:
To handle any accidents and incidents such as liaising with emergency services, and to handle any claims made by guests such as personal injury claims. Please note that this may also require the processing of special categories of personal data.
Use Justification: Vital interest (in relation to special categories of personal data), legal claims, legitimate interests (to ensure that incidents and accidents are handled appropriately and to allow us to assist our guests).
2.2.8 To improve our services and products:
To assist us in developing new services and products and to improve our existing services and products. Use Justification: Legitimate interests (to allow us to continuously improve and develop our services).
2.2.9 To ensure our Website functions correctly:
To ensure that content from our Website is presented in the most effective manner for you and for your computer. Use Justification: Contract performance, legitimate interests (to allow us to provide you with the content and services on the Website).
3.1 We may share your personal data in the following ways:
3.1.1 Third party service providers who process personal data on our behalf to help us undertake the activities described in section 2 above:
We may permit selected third parties such as service providers, agents, contractors, entities which may be the Lodge manager, and managers of other Lodges to use your personal data for the purposes set out in section 2, including mail houses and e-mail service providers that we engage to send and disseminate promotional information for Undiscovered Africa, data centre providers that host our servers and third party agents that process mailing, online bookings and reservations on our behalf. These parties are contractually prohibited from using personal data for any purpose other than for the purpose specified in their respective contracts, and will be subject to obligations to process personal data in compliance with the same safeguards that we deploy. We do not permit the sale of personal data to entities outside of Undiscovered Africa for any use unrelated to our operations or use of personal data by third parties for their own purposes.
Use Justification: Contract performance, legitimate interests (to allow us to effectively providing services to you and to run and manage our business).
3.1.2 Law enforcement agencies, government authorities, regulators and the court in order to comply with our legal obligations or to handle incidents / claims:
We may disclose your personal data when required by relevant law or court order, or as requested by other government or law enforcement authorities to assist with proceedings or investigations. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime. This also applies when we have reason to believe that disclosing the personal data is necessary to obtain legal advice, to identify, investigate, protect, contact, or bring legal action against someone who may be causing interference with our guests, visitors, associates, rights or properties, or to others, whether intentionally or otherwise, or when anyone else could be harmed by such activities.
Use Justification: Public law obligation, legal obligation, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities).
3.1.3 Third parties who require such data in connection with a change in the structure of our business:
In the event that we (or a part thereof) are (i) subject to negotiations for the sale of our business or (ii) sold to a third party or (iii) undergo a re-organisation, you agree that any of your personal data which we hold may be transferred to that re-organised entity or third party and used for the same purposes as set out in this Privacy Policy, or for the purpose of analysing any proposed sale or re-organisation. We will ensure that no more of your personal data is transferred than is necessary.
Use Justification: Contract performance, legitimate interests (to allow us to run and manage our business).
3.2 This Privacy Policy does not apply to our processing of personal information on behalf of, or at the direction of, third party providers (for example, airlines, car rental companies, or other hospitality websites) who may collect personal information from you and provide it to us. In this situation, we would merely act as a data processor and thus advise you to review applicable the third party provider’s privacy policy before submitting your personal information.
3.3 Use justifications
3.3.1 We note the grounds we use to justify each use of your personal data next to the use in the "How we use personal data" and "How we share personal data" sections of this Privacy Policy.
3.3.2 These are the principal legal grounds that justify our use of your personal data:
3.3.2.1 Consent: Where you have consented to our use of your personal data (you will have been presented with a consent form in relation to any such use).
3.3.2.2 Contract performance: Where your personal data is necessary to enter into or perform our contract with you.
3.3.2.3 Legal obligation: Where we need to use your personal data to comply with an obligation imposed on us by law.
3.3.2.4 Legitimate interests: Where we use your personal data to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
3.3.2.5 Public law obligation: Where the processing of your information is necessary for the proper performance of a public law duty by a public body.
3.3.2.6 Legal claims: Where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.
3.3.2.7 Vital interest: Where we need to process your personal data to protect the vital interest of you or another natural person e.g. where you require urgent assistance.
3.3.3 These are the principal legal grounds that justify our use of your special categories of personal data:
3.3.3.1 Explicit consent: Where you have given your explicit consent to the processing of the personal data for one or more specified purposes. You are free to withdraw your consent by contacting us. Where you do so, we may be unable to provide a service that requires the use of such data.
3.3.3.2 Protection of vital interests of you or another person, where you are unable to consent Processing is necessary to protect the vital interests of you or of another natural person where you are physically or are legally incapable of giving consent.
4.1 Security of communications
4.1.1 It is important to note that no security system or system of transmitting information over the Internet is guaranteed to be secure. There is a risk inherent in the submission of information online, use of e-mail and facsimile. Please be aware of this when requesting information or sending forms to us online or by e-mail or facsimile, for example, from the "Contact Us" section. We recommend that you do not include any sensitive information including credit card details when submitting information online, using e-mail, facsimile or when using any public computers/public WIFI.
4.2 Security controls
4.2.1 We maintain administrative, technical and physical safeguards designed to protect the personal data we maintain against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. Despite such efforts, however, please note that no company can fully eliminate risks or guarantee the security of personal information. Unauthorised entry or use, hardware or software failure, and other factors may compromise the security of information about you at any time, and we bear no liability for uses or disclosures of personal information or other data arising in connection with theft of the information or other malicious actions.
4.2.2 We store certain customer information and reservation details in our Customer Information System and Reservation System on our subcontractor’s secure servers. Our server resides behind firewalls to protect personal data collected from you against unauthorised or accidental access. Because laws applicable to personal information vary by country, we, our Lodges and operations may put in place additional measures that vary depending on the applicable legal requirements.
4.3 Personal data transmission across international borders
4.3.1 The nature of our business and our operations requires us to transfer your personal data to other operations, data centers, or service providers that may be located in countries outside South Africa or your own for the purposes mentioned in this Privacy Policy. Although the data protection and other laws of these various countries may not be as comprehensive as those in your own country, Undiscovered Africa will take appropriate measures, including contractual clauses, to secure the transfer of your personal data to recipients (which may be internal or external Undiscovered Africa) located in a country with a level of protection different from the one existing in the country in which your personal data is collected. Currently, guest data may be transferred via third party service providers which are located in countries such as United States of America, Europe and Australia to process mailing, online bookings and reservations.
4.3.2 Your personal data may be accessed by staff or service providers, transferred, and/or stored outside South Africa to countries which may have a lower level of data protection than under South African and EU data protection laws. We must comply with specific rules when we transfer personal data from inside South Africa to outside South Africa. When we do this, we will use appropriate safeguards to protect any personal data being transferred. Where required, we will transfer your personal data subject to contractual terms that impose data protection obligations directly on the recipient. Please contact us as set out in Section 6 below if you would like to see a copy of the specific safeguards we apply to the export of your personal data.
4.3.3 Your personal data will be stored for the period of time required or permitted by law in the jurisdiction of the operation holding the information (for example certain transaction details and correspondence may be retained until the time limit for claims in respect of the transaction has expired or in order to comply with regulatory requirements regarding the retention of such data). So if information is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires.
4.3.4 Our retention periods are based on business needs and your personal data that is no longer needed is either irreversibly anonymised (and the anonymised information may be retained) or securely destroyed.
5.1 Notification
5.1.1 You have the right to be notified that your personal data is being collected, or that it has been accessed or acquired by an unauthorised person.
5.2 Opt-out of direct marketing
5.2.1 You have the right not to have your personal data processed for purposes of direct marketing by means of unsolicited electronic communications and to ask us not to process your personal data for marketing purposes at any time.
5.2.2 You can exercise your right by checking certain boxes online or on the data collection forms, talking to us in person, or by contacting us as set out in section 6 below.
5.3 Other rights
5.3.1 Subject to various exceptions you may have the following rights:
5.3.1.1 Access: You can ask us to provide you with further details on the use we make of your personal data and a copy of the personal data we hold about you.
5.3.1.2 Correction: You can ask us to correct any inaccuracies in the personal data we hold about you.
5.3.1.3 Complaint: If you are not satisfied with our use of your personal data or our response to any exercise of these rights, you have the right to complain to the Information Regulator established in terms of section 39 of the Protection of Personal Information Act, Act No. 4 of 2013 ("POPI").
5.3.1.4 Erasure: You can ask us to delete your personal data if we no longer have a lawful ground for use.
5.3.1.5 Withdrawal of consent: Where processing is based on consent (e.g. marketing, or certain uses of special categories of personal data), you can withdraw your consent to processing and we will stop that particular processing.
5.3.1.6 Object to processing: You have the right to object to other types of processing (e.g. analytics and profiling activities carried out in relation to your personal data), unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights.
5.3.1.7 Restriction: You can restrict how we use your personal data pending any investigation, for example whilst we are verifying the accuracy of your personal data or where we are verifying the grounds that we use as the basis of holding your personal data.
5.3.1.8 Portability: Where technically feasible, you have the right to ask us to transmit the personal data that you have provided to us to a third party in a structured, commonly used and machine readable form.
5.4 Updating information
5.4.1 We will use reasonable endeavours to ensure that your personal data is accurate.
5.4.2 In order to assist us with this, you should notify us of any changes to your personal data that you have provided to us by contacting us as set out in section 6 below.
5.5 Notifications in the event of breach
5.5.1 Where there are reasonable grounds to believe that your personal data has been accessed or acquired by an unauthorised person, we shall notify the Information Regulator and you, as soon as reasonably possible after our discovery of the compromise, and in accordance with POPI.
6.1 If you have any questions about this Privacy Policy or our processing of your personal data, please contact us at:
6.1.1 Data Privacy Team: Information Officer: Michael Aldren – info@undiscovered-africa.com
7.1 Our website uses cookies to distinguish you from other users of the Website. This helps us provide you with a good experience when you browse our website and also allows us to improve our Website.
7.2 For detailed information on the cookies we use and the purposes for which we use them, please see our Cookies Policy on our Website.
8.1 In the future, we may need to make additional changes. All additional changes will be included in the latest Privacy Policy published on our Website, so that you will always understand our current practices with respect to the information we gather, how we might use that information and disclosures of that information to third parties.
8.2 You can tell when this Privacy Policy was last updated by looking at the date at the bottom of the Privacy Policy.
8.3 Any changes to our Privacy Policy will become effective upon posting of the revised Privacy Policy. 8.4 We will seek your express consent to any changes to how we use or disclose your personal data if required by law but otherwise use of our Website or our services following such changes constitutes your acceptance of the Privacy Policy then in effect.
9.1 If after reviewing this privacy statement you have any privacy questions or concerns or would like to request access to, correction or object to the processing of your data for legitimate purposes, please contact our Data Privacy Team.
9.2 By Email: info@undiscovered-africa.com
Please note that your information will be shared with the relevant lodges and travel partners involved in your itinerary to ensure a seamless journey. Your privacy remains important to us, and all information is handled in accordance with our Privacy Policy.
To access the downloadable version of our Privacy Policy, please click the button below.
Date: January 2026
To access our Undiscovered Africa PAIA Manual, please click the button below.
Date: January 2026