Privacy Policy
How Karibu handles your data and your guests' data.
Where the real policy will go
Replace this placeholder with the generated Privacy Policy. Keep the
<main> wrapper, header, footer, and styles intact.
For Termly: paste their embed script inside <main> and
delete the placeholder block.
What we actually do today (summary)
Two categories of data:
- Hotel staff data: usernames, names, emails, password hashes (bcrypt). Used to sign in to the platform.
- Hotel guest data: names, phone numbers, IDs, payment records. The hotel controls this data. Karibu stores it on the hotel's behalf.
Where it lives
All data is stored in Supabase (Postgres on AWS, EU region). Each hotel sees only its own data, enforced at the database level via row-level security policies that check a JWT claim on every query.
Who sees it
- The hotel's own staff (per their role: admin, manager, receptionist).
- Karibu's platform administrators, for support, debugging, and operational reasons. Access is logged.
- Sub-processors: Supabase (storage), Firebase (hosting, CDN), Formspree (contact form submissions only).
Your rights
Hotel customers and their guests have GDPR-equivalent rights: access, correction, deletion, export. Email obliqque1@gmail.com with your hotel name and what you'd like.
Cookies & tracking
Karibu uses localStorage for keeping you logged in, your language preference, and offline-mode caching. We do not use third-party advertising cookies. Errors may be sent to Sentry (anonymised, no PII) when that integration is enabled.
Security
- HTTPS everywhere; strict Content-Security-Policy.
- Passwords hashed with bcrypt (work factor 10) by Supabase Auth.
- Destructive admin actions require password re-confirmation as a defence against stolen sessions.
- Service-role keys never reach the browser.
Contact
Privacy or data-handling questions: obliqque1@gmail.com