Legal
Privacy Policy
Last updated: 1 June 2026
This page explains what personal data we collect when you visit yetutriathlon.com, register for the Yetu Triathlon — on Mount Kenya, donate to a participant or to Health Yetu Foundation, or subscribe to our newsletter — and what we do with it. It also lists every cookie this site sets or causes to be set, and how to control them.
If you have read the Terms & Conditions, this Privacy Policy is the companion document and uses the same definitions.
1. Who is responsible for your data (Controller)
The data controller under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") is:
The Health Yetu Foundation
A Dutch stichting (foundation) with ANBI status.
- KvK (Chamber of Commerce): 75590166
- RSIN: 860333139
- Registered postal address: Postbus 75879, 1070 AW Amsterdam, Netherlands
- General contact: info@healthyetu.com
- Privacy-specific contact: privacy@healthyetu.com (fallback: info@healthyetu.com)
- Phone: +31 6 48918618
The Health Yetu Foundation operates yetutriathlon.com as the dedicated website for its annual Yetu Triathlon fundraising expedition. The foundation's general website is healthyetufoundation.com; that site has its own privacy policy and you should read it separately if you donate there.
We have not appointed a Data Protection Officer ("DPO"). Under Article 37 GDPR a DPO is not mandatory for organisations of our size and processing scope.
2. What we collect
We collect different categories of data depending on how you use the site.
2.1 If you register for the Yetu Triathlon (via our Jotform registration form)
When you complete the registration form at /register, we collect:
- Full legal name (as on your passport).
- Preferred name (optional).
- Email address.
- Phone number.
- Date of birth.
- Nationality.
- Country of residence.
- Race format chosen (Sprint or Long).
- Emergency contact: name, phone, relationship to you.
- Dietary requirements (e.g. vegetarian, halal, allergies).
- T-shirt size.
- Mountain bike size preference.
- Whether you would like help with Nairobi accommodation.
- Whether you would like a quote for airport ↔ mountain transfer.
- Your acknowledgement and acceptance of the liability waiver, photo and media release, and Terms & Conditions.
- Marketing newsletter opt-in (yes/no).
- How you heard about us.
The registration form is provided by Jotform Inc. and stored on Jotform's EU servers in Frankfurt, Germany (we have explicitly configured the EU region — see Section 5).
2.2 If you pay or donate (via Stripe)
When you complete a payment — whether the €1,250 participant fee, a donation supporting a participant's fundraising, or a general donation — the payment itself is handled by Stripe Payments Europe Ltd. We do not see or store your full card number, CVV, or expiry date at any point. Stripe handles all card data and is certified to PCI-DSS Level 1 (the highest standard in the payment industry).
What we (Health Yetu Foundation) do receive from Stripe after a successful payment:
- Your name (as entered at checkout).
- Your email address.
- The last 4 digits of your card.
- Your billing country (and, for the €1,250 participant fee, city and address line — used for our participant manifest).
- The transaction amount, currency, date, and a Stripe transaction reference.
- Any custom-field answers you provide at Stripe checkout (for participant payments: your Jotform submission ID and confirmed race format).
- Optional message to a participant (for athlete-fundraising donations, if you choose to leave one).
2.3 If you visit the website (server logs)
When you load any page on yetutriathlon.com, our hosting and CDN providers (Cloudflare Pages and Cloudflare, Inc.) automatically record technical request data for security and abuse-prevention purposes:
- Your IP address (truncated where possible).
- Your browser user-agent string.
- The referring URL (where you came from).
- The page you requested and the timestamp.
- HTTP response status (e.g. 200 OK, 404 Not Found).
These logs are retained for 30 days and then automatically deleted. They are used only for security monitoring, debugging, and abuse prevention — never for marketing or profiling.
2.4 If you view the route map on the Race page (Google Maps)
The Race page (/the-race) embeds an interactive Google Maps view of the Sirimon → Chogoria route. When that map loads, Google LLC sets its own cookies and may receive your IP address, user-agent, and approximate location per Google's Privacy Policy. We do not control what Google collects via its embedded map; we link to Google's policy so you can read it directly.
To minimise this third-party exposure, we use a click-to-load placeholder for the map: the map is replaced by a static image with a "Load interactive map" button. Google sets no cookies and receives no data until you click that button (see Section 11 on cookies).
2.5 If you opt into our newsletter
If you tick the newsletter opt-in box on the registration form (or subscribe through any newsletter form we may add later), we collect:
- Your email address.
- Your name.
- Your opt-in timestamp and the source (e.g. "Yetu Triathlon 2027 registration").
The newsletter is sent via a third-party newsletter platform. We will name the provider here once confirmed and add them to the sub-processor list in Section 5.
You can unsubscribe at any time via the link in every newsletter email, or by emailing us at the address in Section 1.
2.6 If you contact us directly
If you email us, we keep the email (including your email address, name, and any content you choose to send) so we can reply and so we have a record of our correspondence. Standard retention applies (Section 6).
2.7 Special categories of data ("sensitive data")
We do not ask for special-category data (health, religion, sexual orientation, biometric data, etc.) on the registration form. We deliberately do not require a medical declaration or statement of fitness.
However, you may choose to disclose certain information voluntarily — for example, listing a serious allergy in the dietary requirements field, or sharing relevant medical history with our medic before the event. If you do, we treat that information as a special category under Article 9 GDPR and process it only on the basis of your explicit consent and our legitimate interest in your safety on the mountain. We share it only with our medical and emergency partners (see Section 5) and only to the extent strictly necessary for your safety.
3. Why we collect it (purposes)
| Purpose | Data used |
|---|---|
| Process your registration — administer your spot on the 2027 edition, issue race numbers, prepare the participant manifest. | All Jotform registration fields. |
| Process your payment or donation — accept and reconcile the €1,250 participant fee, athlete-fundraising donations, general donations, and sponsorship invoices. | Stripe-collected data (Section 2.2). |
| Safety and emergency response on the mountain — make sure we can reach your emergency contact, accommodate your dietary needs, get the right equipment to you, and triage if you need medical attention or evacuation. | Emergency contact, dietary requirements, T-shirt and bike size, any voluntarily disclosed medical information. |
| Issue tax-compliant donation receipts — Stripe issues automatic receipts and we retain transaction records as required by Dutch tax law. | Stripe-collected payment data. |
| Fundraising attribution — track which donations support which participant against their personal €1,000 soft fundraising goal. | Participant name + slug; donor name, email, amount; optional message to participant. |
| Service communication — send you registration confirmations, payment links, the participant briefing pack, training plan, kit list, WhatsApp group invite, and pre-event logistics updates. | Email, phone, name, race format. |
| Marketing (only if you opt in) — send you Health Yetu newsletters and updates about future editions. | Email, name (newsletter list). |
| Site security and abuse prevention — detect and block attacks on the website. | Server log data (Section 2.3). |
| Legal compliance — respond to legal requests and meet our obligations under Dutch and EU law. | Any data above, as required. |
We do not use your data for automated profiling or for any decision that has a legal or similarly significant effect on you. We do not sell your data. We do not share your data with advertisers.
4. Legal basis (under GDPR Article 6)
Each processing purpose listed in Section 3 is supported by one of the following legal grounds:
| Legal basis | When we rely on it |
|---|---|
| Performance of a contract (Art. 6(1)(b)) | Processing your registration, sending your payment link, taking your payment, delivering the event you've registered for, reconciling refunds. |
| Compliance with a legal obligation (Art. 6(1)(c)) | Retaining transaction records for Dutch tax compliance (currently 7 years for the underlying tax records; we hold registration data 5 years and rely on Stripe to hold transaction records for the longer statutory period). |
| Legitimate interest (Art. 6(1)(f)) | Site security and abuse prevention; safety planning for the mountain; reconciling donations to participant goals; analysing aggregate fundraising results to plan future editions. We've balanced these against your rights and consider the impact minimal. |
| Consent (Art. 6(1)(a)) | Newsletter subscription; use of photos and footage of you in our marketing materials; loading non-essential cookies (Google Maps embed); processing any special-category data you voluntarily disclose (Art. 9(2)(a)). |
| Vital interests (Art. 6(1)(d)) | Sharing your emergency contact and any relevant medical information with the medic, rescue.co, and emergency evacuation operators if an emergency on the mountain requires it. |
Where we rely on your consent, you can withdraw it at any time (see Section 8). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
5. Who we share your data with (sub-processors)
We use the following third parties to operate the service. Each is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguards under Article 28 GDPR.
| Sub-processor | Role | Data shared | Location of processing |
|---|---|---|---|
| Jotform Inc. | Hosts the registration form and stores submissions until we export them. | All Jotform registration fields (Section 2.1). | EU — Frankfurt, Germany (we have explicitly selected EU region). |
| Stripe Payments Europe, Ltd. | Payment processor for card and SEPA payments; issues receipts. | All payment data (Section 2.2). | EU (Stripe's EU operating entity is based in Dublin, Ireland; card networks may route globally as required for authorisation). |
| Cloudflare, Inc. | Hosts the website (Cloudflare Pages), content delivery network, DDoS protection, edge caching. | IP addresses, user-agent strings, request metadata, page content. | Global edge network; EU edge locations serve EU visitors. |
| Google LLC | Embedded Google Maps on the Race page (only if you click to load the map). | IP address, user-agent, interaction data with the map. Governed by Google's own policy. | Global. |
| rescue.co | Supplemental insurance and emergency evacuation provider for the event. | Only triggered in an emergency: your name, date of birth, nationality, emergency contact, and any disclosed medical information relevant to the emergency. | Kenya / US. |
| Newsletter provider (to be confirmed) | Sends our newsletter (only if you opt in). | Name, email, opt-in timestamp. | EU (preferred); confirmed provider and region will be listed here. |
We also share data with on-the-ground event partners — licensed guides (KWS / KMGA), our professional medic, and the Kenya Wildlife Service (KWS) for park permits — to the extent strictly necessary for your participation. These partners receive only what they need (typically: name, nationality, date of birth, emergency contact). They are not "sub-processors" in the GDPR sense because they act as separate controllers for their own legal purposes (permit issuance, medical care), but we want you to know we share with them.
We do not share your data with the foundation's other partners (Lions SightFirst Eye Hospital, MP Shah Hospital, Borana Conservancy, Lewa Wildlife Conservancy, Desert Rose Lodge, Reteti Elephant Sanctuary, Tropic Air) unless you opt into a specific extension or activity that requires it. If you do, we will tell you at the point of opt-in.
6. How long we keep your data (retention)
| Data category | Retention period | Why |
|---|---|---|
| Registration form submissions (Jotform + our internal Google Sheet) | 5 years from the event date. | Event records, participant disputes, audit trail, fundraising attribution history. |
| Payment transaction records (Stripe + our reconciliation sheet) | 7 years from the transaction date. | Dutch tax-law obligation (Wet op de omzetbelasting / Algemene wet inzake rijksbelastingen). |
| Newsletter subscription data | Until you unsubscribe, plus 30 days in a suppression list to honour your unsubscribe. | Marketing on the basis of consent; suppression list prevents accidental re-subscription. |
| Server logs (Cloudflare) | 30 days, then automatically deleted. | Security monitoring window. |
| Email correspondence | 3 years from last reply, unless tied to an active matter. | Reasonable record of communication; not retained indefinitely. |
| Photos and video footage from the event | Indefinitely, but only used in marketing where you consented. You may withdraw consent at any time (see Section 8) and we will remove your identifiable image from future use. We cannot retroactively remove images already published in printed materials. | Marketing consent. |
When a retention period ends, we either delete the data securely or anonymise it (strip all identifiers so it can no longer be linked to you) and keep only the anonymised version for statistical purposes.
7. International transfers
Our default position is that your data stays in the EU/EEA:
- Jotform is configured to use its EU region (Frankfurt).
- Stripe's EU operating entity is based in Dublin, Ireland.
- The newsletter provider, once confirmed, will be configured for EU hosting where the provider offers it.
Where data nonetheless leaves the EU/EEA — for example, when Google serves the Maps embed globally, when Cloudflare routes a request through a non-EU edge node for latency reasons, or when rescue.co operates from Kenya during an emergency — we rely on one of the following Article 46 GDPR safeguards:
- EU Commission Standard Contractual Clauses (SCCs), 2021 version, incorporated into each sub-processor's DPA.
- EU–US Data Privacy Framework (DPF) certification (for US sub-processors that participate).
- For Kenya: equivalent contractual safeguards in the rescue.co agreement and reliance on Article 49(1)(f) GDPR (necessity for the protection of vital interests) where an emergency is in progress.
You can request a copy of the relevant safeguards by emailing the privacy contact in Section 1.
8. Your rights under GDPR
You have the following rights in respect of your personal data. We will respond to any request within one month of receiving it (extendable by two further months for complex requests, in which case we will tell you).
| Right | What it means |
|---|---|
| Right of access (Art. 15) | Ask us for a copy of the personal data we hold about you. |
| Right to rectification (Art. 16) | Ask us to correct data that is inaccurate or incomplete. |
| Right to erasure (Art. 17, "right to be forgotten") | Ask us to delete your data. Note: we may need to keep some data for legal reasons (e.g. transaction records for tax). |
| Right to restriction of processing (Art. 18) | Ask us to pause processing while we investigate a dispute. |
| Right to data portability (Art. 20) | Ask us to send your data to you, or directly to another controller, in a machine-readable format. |
| Right to object (Art. 21) | Object to processing based on legitimate interest (Section 4); we will stop unless we can show overriding grounds. You can always object to processing for direct marketing, with no exceptions. |
| Right to withdraw consent (Art. 7(3)) | Withdraw any consent you've given (newsletter, photo use, optional disclosures). Withdrawal does not affect prior processing. |
| Right to lodge a complaint (Art. 77) | Complain to the Dutch supervisory authority, the Autoriteit Persoonsgegevens (Dutch Data Protection Authority): autoriteitpersoonsgegevens.nl. You may also complain to the supervisory authority in your country of residence. |
To exercise any of these rights, email us at the privacy contact in Section 1. We do not charge a fee for reasonable requests. For repeated or manifestly unfounded requests we may charge a reasonable administrative fee or refuse the request, as permitted by Article 12(5) GDPR.
We will ask you to verify your identity before we act, to protect you against unauthorised disclosure.
9. Children
The Yetu Triathlon — on Mount Kenya is an adult-only event. You must be 18 or older on the event start date (2 March 2027) to register. We do not knowingly collect or process the personal data of anyone under 18 in connection with this site.
If you believe a child has submitted data to us, please email the privacy contact in Section 1 and we will delete it.
10. Security
We protect your data with appropriate technical and organisational measures, including:
- HTTPS / TLS in transit across the whole site (Cloudflare-issued certificate; HSTS enforced).
- Encryption at rest for data stored in Jotform, Stripe, and the newsletter provider (these are provider-managed and certified).
- Access controls: only the Managing Director (Sam van Ooijen) and a small operational team have access to Jotform submissions and the internal Google Sheet, each with their own account and two-factor authentication.
- No card or CVV data is ever stored on our infrastructure.
- 30-day server-log retention to minimise data at rest.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours, and we will notify affected individuals without undue delay where the risk is high (Articles 33 and 34 GDPR).
11. Cookie Policy
This section explains every cookie this site sets or causes to be set.
11.1 What is a cookie
A cookie is a small text file stored on your device by a website. Cookies let a site remember things about your visit — such as keeping you logged in, remembering a form you started filling, or recording that you've already dismissed a banner. Similar technologies (local storage, session storage, pixels) are treated the same way under EU law and are covered by this policy.
11.2 Cookies we set
We deliberately keep the cookie footprint of this site very small. The current inventory:
| Cookie / token | Set by | Type | Purpose | Duration | Consent needed? |
|---|---|---|---|---|---|
| Stripe checkout context | Stripe | Strictly necessary (only set when you click a Donate or Pay button and Stripe checkout opens) | Maintains your checkout session, prevents fraud, and complies with PCI-DSS requirements. | Session. | No — essential to the checkout you initiated. |
| Cloudflare __cf_bm / cf_clearance | Cloudflare | Strictly necessary | Bot management and DDoS protection. | 30 minutes / up to 1 year. | No — essential for security. |
| Jotform iframe cookies | Jotform | Strictly necessary (only set when the form is loaded) | Maintains the form session and prevents duplicate submissions. | Session. | No — essential to the registration you initiated. |
| Google Maps cookies (e.g. NID, SOCS, __Secure-...) | Google | Third-party, non-essential — set only if you click "Load interactive map" on the Race page. | Maps functionality; Google may also use these for advertising and personalisation under its own policy. | Up to 6 months / 2 years. | Yes — we do not load the Google Maps embed until you click to load it. |
We do not currently set any analytics, advertising, retargeting, or social-media cookies. We do not use Google Analytics, Plausible, Fathom, Facebook Pixel, LinkedIn Insight Tag, or any similar tracker.
11.3 Click-to-load Google Maps (our chosen design)
Because the Google Maps embed is the only third-party non-essential element on the site, we use a click-to-load placeholder instead of loading the map automatically:
- The Race page initially shows a static image of the route with a "Load interactive map" button overlaid.
- Google sets no cookies and receives no data while the placeholder is showing.
- When you click "Load interactive map", we treat that click as your specific consent to load the Google Maps iframe and accept Google's cookies for that session.
- A short consent line appears beside the button: "Loading the interactive map will set Google cookies and share your IP address with Google. Read Google's policy."
- Your click is remembered for the rest of your session (so you don't have to click again if you revisit the map on the same visit).
This pattern is the same one used by the foundation's main site healthyetufoundation.com and avoids the need for a full cookie consent banner under EU law for our current cookie set.
11.4 No cookie banner, no third-party analytics
Our v1 position: no full cookie banner, no analytics, click-to-load Maps.
Because we set no analytics, advertising, retargeting, or social-media cookies, and because the only non-essential third-party element (Google Maps) is gated behind an explicit click, we do not display a cookie consent banner on this site. This matches the existing pattern on healthyetufoundation.com and is the simplest legal footing for our current cookie set.
The site is built Plausible-ready: if we add cookie-less, EU-hosted analytics in a future release, we will update this section, add the provider to the sub-processor list in Section 5, and (where required) introduce a banner per the design spec below.
11.5 Future state: cookie banner design spec
If we add analytics, a banner will appear here. Drafted now so it's ready when needed; not built for v1.
- Trigger: first page load per visitor; suppressed thereafter for 12 months by the cookie-preference token.
- Position: fixed bottom of viewport, full-width, one line of copy + two buttons. Above the footer, below all page content.
- Background: aubergine #580e41.
- Text: cream #efe5d7, ZT Nature 400, 15 px.
- Buttons: Accept (filled, cream background, aubergine text) and Decline (outlined, cream border, cream text). Equal weight — no dark patterns.
- Copy: "This site uses essential cookies. We'd also like to set analytics cookies to understand how visitors use the site. You can accept or decline below. Read more in our cookie policy."
- Behaviour on Decline: no analytics scripts load; the Google Maps embed still uses click-to-load (Section 11.3).
- Behaviour on Accept: analytics scripts load; Google Maps embed loads on click as before (clicking the button is still a separate, specific consent for Maps).
- Accessibility: focus trap inside the banner until a choice is made; keyboard-operable; aria-live polite; 4.5:1 minimum contrast (cream-on-aubergine ratio is 12.6:1 — passes AAA).
11.6 Managing cookies in your browser
You can block or delete cookies at any time using your browser's settings:
Blocking essential cookies may break parts of the site — for example, you may not be able to complete a payment if you block Stripe's session cookies.
12. Changes to this policy
We may update this policy from time to time — for example, when we add a new sub-processor, change retention periods, or update our analytics setup. The "Last updated" date at the top of the page always reflects the current version.
If we make a material change that affects your rights or our use of your data, we will:
- Update the "Last updated" date.
- Post a notice on yetutriathlon.com for at least 14 days.
- Email registered participants and newsletter subscribers (where we hold their email).
Previous versions of this policy are available on request.
13. Contact
For anything privacy-related — to exercise your rights, ask a question, or raise a concern — contact:
The Health Yetu Foundation
Postbus 75879, 1070 AW Amsterdam, Netherlands
privacy@healthyetu.com (fallback: info@healthyetu.com)
info@healthyetu.com
+31 6 48918618
If you are not satisfied with our response, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl, or with the data protection authority in your country of residence.