Privacy policy.

This policy applies to two surfaces operated by HMK Living (HMK Estates Ltd, Kigo, Wakiso, Uganda):

• The HMK Living website at hmkestates.net — public marketing pages and the reservations / contact forms.
• The internal HMK Estates owner iOS app, distributed privately via Apple TestFlight to the property owner. The app is a viewer for property-management data (bookings, tenants, invoices, reports) and is not available on the public App Store.

2.1 From you, directly

• Reservation enquiries on the website: name, email, phone, dates, and the message you send us. Used solely to respond to your enquiry and confirm the stay.
• Owner-app account: email, password (stored as a one-way bcrypt hash — we cannot read it), display name, optional avatar.

2.2 Automatically, while you use the app

• Authentication tokens, stored only on the device's secure enclave via Apple Keychain. They never leave the device except to be sent back to our API on each request.
• Device biometric capability — we ask iOS whether Face ID / Touch ID is available so we can offer biometric unlock. The biometric check itself happens entirely on-device; we never see your face or fingerprint.
• Server-side request logs (IP, timestamp, endpoint, response code), kept for 30 days for security and debugging. No request bodies are logged.

2.3 What we do NOT collect

• Location data
• Photos, camera, or microphone access
• Contacts, calendar, health, or HomeKit data
• Third-party advertising or marketing-analytics SDKs (no Google Analytics, no Facebook SDK, no Adjust / AppsFlyer / Amplitude)

• To run the property-management features the owner-app is built for: showing bookings, tenants, invoices, payments, and reports.
• To respond to reservation enquiries from the public website.
• To keep the service secure (rate-limiting, abuse detection, audit trails).

We do not sell, rent, or share your personal information with advertisers or data brokers.

All data is stored on servers we operate, located in the European Union. Backups are encrypted at rest. The owner-app communicates with our servers exclusively over HTTPS (TLS 1.2+) — we never permit cleartext traffic.

We use a small set of service providers strictly to run the service:

• Apple — for TestFlight distribution and Push Notifications (if you opt in).
• Microsoft / Meta WhatsApp Business API — when the property team sends you a booking confirmation or invoice over WhatsApp.
• Our hosting provider — for the API and database infrastructure.

Each is bound by their own data-processing agreement and uses your data only to perform the task we ask of them.

• Reservation enquiries: 24 months after the stay, then anonymised.
• Owner-app accounts: for as long as the account is active. Soft-deleted (recoverable for 30 days) when you tap "Delete account", then permanently purged.
• Server logs: 30 days.

You can, at any time:

• Access the data we hold about you — email us at reservations@hmkestates.net.
• Correct it — edit your profile inside the app, or write to us for website-form data.
• Delete your account — Settings → Account → Delete account inside the iOS app. The action is self-service, requires your password, and takes effect immediately.
• Withdraw consent for any optional processing (e.g. biometric unlock) by changing the corresponding setting in the app.

The owner-app and the website are intended for adults. We don't knowingly collect personal information from anyone under 18.

If we make material changes, we'll update the "Last updated" date at the top of this page and, for owner-app users, surface a notice in-app on next launch.

HMK Estates Ltd, Kigo, off the Entebbe Express Highway, Wakiso, Uganda.
reservations@hmkestates.net
+256 (0) 748 390 401