Privacy Policy

In Compliance with the Data Protection Act, No. 24 of 2019 (Kenya)

Last Updated: 24 May 2026 · Effective Date: 24 May 2026 · Version 2.2

Ball Hub, trading as TurfBook · Neema Court, Kibiku Road, Mihang'o, Embakasi East, Nairobi, Kenya

1. INTRODUCTION

1.1 About This Privacy Policy

This Privacy Policy (the “Policy”) explains how Ball Hub, a sole proprietorship registered in the Republic of Kenya under the Registration of Business Names Act and trading as TurfBook (“TurfBook,” “we,” “us,” or “our”), collects, uses, processes, stores, shares, transfers, and protects Personal Data in connection with the TurfBook platform (the “Platform”). The Platform comprises the TurfBook mobile applications for Android and iOS (bundle identifier africa.turfbook.app), the marketing and self-service web presence at turfbook.africa, the public payment and game pages at turfbook.africa/pay/[code] and turfbook.africa/games/[code], and the internal administrative dashboard used by authorised TurfBook personnel.

1.2 Legal Framework

This Policy is drafted in compliance with:

  • the Data Protection Act, No. 24 of 2019 of the Laws of Kenya (the “DPA”);
  • the Data Protection (General) Regulations, 2021 and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021;
  • Article 31 of the Constitution of Kenya, 2010, which guarantees the right to privacy; and
  • any subsequent regulations, guidance notes, codes of practice, or directives issued by the Office of the Data Protection Commissioner (the “ODPC”).

TurfBook is committed to upholding the data protection principles set out in the DPA, including lawful, fair, and transparent processing; purpose limitation; data minimisation; data quality; storage limitation; integrity and confidentiality; and accountability.

1.3 Data Controller

Ball Hub, trading as TurfBook, is the “data controller” (as defined in the DPA) responsible for the processing of Personal Data collected through the Platform. For the purposes of this Policy:

  • Registered Office: Neema Court, Kibiku Road, Mihang'o, Embakasi East, Nairobi, Kenya
  • Data Protection Contact: privacy@turfbook.africa
  • ODPC Status: Registered as a data controller with the Office of the Data Protection Commissioner

Where this Policy refers to inquiries, requests, or complaints concerning Personal Data, the relevant contact is Ball Hub, trading as TurfBook, at the addresses above.

1.4 Scope of Application

This Policy applies to all categories of Data Subject whose Personal Data we process, including:

  • Players who register on the Platform to book Turfs, organise Split Payments, create and join Games, and maintain a Wallet;
  • Turf Owners who register and operate Turf listings on the Platform;
  • Staff to whom a Turf Owner has granted limited Platform access;
  • Web Payers who pay a Split Payment Slot via the public payment page without holding a TurfBook account;
  • Guest Game Joiners who join a Game via the public game page without holding a TurfBook account;
  • Administrators, being authorised personnel of TurfBook;
  • Website Visitors who browse the TurfBook marketing website without registering.

1.5 Consent and Lawful Bases

By registering for an account, paying a Slot of a Split Payment, joining a Game, or otherwise accessing or using the Platform, you acknowledge that you have read, understood, and consent to the collection, processing, use, and sharing of your Personal Data as described in this Policy. Where TurfBook relies on consent as the legal basis for a specific processing activity, you may withdraw your consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal. Withdrawal of consent for processing that is essential to the operation of the Platform (such as the processing required to deliver a Booking) may result in the suspension or termination of your account.

1.6 Capitalised Terms

Capitalised terms not defined in this Policy have the meanings given to them in the TurfBook Terms of Service, published at turfbook.africa/terms, which is incorporated by reference for the purposes of definitions.

2. PERSONAL DATA WE COLLECT

2.1 Data Collected from Players

When you register and use the Platform as a Player, we collect the following categories of Personal Data:

2.1.1 Registration and Account Data

  • full name (required);
  • Kenyan mobile phone number, verified via OTP (required);
  • email address (optional);
  • profile photograph (optional);
  • language preference;
  • account status, suspension reason, and suspension period (where applicable);
  • account creation date, last login date, and account-level metadata.

2.1.2 Location Data

Where you enable location services on your device, we collect your device's geographic location (latitude and longitude) to display Turfs sorted by proximity, to provide location-based search results, and to attribute search logs to geographic areas for demand analytics. Location is collected when you actively use the Platform and have granted the relevant operating-system permission. Your most recent location is stored on your User record and is used as the default reference for proximity searches. You may disable location services at any time through your device settings; doing so will degrade location-dependent features (such as proximity sort) but will not prevent the use of the Platform.

2.1.3 Booking, Wallet, and Transaction Data

  • booking references (prefixed “TB-”), Turf and pitch identifiers, dates, times, pitch sizes, durations, and amounts;
  • payment status (pending, paid, refunded);
  • M-Pesa transaction references and receipt numbers (we do not collect or store M-Pesa PINs);
  • Wallet balance, held amounts, and every credit and debit recorded in the Wallet ledger;
  • Wallet top-up history, including the prompt amount (including the 0.6% Payment Processing Fee) and the credited amount;
  • Split Payment records: total amount, contributions per Contributor, deadline, status, link code, refund history;
  • Game participation records: Games created, Games joined, role (organiser or joiner), amounts paid, chat participation;
  • cancellation, reschedule, and refund history;
  • Reschedule Credit records (where applicable from legacy Bookings).

2.1.4 Reviews, Ratings, and User-Generated Content

  • star ratings, written reviews, and uploaded review photographs;
  • Game descriptions and Game chat messages;
  • profile photographs;
  • turf-related communications, dispute submissions, and dispute evidence (including photographs).

User-generated reviews and Game chat messages are visible to other users as described in the Terms of Service. Reviews are public; Game chat is visible only to paid players in the relevant Game (and to the Organiser).

2.1.5 Usage, Device, and Technical Data

  • device type, operating system, and app version;
  • device push notification token (Expo / Firebase Cloud Messaging / Apple Push Notification service identifier);
  • push and SMS notification preferences;
  • IP address;
  • search queries (text, date, time window, pitch size, location), result counts, and whether the search led to a Booking;
  • in-app interaction patterns and feature engagement (e.g., Turfs viewed, Games viewed, link opens);
  • product event records used for funnels and analytics (e.g., search_performed, availability_viewed, stk_initiated, payment_confirmed, signup_completed).

2.1.6 Session and Security Data

Each login to your Player account generates the following records:

  • a refresh-token session record containing a hashed token identifier, the IP address and user agent of the device that initiated the session, the timestamps at which the session was issued, last used, and (where applicable) revoked, and the time at which it expires;
  • one or more security audit log entries recording the login event and any subsequent money-moving action taken in respect of your account, each entry including the action type, IP address, user agent, and timestamp.

These records are used to manage session lifecycle, detect and revoke re-used or compromised refresh tokens, investigate fraud, and meet TurfBook's security and financial-reporting obligations. Retention periods for these records are set out in Section 6.

2.2 Data Collected from Turf Owners

When you register and operate a Turf on the Platform, we collect, in addition to all of the above:

2.2.1 Registration and Business Data

  • owner or manager name (required);
  • business name (required);
  • Kenyan mobile phone number, verified via OTP (required);
  • email address (optional);
  • M-Pesa payout details: Till number, Paybill number with account, or Send Money phone number (required, and encrypted at rest);
  • physical address of the Turf and geographic coordinates (latitude and longitude);
  • operational contact phone number for the Turf.

2.2.2 Turf Profile Data

  • Turf name, description, landmarks, and city;
  • opening and closing hours;
  • pitch configurations (size, type, pricing tiers including standard, peak, weekend, holiday);
  • amenities (floodlights, changing rooms, showers, parking, ball rental, bib rental, refreshments, water, first aid, WiFi, security, spectator area, etc.);
  • house rules;
  • uploaded Turf photographs;
  • convertible-pitch configuration data, where applicable.

2.2.3 Operational and Financial Data

  • booking calendar data, including bookings, blocked slots, walk-in records (where the Turf Owner has recorded a customer name), and recurring blocks;
  • earnings, transactions, payouts, payout failures, payout retries, and payout clawbacks;
  • verification records: visit dates, identity verification outcomes, photographs taken or supplied during verification, verifier notes, and approval or rejection decisions;
  • analytics derived from your Turf's booking activity (peak hours, busiest days, revenue trends, pitch popularity);
  • review responses;
  • Staff configuration: Staff records, encrypted PIN hashes, permissions, audit logs of Staff actions;
  • notification routing configuration (whether to notify Staff on bookings, cancellations, payments).

2.2.4 Walk-In and Off-Platform Booking Data

Where you block Slots on the calendar for walk-in customers or other off-Platform Bookings (and optionally enter a customer name), we record this data and use it for Platform analytics, demand pattern analysis, off-app booking detection, and to inform TurfBook's marketing strategy and recommendations to you. You are required to disclose this practice to your Staff if you authorise them to record walk-in data.

2.3 Data Collected from Staff

Staff records are created by Turf Owners, who select what optional information to provide:

  • Staff display name (required);
  • Staff phone number (optional, provided by Turf Owner);
  • Staff email address (optional, provided by Turf Owner);
  • encrypted PIN hash (required);
  • granular permission configuration (twenty-two boolean flags) and permission preset where used;
  • device push notification token (registered on Staff login);
  • last login date, login attempts (success/failure, IP address, user agent);
  • audit log entries recording Staff actions on the Platform (block slot, unblock slot, view bookings, etc.);
  • session state (token version, used to invalidate sessions on permission or PIN change).

Staff authenticate using the Turf Owner's phone number; Staff are identified on the Platform by the Turf-Owner-assigned name and by their internal Staff record. Audit log entries are attributable to the Turf Owner as a matter of contract under the Terms of Service.

2.4 Data Collected from Web Payers and Guest Game Joiners

Where a person pays a Slot of a Split Payment via the public web page at turfbook.africa/pay/[code], or joins a Game as a guest without holding a TurfBook account, we collect:

  • name (as entered on the payment form);
  • Kenyan mobile phone number (used to initiate the M-Pesa STK Push prompt);
  • the Slot or Game identifier and amount paid;
  • payment status and M-Pesa transaction reference;
  • IP address, browser type, and device information collected by the public web page;
  • a record of the agreement to the Terms of Service and this Privacy Policy ticked at the point of payment.

Web Payers and Guest Game Joiners are not registered users and do not hold a Wallet. Refunds due to Web Payers and Guest Game Joiners are processed by way of M-Pesa Business-to-Customer disbursement to the phone number from which payment was originally made.

2.5 Data Collected from Administrators

For Administrators of TurfBook we collect:

  • name and email address;
  • password hash and TOTP two-factor authentication secret;
  • role (SUPER_ADMIN, ADMIN, or SUPPORT) and alert preferences;
  • session records (issued JWT hashes, IP, user agent, last seen, expiry, revocation);
  • immutable audit log records of every mutating action: action type, target type, target identifier, before and after state, typed reason (required for destructive or financial actions), IP, user agent, and timestamp;
  • internal notes attached by Administrators to other entities for support and trust-and-safety purposes.

2.6 Data Collected from Website Visitors

When you visit the TurfBook marketing website without registering, we may collect:

  • IP address;
  • browser type and version;
  • pages visited and time spent;
  • referral source;
  • device and screen information;
  • website event logs maintained by our hosting provider.

The marketing website does not currently set behavioural advertising cookies. The website may set strictly necessary cookies (for example, for security or for the proper functioning of the share-link bounce on deep-link routes).

2.7 Data We Do Not Collect

We do not collect or store:

  • M-Pesa PINs — the PIN is entered directly on the user's mobile phone in response to the STK Push prompt and is processed exclusively by Safaricom;
  • card numbers, CVV, or bank credentials — we do not accept card or bank payments;
  • biometric data;
  • national identity card numbers, passport numbers, or KRA PIN numbers, as a matter of routine (except as part of a discretionary verification process where a Turf Owner's identity is in genuine question, and only with the Turf Owner's knowledge).

3. HOW WE USE YOUR PERSONAL DATA

3.1 Purposes of Processing

3.1.1 Service Provision

  • creating, maintaining, and securing your account;
  • authenticating you via OTP, PIN, or password as applicable to your user type;
  • enabling you to discover, search for, and book Turfs;
  • processing M-Pesa payments through Kopo Kopo, disbursing earnings to Turf Owners, processing refunds, and operating the Wallet ledger;
  • operating Split Payment, including the reservation deadline, organiser forfeiture, and refund logic;
  • operating Need Players, including discovery, payments (for CREATED and FROM_SPLIT Games), and the decision state machine;
  • sending Booking confirmations, payment receipts, pre-game reminders, cancellation notices, refund notifications, and other transactional communications;
  • displaying ratings, reviews, and Game listings;
  • providing customer support and resolving disputes between users;
  • verifying Turfs and Turf Owners during onboarding.

3.1.2 Platform Improvement and Analytics

  • analysing usage patterns, search behaviour, and conversion funnels through our internal product event stream;
  • identifying unmet demand by geography, time, and pitch size (using search logs that returned zero results, among other signals);
  • analysing walk-in and blocked-slot data to detect off-app booking patterns and inform TurfBook's marketing strategy;
  • improving search algorithms, ranking, and user experience;
  • monitoring Platform performance, reliability, and security through cron logs, error logs, and webhook event logs;
  • conducting A/B tests and experiments and recording decisions in our internal decision log.

3.1.3 Business Operations and Trust & Safety

  • calculating and disbursing earnings, commission, and clawbacks;
  • financial reporting, reconciliation against M-Pesa records, and management accounting;
  • fraud prevention, anti-money-laundering, and Trust & Safety, including the maintenance of an internal Watchlist;
  • monitoring login attempts and patterns for security purposes;
  • complying with legal and regulatory obligations, including responses to lawful requests from regulators and law enforcement;
  • resolving disputes between users and managing administrative actions;
  • conducting investigations into reported abuse, fraud, or breach of the Terms of Service.

3.1.4 Communications

We use your contact information to send:

  • Critical notifications (always sent, regardless of preferences) — OTPs, Booking confirmations, payment receipts, refund notifications, cancellation notices, account security alerts, pre-game reminders;
  • Operational notifications (sent in accordance with your preferences) — new bookings (for Turf Owners), Game updates, Split Payment deadline warnings, dispute updates;
  • Service announcements — material changes to the Terms or Privacy Policy, scheduled maintenance, security advisories;
  • Marketing communications — only with your explicit opt-in consent, and you may opt out at any time.

3.2 Legal Bases for Processing

In accordance with the DPA, we process your Personal Data on one or more of the following legal bases:

  • Consent (Section 32, DPA): account registration; location data collection; optional profile fields (email, photograph); marketing communications; cross-border data transfers; participation in optional features.
  • Performance of a contract (with you): processing Bookings, payments, Wallet transactions, payouts, refunds, Game participation, Split Payments, communications essential to the service.
  • Compliance with a legal obligation: tax record-keeping, regulatory reporting, response to lawful requests, breach notification under the DPA.
  • Legitimate interests (where the interests of TurfBook in operating, securing, and improving the Platform are not overridden by your interests, rights, or freedoms): Platform improvement and analytics; fraud and abuse prevention; search optimisation; off-app booking detection; Trust & Safety; defending legal claims; internal audit; system health and error monitoring.
  • Vital interests: in exceptional cases involving safety (for example, responding to a credible report of injury at a Turf).

4. HOW WE SHARE YOUR PERSONAL DATA

4.1 Sharing Between Users on the Platform

4.1.1 Player Data Shared with Turf Owners

Upon confirmation of a Booking, the following data is made visible to the relevant Turf Owner:

  • the Player's name;
  • the Player's registered phone number;
  • Booking details (date, time, pitch, amount paid, payment status);
  • any special requests entered by the Player on the Booking screen.

This sharing is necessary for the performance of the booking contract and to enable the Turf Owner to receive and host the Player at the Turf.

4.1.2 Player Data Shared with Staff

Where the Turf Owner has granted a Staff member the relevant permission (for example, viewCustomerPhone or contactPlayer), the Staff member may view the Player's name, phone number, and Booking details solely for the purpose of managing the on-site operation of the Booking.

4.1.3 Turf Owner Data Shared with Players

Players can view the public profile of each Turf, including the business name, Turf address and geographic location, Turf contact phone number (where provided), photographs, pricing, operating hours, amenities, house rules, and review responses.

4.1.4 Player Data Shared with Other Players

Where you participate in a Game, the following data may be visible to other Players in the same Game:

  • your first name (and, for Reserved Games, only first name and last initial);
  • the fact of your participation and your Game role (Organiser, joiner, guest);
  • chat messages you post in the Game chat (visible only to paid players in that Game);
  • system-generated Game lifecycle events (joins, leaves, decisions).

4.1.5 Public Listings

Reviews you submit (with your first name displayed alongside) are visible to all Platform users. Public Games appear on the discovery feed and are visible to all Players.

4.2 Third-Party Service Providers (Data Processors)

We share Personal Data with the following categories of third-party service providers, each of which acts as a data processor in respect of the data shared with them and is contractually bound to process that data only on our documented instructions and to implement appropriate security measures.

For each provider: the purpose of the processing, the data shared, and the likely jurisdiction.

  • Kopo Kopo Inc.
    Purpose: M-Pesa STK Push payments and B2C disbursements
    Data shared: M-Pesa phone number, payment amount, transaction references, payout destination (Till/Paybill/phone)
    Likely jurisdiction: Kenya
  • Safaricom PLC (M-Pesa)
    Purpose: Underlying payment rails (PIN entry, settlement)
    Data shared: M-Pesa phone number, transaction details
    Likely jurisdiction: Kenya
  • Africa's Talking
    Purpose: SMS for OTPs, booking confirmations, payment receipts, cancellation and refund notifications, pre-game reminders, payout dispatch confirmations to Turf Owners, and security alerts including payout-method-change requests, payout-method-change cancellations, and login-lockout notifications
    Data shared: Phone number, message content
    Likely jurisdiction: Kenya (HQ)
  • Supabase, Inc.
    Purpose: PostgreSQL database hosting and object storage (Turf and profile photographs)
    Data shared: Substantially all Platform data, encrypted in transit and (for sensitive fields) at rest
    Likely jurisdiction: Outside Kenya
  • Railway Corp.
    Purpose: Backend application hosting
    Data shared: All data in transit through the application
    Likely jurisdiction: Outside Kenya
  • Vercel Inc.
    Purpose: Marketing website and public payment / game page hosting and content delivery
    Data shared: Web request logs, public-page form submissions, IP addresses
    Likely jurisdiction: Global edge
  • Expo (Exponent, Inc.)
    Purpose: Push notification delivery
    Data shared: Device push token, notification content
    Likely jurisdiction: Outside Kenya
  • Google LLC (Firebase Cloud Messaging)
    Purpose: Android push notification transport
    Data shared: FCM device token, notification payload
    Likely jurisdiction: United States
  • Apple Inc. (Apple Push Notification service)
    Purpose: iOS push notification transport
    Data shared: APNs device token, notification payload
    Likely jurisdiction: United States
  • Google LLC (Maps Platform)
    Purpose: Geocoding of Turf addresses and rendering of maps
    Data shared: Address strings, latitude / longitude
    Likely jurisdiction: United States

Where any of the processors listed above is located outside the Republic of Kenya, the cross-border transfer safeguards described in Section 10 apply.

4.3 Legal and Regulatory Disclosures

We may disclose Personal Data where:

  • required by law, regulation, or legal process (including a valid court order or subpoena);
  • requested by the ODPC in connection with a regulatory inquiry;
  • requested by a law enforcement authority for the prevention, detection, investigation, or prosecution of a criminal offence;
  • necessary to protect the rights, property, or safety of TurfBook, its users, or the public, including to prevent fraud, abuse, or harm.

4.4 Business Transfers

In the event of a merger, acquisition, reorganisation, financing, sale of business assets, or change of control of Ball Hub (whether in whole or in part), Personal Data may be transferred to the successor or acquiring entity as part of that transaction. We will notify affected Data Subjects of any such transfer and of any change to this Policy that may result.

4.5 No Sale of Personal Data

TurfBook does not sell, rent, license, or trade your Personal Data to any third party for the third party's own marketing or commercial purposes.

5. USER-SPECIFIC PROCESSING ACTIVITIES

5.1 Players

  • Favorites — saved Turfs are stored against your account and are visible only to you.
  • Booking, Wallet, and Game history — retained for the purposes of service provision, rebooking, dispute resolution, and tax compliance.
  • Search history — logged in identifiable form for analytics and for unmet-demand reporting. Search history is not shared with Turf Owners or other Players in identifiable form.
  • Reviews — star ratings, written reviews, and review photographs are publicly displayed alongside your first name.
  • Game chat messages — visible to paid players in the relevant Game; subject to moderation in accordance with the Terms of Service.
  • Wallet ledger — every Wallet credit and debit is recorded in an internal ledger; the Wallet history is visible to you within the Platform.
  • Push token — stored against your account to enable push notifications; removed when you uninstall the app or revoke push permission, and cleared from your account on the next token refresh.

5.2 Turf Owners

  • Verification data — photographs taken or supplied during the Turf verification visit, verifier notes, verification status, and any reasons for rejection. Verification photographs are retained for the operational life of the Turf on the Platform.
  • Financial data — M-Pesa payout details (encrypted at rest); earnings records (gross, commission, net amounts); payout history; payout failures and retries; clawback history. Used for disbursement, commission calculation, financial reporting, and dispute resolution.
  • Analytics — we generate Turf-specific analytics derived from your booking activity (peak hours, busiest days, revenue trends, pitch popularity, repeat customers).
  • Off-app booking analytics — data from blocked slots and walk-in records is analysed to understand demand patterns; this analysis may inform TurfBook's marketing strategy and recommendations.
  • Staff configuration — Staff records (names, optional phone and email, encrypted PIN hashes, permissions); audit logs of Staff actions are retained for compliance and dispute resolution.

5.3 Staff

  • Authentication — we process the Turf Owner's phone number and the Staff PIN for authentication; the PIN is bcrypt-hashed and the plaintext PIN is never stored.
  • Activity logs — Staff actions on the Platform are recorded in the AuditLog with the snapshotted actor name, action type, target, timestamp, and contextual details.
  • Login attempts — each login attempt is recorded with success or failure, IP address, and user agent, supporting the five-attempt-per-fifteen-minute lockout.
  • Sessions — session tokens carry a token version that is incremented on permission change, PIN reset, or deactivation, instantly invalidating outstanding sessions.

Staff acknowledge that the Turf Owner who created the Staff record may view the Staff's activity on the Platform. Turf Owners are encouraged to inform their Staff of this Policy.

5.4 Web Payers and Guest Game Joiners

  • data is collected at the point of payment from the public web page;
  • the agreement to the Terms of Service and to this Privacy Policy is recorded as the lawful basis (consent and performance of contract);
  • refunds are processed by way of M-Pesa Business-to-Customer disbursement to the originating phone;
  • data is retained in association with the Booking record for the purposes of dispute resolution and reconciliation.

5.5 Administrators

Administrator access to Personal Data is constrained by role and is logged in an immutable AdminAuditLog. Administrators may not impersonate users except under controlled, time-boxed, and audited support processes. Administrators are bound by internal policies on data protection, confidentiality, and ethical conduct.

6. DATA RETENTION

6.1 Retention Schedule

We retain Personal Data only for as long as necessary for the purposes for which it was collected, for any subsequent compatible purposes, or as required by law. The following retention periods apply:

For each data category: the retention period and the rationale.

  • Active account data
    Retention period: Duration of account + 30 days after deletion
    Rationale: Service provision and post-deletion dispute resolution
  • Booking records
    Retention period: 3 years from Booking date
    Rationale: Dispute resolution, financial reporting, tax compliance
  • Transaction and payment records
    Retention period: 7 years from transaction date
    Rationale: Tax and financial audit requirements under Kenyan law
  • Wallet ledger records
    Retention period: 7 years from entry date
    Rationale: Financial record-keeping, reconciliation, audit trail
  • Reviews and ratings
    Retention period: Duration of account (removed on deletion)
    Rationale: Platform integrity and user information
  • Location data (real-time use)
    Retention period: Latest location stored on User; not historicised
    Rationale: Privacy by design
  • Search query logs
    Retention period: 12 months
    Rationale: Analytics, platform improvement, unmet-demand reporting
  • Verification records (Turf Owners)
    Retention period: Operational life of the Turf on the Platform + 2 years after delisting
    Rationale: Regulatory compliance, dispute defence, integrity
  • Per-turf operational audit log (Staff and Owner actions on a Turf)
    Retention period: 3 years from action date
    Rationale: Security audit, dispute resolution
  • Administrator audit log
    Retention period: 7 years from action date
    Rationale: Governance, regulatory inspection
  • Platform-wide security audit log (login events and money-moving actions across the Platform)
    Retention period: 7 years from event date
    Rationale: Fraud prevention, security investigation, and financial dispute resolution; matches transaction-record retention
  • Login attempts (Staff PIN logins)
    Retention period: 12 months
    Rationale: Security audit
  • Refresh-token sessions (per-device login sessions)
    Retention period: Until session expiry (30 days from issuance) plus 7 days, after which deleted by the daily cleanup cron
    Rationale: Session revocation, refresh-token reuse detection, security investigation
  • Webhook event logs
    Retention period: 12 months
    Rationale: Payment reconciliation and recovery
  • Inactive account data
    Retention period: 12 months of inactivity, then deleted (with notice)
    Rationale: Data minimisation
  • Anonymised aggregate data
    Retention period: Indefinite
    Rationale: Statistical and analytical purposes; not personally identifiable

6.2 Player Account Deletion

Players may request deletion of their account through the Platform settings by typing “DELETE” as confirmation. Account deletion is not available where the Player's Wallet holds a positive balance; the Player must first spend, gift through a Booking, or otherwise exhaust the Wallet balance. Upon successful deletion, the account is immediately deactivated and the user is logged out. Personal Data is retained for thirty (30) days to allow for the resolution of pending disputes, after which it is permanently and irreversibly deleted, except for data that must be retained for a longer period under applicable law (such as transaction records for tax purposes), which is retained for the relevant statutory period.

For users who cannot access the in-app flow (for example, after losing access to the registered device or phone number), a public account-deletion request page is available at turfbook.africa/account-deletion, which documents both the in-app flow and an email-based fallback. Email-based requests are processed by TurfBook personnel after identity verification.

6.3 Turf Owner Account Deletion

Turf Owners may request account deletion subject to the prior fulfilment or cancellation of all confirmed Bookings and the completion of all outstanding payouts and clawbacks. Verification records and verification photographs are retained for the operational life of the Turf on the Platform and for two (2) years after delisting.

6.4 Data Minimisation

In accordance with the data minimisation principle under the DPA, TurfBook collects only the Personal Data necessary for the specified purposes. Optional data fields (such as email address, profile photograph, and location) are identified as optional in the user interface and are not required for the basic use of the Platform.

7. YOUR RIGHTS AS A DATA SUBJECT

Under the DPA, you have the following rights in respect of your Personal Data:

7.1 Right of Access

You have the right to request confirmation of whether we process your Personal Data and, where we do, to obtain access to that data together with information about its origin, purpose, recipients, and retention. We will respond to access requests within thirty (30) days, subject to reasonable identity verification.

7.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete Personal Data. You can update most fields directly through the Platform profile settings. For data that cannot be edited directly (such as your phone number, which requires OTP re-verification), please contact us at privacy@turfbook.africa.

7.3 Right to Erasure

You have the right to request the deletion of your Personal Data, subject to the retention requirements set out in Section 6. You may exercise this right through the account deletion flow in the Platform settings or by contacting us directly. Where deletion is restricted by law (for example, financial records subject to tax retention) or by an ongoing dispute or investigation, we will explain the basis for retention.

7.4 Right to Object

You have the right to object to processing of your Personal Data carried out on the basis of legitimate interests or for direct marketing. Where you object to direct marketing, processing for that purpose will cease immediately. Where you object to processing on the basis of legitimate interests, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.

7.5 Right to Data Portability

You have the right to receive a copy of your Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another data controller. TurfBook provides export functionality for Booking and transaction history through the Platform; for a comprehensive data export, please contact privacy@turfbook.africa.

7.6 Right to Restrict Processing

You have the right to request restriction of processing of your Personal Data where:

  • you contest the accuracy of the data (for a period enabling us to verify);
  • the processing is unlawful and you prefer restriction over erasure;
  • we no longer need the data for the original purpose but you require it for the establishment, exercise, or defence of legal claims;
  • you have objected to processing under Section 7.4 pending verification of the legitimate grounds.

7.7 Right Not to Be Subject to Solely Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. TurfBook does not engage in solely automated decision-making producing legal effects on users. Limited automated processes (such as automated fraud signals, automated cancellation deadlines, and automated Game decision timeouts) operate as part of the service described in the Terms of Service; you may request human review of any such automated outcome that affects you.

7.8 Right to Withdraw Consent

Where processing is based on your consent, you may withdraw your consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before withdrawal. Withdrawal of consent for processing essential to the operation of the Platform may result in the suspension or termination of your account.

7.9 Exercising Your Rights

To exercise any of the above rights, you may:

  • use the relevant feature in the Platform (for example, account deletion or profile editing);
  • email us at privacy@turfbook.africa with your request and a description of the data concerned;
  • contact us through the Help & Support section of the mobile application.

We will verify your identity before processing any request and will respond within thirty (30) days. Where we are unable to fulfil a request in whole or in part, we will explain the reason and inform you of your right to lodge a complaint with the ODPC under Section 16.

8. DATA SECURITY

8.1 Technical Measures

TurfBook implements the following technical security measures:

  • all data in transit between the Platform and TurfBook's servers is encrypted using HTTPS (TLS);
  • sensitive data fields (including M-Pesa Till, Paybill, and Send Money credentials, and Staff PINs) are encrypted at rest;
  • application authentication uses signed JSON Web Tokens (JWTs); access tokens for Players and Turf Owners expire after twenty-four (24) hours; refresh tokens expire after thirty (30) days; Staff tokens expire after twelve (12) hours and have no refresh;
  • Staff token revocation is enforced server-side through a token-version mechanism that invalidates outstanding tokens on permission change, PIN reset, or deactivation;
  • Administrator authentication requires mandatory time-based one-time password (TOTP) two-factor authentication; Administrator sessions are server-side tracked and may be remotely revoked;
  • API access is rate-limited to deter abuse and credential stuffing;
  • server-side input validation is applied to deter injection attacks;
  • role-based access controls limit data access to authorised personnel and authorised functions;
  • OTPs expire after five (5) minutes with a maximum of five (5) verification attempts; OTP requests are rate-limited to three (3) per thirty (30) minutes per phone number;
  • payment-provider webhooks are deduplicated and logged for replay and reconciliation, and are gated by signature verification that fails closed where the signing key is missing or the signature is absent or invalid;
  • error and cron-run logs are maintained for security and operational integrity monitoring;
  • changes to a Turf Owner's M-Pesa payout destination are subject to a twenty-four (24) hour cooling-off period before they take effect, with multi-channel notification (SMS, push, and in-app banner), and payouts during the cooling-off window continue to the previous destination (further detail in the Terms of Service Section 6.4.4);
  • refresh tokens rotate on every use, and any detected re-use of a rotated refresh token automatically revokes all sessions associated with the affected account;
  • failed OTP verifications are rate-limited per network address, and a phone number that accumulates ten (10) failed verification attempts within a rolling sixty (60) minute window is locked from further verification for the remainder of that window and is sent a security-alert SMS;
  • session credentials on mobile devices are stored in the operating-system secure keystore (Android Keystore, iOS Keychain) rather than in cleartext local storage;
  • every login event and every money-moving action taken on the Platform is recorded in an append-only platform-wide security audit log, retained as set out in Section 6.
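The refresh-token rotation and re-use detection described above, modelled as an added example that is not TurfBook's own code; the in-memory store, the status strings and the token-digest storage are assumptions of the example.

```python
import hashlib
import secrets

REFRESH_TTL_SECONDS = 30 * 24 * 3600  # thirty-day refresh-token lifetime from Section 8.1


class RefreshTokenStore:
    """Constructed in-memory model of single-use refresh tokens (not TurfBook code).
    Tokens are kept only as SHA-256 digests, so a copy of the store yields no usable
    credentials; presenting an already-rotated token revokes every session of the account."""

    def __init__(self):
        self.tokens = {}    # digest -> {"account", "session", "expires", "used"}
        self.sessions = {}  # session_id -> account_id (entry removed once revoked)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id, session_id, now):
        """Mint a fresh refresh token for a session (at login and on every rotation)."""
        token = secrets.token_urlsafe(32)
        self.tokens[self._digest(token)] = {
            "account": account_id, "session": session_id,
            "expires": now + REFRESH_TTL_SECONDS, "used": False,
        }
        self.sessions[session_id] = account_id
        return token

    def revoke_account(self, account_id):
        """Drop every live session of the account; spent digests stay so replays are still recognised."""
        for sid in [s for s, a in self.sessions.items() if a == account_id]:
            del self.sessions[sid]

    def refresh(self, token, now):
        """Rotate a refresh token. Returns (new_token, status); new_token is None on failure."""
        rec = self.tokens.get(self._digest(token))
        if rec is None:
            return None, "unknown"
        if now >= rec["expires"]:
            return None, "expired"
        if rec["session"] not in self.sessions:
            return None, "revoked"
        if rec["used"]:
            # Replay of a token that was already rotated: treat as theft, revoke all sessions.
            self.revoke_account(rec["account"])
            return None, "reuse_detected"
        rec["used"] = True  # the presented token is now spent
        return self.issue(rec["account"], rec["session"], now), "ok"
```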

8.2 Organisational Measures

  • access to Personal Data is restricted to authorised personnel on a need-to-know basis;
  • every Administrator mutation is recorded in an immutable internal audit log;
  • incident response procedures are in place for security and data protection incidents;
  • personnel are bound by confidentiality obligations;
  • third-party processors are contractually bound to appropriate data protection and security obligations;
  • internal policies cover data classification, access management, retention, and secure development.

8.3 Limitation

While we take all reasonable steps to protect your Personal Data, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a security incident, we will take immediate remedial action and notify affected parties in accordance with Section 9.

9. DATA BREACH NOTIFICATION

9.1 Notification to the ODPC

In accordance with the DPA, TurfBook will notify the ODPC within seventy-two (72) hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of Data Subjects. The notification will include a description of the nature of the breach, the categories and approximate number of Data Subjects affected, the categories and approximate number of records affected, the likely consequences of the breach, and the measures taken or proposed to address and mitigate the breach.

9.2 Notification to Data Subjects

Where a personal data breach is likely to result in a high risk to the rights and freedoms of affected Data Subjects, TurfBook will notify the affected Data Subjects without undue delay through SMS, push notification, email (where available), or a combination thereof.

10. CROSS-BORDER DATA TRANSFERS

Certain Platform infrastructure providers — including the database and storage provider, the application hosting provider, the content delivery network for the website, and the push notification providers — are located outside the Republic of Kenya. By using the Platform, you acknowledge and consent that your Personal Data will be transferred to, stored at, and processed in jurisdictions outside Kenya. We rely on the following lawful bases under Part IV of the DPA:

  • Your explicit consent under Section 48 of the DPA, given by your acceptance of this Policy at registration or at the point of using a public-facing feature (such as paying a Slot of a Split Payment);
  • Contractual safeguards with our processors that impose appropriate data protection and security obligations on the recipient;
  • Necessity for the performance of the contract between you and TurfBook (the provision of the Platform);
  • Necessity for the establishment, exercise, or defence of legal claims;
  • Necessity for the performance of a task carried out in the public interest in respect of breach notification to the ODPC.

We do not transfer sensitive categories of Personal Data outside Kenya except in strict compliance with the DPA. We continually review the residency arrangements of our infrastructure and will provide updated information in this Policy as the position evolves.

11. COOKIES AND SIMILAR TECHNOLOGIES

The TurfBook marketing website may use strictly necessary cookies and similar technologies to enable website functionality and security, and to facilitate the share-link bounce behaviour on the public game and payment pages. The website does not use cookies for behavioural advertising. The mobile applications do not use browser cookies but use local storage on your device for session tokens, user preferences, and offline state. You may control cookie preferences through your browser settings; disabling strictly necessary cookies may impair website functionality.

12. CHILDREN'S DATA

The Platform is intended for use only by persons aged eighteen (18) years and above. TurfBook does not knowingly collect Personal Data from any child below the age of eighteen (18) years. In accordance with Section 33 of the DPA, if we become aware that we have collected Personal Data from a child, we will take immediate steps to deactivate the account and delete the Personal Data. If you believe that a child has provided us with Personal Data, please contact us at privacy@turfbook.africa.

13. DATA PROTECTION IMPACT ASSESSMENTS

In accordance with the DPA, TurfBook conducts Data Protection Impact Assessments (“DPIAs”) before implementing new processing activities that are likely to result in a high risk to the rights and freedoms of Data Subjects. DPIAs are conducted for new features involving the collection of additional categories of Personal Data, changes to data-sharing arrangements with third parties, the implementation of new technologies that may impact user privacy, and significant changes to the scale or scope of processing. The results of DPIAs are documented and, where required, submitted to the ODPC for prior consultation.

14. THIRD-PARTY LINKS AND INTEGRATIONS

The Platform may contain links to or integrations with third-party services, including Google Maps (directions and geocoding), the M-Pesa service operated by Safaricom (payment authorisation), and the Google Play and Apple App Store services (application distribution). TurfBook is not responsible for the privacy practices of any third-party service. We encourage you to review the privacy policies of any third-party service before providing Personal Data to it.

15. CHANGES TO THIS PRIVACY POLICY

TurfBook may update or modify this Policy from time to time. We will notify Data Subjects of material changes through in-app notification, SMS, or email at least fourteen (14) days before the change takes effect. The updated Policy will be published on the Platform with the new effective date clearly stated. Your continued use of the Platform after the effective date of any change constitutes acceptance of the updated Policy. Previous versions of this Policy are archived internally and may be made available on request.

16. COMPLAINTS AND DISPUTE RESOLUTION

16.1 Complaints to TurfBook

If you have any concerns about how your Personal Data is being processed, you may contact our data protection contact at privacy@turfbook.africa. We will acknowledge receipt of your complaint within seven (7) days and endeavour to resolve it within thirty (30) days.

16.2 Complaints to the ODPC

If you are not satisfied with our response to your complaint, or if you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner. The ODPC can be contacted through their official channels, including their website at www.odpc.go.ke.

17. CONTACT INFORMATION

For any questions, requests, or concerns regarding this Privacy Policy or TurfBook's data protection practices, please contact us through the following channels:

Ball Hub, trading as TurfBook
Neema Court, Kibiku Road
Mihang'o, Embakasi East
Nairobi, Kenya

Data Protection Contact: privacy@turfbook.africa
General Support: support@turfbook.africa
In-App: Help & Support section within the TurfBook mobile application
Website: turfbook.africa/privacy
Account Deletion Requests: turfbook.africa/account-deletion

Ball Hub, trading as TurfBook — Nairobi, Kenya. Registered with the Office of the Data Protection Commissioner. Version 2.2 — Effective 24 May 2026.