Privacy Policy
In Compliance with the Data Protection Act, No. 24 of 2019 (Kenya)
Last Updated: February 2026 · Version 1.0
1. INTRODUCTION
1.1 About This Privacy Policy
This Privacy Policy (the “Policy”) explains how TurfBook Limited (“TurfBook,” “we,” “us,” or “our”) collects, uses, processes, stores, shares, and protects personal data in connection with the TurfBook platform (the “Platform”), including our mobile applications on Android and iOS, our web-based dashboard for Turf Owners, and our marketing website.
1.2 Legal Framework
This Policy is drafted in compliance with the Data Protection Act, No. 24 of 2019, Laws of Kenya (the “DPA”), the Data Protection (General) Regulations, 2021, the Constitution of Kenya, 2010 (specifically Article 31, which guarantees the right to privacy), and any subsequent regulations, guidance notes, or directives issued by the Office of the Data Protection Commissioner (“ODPC”). TurfBook is committed to upholding the data protection principles enshrined in these laws, including lawful processing, data minimization, purpose limitation, data quality, and the implementation of appropriate security safeguards.
1.3 Data Controller
TurfBook Limited is the data controller responsible for the processing of personal data collected through the Platform. For the purposes of this Policy:
- Registered Office: [Insert Address], Nairobi, Kenya
- Data Protection Contact: privacy@turfbook.co.ke
- Registration Status: [Registered/Pending Registration] with the Office of the Data Protection Commissioner
1.4 Scope of Application
This Policy applies to all users of the Platform, including Players who book turfs, Turf Owners who list their facilities, Staff members who are granted limited access by Turf Owners, and Administrators who manage the Platform internally. It also applies to visitors to our marketing website and any person whose personal data we collect or process in connection with our services.
1.5 Consent
By registering for an account, accessing, or using the Platform, you acknowledge that you have read, understood, and consent to the collection, processing, and use of your personal data as described in this Policy. Where we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
2. PERSONAL DATA WE COLLECT
2.1 Data Collected from Players
When you register and use the Platform as a Player, we collect the following categories of personal data:
2.1.1 Registration Data
- (a) Full name (required);
- (b) Phone number, including verification via OTP (required);
- (c) Email address (optional);
- (d) Profile photograph (optional); and
- (e) Google account information, if registering via Google OAuth (name, email, profile picture).
2.1.2 Location Data
If you enable location services on your device, we collect your geographic location data (GPS coordinates) to display turfs sorted by proximity and to provide location-based search results. Location data is collected only when you actively use the Platform and have granted permission. You may disable location services at any time through your device settings; however, this will limit certain features of the Platform.
2.1.3 Booking and Transaction Data
We collect data related to your bookings, including turf name and details for each booking, dates, times, and pitch sizes selected, booking reference numbers, payment amounts, M-Pesa transaction reference numbers (we do not collect or store M-Pesa PINs), payment status (pending, completed, failed, refunded), cancellation and rescheduling history, and reschedule credit balances.
2.1.4 Reviews and Ratings
When you submit a review, we collect your star rating, written review text, and the date and time of submission. Reviews are publicly displayed alongside your name.
2.1.5 Usage and Device Data
We automatically collect device type and operating system, app version, search queries (anonymized for analytics), turfs viewed and interaction patterns, notification preferences, and IP address.
2.2 Data Collected from Turf Owners
When you register and use the Platform as a Turf Owner, we collect the following:
2.2.1 Registration and Business Data
- (a) Owner or manager name (required);
- (b) Business name (required);
- (c) Phone number, including verification via OTP (required);
- (d) Email address (optional);
- (e) M-Pesa till number or paybill number (required);
- (f) Physical address of the Turf (required); and
- (g) Google account information, if registering via Google OAuth.
2.2.2 Turf Profile Data
We collect data you provide in your Turf profile, including turf name and description, photographs of the facility (minimum five), operating hours, pitch sizes and types, pricing information (including peak and off-peak rates), payment model preferences, available amenities, and turf rules.
2.2.3 Operational Data
We collect data generated through your use of the Platform, including booking calendar data and slot management, walk-in booking records (manually blocked slots), earnings and transaction history, staff access PINs (encrypted), analytics data (peak hours, revenue trends, booking patterns), review responses, and notification preferences.
2.3 Data Collected from Staff
Staff access is managed by Turf Owners. When Staff use the Platform, we collect the Turf Owner's phone number (used for login authentication), session data (login times, duration, and actions performed), and slot blocking and unblocking activity. We do not independently collect Staff members' personal identification data. Staff are identified only by the access slot name assigned by the Turf Owner.
2.4 Data Collected from Website Visitors
When you visit the TurfBook marketing website, we may collect IP address, browser type and version, pages visited and time spent, referral source, and device and screen information. This data is collected through standard web analytics tools and is used to improve the website experience and measure marketing effectiveness.
3. HOW WE USE YOUR PERSONAL DATA
3.1 Purposes of Processing
We process your personal data for the following purposes:
3.1.1 Service Provision
- (a) Creating and maintaining your account;
- (b) Enabling you to browse, search, and discover turfs;
- (c) Processing bookings, payments, and refunds;
- (d) Facilitating communication between Players and Turf Owners;
- (e) Sending booking confirmations, reminders, and receipts;
- (f) Managing reschedule credits and cancellations;
- (g) Displaying ratings and reviews; and
- (h) Providing customer support and dispute resolution.
3.1.2 Platform Improvement
We use aggregated and anonymized data to analyze usage patterns and search trends, identify areas of unmet demand, improve search algorithms and user experience, develop new features, and monitor platform performance and reliability.
3.1.3 Business Operations
We process data for calculating and disbursing earnings to Turf Owners, commission tracking and financial reporting, fraud detection and prevention, compliance with legal and regulatory obligations, and resolving disputes between users.
3.1.4 Communications
We use your contact information to send critical notifications (booking confirmations, payment receipts, account security alerts), service updates and announcements, and marketing communications (only with your explicit consent, and you may opt out at any time).
3.2 Legal Basis for Processing
In accordance with the DPA, we process your personal data on the following legal bases:
- Consent (Section 32, DPA): Account registration, location data collection, marketing communications, profile photographs, optional data fields.
- Performance of Contract: Booking processing, payment processing, service delivery, earnings disbursement, booking management.
- Legitimate Interest: Platform improvement and analytics, fraud prevention, search optimization, off-app booking detection analytics.
- Legal Obligation: Tax record keeping, compliance with court orders, regulatory reporting, data breach notification.
4. HOW WE SHARE YOUR PERSONAL DATA
4.1 Sharing Between Users
4.1.1 Player Data Shared with Turf Owners
When a Player makes a confirmed booking, the following data is shared with the relevant Turf Owner:
- (a) Player's full name;
- (b) Player's phone number;
- (c) Booking details (date, time, pitch size, purpose); and
- (d) Payment status (paid, deposit paid, pending).
This sharing is necessary for the performance of the booking contract and to enable the Turf Owner to manage their facility.
4.1.2 Player Data Shared with Staff
Staff members with access to the Turf Owner's dashboard can view Player names, phone numbers, and booking times for the purpose of managing on-site operations. Staff cannot view payment amounts or financial details.
4.1.3 Turf Owner Data Shared with Players
Players can view the Turf Owner's business name, turf address and location, contact phone number, photographs, pricing, operating hours, amenities, rules, and review responses.
4.2 Third-Party Service Providers
We share personal data with the following categories of third-party service providers, who process data on our behalf and under our instructions:
- Payment Aggregator (IntaSend or similar): Phone number, payment amount, M-Pesa transaction details — for processing M-Pesa payments and split disbursements.
- SMS Gateway (Africa's Talking or similar): Phone number, message content — for sending booking confirmations, reminders, and OTP codes.
- Push Notification Service (Firebase/APNs): Device token, notification content — for delivering push notifications.
- Cloud Hosting Provider: All platform data (encrypted) — for hosting and storing platform data.
- Analytics Tools: Anonymized usage data — for platform performance monitoring and improvement.
All third-party service providers are contractually bound to process personal data only for the specified purposes and to implement appropriate security measures in compliance with the DPA.
4.3 Legal and Regulatory Disclosures
We may disclose personal data where required by law, regulation, or legal process, where necessary to comply with a valid court order or subpoena, to the Office of the Data Protection Commissioner in connection with regulatory inquiries, to law enforcement authorities where necessary to prevent or investigate fraud, security breaches, or illegal activities, and to protect the rights, property, or safety of TurfBook, our users, or the public.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or part of TurfBook's assets, personal data may be transferred to the successor entity. We will notify affected users of any such transfer and any changes to this Policy that may result.
4.5 No Sale of Personal Data
TurfBook does not sell, rent, or trade personal data to third parties for their own marketing or commercial purposes.
5. USER-SPECIFIC DATA PROCESSING
5.1 Players
In addition to the general processing described above, the following data processing activities are specific to Players:
- Favorites: We store your list of saved turfs to enable quick access. This data is visible only to you.
- Booking History: We retain a complete record of your past and upcoming bookings for your reference, rebooking convenience, and dispute resolution.
- Search History: We log search queries in anonymized form for analytics purposes. Your individual search history is not shared with Turf Owners or other users.
- Reviews: Ratings and reviews you submit are publicly displayed alongside your name. You cannot delete a published review, but you may contact us to request removal in exceptional circumstances.
- Reschedule Credits: We track the issuance, balance, and redemption of reschedule credits associated with your account.
5.2 Turf Owners
The following data processing activities are specific to Turf Owners:
- Verification Data: During the verification process, we may collect and retain photographs taken during the verification visit, notes from the verification team, and the verification decision and any reasons for rejection.
- Financial Data: We process and store your M-Pesa till or paybill number, earnings records (gross, commission, and net amounts), and transaction history. This data is used for payment disbursement, commission calculation, and financial reporting.
- Analytics Data: We generate analytics about your turf's performance, including peak hours, busiest days, revenue trends, and booking patterns. This data is derived from booking activity on the Platform.
- Off-App Booking Data: When you manually block slots for walk-in customers, this data is recorded and analyzed to understand demand patterns and off-app booking rates. This data may inform TurfBook's marketing strategies.
- Staff Access Data: We store staff access PINs (encrypted) and staff slot names that you create. You are responsible for managing this data and informing your Staff about how their activity data is processed.
5.3 Staff
Data processing for Staff is limited in scope:
- Authentication Data: We process the Turf Owner's phone number and the staff PIN for authentication. We do not independently collect Staff members' personal names or phone numbers.
- Activity Logs: We log Staff actions on the Platform (slot blocking and unblocking) for audit and security purposes. These logs are associated with the staff slot name, not an individual identity.
- Session Data: We track login times, session duration, and session expiry for security purposes.
Staff members should be aware that the Turf Owner who granted them access may be able to view their activity on the Platform. TurfBook encourages Turf Owners to inform their Staff about this Policy.
5.4 Administrators
TurfBook Administrators access user data in the course of platform management. Administrator access is governed by TurfBook's internal data protection policies. All Administrator actions are logged and auditable. Administrators are bound by confidentiality obligations and may only access personal data to the extent necessary for legitimate platform management purposes, including verification and approval of turf registrations, dispute resolution, user account management, and platform analytics review.
6. DATA RETENTION
6.1 Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The following retention periods apply:
- Active account data: Duration of account plus 30 days after deletion — for service provision and post-deletion dispute resolution.
- Booking records: 3 years from booking date — for dispute resolution, financial reporting, and tax compliance.
- Transaction and payment records: 7 years from transaction date — for tax compliance and financial audit requirements under Kenyan law.
- Reviews and ratings: Duration of account (deleted upon account deletion) — for platform integrity and user information.
- Location data: Not stored persistently; used in real time only — privacy by design.
- Search query logs: 12 months (anonymized) — for analytics and platform improvement.
- Verification records: Duration of turf listing plus 2 years — for regulatory compliance and audit trail.
- Staff activity logs: 12 months — for security audit purposes.
- Inactive account data: 12 months of inactivity, then deleted — for data minimization.
6.2 Account Deletion
Players may request deletion of their account through the Platform settings by typing “DELETE” as confirmation. Upon account deletion, the account is immediately deactivated and the user is logged out. Account data is retained for thirty (30) days to allow for resolution of pending disputes. After the thirty-day period, personal data is permanently and irreversibly deleted, except for transaction records that must be retained for tax compliance purposes (which are anonymized where possible). Turf Owners requesting account deletion must first ensure that all pending bookings are fulfilled or cancelled and all earnings are disbursed.
6.3 Data Minimization
In accordance with the data minimization principle under the DPA, TurfBook collects only the personal data that is necessary for the specified purposes. Optional data fields (such as email, profile photo, and location) are clearly identified and are not required for basic use of the Platform.
7. YOUR RIGHTS AS A DATA SUBJECT
Under the DPA, you have the following rights in relation to your personal data:
7.1 Right of Access
You have the right to request confirmation of whether we process your personal data and, if so, to obtain access to that data. You may request a copy of the personal data we hold about you. We will respond to access requests within thirty (30) days.
7.2 Right to Rectification
You have the right to request the correction of inaccurate or incomplete personal data. You can update most of your personal data directly through the Platform (profile settings). For data that cannot be edited directly (such as phone numbers, which require re-verification), you may contact us at privacy@turfbook.co.ke.
7.3 Right to Erasure
You have the right to request the deletion of your personal data, subject to the retention requirements described in Section 6. You may exercise this right through the account deletion feature or by contacting us directly. Please note that certain data may be retained where required by law (such as transaction records for tax purposes) or for the resolution of pending disputes.
7.4 Right to Object
You have the right to object to the processing of your personal data where we rely on legitimate interest as the legal basis for processing. Upon receiving an objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You may also object to the processing of your personal data for direct marketing purposes at any time, and we will cease such processing immediately.
7.5 Right to Data Portability
You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format. TurfBook provides data export functionality for transaction and booking history (CSV format). You may request a comprehensive data export by contacting us at privacy@turfbook.co.ke.
7.6 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where the processing is unlawful and you prefer restriction over deletion, where we no longer need the data but you require it for legal claims, or where you have objected to processing and verification of legitimate grounds is pending.
7.7 Right Not to Be Subject to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. TurfBook does not currently engage in solely automated decision-making that produces legal effects on users.
7.8 Exercising Your Rights
To exercise any of the above rights, you may use the relevant feature within the Platform (such as account deletion or profile editing), email us at privacy@turfbook.co.ke with your request, or contact us through the Help & Support section of the Platform. We will verify your identity before processing any request and will respond within thirty (30) days. If we are unable to fulfill a request, we will provide reasons and inform you of your right to lodge a complaint with the ODPC.
8. DATA SECURITY
8.1 Technical Measures
TurfBook implements the following technical security measures to protect personal data:
- (a) All data transmitted between the Platform and our servers is encrypted using HTTPS (TLS/SSL);
- (b) Sensitive data (including M-Pesa details and staff PINs) is encrypted at rest using industry-standard encryption;
- (c) API access is secured with JWT (JSON Web Tokens) with access tokens expiring after twenty-four (24) hours and refresh tokens after thirty (30) days;
- (d) Rate limiting is implemented at one hundred (100) requests per minute per user to prevent abuse;
- (e) All server-side inputs are validated to prevent SQL injection and cross-site scripting attacks;
- (f) Role-based access controls ensure that users can only access data appropriate to their role; and
- (g) OTP codes expire after five (5) minutes with a maximum of three (3) attempts before lockout.
8.2 Organizational Measures
TurfBook implements organizational security measures, including restricting access to personal data to authorized personnel on a need-to-know basis, logging all Administrator actions so that they are auditable, conducting regular security assessments and vulnerability testing, maintaining incident response procedures for data breaches, training staff on data protection obligations, and imposing contractual data protection obligations on all third-party service providers.
8.3 Data Storage Location
In compliance with Section 50 of the DPA, TurfBook ensures that at least one serving copy of personal data is stored on a server or data centre located in Kenya. Where cloud infrastructure is used, we ensure that data residency requirements under Kenyan law are met.
8.4 Limitation
While we take all reasonable steps to protect your personal data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security. In the event of a security incident, we will take immediate remedial steps and notify affected parties in accordance with our breach notification obligations.
9. DATA BREACH NOTIFICATION
9.1 Notification to the ODPC
In accordance with the DPA, TurfBook will notify the Office of the Data Protection Commissioner within seventy-two (72) hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects. The notification will include a description of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects.
9.2 Notification to Data Subjects
Where a data breach is likely to result in a high risk to the rights and freedoms of affected individuals, TurfBook will notify the affected data subjects in writing within a reasonably practical period. Notification will be made through SMS, push notification, email, or a combination thereof, depending on the contact information available.
10. CROSS-BORDER DATA TRANSFERS
TurfBook's primary operations and data storage are based in Kenya. Where it is necessary to transfer personal data outside Kenya (for example, to cloud infrastructure providers with servers in other jurisdictions), we will comply with Part IV of the DPA by ensuring that adequate data protection safeguards are in place in the recipient country, obtaining your explicit consent where required, implementing appropriate contractual safeguards (such as standard contractual clauses), and ensuring that at least one serving copy of personal data remains stored in Kenya. We will not transfer sensitive personal data outside Kenya except in strict compliance with the DPA.
11. COOKIES AND TRACKING TECHNOLOGIES
The TurfBook marketing website may use cookies and similar tracking technologies to enable website functionality, analyze website traffic and usage patterns, and measure the effectiveness of marketing campaigns. We do not use cookies for behavioral advertising. You may control cookie preferences through your browser settings. The TurfBook mobile applications do not use browser cookies but may use similar local storage technologies for session management and user preferences.
12. CHILDREN'S DATA
The TurfBook Platform is not intended for use by children under the age of eighteen (18) years. We do not knowingly collect personal data from children. In accordance with Section 33 of the DPA, if we become aware that we have collected personal data from a child without appropriate parental or guardian consent, we will take immediate steps to delete such data. If you believe that a child has provided us with personal data, please contact us at privacy@turfbook.co.ke.
13. DATA PROTECTION IMPACT ASSESSMENT
In accordance with the DPA, TurfBook conducts Data Protection Impact Assessments (“DPIAs”) before implementing new processing activities that are likely to result in a high risk to the rights and freedoms of data subjects. DPIAs are conducted for new features involving collection of additional personal data categories, changes to data sharing arrangements with third parties, implementation of new technologies that may impact user privacy, and significant changes to the scale or scope of data processing. The results of DPIAs are documented and, where required, submitted for prior consultation with the ODPC.
14. THIRD-PARTY LINKS AND SERVICES
The Platform may contain links to third-party websites or services, including Google Maps (for directions), M-Pesa (for payment processing), and app stores (for downloads). TurfBook is not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party service before providing your personal data. Your use of third-party services is governed by their respective terms and privacy policies.
15. CHANGES TO THIS PRIVACY POLICY
TurfBook reserves the right to update or modify this Privacy Policy at any time. We will notify users of material changes through in-app notifications, SMS, or email at least fourteen (14) days before the changes take effect. The updated Policy will be made available on the Platform and the marketing website, with the effective date clearly stated. Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Policy. We encourage you to review this Policy periodically. Previous versions of this Policy will be archived and made available upon request.
16. COMPLAINTS AND DISPUTE RESOLUTION
16.1 Complaints to TurfBook
If you have any concerns about how your personal data is being processed, you may contact our Data Protection Contact at privacy@turfbook.co.ke. We will acknowledge receipt of your complaint within seven (7) days and endeavor to resolve it within thirty (30) days.
16.2 Complaints to the ODPC
If you are not satisfied with our response to your complaint, or if you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner. The ODPC can be contacted through their official channels as published on their website at www.odpc.go.ke.
17. CONTACT INFORMATION
For any questions, requests, or concerns regarding this Privacy Policy or TurfBook's data protection practices, please contact us through the following channels:
- Data Protection Contact Email: privacy@turfbook.co.ke
- General Support Email: support@turfbook.co.ke
- In-App: Help & Support section within the TurfBook application
- Website: www.turfbook.co.ke/privacy
- Postal Address: [Insert Address], Nairobi, Kenya
TurfBook Limited — Nairobi, Kenya. Registered with the Office of the Data Protection Commissioner. Version 1.0 — February 2026.
