Privacy Policy

Effective date: 1 May 2026

This policy explains what personal data we collect, why we collect it, how we protect it, and your rights under the Kenya Data Protection Act 2019. Please read it before using this website.

1. Who we are

The data controller for this website is:

Bigbrother Events and Ticketing Agency

Nairobi, Kenya

Email: info@bigbrotherticketing.com

Phone: 0742 237 522

We are assessing our registration obligations under the Data Protection Act 2019 and applicable ODPC regulations. Where registration is required, we will complete that process before processing personal data at scale. For any data-protection matter — access requests, complaints, or questions about this policy — email us at info@bigbrotherticketing.com.

2. What data we collect

We collect data that you provide directly or that is generated as you use the platform:

  • Account data. When you create an account, we collect your name and email address. If you register with email and password, your password is stored in hashed form only. If you sign in via Google, we receive your Google account email, name, and profile picture. You may optionally add a phone number. We also store your assigned platform role and account approval status.
  • Match notifications. If you opt in to match alerts, we collect your email address. This feature may not be available at all times.
  • Ticket purchase data. When you buy a ticket, we collect your name, email address, phone number, the M-Pesa number used for payment, your order reference, ticket serial numbers, ticket tier, and the amount paid in KES.
  • M-Pesa and payment metadata. When your payment is processed, the Safaricom callback returns data that we store, including: M-Pesa receipt number, checkout request ID, merchant request ID, payment status, result code, and transaction date and time. We use this to confirm payment, issue tickets, reconcile transactions, prevent fraud, and resolve disputes. Your M-Pesa PIN and full account credentials are handled entirely by Safaricom and never reach our systems.
  • Event entry data. When your ticket is scanned at the venue gate, we record the date and time of entry and the match it relates to.
  • Support correspondence. If you email or message us for support, we keep the content of that exchange so we can respond and follow up.
  • Platform security and operations data. We maintain a tamper-evident audit log of significant platform actions — including payments, ticket issuance, account role changes, and admin operations — together with the IP address and browser user-agent of the actor. Session tokens are stored in our database and expire automatically. These records exist to protect against fraud and to meet our legal obligations.
  • Usage data. Standard server logs including your IP address, browser type, and pages visited. We use this to operate, secure, troubleshoot, and improve the platform, and to prevent fraud and abuse.

We do not intentionally collect sensitive personal data such as health, biometric, or religious information. Please do not send us sensitive personal data unless we specifically ask for it.

3. Why we collect it

Purpose | Legal basis (DPA 2019)
Send match notification emails | Your consent (you signed up)
Create and manage your account | Performance of a contract
Process ticket purchases and deliver tickets | Performance of a contract
Send ticket confirmations and transactional updates | Performance of a contract
Confirm M-Pesa payments and reconcile transactions | Performance of a contract / legal obligation
Verify identity at the venue gate | Performance of a contract
Handle support, refunds, and dispute resolution | Performance of a contract / legitimate interest
Secure and maintain the platform | Legitimate interest
Detect and prevent fraud and abuse | Legitimate interest
Comply with tax and legal obligations | Legal obligation

4. Who we share your data with

We do not sell your personal data. The table below lists the third-party processors we use and what data each receives:

Processor | Data received | Purpose
Safaricom M-Pesa | Phone number, payment amount, order reference | Payment processing
Google | Authentication request; your Google account email and name if you use "Sign in with Google" | Social authentication
Resend | Recipient email, name, order summary, ticket PDF | Ticket delivery by email
Cloudinary | Event and team images uploaded by administrators (not personal data) | Image hosting and CDN
Vercel | Anonymised pageview and performance data on public pages only; admin, account, and scanner pages are excluded | Site performance monitoring

For events managed by third-party organisers, we may share limited event-related data — such as ticket confirmation numbers and ticket status — with the organiser where necessary to manage entry, handle disputes, or meet legal obligations. We do not share your contact details with organisers without a specific lawful basis.

We also share data when required by Kenyan law or a lawful order from government or law enforcement, and with professional advisors (accountants, lawyers, auditors) under confidentiality. We do not permit processors to use your data for their own purposes beyond what is stated above.

5. International data transfers

Some of our processors store or process data outside Kenya:

  • Vercel Inc. (United States / global) — website hosting and server logs
  • Google LLC (United States / global) — OAuth authentication
  • Resend Inc. (United States) — transactional email delivery
  • Cloudinary Ltd. (United States) — image hosting
  • Safaricom PLC (Kenya) — payment processing (no cross-border transfer)

Where we transfer your data outside Kenya, we rely on the safeguards permitted under Sections 48 and 49 of the DPA 2019, including contractual protections with our providers. We only use providers who maintain a reasonable standard of data security, and we minimise the personal data transferred outside Kenya.

6. How long we keep your data

  • Account records — kept while your account is active. Following a verified deletion request, we delete or anonymise account data within 30 days, except where a linked transaction record must be retained for tax, accounting, or legal purposes.
  • Match notification signups — stored as an account record, subject to the same retention period as Account records above. To request removal, submit a Data Subject Request.
  • Ticket purchase and entry records — kept for up to 7 years for tax, accounting, audit, and legal purposes. This includes order details, payment references, M-Pesa callback data, ticket serials, and gate scan records.
  • Audit and security logs — kept for 12 months, then purged.
  • Session tokens — expire after 30 days of inactivity, then deleted.
  • Email delivery logs — kept for 90 days, then deleted.
  • Support correspondence — kept for up to 2 years from your last interaction, then deleted.
  • Server logs — kept for up to 90 days, then deleted.

7. How we protect your data

We apply reasonable technical and organisational measures to keep your data safe:

  • All traffic to and from the website is encrypted in transit (HTTPS).
  • Access to systems holding personal data is restricted to authorised team members and protected by strong authentication.
  • Passwords are stored as secure hashes. Payment references and ticket records are protected through access controls and a tamper-evident audit log.
  • Significant platform actions — payments, ticket issuance, role changes, admin operations — are logged with the actor's identity, IP address, and timestamp.

No system is perfectly secure. If personal data is accessed or acquired by an unauthorised person and there is a real risk of harm to you, we will notify the Office of the Data Protection Commissioner (ODPC) without delay and within 72 hours of becoming aware of the breach, as required by section 43 of the Kenya Data Protection Act 2019. We will also notify you directly in writing where the law requires us to or where the breach poses a significant risk to you. Notification will be sent to the email address on your account.

8. Cookies

We use a small number of cookies, only for things the site genuinely needs:

  • Session cookie — keeps you signed in while you use the platform. Expires when your session ends or after a period of inactivity.
  • CSRF token — protects forms and checkout actions from cross-site request forgery. Session-scoped.

We do not use advertising or cross-site tracking cookies. We do not use Facebook Pixel, Google Ads remarketing, or similar tracking tools. Vercel Analytics collects anonymised performance data on public pages using edge metrics — not cookies — and admin, account, and scanner pages are excluded entirely.

You can disable cookies in your browser, but sign-in and checkout will not work without essential cookies.

9. Your rights under the DPA 2019

Under the Kenya Data Protection Act 2019, you have the following rights:

  • Access — you can request a copy of the personal data we hold about you.
  • Correction — you can ask us to fix data that is inaccurate or incomplete.
  • Deletion — you can ask us to delete your data where we no longer have a lawful reason to keep it.
  • Portability — you can request your data in a portable, machine-readable format.
  • Restriction — you can ask us to limit how we use your data while a query is being resolved.
  • Objection — you can object to processing we carry out under legitimate interest.
  • Withdraw consent — you can withdraw consent for match notifications or any other consent-based processing by submitting a Data Subject Request.

How to make a request

  • Email info@bigbrotherticketing.com with the subject line Data Subject Request. State which right you are exercising and include the email address on your account. If the request relates to a purchase, include your order reference.
  • We will acknowledge your request within 5 business days and respond in full within 21 days. We may need to verify your identity before acting on the request.
  • For deletion requests: we will delete or anonymise what we can and explain in writing any data we are required to retain by law (for example, transaction records for tax compliance).
  • There is no fee for exercising your rights. We may refuse a request where the law allows us to — for example, where we need to retain data for fraud prevention, tax, or legal claims. We will explain our reasoning if we do.

10. Children and minors

This platform is intended for ticket purchases by users aged 18 and over. We do not knowingly allow minors to create accounts or buy tickets directly. If a ticket is bought for a person under 18, the purchase must be completed by a parent or guardian.

Where we hold limited information about a minor attendee — for example, a child who attends an event on a ticket purchased by an adult — we use that data only as necessary to provide the ticketing service and manage event access.

If you believe a minor has provided us with data directly, please contact us at info@bigbrotherticketing.com and we will delete it.

11. Automated checks

We use automated checks to detect fraud, duplicate payments, suspicious transaction patterns, and invalid or already-scanned tickets. These checks help protect users, organisers, and the platform.

We do not use solely automated decision-making to make decisions that have a significant legal or material effect on you. Refund decisions, account suspensions, and dispute outcomes involve human review.

12. Complaints

If you have a concern about how we handle your data, please contact us first at info@bigbrotherticketing.com. Include your name, contact details, the nature of the issue, and any relevant order or ticket reference. We will acknowledge your complaint and aim to resolve it within 21 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at odpc.go.ke at any time.

13. Changes to this policy

We may update this policy as the platform evolves. The effective date at the top of this page will be updated to reflect any changes.

For material changes — anything affecting what data we collect, who we share it with, or your rights — we will notify registered users by email at least 14 days before the changes take effect. Continuing to use the platform after that date means you accept the updated policy.

Questions about this policy? Email us or visit our support page. Read our Terms of Service to understand the rules of using this platform.