Privacy Policy

1. Who We Are

Bingwa Fantasy, operated by Hekima Labs SL ("we", "us", "our"), operates the fantasy football platform at bingwa.net. This Privacy Policy explains how we collect, use, store and protect your personal information when you use our website and progressive web app (together, the "Service").

2. Data We Collect

We collect the minimum data necessary to provide and improve the Service:

• •Phone number — used for account login, identity verification and M-Pesa prize payments.
• •Display name & team name — shown on public leaderboards.
• •PIN (hashed) — stored securely using PBKDF2 with a unique salt. We never store your PIN in plain text.
• •Game activity — squad selections, transfers, points, rankings.
• •Payment records — subscription transactions processed via PesaPal/M-Pesa. We do not store your M-Pesa PIN or bank details.
• •Device info — browser type and screen size for analytics and performance optimisation.

3. How We Use Your Data

• •To create and manage your account.
• •To calculate points, rankings and award prizes.
• •To process subscription payments via M-Pesa.
• •To pay prizes directly to your M-Pesa account.
• •To send service notifications (e.g., prize won, subscription renewal).
• •To detect and prevent fraud, multi-accounting and abuse.
• •To improve the Service through aggregated, anonymised analytics.

4. Data Sharing

We do not sell your personal data. We share data only with the following third parties, solely to operate the Service:

• •Supabase — database hosting (EU/US servers).
• •PesaPal — payment processing for subscriptions.
• •Vercel — web hosting and content delivery.

Your name and team name may be displayed publicly on leaderboards and winner announcements.

5. Data Security

We protect your data with industry-standard measures including: encrypted connections (HTTPS/TLS), hashed PINs (PBKDF2 with 100,000 iterations), Row Level Security on all database tables, HttpOnly secure cookies, and regular security audits. No system is 100% secure, but we take reasonable steps to protect your information.

6. Data Retention

We retain your account data for as long as your account is active. Game history (points, rankings) is kept for the duration of each KPL season and may be archived afterwards. Payment records are retained for 7 years for tax and compliance purposes. If you delete your account, personal data is removed within 30 days, except where retention is required by law.

7. Your Rights

Under the Kenya Data Protection Act 2019, you have the right to:

• •Access — request a copy of the personal data we hold about you.
• •Correction — update inaccurate or incomplete data (via your profile page).
• •Deletion — request deletion of your account and personal data.
• •Object — object to processing of your data for specific purposes.
• •Portability — request your data in a portable format.

To exercise any of these rights, contact us at support@bingwa.net. We will respond within 30 days.

8. Cookies

We use a single essential HttpOnly cookie to maintain your login session. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.

9. Children

The Service is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18. If we become aware that a minor has registered, we will delete their account and data promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via an in-app notification. Continued use of the Service after changes constitutes acceptance. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For privacy-related questions, data requests, or complaints, contact us at support@bingwa.net.