Legal

Privacy Policy

Effective date: 22 June 2026

This policy explains how Billiard Kenya (“we”, “us”) collects, uses, stores, and protects your personal data. It is issued in compliance with the Kenya Data Protection Act, 2019 and its subsidiary legislation.

1. Who we are (Data Controller)

Billiard Kenya is the data controller for personal data collected through this website (billiardkenya.com) and its associated services.

Contact us on data matters at info@billiardkenya.com.

2. What data we collect and why

We only collect data that is necessary for a specific, lawful purpose.

Data | Purpose | Legal basis
Name and email address | Creating and managing your owner account; sending transactional emails (verification, password reset) | Performance of a contract / your consent
Phone number | Venue contact information displayed on your listing (optional) | Your consent
Venue details (name, location, photos, prices) | Publishing your billiard hall listing on the platform | Performance of a contract
Payment details (M-Pesa phone number) | Processing listing or event payments via Safaricom Daraja | Performance of a contract
IP address and browser information | Security, fraud prevention, and error logging | Legitimate interests
Session cookies | Keeping you signed in during your visit | Strictly necessary — no consent required
Search queries and filter selections | Improving search results; no personal profile is built | Legitimate interests

We do not use your data for automated profiling or decision-making that produces legal or similarly significant effects.

3. Cookies

We use only one session cookie (bt_owner_session or bt_admin_session) to keep you signed in. It is deleted when you log out or when it expires (7 days).

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required because we set no non-essential cookies.

4. Who we share your data with

  • Resend (email delivery) — receives your email address to send transactional emails. Processed under a data processing agreement.
  • Safaricom / Daraja — receives your M-Pesa phone number to initiate payment requests. Safaricom processes this under its own privacy policy.
  • DigitalOcean Spaces (file storage) — stores venue photos you upload. Stored in the EU-West region under a data processing agreement.
  • Turso / LibSQL — hosts the database containing your account and listing data, processed under a data processing agreement.

We do not sell, rent, or share your personal data with advertisers or unrelated third parties.

5. International transfers

Some processors (Resend, DigitalOcean, Turso) may store or process data outside Kenya. Where they do, we rely on standard contractual clauses or equivalent safeguards recognised under the Kenya Data Protection Act to protect your data.

6. How long we keep your data

Data | Retention period
Owner account data | For as long as the account is active, plus 12 months after deletion request
Venue listings | Until removed by you or by our admin team
M-Pesa transaction records | 7 years (required by Kenyan financial regulations)
Session logs and security records | 90 days
Email delivery logs | 30 days

7. Your rights under the Kenya Data Protection Act 2019

Under Sections 26–34 of the Kenya Data Protection Act you have the right to:

  • Be informed — know what data we hold and how we use it (this policy).
  • Access — request a copy of your personal data we hold.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data (subject to legal retention obligations).
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any right, email us at info@billiardkenya.com with the subject line “Data rights request”. We will respond within 21 days.

8. Complaints

If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):

https://www.odpc.go.ke

We encourage you to contact us first so we can try to resolve any concern directly.

9. Security

Passwords are hashed using PBKDF2-SHA512 with a unique salt per account. Sessions are stored as hashed tokens. All data in transit is encrypted via HTTPS/TLS. We never store M-Pesa PINs — payment is handled entirely by Safaricom.

10. Children

Our services are not directed at children under 18. If you believe a child has submitted personal data to us, contact us and we will delete it promptly.

11. Changes to this policy

We may update this policy. We will notify registered owners by email of any material changes and update the effective date above. Continued use after notification constitutes acceptance.

Questions?

Email us at info@billiardkenya.com. We aim to respond within 2 working days.