Privacy Policy
Effective Date: 1 January 2025 · Last Updated: 14 April 2025
This Privacy Policy ("Policy") is issued by TikitiSalama, a digital ticketing platform operated by AssignMaster ("the Platform Operator", "we", "us", "our"), and governs the collection, processing, storage, disclosure, and protection of personal data in connection with your access to and use of the TikitiSalama platform accessible at tikitisalama.com and any associated mobile or web-based applications (collectively, the "Platform"). This Policy is promulgated in compliance with the Kenya Data Protection Act, 2019 (No. 24 of 2019), the Kenya Information and Communications Act (Cap. 411A), and any subsidiary legislation, regulations, or guidelines issued thereunder, as well as applicable international data-protection frameworks to the extent they may apply.
By accessing the Platform, creating an account, or otherwise submitting any information to us, you unconditionally acknowledge that you have read, understood, and consented to the terms of this Policy in their entirety. If you do not agree with any provision herein, you must immediately discontinue all use of the Platform.
1. Data Controller Identity and Contact Information
The data controller responsible for the personal data processed under this Policy is the Platform Operator, AssignMaster, operating under the trade name TikitiSalama. All data-protection enquiries, subject-access requests, rectification requests, erasure requests, and complaints may be directed to our designated Data Protection Contact at the email address displayed on the Platform's contact page. We will endeavour to respond to all legitimate enquiries within thirty (30) calendar days, subject to the complexity and volume of requests received.
2. Categories of Personal Data Collected
We collect, or may collect, the following categories of personal data:
- Identity and Contact Data: Full name, username, email address, telephone number (including M-Pesa-registered mobile number), and other identifiers you voluntarily provide during registration or profile completion.
- Authentication Credentials: Hashed passwords, session tokens, refresh tokens, and related security artefacts. We do not store passwords in plaintext under any circumstances.
- Transaction and Financial Data: M-Pesa transaction identifiers, payment reference numbers, ticket purchase amounts, pricing tier selections, promotional code usage, refund records, and organiser payout details. We do not directly store full payment-card numbers or bank-account details.
- Blockchain and Digital-Asset Data: Where the Platform mints blockchain-backed ticket tokens on the Polygon network, your associated wallet address, token identifiers, and on-chain transaction hashes constitute publicly visible data on a decentralised, immutable ledger over which the Platform Operator exercises no control or custodianship once recorded.
- Behavioural and Usage Data: Pages visited, click-stream data, search queries, event views, ticket saves, sharing actions, time-on-page metrics, gamification points and challenge interactions, device type, browser type, IP address, and approximate geolocation data derived from IP address.
- User-Generated Content: Event titles, descriptions, poster images, FAQ entries, and lineup information submitted by organisers; scanner activity logs; and any communications directed to the Platform.
- Verification and Compliance Data: Identity documents, business registration certificates, or other materials submitted during organiser verification processes.
- Security and Audit Data: Login attempt records, account-lockout events, IP addresses, user-agent strings, and other technical metadata retained for fraud prevention, security monitoring, and regulatory compliance purposes.
3. Legal Bases for Processing
We process personal data only where we have a lawful basis to do so. Applicable legal bases include:
- Contractual Necessity: Processing necessary for the performance of a contract to which you are a party, including account creation, ticket issuance, payment processing, and payout disbursement.
- Legitimate Interests: Processing necessary for the legitimate interests of the Platform Operator, including fraud detection, security monitoring, platform analytics, and service improvement, provided such interests are not overridden by your fundamental rights and freedoms.
- Legal Obligation: Processing required to comply with applicable laws, regulations, court orders, or lawful requests from competent governmental authorities.
- Consent: Where you have given specific, informed, and freely given consent to processing for defined purposes, such as the receipt of promotional communications or participation in gamification features. Consent so given may be withdrawn at any time without detriment to services that do not depend on such consent.
4. Purposes of Processing
Your personal data is processed for the following purposes:
- Registration, authentication, and account management;
- Processing ticket purchases, M-Pesa payments, and refunds;
- Minting, transferring, and verifying blockchain-backed digital tickets;
- Facilitating organiser payouts and financial reconciliation;
- Delivering transactional and administrative communications by email or SMS;
- Providing customer support, dispute resolution, and fraud investigation;
- Enforcing the Platform's Terms and Conditions and other policies;
- Complying with applicable law, regulatory obligations, and court orders;
- Conducting analytics to understand Platform usage and improve features;
- Operating gamification, loyalty, and recommendation systems;
- Verifying organiser identities and maintaining platform integrity.
5. Data Sharing and Third-Party Disclosure
We do not sell, rent, or trade personal data. We may disclose personal data to the following categories of recipients strictly on a need-to-know basis and, where applicable, subject to appropriate data-processing agreements:
- Safaricom PLC (M-Pesa): Payment processing data is transmitted to Safaricom pursuant to the M-Pesa API integration. Safaricom's processing of such data is governed by Safaricom's own privacy policies, over which the Platform Operator exercises no control.
- Polygon Blockchain Network: Wallet addresses and token metadata recorded on the Polygon public blockchain are permanently and irrevocably visible to all participants in that network. The Platform Operator cannot alter, delete, or restrict access to on-chain data.
- Cloud Infrastructure Providers: Hosting, database, and storage services (including Railway and any sub-processors thereof) which process data on our behalf subject to appropriate contractual safeguards.
- Email Service Providers: Transactional email delivery services used to dispatch verification, confirmation, and notification emails.
- Competent Authorities: Law-enforcement agencies, courts, regulatory bodies, or other governmental authorities where disclosure is required by law or in response to valid legal process.
- Professional Advisers: Lawyers, auditors, and insurers in connection with the exercise or defence of legal claims.
- Business Successors: In the event of a merger, acquisition, restructuring, or sale of all or part of the Platform Operator's business assets, personal data may be transferred to the relevant successor entity.
6. Data Retention
We retain personal data for no longer than is necessary to fulfil the purposes for which it was collected, subject to the following:
- Account data is retained for the duration of your active account and for a period of five (5) years following account deletion or termination, to comply with applicable statutory limitation periods and financial-record-keeping requirements.
- Transaction and payment records are retained for a minimum of seven (7) years in accordance with applicable tax and financial reporting obligations.
- Security logs, audit trails, and fraud-related records may be retained for up to three (3) years or as required by law.
- Blockchain-recorded data is perpetual and irrevocable by its technical nature and cannot be deleted regardless of any request made under data-subject rights.
- Behavioural analytics data is retained in aggregated, pseudonymised form indefinitely for platform improvement purposes.
7. Your Data-Subject Rights
Subject to applicable law and certain limitations, you have the following rights with respect to your personal data:
- Right of Access: to obtain confirmation of whether we process your data and a copy thereof;
- Right to Rectification: to request correction of inaccurate or incomplete data;
- Right to Erasure: to request deletion of data where there is no legitimate basis for continued processing, subject to overriding legal obligations and the technical impossibility of deleting blockchain-recorded data;
- Right to Restriction: to request that processing be restricted pending resolution of a dispute as to accuracy or lawfulness;
- Right to Data Portability: to receive your data in a structured, commonly used, machine-readable format;
- Right to Object: to object to processing based on legitimate interests;
- Right to Withdraw Consent: to withdraw consent at any time where processing is consent-based, without prejudice to the lawfulness of processing prior to withdrawal.
To exercise any of the above rights, contact us via the Platform's designated Data Protection Contact. Note that we may be required to verify your identity before processing any request, and certain rights may be subject to limitations where compliance would prejudice the rights of others, conflict with a legal obligation, or be technically impossible.
8. Security Measures
We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, alteration, or disclosure, including but not limited to: password hashing using industry-standard bcrypt algorithms; JWT-based authentication with token rotation and expiry; TLS/HTTPS encryption for data in transit; role-based access controls; account-lockout mechanisms; and audit logging. Notwithstanding the foregoing, no system of security is impenetrable, and we cannot guarantee the absolute security of data transmitted over the internet. You accept and acknowledge this inherent risk.
9. Cookies and Tracking Technologies
The Platform may use cookies, local storage, session storage, and similar technologies to maintain authentication state, remember preferences, and collect usage analytics. By continuing to use the Platform after being presented with this Policy, you consent to the use of such technologies. You may disable cookies at the browser level; however, doing so may impair certain functionality of the Platform.
10. Children's Data
The Platform is not directed at or intended for use by individuals under the age of eighteen (18) years. We do not knowingly collect personal data from minors. If we become aware that personal data has been submitted by or on behalf of a minor without appropriate consent, we will take reasonable steps to delete such data promptly. Parents or guardians who believe a minor has submitted personal data without authorisation should contact us immediately.
11. International Data Transfers
Your data may be processed by our cloud infrastructure providers in jurisdictions outside Kenya. We take reasonable steps to ensure that any such cross-border transfers are subject to appropriate safeguards consistent with the Kenya Data Protection Act, 2019, including standard contractual clauses or equivalent mechanisms where applicable.
12. Changes to This Policy
We reserve the right to amend this Policy at any time. Amendments will be effective upon posting to the Platform with an updated effective date. Where amendments are material, we will endeavour to provide reasonable notice, which may include a notification within the Platform interface. Your continued use of the Platform following the posting of an amended Policy constitutes your acceptance of such amendments.
13. Governing Law
This Policy is governed by and construed in accordance with the laws of the Republic of Kenya, including the Kenya Data Protection Act, 2019, without regard to conflict-of-law principles.