This section describes the collection of personal data, reasons for processing, protection measures, and user rights under Kenya law.

What we may collect

• Identification and contact information: full name, username, date of birth, national ID or passport details, residential address, email, and phone number.
• Account and verification information: documents and images for age and identity checks, live verification data, and responsible gaming preferences.
• Financial and transaction information: deposit and withdrawal details, payment method identifiers, betting history, wins and losses, and account balances.
• Technical and usage information: device identifiers, IP address, approximate location, browser type, log data, cookies, and online usage statistics.
• Communications: messages to support, call recordings where permitted, survey responses, and marketing preferences.

Why we collect this information

• To create and manage accounts, provide services, and deliver user support.
• To verify age and identity, prevent fraud, and meet anti-money laundering and counter-terrorist financing obligations.
• To meet requirements under the Betting, Lotteries and Gaming Act and directions of the Betting Control and Licensing Board.
• To improve the performance and safety of our online services and websites.

How we protect personal data

• Encryption in transit, hardened networks, and strict access controls.
• Multi-factor authentication for privileged access and role-based permissions.
• Vendor due diligence, confidentiality commitments, and regular security monitoring.
• Staff training, audit logging, and incident response procedures.

User rights under Kenya’s Data Protection Act, 2019

• Access: request a copy of personal data and information about processing.
• Correction: ask us to update or correct inaccurate data.
• Deletion: request erasure where the law allows.
• Restriction and objection: limit or object to certain processing.
• Portability: request personal data in a structured, commonly used format.
• Consent choices: withdraw consent for marketing and other optional uses.
• Complaint: lodge a complaint with the Office of the Data Protection Commissioner (ODPC) if unresolved.

Compliance

• Processing follows the Kenya Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021. We also align to recognised international principles, including fairness, lawfulness, purpose limitation, and data minimisation.

We use personal data for lawful and transparent purposes:

• Account services: registration, login, account management, and customer support.
• Transactions: deposits, withdrawals, payment reconciliation, and chargeback handling through approved providers.
• Security checks: identity verification, sanctions and fraud screening, and anti-money laundering controls.
• Service improvement: troubleshooting, performance monitoring, and product development for the online platform.
• Personalisation and marketing: tailoring content and sending communications based on consent and preferences.
• Analytics and statistics: aggregated reporting, quality assurance, and testing.
• Responsible gaming: setting limits, self-exclusion, and safety interventions.
• Legal and regulatory: reporting, record keeping, dispute handling, and enforcement of terms.

Legal bases

• Consent for optional communications and certain analytics or cookies.
• Performance of a contract to provide services to the user.
• Legal obligations for gambling, tax, and anti-money laundering requirements.
• Legitimate interests such as platform security and fraud prevention, balanced against user rights.

WinWin processes data in line with these bases and provides straightforward ways to manage preferences.

How to exercise your rights

• Access or update: use account settings or contact our Data Protection Officer to request a copy or to correct information.
• Deletion: request account closure and deletion where permitted. Certain records must be retained for legal reasons.
• Portability: ask for a portable copy of personal data you provided.

Process and timelines

• Verification: we may ask for information to confirm identity before acting on a request.
• Response time: we aim to respond within 30 days, or inform you if more time is needed for complex requests.

Legal limits

• Some data cannot be deleted immediately due to the Proceeds of Crime and Anti-Money Laundering Act, tax laws, and gaming regulations. Financial and verification records may be kept for up to seven years, then securely destroyed or anonymised.

Security checks and payments

• By using WinWin, the user consents to security checks and the processing of payment information by banks, payment providers, and verification partners to deliver the services and meet compliance obligations.

Contact

• Data Protection Officer: [email protected]
• Postal: Data Protection Officer, WinWin, Nairobi, Kenya
• Regulator: Office of the Data Protection Commissioner, odpc.go.ke

The services are intended for persons aged 18 years and above. WinWin does not knowingly collect personal information from minors. Age cannot always be verified without documents, so identity and age checks may be requested.

If a parent or guardian believes a minor has provided personal data, contact the Data Protection Officer. We will delete the account and remove the information as soon as practicable, subject to legal requirements.

Personal data may be processed in other countries where our service providers and partners operate. By using the websites and services, the user consents to such international transfers.

Safeguards for international processing

• Confidentiality and security obligations are imposed on all partners handling information.
• Transfers follow Kenya’s Data Protection Act and applicable regulations on cross-border data transfer.
• Contractual safeguards and risk assessments are used to protect personal data, and access is limited to what is necessary for the service.

Your rights and protections continue to apply to personal data processed abroad.

Where this document contains a disclaimer or notice, it may clarify or limit how certain rules apply. The disclaimer takes effect when the user accepts this policy by signature, affirmative acceptance, or accession through continued use of the services.

Nothing in any disclaimer restricts rights granted by Kenya’s Data Protection Act or other mandatory laws. If there is any conflict, this policy and the applicable disclaimer govern until an updated version is published.

Cookies are small files placed on a device that help a website remember a user and understand how the services are used. We use cookies for statistics, behaviour analysis, personalisation, and site improvement.

Key points

• Types: essential, performance, functionality, and advertising or analytics cookies.
• Purpose: to operate the site, understand usage, tailor content, and measure effectiveness.
• Retention: cookies are stored for up to 1 year.

Managing cookies

• Preferences can be adjusted in the cookie banner and in browser settings. Some features may not work if certain cookies are disabled.
• Third-party cookies used for analytics or advertising are subject to the providers’ policies, which can be reviewed on their websites.

Using the services means full acceptance of this privacy policy. The current version on the website prevails over any prior versions. If material changes are made, notice will be provided where appropriate, and continued use after the effective date indicates acceptance of the updated policy.

We may share personal data in the following situations:

• Legal and regulatory: to comply with the law, regulator requests, court orders, or to protect rights and safety.
• Disputes and enforcement: to pursue or defend claims, recover debts, and enforce terms.
• Service providers: banks, payment processors, identity verification vendors, fraud prevention services, hosting, analytics, customer support tools, and marketing platforms (marketing subject to consent).
• Corporate transactions: mergers, acquisitions, or restructuring, subject to confidentiality and continued protection of information.

The main categories of partners are listed on the website. If a specific third party is not listed, users will be informed of the purpose and scope before or at the time of sharing where required. Providing personal data constitutes consent for sharing where consent is the lawful basis; in other cases, sharing is based on contract or legal obligation.

Recipients must use the information only for the agreed purposes and protect it appropriately.

Our services may include links to third-party websites that have their own privacy policies. We are not responsible for how those websites handle personal information. Users should review the privacy notices on any external site and use caution before providing data.