Legal
Privacy Policy
1. Data Controller
TicketPress Kenya ("we", "us", "our") is the data controller for personal data collected through this Platform. We process your personal data in accordance with the Kenya Data Protection Act 2019 ("DPA 2019") and its subsidiary regulations.
2. Data We Collect
We collect the following categories of personal data:
- Account data: full name, email address, and bcrypt-hashed password when you register
- Payment data: M-Pesa phone number and transaction reference numbers. We do not store your M-Pesa PIN or full account credentials — payments are processed directly by Safaricom via their Daraja API
- Transaction data: tickets purchased, order history, amounts paid, and timestamps
- Usage data: pages visited, events viewed, search queries, and device/browser information collected via server logs
- Communication data: emails we send you and any correspondence you initiate with us
- Resale data: if you list tickets for resale, details of the listing, buyer, and withdrawal requests
We do not collect sensitive personal data as defined under section 2 of the DPA 2019 (such as race, health data, or biometric data).
3. How We Use Your Data
We use your personal data for the following purposes:
- Contract performance: processing ticket purchases, issuing QR-coded tickets, and managing your account
- Payment processing: initiating M-Pesa STK push requests and reconciling payments
- Transactional communications: order confirmations, ticket delivery, password resets, and email verification
- Security & fraud prevention: rate-limiting login attempts, detecting suspicious activity, and protecting other users
- Legal compliance: maintaining records as required by Kenyan tax and financial regulations
- Service improvement: analysing aggregated usage data to improve the Platform (no individual profiling)
We do not use your data for automated individual decision-making that produces legal or similarly significant effects.
4. Legal Basis for Processing
Under the DPA 2019, we rely on the following lawful bases:
- Contract performance (s. 30(1)(b)): processing necessary to fulfil your ticket purchase or account registration
- Legal obligation (s. 30(1)(c)): maintaining financial records as required by Kenyan law
- Legitimate interests (s. 30(1)(f)): fraud prevention, platform security, and service improvement — where these interests are not overridden by your rights
- Consent (s. 30(1)(a)): for optional marketing communications, where you have opted in
6. M-Pesa & Payment Data
Payments on this Platform are processed via Safaricom's M-Pesa Daraja API. When you make a payment:
- We transmit your phone number to Safaricom to initiate a payment request (STK push)
- Safaricom sends us a transaction confirmation containing a reference number and status
- We store the transaction reference, amount, and status — not your PIN or any Safaricom account credentials
- Safaricom's own privacy policy governs their handling of your M-Pesa data
7. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described in this Policy:
- Account data: retained for the lifetime of your account and deleted within 30 days of an account deletion request, subject to legal hold obligations
- Transaction records: retained for 7 years in accordance with Kenyan tax law requirements
- Server logs: retained for 90 days then automatically purged
- Email verification tokens: deleted immediately upon use or after 24 hours, whichever comes first
- Password reset tokens: deleted immediately upon use or after 1 hour, whichever comes first
8. Your Rights Under the DPA 2019
Under the Kenya Data Protection Act 2019, you have the following rights regarding your personal data:
- Right of access (s. 26): request a copy of the personal data we hold about you
- Right to rectification (s. 26): request correction of inaccurate or incomplete data
- Right to erasure (s. 38): request deletion of your personal data, subject to legal hold obligations
- Right to restrict processing (s. 26): request that we limit how we use your data in certain circumstances
- Right to data portability (s. 26): receive your data in a structured, commonly used, machine-readable format
- Right to object (s. 26): object to processing based on legitimate interests
- Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at privacy@ticketpress.co.ke. We will respond within 21 days as required by the DPA 2019.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords stored as bcrypt hashes — never in plain text
- Email verification tokens and password reset tokens stored as SHA-256 hashes
- All Platform traffic served over HTTPS (TLS)
- Rate limiting on authentication endpoints to prevent brute-force attacks
- Parameterised database queries throughout to prevent SQL injection
No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security and encourage you to use a strong, unique password for your account.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Your continued use of the Platform after any update constitutes acceptance of the revised Policy.
12. Contact & Complaints
For any privacy-related questions or to exercise your rights, contact our Data Protection Officer:
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at odpc.go.ke.