How we handle your information.

The Bestbet platform (the “Service”) is owned and operated by Tshintsha Trade (Pty) Ltd t/a Bestbet(registration number 2015/389865/07), with its registered address at 204 Palmer Crescent, Leopard Park, Mafikeng, 2745, South Africa (the “Company”, “we”, “us”, “our”).

For the purposes of POPIA, the Company is the “Responsible Party” in respect of personal information collected through the Service. Any reference to “you” means the natural person whose personal information is being processed, whether you are a visitor, registered user, subscriber, or contributor.

The Information Officer for the Company is contactable at info@bestbet.co.za. The Information Officer is registered with the Information Regulator of South Africa as required by section 55 of POPIA.

This policy applies to personal information we collect from or about you when you visit the public Bestbet website, register an account, subscribe to a plan, use the live tip feed, participate in the community chat, or otherwise interact with the Service.

The Service is operated from the Republic of South Africa. By using the Service you acknowledge that personal information may be processed in, or transferred to, jurisdictions outside South Africa as set out in Section 10 below.

This policy does not apply to third-party websites, bookmakers, payment processors, or social platforms that you may navigate to from the Service. Each of those parties has its own privacy practices, which we encourage you to review.

We process the categories of personal information described below. Where information is provided to us voluntarily, providing inaccurate or incomplete information may limit your ability to use parts of the Service.

3.1 Information you provide directly

• Account information. Email address, display name, password (stored as a salted hash by our authentication provider), and optionally a profile photo if you sign in via an OAuth provider such as Google.
• Profile information. Information you choose to add to your profile, such as preferred sports, display preferences, and tier-related metadata.
• Subscription information. Billing name, billing email, plan selection, and billing history. Card or banking details are not stored on our systems and are handled exclusively by our PCI-DSS compliant payment processor.
• Community content. Messages you post in chat, feedback, support emails, and any other content you choose to share through the Service.
• Identity verification. Where required by law, for fraud prevention, or in response to a compliance request, we may ask for identity documents to confirm your age and identity. We retain only the minimum necessary information for the minimum necessary period.

3.2 Information collected automatically

• Device and connection data. IP address, approximate geolocation derived from IP, browser type and version, operating system, device model, screen size, language setting, and time zone.
• Usage data. Pages visited, features used, tipsters followed, filters applied, click and scroll events, error logs, session duration, and timestamps.
• Cookies and similar storage. See our Cookies Policy for a full breakdown of what we set, why, and how to control it.

3.3 Information from third parties

• OAuth providers. If you sign in via Google or another supported provider, we receive a limited profile (name, email, profile picture, OAuth identifier).
• Payment processor. Subscription status, transaction outcomes, and refund events. We do not receive your full payment card details.
• Tip data sources. Tipster picks, ledgers, and fixture metadata sourced from our WordPress backend and the AiOdds data engine. This is published content and does not, in the ordinary course, contain end-user personal information.

Section 11 of POPIA requires a lawful basis for every act of processing. Our purposes and the corresponding basis are set out below.

• To provide the Service (creating and maintaining your account, authenticating sign-ins, displaying tips and ledgers, operating chat, processing subscriptions). Basis: performance of a contract with you (section 11(1)(b)).
• To take steps at your request before entering into a contract (account creation, waitlist sign-up). Basis: performance of a contract.
• To comply with a legal obligation(tax record-keeping, anti-fraud measures, age verification, responding to lawful requests from regulators or courts). Basis: compliance with an obligation imposed by law (section 11(1)(c)).
• To protect a legitimate interest(preventing fraud and abuse, securing the Service, debug and error investigation, measuring aggregate usage, enforcing our Terms). Basis: legitimate interests of the Company or a third party (section 11(1)(f) and (d)).
• With your consent (optional marketing communications, optional analytics beyond what is essential). Basis: your voluntary, specific and informed consent (section 11(1)(a)). You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

We will not use your personal information for a purpose that is not reasonably related to one of the purposes above without your further consent or unless we are required to do so by law.

We share personal information only where it is necessary to operate the Service, to meet a legal or regulatory obligation, or to protect the rights of the Company, our users, or third parties. Our standard recipients (operators under POPIA) are listed below.

• Authentication and database. Google LLC (Firebase Authentication and Cloud Firestore) for sign-in, session management, chat storage, and user profile storage.
• Hosting and content delivery. Vercel Inc. and its sub-processors for application hosting and edge content delivery.
• Tip data backend. Our own WordPress installation (operated on infrastructure controlled by the Company) for tipster profile data, tip records, and the settled ledger.
• Payment processing. A licensed payment service provider that handles card and EFT transactions in compliance with PCI-DSS. We receive transaction confirmations only; full card data is not exposed to or stored by us.
• Email. A transactional email provider for account, billing, and support emails.
• Analytics and error monitoring. An aggregated analytics provider and an error monitoring tool, configured to minimise identifying data. Data is used to understand product usage in aggregate and to detect production errors.
• Professional advisers. Our auditors, lawyers, and accountants, bound by professional confidentiality.
• Regulators, law enforcement and courts. Where a lawful request is made, where we are required to disclose by law, or where disclosure is necessary to protect the Company's rights or the safety of any person.
• Successors in interest. In the event of a merger, acquisition, restructure, or asset sale, personal information may form part of the assets transferred, subject to the recipient continuing to honour this policy.

All operators are required by written contract to process personal information only on our instructions and to maintain appropriate security measures, as required by sections 20 to 21 of POPIA.

Some information is published intentionally and is therefore visible to other users of the Service or to the wider public:

• Your display name and avatar in the community chat and on any tipster ledger you publish.
• If you participate as a tipster, your tipster handle, picks, settled outcomes, ROI, and other ledger information are by design public and form part of the append-only ledger that defines the Service.

Once content is posted to chat or the ledger you should treat it as public and effectively permanent. The ledger is append-only by design (see Section 13 of our Terms).

If you operate as a tipster on the Service, the tip data you publish is treated as your published expression and is recorded on the ledger. Once a tip is published it cannot be altered, redacted or removed by the tipster, and outcomes are settled automatically against the price called at the time of publication.

This is a foundational design principle of the Service and is reflected in our Terms. By posting as a tipster you accept that the ledger entry is a permanent record of your published activity. You acknowledge that this design serves a legitimate interest in transparency, fraud prevention and consumer protection.

Section 14 of POPIA requires that personal information must not be retained for longer than is necessary. Our retention is set out below. Where multiple periods could apply, we apply the longest applicable lawful period.

• Active accounts: kept for the lifetime of the account and for a reasonable wind-down period after closure.
• Subscription and billing records: retained for at least five (5) years from the end of the relevant tax year, as required under the Tax Administration Act 28 of 2011.
• Identity verification documents: retained for five (5) years from the date of verification or as otherwise required by anti-money laundering and consumer protection legislation, after which they are securely destroyed.
• Chat messages: retained for the operating life of the Service. Messages flagged for moderation or compliance may be retained for longer where necessary to respond to a regulatory request or to defend a legal claim.
• Tipster ledger entries: retained indefinitely by design. The integrity of the ledger depends on it.
• Server logs, error logs and audit logs: retained for up to twelve (12) months.
• Marketing preferences: retained until you withdraw consent or for two (2) years of inactivity, whichever is sooner.

When we no longer need personal information, we delete it or de-identify it so that it can no longer be associated with you. De-identified data may be retained indefinitely for statistical and research purposes.

We have implemented appropriate, reasonable technical and organisational measures to safeguard the integrity and confidentiality of personal information, as required by section 19 of POPIA. These include:

• TLS encryption in transit for all client-server communication.
• Encryption at rest for personal information held by our infrastructure providers, in line with their published standards.
• Role-based access control to our administrative systems, with audit logging.
• Strong password requirements, support for OAuth sign-in, and session management.
• Routine vulnerability monitoring and dependency review.
• A documented internal procedure for responding to security incidents and notifying the Information Regulator and affected data subjects in accordance with section 22 of POPIA.

No method of electronic storage or transmission is one hundred percent secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security and we accept no liability for any unauthorised access, loss or interference that occurs despite reasonable security measures being in place.

Some of the operators we use (notably Google LLC for Firebase Authentication and Cloud Firestore, and Vercel Inc. for hosting) process personal information outside South Africa, principally in the European Union and the United States.

In accordance with section 72 of POPIA, we transfer personal information across borders only where one of the following applies:

• the recipient is subject to a law or binding scheme that provides an adequate level of protection;
• the transfer is governed by binding contractual terms requiring the recipient to comply with standards substantially similar to POPIA (Standard Contractual Clauses or equivalent);
• the transfer is necessary for the performance of a contract between you and us;
• the transfer is necessary for the conclusion or performance of a contract between us and a third party that is in your interest; or
• you have consented to the transfer.

POPIA gives you the following rights in respect of personal information that we process about you. Each is exercisable by contacting our Information Officer using the details in Section 14.

• Right to be notified that personal information is being collected and to know the purpose (section 18).
• Right of access to confirm whether we hold personal information about you and to request a copy, subject to a reasonable verification process and the limits of section 23.
• Right to correction or deletion of personal information that is inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading or unlawfully obtained (section 24).
• Right to object to processing that is based on the Company's legitimate interests, or to direct marketing by electronic communication (sections 11(3) and 69).
• Right to withdraw consent in respect of any processing where consent is the lawful basis.
• Right to lodge a complaint with the Information Regulator (section 74).

Some of these rights are not absolute and may be limited where we are required to retain information for legal, regulatory, or audit purposes, or where the information forms part of the permanent tipster ledger. We will explain any limitation if we need to rely on one.

The Service is not intended for, and may not be used by, persons under the age of eighteen (18) years. We do not knowingly collect personal information from children. If you become aware that a child has provided personal information to us, please contact the Information Officer and we will take steps to delete that information promptly.

We do not send unsolicited direct marketing. We will only send you marketing communications where you have opted in or where permitted by section 69(3) of POPIA in relation to an existing customer. You can opt out at any time using the unsubscribe link in any marketing email, or by emailing the Information Officer.

Information Officer:
Tshintsha Trade (Pty) Ltd t/a Bestbet
Registration number: 2015/389865/07
204 Palmer Crescent, Leopard Park, Mafikeng, 2745
South Africa
Email: info@bestbet.co.za

If you are not satisfied with the way we have handled your personal information you may lodge a complaint with the Information Regulator of South Africa:

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: inforeg@justice.gov.za

We may update this Privacy Policy from time to time. Where a change is material, we will give you reasonable notice through the Service or by email before it takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy. The current version is always available at this URL with its effective date at the top.