Legal
Privacy Policy
Aligned with the Tanzania Personal Data Protection Act 2022 and EU GDPR principles.
The English version of this document is the legally binding text; translations are provided for convenience.
1.Data controller
50pick Ltd, Dar es Salaam, Tanzania. Contact: support@50pick.tz. Our data protection officer (DPO) is reachable at the same address.
2.What we collect
- Identity: full name, date of birth, NIDA number, photographic ID
- Contact: phone number (E.164), region
- Financial: deposit and withdrawal records, mobile-money MSISDN, prediction activity
- Technical: IP address, device and browser fingerprint, session timestamps
- Behavioural: time on platform, reality-check responses, limit changes
3.Lawful basis
- Performance of contract: account, wallet, bet placement, settlement
- Legal obligation: KYC under the Gaming Act, AML/CFT under POCA, tax under the Income Tax Act
- Legitimate interest: fraud prevention, market-integrity monitoring, security alerting
- Consent: marketing communications (revocable any time)
4.Sharing
We share data with:
- NIDA (identity verification, mTLS)
- Mobile-money aggregator (Selcom or Azampay) for payment routing
- Source registry partners for resolution data
- Gaming Board of Tanzania, Tanzania Revenue Authority, FIU when legally compelled
- Cloud infrastructure (encrypted at rest, TZ region preferred; failover in EU AWS Frankfurt)
We never sell personal data.
5.Retention
- Account + KYC records: 7 years after closure (AML statutory)
- Prediction and transaction history: 7 years
- Audit log entries: 7 years
- Marketing preferences: until withdrawn or 2 years of inactivity
6.Your rights
- Access: request a copy of your data (delivered within 30 days)
- Rectification: correct inaccurate data
- Erasure: subject to AML retention requirements
- Portability: receive your data in a machine-readable format
- Objection: opt out of profiling for marketing
- Complaint: with the Personal Data Protection Commission of Tanzania
7.Cookies
We use a minimum-necessary set: session authentication (HMAC-signed HttpOnly cookies, 7-day TTL), theme preference, language preference. No third-party advertising or tracking cookies.
8.Security
Sessions signed with HMAC-SHA-256. OTP codes hashed with scrypt + per-OTP salt + global pepper. Passwords (when introduced) will use Argon2id. All data in transit over TLS 1.2+. At-rest encryption via AES-256 in the database tier. Annual ISO 27001 audit cadence; pentest twice a year.