Privacy Policy

1. The 60-second summary

If you don't want to read the whole thing, here's what matters:

• We collect your email + password hash (if you create an account), the booking codes you paste in (to actually convert them), standard analytics (page views, referrers, country) and billing info if you pay.
• We don't sell your data. We don't share it with third parties for marketing.
• We don't access your bookmaker accounts. We don't ask for your bookmaker passwords. Booking codes are public references — that's all we work with.
• You can delete your account and all associated data at any time by emailing legal@betloy.com. We comply within 30 days.
• We comply with NDPC (Nigeria), ODPC (Kenya), POPIA (South Africa), and GDPR (EU users).

2. Who we are

Betloy is a sport tech platform operated by African Sporting Technology, registered and operating in Nigeria. Our website is betloy.com. We are a software-utility provider, not a betting operator. For privacy-related queries, contact legal@betloy.com. Our Data Protection Officer can be reached at the same address.

3. What data we collect

Information you give us directly

• Account data: email address, hashed password, display name (if set), country of residence (if set).
• Conversion data: the booking codes you paste in, the source/destination bookmakers you select, the resulting converted codes. Tied to your account if logged in; anonymous otherwise.
• Payment data: if you subscribe to a paid plan, our payment processor (Paystack / Flutterwave / Stripe) handles card details — we never see them. We only see plan tier, amount, and billing date.
• Communications: if you email us, we keep the message for support history.

Information we collect automatically

• Usage analytics: page views, time on page, referrers, anonymised country and region (city-level only). We use a privacy-focused analytics provider — no cross-site tracking.
• Device info: browser type, OS, viewport size — for layout debugging.
• IP address: hashed and stored for 30 days for security/abuse purposes only. Never linked to your account-level identity beyond that window.
• Ad impressions/clicks: if you see or click an ad on our site, we log that impression/click against the campaign ID (not against your personal identity).

4. Why we collect it

For each data type above, here's the lawful basis under GDPR / NDPC / equivalent:

• Account data — performance of our contract with you (running your Betloy account).
• Conversion data — performance of our contract (running the conversion you requested).
• Payment data — performance of our contract + legal obligation (tax / accounting compliance).
• Usage analytics — legitimate interest (improving the product) + your consent (we ask via cookie banner where required).
• Device info, IP address — legitimate interest (security, abuse prevention, layout debugging).
• Ad impressions/clicks — legitimate interest (running our ad-supported business model).

5. Who we share it with

Almost no one. The complete list:

• Payment processors (Paystack, Flutterwave, Stripe) — only the data needed to process your payment. They have their own privacy policies.
• Cloud infrastructure (AWS, hosted in eu-west-1 by default, with NG-resident replicas where regulator-required) — they store our database and serve traffic. They're contractually bound and don't access the data.
• Email provider (Postmark) — when we send you a transactional email (password reset, billing receipt), they handle the delivery.
• Analytics provider (privacy-focused, no cross-site tracking).
• Affiliate networks — when you click an affiliate link to a bookmaker, the bookmaker's affiliate network (and the bookmaker themselves) sees the click. We never share your account data with them; they only see the standard click-tracking parameters.
• Law enforcement / regulators — only when legally compelled by a valid court order or regulatory request from a relevant African data-protection authority.

We do not sell personal data. We do not share it with advertisers, marketers, or data brokers. We do not use it to train AI models.

6. Cookies and tracking

We use cookies for three things:

• Essential cookies — login session, CSRF protection. Cannot be disabled; the site doesn't work without them.
• Functional cookies — remember your preferred destination bookmaker on the converter, your last selected country on Top Betting Sites pages.
• Analytics cookies — privacy-focused analytics. Asks for consent in EU/UK and other GDPR-applicable regions.

We do not use third-party advertising cookies, retargeting pixels, or social media tracking pixels. Our ad system is first-party and impression-tracked server-side.

7. How long we keep it

• Account data: as long as your account is active. Deleted within 30 days of account closure (subject to legal retention obligations like tax records — those are kept 7 years per Nigerian tax law).
• Conversion data: 90 days for logged-in users (powers the "recent conversions" feed); anonymous conversions are deleted within 24 hours.
• Payment records: 7 years (tax compliance).
• IP addresses: hashed and stored for 30 days, then deleted.
• Email correspondence: 24 months.
• Analytics data: aggregated and retained indefinitely; raw event-level data deleted after 90 days.

8. How we protect it

• HTTPS-only across the entire site, including image and ad assets.
• Passwords hashed with bcrypt (work factor 12+).
• Database access restricted to a small list of named engineers, audit-logged.
• Production infrastructure isolated from non-production via network policy.
• Regular security reviews. Bug-bounty channel: email security@betloy.com.
• If we ever experience a data breach affecting your personal data, we'll notify you (and the relevant data-protection authority) within 72 hours per GDPR / NDPC requirements.

9. Your rights

Under GDPR / NDPC / POPIA / equivalent, you have the right to:

• Access the data we hold about you (we'll send you a JSON dump within 30 days).
• Correct any inaccurate data.
• Delete your data ("right to be forgotten") — subject to legal retention obligations.
• Restrict our processing of your data.
• Port your data to another service provider.
• Object to our processing where it's based on legitimate interest.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with your data protection authority (NDPC for Nigeria, ODPC for Kenya, ICO for UK, etc.).

To exercise any of these rights, email legal@betloy.com. We acknowledge within 48 hours and resolve within 30 days.

10. International transfers

Our infrastructure runs primarily in the EU (eu-west-1). For Nigerian users specifically, we replicate critical account data to a NG-resident database to comply with NDPC data-residency expectations. Where data leaves the country it was collected from, we use Standard Contractual Clauses (SCCs) and the equivalent African transfer mechanisms where applicable.

11. Children

Betloy is for adults aged 18 and over only. We do not knowingly collect data from anyone under 18. If you become aware that a minor has provided us with personal data, contact legal@betloy.com and we will delete it immediately.

12. Changes to this policy

If we make material changes, we'll notify you by email (if you have an account) at least 30 days before the change takes effect. The "Last updated" date at the top of this page always reflects the most recent revision. The full revision history is available on request.

13. Contact us

For privacy / data subject requests: legal@betloy.com
For general questions: hello@betloy.com
For our full contact directory, see the contact page.

If you're not satisfied with our response, you can lodge a complaint with your local data-protection authority — NDPC (Nigeria), ODPC (Kenya), Information Regulator South Africa, ICO (UK), or your country's equivalent.