Privacy Policy

BidaXP is a digital platform offering event ticketing, virtual events, training, wallet payments, and community features. For the purposes of applicable data protection law, BidaXP is the data controller responsible for the personal information you provide when using the Platform.

Our Data Protection contact is reachable at privacy@bidaxp.com. We are based in Nairobi, Kenya and operate primarily in accordance with the Kenya Data Protection Act 2019.

We collect the following categories of personal information:

We collect only the minimum data necessary to provide our services. We do not collect sensitive personal data (e.g., biometric data, health information, or financial account numbers) unless specifically required and disclosed.

We collect your personal information through the following means:

• Directly from you — when you register an account, purchase tickets, fill in attendee details, top up your wallet, send messages, or contact support.
• Automatically — when you use the Platform, we collect technical and usage data via server logs, session cookies, and analytics tools.
• From third parties — Paystack shares transaction outcome data with us to confirm payment status. Social login providers (if used) share basic profile data in accordance with their own policies and your settings.

We use your personal information to:

• Create and manage your account and authenticate your identity.
• Process ticket purchases, issue electronic tickets and QR codes, and manage order records.
• Operate and credit your BidaXP Wallet and process payments via Paystack.
• Send transactional communications: order confirmations, ticket delivery, payment receipts, and event reminders.
• Provide access to virtual events, training content, and quizzes.
• Enable chat and messaging between users attending the same event.
• Personalise your experience, including recommending relevant events.
• Detect, prevent, and investigate fraud, abuse, and security incidents.
• Comply with legal obligations including financial record-keeping and tax compliance.
• Improve the Platform through aggregated usage analytics.
• Send you marketing communications about BidaXP events and features — only if you opt in.

Under the Kenya Data Protection Act 2019, we rely on the following lawful bases for processing your personal data:

• Contract performance — Processing necessary to fulfil our obligations to you (e.g., issuing your ticket, processing your wallet payment).
• Legitimate interests — Processing for fraud prevention, platform security, and service improvement, where these interests do not override your rights.
• Consent — For marketing communications and non-essential cookies. You can withdraw consent at any time.
• Legal obligation — Where we are required to retain or disclose data by Kenyan law (e.g., financial records under the Income Tax Act).

We do not sell your personal data. We share it only in the following limited circumstances:

• Event Organisers: When you purchase a ticket, your attendee information (name, email, mobile number) is shared with the event organiser to manage check-in, communication, and event delivery. Organisers are required to handle this data lawfully and only for event purposes.
• Paystack: Our payment processor receives information necessary to process your payment (email, payment amount, reference). Paystack is a licensed and PCI-DSS certified payment provider. See Paystack's Privacy Policy for details.
• Cloud Infrastructure: We use secure cloud hosting services. Your data is stored on servers that may be located in the EU, US, or other regions — see Section 12.
• Analytics Tools: We may use aggregated and anonymised usage data with analytics providers to understand Platform performance. No personally identifiable information is shared.
• Law Enforcement: We may disclose your data when required to do so by a court order, legal process, or governmental authority in Kenya or applicable jurisdictions.
• Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of the transaction. You will be notified of any such change.

BidaXP uses cookies and similar tracking technologies to operate the Platform and improve your experience.

You can manage or disable non-essential cookies through your browser settings or our cookie preference centre. Disabling essential cookies will affect Platform functionality.

We retain your personal data only for as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law:

• Account data — Retained for the life of your account, plus 12 months after closure to allow reinstatement or resolve disputes.
• Ticket & order records — Retained for 7 years to comply with financial record-keeping obligations under Kenyan law.
• Payment transaction records — Retained for 7 years as required by the Kenya Revenue Authority and financial regulations.
• Chat & message logs — Retained for up to 12 months, then anonymised or deleted.
• Technical/log data — Retained for up to 90 days for security and debugging purposes.

When data is no longer required, we securely delete or irreversibly anonymise it.

Under the Kenya Data Protection Act 2019, you have the following rights regarding your personal data:

To exercise any of these rights, contact us at privacy@bidaxp.com. We will respond within 30 days. We may need to verify your identity before processing your request. Some rights may be limited where we have a legal obligation to retain data.

If you are dissatisfied with our handling of your data or your rights request, you may lodge a complaint with the Office of the Data Protection Commissioner of Kenya at odpc.go.ke.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:

• 256-bit TLS/SSL encryption for all data in transit.
• Encrypted storage of sensitive data (passwords are hashed using a bcrypt-equivalent algorithm and are never stored in plaintext).
• Strict access controls — Platform data is only accessible to staff who need it to perform their role.
• Payment processing via Paystack's PCI-DSS Level 1 certified infrastructure — we do not store card numbers or mobile money PINs.
• Regular security reviews and vulnerability assessments.
• JWT-based API authentication with short-lived tokens.

BidaXP is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal information without parental consent, please contact us at privacy@bidaxp.com and we will promptly delete such data.

Parents or guardians who create accounts on behalf of minors for supervised event attendance are responsible for ensuring the account is used appropriately under their supervision.

BidaXP operates primarily within Kenya. However, some of our service providers (including cloud hosting, video infrastructure via Daily.co and Mux, and analytics tools) are based outside Kenya and may process your data in countries including the United States and European Union.

Where data is transferred internationally, we ensure appropriate safeguards are in place, including:

• Contractual data protection clauses aligned with the Kenya Data Protection Act.
• Use of providers that maintain recognised certification frameworks (e.g., ISO 27001, SOC 2, EU SCCs where applicable).

By using BidaXP, you acknowledge that your data may be processed outside Kenya as described above.

We may update this Privacy Policy periodically to reflect changes in law, our practices, or Platform features. When we make material changes we will:

• Update the "Effective" date at the top of this page.
• Notify registered users by email and/or an in-Platform notice at least 14 days before the changes take effect.

Continued use of the Platform after the effective date of any update constitutes your acceptance of the revised Policy. If you do not agree, you may close your account before the changes take effect.

For any privacy-related questions, requests to exercise your rights, or concerns about how we handle your personal data, please contact us:

• Privacy / DPO Email: privacy@bidaxp.com
• General Support: support@bidaxp.com
• In-platform: Use the Help & Support form in your account settings.
• Postal Address: BidaXP, Nairobi, Kenya

We aim to acknowledge all privacy enquiries within 5 business days and provide a full response within 30 days.