Privacy & Data Protection Policy
How SlipConverter collects, uses, and protects your personal information
Who We Are
Data controller information
SlipConverter (operated by Hashback Solutions) is a bet-slip conversion utility that allows users to transform betting codes between bookmakers. We are the data controller for personal data processed through this platform.
- Operator: Hashback Solutions
- Website: https://www.slipconverter.com/
- Email: support@slipconverter.com
- Country of Operation: Kenya
Data We Collect
What personal information we hold and why
| Category | Examples | Source | Required? |
|---|---|---|---|
| Account identifiers | Username, email address, password hash | You (registration) | Yes |
| Telegram identity | Telegram ID, Telegram username, first/last name | Telegram OAuth | If using Telegram login |
| Subscription data | Plan type, expiry date, transaction reference | You (purchase) | If subscribing |
| Usage data | Conversion history, slip codes, bookmaker preferences | Platform activity | Automatic |
| Technical data | IP address, browser type, device, session tokens | Automatic | Automatic |
| Communication data | Support emails, contact-form messages | You | Optional |
What We Do NOT Collect
- Banking details, card numbers, or account credentials
- Bookmaker login credentials
- Government-issued ID or biometric data
- Health, racial, or political data
How We Use Your Data
Purposes and legal bases for processing
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Provide bet-slip conversion services | Contract performance | Account info, usage data |
| Authenticate and secure your account | Contract & Legitimate interest | Email, password hash, session tokens |
| Process subscriptions & payments | Contract performance | Subscription & transaction data |
| Send OTP & verification emails | Contract performance | Email, OTP code |
| Send password-reset emails | Contract performance | Email, reset token |
| Prevent fraud & abuse | Legitimate interest | IP address, usage patterns |
| Improve platform features | Legitimate interest | Anonymised usage data |
| Send service notifications | Legitimate interest / Consent | Email, Telegram ID |
| Comply with legal obligations | Legal obligation | As required by law |
Data Processing
How and where your data is processed
Processing Principles
We process personal data in accordance with the following principles:
- Lawfulness, fairness & transparency — we process data only on a valid legal basis and inform you openly.
- Purpose limitation — data collected for one purpose is not repurposed without notice or consent.
- Data minimisation — we collect only what is strictly necessary.
- Accuracy — we take reasonable steps to keep data accurate and up-to-date.
- Storage limitation — data is not kept longer than necessary (see Retention section).
- Integrity & confidentiality — appropriate technical and organisational measures are applied.
Automated Processing
Our platform performs automated processing for:
- Bet-slip conversion algorithms (matching odds, bookmaker codes)
- Fraud detection and rate-limiting (based on IP and usage patterns)
- Email queue processing — OTP codes and password-reset links are generated automatically and dispatched via a scheduled background job
Email Queue & OTP Processing
When you register or request a password reset, we:
- Generate a time-limited OTP or token (expires within 10–60 minutes)
- Queue the email in our internal
email_queuetable with status tracking - Send the email via our SMTP provider (Gmail / G Suite)
- Purge expired OTPs and tokens automatically
International Transfers
Your data may be processed by sub-processors outside Kenya (e.g., Google SMTP servers). Where transfers occur, we rely on standard contractual clauses or equivalent safeguards to protect your data.
Data Sharing & Third Parties
Who we share your data with and why
We share personal data only in the circumstances below:
Service Providers (Processors)
| Provider | Purpose | Data Shared |
|---|---|---|
| Google (Gmail SMTP) | Transactional email delivery (OTP, password reset) | Email address, message content |
| Telegram | Bot authentication & notifications | Telegram ID, username |
| Paystack / M-Pesa | Payment processing | Transaction reference (no card data stored by us) |
Other Disclosures
- Legal requirement: We may disclose data to comply with a court order, subpoena, or applicable law.
- Protection of rights: We may share data to protect the rights, safety, or property of SlipConverter, our users, or the public.
- Business transfer: If SlipConverter is acquired or merged, user data may transfer as part of that transaction. You will be notified.
Data Retention & Deletion
How long we keep your data
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion + 30 days | Service delivery |
| OTP codes | 10–60 minutes after generation | Security (auto-expired) |
| Password-reset tokens | 1 hour after generation | Security (auto-expired) |
| Email queue records | 30 days after sending | Audit / troubleshooting |
| Conversion history | Duration of account + 90 days | Service history |
| Transaction logs | 7 years | Legal & financial compliance |
| Audit / security logs | 12 months | Fraud prevention |
| Support communications | 2 years | Dispute resolution |
When retention periods expire, data is securely deleted or irreversibly anonymised. You may request earlier deletion — see Your Rights below.
Security Measures
How we protect your data
Technical Safeguards
- All data in transit is encrypted via TLS/SSL (HTTPS enforced)
- Passwords are stored as hashed values (bcrypt) — never in plain text
- OTP codes and reset tokens are cryptographically random and time-limited
- Session tokens are rotated on authentication and stored securely
- Rate-limiting and brute-force protection on authentication endpoints
- Database access restricted to application layer; no public DB exposure
Organisational Safeguards
- Access to production data limited to authorised personnel only
- Regular review of third-party service provider security practices
- Incident response plan in place for data breaches
Important
No online platform can guarantee absolute security. If you suspect your account has been compromised, change your password immediately and contact us at support@slipconverter.com.
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach, in line with applicable data protection regulations.
Your Rights
Control over your personal data
Right to Access
Request a copy of the personal data we hold about you.
Right to Rectification
Ask us to correct inaccurate or incomplete data.
Right to Erasure
Request deletion of your data ("right to be forgotten") where no legal obligation requires retention.
Right to Restriction
Ask us to limit how we process your data in certain circumstances.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests, including direct marketing.
Right to Withdraw Consent
Where processing is based on consent, withdraw it at any time without affecting prior processing.
Right to Complain
Lodge a complaint with the relevant data protection authority in your jurisdiction.
To exercise any of these rights, email us at support@slipconverter.com with the subject line "Data Rights Request". We will respond within 30 days. We may need to verify your identity before processing the request.
Contact & Data Protection Officer
How to reach us about privacy matters
Governing Law
This policy is governed by the laws of Kenya, including the Kenya Data Protection Act, 2019. Where users are located in other jurisdictions, we also endeavour to comply with applicable regional laws (including GDPR principles for EU residents).
Changes to This Policy
We may update this policy from time to time. We will:
- Post the updated policy on this page with a revised "Last Updated" date
- Notify registered users by email of material changes at least 14 days in advance
- Obtain fresh consent where required by law
Continued use of SlipConverter after a policy update constitutes acceptance of the revised terms.
Privacy Questions?
We're happy to help with any data privacy concerns.
Subject line: Data Rights Request — we respond within 30 days.