Privacy Policy

Effective Date: 15 June 2025 EventsPOP ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights under the Kenya Data Protection Act 2019 and applicable international standards. By using the EventsPOP app, you acknowledge that you have read and understood this policy.

1. Data Controller

EventsPOP is the data controller for personal data processed through the Platform. Contact for privacy matters: Email: privacy@eventspop.org Website: https://eventspop.org Location: Nairobi, Kenya

2. Information We Collect

Account Information: Full name, email address, phone number, password (stored as a secure hash), and account role (talent or hirer). Identity Verification (Talent only): Government-issued photo ID (national ID, passport, or driving licence) and a selfie photograph. These are used solely for identity verification and are stored securely. Profile Information: Profile photo, short biography, event categories, geographic zones, availability, experience, and languages spoken. Payment Information: For talent: M-Pesa phone number and registered account name for payout purposes. We do not store M-Pesa PINs, card numbers, or full financial account details. Payment transactions are processed by Safaricom (M-Pesa) through the Daraja API. Booking and Transaction Data: Gig history, booking status, check-in and check-out records, earnings, reliability scores, and ratings. Communications: Messages, incident reports, and support requests submitted through the Platform. Usage and Device Data: App version, device operating system type, crash reports, and feature usage patterns. We do not collect real-time GPS location. Zone selection (e.g. CBD, Westlands) is entered manually by users.

3. How We Use Your Information

We process your personal data for the following purposes: • Service Delivery: Creating and managing accounts, matching talent to hirers, processing bookings and payments. • Identity Verification: Confirming that talent are who they say they are, for platform safety. • Payments: Processing M-Pesa payouts to talent via Safaricom's Daraja API. • Safety and Trust: Reviewing incident reports, moderating conduct, and taking enforcement actions. • Notifications: Sending booking alerts, status updates, and account communications via push notification and email. • Platform Improvement: Understanding usage patterns to improve features (using anonymised, aggregated data). • Legal Compliance: Complying with Kenyan law, responding to lawful requests from authorities, and enforcing our Terms of Service. We process your data on the legal bases of: performance of contract, legitimate interests, legal obligation, and (for sensitive data such as identity documents) explicit consent.

4. Information Sharing

We do not sell your personal data. We share data only in the following circumstances: Between Users: Talent profile information (name, photo, bio, categories, zones, ratings) is visible to hirers. Hirer company names and ratings are visible to talent. Contact details are not shared directly between users; communication occurs through the Platform. Service Providers: • Supabase Inc. — database and authentication infrastructure (servers may be located outside Kenya; see Section 11) • Safaricom PLC (M-Pesa / Daraja API) — payment processing for escrow and payouts • Push notification providers — for delivering in-app notifications All third-party processors are bound by data processing agreements and are required to protect your data. Legal Requirements: We may disclose your data to law enforcement, courts, or regulatory bodies when required by law, court order, or where we believe disclosure is necessary to prevent imminent harm. Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections. Safety Emergencies: Where we believe there is an imminent risk to the life or safety of any person, we may share relevant information with emergency services or law enforcement without prior notice.

5. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide our services. Upon account deletion: • Profile and booking history data is deleted or anonymised within 30 days; • Identity verification documents are deleted within 30 days; • Financial transaction records are retained for 7 years as required by Kenyan tax and financial regulations; • Incident reports involving legal proceedings may be retained until the matter is resolved. You can request early deletion of specific data types by contacting privacy@eventspop.org.

6. Your Rights

Under the Kenya Data Protection Act 2019, you have the right to: • Access: Request a copy of the personal data we hold about you; • Correction: Request correction of inaccurate or incomplete data; • Deletion: Request deletion of your personal data (subject to legal retention obligations); • Portability: Request your data in a structured, machine-readable format; • Objection: Object to processing based on legitimate interests; • Restriction: Request restriction of processing in certain circumstances; • Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing. To exercise any of these rights, contact us at privacy@eventspop.org. We will respond within 21 days. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at www.odpc.go.ke.

7. Account Deletion

You can delete your EventsPOP account at any time from the Settings screen within the app, or by emailing privacy@eventspop.org with the subject line "Account Deletion Request". Upon verified deletion request: • Your profile is immediately hidden from other users; • Personal data is permanently deleted within 30 days; • Anonymised booking transaction records may be retained for fraud prevention and regulatory compliance; • Financial records required by law are retained per Section 5. Deleted accounts cannot be recovered.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include: • Encryption of data in transit (TLS) and at rest; • Secure, access-controlled infrastructure via Supabase; • Role-based access controls limiting staff access to personal data; • Regular security reviews. No system is completely secure. In the event of a data breach that poses a risk to your rights, we will notify you and the ODPC as required by law.

9. Children's Privacy

EventsPOP is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will delete that data immediately. If you believe a minor has registered on the Platform, please contact us at privacy@eventspop.org.

10. Cookies and Tracking

The EventsPOP mobile app does not use advertising cookies or third-party tracking pixels. We use minimal session-based storage solely to maintain your login state. We do not track your activity across other apps or websites.

11. International Data Transfers

Our infrastructure is provided by Supabase Inc., whose servers may be located in the United States or European Union. By using EventsPOP, you consent to your personal data being transferred to and processed in these jurisdictions. We ensure such transfers are governed by appropriate safeguards, including data processing agreements consistent with applicable data protection standards. Identity verification documents are treated with the highest level of protection regardless of storage location.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to you via in-app notification or email at least 14 days before taking effect. The effective date at the top of this document will be updated accordingly. Continued use of the Platform after the effective date of any changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy questions, data requests, or concerns: Email: privacy@eventspop.org Website: https://eventspop.org EventsPOP Nairobi, Kenya For complaints: Office of the Data Protection Commissioner (ODPC) www.odpc.go.ke