Bolabet

CUSTOMER PRIVACY NOTICE - BOLABET COMPANY LIMITED - REPUBLIC OF ZAMBIA

Effective date: 01 January 2026

Data controller registration / licence reference: DPC - DP000020

1. Introduction

Bolabet Company Limited (“Bolabet”, “we”, “our” or “us”) respects your privacy and is committed to the lawful, fair and secure processing of personal data. This Customer Privacy Notice explains how we collect, use, verify, analyse, disclose, transfer, retain, secure and otherwise process personal data in connection with our betting, gaming, promotional, customer-support, fraud-prevention, compliance, responsible-gambling and related business operations in Zambia.

This Notice is intended to comply with the laws of the Republic of Zambia, including the Data Protection Act, 2021, the Data Protection (Registration and Licensing) Regulations, 2021, the Financial Intelligence Centre Act, No. 46 of 2010 as amended, applicable Financial Intelligence Centre regulations and guidelines, and applicable betting, gaming, tax, audit and licence-condition requirements.

Nothing in this Notice shall limit or prejudice any obligation imposed upon Bolabet under applicable law, licence condition, regulatory directive, lawful governmental request, anti-money laundering requirement, responsible-gambling obligation, or lawful order of a competent authority.

By registering an account with Bolabet, accessing or using the Bolabet platform, submitting personal data to Bolabet, or otherwise continuing to use Bolabet’s services, you acknowledge that you have read and understood this Privacy Notice and agree to the processing of your personal data in accordance with this Notice, the Bolabet Terms and Conditions of Use, applicable gaming rules, responsible-gambling requirements, anti-money laundering obligations, and all applicable laws and regulatory requirements.

Where processing is based on consent, you may withdraw that consent in accordance with applicable law. However, certain processing activities may continue where Bolabet is required or permitted to process personal data under applicable law, regulatory obligation, legitimate interest, fraud-prevention requirement, responsible-gambling obligation, contractual necessity, or other lawful basis.

2. Who this Notice applies to

This Notice applies to current, former and prospective customers of Bolabet; users of our website, mobile or digital channels; participants in promotions, surveys, competitions and campaigns; individuals who communicate with us; visitors to our premises; and any other person whose personal data is processed by Bolabet in connection with its lawful operations.

Who we are and how to contact us

Bolabet Company Limited is a licensed betting and gaming operator in the Republic of Zambia and acts as a data controller in respect of the personal data described in this Notice, except where Bolabet clearly acts on behalf of another controller. Our contact details are as follows:

Bolabet Company Limited
Plot No. 57/411A, Corner Lukanga and Zambezi Roads, Roma, Lusaka, Zambia
General support: support@bolabet.co.zm
Data Protection Officer: Inkumbu Mwelwa
Privacy complaints and rights requests: inkumbu@bolabet.co.zm

If you are dissatisfied with our handling of your personal data, you may lodge a complaint with the Office of the Data Protection Commissioner in accordance with applicable law.

4. The personal data we collect

Bolabet may collect, receive, generate, verify, infer or otherwise process personal data that is reasonably necessary for the purposes set out in this Notice.

This may include identity and registration information such as your full names, date of birth, nationality, National Registration Card number, passport details, photographs, facial verification images where lawfully required, username and account credentials. It may include contact information such as your mobile number, email address, residential address and postal address.

It may also include financial and transactional data such as bank-account details, mobile-money details, deposits, withdrawals, payment references, betting and gaming history, source-of-funds and source-of-income information, financial-risk indicators, and records required for customer due diligence, fraud prevention and anti-money laundering purposes.

Bolabet will also process technical, device and usage data, including IP address, browser type, operating system, device identifiers, cookies, tracking identifiers, log files, geolocation data where relevant and permitted, session information, linked-device or linked-account indicators, and usage analytics.

Where relevant to operating the account, protecting the platform or meeting legal obligations, Bolabet may process betting patterns, game-play behaviour, session duration, stake levels, self-exclusion records, responsible-gambling indicators, bonus-use patterns, communications with customer support, telephone recordings, emails, chat records, SMS / WhatsApp communications, complaints, dispute material, CCTV and incident/security records.

5. Sensitive personal data, children and vulnerable persons

Bolabet does not intentionally seek or require sensitive personal data as a normal condition of registration or use of the platform unless such processing is strictly necessary, lawfully permitted and proportionate to a legitimate purpose. Where sensitive or higher-risk data is processed, it will be limited to what is necessary for compliance, security, fraud prevention, responsible-gambling interventions, law-enforcement cooperation, dispute resolution or legal proceedings, and will be handled on a strict need-to-know basis.

Because gambling services are restricted to persons aged 18 years and above, Bolabet does not knowingly permit minors to use its services. If we reasonably believe that a person under 18 has attempted to register or has submitted personal data, we may suspend or close the account, retain the minimum data necessary for compliance, fraud prevention and audit purposes, and take any other steps required by law or licence condition.

Where the law imposes additional protection for children or vulnerable persons, Bolabet will apply those safeguards and, where necessary, require consent or authority from a parent, guardian or other legally competent representative.

6. How we collect personal data

We collect personal data directly from you when you register, deposit, withdraw, place bets, participate in games, contact support, submit verification documents, respond to promotions or surveys, or otherwise interact with our services.

We also collect personal data automatically through your use of our website or digital channels, through cookies and similar technologies, through fraud-prevention and security tools, through device and network telemetry, and through CCTV or access-security systems where you visit our premises.

In addition, Bolabet may receive personal data from payment service providers, banks, mobile-money providers, identity-verification vendors, fraud-screening vendors, sanctions-screening vendors, credit-reference or risk-information providers, marketing or analytics service providers, regulators, licensing bodies, law-enforcement agencies, professional advisers, publicly available sources, and other third parties where lawful and necessary.

7. Lawful bases for processing

Bolabet processes personal data only where a lawful basis exists. Depending on the circumstances, processing may be based on your consent; the performance of a contract with you or steps taken at your request prior to entering into that contract; compliance with a legal obligation binding on Bolabet; the protection of your vital interests or those of another person; the performance of a task carried out in the public interest or in the exercise of official authority; or Bolabet’s legitimate interests, provided such interests are not overridden by your rights and fundamental freedoms.

In practical terms, Bolabet generally relies on contractual necessity to register and administer your account, process bets, handle payments, provide support and operate promotions; on legal obligation to carry out KYC/CDD, source-of-funds checks, sanctions and risk screening, suspicious-activity reporting, tax and audit compliance, and cooperation with competent authorities; on legitimate interests for fraud prevention, cyber-security, account integrity, bonus-abuse prevention, platform analytics, customer relationship management, enforcement of terms and conditions, internal investigations, legal defence, and certain responsible-gambling and harm-prevention controls; and on consent mainly for direct marketing and other optional processing where law requires consent.

Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect processing already lawfully undertaken before the withdrawal, and does not affect processing carried out on another lawful basis.

8. Purposes for which we use personal data

Bolabet uses personal data for account-opening and account administration; age and identity verification; customer due diligence and beneficial-owner checks where relevant; source-of-funds and transaction-risk assessment; deposits, withdrawals, settlement of bets and payment of winnings; delivery of betting, gaming and promotional services; customer support; dispute management; fraud prevention; cyber-security; anti-money laundering, counter-terrorist-financing and sanctions compliance; suspicious-transaction detection and reporting; internal audit and governance; legal and regulatory reporting; defence and establishment of legal claims; responsible-gambling monitoring and interventions; prevention of self-exclusion circumvention; business continuity and incident management; service improvement and analytics; and, where permitted, marketing and customer-engagement activities.

Bolabet may also use data to protect the integrity of sporting events, detect unusual patterns or collusive behaviour, prevent multi-accounting and bonus abuse, and protect customers, Bolabet and third parties from financial crime and other unlawful conduct.

9. Automated monitoring, profiling and account controls

Bolabet uses automated tools and rules-based systems, together with human review where appropriate, to assess account risk, detect suspicious activity, identify linked accounts, prevent fraud, enforce bonuses and promotions properly, support responsible-gambling measures, protect system security, and comply with legal obligations.

This may include device fingerprinting, IP analysis, velocity checks, linked-credential analysis, behavioural analytics, sanctions screening, source-of-funds triggers, document-authenticity checks, suspicious-betting alerts, and similar automated or semi-automated tools.

Bolabet may, as a result of those controls, restrict, suspend, decline, review, verify further, refuse withdrawals pending lawful review, or permanently close an account where fraud, misuse, money-laundering risk, sanctions risk, cheating, self-exclusion circumvention, underage activity, false information, security risk or other serious regulatory concerns are identified.

Where prohibited by applicable law, Bolabet will not make a material decision based solely on automated processing without appropriate review. However, this does not require Bolabet to reveal counter-fraud rules, AML methodologies, sanctions-screening logic, nor any information the disclosure of which would prejudice security, an investigation, a regulatory obligation or a prohibition against tipping-off.

10. Responsible gambling and customer protection

Bolabet is committed to responsible gambling and to the prevention of gambling-related harm. For that purpose, we may monitor and analyse account patterns, deposit and wagering behaviour, session duration, affordability indicators, voluntary disclosures, self-exclusion requests, interaction history and other relevant account signals.

Where necessary, Bolabet may apply account restrictions, cooling-off periods, deposit or wagering limits, self-exclusion measures, welfare contacts, verification requirements, or account closure. Bolabet may also retain the minimum personal data necessary to ensure that self-exclusion and related protective measures are effective and are not circumvented through a new or linked account.

Any such records will be retained only to the extent reasonably necessary for compliance, customer protection, fraud prevention, legal defence and evidentiary purposes, and will be periodically reviewed.

11. Marketing communications

Where permitted by law, Bolabet may contact you by SMS, email, WhatsApp, push notification, telephone or other electronic means regarding products, promotions, bonuses, competitions, campaigns and related marketing material.

You may opt out of direct marketing at any time. If you do so, Bolabet will suppress further direct marketing to you, but may continue to send you service, security, legal, responsible-gambling, verification and other non-promotional messages that are necessary for the administration of your account, the performance of our contract, or compliance with law.

Bolabet may retain a minimal suppression record after you opt out or object to marketing in order to ensure that your request is honoured and that prohibited marketing is not re-sent to you.

12. Sharing personal data

Bolabet may disclose personal data to carefully selected third parties where reasonably necessary and lawful, including payment service providers, banks, mobile-money providers, identity-verification vendors, KYC / AML service providers, sanctions-screening providers, fraud-prevention and cyber-security service providers, hosting and infrastructure providers, CRM and communications providers, analytics vendors, call-centre providers, gaming and platform service providers, auditors, insurers, legal and professional advisers, regulators, licensing authorities, the Financial Intelligence Centre, law-enforcement agencies, courts, and other competent authorities.

Bolabet may also disclose personal data within its corporate group, to an actual or proposed purchaser or investor in the event of a restructuring or corporate transaction, or where disclosure is necessary to establish, exercise or defend legal rights, protect customers or the business, prevent unlawful conduct, or comply with a lawful request.

Where Bolabet uses a data processor, that processor will be required to implement appropriate technical and organisational measures and will be bound by written obligations concerning confidentiality, security, restricted use, onward-processing controls, breach reporting and data-return or deletion arrangements.

13. Cross-border transfers and offshore storage

Bolabet may use service providers or systems located outside Zambia, including for hosting, fraud prevention, customer support, payment services, group administration, analytics, cyber-security and disaster recovery.

Where personal data is transferred to, accessed from, or stored outside Zambia, Bolabet will do so only in accordance with the Data Protection Act and any regulations, guidance, authorization requirement, approved standard contractual mechanism or approved intragroup scheme applicable at the time of transfer. Where authorization from the Data Protection Commissioner is required for the transfer or storage of personal data outside Zambia, Bolabet will obtain or maintain that authorization before carrying out the relevant transfer or storage arrangement.

Bolabet will also take reasonable contractual, technical and organisational steps to ensure that personal data transferred outside Zambia receives a level of protection consistent with applicable law and with this Notice.

14. Data retention

Bolabet retains personal data only for so long as it is necessary for the lawful and specific purpose for which it was collected, for so long as it remains relevant to that purpose, and thereafter only for as long as retention is required or justified by law, regulation, audit, security, fraud-prevention, responsible-gambling, dispute-resolution, evidentiary, tax, accounting or legal-claims reasons.

Because Bolabet operates in a regulated sector, different categories of records are subject to different minimum retention periods. Where more than one retention rule could apply, Bolabet will normally apply the longer lawful period, restrict the record to retention-only use where appropriate, and securely delete, destroy or anonymise the record once lawful retention and any related hold period ends. The general retention approach is summarised below:

Record Category: Active Customer Account Records

Retention Approach: Retained for the life of the account, plus any additional period necessary for legal, regulatory, audit, fraud-prevention, dispute, and contractual purposes.
Legislative Basis: Data Protection Act No. 3 of 2021: section 12(1)(b), 12(1)(c), 12(1)(e), 13(b)(i), 13(b)(ii), 13(b)(v) and 51(1)–(2).

Record Category: KYC, AML, and Sanctions Records

(Includes: Customer identification, CDD, source-of-funds, and CFTP records)

Retention Approach: Retained for a minimum of ten years after the business relationship ends or from the date of the relevant transaction. This may be extended for investigations, regulatory inquiries, legal claims, or evidentiary holds.
Legislative Basis: Financial Intelligence Centre Act No. 46 of 2010: section 22(1) and 22(2)(a).

Record Category: Financial and Transactional Records

(Includes: Wagering, deposits, withdrawals, payments, and related account activity)

Retention Approach: Retained for a minimum of ten years after the business relationship ends or from the date of the transaction, subject to any longer lawful holds.
Legislative Basis: Financial Intelligence Centre Act No. 46 of 2010: section 22(1) and 22(2)(b).

Record Category: Support, Security, and Compliance Records

(Includes: Complaints, dispute files, security logs, device/fraud markers, and responsible gambling/self-exclusion records)

Retention Approach: Retained for as long as reasonably necessary for support, security, compliance, investigations, fraud prevention, self-exclusion enforcement, and legal claims. These records are subject to periodic review.
Legislative Basis: Data Protection Act No. 3 of 2021: section 12(1)(c), 12(1)(e), 12(1)(g), 13(b)(ii), 13(b)(v), 14(1)(a), 40(1)–(3), and 51(1)–(2).

Bolabet may retain records beyond ordinary periods where there is an ongoing investigation, suspicious-activity review, litigation hold, regulatory inquiry, dispute, fraud alert, self-exclusion enforcement need, law-enforcement request or other lawful basis for extended retention.

When a record is no longer required, Bolabet will securely delete it, anonymise it, de-identify it or destroy it in a manner appropriate to the sensitivity of the record and the medium on which it is held.

15. Security and confidentiality

Bolabet implements appropriate technical, organisational, administrative and physical safeguards designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access or other unlawful processing.

These safeguards may include role-based access controls, encryption in transit and at rest where appropriate, authentication controls, audit trails, change-management controls, firewall and intrusion-prevention systems, anti-malware controls, logging and monitoring, secure vendor-management practices, staff training, confidentiality obligations, secure storage arrangements, and periodic testing and review of our security measures.

No network, application or storage environment is completely immune from risk. Bolabet therefore cannot guarantee absolute security, but it undertakes to apply and continuously improve reasonable and proportionate safeguards.

16. Security breaches

Where a security breach affecting personal data occurs, Bolabet will investigate the incident, take appropriate containment and remediation measures, maintain an internal record of the incident, and notify the Office of the Data Protection Commissioner, affected customers and any other competent authority within the time and in the manner required by law.

Where Bolabet acts as a processor for another controller, it will notify the relevant controller as soon as practicable after becoming aware of a relevant breach. Where a processor engaged by Bolabet suffers a relevant breach, the processor will be required to notify Bolabet promptly in accordance with contractual obligations and applicable law.

17. Cookies and similar technologies

Bolabet uses cookies, pixels, tags, web beacons, local storage objects and similar technologies to operate and secure its website and mobile channels, remember preferences, authenticate sessions, understand how the services are used, improve performance, prevent fraud, measure campaigns and, where permitted, support advertising and personalization.

Strictly necessary cookies may be used without separate opt-in where that is lawful. Non-essential cookies or advertising technologies will be used in accordance with applicable law and customer choices. You may manage cookies through your browser or device settings, but disabling some technologies may impair service functionality or security.

18. Your rights

Subject to applicable law and lawful limitations, you may be entitled to request access to your personal data; to request information about how it is processed; to request correction of inaccurate or incomplete data; to request deletion or erasure of data in circumstances permitted by law; to request restriction of processing; to object to certain processing activities, including direct marketing; to withdraw consent where consent is the basis for processing; to request portability of certain data; and, where applicable, not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects.

These rights are not absolute. Bolabet may decline, limit or defer a request where processing or retention is required by law; where disclosure would prejudice the prevention, detection or investigation of crime or fraud; where AML/CFTP or sanctions obligations apply; where disclosure would amount to tipping-off; where another person’s rights would be adversely affected; where records must be preserved in original form; or where the data is required for legal claims, audit, tax, accounting, responsible-gambling enforcement or evidentiary purposes.

If Bolabet cannot comply fully with a request, it will, where lawful and appropriate, explain the basis for its position.

19. How to exercise your rights

Rights requests and privacy complaints should be submitted to the Data Protection Officer using the details set out above. Bolabet may request reasonable proof of identity, proof of authority and any other information reasonably required to verify the request and locate the relevant data. Bolabet may also route requests involving AML, fraud, disputes or regulatory matters to its legal, compliance, responsible-gambling or AML functions for review before responding.

20. Third-party websites and services

Our services may contain links to third-party websites, applications, payment pages, messaging tools or content not operated by Bolabet. Bolabet is not responsible for the privacy, security or content practices of third parties. Customers should review the privacy notices of those third parties before submitting data to them.

21. Changes to this Notice

Bolabet may amend this Notice from time to time to reflect legal, regulatory, operational, security or business changes. The latest version published by Bolabet will apply from the effective date stated in the updated Notice, unless otherwise required by law.

22. Responsible gambling notice

No person under the age of 18 years is permitted to gamble. Gambling may be addictive and can cause financial and psychological harm. Bolabet reserves the right to apply responsible-gambling controls, verification procedures, self-exclusion measures and account restrictions where necessary for customer protection, legal compliance and the integrity of our services.

Back To Home