LEGAL · PRIVACY POLICY

Privacy. Plain. Honest.

How BTR (Blow The Ref) (Pty) Ltd collects, uses, stores and shares personal information about fans, partners and visitors.

DRAFT · NOT YET COUNSEL-REVIEWED · SOUTH AFRICA
LAST UPDATED · 27 May 2026 · VERSION · v0.1

THE SHORT VERSION

We collect only what we need to run BTR — your email, your sport picks, your pool entries, and the device data needed to deliver the product. We never sell it. We never share it with anyone you wouldn’t expect. You can export or delete your data anytime via Account → Privacy.

§ 1

Who we are

TL;DR — IN PLAIN LANGUAGE

BTR is run by Blow The Ref (Pty) Ltd in Cape Town. We’re the data controller for everything on this site and in the app.

Blow The Ref (Pty) Ltd ("BTR", "we", "us") is a private company registered in South Africa, registration number 2025/XXXXXX/07, with its registered office at 1 Bree Street, Cape Town, 8001, Western Cape.

For the purposes of the Protection of Personal Information Act, 2013 ("POPIA"), BTR is the Responsible Party for personal information collected through www.blowtheref.com, the BTR mobile and web apps, and our partner and sponsor portals.

We are designating an Information Officer per POPIA §55. Contact details are at §6 below; registration with the Information Regulator of South Africa is pending.

§ 2

What we collect

TL;DR — IN PLAIN LANGUAGE

Your email and password. Your sport and team picks. Your pool entries and predictions. The device and network info needed to deliver the app. Wallet top-ups (via Stripe — we never see the card). KYC documents at higher pool tiers.

Account data

  • Email address, display name, password (hashed using bcrypt; we never see your plaintext password).
  • Phone number (only if you opt-in to SMS notifications or two-factor authentication).
  • Optional profile: avatar, bio, favourite teams.

Product activity

  • Predictions you submit, pool entries you join, whistles you blow, mini-games you play.
  • Lobby chat messages (retained 90 days, longer where moderation action is taken).
  • Leaderboard position and rank history.

Wallet & finance (Pools tiers only)

  • Wallet balance and transaction history in our shadow wallet (SHC) — never card numbers.
  • Stripe customer reference (tokenised); card detail lives at Stripe only.
  • For paid pools above the daily KYC threshold: ID number, document scan, selfie liveness — held only as long as POPIA + FICA require.

Device & network data

  • Browser type, OS, screen size, language, time zone.
  • IP address (we keep the country and city derived from it; the full IP is hashed after 30 days).
  • Approximate location at jurisdiction granularity only — to enforce ZA/UK pool rules.
  • Crash logs and performance traces (no personally identifying content).

What we don’t collect

We do not collect biometric data outside the KYC liveness check, we do not track you across other websites, and we do not buy data from data brokers. We do not collect special personal information (race, religion, health, etc.) and ask that you not share it in chat.

§ 3

How we use it

TL;DR — IN PLAIN LANGUAGE

To run the product, score your predictions, settle pools, prevent fraud, and keep you informed. We use anonymised, aggregated data to improve the product and write Hot Take articles.

Under POPIA §11, every use we make of your personal information must have a lawful ground. We rely on these grounds:

  • Contract — most uses (running your account, settling pools, paying you out) flow from your acceptance of our Terms of Service.
  • Legal obligation — KYC/AML record-keeping, financial settlement records, gambling-board reporting where applicable.
  • Legitimate interest — fraud prevention, security, anonymised product analytics, and aggregated editorial coverage of community whistles.
  • Consent — for marketing emails, push notifications and non-essential cookies. You can withdraw consent at any time without affecting product access.

Aggregated whistle data and Hot Takes

When the BTR community blows the whistle, we aggregate the resulting consensus and publish it in our Hot Takes editorial. Aggregated data — e.g. "94% of 12,847 fans" — is not personal information. The individual record of you blowing a whistle is personal information, and we treat it as such.

§ 4

Who we share it with

TL;DR — IN PLAIN LANGUAGE

Only the operators we genuinely need — payments (Stripe), email (Postmark), analytics (PostHog, optional), error logging (Sentry), KYC (Onfido). Never advertisers. Never data brokers. Never your name in our editorial without your explicit say-so.

BTR shares personal information only with operators ("processors" under POPIA) who help us run the service. Each is bound by a written operator agreement. Current operators:

  • Payments: Stripe Inc. (US, with EU sub-processors).
  • Hosting: Amazon Web Services (af-south-1, Cape Town).
  • Email & SMS: Postmark, Twilio.
  • Error & performance: Sentry (errors), Datadog (infrastructure metrics — no PII).
  • Analytics: PostHog (self-hosted; off by default, requires consent).
  • KYC verification: Onfido (UK), with ZA data residency option enabled.
  • Live sports data: in-house data acquisition.

We may share information with law enforcement or regulators (including the South African Information Regulator, the National Gambling Board, the SARB and FIC) only where we are legally compelled to do so. Where the law permits, we will tell you.

We never sell your personal information. We don’t share it with advertisers or social platforms for the purposes of targeted advertising.

§ 5

Where we store it, for how long

TL;DR — IN PLAIN LANGUAGE

Primary data lives in af-south-1 (Cape Town). We keep accounts as long as they’re active and follow the retention schedule below afterwards.

Primary storage is in af-south-1 (Cape Town). Backups are encrypted and replicated within the same region.

Retention schedule

  • Account data: kept while your account is active; 30 days post-deletion in encrypted backup, then purged.
  • Predictions and pool history: 7 years (FICA + gambling-board record-keeping requirement).
  • Wallet and transaction records: 7 years (FICA).
  • KYC documents: 5 years from the last transaction (FICA §22(2)).
  • Lobby chat: 90 days, longer where a moderation case is open.
  • Marketing consent records: until withdrawn, then 12 months for audit.
  • Web access logs: 30 days, then aggregated.

§ 6

Your rights

TL;DR — IN PLAIN LANGUAGE

Access. Correction. Deletion. Objection to marketing. Data portability. To exercise any of these, email privacy@blowtheref.com or use Account → Privacy. We respond inside 30 days.

Under POPIA you have the right to:

  • Be told what personal information of yours we hold (POPIA §23).
  • Request correction or deletion of inaccurate, irrelevant or excessive information (§24).
  • Object to processing for purposes other than what you agreed to (§11(3), §69).
  • Withdraw consent at any time for any purpose that relies on consent.
  • Lodge a complaint with the Information Regulator: complaints.IR@inforegulator.org.za.
  • Request your data in a portable format.

To exercise these rights, sign in and go to Account → Privacy, or email privacy@blowtheref.com. We will respond within 30 days. For complex requests we may extend by a further 30 days and will tell you why.

Information Officer

[TO BE REGISTERED], Information Officer, Blow The Ref (Pty) Ltd, privacy@blowtheref.com. Registration with the Information Regulator of South Africa pending.

§ 7

Children & minors

TL;DR — IN PLAIN LANGUAGE

BTR is 18+. Anyone under 18 is not permitted on the platform. Schools Pools raise funds for school causes but minors don’t hold accounts — only adults transact.

BTR is an 18+ service. We do not knowingly process personal information of anyone under 18. If we become aware that we hold such information, we will delete it.

Schools Pools (Donation Pools) raise funds for beneficiary schools. Pupils do not have accounts — only legal adults transact on the platform. School beneficiary information is handled under the Schools Partner Addendum.

§ 8

Security

TL;DR — IN PLAIN LANGUAGE

Encryption in transit and at rest. SSO and 2FA available. Pen-tested annually. Sentry alerts for anomalous access. Incidents notified within 72 hours per POPIA §22.

We protect personal information using appropriate technical and organisational measures (POPIA §19):

  • TLS 1.3 for all in-transit data; AES-256 at rest in AWS RDS and S3.
  • Password hashing with bcrypt; mandatory 2FA for operator (Mission Control) accounts.
  • Principle of least privilege; access reviewed quarterly; all operator access audited under our Audit Trail context.
  • Annual penetration testing by an independent CREST-accredited firm.
  • Bug bounty programme (HackerOne).

If a security compromise occurs, we will notify the Information Regulator and affected data subjects within 72 hours of becoming aware, as required by POPIA §22.

§ 9

Cookies

TL;DR — IN PLAIN LANGUAGE

We use functional cookies (required), and optional analytics and marketing cookies. You can change preferences anytime via the footer link.

For details on which cookies we set, why, and how to manage them, see our Cookie Policy.

You can update your preferences anytime via Cookie Settings in the footer.

§ 10

Updates to this policy

TL;DR — IN PLAIN LANGUAGE

When we update this policy, we bump the version, log it in the changelog, and email anyone with an active account if the change is material.

We may update this policy from time to time. When we do, we bump the version number, add an entry to the changelog at the bottom of this page, and — if the change materially affects your rights — email anyone with an active account at least 14 days before the change takes effect.

You can subscribe to legal updates only (no marketing) at policy-updates@blowtheref.com.

Changelog

27 May 2026 · v0.1 · Initial draft.

QUESTIONS?

Talk to a human.

Email privacy@blowtheref.com. For data-subject requests under POPIA or GDPR, see POPIA §4 — your rights.