🎱
Minilotto
SYSTEM_PROTOCOL :: Privacy_Policy

Privacy Policy

How we collect, use, and protect your personal information.

Effective Date: March 28, 2026  |  Last Updated: March 28, 2026

1.0 :: INTRODUCTION

Minilotto Ltd. (“we”, “our”, or “us”) is committed to protecting the privacy and personal data of all individuals who use our platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal information in connection with our online lottery and gaming services, including the Minilotto player platform, wallet services, and related applications (collectively, the “Platform”).

Minilotto operates under a licence issued by the Betting Control and Licensing Board of Zambia (BCLB) in accordance with the Lotteries Act (Chapter 163 of the Laws of Zambia) and the Betting Control Act (Chapter 164 of the Laws of Zambia). As a licensed lottery operator, we are legally required to collect and process certain personal data to comply with our licence conditions, Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) obligations under the Prohibition and Prevention of Money Laundering Act No. 14 of 2001 (as amended), Know Your Customer (KYC) requirements, and responsible gambling duties.

This Privacy Policy is issued in compliance with the Data Protection Act No. 3 of 2021 (Laws of Zambia). Minilotto is registered as a data controller with the Office of the Data Protection Commissioner of Zambia in accordance with section 19 of the Data Protection Act 2021.

By registering an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.

2.0 :: DATA_CONTROLLER

Minilotto Ltd. is the data controller responsible for the personal information collected through this Platform, registered with the Office of the Data Protection Commissioner of Zambia. For all privacy-related enquiries, please contact our Data Protection Officer (DPO):

ENTITY: Minilotto Ltd.

EMAIL: privacy@minilotto.com

SUBJECT_LINE: Data Privacy Request

RESPONSE_SLA: Within 30 days of receipt

REGULATOR: Betting Control and Licensing Board of Zambia (BCLB)

DATA_COMMISSIONER: Office of the Data Protection Commissioner, Zambia

3.0 :: INFORMATION_WE_COLLECT

We collect the following categories of personal data directly from you at registration, during Platform use, and through automated technical means. Collection is limited to what is strictly necessary for the stated purposes, in accordance with section 24 of the Data Protection Act 2021:

3.1 Identity & Registration Data

Your first name, last name, and National Registration Card (NRC) number. This information is mandatory under our BCLB licence conditions to verify your legal identity and confirm your eligibility to participate. Your NRC number is stored in a write-protected field and is never exposed through any public-facing interface. Collection of this data is a legal obligation; without it, we cannot lawfully permit you to participate.

3.2 Contact Data

Mobile phone number (MSISDN) and email address. Your MSISDN serves as your unique account identifier and primary login credential. It is used to send transactional notifications, process mobile money payments, notify you of game outcomes, and contact you regarding account and regulatory matters — including prize notifications required under the Lotteries Act.

3.3 Authentication & Security Data

Your password is stored in an irreversibly hashed format (bcrypt). We retain a history of your last five password hashes to prevent reuse. Session access is managed via short-lived JSON Web Tokens (JWT) with a 30-minute expiry, alongside a 7-day refresh token stored server-side. Your IP address is captured at login and on each authenticated request for fraud detection and audit purposes; it is not exposed through any public-facing interface.

3.4 Wallet & Financial Data

Your in-platform token balance, wallet transaction ledger (including credit and debit entries with running balances), and a complete history of all token purchase transactions. Each token purchase record includes the amount in Zambian Kwacha (ZMW), the mobile number used, the mobile network (MTN Zambia), the transaction reference, and the payment status. This data is retained as a mandatory record under our licence conditions and the Prohibition and Prevention of Money Laundering Act.

3.5 Gameplay & Participation Data

Records of every game you enter, including the game identifier, slot numbers purchased, tokens spent, game outcomes (win or loss), and dates of participation. Winner data — including the winning user’s identity, slot number, and prize details — is retained permanently as part of our regulatory audit trail under the Lotteries Act. Unclaimed prize records are retained for a minimum of seven years to support any future regulatory enquiry.

3.6 Technical & Device Data

IP address, request timestamps, API endpoint accessed, and session metadata are logged for every authenticated request. This data is captured by our traffic monitoring system and used for fraud detection, platform security, abuse prevention, rate limiting, and regulatory audit compliance. A service worker is installed on your device to cache static assets for offline functionality; it does not collect or transmit any personal data.

3.7 Referral Programme Data

A unique referral code is generated for each account at registration. If you were referred by another user, that relationship is recorded solely for the purpose of crediting applicable token bonuses. Referral data is not shared with third parties.

3.8 Contact & Support Messages

If you submit an enquiry via our contact form, we collect your name and message content. This is used solely to respond to your enquiry and is reviewed and recorded by our support team.

4.0 :: LEGAL_BASIS_FOR_PROCESSING

Under section 25 of the Data Protection Act 2021, processing of personal data must be lawful and based on one of the following grounds. We rely on the following bases:

  • [CONTRACT]Processing is necessary to perform our contract with you — enabling account registration, token purchases via MTN Mobile Money, game participation, and prize disbursement in accordance with lottery rules.
  • [LEGAL_OBLIGATION]We are legally required to collect and retain identity, financial, and transactional data under our BCLB licence conditions, the Lotteries Act (Cap. 163), the Betting Control Act (Cap. 164), the Prohibition and Prevention of Money Laundering Act, the Financial Intelligence Centre Act No. 46 of 2010, and the Zambia Revenue Authority Act. Certain data cannot be deleted on request because of these mandatory obligations.
  • [LEGITIMATE_INTEREST]We process technical and behavioural data to detect and prevent fraud, maintain platform security, enforce rate limits, and manage the integrity of our audit and approval workflows — where these interests are not overridden by your fundamental rights under the Data Protection Act 2021.
  • [CONSENT]Where we send marketing communications, we do so only on the basis of your explicit, freely given, and informed consent in accordance with section 28 of the Data Protection Act 2021. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5.0 :: HOW_WE_USE_YOUR_DATA

Your personal data is used strictly for the following purposes, each of which is specified at the point of collection in accordance with section 26 of the Data Protection Act 2021:

  • Creating and managing your account, including identity verification and age confirmation using your NRC number, as required by our BCLB licence
  • Processing token purchases via MTN Mobile Money and maintaining your immutable wallet ledger
  • Managing game entries, real-time slot availability, winner selection, and prize notifications within the 90-day claim window required under the Lotteries Act
  • Logging all platform actions in our audit trail for compliance with BCLB reporting obligations and the Lotteries Act record-keeping requirements
  • Enforcing a two-person maker-checker approval workflow for all manual wallet credit operations
  • Detecting and preventing fraud, money laundering, and suspicious financial activity; filing Suspicious Activity Reports (SARs) with the Financial Intelligence Centre (FIC) where required under the Financial Intelligence Centre Act
  • Generating financial reconciliation reports and transaction export records for submission to the BCLB and ZRA
  • Sending transactional notifications about game outcomes, prize wins, and wallet activity
  • Administering the referral programme and crediting applicable token bonuses
  • Responding to support and contact form submissions
  • Monitoring gameplay and spending patterns to identify problem gambling indicators and fulfil responsible gaming licence obligations
  • Generating anonymised aggregate statistics (active users, game totals, platform metrics) for operational monitoring — no individual is identifiable in these statistics
  • Sending marketing communications where you have given explicit consent

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects, as prohibited under section 38 of the Data Protection Act 2021, except where required by our AML/CFT obligations.

6.0 :: DATA_SHARING_AND_THIRD_PARTIES

We do not sell your personal data. Disclosure is made only where we have a lawful basis and only to the extent strictly necessary, in accordance with sections 36 and 37 of the Data Protection Act 2021:

6.1 Betting Control and Licensing Board (BCLB)

As our licensing authority, the BCLB may require us to provide identity records, financial data, game participation records, audit logs, and reconciliation reports at any time as a condition of our licence under the Lotteries Act (Cap. 163). We comply with all such requests as a legal obligation.

6.2 Financial Intelligence Centre (FIC)

Under the Financial Intelligence Centre Act No. 46 of 2010, we are required to file Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) with the FIC where transactions or behaviour meet the relevant reporting thresholds. This reporting is mandatory and cannot be withheld. We are prohibited by law from informing you that such a report has been filed.

6.3 Zambia Revenue Authority (ZRA)

We are required to report prize winnings and financial transactions to the Zambia Revenue Authority as required by Zambian tax legislation. Winners may be subject to withholding tax on prize values in accordance with the Income Tax Act.

6.4 MTN Zambia (Mobile Money Payment Processing)

When you purchase tokens, your MSISDN, full name, email address, transaction amount (in ZMW), and a unique transaction reference are transmitted to MTN Zambia’s Mobile Money API to initiate and confirm payment. We retain MTN’s payment reference (flwRef) alongside our internal transaction reference in our ledger for reconciliation, dispute resolution, and regulatory audit purposes. MTN processes this data in accordance with their own privacy policy and applicable Zambian financial services regulations.

6.5 Google Cloud Platform (Non-Personal Data Only)

Prize images uploaded via our administration platform are stored in a dedicated Google Cloud Storage bucket. No personal data relating to players is stored in Google Cloud. All personal data — including account records, wallet data, transaction history, and audit logs — is stored in database infrastructure hosted within the Republic of Zambia, in compliance with the data localisation requirement under section 72 of the Data Protection Act 2021. The Google Cloud data processing agreement is in place in accordance with section 37 of the Data Protection Act 2021.

6.6 Authorised Internal Personnel

Access to personal data through our administrative dashboard is restricted to authorised personnel in the roles of Administrator, Super, or Moderator. All access is authenticated via JWT, permission-scoped to specific granted authorities, and logged in our immutable audit trail. Manual wallet credits require a second authorised approver under our maker-checker control; no single employee may act unilaterally on any financial record.

6.7 No Third-Party Analytics or Advertising

We do not integrate any third-party analytics services, advertising networks, social media pixels, or external tracking technologies into our player-facing platform. All platform usage data is processed internally.

7.0 :: DATA_LOCALISATION

In accordance with section 72 of the Data Protection Act No. 3 of 2021, all personal data collected through the Minilotto Platform is processed and stored on servers and data infrastructure located within the Republic of Zambia. This includes:

  • All user account and identity data (including NRC numbers) stored in our PostgreSQL database
  • All wallet, financial transaction, and ledger data
  • All gameplay, audit log, and approval records
  • All session and authentication data stored in our Redis instance

The sole exception is prize imagery (non-personal data) stored in Google Cloud Storage, as disclosed in section 6.5 above. No personal data of players is stored outside Zambia.

Any future change to our hosting arrangements that would involve cross-border transfer of personal data will be subject to the prior approval of the Data Protection Commissioner and will be communicated to users in accordance with section 14.0 of this Policy.

8.0 :: DATA_RETENTION

We retain personal data only for as long as necessary to fulfil the stated purposes and to comply with legal obligations, in accordance with section 31 of the Data Protection Act 2021. Retention periods are set by reference to our BCLB licence conditions, AML legislation, and operational necessity:

  • Account and identity records (including NRC data): minimum 5 years from account closure, in line with AML retention requirements
  • Wallet and financial transaction records (token purchases, ledger entries): minimum 5 years from the date of transaction under the Prohibition and Prevention of Money Laundering Act
  • Gameplay and participation records, winner data: permanent retention as required by the Lotteries Act and BCLB licence conditions
  • Unclaimed prize records: minimum 7 years from the date of the relevant draw, consistent with licence obligations
  • Audit log and approval records: 5 years from the date of the logged event
  • SAR-related records: minimum 5 years in accordance with the Financial Intelligence Centre Act
  • IP address and traffic logs: 12 months, or longer where required for an ongoing investigation or regulatory enquiry
  • JWT refresh tokens: 7 days from issuance; automatically purged upon expiry
  • Password history hashes: retained for the lifetime of the active account
  • Marketing consent records: until consent is withdrawn, plus 2 years

Where data is no longer required and no lawful basis for retention exists, we securely delete or irreversibly anonymise it. Our data destruction procedures are documented and available to the BCLB upon request.

9.0 :: SECURITY_MEASURES

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, in accordance with section 30 of the Data Protection Act 2021:

  • AES-256 encryption for sensitive data at rest; TLS for all data in transit
  • Irreversible bcrypt hashing for all stored passwords, with password reuse prevention across the last five passwords
  • Short-lived JWT access tokens (30 minutes) with rotating 7-day refresh tokens stored server-side in Redis
  • Role-based access control (RBAC) with granular permission scoping on all admin and API operations
  • Sensitive fields (NRC number, password, IP address) are write-protected or excluded from all public GraphQL queries and responses
  • Immutable audit logging of all sensitive actions with actor identity, timestamp, and context
  • Maker-checker dual-authorisation for all manual financial operations; the initiating user cannot approve their own request
  • API rate limiting (30 requests per 10 seconds) and GraphQL query depth restriction (maximum depth: 10) to prevent abuse and denial-of-service attacks
  • IP address logging on all authenticated requests for real-time fraud detection

In the event of a personal data breach, we will notify the Data Protection Commissioner within 72 hours of becoming aware of the breach, in accordance with section 43 of the Data Protection Act 2021. Where the breach is likely to result in high risk to your rights, we will also notify you directly without undue delay.

10.0 :: YOUR_RIGHTS

Under the Data Protection Act No. 3 of 2021 (Part V), you have the following rights in relation to your personal data. These rights may be limited where we are subject to overriding legal obligations under the Lotteries Act, AML legislation, or BCLB licence conditions:

  • [ACCESS — s.32]Request a copy of the personal data we hold about you, including account information, wallet history, and participation records.
  • [RECTIFICATION — s.33]Request correction of inaccurate or incomplete data. You may update your name and email address via account settings. Changes to your MSISDN or NRC require identity re-verification.
  • [ERASURE — s.34]Request deletion of your account and personal data where we have no overriding legal basis for retention. Financial, transactional, and audit data subject to mandatory AML and lottery-law retention periods cannot be deleted.
  • [RESTRICTION — s.35]Request restriction of processing in certain circumstances, such as during an active dispute investigation.
  • [PORTABILITY — s.36]Receive your account data, wallet ledger, and participation history in a structured, machine-readable format (CSV or JSON).
  • [OBJECTION — s.37]Object to processing based on legitimate interests, including direct marketing, at any time.
  • [WITHDRAW_CONSENT — s.28]Withdraw any consent given at any time without penalty and without affecting the lawfulness of processing carried out before withdrawal.

To exercise any right, contact our DPO at privacy@minilotto.com with the subject “Data Privacy Request”. We will respond within 30 days. If we deny your request, we will give reasons and you have the right to appeal to the Office of the Data Protection Commissioner of Zambia.

11.0 :: AGE_VERIFICATION_AND_MINORS

Participation in Minilotto is restricted to persons aged 18 years and above, as required by the Lotteries Act (Cap. 163) and our BCLB licence. We collect your NRC number at registration as our primary means of age and identity verification. The Zambian National Registration Card is issued to citizens aged 16 and above; we conduct additional verification to confirm that participants have attained the minimum gambling age of 18.

If we identify or are notified that a person under 18 has registered an account, we will immediately suspend the account, reverse any transactions where technically and legally possible, and delete or restrict the associated personal data subject to mandatory retention obligations. We do not knowingly collect personal data from persons under 18, and we do not direct marketing at minors.

12.0 :: LOCAL_STORAGE_AND_DEVICE_DATA

To maintain your authenticated session, the following data is stored in your browser’s local storage on your device:

  • Your JWT access token and refresh token (session credentials, cleared on logout)
  • A limited user profile object (account ID, name, MSISDN, and role) to reduce repeated API calls
  • Your display theme preference (light or dark mode)

This data is stored locally on your device and is cleared when you log out. We do not use third-party cookies, advertising cookies, or cross-site tracking technologies. A service worker is installed on your device to cache static platform assets for offline functionality; it does not collect, transmit, or share any personal data.

We do not use Google Analytics, Meta Pixel, or any equivalent third-party tracking tool on the Platform.

13.0 :: RESPONSIBLE_GAMBLING

Minilotto is required to adhere to responsible gaming principles as a condition of our BCLB licence under the Lotteries Act. We monitor gameplay patterns, transaction frequency, and wallet activity to identify potential indicators of problem gambling and to fulfil our duty of care as a licensed operator.

Personal data processed in connection with responsible gambling interventions — including spending analysis and any self-reported information — is used solely for player protection. It is not used for commercial profiling, product recommendation, or any purpose unrelated to your welfare.

If you wish to set account spending limits, request a cooling-off period, or initiate a self-exclusion, please contact us at support@minilotto.com. Self-exclusions are implemented promptly and are irrevocable for the duration of the specified period. If gambling is causing you harm, we encourage you to seek support from relevant services in Zambia.

14.0 :: PRIZE_CLAIMS_AND_WINNER_DATA

In accordance with the Lotteries Act (Cap. 163), winners are notified via their registered MSISDN and through the Platform. Prizes must be claimed within 90 days of the relevant draw. Where a first payment attempt fails, winners have 60 days from that attempt to provide corrected details. Prizes not redeemed within these periods remain the property of Minilotto Ltd. in accordance with our licence conditions.

Winner identity, contact details, and prize records are retained permanently in our audit trail as required by the BCLB. Winner names may be published as part of our regulatory reporting obligations unless you have requested confidentiality in accordance with our licence conditions.

15.0 :: POLICY_UPDATES

We may update this Privacy Policy from time to time to reflect changes in our Platform, legal obligations, BCLB licence conditions, or decisions of the Data Protection Commissioner. Where changes are material, we will notify you by email or through a prominent notice on the Platform at least 14 days before the change takes effect.

The effective date at the top of this page indicates when the current version was last revised. Continued use of the Platform after an update takes effect constitutes your acknowledgement of the revised Policy.

16.0 :: CONTACT_AND_COMPLAINTS

For questions, data subject requests, or complaints regarding our data practices, please contact our Data Protection Officer:

EMAIL: privacy@minilotto.com

SUBJECT_LINE: Data Privacy Request

RESPONSE_SLA: Within 30 days of receipt

If you are not satisfied with our response, you have the right to escalate your complaint to:

  • Office of the Data Protection Commissioner of Zambia — for data privacy complaints under the Data Protection Act 2021
  • Betting Control and Licensing Board of Zambia (BCLB) — for complaints relating to lottery operations, prize disputes, or responsible gambling matters