How we use cookies and similar storage.

A “cookie” is a small text file that a website asks your browser to store on your device. The browser sends the cookie back to the website on subsequent requests, which is how websites recognise you between page loads and visits without forcing you to sign in repeatedly.

In addition to cookies, modern web applications rely on related browser storage mechanisms, including localStorage, sessionStorage, and IndexedDB. For the purposes of this policy, references to “cookies” include those equivalent technologies where they are used to achieve the same outcome.

We classify the cookies and storage we set into four categories. Strictly-necessary cookies are required for the Service to function and cannot be disabled without breaking the Service. All other categories are optional and can be controlled as set out in clause 5.

2.1 Strictly necessary

These are required for the Service to operate. They keep you signed in, protect against cross-site request forgery, and maintain your session as you move between pages.

• Firebase Authentication session: an HTTP-only identifier issued by Google's Firebase Authentication service that proves you are signed in. Removed when you sign out.
• CSRF token: a short-lived value used to protect form submissions from cross-site request forgery attacks.
• Session id: an in-memory or session-scoped identifier that lets the server associate consecutive requests with your active session.

2.2 Preferences

These remember choices you have made so the platform feels the same on your next visit.

• Theme (dark or light): stored in localStorage so your chosen theme persists across reloads.
• Filter and view state: stored in sessionStorage so your current filter selections on the tips feed and ledger are not lost when you navigate.
• Onboarding state: a flag that records that you have dismissed an introductory message or completed an onboarding step.

2.3 Analytics

These help us understand which features are used, where errors occur, and how to improve the Service. They are configured to minimise identifying data and we do not use them for advertising.

• Aggregate usage analytics: page views, feature interactions, broad geographic region (derived from IP), and device category. IP is truncated or hashed before storage where the analytics provider supports it.
• Error monitoring: stack traces, the URL on which an error occurred, and an anonymous user identifier so we can group repeat errors. We do not send chat message content or other personal content to the error monitoring service.

2.4 Third-party cookies

Certain third-party components used by the Service may set their own cookies when you interact with them.

• Google (Firebase / OAuth): cookies set by Google when you authenticate via Firebase Authentication or sign in with a Google account. Refer to Google's privacy policy at policies.google.com/privacy.
• Vercel: cookies set by our hosting provider for edge routing and rate limiting. Refer to Vercel's privacy policy at vercel.com/legal/privacy-policy.
• Payment service provider: cookies may be set in a payment flow window operated by our PCI-DSS compliant payment processor. These cookies are governed by that provider's privacy policy, which is presented to you in the payment window.

We do not set, and we do not authorise any third party to set on our behalf, the following categories of cookie or tracker through the Service:

• Third-party advertising or retargeting cookies.
• Cookies that profile you for advertising elsewhere on the internet.
• Tracking pixels operated by marketers, social networks or affiliate networks.
• Persistent fingerprinting beyond the basic browser metadata required to deliver a working page.
• Cookies or trackers operated by any bookmaker or gambling affiliate network.

We rely on the following lawful bases under POPIA for setting cookies and similar storage:

• Strictly necessary: section 11(1)(b) of POPIA — necessary for the performance of a contract with you. These do not require your consent.
• Preferences: section 11(1)(d) and (f) — the legitimate interest of providing you with a usable and consistent experience.
• Analytics: section 11(1)(f) — the legitimate interest of operating, securing and improving the Service. Where additional analytics cookies are not strictly necessary, we rely on your consent (section 11(1)(a)) and you may withdraw consent at any time as set out in clause 5.
• Third-party cookies: governed by the lawful basis of the relevant third party as disclosed in their policy.

In line with section 45 of ECTA we do not engage in unsolicited direct marketing using cookies or any other mechanism without your consent or unless permitted by section 69(3) of POPIA.

You can review, control and delete cookies directly in your browser at any time. The instructions below are correct as at the date of this policy.

• Chrome: Settings › Privacy and security › Cookies and other site data.
• Safari: Settings › Privacy › Manage Website Data.
• Firefox: Settings › Privacy and Security › Cookies and Site Data.
• Edge: Settings › Cookies and site permissions › Manage and delete cookies and site data.
• Mobile browsers: refer to your device vendor's instructions. On iOS, Settings › Safari › Privacy & Security. On Android, browser-specific settings within Chrome or your preferred browser.

Blocking all cookies will break sign-in and most paid features of the Service. Blocking analytics or preferences cookies will not prevent you from using the Service but may reduce the quality of the experience.

If you want us to delete information we hold about you that is linked to a cookie identifier, exercise your access and deletion rights as set out in our Privacy Policy.

The Service is not intended for and may not be used by persons under the age of eighteen (18). We do not knowingly use cookies to collect information from children. If you become aware that a child has accessed the Service, please contact us at info@bestbet.co.za and we will take immediate steps to remove the relevant information.

Some of the cookies described above are set by service providers (notably Google LLC and Vercel Inc.) that operate outside South Africa. Where a cookie results in personal information being transferred across borders, we rely on the lawful transfer mechanisms set out in section 72 of POPIA, as described in our Privacy Policy.

We may update this Cookies Policy from time to time. The current version is always available at this URL with its effective date at the top. If a change is material, we will give you reasonable notice through the Service or by email before it takes effect.

For any question about this Cookies Policy or your privacy rights more broadly, contact our Information Officer:

Tshintsha Trade (Pty) Ltd t/a Bestbet
Registration number: 2015/389865/07
204 Palmer Crescent, Leopard Park, Mafikeng, 2745
South Africa
Email: info@bestbet.co.za