Privacy Policy

Effective Date: March 24, 2026

1. INTRODUCTION AND SCOPE

XI Royale Incorporated ("the Company," "We," "Us," or "Our") is deeply committed to upholding the privacy and security of your personal data. This Privacy Policy ("Policy") delineates the stringent methodologies and protocols under which we collect, utilize, archive, safeguard, and disseminate your Personally Identifiable Information (PII) when you interface with the XI Royale platform, underlying APIs, and ancillary services ("the Platform"). This Policy is ratified in strict adherence to global data protection standards and the Kenyan Data Protection Act.

2. DATA COLLECTION ARCHITECTURE

The operational framework of XI Royale necessitates the collection of specific data vectors, classified as follows:

• Directly Provisioned Data: To adhere to robust Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations, we explicitly collect your registered Mobile Telephone Number, exact Safaricom M-Pesa Account Name, and an associated email address.
• Public Gamification Data: Upon execution of the FPL ID Asset Handshake, you authorize the Platform's automated engine to synchronously scrape and ingest your public Fantasy Premier League statistical footprint, including encompassing Gameweek scores, historical ranks, chip deployments, and active transfer maneuvers.
• Automated Telemetry: Our servers autonomously log cryptographic telemetry including your IP address, user-agent signatures, access timestamps, and encrypted session identifiers to facilitate fraud detection and secure the routing parameters of the Platform.

3. STRATEGIC UTILIZATION OF DATA

The Company eschews the monetization of your data. Information is fundamentally leveraged for operational execution:

• To mechanically process entry fees, instantiate competition Escrow Pools, and unequivocally disburse automated winnings via the Safaricom Daraja integration.
• To algorithmically adjudicate competition outcomes and update real-time leaderboards unadulterated by human intervention.
• To mitigate sybil attacks, eradicate multi-account collusions, and enforce the integrity of our high-stakes environment.
• To transmit pivotal, time-sensitive systemic communications, encompassing security advisories, payout receipts, and Gameweek deadline proximity alerts.

4. FINANCIAL DATA SEGREGATION AND ENCRYPTION

XI Royale employs a zero-knowledge architecture concerning fundamental financial authorizations. WE NEVER REQUEST, INTERCEPT, OR STORE YOUR M-PESA PIN, BANK DETAILS, OR FPL LOGIN CREDENTIALS. All user-authenticated passwords governing Platform access are unilaterally hashed utilizing the cryptographically resistant Argon2id standard. Financial ledgers are maintained immutably to guarantee absolute auditability and reconciliation precision.

5. THIRD-PARTY DATA TRANSMISSION

Your PII is fiercely shielded and is solely transmitted to vetted third-party infrastructure providers under legally binding Data Processing Agreements (DPAs). These encompass:

• Safaricom PLC: Strictly limited to the conveyance of mobile numbers and required transaction payloads to facilitate the Daraja B2C and C2B API handshakes.
• Transactional Mail Relays: Deployed exclusively for the dissemination of immutable ledger receipts and password reconfiguration links.
• Regulatory Authorities: The Company shall disclose necessitated data vectors if unequivocally compelled by a valid subpoena, court mandate, or binding directive from Kenyan law enforcement traversing verifiable fraud investigations.

6. DATA RETENTION AND RIGHT TO ERASURE

Your data is vaulted within our ecosystem strictly for the duration requisite to fulfill the objectives elucidated herein. Upon request of account termination, the Company executes a deletion protocol nullifying your PII from active databases. Notwithstanding, pertinent financial ledger entries and associated identifiers will be cryptographically quarantined and retained for a statutory period traversing up to seven (7) years to satisfy national tax compliance and AML auditing mandates.

7. USER RIGHTS AND JURISDICTIONS

Under the purview of the Kenyan Data Protection Act, you retain substantive rights regarding your algorithmic footprint. You possess the unalienable right to request access to your data schemas, demand the rectification of erroneous vectors, restrict certain processing modalities, and exercise the right to data portability. To invoke these privileges, formal requests must be remitted to our Data Protection Officer.

8. AMENDMENTS RECTIFICATION

The Company commands the autonomous authority to iterate and overhaul this Privacy Policy to reflect advancing regulatory parameters or architectural shifts in our engine. All material modifications will be synchronously broadcast across Platform notification arrays.

9. CONTACTING THE DATA PROTECTION OFFICER

Should you harbor any inquiries, contestations, or directives regarding our data processing frameworks, you are instructed to dispatch formal correspondence to our Data Privacy Directorate at: xigwroyale@gmail.com.