GH GambleHub

Site Privacy Policy

1) Purpose and scope

A Privacy Policy is a public document that explains to users, in transparent and understandable language:
  • what personal data you collect,
  • for what purposes and on what legal grounds you process it,
  • to whom and how you transfer data (processors, partners, providers),
  • how long you keep it, how you protect it, and how data subjects can exercise their rights.

Who needs it: any site/application, especially iGaming and fintech services with KYC/AML, payment operations, anti-fraud analysis, analytics and marketing.

2) Key definitions

Personal data (PD): any information that allows you to identify the user (name, e-mail, IP, device identifiers, payment details, etc.).
Processing: any operations with personal data (collection, storage, modification, transfer, deletion).
Controller/Operator: a company that defines the goals and means of processing.
Processor: a person/organization processing personal data on behalf of the controller.
Cookies and pixels: technologies for storing and reading identifiers for the functioning of the site, analytics and marketing.
Special categories of data: biometrics/medical, etc. (usually not processed in iGaming; exception - KYC biometrics from third parties on a separate consent/basis).

3) What data is usually collected on an iGaming platform

1. Identification: name, date of birth, citizenship, address, document (passport/ID), selfie/video verification (if KYC is with an authorized provider).
2. Contact: e-mail, phone, instant messengers.
3. Accounts: logins, password hashes, account settings, language/currency preferences.
4. Payment and transaction: tokenized cards, wallet details, payment history, withdrawals, chargebacks/disputes.
5. Technical: IP, user-agent, device identifiers, log records, session events, cookie-ID.
6. Marketing/analytical: traffic sources, UTM, conversions, segments, A/B test results.
7. Antifraud/AML: behavioral patterns, risk scoring, geo/proxy signals, the result of sanctions and PEP screens (through licensed providers).

4) Legal grounds for processing (approximate list)

Performance of a contract (registration, account maintenance, processing of bets/payments).
Legal obligation (KYC/AML, tax/financial reporting, security logs).
Legitimate interest (fraud prevention, security, service improvement), subject to a balancing test of interests.
Consent (marketing mailings, optional cookies, KYC biometrics from individual providers, if required by local law).
Protection of rights and law and order (settlement of disputes, protection against claims).

5) Processing purposes (typical wording)

Creating and administering an account, providing access to games/services.
Payments and withdrawals, refunds, Net Deposits settlement, financial statements.
KYC/AML/Sanctions/PEP checks, preventing fraud and bonus abuse.
Customer support and fulfillment of data subject requests.
Analytics and product improvement (conversions, UX, performance).
Marketing (e-mail, push, retargeting) if there is a legal basis.
Compliance with regulatory requirements and provision of data to regulators on their lawful requests.

6) Cookies, tracking and pixels

Cookies are divided into categories:
  • Strictly necessary: sessions, security, account functionality.
  • Functional: language, currency, interface preferences.
  • Analytical: measurement of site traffic, funnels, UX metrics.
  • Marketing: traffic attribution, retargeting, look-alike segments.

Practice: use a separate banner/consent management platform (CMP) and let users change their choice at any time. Specify lifetimes, purposes and providers.

7) Cross-border transfers and localization

Describe the geography of storage and processing (EU/EEA, UK, Canada, Brazil, USA, etc.).
Specify the mechanisms: standard contractual clauses (SCC), equivalent instruments, local storage/mirrors, DPIA if necessary.
For especially sensitive flows (KYC biometrics), apply separate measures and minimization.

8) Recipients of data (categories)

Providers of KYC/AML, sanctions and PEP checks.
Payment providers, issuers, banks, processing gateways.
Antifraud/risk scoring providers, hosting/clouds, CDN, mail/sms services.
Analytics/crash reporting, marketing platforms (by consent).
Auditors, lawyers, regulators and other bodies, on a legal basis.

9) Retention periods (minimization principle)

Account and operational data: for as long as the contract and regulatory retention periods are in effect (often 5-10 years for financial documents/AML logs).
Marketing profiles: for the periods set in the CMP and until consent is withdrawn.
Security logs: in proportion to their purposes (for example, 12-24 months), unless otherwise required by law.
At the end of the period: secure deletion/anonymization.

10) Security and organizational measures

Encryption at rest and in transit, strict network policies, WAF/firewalls.
Access control (RBAC/ABAC), logging, regular audits and pen tests.
Segmentation of systems, principle of least privilege, secrets management.
Continuous monitoring, anti-fraud rules, testing of incident response plans.
Risk assessments and DPIAs for high-risk processing.

11) Rights of users (data subjects)

Data access, correction, deletion, restriction of processing.
Portability (machine-readable format).
Objection to processing (including marketing).
Withdrawal of consent without impairment of mandatory functions.
Complaint to the competent authority (indicate the contacts of the regulator by jurisdiction).

12) Children and age restrictions

iGaming services are intended only for adults according to local laws. Describe the mechanisms for age verification and the procedure for deleting minors' data in case of erroneous registration.

13) Automated decisions and profiling

Briefly describe profiling for antifraud/risk scoring/marketing.
Indicate whether the result affects legally significant decisions (freeze, KYC request).
Provide for the right to "human review" in controversial cases.

14) Contacts and DPO

Specify the e-mail/contact form for data subject requests and the postal address of the company. If a DPO is appointed, give the name/contacts. State response times (e.g. up to 30 days, with possible extension if permitted by law).

15) Policy updates

State the effective date and revision.
Give transparent notification of significant changes (banner/letter/internal notification).

16) Jurisdictional Notes (Sample Matrix)

EU/EEA (GDPR): grounds, DPIA, DPA with processors, SCC for cross-border transfers, registration of interests, processing register.
UK (UK GDPR): similarly, taking into account local authorities.
Brazil (LGPD): legal grounds, LGPD ombudsman, local deadlines.
California (CCPA/CPRA): right to opt out of "sell/share" of data, "Do Not Sell or Share," personal data categories.
Canada (PIPEDA/provinces): consent and purpose limitation.
Australia (Privacy Act): APPs, cross-border disclosures.
Add local sections for the countries where you operate.

17) Practical checklist before publication

  • Data map (what, where, why, for how long, who has access).
  • Processing register and DPA with key processors.
  • CMP and cookie table with lifetimes and purposes.
  • Procedure for responding to subject requests (SLAs, letter templates).
  • Incident notification procedure (to whom, when, how).
  • Policy versioning and change log.

18) Ready-made Policy template (copy and adapt)

Privacy Notice

Effective: [date] Version: [vX.Y]

1. Who we are

[Full name of company], [registered office], [registration details].

Contacts: [support@domain], [mailing address].

2. Applicability

This Policy applies to the site(s) and applications: [domains/applications], as well as related support services.

3. Data we process

Identification and contact (name, date of birth, e-mail, phone number, address).
Credentials (login, password hash, settings).
Payment/transaction (card tokens, transaction history).
Technical (IP, devices, logs, cookie-ID).
Antifraud/AML (behavioral signals, results of checks at providers).
Marketing/analytical (UTM, conversions), with consent where required.

4. Purposes and legal grounds

We process data for: providing the service, payments and withdrawals, KYC/AML, security and anti-fraud, support, analytics, marketing (with consent), compliance with the law. Grounds: performance of the contract, legal obligation, legitimate interest, consent.

5. Cookies and similar technologies

We use:
  • strictly necessary (sessions, security),
  • functional (settings),
  • analytical,
  • marketing.

Control is available through the [consent panel/CIW link]. See Appendix A for the cookie table.

6. Who we share data with

Categories of recipients: KYC/AML providers, payment organizations, hosting/CDN, anti-fraud and analytics, support (e-mail/SMS), auditors, regulators by law. Transfers are based on contracts and security measures.

7. International transfers

Data can be processed outside your country. We apply legal mechanisms (e.g. standard contractual clauses) and technical/organizational measures for protection.

8. Retention period

We keep data as long as necessary for the purposes and within the time limits established by law (for example, financial/AML records - at least [X] years). After that, we delete or anonymize it.

9. Security

Encryption, access control, monitoring, segmentation, audit, pen tests. Despite these measures, absolute security is not guaranteed; we act in accordance with applicable incident notification regulations.

10. Your rights

You can request access, correction, deletion, restriction, portability, objection, and withdraw consent (for processing based on consent). Contacts for requests: [privacy@domain]. You may also file a complaint with [name of authority/jurisdiction].

11. Automated decisions and profiling

We use automated systems for anti-fraud and risk assessment. In the event of a meaningful decision, you can request a human review.

12. Children

The service is intended for persons aged [18+] or older according to local law. When a minor's account is detected, the data is blocked and deleted.

13. DPO/Owner Contacts

[DPO name/position], e-mail: [dpo@domain], address: [address].

14. Updates to this Policy

We update the Policy periodically. Significant changes will be communicated through the site/notice. The current version is always available at [link].

Appendix A - Cookie Table (Example)

Name | Type | Purpose | Lifetime | Provider
_session_id | Strictly necessary | User session | Session | Own locale
_analytics_id | Analytical | Traffic/conversion measurement | 24 months | [Provider]
_ad_tag | Marketing | Retargeting | 6 months | [Provider]

Appendix B. Counterparties (categories)

KYC/AML providers: [name/jurisdiction/role].
Payment processors/banks: [categories].
Hosting/clouds/CDN: [categories].
Marketing/mailings/analytics: [categories].
Support (tickets/SMS/e-mail): [categories].

(Exact names can be disclosed in the DPA/processing register, and categories in the Policy.)

Appendix C. Jurisdictional Additional Terms (Template)

EU/EEA (GDPR): rights, transfer mechanisms, supervisory authority contacts: [link/title].
California (CCPA/CPRA): "Do Not Sell or Share My Personal Information" link, description of categories and consumer rights.
Brazil (LGPD): responsible contact, data subject (titulares) rights.
UK: UK GDPR and ICO.
Canada/Australia: local rights and regulatory contacts.

19) Tips to stay relevant

Once a quarter, check the Policy against the actual data flows and DPIA.
When adding a new provider/SDK, update the processing register and CMP.
Log and document responses to subject requests (SLAs, templates, metrics).
Keep a version log with a short changelog.

How to use this article

1. Go through the checklist and collect facts about your data and flows.
2. Copy the template and paste your details/deadlines/jurisdictions.
3. Agree with the lawyer and DPO, then publish on the site and connect the CMP.
4. Configure the process for accepting data subject requests and update the Policy when changes occur.
