Privacy Policy and GDPR
1) Purpose and scope
Purpose: to ensure legal, transparent and secure processing of personal data (PII) of players, partners and employees in all jurisdictions of the operator's presence.
Coverage: web/mobile applications, CRM/BI/DWH, anti-fraud/AML/KYC, PSP/CUS/sanctions providers, support, marketing, affiliates, live studios, hosting and logging.
2) Roles and Responsibilities (RACI)
Data Protection Officer (DPO) - A: compliance oversight, RoPA, DPIA/DTIA, responses to regulators.
Head of Compliance - A: Policy, Risk Appetite, Escalation and Reporting.
Legal - C: legal grounds, DPA/SCCs contracts, banner and notice texts.
Security/SRE - R: technical and organizational measures (TOMs), access log, incidents.
Data/BI - R: data catalogue, minimization, masking/pseudonymization.
Marketing/CRM - R: consents, preferences, unsubscribes, cookies.
Product/Engineering - R: Privacy by Design/Default, retention and deletion.
Support/VIP - R: data subject requests (DSAR), identity verification.
3) Legal Bases
Consent - marketing, analytical/advertising cookies, non-mandatory personalization.
Contract - registration, processing of bets/withdrawals, support.
Legal Obligation - KYC/AML/sanctions, accounting and reporting.
Legitimate Interests - anti-fraud, security, product improvement (with interest balancing test - LIA).
Vital/Public Interest - rare responsible gambling (RG)/safety cases, where applicable and permitted by law.
4) Rights of data subjects (DSR/DSAR)
Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Portability (Art. 20), Objection (Art. 21), not to be subject to a decision based solely on automated processing (Art. 22).
DSAR processing SLA: acknowledgement ≤ 7 days, fulfilment ≤ 30 days (extension by a further 60 days where the request is difficult to fulfil and the subject is notified).
Verification: multi-factor; sensitive data is never disclosed over open channels.
Logs: record the request, the identity check, the data package issued and the response time.
5) Processing Operations Register (RoPA)
Minimum fields: purpose, subject/data categories, legal basis, retention periods, recipients/third countries, security measures, data source, automated decisions/profiling, DPIA/DTIA (if any).
6) DPIA/DTIA: When and How
DPIA - for high-risk processing: large-scale profiling, new anti-fraud models, geodata processing, RG triggers, systematic monitoring.
DTIA/TIA - for cross-border transfers outside the EEA/UK: assessment of local government access, contractual/technical measures.
Process: screening → assessment of risks and measures → DPO/Legal approval → implementation of controls → assumptions log.
7) Cookies, pixels, SDK and consent banner
Categories: strictly necessary, functional, analytical, marketing.
Requirements:
- Before consent is given, only strictly necessary cookies are loaded.
- Granular consent and an equally easy refusal; a log of consent versions and timestamps.
- CMP with IAB TCF (where applicable); the banner is updated automatically when purposes or providers change.
- Easy withdrawal or change of choice at any time.
8) Processors and sub-processors
DPA with each provider: subject matter, purposes, data categories, retention periods, TOMs, sub-processors, audits.
Public register of sub-processors (versioning); notice of changes and right of objection.
Checks: due diligence (ISO 27001/SOC 2), incident response tests, pentest reports on request, offboarding plan.
9) Cross-border transfers
SCCs/IDTA + DTIA; where necessary, supplementary measures: E2EE, client-side encryption, pseudonymization, keys held in the EU.
The legal mechanism, countries and recipients are recorded in the Policy/register.
10) Retention & Deletion
Retention matrix (example):
Deletion policy: automated jobs in the DWH/vaults; deletion from backups via the rotation cycle, with logging. Pseudonymized IDs for analytics.
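As an added illustration (not part of the original policy), a minimal Python retention job over a constructed matrix: records past their retention period are deleted or, where analytics still needs them, replaced by a keyed HMAC alias so the analytics copy holds no direct player ID. The matrix, key and records are constructed placeholders.

```python
"""Constructed retention job: delete expired records, pseudonymize those kept for analytics."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed retention matrix: purpose -> (retention in days, action once expired).
RETENTION_MATRIX = {
    "marketing_consent": (365, "delete"),
    "support_ticket": (730, "pseudonymize"),
    "kyc_record": (1825, "delete"),
}

# Hypothetical pseudonymization key; in production it would come from a KMS/secret manager.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Constructed sample records (player_id, purpose, creation date).
SAMPLE_RECORDS = [
    {"player_id": "P-1001", "purpose": "marketing_consent", "created": date(2023, 1, 10)},
    {"player_id": "P-1002", "purpose": "support_ticket", "created": date(2022, 6, 1)},
    {"player_id": "P-1003", "purpose": "kyc_record", "created": date(2024, 3, 1)},
    {"player_id": "P-1004", "purpose": "support_ticket", "created": date(2024, 3, 1)},
]


def pseudonymize(player_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way alias: stable for the same ID, not reversible without the key."""
    return hmac.new(key, player_id.encode(), hashlib.sha256).hexdigest()[:16]


def apply_retention(records, today: date, matrix=RETENTION_MATRIX):
    """Return (kept_records, audit_log). Deleted IDs never reach the log."""
    kept, log = [], []
    for rec in records:
        days, action = matrix[rec["purpose"]]
        if today - rec["created"] <= timedelta(days=days):
            kept.append(rec)  # still within its retention period
            continue
        if action == "delete":
            log.append(f"{today} DELETE purpose={rec['purpose']} id=<redacted>")
        else:
            alias = pseudonymize(rec["player_id"])
            kept.append({**rec, "player_id": alias, "pseudonymized": True})
            log.append(f"{today} PSEUDONYMIZE purpose={rec['purpose']} alias={alias}")
    return kept, log


def demo_run():
    """Run the job on the constructed records as of a fixed date."""
    return apply_retention(SAMPLE_RECORDS, date(2025, 1, 1))


if __name__ == "__main__":
    print(*demo_run()[1], sep="\n")
```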
11) Security (TOMs)
Technical: encryption at rest/in transit, network segmentation, least-privilege access, KMS/key rotation, DLP, EDR/IDS/WAF, SSO/MFA, secret manager, WORM logging.
Organizational: access policies, training, NDA, clean desk, vendor verification, incident management (SANS/NIST).
Privacy by Design/Default: evaluation in change processes, minimum default data sets, test data without PII.
12) Breach and incident notifications
Assessment: confirmation of fact, volume and risk.
Deadlines (benchmarks): to the supervisory authority within 72 hours where there is a risk to rights and freedoms; to users without undue delay.
Content of the notification: incident description, categories and estimated number of records, DPO contact, consequences, measures taken, recommendations to subjects.
Logs: timeline, decisions, letter/response templates, CAPA.
13) Marketing & Communications
Separation of transactional messages (without consent) and marketing messages (only with consent).
Preference management: settings center, subscriptions by topic/channel, double-opt-in (where required).
Affiliates and tracking: contractual restrictions on the collection/transfer of PII, prohibition of the transfer of identifiers without reason and consent.
14) Public Privacy Policy - Structure
1. Who are we and DPO contacts.
2. What data we collect (by category and source).
3. Purposes/legal bases (table "purpose → data → basis → retention period").
4. Cookies/SDK and consent management.
5. Recipients and cross-border transfers (mechanisms and measures).
6. Rights of subjects and how to exercise them.
7. Data security (high-level TOMs).
8. Retention periods and criteria.
9. Automated decisions/profiling and their logic in general terms.
10. Policy changes (versioning) and how we notify.
11. Contacts for complaints (supervisory authority by jurisdiction, if required).
15) Templates and sample formulations
15.1 Purposes/bases table (fragment):
15.2 Cookie banner (minimum):
"We use cookies. By clicking 'Accept All', you agree to the storage of analytical and marketing cookies. You can change your selection by category. 'Reject optional' keeps only strictly necessary cookies."
15.3 Profiling section (example):
"We use profiling to prevent fraud and to support responsible gambling (RG). This is necessary for safety and in line with our legitimate interests. You may object unless the law requires otherwise (e.g. AML)."
16) Process SOPs
SOP-1: Policy Update
Triggers: new purposes/vendors/SDKs/jurisdictions.
Steps: inventory → LIA/DPIA → text update → localization → CMP update → communication to users → version/effective date.
SOP-2: DSAR
Request channel → identity verification → data volume estimation → package collection (export from systems) → legal review → issue/refusal with justification → log.
SOP-3: New sub-processor
Due diligence → DPA/SCCs → DTIA → incident response test → inclusion in the public registry → user notification (if required).
17) Training and auditing
Onboarding + annual privacy training for all; additional training for Support/Marketing/Engineering.
Internal audit once a year: RoPA, retention compliance, sample DSAR verification, CIW/cookie review, test requests, penetration test/access log forensics.
KPIs: % of employees trained; DSAR SLA adherence; share of systems with pseudonymization enabled; completed CAPAs.
18) Localization and multi-jurisdiction operation
GDPR/UK GDPR as a basic standard; consider ePrivacy/PECR for communications and cookies.
Local nuances (example): age of consent for processing children's data, KYC retention periods, notification forms, document language requirements.
Maintain discrepancy matrix by country and references to applicable codes/licenses.
19) Implementation Roadmap (example)
Weeks 1-2: Data/Systems Inventory, RoPA, Flow Map, Policy Draft.
Weeks 3-4: CIW/banner, sub-processor registry, DPA/SCCs, DPIA for high-risk processes.
Month 2: launch of the preference center, automation of deletion/anonymization, employee training.
Month 3 +: periodic audits, DSAR tests, localization and registry updates.
20) Short readiness checklist
- DPO assigned, contacts published
- Up-to-date RoPA and data flow map
- Policy published, localized, versioned
- CMP with provable opt-in/opt-out logs
- DPA/SCCs and Public Sub-Processor Registry
- DPIA/DTIA completed for risk processes
- Retention-jobs and deletion/anonymization procedures
- SOP on DSAR and incidents, trained owners
- Metrics/KPIs and Annual Privacy Audit
TL;DR
Strong policy = clear purposes and legal bases + inventory and RoPA + consents/cookies under control + secure cross-border transfers + sub-processor registry + clear retention and deletion + DSAR/incident training. This reduces legal and reputational risk and builds player confidence.