Privacy Policy

Last updated: August 14, 2025

1. Website Operator and Scope

1.1. Operator Details

This Website is owned and operated by Carletta N.V., a company registered under the laws of Curaçao.

  • Registered office: Dr. Henri Fergusonweg 1, Curaçao
  • Company registration number: 142346
  • Licensing authority: Curaçao Gaming Control Board
  • Licensed since: 24/Jun/2025
  • License number: OGL/2024/580/0570
  • Legal framework: National Ordinance on Games of Chance (LOK)

Carletta N.V. acts as the controller of your Personal Data. This means that we determine the purposes and means of Processing Personal Data when you access or use the Website and Services.

1.2. When This Policy Applies

This Privacy Policy applies to Personal Data collected, used, or processed through the following channels:

  • the Website;
  • communications via [email protected];
  • phone calls with us;
  • support chat sessions with us.

1.3. Purpose of This Policy

This Policy is intended to explain:

  • what Personal Data we process;
  • why we process Personal Data;
  • the legal bases for Processing;
  • how long Personal Data is retained;
  • where Personal Data may be stored or transferred;
  • who Personal Data may be shared with;
  • how cookies and similar technologies may be used;
  • what rights you have;
  • how you can exercise those rights;
  • what happens if required Personal Data is not provided.

2. Key Definitions Checklist

2.1. Account

An Account is a unique account created for you to access the Services or specific parts of the Services.

  • Account access may be subject to identity verification.
  • Account access may also be subject to Regulatory Compliance requirements.

2.2. Company

Company, we, us, or our refers to Carletta N.V.

  • Jurisdiction: Curaçao
  • Registration number: 142346
  • Registered address: Dr. Henri Fergusonweg 1, Curaçao

2.3. Service

Service refers to:

  • the Website;
  • the Website functionalities;
  • related online gaming and interactive services provided by the Company.

2.4. Website

Website includes:

  • this website;
  • any subdomains;
  • associated platforms;
  • applications operated by the Company.

2.5. Personal Data

Personal Data means any information that relates to an identified or identifiable individual, as defined under:

  • the General Data Protection Regulation;
  • the Curaçao Data Protection Framework.

2.6. Processing of Personal Data

Processing of Personal Data means any operation or set of operations performed on Personal Data, whether by automated or manual means.

This may include:

  • collection;
  • recording;
  • organization;
  • structuring;
  • storage;
  • adaptation or alteration;
  • retrieval;
  • consultation;
  • use;
  • disclosure by transmission;
  • dissemination;
  • alignment or combination;
  • restriction;
  • erasure;
  • destruction.

2.7. Regulatory Compliance

Regulatory Compliance means the Company’s legal obligation to process Personal Data in accordance with applicable laws.

This includes:

  • National Ordinance on Games of Chance;
  • Anti-Money Laundering regulations.

Processing for Regulatory Compliance:

  • is based on legal requirements;
  • does not rely on user consent.

3. Personal Data Processing Checklist

3.1. Account Registration and Access to Services

Purpose:

  • to create an Account;
  • to activate access to the Services;
  • to secure the Account;
  • to manage access to specific Service features.

Legal basis:

  • performance of a contract or steps prior to entering into a contract under GDPR Article 6(1)(b).

Personal Data used:

  • email address and/or phone number;
  • hashed password;
  • chosen currency;
  • account identifiers;
  • basic device or access logs used to activate and secure the Account.

3.2. Identity Verification, Age Confirmation, and AML / LOK Compliance

Purpose:

  • to verify identity;
  • to confirm age;
  • to comply with KYC requirements;
  • to comply with AML/CFT obligations;
  • to comply with LOK and NORUT requirements.

Legal basis:

  • compliance with legal obligations under GDPR Article 6(1)(c), including AML/CFT, LOK, and NORUT;
  • legitimate interests in platform integrity under GDPR Article 6(1)(f), where applicable.

Personal Data used:

  • passport;
  • ID card;
  • driver’s license;
  • proof of address;
  • date of birth or age attestation;
  • selfies;
  • liveness checks.

3.3. Payment Processing

Purpose:

  • to process deposits;
  • to process withdrawals;
  • to process refunds;
  • to support payment-related services;
  • to keep required financial records.

Legal basis:

  • performance of a contract under GDPR Article 6(1)(b);
  • legal obligation for financial record-keeping and AML under GDPR Article 6(1)(c);
  • legitimate interests in fraud prevention under GDPR Article 6(1)(f).

Personal Data used:

  • payment instrument data;
  • transaction history;
  • currency;
  • payout channel confirmations.

3.4. Fraud Detection and Security Monitoring

Purpose:

  • to protect the Service;
  • to protect users;
  • to detect potentially fraudulent activity;
  • to prevent unauthorized access;
  • to prevent platform abuse.

Legal basis:

  • legitimate interests in securing the Service and users under GDPR Article 6(1)(f);
  • legal obligations under AML/CTF under GDPR Article 6(1)(c).

Personal Data used:

  • IP address;
  • device type;
  • browser data;
  • device and technical identifiers.

3.5. Responsible Gaming, Player Protection, and Self-Exclusion

Purpose:

  • to manage self-exclusion;
  • to manage cooling-off selections;
  • to apply play limits;
  • to support player protection;
  • to comply with responsible gaming requirements.

Legal basis:

  • compliance with LOK / CGA Responsible Gaming requirements under GDPR Article 6(1)(c);
  • legitimate interests in player welfare and Regulatory Compliance under GDPR Article 6(1)(f).

Personal Data used:

  • self-exclusion status;
  • self-exclusion duration;
  • cooling-off selections;
  • play limits;
  • gameplay frequency;
  • spend metrics indicative of risk;
  • communications related to responsible gaming interventions.

3.6. Customer Support and Service Communications

Purpose:

  • to respond to service requests;
  • to provide customer support;
  • to resolve Account or transaction inquiries;
  • to maintain service quality;
  • to support dispute resolution.

Legal basis:

  • contract performance under GDPR Article 6(1)(b);
  • legitimate interests in service quality and dispute resolution under GDPR Article 6(1)(f).

Personal Data used:

  • support tickets;
  • chat transcripts;
  • email correspondence;
  • call notes;
  • account identifiers;
  • transaction references tied to the inquiry.

3.7. Marketing Communications Where Permitted

Purpose:

  • to send marketing communications where permitted by law;
  • to manage communication preferences;
  • to measure engagement;
  • to apply opt-out and responsible gaming restrictions.

Legal basis:

  • consent under GDPR Article 6(1)(a) for electronic marketing;
  • legitimate interests under GDPR Article 6(1)(f) for similar-product soft opt-in where allowed by law.

Personal Data used:

  • email address;
  • phone number;
  • push token;
  • marketing preferences;
  • engagement metrics;
  • non-sensitive bonus eligibility status.

3.8. Website Performance, Analytics, and Cookies

Purpose:

  • to operate the Website;
  • to improve Website performance;
  • to analyze Website usage;
  • to support essential and non-essential cookie functions where applicable.

Legal basis:

  • legitimate interests in operating and improving the Website under GDPR Article 6(1)(f);
  • consent under GDPR Article 6(1)(a), where required for non-essential cookies.

Personal Data used:

  • usage logs;
  • cookie identifiers;
  • browser type and version;
  • traffic data;
  • on-site interaction metrics.

3.9. Regulatory Reporting, Audits, and Dispute Resolution

Purpose:

  • to cooperate with regulatory authorities;
  • to comply with audits;
  • to support legal proceedings;
  • to resolve disputes;
  • to establish, exercise, or defend legal claims.

Legal basis:

  • legal obligation under GDPR Article 6(1)(c);
  • legitimate interests in establishing, exercising, or defending legal claims under GDPR Article 6(1)(f).

Personal Data used:

  • records required for regulatory cooperation;
  • compliance audit records;
  • records required for legal proceedings;
  • dispute-related records permitted by applicable laws.

4. Data Source Checklist

4.1. Data Provided Directly by You

We may collect Personal Data directly from you when you:

  • create an Account;
  • complete verification steps;
  • make deposits;
  • make withdrawals;
  • communicate with support.

4.2. Data Generated Through Use of the Services

We may collect Personal Data generated through your activity on the platform, including:

  • gameplay;
  • transaction history;
  • device information;
  • log information;
  • cookie data in accordance with the Cookie Policy.

4.3. Data From Third-Party Verification and Compliance Services

We may use trusted third parties to support:

  • compliance functions;
  • security functions;
  • identity verification;
  • payment-related operations.

4.4. Data From Publicly Available and Legitimate Sources

Where necessary, we may supplement information you provide with data from publicly available and legitimate sources.

This is done only for:

  • compliance;
  • verification;
  • risk management.

4.5. Data From Authorities

In some cases, we may receive Personal Data from:

  • regulatory authorities;
  • law enforcement authorities;
  • other competent authorities.

This may occur in connection with legal and compliance obligations.

5. Data Retention Checklist

5.1. General Retention Rule

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected and processed, or for as long as required under applicable legal and regulatory obligations.

5.2. Factors Used to Determine Retention Periods

Retention periods are determined based on:

  • the purpose of Processing;
  • provision of the Services;
  • compliance with contractual obligations;
  • protection of legitimate interests;
  • AML requirements;
  • gaming regulations;
  • tax regulations;
  • legal claims;
  • audit requirements;
  • supervisory requirements.

5.3. End of Retention Period

After the relevant retention period expires, Personal Data is:

  • securely deleted;
  • anonymized; or
  • archived in a way that ensures it can no longer be associated with you.

Further retention may occur only where required by law.

6. Storage and International Transfer Checklist

6.1. Data Storage

Personal Data is stored on secure servers operated by:

  • the Company;
  • trusted service providers.

These servers may be located:

  • within the European Economic Area;
  • outside the European Economic Area, including Curaçao.

The location depends on operational and regulatory requirements.

6.2. Transfers Outside the EEA

When Personal Data is transferred outside the EEA, such transfers are carried out in accordance with applicable data protection laws.

6.3. Transfer Safeguards

Appropriate safeguards may include:

  • adequacy decisions;
  • Standard Contractual Clauses.

6.4. Adequacy Decisions

Adequacy decisions apply where the European Commission recognizes a country as providing an adequate level of data protection.

6.5. Standard Contractual Clauses

Where no adequacy decision exists, we use Standard Contractual Clauses approved by the European Commission to help ensure that Personal Data remains protected.

7. Personal Data Sharing Checklist

7.1. General Sharing Rule

Personal Data may be shared only when necessary and only for the purposes described in this Privacy Policy.

Any sharing is carried out in accordance with:

  • applicable data protection laws;
  • contractual obligations;
  • security measures.

7.2. Regulatory and Supervisory Authorities

Personal Data may be shared with:

  • the Curaçao Gaming Authority;
  • the Financial Intelligence Unit;
  • tax authorities;
  • governmental bodies;
  • law enforcement bodies.

This may be required by law or regulatory obligations, including AML and responsible gaming requirements.

7.3. Identity Verification and Compliance Providers

Personal Data may be shared with providers that help us:

  • verify customer identity;
  • comply with AML obligations;
  • comply with Know Your Customer obligations.

7.4. Payment Processors and Financial Institutions

Personal Data may be shared to enable:

  • deposits;
  • withdrawals;
  • refunds;
  • other payment-related services.

Shared data may include:

  • transaction details;
  • payment method information;
  • account identifiers.

7.5. Customer Support and Communication Tools

External providers may process Personal Data to support:

  • email delivery;
  • live chat;
  • other communication channels;
  • customer service operations.

Personal Data processed may include:

  • contact details;
  • support messages.

7.6. Fraud Prevention and Security Partners

Trusted providers may assist with:

  • platform security;
  • platform integrity;
  • detection of potentially fraudulent activity;
  • prevention of unauthorized activity.

7.7. Analytics and Optimization Platforms

Third-party services may help us:

  • analyze Website usage;
  • conduct A/B testing;
  • improve user experience.

Where possible, data is:

  • anonymized; or
  • pseudonymized.

7.8. Game Content Providers

Licensed third-party game providers may receive only the minimum data required to enable certain platform features.

This may include:

  • player identifiers;
  • game session data.

7.9. Internal Tools and IT Infrastructure Providers

We may use secure hosting and productivity solutions to store and manage data necessary for the operation of the Services.

8. Cookie Checklist

8.1. General Cookie Use

The Website may use cookies and similar technologies to:

  • enhance user experience;
  • enable essential Website functions;
  • analyze site performance.

Cookies are small text files stored on your device when you visit the Website. They allow the Website to recognize your device and store certain information about preferences or past actions.

8.2. Strictly Necessary Cookies

Strictly necessary cookies:

  • are essential for Website operation;
  • cannot be switched off in our systems;
  • enable page navigation;
  • enable access to secure areas;
  • support user authentication.

8.3. Functional Cookies

Functional cookies:

  • support enhanced functionality;
  • support personalization;
  • may remember language preferences;
  • may remember user settings;
  • may be set by us or by third-party providers whose services we use.

8.4. Analytical or Performance Cookies

Analytical or performance cookies:

  • collect aggregated and anonymized data;
  • help measure Website performance;
  • help improve Website performance.

They may relate to:

  • page visits;
  • click-through rates;
  • traffic sources;
  • on-site interaction metrics.

8.5. Advertising or Targeting Cookies

Advertising or targeting cookies may be set by us or by advertising partners to:

  • build a profile of your interests;
  • deliver relevant advertising on this Website or on other websites;
  • limit how often you see an advertisement;
  • assess advertising effectiveness.

8.6. Session and Persistent Cookies

Session cookies:

  • expire when you close your browser.

Persistent cookies:

  • remain on your device for a predetermined period;
  • remain until deleted by you.

8.7. First-Party and Third-Party Cookies

First-party cookies are set by us.

Third-party cookies are set by third-party service providers acting on our behalf, including providers of:

  • analytics;
  • customer support tools;
  • advertising networks.

8.8. Cookie Management

You may control and manage cookies through your browser settings.

Most browsers allow you to:

  • refuse cookies;
  • delete cookies.

Restricting certain cookies may affect the availability or functionality of some parts of the Website.

9. Minor Protection Checklist

9.1. Age Requirement

The Services are intended only for individuals who are:

  • at least eighteen (18) years old; or
  • the legal age defined by their jurisdiction, whichever is higher.

By accessing or registering for the Services, you confirm that you meet this age requirement.

9.2. Responsible Gaming Policy Alignment

In alignment with the Curaçao Gaming Authority’s Responsible Gaming Policy introduced in February 2025, measures are implemented to prevent underage access to the Services.

9.3. Age Verification Mechanisms

Age restrictions may be enforced through document verification.

Users may be required to provide valid government-issued identification documents during registration.

9.4. Preventive Measures

Preventive measures may include:

  • automated monitoring of user activity;
  • detection of inconsistencies;
  • detection of signs of underage access attempts;
  • security reviews where underage access is suspected.

9.5. Security Reviews

Where underage access is suspected, security reviews may include verification of:

  • registration data;
  • financial transactions.

9.6. Data Purging

Personal Data submitted by individuals identified as minors is deleted immediately.

9.7. Parental Controls and Education

Parents and guardians are encouraged to:

  • use available parental control tools;
  • educate minors about responsible online behavior;
  • prevent unauthorized access to the Services.

9.8. Responsible Gaming Commitment

The Company’s responsible gaming approach includes adherence to CGA guidelines on:

  • player protection;
  • age verification.

Policies are reviewed and enhanced to ensure they meet or exceed regulatory standards.

10. Rights Checklist

10.1. Right of Access

Under Article 15 GDPR, you can request:

  • confirmation of whether we process your Personal Data;
  • a copy of such Personal Data;
  • information about how it is used.

10.2. Right to Rectification

Under Article 16 GDPR, you can request correction of:

  • inaccurate Personal Data;
  • incomplete Personal Data.

Correction should be made without undue delay.

10.3. Right to Erasure

Under Article 17 GDPR, you can request deletion of your Personal Data where legal grounds apply.

This may include cases where:

  • data is no longer necessary for the purposes collected;
  • you withdraw consent where applicable;
  • no other lawful basis for processing applies.

10.4. Right to Restrict Processing

Under Article 18 GDPR, you can request that we limit Processing of your Personal Data in specific situations.

This may include cases where:

  • accuracy is contested;
  • Processing is unlawful.

10.5. Right to Data Portability

Under Article 20 GDPR, you can request a copy of the Personal Data you provided to us in a:

  • structured format;
  • commonly used format;
  • machine-readable format.

Where technically feasible, you may transfer that data to another controller.

10.6. Right to Object

Under Article 21 GDPR, you can object to Processing of your Personal Data:

  • for reasons related to your particular situation;
  • where Processing is based on legitimate interests;
  • for direct marketing purposes.

10.7. How to Exercise Your Rights

To exercise your data protection rights, you may contact us through:

11. Consent Withdrawal Checklist

11.1. Right to Withdraw Consent

If we process Personal Data based on consent, you have the right to withdraw that consent at any time.

11.2. Effect of Withdrawal

Withdrawal does not affect the lawfulness of Processing based on consent before its withdrawal.

11.3. How to Withdraw Consent

To withdraw consent, contact us using the channels specified in this Privacy Policy.

After receiving your request, we will stop Processing the relevant Personal Data unless retention is required to comply with legal or regulatory obligations.

11.4. Service Consequences

If withdrawal of consent affects our ability to provide certain Services, we will inform you of the consequences before completing the withdrawal process.

12. Complaint Checklist

12.1. Right to Lodge a Complaint

Under Article 77 GDPR, you have the right to lodge a complaint if you believe that:

  • your Personal Data is being processed unlawfully;
  • your privacy rights have been violated.

12.2. Where to Lodge a Complaint

You may lodge a complaint with:

  • the supervisory authority in the EU Member State where you reside;
  • the supervisory authority in the EU Member State where you work;
  • the supervisory authority in the EU Member State where the alleged violation occurred;
  • the Curaçao Gaming Authority;
  • any other relevant data protection authority in Curaçao.

12.3. Contacting Us First

If you have concerns or unresolved questions about Processing of your Personal Data, we encourage you to contact us directly first.

We will make every reasonable effort to address your concerns in a timely and lawful manner.

13. Required Personal Data Checklist

13.1. Legal Requirement

Providing certain Personal Data may be a legal requirement.

This applies where data is needed to comply with laws and regulations, including:

  • Anti-Money Laundering obligations;
  • responsible gaming requirements.

13.2. Contractual Requirement

Providing certain Personal Data may be a contractual requirement.

This applies where data is necessary to:

  • enter into a contract with you;
  • perform a contract with you;
  • enable access to the Services;
  • process transactions.

13.3. Access Requirement

Providing certain Personal Data may be necessary to access the Services.

Without required Personal Data, we may be unable to:

  • offer certain Services;
  • fulfill contractual obligations;
  • fulfill legal obligations.

13.4. Consequences of Non-Disclosure

Failure to provide required Personal Data may result in:

  • inability to create or maintain an Account;
  • restrictions on the use of the Services;
  • termination of the contractual relationship;
  • inability to comply with regulatory obligations;
  • prevention from providing Services.

14. Legal Disclaimer Checklist

14.1. Service Availability

The Services operate on an “AS-IS” and “AS-AVAILABLE” basis.

No warranties or guarantees are provided for:

  • uninterrupted performance;
  • error-free performance.

14.2. Security Limitation

We take reasonable precautions to protect Personal Data.

However, absolute security cannot be guaranteed because of:

  • the complex nature of technology;
  • evolving cybersecurity threats.

14.3. Limitation of Liability

To the maximum extent permitted by law, we are not liable for:

  • events beyond our direct control, including system failures, cyberattacks, or unauthorized access;
  • indirect, incidental, consequential, or punitive damages arising from data breaches, unauthorized disclosure, or misuse of Personal Data;
  • errors, inaccuracies, or security vulnerabilities on third-party websites linked from the platform.

14.4. Third-Party Websites

By using the Services, you acknowledge and agree that we do not bear responsibility for external websites or services operated by third parties, even if they are linked from the platform.

15. Acceptance, Updates, and Language Checklist

15.1. Acceptance of This Privacy Policy

Your continued use of the Services signifies your explicit acceptance of this Privacy Policy.

This document serves as the entire and exclusive Privacy Policy and replaces any previous versions.

15.2. Related Terms

This Privacy Policy should be read together with:

  • the Terms and Conditions;
  • any additional applicable notices posted on the platform.

15.3. Policy Changes

We reserve the right to modify this Privacy Policy at any time.

Any changes will be posted on the platform.

Continued use of the Services after modifications constitutes acceptance of the revised Policy.

15.4. Regular Review

You are strongly encouraged to review this Privacy Policy regularly to stay informed about updates.

15.5. Language Priority

All versions of this Policy, except for the English version, are provided for informational purposes only.

The English version prevails in case of discrepancies or conflicts between different versions.