Privacy Policy
Last updated: August 14, 2025
1. Website Operator and Scope
1.1. Operator Details
This Website is owned and operated by Carletta N.V., a company registered under the laws of Curaçao.
- Registered office: Dr. Henri Fergusonweg 1, Curaçao
- Company registration number: 142346
- Licensing authority: Curaçao Gaming Control Board
- Licensed since: 24/Jun/2025
- License number: OGL/2024/580/0570
- Legal framework: National Ordinance on Games of Chance (LOK)
Carletta N.V. acts as the controller of your Personal Data. This means that we determine the purposes and means of Processing Personal Data when you access or use the Website and Services.
1.2. When This Policy Applies
This Privacy Policy applies to Personal Data collected, used, or processed through the following channels:
- the Website;
- communications via [email protected];
- phone calls with us;
- support chat sessions with us.
1.3. Purpose of This Policy
This Policy is intended to explain:
- what Personal Data we process;
- why we process Personal Data;
- the legal bases for Processing;
- how long Personal Data is retained;
- where Personal Data may be stored or transferred;
- who Personal Data may be shared with;
- how cookies and similar technologies may be used;
- what rights you have;
- how you can exercise those rights;
- what happens if required Personal Data is not provided.
2. Key Definitions Checklist
2.1. Account
An Account is a unique account created for you to access the Services or specific parts of the Services.
- Account access may be subject to identity verification.
- Account access may also be subject to Regulatory Compliance requirements.
2.2. Company
Company, we, us, or our refers to Carletta N.V.
- Jurisdiction: Curaçao
- Registration number: 142346
- Registered address: Dr. Henri Fergusonweg 1, Curaçao
2.3. Service
Service refers to:
- the Website;
- the Website functionalities;
- related online gaming and interactive services provided by the Company.
2.4. Website
Website includes:
- this website;
- any subdomains;
- associated platforms;
- applications operated by the Company.
2.5. Personal Data
Personal Data means any information that relates to an identified or identifiable individual, as defined under:
- the General Data Protection Regulation;
- the Curaçao Data Protection Framework.
2.6. Processing of Personal Data
Processing of Personal Data means any operation or set of operations performed on Personal Data, whether by automated or manual means.
This may include:
- collection;
- recording;
- organization;
- structuring;
- storage;
- adaptation or alteration;
- retrieval;
- consultation;
- use;
- disclosure by transmission;
- dissemination;
- alignment or combination;
- restriction;
- erasure;
- destruction.
2.7. Regulatory Compliance
Regulatory Compliance means the Company’s legal obligation to process Personal Data in accordance with applicable laws.
This includes:
- National Ordinance on Games of Chance;
- Anti-Money Laundering regulations.
Processing for Regulatory Compliance:
- is based on legal requirements;
- does not rely on user consent.
3. Personal Data Processing Checklist
3.1. Account Registration and Access to Services
Purpose:
- to create an Account;
- to activate access to the Services;
- to secure the Account;
- to manage access to specific Service features.
Legal basis:
- performance of a contract or steps prior to entering into a contract under GDPR Article 6(1)(b).
Personal Data used:
- email address and/or phone number;
- hashed password;
- chosen currency;
- account identifiers;
- basic device or access logs used to activate and secure the Account.
3.2. Identity Verification, Age Confirmation, and AML / LOK Compliance
Purpose:
- to verify identity;
- to confirm age;
- to comply with KYC requirements;
- to comply with AML/CFT obligations;
- to comply with LOK and NORUT requirements.
Legal basis:
- compliance with legal obligations under GDPR Article 6(1)(c), including AML/CFT, LOK, and NORUT;
- legitimate interests in platform integrity under GDPR Article 6(1)(f), where applicable.
Personal Data used:
- passport;
- ID card;
- driver’s license;
- proof of address;
- date of birth or age attestation;
- selfies;
- liveness checks.
3.3. Payment Processing
Purpose:
- to process deposits;
- to process withdrawals;
- to process refunds;
- to support payment-related services;
- to keep required financial records.
Legal basis:
- performance of a contract under GDPR Article 6(1)(b);
- legal obligation for financial record-keeping and AML under GDPR Article 6(1)(c);
- legitimate interests in fraud prevention under GDPR Article 6(1)(f).
Personal Data used:
- payment instrument data;
- transaction history;
- currency;
- payout channel confirmations.
3.4. Fraud Detection and Security Monitoring
Purpose:
- to protect the Service;
- to protect users;
- to detect potentially fraudulent activity;
- to prevent unauthorized access;
- to prevent platform abuse.
Legal basis:
- legitimate interests in securing the Service and users under GDPR Article 6(1)(f);
- legal obligations under AML/CTF under GDPR Article 6(1)(c).
Personal Data used:
- IP address;
- device type;
- browser data;
- device and technical identifiers.
3.5. Responsible Gaming, Player Protection, and Self-Exclusion
Purpose:
- to manage self-exclusion;
- to manage cooling-off selections;
- to apply play limits;
- to support player protection;
- to comply with responsible gaming requirements.
Legal basis:
- compliance with LOK / CGA Responsible Gaming requirements under GDPR Article 6(1)(c);
- legitimate interests in player welfare and Regulatory Compliance under GDPR Article 6(1)(f).
Personal Data used:
- self-exclusion status;
- self-exclusion duration;
- cooling-off selections;
- play limits;
- gameplay frequency;
- spend metrics indicative of risk;
- communications related to responsible gaming interventions.
3.6. Customer Support and Service Communications
Purpose:
- to respond to service requests;
- to provide customer support;
- to resolve Account or transaction inquiries;
- to maintain service quality;
- to support dispute resolution.
Legal basis:
- contract performance under GDPR Article 6(1)(b);
- legitimate interests in service quality and dispute resolution under GDPR Article 6(1)(f).
Personal Data used:
- support tickets;
- chat transcripts;
- email correspondence;
- call notes;
- account identifiers;
- transaction references tied to the inquiry.
3.7. Marketing Communications Where Permitted
Purpose:
- to send marketing communications where permitted by law;
- to manage communication preferences;
- to measure engagement;
- to apply opt-out and responsible gaming restrictions.
Legal basis:
- consent under GDPR Article 6(1)(a) for electronic marketing;
- legitimate interests under GDPR Article 6(1)(f) for similar-product soft opt-in where allowed by law.
Personal Data used:
- email address;
- phone number;
- push token;
- marketing preferences;
- engagement metrics;
- non-sensitive bonus eligibility status.
3.8. Website Performance, Analytics, and Cookies
Purpose:
- to operate the Website;
- to improve Website performance;
- to analyze Website usage;
- to support essential and non-essential cookie functions where applicable.
Legal basis:
- legitimate interests in operating and improving the Website under GDPR Article 6(1)(f);
- consent under GDPR Article 6(1)(a), where required for non-essential cookies.
Personal Data used:
- usage logs;
- cookie identifiers;
- browser type and version;
- traffic data;
- on-site interaction metrics.
3.9. Regulatory Reporting, Audits, and Dispute Resolution
Purpose:
- to cooperate with regulatory authorities;
- to comply with audits;
- to support legal proceedings;
- to resolve disputes;
- to establish, exercise, or defend legal claims.
Legal basis:
- legal obligation under GDPR Article 6(1)(c);
- legitimate interests in establishing, exercising, or defending legal claims under GDPR Article 6(1)(f).
Personal Data used:
- records required for regulatory cooperation;
- compliance audit records;
- records required for legal proceedings;
- dispute-related records permitted by applicable laws.
4. Data Source Checklist
4.1. Data Provided Directly by You
We may collect Personal Data directly from you when you:
- create an Account;
- complete verification steps;
- make deposits;
- make withdrawals;
- communicate with support.
4.2. Data Generated Through Use of the Services
We may collect Personal Data generated through your activity on the platform, including:
- gameplay;
- transaction history;
- device information;
- log information;
- cookie data in accordance with the Cookie Policy.
4.3. Data From Third-Party Verification and Compliance Services
We may use trusted third parties to support:
- compliance functions;
- security functions;
- identity verification;
- payment-related operations.
4.4. Data From Publicly Available and Legitimate Sources
Where necessary, we may supplement information you provide with data from publicly available and legitimate sources.
This is done only for:
- compliance;
- verification;
- risk management.
4.5. Data From Authorities
In some cases, we may receive Personal Data from:
- regulatory authorities;
- law enforcement authorities;
- other competent authorities.
This may occur in connection with legal and compliance obligations.
5. Data Retention Checklist
5.1. General Retention Rule
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected and processed, or for as long as required under applicable legal and regulatory obligations.
5.2. Factors Used to Determine Retention Periods
Retention periods are determined based on:
- the purpose of Processing;
- provision of the Services;
- compliance with contractual obligations;
- protection of legitimate interests;
- AML requirements;
- gaming regulations;
- tax regulations;
- legal claims;
- audit requirements;
- supervisory requirements.
5.3. End of Retention Period
After the relevant retention period expires, Personal Data is:
- securely deleted;
- anonymized; or
- archived in a way that ensures it can no longer be associated with you.
Further retention may occur only where required by law.
6. Storage and International Transfer Checklist
6.1. Data Storage
Personal Data is stored on secure servers operated by:
- the Company;
- trusted service providers.
These servers may be located:
- within the European Economic Area;
- outside the European Economic Area, including Curaçao.
The location depends on operational and regulatory requirements.
6.2. Transfers Outside the EEA
When Personal Data is transferred outside the EEA, such transfers are carried out in accordance with applicable data protection laws.
6.3. Transfer Safeguards
Appropriate safeguards may include:
- adequacy decisions;
- Standard Contractual Clauses.
6.4. Adequacy Decisions
Adequacy decisions apply where the European Commission recognizes a country as providing an adequate level of data protection.
6.5. Standard Contractual Clauses
Where no adequacy decision exists, we use Standard Contractual Clauses approved by the European Commission to help ensure that Personal Data remains protected.
7. Personal Data Sharing Checklist
7.1. General Sharing Rule
Personal Data may be shared only when necessary and only for the purposes described in this Privacy Policy.
Any sharing is carried out in accordance with:
- applicable data protection laws;
- contractual obligations;
- security measures.
7.2. Regulatory and Supervisory Authorities
Personal Data may be shared with:
- the Curaçao Gaming Authority;
- the Financial Intelligence Unit;
- tax authorities;
- governmental bodies;
- law enforcement bodies.
This may be required by law or regulatory obligations, including AML and responsible gaming requirements.
7.3. Identity Verification and Compliance Providers
Personal Data may be shared with providers that help us:
- verify customer identity;
- comply with AML obligations;
- comply with Know Your Customer obligations.
7.4. Payment Processors and Financial Institutions
Personal Data may be shared to enable:
- deposits;
- withdrawals;
- refunds;
- other payment-related services.
Shared data may include:
- transaction details;
- payment method information;
- account identifiers.
7.5. Customer Support and Communication Tools
External providers may process Personal Data to support:
- email delivery;
- live chat;
- other communication channels;
- customer service operations.
Personal Data processed may include:
- contact details;
- support messages.
7.6. Fraud Prevention and Security Partners
Trusted providers may assist with:
- platform security;
- platform integrity;
- detection of potentially fraudulent activity;
- prevention of unauthorized activity.
7.7. Analytics and Optimization Platforms
Third-party services may help us:
- analyze Website usage;
- conduct A/B testing;
- improve user experience.
Where possible, data is:
- anonymized; or
- pseudonymized.
7.8. Game Content Providers
Licensed third-party game providers may receive only the minimum data required to enable certain platform features.
This may include:
- player identifiers;
- game session data.
7.9. Internal Tools and IT Infrastructure Providers
We may use secure hosting and productivity solutions to store and manage data necessary for the operation of the Services.
8. Cookie Checklist
8.1. General Cookie Use
The Website may use cookies and similar technologies to:
- enhance user experience;
- enable essential Website functions;
- analyze site performance.
Cookies are small text files stored on your device when you visit the Website. They allow the Website to recognize your device and store certain information about preferences or past actions.
8.2. Strictly Necessary Cookies
Strictly necessary cookies:
- are essential for Website operation;
- cannot be switched off in our systems;
- enable page navigation;
- enable access to secure areas;
- support user authentication.
8.3. Functional Cookies
Functional cookies:
- support enhanced functionality;
- support personalization;
- may remember language preferences;
- may remember user settings;
- may be set by us or by third-party providers whose services we use.
8.4. Analytical or Performance Cookies
Analytical or performance cookies:
- collect aggregated and anonymized data;
- help measure Website performance;
- help improve Website performance.
They may relate to:
- page visits;
- click-through rates;
- traffic sources;
- on-site interaction metrics.
8.5. Advertising or Targeting Cookies
Advertising or targeting cookies may be set by us or by advertising partners to:
- build a profile of your interests;
- deliver relevant advertising on this Website or on other websites;
- limit how often you see an advertisement;
- assess advertising effectiveness.
8.6. Session and Persistent Cookies
Session cookies:
- expire when you close your browser.
Persistent cookies:
- remain on your device for a predetermined period;
- remain until deleted by you.
8.7. First-Party and Third-Party Cookies
First-party cookies are set by us.
Third-party cookies are set by third-party service providers acting on our behalf, including providers of:
- analytics;
- customer support tools;
- advertising networks.
8.8. Cookie Management
You may control and manage cookies through your browser settings.
Most browsers allow you to:
- refuse cookies;
- delete cookies.
Restricting certain cookies may affect the availability or functionality of some parts of the Website.
9. Minor Protection Checklist
9.1. Age Requirement
The Services are intended only for individuals who are:
- at least eighteen (18) years old; or
- the legal age defined by their jurisdiction, whichever is higher.
By accessing or registering for the Services, you confirm that you meet this age requirement.
9.2. Responsible Gaming Policy Alignment
In alignment with the Curaçao Gaming Authority’s Responsible Gaming Policy introduced in February 2025, measures are implemented to prevent underage access to the Services.
9.3. Age Verification Mechanisms
Age restrictions may be enforced through document verification.
Users may be required to provide valid government-issued identification documents during registration.
9.4. Preventive Measures
Preventive measures may include:
- automated monitoring of user activity;
- detection of inconsistencies;
- detection of signs of underage access attempts;
- security reviews where underage access is suspected.
9.5. Security Reviews
Where underage access is suspected, security reviews may include verification of:
- registration data;
- financial transactions.
9.6. Data Purging
Personal Data submitted by individuals identified as minors is deleted immediately.
9.7. Parental Controls and Education
Parents and guardians are encouraged to:
- use available parental control tools;
- educate minors about responsible online behavior;
- prevent unauthorized access to the Services.
9.8. Responsible Gaming Commitment
The Company’s responsible gaming approach includes adherence to CGA guidelines on:
- player protection;
- age verification.
Policies are reviewed and enhanced to ensure they meet or exceed regulatory standards.
10. Rights Checklist
10.1. Right of Access
Under Article 15 GDPR, you can request:
- confirmation of whether we process your Personal Data;
- a copy of such Personal Data;
- information about how it is used.
10.2. Right to Rectification
Under Article 16 GDPR, you can request correction of:
- inaccurate Personal Data;
- incomplete Personal Data.
Correction should be made without undue delay.
10.3. Right to Erasure
Under Article 17 GDPR, you can request deletion of your Personal Data where legal grounds apply.
This may include cases where:
- data is no longer necessary for the purposes collected;
- you withdraw consent where applicable;
- no other lawful basis for processing applies.
10.4. Right to Restrict Processing
Under Article 18 GDPR, you can request that we limit Processing of your Personal Data in specific situations.
This may include cases where:
- accuracy is contested;
- Processing is unlawful.
10.5. Right to Data Portability
Under Article 20 GDPR, you can request a copy of the Personal Data you provided to us in a:
- structured format;
- commonly used format;
- machine-readable format.
Where technically feasible, you may transfer that data to another controller.
10.6. Right to Object
Under Article 21 GDPR, you can object to Processing of your Personal Data:
- for reasons related to your particular situation;
- where Processing is based on legitimate interests;
- for direct marketing purposes.
10.7. How to Exercise Your Rights
To exercise your data protection rights, you may contact us through:
- email: [email protected];
- postal address: Dr. Henri Fergusonweg 1, Curaçao.
11. Consent Withdrawal Checklist
11.1. Right to Withdraw Consent
If we process Personal Data based on consent, you have the right to withdraw that consent at any time.
11.2. Effect of Withdrawal
Withdrawal does not affect the lawfulness of Processing based on consent before its withdrawal.
11.3. How to Withdraw Consent
To withdraw consent, contact us using the channels specified in this Privacy Policy.
After receiving your request, we will stop Processing the relevant Personal Data unless retention is required to comply with legal or regulatory obligations.
11.4. Service Consequences
If withdrawal of consent affects our ability to provide certain Services, we will inform you of the consequences before completing the withdrawal process.
12. Complaint Checklist
12.1. Right to Lodge a Complaint
Under Article 77 GDPR, you have the right to lodge a complaint if you believe that:
- your Personal Data is being processed unlawfully;
- your privacy rights have been violated.
12.2. Where to Lodge a Complaint
You may lodge a complaint with:
- the supervisory authority in the EU Member State where you reside;
- the supervisory authority in the EU Member State where you work;
- the supervisory authority in the EU Member State where the alleged violation occurred;
- the Curaçao Gaming Authority;
- any other relevant data protection authority in Curaçao.
12.3. Contacting Us First
If you have concerns or unresolved questions about Processing of your Personal Data, we encourage you to contact us directly first.
We will make every reasonable effort to address your concerns in a timely and lawful manner.
13. Required Personal Data Checklist
13.1. Legal Requirement
Providing certain Personal Data may be a legal requirement.
This applies where data is needed to comply with laws and regulations, including:
- Anti-Money Laundering obligations;
- responsible gaming requirements.
13.2. Contractual Requirement
Providing certain Personal Data may be a contractual requirement.
This applies where data is necessary to:
- enter into a contract with you;
- perform a contract with you;
- enable access to the Services;
- process transactions.
13.3. Access Requirement
Providing certain Personal Data may be necessary to access the Services.
Without required Personal Data, we may be unable to:
- offer certain Services;
- fulfill contractual obligations;
- fulfill legal obligations.
13.4. Consequences of Non-Disclosure
Failure to provide required Personal Data may result in:
- inability to create or maintain an Account;
- restrictions on the use of the Services;
- termination of the contractual relationship;
- inability to comply with regulatory obligations;
- prevention from providing Services.
14. Legal Disclaimer Checklist
14.1. Service Availability
The Services operate on an “AS-IS” and “AS-AVAILABLE” basis.
No warranties or guarantees are provided for:
- uninterrupted performance;
- error-free performance.
14.2. Security Limitation
We take reasonable precautions to protect Personal Data.
However, absolute security cannot be guaranteed because of:
- the complex nature of technology;
- evolving cybersecurity threats.
14.3. Limitation of Liability
To the maximum extent permitted by law, we are not liable for:
- events beyond our direct control, including system failures, cyberattacks, or unauthorized access;
- indirect, incidental, consequential, or punitive damages arising from data breaches, unauthorized disclosure, or misuse of Personal Data;
- errors, inaccuracies, or security vulnerabilities on third-party websites linked from the platform.
14.4. Third-Party Websites
By using the Services, you acknowledge and agree that we do not bear responsibility for external websites or services operated by third parties, even if they are linked from the platform.
15. Acceptance, Updates, and Language Checklist
15.1. Acceptance of This Privacy Policy
Your continued use of the Services signifies your explicit acceptance of this Privacy Policy.
This document serves as the entire and exclusive Privacy Policy and replaces any previous versions.
15.2. Related Terms
This Privacy Policy should be read together with:
- the Terms and Conditions;
- any additional applicable notices posted on the platform.
15.3. Policy Changes
We reserve the right to modify this Privacy Policy at any time.
Any changes will be posted on the platform.
Continued use of the Services after modifications constitutes acceptance of the revised Policy.
15.4. Regular Review
You are strongly encouraged to review this Privacy Policy regularly to stay informed about updates.
15.5. Language Priority
All versions of this Policy, except for the English version, are provided for informational purposes only.
The English version prevails in case of discrepancies or conflicts between different versions.
