This Personal Data Processing Policy (hereinafter - 'the Policy') has been developed in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 of 27.04.2016 (GDPR) and other applicable data protection laws.
The Policy defines the procedure for processing personal data of users of the iGaming Ltd. online platform (hereinafter - the Operator) and measures to ensure the security of such data.
The Operator aims to respect the rights and freedoms of individuals and citizens when processing personal data, including the protection of the right to privacy.
The scope of this Policy applies to all personal data of users collected when using the iGaming online platform website (hereinafter - the Site).
By registering on the Site, the user gives consent to the processing of their personal data by ticking the corresponding box in the registration form.
This consent applies to all personal data processing actions described in the Policy and confirms that the user has read this Policy.
The Policy is a public document posted on the Site and supplements the provisions of the Privacy Policy, with a focus on the legal aspects of data processing.
The Operator processes the following categories of users' personal data:
Contact Data:
the user's email address provided during registration on the Site. This address is used to identify the account and to communicate with the user.Device Identification Data:
IP address, automatically collected when visiting the Site, as well as cookies and other unique identifiers. This data is recorded by the system to ensure the functioning of the Site, save user sessions, and analyze activity.Website Activity Data:
information about the user's actions on the Site, including dates and times of visits, viewed pages, clicks, operation logs, and other details about the use of Site services. This data helps the Operator monitor the operation of services and identify technical problems.Account and Preferences Data:
information related to the use of the account on the Site, including the history of posting advertisements (a list of advertisements published by the user on the platform), interface settings, and preferences (e.g., selected language, time zone, display settings). This information is collected to personalize the interface and for user convenience.Payment Data:
information about the user's transactions and payments on the Site – payment history through the Expay payment system (dates, amounts, payment statuses, etc.).Referral Data:
information about the user's transition to the Site via a referral link (referrer ID, invitation code). This data is used to implement referral programs and accrue bonuses (if applicable).The Operator does not collect special categories of personal data (concerning racial origin, political views, health, etc.) of users, nor does it process biometric data.
The categories listed above are exhaustive for the functioning of the iGaming platform and do not exceed the purposes for which they are collected (the data minimization principle according to GDPR).
The processing of personal data of iGaming platform users is carried out for specific, predetermined, and legitimate purposes. The main purposes of processing include:
The Operator processes data for user account registration and management, ensuring the operation of the Site's main functions (posting and viewing advertisements), fulfilling contractual obligations to the user (providing services for publishing advertisements), and general service administration. For example, the email is used as a login and for communication, and the ad history is used to manage publications and display them on the Site.
Contact data (email) is used to contact the user, send important notifications related to Site use, process support requests, and provide feedback. The Operator may send notifications about the status of posted ads, responses to user requests, and inform about significant changes in the Site's operation.
Payment data (transaction history via Expay) is used to ensure settlements with the user: confirming payment for services (e.g., paid placement or promotion of an ad), providing the user with paid functions, and maintaining financial records. This data is processed to fulfill the agreement with the user and to comply with legal requirements in the field of accounting and tax reporting (where applicable).
The Operator processes data on interface preferences and user activity to personalize the user experience – for example, saving display settings, language, and ad sorting. In addition, anonymized data on user actions (cookies, visit logs) is used to analyze audience behavior, improve the quality of the Site and its content. This helps identify the most demanded functions, optimize navigation, and increase service convenience.
IP addresses, logs, and other technical data are processed to protect the information security of the platform and users. The Operator monitors and analyzes activity to detect suspicious actions, prevent fraudulent operations, unauthorized access, and other violations. Such measures are necessary to protect accounts, prevent hacks, and maintain the integrity of services.
With the user's separate consent, the Operator may use contact data to send informational and marketing materials: newsletters, notifications about new features, special offers, and promotions related to the platform's activities. Advertising and news mailings are carried out strictly on a voluntary basis (opt-in); the user has the right to refuse to receive them at any time.
If the user participates in the referral program, the Operator processes data on referral links to accrue rewards and track program results. This is necessary to fulfill the terms of such a program and to reward users who attract new participants.
The Operator may process and store personal data for the purpose of complying with legal requirements (e.g., providing data upon a legitimate request from government authorities or storing payment information for a tax audit), as well as to protect its rights in legal disputes. In the case of legal obligations, the data will be used only to the extent necessary to fulfill such obligations or protect legitimate interests.
The Operator does not use users' personal data for purposes incompatible with the original ones. Data processing is carried out transparently and in good faith, strictly in accordance with the stated purposes (the principle of purpose limitation of processing). If personal data is to be processed for a new purpose not provided for by this Policy, the Operator will request separate consent from the user for such processing, or ensure there is another legal basis.
The processing of personal data of iGaming platform users is carried out on legal grounds in accordance with Article 6 of the GDPR. Depending on the category of data and the purpose of processing, the Operator relies on the following legal grounds:
The main basis for processing personal data is the user's voluntary, specific, and informed consent, which they provide when registering on the Site by ticking the consent checkbox. The consent covers all data actions specified in the Policy, performed for the relevant purposes. The Operator processes data based on Article 6(1)(a) of the GDPR – the user has approved the processing of their personal data for one or more specific purposes.
Part of the processing is carried out based on Article 6(1)(b) of the GDPR – for the conclusion and performance of a contract with the user. When registering, the user enters into a user agreement with the Operator, and processing their data is necessary to provide the Site's services. For example, processing the email for authorization, publishing ads, and processing payment data to perform paid services are carried out within the framework of the agreement with the user. Such processing is legal even without separate consent, as without it the Operator cannot provide the services requested by the user.
The Operator may process personal data when it is necessary to comply with legal obligations imposed on it (Article 6(1)(c) of the GDPR). For example, accounting and tax requirements may oblige the storage of payment information for a period specified by law, and supervisory authorities may request certain user data. In such cases, processing is carried out to the extent necessary to fulfill the Operator's legal obligations.
The processing of individual data may be carried out based on the legitimate interests of the Operator (Article 6(1)(f) of the GDPR), provided that such interests do not infringe on the rights and freedoms of users. In particular, ensuring the security of the Site, preventing fraud, sending service notifications to current clients, and improving the platform's operation are all recognized as a legitimate interest of the company. For example, storing access logs to investigate security incidents or analyzing anonymized service usage data to improve it is justified by the Operator's legitimate interest in maintaining the reliability and quality of the service. The user has the right to object to such processing, and the Operator will cease it unless it can demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject (Article 21 of the GDPR).
In all cases, the Operator assesses the applicability of a particular legal basis before starting processing. Personal data processing is not carried out in the absence of at least one of the specified legal grounds. If the purposes of processing change or new types of processing are introduced, the Operator will analyze the legal grounds and, if necessary, request additional consent from the user or ensure another GDPR-compliant basis for the legality of the processing.
The Operator stores users' personal data no longer than is required for the purposes of their processing, for which the user has given consent or which are permitted by applicable law (the principle of data storage limitation). Retention periods vary depending on the category of data and legal requirements:
This information is stored for the entire period of the user's use of the platform. Personal data related to the account is processed as long as the account is active. Upon the user deleting the account or requesting the deletion of personal data, the Operator ceases processing the relevant data and deletes it (provided there are no other grounds for storage). For example, the email and other profile data will be deleted or anonymized within a reasonable period after account deactivation.
The user's payment history is stored as long as necessary for accounting and fulfilling legal obligations. Financial documents and transaction information may be retained for the period established by tax or accounting legislation (usually not less than 5 years or another period required by law). This data will be deleted or anonymized upon the expiration of the mandatory retention period.
Activity logs, IP address records, and other technical data collected to ensure security and identify errors are stored for a limited period necessary for analysis and response to incidents. As a general rule, such data can be stored in the system from 6 months to 1 year, unless a longer period is justified by a specific need. Periodic cleaning (deletion or anonymization of old logs) is performed to comply with the principle of storage limitation.
Cookies have individual retention periods (depending on the specific cookie). Some cookies (session) exist only during the current user session on the Site and are deleted upon exiting the browser. Others (persistent) may be stored longer (e.g., from a few days to several months) to save settings. The user has the right to clear cookies in their browser at any time and also to configure their use (see the Cookie Policy for details).
If, as a result of processing, personal data has been anonymized (de-identified), i.e., ceased to relate to a specific user, such data can be stored by the Operator indefinitely – in an anonymized form, they do not fall under the scope of personal data legislation.
Upon the expiration of the specified retention periods, or upon achieving the purposes of processing (whichever comes first), the Operator destroys or irreversibly anonymizes the personal data. As a result of deletion, the data is excluded from all active Operator systems. In backup copies and archives, the data is also deleted during their scheduled update procedures.
If personal data is necessary for the presentation, satisfaction, or defense of legal claims, the Operator has the right to store it in the volume and for the period required for the relevant legal procedures, but with mandatory access and use restrictions exclusively for the specified purposes.
The Operator regularly reviews the relevance and necessary volume of stored personal data. If redundant or outdated data is found, it is subject to deletion or updating. Thus, the Operator complies with the principle of storing data no longer than necessary and takes measures to prevent indefinite storage of personal information without sufficient grounds.
The Operator takes all necessary legal, organizational, and technical measures to protect users' personal data from unlawful or accidental access, leakage, alteration, blocking, copying, distribution, and other unlawful actions by third parties. In accordance with Article 32 of the GDPR, iGaming Ltd. ensures an adequate level of personal data security, taking into account current risks and modern protection technologies. The main protection measures include:
Personal data is processed and stored on secure servers located in data centers within the European Union (EU-Central region). The choice of location in the EU ensures compliance with the high data protection standards provided by European legislation. Access to the servers is strictly controlled; virtual private servers (VPS/VDS) with limited access are used.
A secure HTTPS protocol (TLS/SSL) is used for all data transmission operations between the user and the Site. This means that personal data is encrypted when it is sent and received, preventing its interception by attackers during network transmission. The confidentiality and integrity of the information are maintained by modern cryptographic means. For example, one-time passwords are sent via secure communication channels.
The Site's web application is protected by a Web Application Firewall (WAF). The WAF analyzes incoming traffic and blocks malicious requests, preventing the most common attacks (SQL injections, XSS, exploits, etc.). This mechanism significantly enhances the Site's security and reduces the risk of unauthorized access, helping to comply with security standards (including GDPR). In addition, the Operator uses Cloudflare (CDN) services to protect against DDoS attacks and filter traffic – this allows for the cutting off of suspicious activity and maintains the resource's availability even under high load.
Antivirus software (e.g., ClamAV and similar tools) is used on servers and in the infrastructure to detect and neutralize malicious code. All files uploaded to the Site may be scanned for viruses. Antivirus databases are regularly updated, which provides up-to-date protection against new threats.
Strict control of employee access to personal data is ensured within the organization. Data processing is carried out only by authorized persons of the Operator, for whom access to the relevant information is necessary within the scope of their work functions. Every employee granted access to personal data signs a non-disclosure agreement. Access is implemented on the principle of least privilege: each employee has access only to the data they need for their work. All data actions in information systems are logged (access logs), which allows for the tracking and auditing of personal information access.
The Operator maintains security event logs and periodically analyzes them for suspicious activity. Intrusion detection tools and automated notification of administrators about potentially dangerous incidents have been implemented. The Site's and server's software are regularly updated, and up-to-date security patches are installed to prevent the exploitation of known vulnerabilities. A regular audit of protection measures and penetration testing (pentest) are performed as needed to ensure the reliability of the Site's defenses.
Users' personal data is regularly backed up (encrypted backup copies of databases are created) to prevent its loss due to equipment failures or other unforeseen circumstances. Backup copies are stored in a secure storage with limited access. In the event of an incident, this allows for the restoration of data and service functionality in the shortest possible time.
The company has implemented internal information security and data protection policies. Employees who work with personal data are instructed on the rules for handling confidential information. Management regularly reviews and updates security measures in accordance with the development of technology and changes in regulatory requirements.
The listed measures are aimed at preventing information leakage and unauthorized access to user data. It should be noted that no method of data transmission over the Internet or method of electronic storage guarantees absolute security. However, the Operator takes commercially reasonable efforts to protect personal data and constantly improves its security systems. In the event of vulnerabilities or incidents, the Operator undertakes to notify the competent supervisory authority and, if necessary, the data subjects themselves within the time limits established by law (Articles 33–34 of the GDPR).
Users of the iGaming platform, who are data subjects, have all the rights granted to them by the GDPR and data protection legislation. The Operator respects these rights and has created procedures for their implementation. The main rights of the data subject include:
the user has the right to request confirmation of the fact of processing their personal data by the Operator, as well as to receive a copy of all personal data relating to them that the Operator holds. Upon request, we will provide information about the data being processed, the purposes of processing, data categories, recipients to whom the data is disclosed, retention periods, and other information provided for by Article 15 of the GDPR.
the user has the right to demand that the Operator amends their personal data if it is inaccurate or outdated, as well as to supplement incomplete data. Upon the user's request, the Operator promptly makes the necessary corrections to guarantee the accuracy and relevance of the processed information.
the user has the right to request the deletion of their personal data if its further processing is not required by the Operator or is unlawful. Upon receiving a request for deletion, the Operator will delete the user's personal data, provided that its storage is no longer necessary on legal grounds (e.g., the data is not required for contract performance or for compliance with legal obligations). In particular, the user can request the deletion of their account and associated data; the Operator will perform such a deletion within the established timeframe.
in certain cases, the user may request the temporary suspension of their data processing (other than storage) – for example, if they dispute the accuracy of the data or the legality of its processing. When processing is restricted, the Operator only stores the data and does not perform other operations without the user's consent, except in cases permitted by law. The restriction will be in effect until the disputed issues are resolved (e.g., accuracy is verified or the legality of processing grounds is determined).
upon the user's request, the Operator will provide them with the personal data that the user themselves provided to the Operator, in a structured, commonly used, machine-readable format (e.g., CSV or JSON). The user also has the right to request that this data be transmitted directly to another controller (e.g., another online service), if technically feasible. This right applies to data processed by automated means based on the user's consent or a contract with them.
the user has the right to object at any time to the processing of their personal data if such processing is carried out based on the Operator's legitimate interests (Article 6(1)(f)) or for direct marketing purposes. If the user objects to processing based on a legitimate interest, the Operator will cease the processing, except in cases where compelling legitimate grounds that override the user's interests and rights are demonstrated. If the objection concerns direct marketing (mailings), the processing for these purposes will be ceased immediately upon receipt of the objection (without any exceptions).
the user has the right not to be subject to a decision based solely on automated processing (including profiling) if such a decision produces legal effects concerning the user or similarly significantly affects them. The iGaming platform does not have algorithms that make decisions regarding users without human intervention, but if such functions are implemented in the future, the user will have the right to demand human involvement in the decision-making, express their point of view, and challenge the decision.
if processing is based on the user's consent, they have the right to withdraw their consent at any time (without retroactivity for already completed processing actions). The Operator will not further process the data based on the previously given consent and, in the absence of other legal grounds, will delete or anonymize the relevant data. The user is informed that the withdrawal of consent may make it impossible to continue providing them with certain Site services that require data processing. Withdrawal of consent is carried out by sending a corresponding request (see Section 8 below).
the user has the right to file a complaint with the competent supervisory authority for data protection if they believe that their rights have been violated as a result of unlawful processing of their personal data. The complaint can be sent to the supervisory authority of the user's country of residence, country of work, or country of the alleged violation. In the EU jurisdiction, such authorities are national data protection authorities. The user also has the right to protect their rights through judicial means – to challenge the actions or inactions of the Operator in court. The Operator recommends first contacting us directly to settle issues, but this does not limit the data subject's legal rights.
To exercise their rights, the user can send a corresponding request to the Operator. This can be done via email to the address specified in the 'Operator Contacts' section of this Policy, or by other means provided on the Site.
The request must contain sufficient information to verify the identity of the applicant (to prevent unauthorized access to data).
The Operator will review the request and provide a response or perform the requested action within 30 days of receiving the request, unless a different period is established by law. In case of the need to extend the period (e.g., for complex requests requiring additional time), the Operator will notify the user of the reason for the delay.
Providing information upon data subjects' requests is free of charge, except in cases of repetitive or clearly excessive requests, when a reasonable fee may be charged in accordance with the GDPR.
The Operator processes users' personal data primarily on the basis of their consent. Consent is obtained during user registration on the Site as follows:
in the registration form, there is a separate checkbox with an explanation indicating consent to the Personal Data Processing Policy. The user expresses their consent by independently ticking this checkbox and then clicking the registration confirmation button.
The checkbox is not pre-ticked by default, which requires the user to perform a clear, active action to provide consent (as required by the GDPR).
Before submitting the registration form, the user has the opportunity to read the text of this Policy (a hyperlink to the document is provided next to the consent checkbox). Thus, the consent is conscious and informed: the user is notified of what data will be collected and how it will be processed, and voluntarily confirms their consent under these conditions.
Ticking the box during registration is considered a clear affirmative action indicating the data subject's willingness to have their personal data processed.
Silence or inaction is not considered consent, and registration cannot be completed without ticking the consent box (the checkbox cannot be left pre-ticked by the system, in accordance with the requirements of the GDPR, recital 32).
The consent provided during registration covers all processing operations described in this Policy, including the collection, storage, use, and distribution of data to the extent necessary to achieve the specified processing purposes.
In cases where separate consents are required for specific types of processing (e.g., for receiving marketing mailings, using cookies for analytics, etc.), the Operator requests them separately, providing the user with the opportunity for free choice (e.g., separate checkboxes or profile settings). Such consents can also be withdrawn at any time.
The user has the right to withdraw their previously given consent to the processing of personal data. To do this, it is necessary to send the Operator a corresponding notification in any form – for example, via email to the support address specified in the contacts.
Upon receiving a withdrawal of consent, the Operator ceases the processing of the user's personal data based on consent and, within 30 days, destroys (deletes or anonymizes) such personal data, unless there are other legal grounds for its further processing (e.g., a legal necessity).
The withdrawal of consent does not affect the legality of processing carried out before the moment of withdrawal.
The Operator informs the user of the result of the review of their withdrawal request (confirms data deletion or justifies the impossibility of complete deletion if there are exceptions according to the law).
Please note that refusing to provide consent during registration makes it impossible to create an account and use the personalized services of the Site – the user has the right not to give consent, but in that case, the Operator will not be able to provide them with the platform's services. Nevertheless, the user can always view publicly available information on the Site without registration and without transmitting personal data.
Operator (data controller): iGaming Ltd. – the company that collects and processes personal data of iGaming platform users.
To contact us regarding personal data issues, you can use the following contacts:
Email (DPO/support service): [email protected] – any requests related to personal data are accepted at this address (consent withdrawals, requests for data access/deletion, questions about the provisions of the Policy).
The Operator will review the received request and provide a response within the time limits established by law.
If your request was not satisfied or you believe that the violation has not been rectified, you have the right to contact the competent data protection authority, as stated in Section 7.
The last update date of this Policy is July 25, 2025.
The Operator reserves the right to make changes to this Policy in case of changes in legislation or the introduction of new processing technologies. In case of significant changes, we will notify users by posting a corresponding announcement on the Site.
We recommend regularly reviewing this document to stay informed about how the Operator protects your personal data.
Thank you for your attention to our Personal Data Processing Policy. We strive to ensure maximum transparency and security when working with your data.
If you have any additional questions or requirements, please contact us using the provided contacts.
iGaming Ltd. values user trust and guarantees that personal data is processed in strict accordance with the current data protection legislation and this Policy.
Source: This Policy was developed taking into account the provisions of the GDPR and best practices for ensuring data privacy, and is also based on standard data processing policies in the iGaming industry. All conditions specified in the document comply with legal requirements and are aimed at protecting the rights of data subjects.