PRIVACY POLICY

Last updated: August 14, 2025

INTRODUCTION AND SCOPE

This Website is owned and operated by Carletta N.V. having its office at Dr. Henri Fergusonweg 1, Curaçao, company registration number 142346, which is licensed by the Curaçao Gaming Control Board since 24/Jun/2025, to offer games of chance under license number OGL/2024/580/0570 in accordance with the National Ordinance on Games of Chance (LOK).

This Privacy Policy (Policy) applies to the collection, use, and processing of your Personal Data through:

our Website;
communications via our email: [email protected];
phone calls and support chat sessions with us.

We act as the controller of your Personal Data, and the primary purpose of this Policy is to explain how we collect, use, store, disclose and protect your Personal Data when you access or use our services through this website, as well as the types of Personal Data we process, the purposes and legal bases for such processing, your rights in relation to your data, and how you can exercise those rights.

DEFINITIONS AND INTERPRETATION

The words of which the initial letter is capitalized have meanings defined in this Policy.

The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

For the purposes of this Policy:

Account — A unique account created for you to access our Services or specific parts of our Services, subject to identity verification and Regulatory Compliance requirements.

Company (referred to as we, us, or our herein) — Refers to Carletta N.V., a company registered under the laws of Curaçao, with registration number 142346 and an official address at Dr. Henri Fergusonweg 1, Curaçao.

Service — Refers to the Website, its functionalities, and related online gaming and interactive services provided by the Company.

Website — including any subdomains, associated platforms, or applications operated by the Company.

Personal Data — Any information that relates to an identified or identifiable individual, as defined under the General Data Protection Regulation (GDPR) and the Curaçao Data Protection Framework.

Processing of Personal Data — Any operation or set of operations performed on Personal Data, whether by automated or manual means, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction.

Regulatory Compliance — The legal obligation of the Company to process Personal Data in accordance with applicable laws, including National Ordinance on Games of Chance (LOK) and Anti-Money Laundering (AML) regulations. Such processing is based on legal requirements and does not rely on user consent.

WHAT DATA, FOR WHAT PURPOSES, AND ON WHAT GROUNDS, DO WE PROCESS

To ensure full transparency, the table below provides an overview of the purposes for which we process your Personal Data, the corresponding legal bases under applicable data protection laws, the categories of Personal Data involved, and the retention periods.

Purpose:Legal Basis:Personal Data Used:
Account Registration & Access to ServicesPerformance of a contract or steps prior to entering into a contract (GDPR Art. 6(1)(b)).Contact credentials (email and/or phone); password (hashed); chosen currency; account identifiers; basic device / access logs used to activate and secure the account.
Identity Verification (KYC), Age Confirmation & AML / LOK ComplianceCompliance with legal obligations incl. AML/CFT, LOK, NORUT (The National Ordinance on the Reporting of Unusual Transactions) (GDPR Art. 6(1)(c)); legitimate interests in platform integrity (Art. 6(1)(f)) where applicable.Government ID (passport, ID card, driver’s license); proof of address; date of birth / age attestation; selfies or liveness checks.
Payment Processing (Deposits, Withdrawals, Refunds)Contract performance (Art. 6(1)(b)); legal obligation for financial record-keeping & AML (Art. 6(1)(c)); legitimate interests in fraud prevention (Art. 6(1)(f)).Payment instrument data; transaction history; currency; payout channel confirmations.
Fraud Detection, Security Monitoring & Platform Abuse PreventionLegitimate interests in securing the Service & users (Art. 6(1)(f)); legal obligations under AML/CTF (Art. 6(1)(c)).Device & technical identifiers (IP address, device type, browser data);
Responsible Gaming, Player Protection & Self-Exclusion ManagementCompliance with LOK / CGA Responsible Gaming requirements (Art. 6(1)(c)); legitimate interests in player welfare & Regulatory Compliance (Art. 6(1)(f)).Self-exclusion status & duration; cooling-off selections; play limits; gameplay frequency & spend metrics indicative of risk; communications related to responsible gaming interventions.
Customer Support & Service CommunicationsContract performance (responding to service requests) (Art. 6(1)(b)); legitimate interests in service quality & dispute resolution (Art. 6(1)(f)).Support tickets, chat transcripts, email correspondence, call notes; account identifiers; transaction references tied to the inquiry.
Marketing Communications (Where Permitted)Consent (Art. 6(1)(a)) for electronic marketing; legitimate interests (Art. 6(1)(f)) for similar-product soft opt-in where allowed by law; always subject to opt-out and responsible gaming restrictions.Contact details (email/phone/push token); marketing preferences; engagement metrics; bonus eligibility status (non-sensitive).
Website Performance, Analytics & CookiesLegitimate interests in operating and improving the site (Art. 6(1)(f)); consent where required for non-essential cookies (Art. 6(1)(a)).Usage logs; cookie identifiers; browser type/version; traffic data; on-site interaction metrics.
Regulatory Reporting, Audits & Dispute ResolutionLegal obligation (Art. 6(1)(c)) to cooperate with CGA, FIU, tax and other authorities; legitimate interests in establishing, exercising or defending legal claims (Art. 6(1)(f)).Relevant records required for regulatory cooperation, compliance audits, or legal proceedings, as permitted by applicable laws.

DATA RETENTION

We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected and processed, or as required under applicable legal and regulatory obligations. The retention period for each category of data is determined based on:

The purpose of processing, including the provision of Services, compliance with contractual obligations, or protection of our legitimate interests.
Applicable statutory retention requirements, including but not limited to Anti-Money Laundering (AML), gaming, and tax regulations.
The need to establish, exercise, or defend legal claims, or to comply with audits and supervisory requirements.

Once the relevant retention period expires, your Personal Data is securely deleted, anonymized, or archived in a way that ensures it can no longer be associated with you, unless further retention is required by law.

WHERE DID WE OBTAIN YOUR PERSONAL DATA FROM

We collect your Personal Data primarily from you when you interact with our Services, including during account registration, identity verification, payment processing, and when you use our Website. In addition, we may obtain Personal Data from the following sources:

Directly from You:Information you provide when creating an account, completing verification steps, making deposits or withdrawals, or communicating with our support team.
Your Use of Our Services:Data generated through your activity on our platform, such as gameplay, transaction history, device and log information, and cookie data (in accordance with our Cookie Policy).
Third-Party Verification and Compliance Services:We may use trusted third parties to support certain aspects of our operations, including compliance, security, and payment-related functions.
Publicly Available and Legitimate Sources:Where necessary, we may supplement the information you provide with data obtained from publicly available and legitimate sources, solely for compliance, verification, or risk management purposes.
Regulatory and Law Enforcement Authorities:In some cases, we may receive data from competent authorities in connection with our legal and compliance obligations.

DATA STORAGE AND INTERNATIONAL TRANSFERS

We store your Personal Data on secure servers operated by us and our trusted service providers. These servers may be located both within the European Economic Area (EEA) and in jurisdictions outside the EEA, including Curaçao, depending on operational and regulatory requirements.

When Personal Data is transferred outside the EEA, we ensure that such transfers comply with applicable data protection laws, including implementing appropriate safeguards such as:

Adequacy Decisions: Transfers to countries recognized by the European Commission as providing an adequate level of data protection.
Standard Contractual Clauses (SCCs): Where no adequacy decision exists, we use SCCs approved by the European Commission to ensure your data remains protected.

WHO MAY WE SHARE YOUR PERSONAL INFORMATION WITH

We may share your Personal Data only when necessary and for the purposes outlined in this Privacy Policy. Sharing occurs strictly in compliance with applicable data protection laws, contractual obligations, and security measures.

Your Personal Data may be shared with:

Regulatory and Supervisory Authorities
Such as the Curaçao Gaming Authority (CGA), the Financial Intelligence Unit (FIU), tax authorities, and other governmental or law enforcement bodies, as required by law and regulatory obligations, including AML and responsible gaming requirements.
Identity Verification and Compliance Service Providers
These providers help us verify customer identity, and comply with AML and Know Your Customer (KYC) obligations.
Payment Processors and Financial Institutions
To enable deposits, withdrawals, and other payment-related services, we may share Personal Data such as transaction details, payment method information, and account identifiers.
Customer Support and Communication Tools
External service providers that facilitate email delivery, live chat, or other communication channels may process Personal Data (e.g., contact details, support messages) to assist in providing customer service.
Fraud Prevention and Security Partners
We may engage trusted service providers who assist us in protecting the security and integrity of our platform, including the detection and prevention of potentially fraudulent or unauthorized activity.
Analytics and Optimization Platforms
Third-party services that help us analyze website usage, conduct A/B testing, and improve user experience. Where possible, this data is anonymized or pseudonymized.
Game Content Providers
Licensed third-party game providers who enable certain features of our platform. We share only the minimum data required for gameplay (e.g., player identifiers and game session data).
Internal Tools and IT Infrastructure Providers
We use secure hosting and productivity solutions to store and manage data necessary for the operation of our Services.

WHAT ABOUT COOKIES

This Website may use cookies and similar technologies to enhance user experience, enable essential website functions, and analyze site performance. Cookies are small text files that are stored on your device when you visit the Website. They allow the Website to recognize your device and store certain information about your preferences or past actions.

Types of Cookies and Their Purposes

We may utilize various categories of cookies, each serving distinct purposes:

Strictly Necessary Cookies

These cookies are essential for the functioning of the Website and cannot be switched off in our systems. They enable core functionality such as page navigation, access to secure areas, and user authentication.

Functional Cookies

These cookies support enhanced functionality and personalization, such as remembering language preferences or user settings. They may be set by us or by third-party providers whose services we use.

Analytical or Performance Cookies

These cookies collect aggregated, anonymized data regarding how visitors use our Website (e.g., page visits, click-through rates, traffic sources). The purpose is to measure and improve Website performance.

Advertising or Targeting Cookies

These cookies may be set by us or our advertising partners to build a profile of your interests and deliver relevant advertising on our Website or on other websites. They may also help limit how often you see an advertisement and assess its effectiveness.

Session vs. Persistent Cookies

Some cookies are session-based and expire when you close your browser. Others are persistent cookies, which remain on your device for a predetermined period or until deleted by you.

First-Party vs. Third-Party Cookies

Cookies used on this Website may be set by us (first-party cookies) or by third-party service providers acting on our behalf (third-party cookies). These may include providers of analytics, customer support tools, or advertising networks.

Managing Cookies

You may control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note, however, that restricting certain cookies may affect the availability or functionality of some parts of the Website.

WHAT DO WE DO TO PROTECT MINORS

In alignment with the Curaçao Gaming Authority’s (CGA) Responsible Gaming Policy introduced in February 2025, we have implemented stringent measures to prevent underage access to our Services.

Age Restrictions and Affirmation

Our Services are strictly intended for individuals who are at least eighteen (18) years old or have reached the legal age as defined by their respective jurisdictions, whichever is higher. By accessing or registering for our Services, you affirm that you meet this age requirement.

Comprehensive Age Verification Mechanisms

To enforce these age restrictions effectively, we have implemented robust age verification mechanisms, including:

Document Verification: Users are required to provide valid government-issued identification documents during the registration process.

Preventive Measures and Security Reviews

In addition to age verification, we have instituted preventive measures to ensure compliance with our age policies:

Automated Monitoring: Continuous monitoring of user activity to detect inconsistencies or signs of underage access attempts.
Security Reviews: Conducting thorough security reviews when underage access is suspected, including verification of registration data and financial transactions.
Data Purging: Immediate deletion of Personal Data submitted by individuals identified as minors.

Parental Controls and Education

We encourage parents and guardians to utilize available parental control tools and educate minors about responsible online behavior to prevent unauthorized access to our Services.

Commitment to Responsible Gaming

Our dedication to responsible gaming includes adherence to the CGA’s guidelines on player protection and age verification. We continually review and enhance our policies to ensure they meet or exceed regulatory standards.

By using our Services, you acknowledge and agree to these terms, affirming that you meet the legal age requirements and understand our commitment to responsible gaming practices.

NECESSARY INFORMATION ABOUT YOUR RIGHTS

Your rights

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your Personal Data:

Right of Access (Article 15 GDPR)

You can request confirmation of whether we process your Personal Data and obtain a copy of such data, along with information about how it is used.

Right to Rectification (Article 16 GDPR)

You can request the correction of inaccurate or incomplete Personal Data without undue delay.

Right to Erasure (Right to be Forgotten) (Article 17 GDPR)

You can request the deletion of your Personal Data where certain legal grounds apply (e.g., when data is no longer necessary for the purposes collected, or you withdraw consent where applicable).

Right to Restrict Processing (Article 18 GDPR)

You can request that we limit the processing of your Personal Data in specific situations (e.g., when accuracy is contested or processing is unlawful).

Right to Data Portability (Article 20 GDPR)

You can request a copy of the Personal Data you provided to us in a structured, commonly used, and machine-readable format and transfer it to another controller, where technically feasible.

Right to Object (Article 21 GDPR)

You can object at any time to the processing of your Personal Data for reasons related to your particular situation, where processing is based on our legitimate interests or for direct marketing purposes.

Exercising your rights

If you wish to exercise any of your data protection rights you can contact us at:

our email: [email protected];
our postal address: Dr. Henri Fergusonweg 1, Curaçao.

WITHDRAW CONSENT

If we process your Personal Data based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.

To withdraw your consent, please contact us using the channels specified in this Privacy Policy. After receiving your request, we will stop processing your Personal Data unless retention is required to comply with legal or regulatory obligations.

Please note that if withdrawing consent affects our ability to provide certain Services, we will inform you of the consequences before completing the withdrawal process.

COMPLAINT

Pursuant to Article 77 GDPR, if you believe that your Personal Data is being processed unlawfully or your privacy rights have been violated, you have the right to lodge a complaint with:

The supervisory authority in the EU Member State where you reside, work, or where the alleged violation occurred.
The Curaçao Gaming Authority (CGA) or any other relevant data protection authority in Curaçao.

If you have any concerns or unresolved questions regarding the processing of your Personal Data, we encourage you to first contact us directly. We will make every reasonable effort to address your concerns in a timely and lawful manner.

PROVISION OF PERSONAL DATA AND CONSEQUENCES OF NON-DISCLOSURE

Providing your Personal Data may be:

A legal requirement: Certain data must be provided to comply with applicable laws and regulations, such as anti-money laundering (AML) obligations and responsible gaming requirements.
A contractual requirement: Some data is necessary to enter into and perform a contract with you, including enabling access to our Services and processing transactions.
A requirement necessary to access our Services: Without providing the required Personal Data, we may be unable to offer certain Services or fulfill our contractual or legal obligations.

Obligation to Provide Data

You are obliged to provide Personal Data when required by law or necessary for the performance of a contract. Failure to provide such data may result in:

Inability to create or maintain an Account;
Restrictions on the use of our Services;
Termination of the contractual relationship;
Failure to comply with regulatory obligations, which may prevent us from providing Services.

LEGAL DISCLAIMER

Our Services operate on an “AS-IS” and “AS-AVAILABLE” basis without any warranties or guarantees of uninterrupted or error-free performance. While we take reasonable precautions to protect your Personal Data, we cannot guarantee absolute security due to the complex nature of technology and evolving cybersecurity threats.

Limitations of Liability

To the maximum extent permitted by law, we are not liable for:Events beyond our direct control, including but not limited to system failures, cyberattacks, or unauthorized access.Indirect, incidental, consequential, or punitive damages arising from data breaches, unauthorized disclosure, or misuse of Personal Data.Errors, inaccuracies, or security vulnerabilities on third-party websites linked from our platform.

By using our Services, you acknowledge and agree that we do not bear responsibility for external websites or services operated by third parties, even if they are linked from our platform.

CONSENT TO PRIVACY POLICY

Your continued use of our Services signifies your explicit acceptance of this Privacy Policy. This document serves as our <,>entire and exclusive Privacy Policy, replacing any previous versions.

The Privacy Policy should be read together with our Terms and Conditions and any additional applicable notices posted on our platform.
We reserve the right to modify the Privacy Policy at any time. Any changes will be posted on our platform, and continued use of our Services after modifications constitutes acceptance of the revised Policy.
We strongly recommend regularly reviewing this Policy to stay informed about updates.

OTHER TERMS

All versions of the Policy, except for the English version, are provided for informational purposes only. The English version shall prevail in case of any discrepancies or conflicts between different versions.