Main
/
Privacy Policy

Privacy Policy

Last updated: August 14, 2025

Introduction and Scope

This Website is owned and operated by Carletta N.V., with its registered office at Dr. Henri Fergusonweg 1, Curaçao, company registration number 142346. The Company has been licensed by the Curaçao Gaming Control Board since 24/Jun/2025 to offer games of chance under license number OGL/2024/580/0570 in accordance with the National Ordinance on Games of Chance (LOK).

This Privacy Policy (Policy) governs how we collect, use, and process your Personal Data through:

  • our Website;
  • communications via our email: [email protected];
  • phone calls and support chat sessions with us.

We act as the controller of your Personal Data. The main purpose of this Policy is to explain how we collect, use, store, share, and protect your Personal Data when you access or use our services through this Website, what categories of Personal Data we process, why and on what legal grounds we process it, what rights you have, and how you can exercise those rights. This Policy is intended for users in India as well as users in other jurisdictions where our services are available, and local legal requirements may also apply.

Definitions and Interpretation

Words with an initial capital letter have the meanings assigned to them in this Policy.

These definitions apply equally whether used in the singular or plural form.

For the purposes of this Policy:

  • Account — An individual account created for you to access our Services or specific sections of our Services, subject to identity checks and Regulatory Compliance requirements.
  • Company (referred to as we, us, or our) — Carletta N.V., a company incorporated under the laws of Curaçao, registration number 142346, with its official address at Dr. Henri Fergusonweg 1, Curaçao.
  • Service — The Website, its features, and related online gaming and interactive services offered by the Company.
  • Website — The Website and any subdomains, related platforms, or applications operated by the Company.
  • Personal Data — Any information relating to an identified or identifiable person, as described under the General Data Protection Regulation (GDPR) and the Curaçao Data Protection Framework.
  • Processing of Personal Data — Any action performed on Personal Data, by automated or manual means, including collection, recording, organization, structuring, storage, updating, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, deletion, or destruction.
  • Regulatory Compliance — The Company’s legal duty to process Personal Data under applicable laws, including the National Ordinance on Games of Chance (LOK) and Anti-Money Laundering (AML) rules. Processing for Regulatory Compliance is based on legal obligations and does not depend on user consent.

What Data We Process, For What Purposes, and On What Grounds

To be transparent, the overview below describes the purposes for processing your Personal Data, the relevant legal grounds under applicable data protection laws, the categories of Personal Data involved, and the retention approach.

Processing purpose Legal basis Personal Data categories
Account setup and access to the Services Contract performance or steps before entering into a contract (GDPR Art. 6(1)(b)) Email and/or phone; hashed password; selected currency; account identifiers; basic device/access logs used to activate and secure the Account
Identity checks (KYC), age verification, and AML/LOK compliance Legal obligation, including AML/CFT, LOK, NORUT (GDPR Art. 6(1)(c)); where relevant, legitimate interests in platform integrity (Art. 6(1)(f)) Government-issued ID (passport, ID card, driver’s license); proof of address; date of birth/age confirmation; selfies or liveness checks
Payment operations (deposits, withdrawals, refunds) Contract performance (Art. 6(1)(b)); legal obligation for record-keeping and AML (Art. 6(1)(c)); legitimate interests in fraud prevention (Art. 6(1)(f)) Payment method data; transaction records; currency; payout channel confirmations
Fraud prevention, security monitoring, and misuse prevention Legitimate interests in protecting the Services and users (Art. 6(1)(f)); legal obligations under AML/CTF (Art. 6(1)(c)) Technical and device identifiers (IP address, device type, browser details)
Responsible gaming, player safety, and self-exclusion administration Legal obligation under LOK/CGA responsible gaming requirements (Art. 6(1)(c)); legitimate interests in player welfare and Regulatory Compliance (Art. 6(1)(f)) Self-exclusion status and duration; cooling-off choices; play limits; play frequency and spending indicators that may signal risk; communications related to responsible gaming actions
Customer support and service communications Contract performance (Art. 6(1)(b)); legitimate interests in service quality and dispute management (Art. 6(1)(f)) Support requests; chat transcripts; email correspondence; call notes; account identifiers; transaction references connected to the request
Marketing communications (where permitted) Consent for electronic marketing (Art. 6(1)(a)); legitimate interests for similar-product soft opt-in where allowed (Art. 6(1)(f)); always subject to opt-out and responsible gaming restrictions Contact details (email/phone/push token); marketing preferences; engagement metrics; non-sensitive bonus eligibility status
Website operations, analytics, and cookies Legitimate interests in operating and improving the Website (Art. 6(1)(f)); consent where required for non-essential cookies (Art. 6(1)(a)) Usage logs; cookie IDs; browser type/version; traffic data; on-site interaction metrics
Regulatory reporting, audits, and dispute handling Legal obligation to cooperate with CGA, FIU, tax and other authorities (Art. 6(1)(c)); legitimate interests in establishing, exercising, or defending legal claims (Art. 6(1)(f)) Records required for regulatory cooperation, compliance reviews, or legal proceedings, as permitted by applicable laws

Data Retention

We keep your Personal Data only for as long as needed to achieve the purposes for which it was collected and processed, or for as long as we must keep it under legal and regulatory requirements. Retention periods are determined by:

  • the purpose of processing, including providing Services, meeting contractual obligations, or protecting our legitimate interests;
  • mandatory retention duties under laws and regulations, including AML, gaming, and tax requirements;
  • the need to establish, exercise, or defend legal claims, and to meet audit or supervisory requests.

After the applicable retention period ends, we securely delete, anonymize, or archive your Personal Data so it can no longer be linked to you, unless the law requires longer retention.

Where We Obtained Your Personal Data From

We mainly collect your Personal Data directly from you when you interact with our Services, including account creation, verification, payment actions, and your use of our Website. We may also obtain Personal Data from:

  • Directly from You: Details you provide when registering an account, completing verification, making deposits or withdrawals, or contacting support.
  • Your Use of Our Services: Data produced through your activity on the platform, such as gameplay, transaction history, device and log data, and cookie-related information (as described in our Cookie Policy).
  • Third-Party Verification and Compliance Services: We may use reputable third parties to support parts of our operations, including compliance, security, and payment processing.
  • Publicly Available and Legitimate Sources: Where needed, we may supplement the information you provide with data from publicly available, lawful sources, strictly for compliance, verification, or risk-control purposes.
  • Regulatory and Law Enforcement Authorities: In some situations, we may receive information from competent authorities connected to our legal and compliance duties.

Data Storage and International Transfers

We store your Personal Data on secure servers operated by us and by trusted service providers. Depending on operational and regulatory needs, these servers may be located within the European Economic Area (EEA) and in countries outside the EEA, including Curaçao.

Where Personal Data is transferred outside the EEA, we ensure the transfer meets applicable data protection requirements by applying safeguards such as:

  • Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate protection.
  • Standard Contractual Clauses (SCCs): Where no adequacy decision applies, we use European Commission-approved SCCs to safeguard your data.

Who May We Share Your Personal Information With

We disclose your Personal Data only when necessary and only for the purposes described in this Policy. Any sharing is carried out in line with applicable data protection laws, contractual obligations, and appropriate security controls.

Your Personal Data may be shared with:

  • Regulatory and Supervisory Authorities: Including the Curaçao Gaming Authority (CGA), the Financial Intelligence Unit (FIU), tax authorities, and other state or law enforcement bodies, where disclosure is required by law or by regulatory obligations, including AML and responsible gaming requirements.
  • Identity Verification and Compliance Service Providers: Service providers that assist with identity checks and support our AML and Know Your Customer (KYC) obligations.
  • Payment Processors and Financial Institutions: To process deposits, withdrawals, refunds, and related payment services, we may share transaction details, payment method information, and account identifiers.
  • Customer Support and Communication Tools: Providers that enable email delivery, live chat, or other communication channels may process Personal Data (such as contact details and support messages) to help us provide customer service.
  • Fraud Prevention and Security Partners: We may work with trusted partners who help us protect the security and integrity of the platform, including detecting and preventing suspicious, fraudulent, or unauthorized activity.
  • Analytics and Optimization Platforms: Third-party tools used to analyze Website usage, run A/B testing, and improve user experience. Where possible, information is anonymized or pseudonymized.
  • Game Content Providers: Licensed third-party providers that deliver certain platform features. We share only the minimum data needed for gameplay, such as player identifiers and game session details.
  • Internal Tools and IT Infrastructure Providers: We use secure hosting and productivity services to store and manage data required to operate our Services.

What About Cookies

This Website may use cookies and similar technologies to improve user experience, enable essential functions, and measure Website performance. Cookies are small text files placed on your device when you visit the Website. They help the Website recognize your device and remember certain details about your preferences or past actions.

Types of Cookies and Their Purposes

We may use different cookie categories, each with a specific purpose:

  • Strictly Necessary Cookies: These cookies are required for the Website to operate and cannot be turned off in our systems. They support core functions such as navigation, access to secure areas, and authentication.
  • Functional Cookies: These cookies enable additional functionality and personalization, such as remembering language choices or user settings. They may be placed by us or by third-party providers whose services we use.
  • Analytical or Performance Cookies: These cookies collect aggregated, anonymized information about how visitors use the Website (for example, page visits, click-through rates, and traffic sources). This helps us measure and improve Website performance.
  • Advertising or Targeting Cookies: These cookies may be placed by us or our advertising partners to build a profile of your interests and show relevant advertising on our Website or elsewhere. They may also help control how often you see ads and evaluate effectiveness.

Session vs. Persistent Cookies

  • Session cookies: Some cookies are session cookies and are removed when you close your browser.
  • Persistent cookies: Other cookies are persistent and remain on your device for a set period or until you delete them.

First-Party vs. Third-Party Cookies

  • First-party cookies: Cookies set by us.
  • Third-party cookies: Cookies set by third-party providers acting for us, including analytics providers, customer support tools, or advertising networks.

Managing Cookies

You can manage cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that limiting some cookies may reduce the availability or functionality of parts of the Website.

What Do We Do to Protect Minors

Following the Curaçao Gaming Authority’s (CGA) Responsible Gaming Policy introduced in February 2025, we apply strict measures to prevent underage access to our Services.

Age Restrictions and Affirmation

Our Services are intended only for individuals who are at least eighteen (18) years old or who meet the legal age requirement in their jurisdiction, whichever is higher. By accessing or registering for our Services, you confirm that you meet the applicable age requirement, including any age requirements applicable in India.

Comprehensive Age Verification Mechanisms

To enforce age restrictions, we use strong age-verification methods, including:

  • Document Verification: Users must submit valid government-issued identification during registration.

Preventive Measures and Security Reviews

Alongside age checks, we use additional safeguards to support compliance with our age rules:

  • Automated Monitoring: Ongoing monitoring of user activity to identify inconsistencies or signs of attempted underage access.
  • Security Reviews: Detailed reviews where underage use is suspected, including checks of registration details and payment activity.
  • Data Purging: Immediate deletion of Personal Data submitted by individuals identified as minors.

Parental Controls and Education

We encourage parents and guardians to use parental control tools and educate minors about safe online behavior to reduce the risk of unauthorized access to our Services.

Commitment to Responsible Gaming

Our approach to responsible gaming includes following the CGA’s requirements on player protection and age checks. We regularly review and strengthen our controls to ensure they meet or exceed regulatory standards.

By using our Services, you acknowledge and accept these requirements, confirm you meet the legal age criteria, and understand our commitment to responsible gaming practices.

Necessary Information About Your Rights

Your rights

Under the General Data Protection Regulation (GDPR), you have these rights regarding your Personal Data:

  • Right of Access (Article 15 GDPR): You may request confirmation of whether we process your Personal Data and obtain a copy of it, together with information on how it is used.
  • Right to Rectification (Article 16 GDPR): You may request correction of inaccurate or incomplete Personal Data without undue delay.
  • Right to Erasure (Right to be Forgotten) (Article 17 GDPR): You may request deletion of your Personal Data where certain legal grounds apply (for example, where the data is no longer needed for the purposes collected, or where you withdraw consent, if applicable).
  • Right to Restrict Processing (Article 18 GDPR): You may request that we limit the processing of your Personal Data in specific cases (for example, where accuracy is contested or processing is unlawful).
  • Right to Data Portability (Article 20 GDPR): You may request a copy of Personal Data you provided in a structured, commonly used, machine-readable format and ask to transfer it to another controller, where technically feasible.
  • Right to Object (Article 21 GDPR): You may object at any time to processing of your Personal Data for reasons related to your situation where processing is based on legitimate interests, or where processing is for direct marketing.

Exercising your rights

To exercise any data protection right, you can contact us at:

Withdraw Consent

Where we rely on your consent to process Personal Data, you can withdraw that consent at any time. Withdrawal does not affect processing that occurred before your consent was withdrawn.

To withdraw consent, contact us using the details in this Policy. After we receive your request, we will stop processing the relevant Personal Data unless we must keep it to meet legal or regulatory requirements.

If withdrawing consent limits our ability to provide certain Services, we will inform you about the implications before finalizing the withdrawal.

Complaint

Under Article 77 GDPR, if you believe your Personal Data is being processed unlawfully or your privacy rights have been breached, you may file a complaint with:

  • the supervisory authority in the EU Member State where you live, work, or where the alleged breach took place;
  • the Curaçao Gaming Authority (CGA) or another competent data protection authority in Curaçao.

If you have concerns or unresolved questions about how we process your Personal Data, we encourage you to contact us first. We will make reasonable efforts to resolve concerns promptly and in accordance with the law.

Provision of Personal Data and Consequences of Non-Disclosure

Providing your Personal Data may be:

  • A legal requirement: Certain information is required to meet legal and regulatory rules, including AML obligations and responsible gaming requirements.
  • A contractual requirement: Some information is needed to enter into and perform a contract with you, including granting access to our Services and processing transactions.
  • A requirement necessary to access our Services: Without required Personal Data, we may not be able to provide certain Services or meet legal or contractual duties.

Obligation to Provide Data

You must provide Personal Data where required by law or needed to perform a contract. If you do not provide required data, it may lead to:

  • inability to create or keep an Account;
  • limits on your use of our Services;
  • termination of the contractual relationship;
  • non-compliance with regulatory requirements, which may prevent us from providing Services.

Legal Disclaimer

Our Services are provided on an “AS-IS” and “AS-AVAILABLE” basis without warranties of uninterrupted or error-free operation. Although we take reasonable steps to protect Personal Data, absolute security cannot be guaranteed due to the complexity of technology and evolving cybersecurity risks.

Limitations of Liability

To the fullest extent permitted by law, we are not responsible for:

  • events outside our reasonable control, including system failures, cyberattacks, or unauthorized access;
  • indirect, incidental, consequential, or punitive losses arising from data breaches, unauthorized disclosure, or misuse of Personal Data;
  • mistakes, inaccuracies, or security issues on third-party websites linked from our platform.

By using our Services, you acknowledge that we are not responsible for external websites or third-party services, even if we link to them.

Consent to Privacy Policy

Your continued use of our Services confirms your acceptance of this Privacy Policy. This document is our entire and exclusive Privacy Policy and replaces any prior versions.

This Policy should be read together with our Terms and Conditions and any other relevant notices posted on our platform.

We may update this Policy at any time. Updates will be published on our platform, and continued use of our Services after changes means you accept the updated Policy.

We recommend reviewing this Policy regularly to stay aware of updates.

Other Terms

All Policy versions other than the English version are provided only for convenience. The English version prevails if there is any inconsistency or conflict between different language versions.