Privacy Policy

1. Scope and who this applies to

This Policy covers players, people who want to play, site visitors, and people who get in touch with us (for example, for help, marketing, or job applicants using the Platform). It includes information that is used when you browse, sign up, transfer or withdraw money, play games, enter contests, get help, or change your settings. When it makes sense, business contact information of partners and providers is covered. The Platform is only for adults 18 and up.

2. Our legal bases

We process personal data under the GDPR/AVG using the following legal bases:

• Contract — to set up and operate your account, take payments, provide games, and support you.
  
• Legal obligation — to comply with the Remote Gambling Act, Wwft (AML/CTF), Sanctions Act, tax, bookkeeping, and consumer law; to check CRUKS; to respond to lawful requests.
  
• Legitimate interests — to keep the Platform secure; prevent fraud and abuse; improve features; personalise the experience; measure performance; defend legal claims. We balance these interests against your rights.
  
• Consent — for non‑essential cookies/SDKs, certain marketing, and where the law requires consent. You can withdraw consent at any time in the Platform or via the unsubscribe link.
  

3. Categories of personal data we collect

We collect the following categories, depending on how you use the Platform:

3.1 Identification and contact

Name, date of birth, nationality, residential address, e‑mail, mobile number, language, account ID/username, and communication preferences.

3.2 Verification (KYC)

Document images and metadata (passport, ID card, driving licence, residence permit), liveness selfie/video, identity verification results, adverse media/PEP/sanctions screening results, and address proofs (e.g., bank statement, utility bill). We do not seek special‑category data; however, documents may incidentally contain sensitive information which we do not use beyond verification.

3.3 Account and gameplay

Registration time, login history, session time stamps, game selections, bets and outcomes, bonuses claimed and progress, devices used, responsible‑play settings (limits, time‑outs, self‑exclusion), and support tickets.

3.4 Payments

Deposit and withdrawal history, method type (e.g., iDEAL, card, bank transfer), masked card data (first 6 and last 4 digits), IBAN/beneficiary details, transaction identifiers, and chargeback or dispute data. We do not store full card numbers.

3.5 Device and network

IP addresses, signals indicating location (such as GPS or Wi-Fi for eligibility checks), identifiers of devices, versions of operating systems and apps, information about cookies and local storage, details of crashes, and signals used to identify bots or account takeovers are all part of the data.

3.6 Marketing and communications

Opt‑ins and opt‑outs, campaign interactions, open/click information for e‑mails (via pixels), preference centre selections, and survey responses.

3.7 Records for compliance

AML/CTF case notes, source‑of‑funds/wealth evidence where requested, transaction monitoring logs, STR references, CRUKS checks (yes/no outcome), and sanctions screening logs.

4. Where we get your data

• Directly from you — when you register, verify, play, pay, contact support, or change settings.
  
• From your device — cookies/SDKs, local storage, and telemetry as described in the Cookie Policy.
  
• From third parties — identity/KYC vendors, sanctions/PEP/adverse‑media databases, payment processors, fraud‑prevention and device‑intelligence providers, analytics platforms, and marketing partners where you have agreed to be referred. We also receive CRUKS checks as required by law.
  

5. How we use personal data

We use personal data for the purposes below. Each purpose lists its primary legal bases.

1. Create and manage your account — registration, profile, eligibility, and support (Contract; Legal obligation).
   
2. Provide games and features — lobbies, game sessions, bonuses, leaderboards (Contract; Legitimate interests).
   
3. Payments — deposits, withdrawals, anti‑fraud controls, pay‑to‑source, reconciliation (Contract; Legal obligation; Legitimate interests).
   
4. KYC and age checks — identity, address, beneficial ownership of payment method (Legal obligation).
   
5. AML/CTF and sanctions — monitoring, investigations, reporting to FIU‑Netherlands, and screening (Legal obligation).
   
6. Responsible Gambling — limits, time‑outs, self‑exclusion, detection of harm indicators, and interventions (Legal obligation; Legitimate interests).
   
7. Security and abuse prevention — detecting bots, account takeover, and location spoofing; protecting the Platform and players (Legitimate interests; Legal obligation).
   
8. Service communications — confirmations, policy updates, security alerts (Contract; Legal obligation).
   
9. Marketing — only with your consent or where permitted; managing opt‑ins and suppression lists (Consent; Legitimate interests for certain communications to existing customers where allowed by law).
   
10. Analytics and product improvement — measuring performance, quality, and usage to improve the Platform (Legitimate interests; Consent for non‑essential cookies/SDKs).
    
11. Legal and regulatory — responding to complaints or lawful requests, defending legal claims, and meeting audit requirements (Legal obligation; Legitimate interests).
    

6. Automated decision‑making and profiling

We use automated systems to support decisions such as fraud detection, sanctions screening, CRUKS checks, risk scoring, bonus abuse detection, and responsible‑gambling monitoring. These systems help BinoBet respond quickly and consistently. Where a decision produces legal or similarly significant effects (e.g., blocking gameplay or payments), you have the right to request human review, to express your point of view, and to contest the decision. Contact our DPO to exercise this right.

7. Who we share data with

We share personal data with:

• Payment providers and banks — to process deposits, withdrawals, and chargebacks.
  
• Identity and verification partners — to verify documents and perform liveness checks.
  
• Sanctions/PEP/adverse‑media databases — for screening.
  
• Fraud‑prevention and security vendors — device intelligence, bot detection, geolocation, and risk scoring.
  
• Game studios and platform aggregators — to run games; these providers receive pseudonymous session or gameplay data necessary to operate the round.
  
• Analytics and crash‑reporting services — performance measurement and troubleshooting (pseudonymous where feasible).
  
• Marketing tools and CMP — to manage consent, campaigns, and preference logs.
  
• Customer support platforms — to handle chats and e‑mails.
  
• Regulators and authorities — KSA, FIU‑Netherlands, law enforcement, tax authorities, or courts, where we are legally required or permitted.
  
• Professional advisers — auditors, lawyers, and consultants under confidentiality.
  
• Corporate transactions — in the context of a merger, acquisition, or restructuring, subject to safeguards and continuity of protections.
  

We do not sell personal data. Where vendors act as processors, they follow our written instructions and data‑processing terms. Where vendors act as independent controllers, they provide their own notices.

8. International transfers

Some providers process data outside of the EEA/UK. When personal data is sent to another country, it is protected by things like adequacy decisions, extra technological measures (such encryption at rest and in transit, access controls, and minimization), and Standard Contractual Clauses (SCCs). Please contact our DPO for a copy of the relevant safeguards (with security and privacy redactions).

9. Data retention

We keep data only as long as needed for the purposes described, including legal and accounting obligations. Typical retention periods (subject to change by law):

Data category	Typical retention
Account profile and core ledger	Life of account + 7 years (tax/bookkeeping)
KYC documents and checks	5–7 years after account closure or last transaction (Wwft)
AML/CTF case files and STR records	Minimum 5 years after closure (Wwft)
CRUKS check logs (yes/no)	5 years or per legal guidance
Payments (deposits, withdrawals)	7 years (finance and audit)
Gameplay logs (pseudonymised where practicable)	Account life + 2 years for dispute resolution
Customer support tickets	2–5 years depending on issue type
Marketing preferences and consent logs	Until you withdraw consent + up to 24 months for audit
Cookies/SDK identifiers	As stated in the Cookie Policy or until you clear them

If the law requires, we may retain certain records longer (e.g., a legal hold for litigation). When retention ends, we erase or anonymise the data.

10. Your rights under GDPR/AVG

You have the following rights. We respond without undue delay and within one month (extendable in complex cases). We may need to verify your identity.

• Access — get a copy of your personal data.
  
• Rectification — correct inaccurate or incomplete data.
  
• Erasure — request deletion where there is no legal reason to keep data. Some records (e.g., AML/CTF, transaction logs) cannot be erased before legal retention expires.
  
• Restriction — temporarily limit processing in certain circumstances.
  
• Portability — receive data you provided to us in a structured, commonly used format and request we transmit it to another controller where technically feasible.
  
• Object — object to processing based on legitimate interests or direct marketing (including profiling).
  
• Withdraw consent — at any time for processing based on consent (e.g., non‑essential cookies/marketing).
  
• Human review of automated decisions — where decisions have legal or similarly significant effects (see Section 6).
  

To exercise your rights, contact [email protected] or use in‑product tools (Account → Privacy). If you are unhappy with our response, you may complain to the Autoriteit Persoonsgegevens.

11. Marketing choices

We send service messages necessary for your account (e.g., security alerts, policy updates). For marketing (news, offers, bonuses), we rely on your consent or permitted soft opt‑in rules. You can opt out in the message footer, in Account → Communications, or via our support team. We maintain suppression lists to make sure opt‑outs are respected.

We may run targeted messages based on your activity (e.g., game genre interests) using pseudonymous identifiers. We do not use special‑category data for marketing.

12. Cookies, SDKs, and similar technologies

We use cookies/SDKs to run the Platform, measure performance, enhance security, and personalise content. Non‑essential categories (analytics, personalisation, marketing) operate only with your consent. For details and controls, see the Cookie Policy. You may change your choices at any time. Where technically feasible, we honour Global Privacy Control (GPC) signals for marketing.

13. Security

We implement organisational and technical measures appropriate to the risks, including:

• encryption in transit (TLS) and for sensitive data at rest;
  
• strict access controls and multi‑factor authentication for staff;
  
• logging, monitoring, fraud detection, and intrusion prevention;
  
• vendor due diligence and contractual protections;
  
• secure development practices, testing, and change control;
  
• incident response with containment, remediation, and notification where required.
  

While no system is perfectly secure, we work to protect your data and review our measures regularly.

14. Responsible Gambling and wellbeing data

We process certain behavioural and affordability indicators to support duty of care and to help you stay in control. This includes limits, time‑outs, self‑exclusion status (including CRUKS), session lengths, deposit patterns, and support notes. We use this information to provide tools, prompts, and where necessary, to intervene. We do not infer sensitive health data; our processing focuses on behaviour observed on the Platform and information you give us about your circumstances.

15. Children’s data

Our services are not for children. If we discover that a person under 18 has registered or provided data, we will close the account, delete non‑mandatory data, and—where permitted by law—return any deposits to the original payment method. We may also record the event to prevent re‑registration.

16. Third‑party links and social features

The Platform may link to third‑party sites (e.g., game studio pages, help articles) or embed content. Those sites operate under their own privacy policies and are not controlled by us. Review their policies before providing data to them.

17. International play and geolocation

Access to real‑money play requires that you are physically located in the Netherlands. We use IP, GPS/Wi‑Fi, and device signals to ascertain location. VPNs, proxies, or remote‑desktop tools may interfere with compliance checks; using them to bypass restrictions is prohibited.

18. Changes to this Policy

We may update this Policy to reflect legal, regulatory, or technical changes. We will post the new version with the effective date and, where changes are material, provide a notice in the Platform. If we change how a consent‑based feature works, we will seek fresh consent where required.

Historic versions are available on request.

19. Glossary

• AML/CTF — laws and checks to prevent money laundering and terrorist financing.
  
• CRUKS — the Dutch national self‑exclusion register.
  
• Controller — the organisation that decides why and how personal data is processed.
  
• Legitimate interests — a lawful reason to process data when balanced against your rights.
  
• PEP — politically exposed person (and close associate/relative).
  
• SCCs — Standard Contractual Clauses for international data transfers.
  
• Special‑category data — sensitive data like health or beliefs; we do not seek this.
  
• Suppression list — a list of contacts who opted out of marketing, used only to prevent future sends.