1. Data Collection Practices
We collect the following categories of personal data to provide our iGaming portfolio management services:
Personal Information
- Identity Data: First name, last name, job title, company name
- Contact Data: Email address, phone number, postal address
- Account Data: Username, password (encrypted), user preferences
- Financial Data: Billing address, payment method details (processed by Stripe)
Business Information
- Operator Data: Company registration details, licensing information
- Brand Configurations: Casino brand settings, game portfolio configurations
- Compliance Data: Jurisdiction licenses, certification documents
- Operational Data: Game performance metrics, user activity logs
Technical Data
- Device Information: IP address, browser type and version, device type
- Usage Data: Pages visited, time spent, feature usage patterns
- Performance Data: Page load times, error logs, system performance metrics
- Security Logs: Login attempts, access patterns, security events
Legal Basis for Processing: We process your data based on contract performance, legitimate interests, legal obligations, and consent where required under GDPR Article 6.
2. How We Use Your Information
Your information is used exclusively for:
- Providing and maintaining our platform services
- Processing payments and managing subscriptions
- Providing customer support and technical assistance
- Ensuring platform security and preventing fraud
- Sending important service updates and notifications
- Improving our services based on usage patterns
3. Data Security
We implement enterprise-grade security measures including:
- End-to-end encryption for data transmission
- Encrypted data storage with regular security audits
- Multi-factor authentication and access controls
- Regular security monitoring and threat detection
- Compliance with iGaming industry security standards
4. Data Sharing
We do not sell, rent, or share your personal data with third parties except:
- With your explicit consent
- To comply with legal obligations or court orders
- With trusted service providers who assist in platform operations (under strict confidentiality agreements)
- In case of business transfers, with appropriate data protection measures
5. Your Rights Under GDPR
As a data subject under the General Data Protection Regulation (GDPR), you have comprehensive rights regarding your personal data:
- Request confirmation of data processing and receive a copy of your personal data. Response time: 30 days
- Correct inaccurate or incomplete personal data. Response time: 30 days
- Request deletion of your personal data ("right to be forgotten"). Subject to legal retention requirements
- Limit how we process your data under certain circumstances. May affect service availability
- Export your data in a structured, machine-readable format. Available in JSON/CSV formats
- Object to processing based on legitimate interests or direct marketing. We will cease unless compelling grounds exist
How to Exercise Your Rights
To exercise any of these rights, contact us at support@casinosync.io with:
- Clear identification of the right you wish to exercise
- Sufficient information to verify your identity
- Specific details about your request
Supervisory Authority
You have the right to lodge a complaint with the Malta Data Protection Commissioner:
Website: idpc.org.mt | Email: commissioner.dataprotection@gov.mt
6. Data Retention Policies
We maintain comprehensive data retention policies that balance operational needs with privacy principles and legal requirements:
| Data Category | Retention Period | Legal Basis | Deletion Method |
| --- | --- | --- | --- |
| Account Data | Active account + 90 days after termination | Contract performance | Secure deletion + overwrite |
| Financial Records | 7 years after last transaction | Legal obligation (tax law) | Encrypted archival, then deletion |
| Compliance Data | 10 years from last license activity | Regulatory requirements | Secure archival per jurisdiction rules |
| Security Logs | 2 years from creation | Legitimate interest (security) | Automated purge + log rotation |
| Usage Analytics | Anonymized - no retention limit | Legitimate interest (improvement) | Anonymization (not deletion) |
| Support Communications | 3 years from last contact | Legitimate interest (service) | Secure deletion |
- Scheduled purge processes
- Automated retention monitoring
- Secure overwriting protocols
- Audit trail maintenance
- Regular data audits
- Purpose limitation enforcement
- Unnecessary data identification
- Proactive minimization
Legal Hold Exceptions
Data may be retained beyond standard periods when:
- Subject to legal proceedings or regulatory investigations
- Required for pending dispute resolution
- Mandated by court orders or regulatory requests
- Necessary for law enforcement cooperation
Data Export Before Deletion
Before any scheduled deletion, we will:
- Notify you 30 days in advance via email
- Provide opportunity to export your data
- Offer extension options where legally permissible
- Confirm deletion completion via audit logs
7. Third-Party Integrations
We integrate with trusted third-party services to provide comprehensive platform functionality. Each integration is governed by strict data protection agreements:
| Service Provider | Purpose | Data Shared | Data Location | Privacy Policy |
| --- | --- | --- | --- | --- |
| Stripe | Payment processing & billing | Billing info, payment methods, transaction data | EU/US (adequacy decision) | View Policy |
| Analytics Services | Platform usage analytics | Anonymized usage data, performance metrics | EU data centers | GDPR-compliant processing |
| Email Services | Transactional emails & notifications | Email addresses, notification preferences | EU data centers | SOC 2 Type II certified |
| Cloud Infrastructure | Platform hosting & data storage | All platform data (encrypted) | EU data centers only | ISO 27001 certified |
Data Transfer Safeguards: All third-party data transfers are protected by Standard Contractual Clauses (SCCs) and additional safeguards as required under GDPR Chapter V.
Stripe Payment Processing
For payment processing, we use Stripe, a PCI DSS Level 1 certified payment processor. Stripe processes your payment information according to their privacy policy. We do not store complete payment card details on our servers - only encrypted tokens provided by Stripe for subscription management.
Analytics and Performance Monitoring
We use privacy-focused analytics to understand platform usage and improve performance. This includes:
- Anonymized user behavior analytics
- Performance monitoring and error tracking
- Feature usage statistics for product development
- Security monitoring and threat detection
8. Cookie Usage
We use cookies and similar technologies to provide essential platform functionality and enhance your experience:
- Authentication & session management
- Security & CSRF protection
- Platform functionality
- User preferences & settings
- Language & region settings
- Dashboard customizations
For detailed information about our cookie usage, including how to manage your preferences, see our comprehensive Cookie Policy.
9. Data Processing Role
Important for Enterprise Customers
CasinoSync Ltd acts as a data processor for customer game portfolio data under GDPR Article 28. This means:
- Retain full ownership of all data
- Determine purposes and means of processing
- Make decisions about data usage
- Control data access and permissions
- Process data only per your instructions
- Implement appropriate security measures
- Assist with GDPR compliance obligations
- Return or delete data upon termination
Data Processing Framework
All data processing activities are governed by our comprehensive Data Processing Agreement (DPA), which ensures:
- Malta Gaming Authority compliance for all iGaming data
- GDPR Article 28 adherence for EU data subjects
- Jurisdictional compliance for multi-jurisdiction operations
- Data minimization principles in all processing
- Purpose limitation to authorized business functions
- Audit trail maintenance for regulatory requirements
Data Ownership and Control
- Your Data Remains Yours: All game portfolio data, brand configurations, and operational data remain your property
- Processing Instructions: We process data solely according to your documented instructions and contractual agreements
- No Secondary Use: Customer data is never used for our own business purposes or shared with third parties without explicit consent
- Data Portability: Full data export capabilities ensure you can migrate or backup your data at any time
| Data Category | Processing Purpose | Legal Basis (Customer) | Retention Control |
| --- | --- | --- | --- |
| Game Portfolio Data | Platform functionality per customer instructions | Legitimate business interests | Customer-controlled |
| Brand Configurations | Multi-brand management services | Contract performance | Customer-controlled |
| Compliance Records | Regulatory reporting assistance | Legal obligations | Regulatory requirements |
| Usage Analytics | Service optimization (anonymized) | Legitimate interests | Platform improvement only |
Data Processing Agreement (DPA)
Enterprise customers receive a comprehensive DPA that covers:
- Detailed processing instructions
- Security measures and safeguards
- Sub-processor agreements
- Data breach notification procedures
- Audit rights and compliance monitoring
- Data return and deletion procedures
10. Contact Us
For privacy-related questions or to exercise your rights, contact us at:
Data Protection Officer
CasinoSync Ltd
Email: support@casinosync.io
Registration: Malta Company