Privacy Notice

Introduction

Casumo Holding plc (herein ‘Casumo’) is the “controller” of your personal data. This means we are responsible for deciding how we process personal information about you.

Casumo has a Data Protection Officer who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the Data Protection Officer at dpo@casumo.com.

Casumo may at times share personal data with third party service providers such as banks, payment providers, and others.

What information do we collect

Personal data, or personal information, means information relating to an identified or identifiable living individual. It does not include data where the identity has been removed (anonymous data) and it would not be possible to identify an individual from this anonymous data.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us. This includes, but is not limited to, any change of address, contact details and name.

Where we need to collect personal data by law, or under the terms of an agreement we have with you for the provision of services, and you fail to provide that information when requested (e.g. validation documents), we may not be able to provide any services to you, which may result in your account being terminated.

In order to provide our services or offer employment to you, we may need to collect, use, store and transfer different kinds of personal data about you, including:

1. General information including full name, address, email address, date of birth, contact telephone numbers, nationality and employment details.

2. Identification details including copies of your ID or passport, identification numbers issued by government bodies and photographs which identify you.

3. Criminal conviction data and or/police vetting form.

4. Financial information including your bank account and card details, salary and source of wealth information.

5. Special categories of personal data including information about your health.

6. IP address, which is a unique number identifying your computer.

7. Information collected from the use of our website and/or customer portal. This will include information to identify your browser, device, network you are using, IP address and to analyse use of the website and portal. We use cookies to enhance the online experience and you will find more information on our use of cookies in our cookie policy which is displayed on our website.

8. Photographs to help us validate your details and account.

9. References as may be requested from, and provided by, a previous employer(s).

10. Information which you may have provided during the course of your application to a vacancy with Casumo. This may include information provided indirectly via recruitment agency. 

11. Health information which may be required to be processed, in accordance with one or more lawful bases, during the course of your employment with Casumo.

12. Information linked to your personal business ID/swipe card such as business premise log-in and log-out data.

We also obtain information about you from these sources:

1. Introductory services such as affiliates or advertisers.

2. Credit reference agencies to confirm your identity, assess the risk, check your credit history and prevent fraud. We can obtain this information at any point during your relationship with us. A credit reference agency check may be recorded on your credit report. You can find more information on the credit reference agency via this link.

3. Publicly available information including county court judgements, bankruptcy and social media and networking sites.

4. Third party databases available to the online gaming industry including but not limited to anti-fraud databases.

How we use your information

The information we collect will be used for the purposes of providing services to, and fulfilling our agreement with you for the provision of services, risk assessment, including fraud prevention, financial status, sanctions checking, payment collection and statistical analysis to ensure the products we offer are in line with market needs and demands.

We use your information during our relationship with you, and after the end of our relationship in line with our retention policy to comply with our legal and regulatory obligations and where necessary, to support our legitimate interests in managing our business, improving our products and services, preventing and detecting crime, general risk modelling, transferring books of business, obtaining insurance, company sales and re-organisation.

The legal basis for processing your personal information

We will only use your personal information when the law allows us to, or where you have provided specific and explicit consent. Most commonly, we use your personal data in the following circumstances:

• Where we need to perform the services required as part of our agreement with you. This includes using your data to enable you to access and use the games on our platform, process deposits and withdrawals and account management and administration.
• Where it is necessary for our legitimate interests, provided your interests and fundamental rights do not override those interests. This includes improving our products and services, preventing and detecting crime, general risk modelling, research and statistical analysis.
• Where we need to comply with a legal obligation, including the detection and prevention of crime, such as Anti-Money Laundering (AML) and the Countering the Financing of Terrorism (CFT), and sharing information with regulators.
• Where you have given us consent to process your personal information, including but not limited to marketing and advertising purposes.

We may at times process your special category data (which consists of more sensitive information, such as your health data) in the following circumstances:

• Where you have given us your explicit consent.
• The processing is necessary for the exercise or defence of legal claims.
• The processing is necessary for reasons of substantial public interest.

We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Who will we share your information with?

Where necessary, we will share your information with:

• Other companies or brands within our group of companies which provide a range of group operational support services including HR, IT, legal, management information, marketing, finance, risk and compliance advice and assistance.
• Business partners, agents or affiliates, carefully appointed third parties providing a service to us on our behalf, including processing our post and mail, payment service providers, recruitment and administrative services.
• Third party databases available to the gaming industry including anti-fraud and money laundering databases.
• Legal, financial, medical and other professional advisors.
• Other companies when we are trialling their products and services which we consider may improve our services to you and our business processes.
• Other organisations that have a specific role in law such as statutory or regulatory bodies and other organisations where we have a duty or are permitted to disclose your personal information by law (for example if we receive a valid request from an official organisation in the interests of preventing or detecting crime)
• Other third parties or individuals if you have given us permission to do so or if they are acting on your behalf.
• Another company if our business, or part of it, is bought or taken over by that company or during confidential discussions about a sale or take over. We will ensure the information is protected by confidentiality agreements.
• Credit reference agencies.

Unless we are required to disclose your information by law, we will not share your personal data without safeguards being in place. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We have contracts in place with our third party data processors which means that they are unable to do anything with your personal information unless we have instructed them to do it.

Financial Crime and other fraud prevention and detection

To prevent and detect fraud, we may check your information against publicly available sources (such as social media and networking sites), with fraud prevention agencies and databases.

We have a regulatory requirement to put in place systems and controls to manage the risk of financial crime.

International Transfers

We, and our appointed service providers, may transfer and process personal information outside the European Economic Area. To protect your personal information, transfers are subject to data safeguards to ensure compliance with data protection laws.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised and/or unlawful way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, consultants and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have also put in place procedures to deal with any personal data breach (whether suspected or actual) and we will notify you and any applicable regulator of a breach where we are legally required to do so, or where we believe you have the right to know of such a breach.

How long do we keep your information

We will only keep your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for your personal data, we take into account the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Your legal rights

You have a number of rights under data protection laws in relation to your personal data. The rights available to you depend on our reason for processing your information.

• Right of access - Right to ask for copies of your personal information. This is known as a Subject Access Request (SAR). You can always rely on this right, but there are some exceptions, which means you might not always receive all of the information we process.
• Right to rectification -  Request rectification of your personal data if it is inaccurate or incomplete;
• Right to erasure - Request erasure of your personal data in certain circumstances;
• Right to restriction of processing - Restrict our use of your personal data in certain circumstances;
• Right to data portability - Move (or port) personal data. This only applies to information you have given us. You have the right to transfer the information you gave us, from one organisation to another or for us to give it to you, in machine readable format.
• Right to Object - object to the processing of your data where our legal basis for processing is based on our legitimate interests.

Should you wish to exercise your rights as listed above, please contact us at hey@casumo.com and dpo@casumo.com. 

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us by emailing our DPO at dpo@casumo.com. 

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the relevant Data Protection authorities based on your location:

UK: ICO           

Website: https://www.ico.org.uk/make-a-complaint

Malta: IDPC

Email: idpc.info@idpc.org.mt 

Spain: AEPD

Website: www.aepd.es

Gibraltar: GRA

Email: info@gra.gi 

Croatia: AZOP

Email: azop@azop.hr 

Macedonia: PDPA

Email: info@privacy.mk

Finland: The Office of the Data Protection Ombudsman

Email: tietosuoja@om.fi 

Germany: BfDI

Email: poststelle@bfdi.bund.de 

An extensive list of jurisdictions and their respective Regulatory Bodies can be found here.

Version: 1.0
Last updated: January 15, 2025