Privacy Policy

This is version 2.4 of the Winzon Group LTD Privacy Policy, last updated on 01 June 2023

Abbreviations & Definitions
Controller & Contact details
Changes to the Privacy policy and your duty to inform us on changes
Data collected, Purposes & Legal basis for processing
Special categories of Data
Categories of data recipients & Data transfer
Retention period for the data
Cookie policy
Your rights
What we may need from you
Different brands
Time limit to respond

Abbreviations & Definitions

AML	Anti-money laundering and countering the financing of terrorism as defined in the 5^th AML directive and the FATF Recommendations.
DPO	Data Protection Officer.
EEA	European Economic Area.
EU	European Union.
GDPR	Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ( General Data Protection Regulation).
PEP	Politically exposed person. Such status is also applicable to family members or persons known to be close associates of politically exposed persons.
Player	End-customer, who participates or takes preparatory steps to use Services provided by WINZON. References in this policy to you or your are references to player.
Services	As appropriate, the services offered for the time being by WINZON through the website and/or via any mobile or tablet application.
Website	https://winzz.com and/or any other website owned or operated by WINZON.
WINZON	Winzon Group Ltd., reg.no. C89900 with the registered office at MK Business Centre 115A, Floor 2, Valley Road, Birkirkara BKR 9022, Malta. References in this policy to us, our, we or company are references to WINZON.

Other abbreviations & definitions (for example, personal data, controller, processor, data subject, recipient, third party, consent, processing, etc.) used in this policy have the same meaning as they are defined in the GDPR.

WINZON is the GDPR subject - in the context of this policy WINZON may be referred to also as the controller.

WINZON processes personal data of the players as data subjects – in the context of this policy the data subject and the player have the same meaning, and by a term data – it is assumed the personal data of the players, which are processed by WINZON.

Controller & Contact details
WINZON is the controller of the players personal data, and the player can contact WINZON and the DPO at compliance@winzon.com or by mail at:

Winzon Group LTD MK Business Centre 115A, Floor 2, Valley road, Birkirkara BKR 9022, Malta
Changes to the Privacy policy and your duty to inform us on changes
We reserve the right, at our complete discretion, to change, modify, add and/or remove portion of this Privacy Policy at any time. You shall be in advance informed by us of any material changes made to this Privacy policy (as well as other terms and conditions relevant to the website.

Data collected, Purposes & Legal basis for processing

You hereby acknowledge and accept that it is necessary for us to collect and otherwise use your personal data in order to allow you access and use of the website and in order to allow you to participate in games or bets.

We hereby acknowledge that in collecting your personal data as stated in the previous provision, we are bound by the GDPR and Data Protection Act (CAP 586) of Malta. We will protect your personal data and respect your privacy in accordance with best business practices and applicable laws.

We will use your personal data to allow you to participate in the games and bets and to carry out operations relevant to your participation in the games or bets. We may also use your personal data to inform you of changes, new services and promotions that we think you may find interesting. If you do not wish to receive such direct marketing data, you may opt out of such service - please log in to your gaming account and edit profile in order to opt out. If you wish to opt-in again and receive any kind of marketing material, you can do so by logging in in to you gaming account and edit profile or by contacting Customer Support.

We may contact you periodically by email, telephone or other forms of mobile-based communication with offers and promotions from other WINZON related companies, which are operated by and under the licenses of WINZON. You hereby consent to such contact. Calls may be recorded and used for training purposes.

Where we need to collect data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our services).

Please make sure that your username does not contain any personally identifiable information, as the username is shared with certain partners and in the course of the sharing of the username, this is not, separately, considered personal data. Please contact us if your username contains your personally identifiable data, so we can make proper arrangements to protect your data and guide you as to how to change the username.

The following table outlines the categories of personal data which we process, the purpose for which we process such data, as well as the corresponding legal basis used for such processing. It is pertinent to know that the same categories of personal data may be processed for different purposes and therefore on the basis of a various legal grounds simultaneously depending on the purpose of processing

Data processed	Processing purpose	Legal basis for the processing
Identification & Verification data (incl. AML data) - name, surname, maiden name (if applicable), mailing/residence/permanent address, incl. proof of address (copy of utility bill, bank reference letter, etc.), date of birth, place of birth (if applicable), identity card/passport data (incl. copy of the ID card/passport), nationality, media involvement, Power of Attorney (if applicable), family members, degrees and qualifications, schools/universities attended, employment history and information	Age, identity and contact details verification.	Compliance with a legal obligation.
	To establish and investigate any suspicious behavior in order to protect our business from any risk and fraud.	Legitimate interest (detection and prevention of fraud).
	To execute and manage payment transactions.	Contractual necessity.
	For AML and due diligence purposes.	Compliance with a legal obligation.
Contact data - name, surname, maiden name (if applicable), phone number, email address, mailing/residence/permanent address, incl. proof of address (copy of utility bill, bank reference letter, etc.)	To fulfill WINZON’s obligations on reporting to regulators/ law enforcement authorities.	Compliance with a legal obligation.
	To establish and investigate any suspicious behavior in order to protect WINZON’s business from any risk and fraud	Legitimate interest (detection and prevention of fraud).
	Monitoring and evaluation of transactions and bets, control and comparison of such information for accuracy and verification with third parties.	Legitimate interest (ensuring the accuracy and legal nature of the information provided).
	To set up a gaming account on WINZON’s system and register a player as a new user.	Contractual necessity.
	To manage WINZON’s and player’s ongoing relationship and provide a player with customer care services.	Contractual necessity.
	To perform statistical analysis in order to improve and upgrade WINZON’s current services/games and develop updated or new games.	Legitimate interest (service reports & business development.
	To allow a player to take part in any potential loyalty scheme on website.	Legitimate interest (loyalty program purposes).
	To subscribe to a newsletter, campaigns and/or to be added to a mailing list.	Player’s consent.
	Monitoring and evaluation of a player’s gambling behavior/habits and activities for personalized offers, bonuses and user interface.	Player’s consent.
	To present a player offers, promotions and new services/games.	Player’s consent.
	To participate in any online survey or poll.	Player’s consent.
	For AML and due diligence purposes.	Compliance with a legal obligation.
	Social media marketing.	Legitimate interest (to promote WINZON’s own services, to develop WINZON’s business and enhance relationship with the player by targeted offers) OR Player’s consent.
Registration data - name, surname, maiden name (if applicable), username, password, date of birth, place of birth (if applicable), country of residence and address (if applicable), gender	To register a data subject as a new player, to identify the player and verify the player when he/she access to his/her gaming account to allow him/her to participate in games.	Contractual necessity.
	AML and due diligence purposes. Conduct AML investigations (e.g., verifying identity, age, address and if you are a politically exposed person) and other investigations during the customer relationship.	Compliance with a legal obligation.
	To fulfill Winzon's obligations on reporting to regulators / law enforcement authorities.	Player’s consent.
	To establish and investigate any suspicious behavior in order to protect our business from any risk and fraud.	Legitimate interest (detection and prevention of fraud).
	To enforce our terms and conditions.	Legitimate interest (ensuring WINZON maintains an accurate record on WINZON’s system).
	Monitoring and evaluation of transactions and bets, control and comparison of such information for accuracy and verification with third parties.	Legitimate interest (ensuring the accuracy and legal nature of the information provided).
	To perform statistical analysis in order to improve and upgrade WINZON’s current services/games and develop updated or new games.	Legitimate interest (service reports & business development).
	To allow the player to take part in any potential loyalty scheme on Winzon's web site.	Legitimate interest (loyalty program purposes)
	To subscribe to a newsletter, campaigns and/or to be added to a mailing list.	Player’s consent.
	Monitoring and evaluation of the player's gambling behavior/habits and activities for personalized offers, bonuses and user interface.	Player’s consent.
	To present the player offers, promotions and new services/games.	Player’s consent.
	To participate in any online survey or poll.	Player’s consent.
Financial & Payments data - financial status information (bank statement including through open-banking solutions subject to your authorization, source of income and source of wealth - copy of bank notice, payment account statement, etc.), bank/PSPs details, masked credit card details (e.g., last 4 digits of the credit card), payment account number, bank transfer information (data requested and processed differs country by country and PSP by PSP) such as currency, location, amount/value, player IP, username, token, transaction information (transaction history, transaction attempt history), proof of e-wallet ownership, tax identification number, territory applicable personal identification where required or permitted by law	To verify the transaction is not fraudulent and make relevant cross-checking to avoid chargebacks.	Compliance with a legal obligation.
	AML and due diligence purposes. Conduct AML investigations (e.g., verifying identity, age, address and if a player is/is not a politically exposed person) and other investigations during the customer relationship.	Compliance with a legal obligation.
	To fulfill WINZON’s obligations on reporting to regulators/ law enforcement authorities.	Compliance with a legal obligation.
	To establish and investigate any suspicious behavior in order to protect WINZON’s business from any risk and fraud.	Legitimate interest (detection and prevention of fraud).
	Monitoring and evaluation of transactions and bets, control and comparison of such information for accuracy and verification with third parties.	Legitimate Interest (ensuring the accuracy and legal nature of the information provided).
	To perform statistical analysis in order to improve and upgrade WINZON’s current services/games and develop updated or new games.	Legitimate Interest (service reports & business development).
	To allow you to take part in any potential loyalty scheme on Our site.	Legitimate interest (loyalty program purposes).
	To execute and manage payment transactions.	Contractual necessity.
Responsible gaming data - name, surname, maiden name (if applicable), mailing/residence/permanent address, phone number, email address, date of birth, place of birth (if applicable), country of residence, transaction information (transaction history, transaction attempt history), Self-exclusion, Identification & Verification data	To adhere to WINZON’s Responsible Gaming and/or Self-exclusion obligations.	Compliance with a legal obligation.
	Responsible gaming profiling.	Compliance with a legal obligation.
Data required for marketing purposes – name, surname, mailing address, phone number, email address, proof of opt-in consent (where required), proof of objections to marketing, website data and online identifiers (such as IP address, and other information generated by the player’s browser	To provide you with marketing material that You have requested from us or that we are otherwise authorized to send you.	Player’s consent (where required) OR Legitimate interest (for marketing purposes, where WINZON does not require Player’s consent & to improve WINZON’s services).
	To personalize your customer experience.	Player’s consent (where required) OR Legitimate interest (for marketing purposes, where WINZON does not require Player’s consent & to improve WINZON’s services).
Online activity data - traffic data, geo-location data, weblogs and communication data	To detect and prevent fraud.	Legitimate interest (detect and prevent fraud).
	To fulfill WINZON’s obligations on reporting to regulators / law enforcement authorities.	Compliance with a legal obligation.
	AML and due diligence purposes. Conduct AML investigations (e.g., verifying identity, age, address and if you are a politically exposed person) and other investigations during the customer relationship.	Compliance with a legal obligation.
	To ensure that our services are only provided to territories we is licensed to operate in.	Compliance with a legal obligation.
Self-exclusion data – data pertaining you and your self-exclusion such as Registration data and Contact data, and your self-exclusion information such as reason, start and date, utilization of self-exclusion tools such as exclusions, session limit, loss limit, wager limit, deposit limit, reality check	To adhere to WINZON’s Responsible Gaming and/or Self-exclusion obligations.	Compliance with a legal obligation.
	To fulfill WINZON’s obligations on reporting to regulators / law enforcement authorities.	Compliance with a legal obligation.
	To manage WINZON’s relationship with the player, to communicate with the player, to provide the player with access to WINZON’s services and any ancillary services.	Contractual necessity OR Compliance with a legal obligation.
Transaction & Usage data – data generated through your use of our services and include payments to and from you (deposits, withdrawals, failed deposits and reversed withdrawals) and other details of services you have purchased from us (such as bets, wagers (real and bonus), wins), date and time of the transactions, gaming account balances (bonus and real), bonuses used (conversion and forfeiture), bonuses turnover, bonuses balance, channels used, transaction games player, language, country	To allow the player to use WINZON’s services.	Contractual necessity.
	To process and manage payment transactions.	Contractual necessity.
	To manage WINZON’s relationship with the player, to communicate with the player, to provide the player with access to WINZON’s services and any ancillary services	Contractual necessity OR Compliance with a legal obligation.
	For AML and due diligence purposes.	Compliance with a legal obligation.
	Responsible gaming profiling.	Compliance with a legal obligation.
	Customer segmentation for the purpose of tailored offers and bonuses sent via direct marketing.	Legitimate interest (to promote WINZON’s own services, to develop WINZON’s business and enhance relationship with the player by targeted offers).
	Loyalty program purposes to (i) offering bonuses and other gifts which would be of interest to the player, based on previous bonuses or gifts the player may have benefited from, and (ii) contacting the player on his/her preferred contact channels.	Legitimate interest (to promote WINZON’s own services, improve player’s experience with WINZON’s services and for offer the player tailored loyalty programme).
	Customer segmentation for the loyalty program purposes and reasonable gambling purposes.	Compliance with a legal obligation OR Legitimate interest (to promote WINZON’s services, improve player’s experience with WINZON’s services and for offer the player tailored loyalty programme).
	Commercial business analysis for the creation of standard, periodical as well as ad hoc reports.	Legitimate interest (to develop WINZON’s products/services and grow WINZON’s business).
	Web analytics.	Legitimate interest (to develop WINZON’s products/services and grow WINZON’s business).
	Games recommendation.	Legitimate interest (to provide customized, quality experiences for the players).
Login data – includes internet protocol (IP) address, your logins (first login, last login, last failed login), duration of logins, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the device you use to access our services	To register a data subject as a new player, to identify the player and verify the player when he/she access to his/her gaming account to allow him/her to participate in games.	Contractual necessity.
	To establish and investigate any suspicious behaviour in order to protect WINZON’s business from any risk and fraud.	Legitimate interest (to detect and prevent fraud).
Profile data – includes internal notes to your gaming account, interests, preferences, feedback, information about events which you have attended; your preferences as to whether you wish to attend any events, and what type of events you prefer; any bonus/cash back deals, or bonus preference you have been offered or benefitted from; whether you have received any giveaways or/and your preferences regarding what type of gifts you would like to receive; your preferences as to contact channels; information regarding your hobbies and interests	To manage WINZON’s relationship with the player, to communicate with the player, to provide the player with access to WINZON’s services and any ancillary services.	Contractual necessity OR Compliance with a legal obligation.
	Direct marketing of WINZON’s own services – loyalty programme.	Legitimate interest (to promote WINZON’s own services, to develop WINZON’s business and enhance relationship with the player by targeted offers) OR Player’s consent.
	Loyalty program purposes to (i) offering bonuses and other gifts which would be of interest to the player, based on previous bonuses or gifts the player may have benefited from, and (ii) contacting the player on his/her preferred contact channels.	Legitimate interest (to promote WINZON’s own services, improve player’s experience with WINZON’s services and for offer the player tailored loyalty programme).
Marketing communication data – includes your preferences in receiving marketing from us (opt in/ opt out), as well as your Contact data and Registration data	Direct marketing of WINZON’s own services – including bonuses and offers.	Legitimate interest (to promote WINZON’s own services, to develop WINZON’s business and enhance relationship with the player) OR Player’s consent.
	Direct marketing of WINZON’s own services – loyalty programme.	Legitimate interest (to promote WINZON’s own services, to develop WINZON’s business and enhance relationship with the player by targeted offers) OR Player’s consent.
Analytics data – include various data generated with respect to your use of our websites and our services such as your player ID, language, location, browser data, campaigns used, channels used, device, payment provider, Transaction & Usage data, and in case of online acquisition analytics also pages visited, postcards clicked, scroll depth. Certain information is collected using cookies and/or similar tracking technology (please see further section “Cookies”)	Commercial business analysis for the creation of standard, periodical as well as ad hoc reports.	Legitimate interest (to develop WINZON’s products/services and grow WINZON’s business).
	Web analytics.	Legitimate interest (to develop WINZON’s products/services and grow WINZON’s business).
Other Communication data – generated as part of communications with us (via recorded calls, chats, emails or SMS, etc.), which may include various data such as network communication data, content of the communication including your intentions, interests, complaints, preferences, as well as internal communication and notes	To manage WINZON’s relationship with the player, to communicate with the player, to provide the player with access to WINZON’s services and any ancillary services	Contractual necessity OR Compliance with a legal obligation.
	To establish and investigate any suspicious behaviour in order to protect WINZON’s business from any risk and fraud.	Legitimate interest (to detect and prevent fraud).
	Identification and investigation of gaming activity for responsible gaming purposes.	Compliance with a legal obligation.
	Responsible gaming profiling.	Compliance with a legal obligation.

Special categories of Data
We do not collect any special categories of Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). However, from our experience, we may not exclude that you, at your own discretion, send us such data in communication with us.

Please note that although ID documents are processed, images contained therein are not technically processed to allow or confirm a unique identification match. Therefore, such data is not to be considered biometric data (special category of data).
Categories of data recipients/processor & Data transfer
Your data will not be disclosed to third parties unless such disclosure is necessary for the processing of your requests in relation to your participation in the games or bets; or unless it is required by law; or unless we must do so in order to responsibly fulfil anti-fraud and AML obligations to which we are subject.

As WINZON’s business partners or suppliers or service providers may be responsible for certain parts of the overall functioning or operation of the website and the services offering, personal data may be disclosed to them for the above-named purposes on behalf of WINZON. Employees of WINZON, in specific Customer Support, the Payment Team and other employees shall also have access to your personal data for the purpose of executing their duties and providing you with assistance and service.

The general categories of recipients of the personal data are provided below:
- game providers for the purpose of provision of games and risk management purposes,
- PSPs/banks to perform payment transactions (deposit and withdrawals),
- marketing suppliers and marketing partners, including but not limited, affiliates, to perform certain marketing activities on behalf of WINZON,
- marketing consultants to provide marketing advice to WINZON,
- service providers that technically enable communication with you (via email, chat, SMS, phone),
- technical suppliers to support functioning of the website and our technical systems (both front and back end),
- technical administrators of the database to maintain the functioning of the database,
- AML providers providing and/or processing certain data for the purposes of compliance with our AML obligations,
- services providers regarding or organization and booking emails, trips and/or delivery of presents and gifts with respect to our loyalty program (if any),
- cloud services providers for provision of cloud-based services such as storage or hosting certain software,
- service providers for the purpose of data analytics and/or business intelligence,
- credit rating agencies, fraud detection agencies, AML agencies for fraud detection and control purposes, in the processing of your gaming account and associated transactions,
- companies within WINZON group to provide certain services/support with functions of Winzon,
- professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services,
- prospective and existing partners and/or investors (incl. financers) in the context of the personal data as a value/asset of the company,
- potential successor entity during negotiations or successor entity in the event of a business transition, such as a merger, corporate reorganization or acquisition of all or a portion of our business to another company, and the company financing (or potentially financing) WINZON and/or its group companies.

We may disclose your personal data with the-above named categories of recipients pursuant to a written contract between us and each respective recipient.

In order to provide you with an efficient service, we and/or our service providers may transfer your personal data from one country to another worldwide.
- If we transfer data outside/inside the EEA/EU, we will comply with the transfer protocols required by EU law. Your personal data will only be transferred outside of the EEA/EU or any other non-EEA/EU country which has been deemed by the European Commission to offer an adequate level of protection (also referred to as “white-listed countries”) in the following circumstances: when you have expressly consented us to do so; when it is necessary to constitute or execute a contract entered between you and WINZON; or to be compliant and in line with any and all legal obligations or duties.
- In the event that personal data is transferred outside of the EEA/EU, we will ensure that all appropriate safeguards and measures are put in place as required, including by incorporating specific contracts approved by the European Commission.
1. Processing by group companies/other brands
  When applicable, your personal data, for the purpose of compliance with legal obligations, and/or our license conditions, and/or for the establishment, exercise, or defense of legal claims, is shared also with other companies within the same group. Likewise, for the same purposes, WINZON shares your data with other brands and respective brand owners (if any, which are operated under WINZON’s license.
2. Processing by PSPs and banks
  WINZON uses several PSPs and banks. Your data might be stored both in the WINZON systems and in the systems of the PSPs and banks. With regard to the data processed, each party acts as an independent responsible body within the meaning of Art. 4 No. 7 GDPR. If you have any questions about data protection at the PSPs and the bank, you can contact the PSPs and the bank directly. The processing of data in connection with payments is based on Art. 6 b), f) GDPR. We also recommend that you inform yourself about the data protection regulations of the respective PSPs and/or the bank.
3. Processing by verification service providers, PEP and Sanctions Lists checks, fraud prevention
  Insofar as we are legally obliged or otherwise entitled to check and verify your identity, including age, place of birth, place of residence, nationality and other data, we reserve the right to check and verify these data with the help of the following companies – verification service providers - in order to safeguard our legitimate interests. In addition, we may use these companies to carry out the necessary verification of the payment account and payment method, including the origin of assets and financial resources.
  - SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Köln, Germany. Please note that we check your identity and payment account, as well as carry out a credit check with the help of SCHUFA; further information on SCHUFA’s activities can be found on the Internet at https://www.schufa.de/;
  - SUM AND SUBSTANCE LTD, 30 St. Mary Axe, London, England, EC3A 8BF, UK. SUM & SUB offers identification services. Further information on SUM & SUB’s activities can be found on the Internet at https://sumsub.com/.
  
  For this purpose, we will transmit the data you have entered to the companies named above. The companies then carry out a corresponding review and verification. The information received in this way is the basis of our decision on the establishment, implementation or termination of the contractual relationship. In addition, it is in WINZON’s legitimate interest to further process the data received from these providers for investigative purposes, to prevent fraud and to fulfil inquiries from or submissions to regulatory authorities.
  
  Insofar as we are legally obliged or otherwise entitled to check if you are a PEP and you are not included in the Sanctions Lists, we reserve the right to check your data provided by you to us with the help of the following company in order to safeguard our legitimate interests.
  - Global Data Consortium, Inc., 19 W. Hargett St, 6th Floor, Suite 602, Raleigh, NC 27601, USA. GDC offers PEP database and Sanctions Lists check. Further information on GDC’s activities can be found on the Internet at https://www.globaldataconsortium.com/.
  - dilisense GmbH, Weinbergstrasse 131, 8006 Zurich, Switzerland. GDC offers PEP database and Sanctions Lists check. Further information on GDC’s activities can be found on the Internet at https://dilisense.com.
  
  The information received in this way is the basis of our decision on the establishment, implementation or termination of the contractual relationship. In addition, it is in WINZON’s legitimate interest to further process the data received from these providers for investigative purposes, to prevent fraud and to fulfil inquiries from or submissions to regulatory authorities.
  
  In order to process the above-named personal data via the above-named verification service providers and/or service providers, which provide PEP and/or Sanctions Lists checks, we reserve the right to grant access to your data provided by you to us with the help of the following gateway service provider in order to safeguard our legitimate interests.
  - DEVCODE IDENTITY AB, Sveavägen 49, 113 59 Stockholm, Sweden. DEVCODE IDENTITY AB is used mainly for the purpose of recording, organisation, structuring and disclosure by transmission to the above-named verification service providers and/or service providers, which provide PEP and/or Sanctions Lists checks. Further information on DEVCODE IDENTITY AB’s activities can be found on the Internet at https://www.devcodeidentity.com/.
  
  We also reserve the right to carry out security checks at any time to confirm the accuracy of your identity, age, login and other details, and to check whether your use of our services and your financial transactions may violate our Terms of Use and applicable laws. Security checks may include information about possible fraudulent activities or other confirmations of your information using third-party databases. If we have a legitimate interest within the meaning of Art 6 f) GDPR, we may use the data collected about you and pass it on to third parties, if this is necessary for us to carry out security checks or if we consider this to be necessary in order to check the information you have provided when using our services. If necessary, this can include the transfer of this information abroad, including to countries outside the EU/EEA.
  
  For example, if you are suspected to have breached our Terms of Use or any applicable laws (for example when we suspect that a crime may have been committed), or for the purpose of preventing, detecting or suppressing fraud or other criminal activity, we have a right to:
  - forward your data to the government authorities,
  - share any your data to the relevant gambling regulator(s) and other relevant bodies such as, sports integrity agencies or related associations where this is permitted by law,
  - share your data with relevant law enforcement and/or crime investigation bodies or organisations and assist the same with any type of investigation into your actions,
  - respond to any court subpoena or order or similar official request for personal data.
  
  Moreover, we may collect your background information by using so-called OSINT analyses (Open-Source Intelligence) collected from publicly available sources (e.g., Google search, all social media services like Facebook, Twitter, Pinterest, Instagram, LinkedIn, as well as other services/sites).
  
  Inquiries to verification service providers and PEP status and Sanctions Lists check service providers and other third parties involved by us as part of the above-named checks may be saved by these service providers. The respective service provider is the (separate) responsible body for this storage within the meaning of Art. 4 No. 7 GDPR. If you have any questions about data protection at the above-named service providers, you can contact the above-named service providers directly.
4. Processing by national self-exclusion registers
  If a player is registered with a national self-exclusion register (incl. without limitation OASIS, GAMSTOP, etc.) certain Self-Exclusion data is also received from such register. In particular, information on whether you are/are not self-excluded. This information is received once you login. Registration with such a register means that you cannot register with us, and you will not be able to log on to your gaming account. You will also not be sent any commercial messages directed to you personally.
  
  Where national laws establishing self-exclusion registers require the communication, disclosure, or update of self-exclusion data, we will have an obligation to promptly communicate to the authority responsible for such register, any data and information as stipulated under the applicable legal framework, such as, information relating to players who have decided to make use of self-exclusion tools, as well as players who have opted for the subsequent reactivation of the gaming account.
  
  The processing of data in connection with the above-named checks is done on the basis of Art. 6 c), f) GDPR.
5. Processing by OASIS and LUGAS (applicable to German players)
  Insofar as we are legally obliged or otherwise entitled to check if you are not currently self-excluded (self-barred) from gaming in Germany (OASIS) and to ensure that the deposit limit stated by the respective Germany gaming laws is complied with and that you do not log in with more than one operator at a time (LUGAS), we reserve the right to process the data requested by these systems in Germany.
  
  For this purpose, we will transmit the data you have entered to the systems named above. The systems then carry out a corresponding review and verification. The information received in this way is the basis of our decision on the establishment, implementation or termination of the contractual relationship. In addition, it is in WINZON’s legitimate interest to further process the data received from these systems for investigative purposes, to prevent fraud and to fulfil inquiries from or submissions to regulatory authorities.
6. Processing by other third parties
  For the sake of completeness, hereby we expand the description of some of the categories of recipients of the personal data provided in Section 6 above, which are:
  - To simplify the sign-up procedure a separate process, such as i) bank ID or similar, ii) Facebook connect, iii) Google sign-In, iv) Apple Pay, v) Trustly or vi) a similar Pay & Play option, may be used as a source for identification and verification. If such a process is used, once the authorization of access and the necessary information is provided by you upon sign-up, personal data (Registration data and Contact data) will be automatically fed to the player profile from the third-party source to facilitate your registration. Such data is used as further specified in this Privacy Policy.
  - In order centrally capture, store, and enable real-time search and log analysis from any component in the IT infrastructure and applications of our company, we use Graylog, Inc services. Further information on Graylog, Inc activities can be found on the Internet at https://www.graylog.org/privacy-policy/.
  - We may share your data as well as with third parties, including but not limited to any companies belonging to the same group of companies as WINZON or affiliated to WINZON, or potential or existing purchasers or investors of our company or any company within WINZON’s group or affiliated to WINZON, to whom we may choose to assign, transfer, sell, or merge parts of our operations, business, our assets, or as a result of restructuring. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.
External links
If links of third parties are available, please be aware that when the link is clicked on, we no longer have influence on which data is collected and used by this provider. You can find more detailed information concerning the collection and usage of data in the privacy policy of the respective provider. As WINZON has no control over the collection and usage of data in this regard, WINZON cannot take any responsibility for this.
Retention period for the data
Any and all personal data we will keep will be protected in the best way possible and will only be used for purposes which are compatible with the applicable data protection laws, as well as any other applicable laws.

WINZON will retain your personal data only for as long as is necessary (taking into consideration the purpose for which it was originally obtained). The criteria we use to determine what is ‘necessary’ depends on the particular personal data in question and the specific relationship we have with you (including its duration). Generally, our normal practice is to determine whether there is/are any specific EU and/or Maltese and/or Germany law(s) (for example, tax or AML or gaming related laws) permitting or even obliging us to keep certain personal data for a certain period of time (in which case we will keep the personal data for the maximum period indicated by any such law). For example, any data that can be deemed to be ‘accounting records’ must be kept for 10 years, any data that can be deemed to be ‘AML records’ must be kept for 5 years commencing on the date, when the business relationship between you and us ends, player interaction records and where an interaction has been ruled out, the reasons for this (without prejudice to any requirements under the AML legislation) must be kept for at least 2 years from the date of the last interaction.

Where your data is no longer required by us, we will either securely delete or anonymize the personal data in question. Whenever is it not possible or feasible for us to make use of anonymous and/or anonymized data (in a manner that does not identify any users of the website or customers of our services), we are nevertheless committed to protecting your privacy and the security of your personal data at all times.

In the processing of your gaming account and associated transactions, we may have recourse to credit rating agencies, fraud detection agencies, anti-money laundering agencies. These agencies may keep a record of your data. You hereby consent to such disclosures and to the keeping of such records by third parties.
Cookie policy
In order to make your visit to the websites more user-friendly, to keep track of visits to the website and to improve the service, we collect a small piece of information sent from your browser, called a ‘cookie’. However, these tools do not provide us with any personal data of the users. Instead, we only receive statistical data about the use of services offered by WINZON. This enables us to learn, for example, what content is particularly popular, at which times the services are used very intensively, from which cities and parts of the world the users use these services, and which browsers and operating systems users generally use to access the services. We use this information to constantly improve the technical, creative, and editorial aspects of these services, and to make these services more convenient for the users. We can optimize the web design on the basis of statistical information concerning browser types and operating systems. The tools used for web analytics concern the following services.

We hereby state that WINZON’s websites and apps use Google Analytics, a web analysis service of Google Inc. ("Google"). Google Analytics uses "cookies", which are files stored on the user’s device and allow for analysis of the user’s webpage usage. The information generated by the cookie about the user’s use of this website (including their IP address) is transmitted to a Google server in the USA and stored there.

If an IP anonymization service is activated on this website, Google will shorten the user’s IP address within member states of the European Union or other states within the European Economic Area. Only in rare cases will an entire IP address be sent to a Google server in the USA and shortened there. IP anonymization is active on this website. Google uses the information collected by Google Analytics to assess the user’s usage of the website, to compile reports about the website’s activity, and to provide other services connected with the website and internet usage to the website operator.

Google does not, under any circumstances, link any of its other data with the user’s IP address. The customer can prevent the storing of cookies by using the corresponding settings in their browser. However, it should be noted that the customer may not be able to use all functions of the services offered by WINZON in their entirety if the customer chooses to do this. Furthermore, the user can prevent Google Analytics from collecting data in the future by installing the following browser add-on: http://tools.google.com/dlpage/gaoptout?hl=en.

The user can prevent Google Analytics from collecting data within this website in the future by clicking on this link: Set Google Analytics opt-out cookie. This is an alternative to a browser add-on and can be used for browsers on mobile devices. This opt-out choice only applies for the browser being used and for this domain. When the user clicks on the aforementioned link, an opt-out cookie is placed on their device. If cookies are deleted from the browser, the user has to click on the link again to reset the opt-out cookie.

The user can also prevent their data from being collected via Google Analytics in the future in the apps which WINZON offers by deactivating "Google Analytics" in the settings of the relevant app.

By using the services offered by WINZON, the user agrees to their data being processed by Google as described above and for the purpose stated above.

Demographic data and interests are also collected via Google Analytics. This feature enables us to view anonymous and extensive data regarding the gender, age, and interests of visitors to the website. The data is collected through first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie).

If there is a malfunction on the website or in the apps, technical information will be sent to us so that the cause of the problem can be investigated. Personal data may also be sent to us for the same reason. We use this information to constantly improve the technical aspects of our services and to make these services more convenient for our users.

For more information, please refer to our Cookie Policy.
Your rights
WINZON undertakes to assist you in the best way possible should you choose to exercise any of your rights with respect to your personal data. In certain cases, we might need to verify your identity prior to acceding to your request to exercise any relevant right.
1. Right of Access
2. Right to Rectification
3. Right of Erasure (the “right to be forgotten”)
4. Right to Restriction of Processing
5. Right to Data Portability
6. Right to Object to Processing
7. Lodge a complaint to a supervisory authority
What we may need from you
When exercising your rights by contacting us, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We will only use personal information provided in your request to verify your identity or authority to make the request. To the extent possible, we will avoid requesting additional information from you for the purposes of verification. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes. We will delete such additionally provided information as soon as we finish verifying you.

You are entitled to designate an authorized agent to make a request under the GDPR on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with the GDPR.
Different brands
WINZON is operating its gaming business also under other brands and trademarks. For the purpose of the exercise of your rights as provided in this Privacy Policy, and for the purpose of clarity and legibility of our reply, we will initially comply with the requests with respect to data processed under the brand from where the request is originating. Should you wish your requests to be complied with respect to all of the brands with respect to which WINZON operates its business, please make sure to flag this in your request.
Time limit to respond
We try to respond to all legitimate requests within one month (unless a shorter period is required by law). Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.