Privacy Policy

This is version 2.3 of the Winzon Group LTD Privacy Policy, last updated on 12th October 2022

  1. Abbreviations & Definitions
  2. Controller
  3. Data collected, Purposes & Legal basis for processing
  4. Categories of data recipients & Data transfer
  5. Retention period for the data
  6. Cookie policy
  7. Your rights
    1. Right of Access
    2. Right to Rectification
    3. Right of Erasure (the “right to be forgotten”)
    4. Right to Restriction of Processing
    5. Right to Data Portability
    6. Right to Object to Processing
    7. Lodge a complaint to a supervisory authority
  1. Abbreviations & Definitions

    AML

    Anti-money laundering and countering the financing of terrorism as defined in the 5th AML directive and the FATF Recommendations.

    DPO

    Data Protection Officer.

    EEA

    European Economic Area.

    EU

    European Union.

    GDPR

    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ( General Data Protection Regulation).

    PEP

    Politically exposed person. Such status is also applicable to family members or persons known to be close associates of politically exposed persons.

    Player

    End-customer, who participates or takes preparatory steps to use Services provided by WINZON. References in this policy to you or your are references to player.

    Services

    As appropriate, the services offered for the time being by WINZON through the website and/or via any mobile or tablet application.

    Website

    https://winzon.com and/or any other website owned or operated by WINZON.

    WINZON

    Winzon Group Ltd., reg.no. C89900 with the registered office at MK Business Centre 115A, Floor 2, Valley Road, Birkirkara BKR 9022, Malta. References in this policy to us, our, we or company are references to WINZON.

    Other abbreviations & definitions (for example, personal data, controller, processor, data subject, recipient, third party, consent, processing, etc.) used in this policy have the same meaning as they are defined in the GDPR.

    WINZON is the GDPR subject - in the context of this policy WINZON may be referred to also as the controller.

    WINZON processes personal data of the players as data subjects – in the context of this policy the data subject and the player have the same meaning, and by a term data – it is assumed the personal data of the players, which are processed by WINZON.

  2. Controller

    WINZON is the controller of the players personal data, and the player can contact WINZON and the DPO at compliance@winzon.com or by mail at:

    Winzon Group LTD MK Business Centre 115A, Floor 2, Valley road, Birkirkara BKR 9022, Malta

  3. Data collected, Purposes & Legal basis for processing

    You hereby acknowledge and accept that it is necessary for us to collect and otherwise use your personal data in order to allow you access and use of the website and in order to allow you to participate in games or bets.

    We hereby acknowledge that in collecting your personal data as stated in the previous provision, we are bound by the GDPR and Data Protection Act (CAP 586) of Malta. We will protect your personal data and respect your privacy in accordance with best business practices and applicable laws.

    We will use your personal data to allow you to participate in the games and bets and to carry out operations relevant to your participation in the games or bets. We may also use your personal data to inform you of changes, new services and promotions that we think you may find interesting. If you do not wish to receive such direct marketing data, you may opt out of such service - please log in to your WINZON account and edit profile in order to opt out. If you wish to opt-in again and receive any kind of marketing material, you can do so by logging in in to you WINZON account and edit profile or by contacting Customer Support.

    We may contact you periodically by email, telephone or other forms of mobile-based communication with offers and promotions from other WINZON related companies, which are operated by and under the licenses of WINZON. You hereby consent to such contact. Calls may be recorded and used for training purposes. Such calls and electronic communications are stored for 1 year and then deleted from the system.

    The following table outlines the categories of personal data which we process, the purpose for which we process such data, as well as the corresponding legal basis used for such processing. It is pertinent to know that the same categories of personal data may be processed for different purposes and therefore on the basis of a various legal grounds simultaneously depending on the purpose of processing

    Data processed

    Processing purpose

    Legal basis for the processing

    Identity & Age verification data - name, surname, maiden name, address, date of birth, place of birth, identity card/passport data (incl. copy of the ID card/passport)

    Age, identity and contact details verification.

    Compliance with a legal obligation.

    To establish and investigate any suspicious behavior in order to protect our business from any risk and fraud.

    Legitimate interest (detection and prevention of fraud).

    To execute and manage payment transactions.

    Contractual necessity.

    Contact data - name, surname, maiden name, phone number, email address, mailing address, incl. proof of address (incl. copy of utility bill, bank reference letter, etc.)

    To fulfill WINZON’s obligations on reporting to regulators/ law enforcement authorities.

    Compliance with a legal obligation.

    To establish and investigate any suspicious behavior in order to protect WINZON’s business from any risk and fraud

    Legitimate interest (detection and prevention of fraud).

    Monitoring and evaluation of transactions and bets, control and comparison of such information for accuracy and verification with third parties.

    Legitimate interest (ensuring the accuracy and legal nature of the information provided).

    To set up an account on WINZON’s system and register a player as a new user.

    Contractual necessity.

    To manage WINZON’s and player’s ongoing relationship and provide a player with customer care services.

    Contractual necessity.

    To perform statistical analysis in order to improve and upgrade WINZON’s current services/games and develop updated or new games.

    Legitimate interest (service reports & business development.

    To allow a player to take part in any potential loyalty scheme on Website.

    Legitimate interest (loyalty program purposes).

    To subscribe to a newsletter, campaigns and/or to be added to a mailing list.

    Player’s consent.

    Monitoring and evaluation of a player’s gambling behavior/habits and activities for personalized offers, bonuses and user interface.

    Player’s consent.

    To present a player offers, promotions and new services/games.

    Player’s consent.

    To participate in any online survey or poll.

    Player’s consent.

    Registration data - username, password, date of birth, place of birth, country of residence, gender

    AML and Due Diligence purposes. Conduct KYC investigations (e.g., verifying identity, age, address and if You are a politically exposed person) and other investigations during the customer relationship.

    Compliance with a legal obligation.

    To fulfill Our obligations on reporting to regulators / law enforcement authorities.

    Player’s consent.

    To establish and investigate any suspicious behavior in order to protect our business from any risk and fraud.

    Legitimate interest (detection and prevention of fraud).

    To enforce our terms and conditions.

    Legitimate interest (ensuring WINZON maintains an accurate record on WINZON’s system).

    Monitoring and evaluation of transactions and bets, control and comparison of such information for accuracy and verification with third parties.

    Legitimate interest (ensuring the accuracy and legal nature of the information provided).

    To Perform statistical analysis in order to improve and upgrade WINZON’s current services/games and develop updated or new games.

    Legitimate interest (service reports & business development).

    To allow You to take part in any potential loyalty scheme on Our site.

    Legitimate interest (loyalty program purposes)

    To subscribe to a newsletter, campaigns and/or to be added to a mailing list.

    Player’s consent.

    Monitoring and evaluation of Your gambling behavior/habits and activities for personalized offers, bonuses and user interface.

    Player’s consent.

    To present You Offers, Promotions and new Services/Games.

    Player’s consent.

    To participate in any online survey or poll.

    Player’s consent.

    Financial data - bank/payment service provider details, credit card details(last 4 digits of the credit card), account number, bank transfer information(data requested and processed differs country by country and PSP by PSP), transaction information(transaction history, transaction attempt history), source of funds/wealth(copy of bank notice, bank account statement, etc.), tax identification number.

    To verify that transaction is not fraudulent and make relevant cross-checking to avoid chargebacks.

    Compliance with a legal obligation.

    AML and Due Diligence purposes. Conduct KYC investigations (e.g., verifying identity, age, address and if a player is/is not a politically exposed person) and other investigations during the customer relationship.

    Compliance with a legal obligation.

    To fulfill WINZON’s obligations on reporting to regulators/ law enforcement authorities.

    Compliance with a legal obligation.

    To establish and investigate any suspicious behavior in order to protect WINZON’s business from any risk and fraud.

    Legitimate interest (detection and prevention of fraud).

    Monitoring and evaluation of transactions and bets, control and comparison of such information for accuracy and verification with third parties.

    Legitimate Interest (ensuring the accuracy and legal nature of the information provided).

    To perform statistical analysis in order to improve and upgrade WINZON’s current services/games and develop updated or new games.

    Legitimate Interest (service reports & business development).

    To allow You to take part in any potential loyalty scheme on Our site.

    Legitimate interest (loyalty program purposes).

    To execute and manage payment transactions.

    Contractual necessity.

    Responsible gaming data - name, surname, maiden name, mailing address, phone number, email address, date of birth, place of birth, country of residence, transaction information (transaction history, transaction attempt history), self-exclusion status.

    To adhere to WINZON’s Responsible Gaming and/or Self-exclusion obligations.

    Compliance with a legal obligation.

    Data required for marketing purposes – name, surname, mailing address, phone number, email address, proof of opt-in consent (where required), proof of objections to marketing, website data and online identifiers (such as IP address, and other information generated by the player’s browser

    To provide You with marketing material that You have requested from us or that we are otherwise authorized to send You.

    Player’s consent (where required) OR Legitimate interest (for marketing purposes, where WINZON does not require Player’s consent & to improve WINZON’s services).

    To personalize Your customer experience.

    Player’s consent (where required) OR Legitimate interest (for marketing purposes, where WINZON does not require Player’s consent & to improve WINZON’s services).

    Online activity data - traffic data, geo-location data, weblogs and communication data

    To detect and prevent fraud.

    Legitimate interest (detect and prevent fraud).

    To fulfill WINZON’s obligations on reporting to regulators / law enforcement authorities.

    Compliance with a legal obligation.

    AML and Due Diligence purposes. Conduct KYC investigations (e.g., verifying identity, age, address and if You are a politically exposed person) and other investigations during the customer relationship.

    Compliance with a legal obligation.

    To ensure that Our services are only provided to territories We are licensed to operate in.

    Compliance with a legal obligation.
  4. Categories of data recipients & Data transfer

    Your personal data will not be disclosed to third parties unless such disclosure is necessary for the processing of your requests in relation to your participation in the games or bets; or unless it is required by law; or unless we must do so in order to responsibly fulfil anti-fraud and anti-money laundering obligations to which we are subject.

    As WINZON’s business partners or suppliers or service providers may be responsible for certain parts of the overall functioning or operation of the website and product offering, personal data may be disclosed to them. Employees of WINZON, in specific Customer Support, the Payment Team and other employees shall also have access to your personal data for the purpose of executing their duties and providing you with assistance and service.

    In order to provide you with an efficient service, we and/or our service providers may transfer your personal data from one country to another worldwide. If we transfer data outside/inside the EEA/EU, we will comply with the transfer protocols required by EU law. Your personal data will only be transferred outside of the EEA/EU or any other non-EEA/EU country which has been deemed by the European Commission to offer an adequate level of protection (also referred to as “white-listed countries”) in the following circumstances: when you have expressly consented us to do so; when it is necessary to constitute or execute a contract entered between you and WINZON; or to be compliant and in line with any and all legal obligations or duties. In the event that personal data is transferred outside of the EEA/EU, within the WINZON’s group or to any of the WINZON’s business partners, we ensure to implement all appropriate safeguards to ensure that the same protection is afforded, and the same standards are applied as would be within the EEA/EU. You are entitled to receive a copy of such safeguards by contacting us.

    1. Processing by PSPs

      WINZON uses several PSPs. Your data might be stored both in the WINZON systems and in the systems of the PSPs. With regard to the data processed, each party acts as an independent responsible body within the meaning of Art. 4 No. 7 GDPR. If you have any questions about data protection at the PSPs, you can contact the PSPs directly. The processing of data in connection with payments is based on Art. 6 b), f) GDPR. We also recommend that you inform yourself about the data protection regulations of the respective PSPs.

    2. Processing by verification service providers, PEP and Sanctions Lists checks, fraud prevention

      Insofar as we are legally obliged or otherwise entitled to check and verify your identity, including age, place of birth, place of residence, nationality and other data, we reserve the right to check and verify these data with the help of the following companies – verification service providers - in order to safeguard our legitimate interests. In addition, we may use these companies to carry out the necessary verification of the bank account and payment method, including the origin of assets and financial resources.
      - SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Köln, Germany. Please note that we check your identity and payment account, as well as carry out a credit check with the help of SCHUFA; further information on SCHUFA’s activities can be found on the Internet at https://www.schufa.de/;
      - SUM AND SUBSTANCE LTD, 30 St. Mary Axe, London, England, EC3A 8BF, UK. SUM & SUB offers identification services. Further information on SUM & SUB’s activities can be found on the Internet at https://sumsub.com/.

      For this purpose, we will transmit the data you have entered to the companies named above. The companies then carry out a corresponding review and verification. The information received in this way is the basis of our decision on the establishment, implementation or termination of the contractual relationship. In addition, it is in WINZON’s legitimate interest to further process the data received from these providers for investigative purposes, to prevent fraud and to fulfil inquiries from or submissions to regulatory authorities.

      Insofar as we are legally obliged or otherwise entitled to check if you are a PEP and you are not included in the Sanctions Lists, we reserve the right to check your data provided by you to us with the help of the following company in order to safeguard our legitimate interests.
      - Global Data Consortium, Inc., 19 W. Hargett St, 6th Floor, Suite 602, Raleigh, NC 27601, USA. GDC offers PEP database and Sanctions Lists check. Further information on GDC’s activities can be found on the Internet at https://www.globaldataconsortium.com/.

      The information received in this way is the basis of our decision on the establishment, implementation or termination of the contractual relationship. In addition, it is in WINZON’s legitimate interest to further process the data received from these providers for investigative purposes, to prevent fraud and to fulfil inquiries from or submissions to regulatory authorities.

      In order to process the above-named personal data via the above-named verification service providers and/or service providers, which provide PEP and/or Sanctions Lists checks, we reserve the right to grant access to your data provided by you to us with the help of the following gateway service provider in order to safeguard our legitimate interests.
      - DEVCODE IDENTITY AB, Sveavägen 49, 113 59 Stockholm, Sweden. DEVCODE IDENTITY AB is used mainly for the purpose of recording, organisation, structuring and disclosure by transmission to the above-named verification service providers and/or service providers, which provide PEP and/or Sanctions Lists checks. Further information on DEVCODE IDENTITY AB’s activities can be found on the Internet at https://www.devcodeidentity.com/.

      We also reserve the right to carry out security checks at any time to confirm the accuracy of your identity, age, login and other details, and to check whether your use of our services and your financial transactions may violate our Terms of Use and applicable laws. Security checks may include information about possible fraudulent activities or other confirmations of your information using third-party databases. If we have a legitimate interest within the meaning of Art 6 f) GDPR, we may use the data collected about you and pass it on to third parties, if this is necessary for us to carry out security checks or if we consider this to be necessary in order to check the information you have provided when using our services. If necessary, this can include the transfer of this information abroad, including to countries outside the EU/EEA.

      Inquiries to verification service providers and PEP status and Sanctions Lists check service providers and other third parties involved by us as part of the above-named checks may be saved by these service providers. The respective service provider is the (separate) responsible body for this storage within the meaning of Art. 4 No. 7 GDPR. If you have any questions about data protection at the above-named service providers, you can contact the above-named service providers directly.

      The processing of data in connection with the above-named checks is done on the basis of Art. 6 c), f) GDPR.

    3. Processing by OASIS and LUGAS (applicable to German players)

      Insofar as we are legally obliged or otherwise entitled to check if you are not currently self-excluded (self-barred) from gaming in Germany (OASIS) and to ensure that the deposit limit stated by the respective Germany gaming laws is complied with and that you do not log in with more than one operator at a time (LUGAS), we reserve the right to process the data requested by these systems in Germany.

      For this purpose, we will transmit the data you have entered to the systems named above. The systems then carry out a corresponding review and verification. The information received in this way is the basis of our decision on the establishment, implementation or termination of the contractual relationship. In addition, it is in WINZON’s legitimate interest to further process the data received from these systems for investigative purposes, to prevent fraud and to fulfil inquiries from or submissions to regulatory authorities.

  5. Retention period for the data

    Any and all personal data we will keep will be protected in the best way possible and will only be used for purposes which are compatible with the applicable data protection laws, as well as any other applicable laws.

    WINZON will retain your personal data only for as long as is necessary (taking into consideration the purpose for which it was originally obtained). The criteria we use to determine what is ‘necessary’ depends on the particular personal data in question and the specific relationship we have with you (including its duration). Generally, our normal practice is to determine whether there is/are any specific EU and/or Maltese and/or Germany law(s) (for example, tax or AML or gaming related laws) permitting or even obliging us to keep certain personal data for a certain period of time (in which case we will keep the personal data for the maximum period indicated by any such law). For example, any data that can be deemed to be ‘accounting records’ must be kept for 10 years, any data that can be deemed to be ‘AML records’ must be kept for 5 years commencing on the date, when the business relationship between you and us ends, player interaction records and where an interaction has been ruled out, the reasons for this (without prejudice to any requirements under the AML legislation) must be kept for at least 2 years from the date of the last interaction.

    In the processing of your betting account and associated transactions, we may have recourse to credit rating agencies, fraud detection agencies, anti-money laundering agencies. These agencies may keep a record of your data. You hereby consent to such disclosures and to the keeping of such records by third parties.

  6. Cookie policy

    In order to make your visit to the websites more user-friendly, to keep track of visits to the website and to improve the service, we collect a small piece of information sent from your browser, called a ‘cookie’. You can, if you wish, turn off the collection of cookies (please refer to your browser instructions as to how to do this). You must note, however, that turning off cookies may restrict your use of the website. For more information, please refer to our Cookie Policy.

  7. Your rights

    WINZON undertakes to assist you in the best way possible should you choose to exercise any of your rights with respect to your personal data. In certain cases, we might need to verify your identity prior to acceding to your request to exercise any relevant right.

    1. Right of Access

      2. You have a right to ask us whether we are processing any personal data which concerns you and if this is the case, you shall have the right to access that personal data as well as the following information:

      • What personal data we have,
      • Why we process them,
      • Who we disclose them to,
      • How long we intend on keeping them for (where possible),
      • Whether we transfer them abroad and the safeguards we take to protect them,
      • What your rights are,
      • How you can make a complaint,
      • Where we got your personal data from and
      • Whether we have carried out any automated decision-making (including profiling), as well as related information.
    2. Right to Rectification

      3. You have a right to ask us to have any inaccurate or incomplete personal data relating to you rectified and/or completed.

    3. Right of Erasure (the “right to be forgotten”)

      4. You have the right to ask us to delete your personal data and we shall comply without undue delay but only where:

      • The personal data are no longer necessary for the purposes for which they were collected; or
      • You have withdrawn your consent (in those instances where we process on the basis of your consent) and we have no other legal ground to process your personal data; or
      • You shall have successfully exercised your right to object (as explained below); or
      • Your personal data shall have been processed unlawfully; or
      • There exists a legal obligation to which we are subject; or
      • Special circumstances exist in connection with certain children’s rights.

      In any case, we shall not be legally bound to comply with your erasure request if the processing of your personal data is necessary to comply with a legal obligation imposed on us.

    4. Right to Restriction of Processing

      5. You have the right to ask us to restrict the processing of your personal data. However, you are only able to exercise this right where:

      • The accuracy of your personal data is contested (see the right to data rectification above), for a period enabling us to verify the accuracy of the personal data; or
      • The processing is unlawful, and you oppose the erasure of your personal data; or
      • We no longer need the personal data for the purposes for which they were collected, but you need the personal data for the establishment, exercise or defence of legal claims; or
      • You exercised your right to object and verification of our legitimate grounds to override your objection is pending.

      Should you successfully exercise this right, we would only be in a position to process your personal data:

      • Where we have your consent; or
      • For the establishment, exercise or defence of legal claims; or
      • For the protection of the rights of another natural or legal person; or
      • For reasons of important public interest.
    5. Right to Data Portability

      6. You have the right to ask us to provide you with your personal data, which you would have previously provided to us. We will provide you such data in a structured, commonly used, machine readable format, or (where technically feasible) we may have the data sent directly to another data controller, provided this does not adversely affect the rights and freedoms of others.

      You may only exercise this right where:

      • The processing is based on your consent or on the performance of a contract with you; and
      • The processing is carried out by automated means.
    6. Right to Object to Processing

      7. In certain instances, you have the right to object to the processing of your personal data. Where we are only processing your personal data on the basis of one of the following purposes:

      • The processing is necessary for the performance of a task carried out in the public interest; or
      • When processing is necessary for the purposes of the legitimate interests pursued by us or by a third party.

      the processing shall only cease where the data controller has not provided compelling and legitimate grounds which outweigh the objections raised by you in such a request and which require the processing to continue.

      Where your data is being processed for direct marketing purposes, you have the right to object to the processing of your personal data at any time.

      In all other instances apart from those listed above, this general right to object shall not subsist

    7. Lodge a complaint to a supervisory authority

      8. In accordance with Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU country of your habitual residence, place of work or place of an alleged infringement. You can find a list of data protection authorities in each respective EU state here: https://edpb.europa.eu/about-edpb/board/members_en.