PRIVACY POLICY

Download

Last updated: August 14, 2025

INTRODUCTION AND SCOPE

This Privacy Policy explains how Carletta N.V. collects, handles, keeps, shares, and protects Personal Data in connection with the sports betting website and the related online services made available through it.

Carletta N.V. is incorporated in Curaçao under company registration number 142346 and has its registered office at Dr. Henri Fergusonweg 1, Curaçao. The Company operates under Curaçao online gaming licence number OGL/2024/580/0570, issued by the Curaçao Gaming Authority under the National Ordinance on Games of Chance.

This Policy applies when you use or interact with:

the Website and any betting account features available through it;
email communications sent to or from [email protected];
telephone support, live chat, helpdesk tickets, or other customer-service channels operated for the Services.

For the Personal Data covered by this Policy, the Company acts as the data controller. This means that we determine why and how Personal Data is processed, subject to applicable privacy, betting, anti-money laundering, responsible betting, and related regulatory requirements.

DEFINITIONS AND INTERPRETATION

Capitalised terms used in this Policy have the meanings given below. A term used in the singular also covers the plural, and the plural also covers the singular where the context allows.

Account — the individual user profile created to access the Services or selected parts of them, including any account that may require identity, age, or compliance checks.

Company, we, us, our — Carletta N.V., a Curaçao company with registration number 142346 and registered office at Dr. Henri Fergusonweg 1, Curaçao.

Service or Services — the Website, account area, sportsbook functionality, betting-related tools, support channels, and any connected online features provided by the Company.

Website — the sports betting website, together with any subdomains, connected web pages, platform interfaces, or applications operated by or for the Company.

Personal Data — information relating to an identified or identifiable natural person, including information protected under the GDPR and the Curaçao data protection framework.

Processing — any action performed on Personal Data, including collection, storage, use, review, organisation, transmission, disclosure, restriction, deletion, anonymisation, or destruction.

Regulatory Compliance — processing required or justified by laws and regulatory standards applicable to betting operators, including the LOK, KYC, AML/CFT, sanctions, reporting, audit, tax, responsible betting, and similar obligations. Where processing is legally required, it is not based on consent.

WHAT DATA, FOR WHAT PURPOSES, AND ON WHAT GROUNDS, DO WE PROCESS

The table below summarises the main reasons for processing Personal Data, the legal grounds we rely on, and the categories of Personal Data that may be used. Not every category will apply to every user in every situation.

Purpose	Legal Basis	Personal Data Used
Opening and operating an Account; access to the Services	Contract performance and pre-contractual steps under GDPR Article 6(1)(b).	Email address and/or telephone number; hashed password; chosen account currency; account ID; login and access records needed to open, authenticate, and protect the Account.
KYC checks, age confirmation, AML/CFT screening, and LOK compliance	Legal obligation under GDPR Article 6(1)(c), including AML/CFT, LOK, NORUT, and other mandatory compliance rules; legitimate interests under Article 6(1)(f) where platform integrity requires additional checks.	Identity document data such as passport, ID card, or driving licence; proof of address; date of birth; age declarations; selfie, video, or liveness-verification materials; sanctions, PEP, or risk-screening results where applicable.
Deposits, withdrawals, refunds, payment reconciliation, and financial controls	Contract performance under Article 6(1)(b); legal obligations for AML, accounting, and record-keeping under Article 6(1)(c); legitimate interests in fraud reduction under Article 6(1)(f).	Payment method information; payment account references; transaction records; currency; deposit and withdrawal history; payment processor responses; payout channel confirmations.
Security, fraud prevention, account misuse detection, and technical monitoring	Legitimate interests in protecting users, the Website, and the Services under Article 6(1)(f); legal obligations connected with AML/CFT and suspicious-activity handling under Article 6(1)(c).	IP address; device and browser data; technical identifiers; login timestamps; geolocation signals where used for compliance; risk flags; security logs; patterns indicating automated, abusive, or unauthorised activity.
Responsible betting controls, player protection, limits, cooling-off, and self-exclusion	Legal and regulatory obligations under Article 6(1)(c); legitimate interests in user protection, service integrity, and responsible betting under Article 6(1)(f).	Limit settings; cooling-off or self-exclusion status and duration; betting frequency; stake and loss indicators; risk markers; responsible betting communications and interventions.
Customer support, operational notices, and dispute handling	Contract performance for service requests under Article 6(1)(b); legitimate interests in service quality, record accuracy, and dispute resolution under Article 6(1)(f).	Support tickets; chat logs; emails; call notes; account identifiers; transaction or bet references relevant to the enquiry; documents or screenshots voluntarily supplied by the user.
Marketing, promotions, service updates, and preference management where allowed	Consent under Article 6(1)(a) for direct electronic marketing where required; legitimate interests under Article 6(1)(f) for permitted soft opt-in or similar-service communications, always subject to opt-out and responsible betting limitations.	Contact details; push tokens where used; communication preferences; marketing consents and opt-outs; engagement data; non-sensitive eligibility information for offers or betting promotions.
Website operation, analytics, cookies, and product improvement	Legitimate interests in maintaining and improving the Website under Article 6(1)(f); consent under Article 6(1)(a) where required for non-essential cookies or similar technologies.	Cookie IDs; usage logs; session data; browser and device characteristics; traffic sources; page views; interaction statistics; aggregated or pseudonymised analytics data where possible.
Regulatory reporting, audit cooperation, legal claims, and authority requests	Legal obligation under Article 6(1)(c); legitimate interests in establishing, exercising, or defending legal rights under Article 6(1)(f).	Records required for regulator, tax, FIU, law-enforcement, audit, complaint, chargeback, litigation, or compliance purposes, limited to what is relevant and permitted by law.

DATA RETENTION

We do not keep Personal Data for longer than is reasonably needed for the reason it was collected, unless a longer period is required or permitted by law. Retention is assessed by reference to:

the purpose for which the data is processed, including account operation, betting services, payments, support, and security;
statutory record-keeping obligations, including AML, betting regulatory, accounting, tax, audit, and reporting requirements;
the need to investigate misuse, respond to complaints, process chargebacks, cooperate with regulators, or bring, defend, or settle legal claims.

When a retention period ends, Personal Data is deleted, irreversibly anonymised, or placed in restricted archives where it is no longer used for ordinary business activity, unless further retention is legally required.

WHERE DID WE OBTAIN YOUR PERSONAL DATA FROM

Most Personal Data is obtained directly from you or created through your use of the Services. Depending on the feature used and the applicable legal requirements, data may come from the following sources:

Information provided by you: registration details, verification materials, payment instructions, account settings, responsible betting choices, support messages, and documents you upload.
Service activity: account actions, betting records, transaction history, login activity, technical logs, device information, and cookie or analytics data collected in line with this Policy and the Cookie Policy.
Verification, payment, risk, and compliance partners: identity verification providers, payment processors, AML screening tools, fraud-prevention vendors, and other trusted service providers.
Public and lawful sources: information available from legitimate databases, public registers, sanctions or PEP lists, and other lawful sources used only where necessary for verification, compliance, or risk management.
Authorities and competent bodies: information received from regulators, law-enforcement agencies, financial intelligence units, courts, or other public bodies where relevant to legal obligations or lawful requests.

DATA STORAGE AND INTERNATIONAL TRANSFERS

Personal Data may be stored and processed on systems operated by the Company or by carefully selected service providers. Those systems may be located in the European Economic Area, Curaçao, or other jurisdictions that support the operation and regulation of the Services.

Where Personal Data is transferred outside the EEA or another jurisdiction with comparable safeguards, we use transfer mechanisms required by applicable law. These may include:

Adequacy decisions, where the destination country has been recognised as providing an adequate level of data protection.
Standard Contractual Clauses or equivalent contractual safeguards, where no adequacy decision applies.
Additional organisational and technical controls, such as access restrictions, encryption where appropriate, vendor due diligence, and contractual security commitments.

WHO MAY WE SHARE YOUR PERSONAL INFORMATION WITH

We share Personal Data only where this is necessary for the Services, required by law, justified by legitimate operational needs, or otherwise permitted under this Policy. Recipients may include:

Regulators, supervisory bodies, FIUs, tax authorities, courts, law-enforcement agencies, and other competent public authorities when disclosure is required or permitted by law.
KYC, identity-verification, age-verification, sanctions-screening, and AML/CFT service providers that help us meet legal and compliance obligations.
Payment processors, banks, card schemes, e-wallet providers, payout partners, chargeback processors, and other financial institutions involved in deposits, withdrawals, refunds, reconciliation, or fraud control.
Customer-support, email, live-chat, ticketing, notification, and communication tools used to respond to enquiries and deliver service messages.
Fraud-prevention, cybersecurity, hosting, cloud infrastructure, logging, monitoring, and IT-service providers that help protect and operate the Services.
Analytics, testing, and optimisation providers that help us understand Website performance and improve the user experience, using aggregated or pseudonymised data where practical.
Sportsbook technology, odds-feed, sports-data, and betting platform partners where limited technical identifiers or session data are needed to provide betting functionality.
Professional advisers, auditors, insurers, consultants, and legal representatives where needed for compliance, governance, audits, disputes, or legal claims.
Group companies or business successors where permitted by law, for internal administration, restructuring, merger, acquisition, asset transfer, or similar corporate purposes, subject to appropriate safeguards.

WHAT ABOUT COOKIES

The Website may use cookies, pixels, SDKs, local storage, and similar technologies. These technologies help the Website remember information, keep essential functions working, improve performance, protect accounts, and measure how users interact with the Website.

Types of Cookies and Their Purposes

Strictly necessary cookies: required for core Website operations, such as secure login, session management, navigation, fraud prevention, and access to protected account areas.
Functional cookies: used to remember choices such as language, region, display settings, or similar preferences.
Analytical or performance cookies: used to understand traffic, page performance, user journeys, errors, and aggregated interaction patterns so that the Website can be maintained and improved.
Advertising or targeting cookies: used, where permitted, to measure campaigns, manage frequency, and show more relevant betting-related advertising or promotions.

Session vs. Persistent Cookies

Session cookies are deleted when the browser session ends. Persistent cookies remain on the device for a defined period or until you delete them, depending on the cookie settings and applicable law.

First-Party vs. Third-Party Cookies

Some cookies are placed by us directly. Others may be placed by third-party providers acting for us, such as analytics, support, advertising, fraud-prevention, or technical-service providers.

Managing Cookies

You can usually block, delete, or manage cookies through your browser settings. Some non-essential cookies may also be controlled through consent tools made available on the Website. Blocking certain cookies may reduce functionality or prevent parts of the Website from working correctly.

WHAT DO WE DO TO PROTECT MINORS

The Services are not directed to minors. We apply age-control and responsible betting measures designed to prevent underage access and to support compliance with applicable Curaçao regulatory requirements.

Age Restrictions and Affirmation

You may use the Services only if you are at least eighteen (18) years old or have reached the higher legal age required in your jurisdiction. By opening an Account or using the Services, you confirm that you satisfy the applicable age requirement.

Comprehensive Age Verification Mechanisms

We may require documents, database checks, or other verification methods to confirm age and identity. This may include a government-issued identity document and, where appropriate, additional checks such as selfie, video, or liveness verification.

Preventive Measures and Security Reviews

Monitoring account activity and registration information for signals that may indicate underage access.
Suspending or restricting accounts where age or identity cannot be verified to the required standard.
Reviewing registration details, account behaviour, and payment activity when underage use is suspected.
Deleting or restricting Personal Data submitted by a person confirmed to be a minor, except where retention is legally required for investigation, reporting, dispute, or compliance purposes.

Parental Controls and Education

Parents and guardians are encouraged to use device-level and network-level parental controls and to educate minors about avoiding unauthorised access to betting websites and other age-restricted online services.

Commitment to Responsible Betting

Responsible betting is part of our compliance framework. We review our age-control and player-protection procedures and may update them to reflect regulatory expectations, operational experience, and changes in applicable law.

NECESSARY INFORMATION ABOUT YOUR RIGHTS

Your rights

Subject to legal conditions and exceptions, the GDPR may give you the following rights in relation to your Personal Data:

Right of access: to ask whether we process your Personal Data and to receive a copy and related information.
Right to rectification: to ask us to correct Personal Data that is inaccurate or incomplete.
Right to erasure: to request deletion where the relevant legal conditions are met.
Right to restriction: to ask us to limit processing in certain circumstances, such as while a data accuracy dispute is assessed.
Right to data portability: to receive Personal Data you provided to us in a structured, commonly used, machine-readable format, where the right applies.
Right to object: to object to processing based on legitimate interests in circumstances connected with your situation, and to object at any time to direct marketing.

Exercising your rights

To submit a rights request, contact us using one of the following channels:

email: [email protected];
postal address: Dr. Henri Fergusonweg 1, Curaçao.

We may need to verify your identity before acting on a request. Some rights may be limited where processing is necessary for legal obligations, AML/CFT controls, regulatory reporting, responsible betting requirements, security, disputes, or legal claims.

WITHDRAW CONSENT

Where we rely on consent to process Personal Data, you may withdraw that consent at any time. Withdrawal does not affect processing that took place lawfully before the withdrawal.

After receiving a withdrawal request, we will stop the consent-based processing unless another legal basis applies or continued retention is required by law, regulation, audit, dispute, or security obligations. If withdrawing consent affects access to a feature or communication, we will explain the practical consequences where required.

COMPLAINT

If you believe that your Personal Data has been handled unlawfully or that your privacy rights have not been respected, you may lodge a complaint with a competent supervisory authority, including:

the supervisory authority in the EU Member State where you live, work, or where the alleged infringement occurred, under Article 77 GDPR;
the Curaçao Gaming Authority or another competent authority in Curaçao, where applicable.

We encourage you to contact us first so that we can review and address your concern directly, although doing so does not limit your right to complain to a competent authority.

PROVISION OF PERSONAL DATA AND CONSEQUENCES OF NON-DISCLOSURE

Some Personal Data is required by law, some is needed to enter into or perform the contract with you, and some is necessary for access to particular features of the Services. For example, we may be unable to provide betting services, process payments, verify your identity, or meet responsible betting and AML requirements without certain information.

Providing Personal Data may therefore be:

a legal requirement, especially for AML, KYC, age verification, responsible betting, regulatory reporting, tax, or audit purposes;
a contractual requirement needed to create, operate, secure, or close an Account and process transactions;
a technical or operational requirement for Website access, security checks, support, or selected betting features.

Obligation to Provide Data

Where Personal Data is mandatory and you do not provide it, or where verification cannot be completed, the consequences may include:

refusal or delay in Account registration;
restricted access to deposits, withdrawals, betting functions, promotions, or support services;
temporary suspension or permanent closure of the Account;
cancellation, delay, or review of transactions where required by law or risk controls;
inability for us to provide the Services or continue the contractual relationship.

LEGAL DISCLAIMER

The Services are provided on an “as is” and “as available” basis. We aim to maintain reliable and secure systems, but we do not guarantee that the Website will always operate without interruption, delay, error, vulnerability, or unauthorised interference.

We apply reasonable technical and organisational measures to protect Personal Data. However, no internet-based service, electronic transmission, or storage system can be made absolutely secure, particularly in light of evolving cybersecurity risks.

Limitations of Liability

To the fullest extent permitted by applicable law, we are not responsible for:

events outside our reasonable control, including network outages, service disruptions, cyberattacks, system failures, or unauthorised access despite reasonable safeguards;
indirect, incidental, consequential, punitive, or similar losses connected with data incidents, disclosure, misuse, or temporary unavailability of the Services;
the privacy, security, accuracy, or conduct of third-party websites, services, or platforms that may be linked from the Website but are not operated by us.

Links to third-party websites or services do not mean that we control or endorse their privacy practices. You should review their own privacy notices before using them.

CONSENT TO PRIVACY POLICY

By continuing to use the Services, you acknowledge that you have read this Privacy Policy and understand how Personal Data is processed as described in it. This Policy replaces earlier versions relating to the same subject matter.

This Policy should be read together with the Terms and Conditions, Cookie Policy, responsible betting information, and any other notices displayed on the Website.
We may update this Policy from time to time. The updated version will be published on the Website and will apply from the date stated in it, unless a different effective date is specified.
You are encouraged to review this Policy regularly so that you remain informed about how Personal Data is handled.

OTHER TERMS

Translations of this Policy may be provided for convenience. If there is any inconsistency between the English version and a translated version, the English version prevails to the extent permitted by law.