32Red Privacy Notice
1. Introduction and general terms
At 32Red, we are committed to protecting and respecting your privacy and maintaining the confidence and trust of our customers.
This Privacy Notice explains how your personal information is collected through the use of our website www.32red.com and all variants thereof, including our mobile apps (the “Website”), why it is collected and how it is kept secure.
2. Who are we?
32Red is 32Red Ltd, a company registered in Gibraltar under number 83626, having its registered office at Suite 2B, 143 Main Street, Gibraltar, GX11 1AA, the “Data Controller” under this Notice. 32Red Ltd belongs to Kindred Group plc (“Kindred Group”). Kindred Group is listed on the Nasdaq OMX Nordic Exchange in Stockholm and is one of the largest listed online gambling operators in the European market. Founded in 1997, it has substantial expertise in the area of online gambling and is a leader in providing innovative solutions focusing on the protection of customers, increased transparency and a safe and secure player environment. You can find more information at www.kindredgroup.com.
Kindred Group operates across different markets and jurisdictions, and has in its portfolio the following brands:
- Roxy Palace
- Maria Casino
- Bohemia Casino
3. How can you get in touch?
For general queries please do not hesitate to get in touch with our Player Experience team via our Help Centre.
If you have specific questions regarding your personal information or how we use it, please contact our Data Protection Officer directly by email at DPO.firstname.lastname@example.org.
4. What types of personal information do we collect?
We collect personal information when you interact with us and use our services (the “Services”). Sometimes, this information is provided to us by you – like when you register for the first time and when you make use of our products or get in touch with us. Sometimes third parties or publicly available sources provide us information about you.
Information you provide to us:
- Your personal details, such as your name, email address, postal address, telephone or mobile number, gender or date of birth;
- Photographic identification and proof of address documents (to carry out due diligence)
- Banking and financial details (to establish the source of funds where a transaction is involved)
- Your account login details, such as your username and password
Through your use of 32Red’s services:
- Information about how you interact with our products
- Information about your online browsing behaviour on the Website, mobile apps, and other 32Red content online – please see our Cookies Policy for more details;
- Information about any devices you have used to access our Services (such as model, operating system, IP address, browser type, mobile device identifier)
- Recording phone calls – we may monitor or record phone calls with you. We might do this to check that we have carried out your instructions correctly; to resolve queries or issues; for regulatory purposes; to help improve our quality of service; to help us train our staff; or to help detect or prevent fraud or other crimes.
Other sources of personal data
- Where we provide personalised services, we may use third party data about you, for example, your Twitter or Facebook feeds, to get to know you better and to provide more effective personalisation.
- Data received from our business partners and from other organisations, such as specialist companies providing verification services, credit reference agencies, and fraud prevention agencies.
- Publicly available sources, like postcode lookup.
Information about third parties
If you give us personal information about someone else (for example via a Refer a Friend scheme) then you should not do so without their permission. Where information is provided by you about someone else, or someone else discloses information about you, it may be added to any personal information that is already held by us and it will be used in the ways described in this Privacy Notice.
This list of personal data types collected by 32Red is not exhaustive and further information may be requested from you when 32Red considers it fair and necessary to do so.
Special categories of data
Personal data collected by 32Red may include so-called “special categories of data”, such as health data related to responsible gambling (see Section 5E).
We have in place additional measures to protect your sensitive personal data and its confidentiality (see Section 11).
5. Why do we collect your Personal Data and on what basis?
We recognise the trust and confidence our customers place in us as a service provider. In return, 32Red is open about why we collect your data. First and foremost, collecting your information is essential for providing you the services and products you want. In addition, your data is used to personalise and improve your experience using our services, and to contact you from time to time with important information. In some cases, we need to collect and use your information to comply with the law. Under data protection laws, we also need to identify a specified lawful basis upon which we are processing your personal information. We rely on different bases for different processing activities.
A) Under the contract – when it is necessary for the performance of a contract to which you are a party. Our T&Cs, which you have accepted at registration, set out the terms of the contract and the services we will provide:
To make our services available to you as part of our contract
- to provide gaming and betting services, activities or online content, to provide you with information about them and to deal with your requests and enquiries;
- to assess betting risk - when you make a bet, an automated system may be used to assess the risk connected to your bet, in accordance with our Betting Rules (see our Terms and Conditions). It is a system widely used by betting operators to help make fair and informed decisions on betting. Betting scoring takes account of information you provide (both at registration and through your use of our services). If your bet has been rejected or limited, you have the right to ask for a manual assessment by our traders.
- to process your transactions;
B) Under legitimate interests - It is necessary to process your data for the purposes set out below, except where our interests are overridden by the interests, rights or freedoms of affected individuals (such as you). To determine if we can process your data on this basis, we shall consider a number of factors, such as what you were told at the time you provided your data, what your expectations are about the processing of the data, the nature of the data, and the impact of the processing on you.
To personalise your experience
- to offer a more relevant, tailored service; for instance, we could use your playing history to provide personalised recommendations and products;
To improve our services and products
- to provide you with the most user-friendly online navigation experience;
- for analysis and research purposes so that we may improve the services offered by 32Red;
- testing new systems and checking upgrades to existing systems;
- evaluating the effectiveness of marketing and for market research and training;
- customer modelling, statistical and trend analysis, with the aim of developing and improving products and services.
To contact and interact with you
- Contact you about our services, for example by phone, email or post or social media;
- Manage promotions and competitions you choose to enter;
- Invite you to take part in and manage customer surveys, questionnaires and other market research activities carried out by 32Red and by other organisations on our behalf (we carry out market research to improve our services; however, if we contact you about this, you do not have to take part in the activities. If you tell us that you do not want us to contact you for market research, we will respect this choice and this will not affect your ability to use our services);
- Respond to your queries and complaints.
To make your game safer and more enjoyable
- to deter, prevent or detect the use of third party software in peer-to-peer gambling;
- to deter, prevent, or detect any activities conducted in breach of the 32Red T&Cs.
C) Under the legal obligation – when it is necessary in order to comply with mandatory legal obligations to which we are subject under EU or local laws:
- to determine where you are accessing the services from to redirect you to the correct country site, in accordance with our license conditions;
- to make sure we offer our services to eligible persons;
- crime detection, prevention, and prosecution;
- to verify your identity and establish the source of funding in any transaction;
- to carry out appropriate anti-fraud checks (by conducting online searches using a third party identity provider). Please note that this will not affect your credit rating;
- to ensure your personal information remains accurate. In connection with these obligations we may periodically re-verify the personal data we hold about you to ensure it remains accurate and current (including by disclosing your personal data to and receiving personal data about you from third party identity and address verification services). If we update your personal data as a result of these verification processes, we will take reasonable steps to inform you. If you believe any of the personal data we hold about you is not accurate, please contact us using contact details in Section 3;
- to assess and manage any potential risks and prevent problem gambling.
D) Under your consent
Marketing and market research
We will send you relevant offers and news about our products and services in a number of ways including by email, sms, phone call, post, social media targeted advertising, but only if you have previously agreed to receive these marketing communications. When you register with us we will ask if you would like to receive marketing communications, and you can change your marketing choices online, over the phone or in writing at any time.
We may use information which we hold about you to show you relevant advertising on third party sites (e.g. Facebook, Google, Instagram, Snapchat and Twitter). If you don’t want to be shown targeted advertising messages from us, some third party sites allow you to request not to see messages from specific advertisers on that site in future. If you want to stop all personalised services from us, including targeted advertising messages on third party sites, you can contact our Help Centre or email DPO.email@example.com to disable personalisation.
We also like to hear your views to help us to improve our services, so we may contact you for market research purposes. You always have the choice about whether to take part in our market research.
E) Special categories of data
We will only process such data if:
- you have given us your explicit consent;
- it relates to personal data which you have made public;
- it is necessary for the establishment, exercise or defence of legal claims;
- it is necessary for reasons of substantial public interest, on the basis of European Union or Member State law.
6. Cookies and similar technologies
a. to identify the Account Holder's (as defined in our Terms and Conditions) preferred language, so it can be automatically selected when the Account Holder returns to the Website;
b. to ensure that bets placed by the Account Holder are associated with the Account Holder's betting coupon and Account;
c. to ensure that the Account Holder receives any bonuses for which they are eligible, and
d. for analysis of the Website traffic, so as to allow 32Red to make suitable improvements.
More information can be found in our Cookies Policy.
7. When do we share your personal information?
We do not share your personal information with third parties outside the Kindred Group for marketing purposes. However, there are circumstances when we share your personal data with other companies in the Kindred Group, with third parties that provide services to you on our behalf, and with other third parties in the course of complying with our legal obligations. Other examples of when we share your personal information include when we enter any kind of merger or business sale, as customers’ personal information is likely to be included in the sale/transfer. We would inform you prior to effecting such transfer of personal data. Even when it is shared, we ensure that your personal information will only be used for the purposes outlined in this Privacy Notice.
With other companies within Kindred Group
We may share the personal data we collect with other companies in the Kindred Group for the following purposes:
- providing you with products and services and notifying you about either important changes or developments to the features and operation of those products and services;
- responding to your enquiries and complaints;
- administering offers, competitions, and promotions;
- facilitating the secure access to online platforms
- updating, consolidating, and improving the accuracy of our records
- undertaking transactional analysis;
- testing new systems and checking upgrades to existing systems;
- crime detection, prevention, and prosecution, as well as complying with regulatory requirements;
- evaluating the effectiveness of marketing, and for market research and training;
- customer modelling, statistical and trend analysis, with the aim of developing and improving products and services.
With third parties
We may share personal data with third parties in the following circumstances:
- when ordered to do so by any regulatory body and/or under any legal provision contained in the governing law;
- we may instruct and authorise the Financial Institution with which an Account Holder's account is held to disclose any information as may be requested by the Regulator in respect of an Account Holder's account;
- in order to establish, exercise or defend our legal rights;
- for verification and fraud detection purposes, we may transfer your personal data to third parties, including but not limited to so-called Address Verification System service providers, Payment Service Providers, Financial Institutions, and credit reference agencies such as Transunion, which will leave a “soft” footprint on your credit file (more details: https://www.transunion.co.uk/legal-information/privacy-centre). Furthermore, we reserve the right to disclose the Account Holder’s personal data to relevant parties where 32Red has reasonable grounds to suspect irregularities involving a 32Red Account;
- with service providers to enable us to provide our services, such as companies that help us with technology services, storing and combining data, and processing payments or providing relevant online advertising for our products and services;
- with external auditors who may carry out independent checks as part of our accreditations
- to an organisation we sell or transfer (or enter into negotiations to sell or transfer) any of our businesses or any of our rights or obligations under any agreement we may have with you to. If the transfer or sale goes ahead, the organisation receiving your personal data can use your personal data in the same way as us; or
- to any other successors in title to our business.
8. Do we transfer your data outside the EEA?
The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by companies operating outside the EEA who work for us or for one of our service providers. For instance, the computer servers used to host a website could be located outside the EEA – this is not unusual given that the internet is a global environment. Your personal information could be held at a destination which offers a different level of data protection than in the EEA, including Australia, Serbia, India, US. To ensure your personal information remains safe when transferred like this, we will take all reasonable steps to maintain a suitable level of protection in line with this Policy.
Any transfer of your personal information to a location outside the EEA will be based on:
- the Standard Data Protection Clauses adopted by the European Commission or a relevant data protection authority; or
- an adequacy decision from the European Commission, confirming that the third country provides adequate protection for your personal information; or
- Your consent, or another legal basis on which we are entitled to make the transfer.
9. How long will 32Red keep my data?
We will only retain your information for as long as needed to fulfil the purposes for which it is collected. While you are a customer, we will need to retain your information to meet our legal and contractual requirements. However, when you cease using 32Red's Services, we will still retain your personal information for a period of time. There are several reasons why we retain your information; these include:
- To comply with legal obligations under EU/local laws (for example, anti-money laundering regulations, or licensing regulations);
- To establish or defend legal claims (for example negligence claims) which could be made against us;
- To comply with our contractual obligations and rights in relation to the information involved;
- Our legitimate interests where we have carried out balancing tests;
- To comply with guidelines issued by relevant data protection authorities.
10. Your rights & choices over your personal information
We appreciate that by law and subject to certain conditions, you have a number of rights concerning the personal information we hold about you. If you wish to exercise these rights, you should contact our Data Protection Officer using the details set out above in Section 3. These rights include the right to access, amend and erase the personal information we hold about you, the right to object to the processing of your data, the right to withdraw consent, and the right to data portability. You also have the right to complain to your data protection authority if you are concerned with how we process your information. In addition, you have certain rights relating to automated decision-making and ‘profiling’. Further information and advice about your rights can be obtained from your country’s data protection regulator or the Information Commissioner’s Office.
The personal information we ask for on registration is compulsory (unless indicated in the forms as optional) and we need it to be able to process your registration, contact you and comply with gambling and financial laws to which you are subject. Unfortunately, therefore, if you do not want to provide such personal information, you will not be able to use our services.
Right to access and rectify the information we hold about you
You have a right to request a copy of the personal information we hold about you, known as a data subject access request. You also have the right to request that information we hold about you which may be incorrect, or which has been changed since you first told us, is updated or removed. These requests are free of charge and can be sent by email to our Data Protection Officer at DPO.firstname.lastname@example.org or by contacting our Help Centre.
Right to delete your data
In some circumstances, you can ask us to erase personal information we hold about you (‘the right to be forgotten’). This includes when:
- the information is no longer necessary in relation to the purpose for which it was collected (as explained in our privacy notice);
- if you previously gave consent to the use of your information, but decide to withdraw it and we cannot justify another legal ground for using it under data protection law;
- we process your information based on our legitimate interests and we cannot demonstrate overriding legitimate grounds to continue processing the information;
- we don’t have a lawful ground under data protection law to process your information;
- the data has to be erased to comply with a legal requirement;
This right is subject to mandatory retention periods under EU/local laws.
Right to restrict processing
You have the right to ask us to restrict (‘block’ or ‘suppress’) the processing of your personal information. When processing is restricted, we can still store your information, but will not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in the future. This right is available to you when:
- you dispute the accuracy of the personal information (while we verify matters);
- the processing is unlawful, and you object to the erasure of the information and request that we restrict processing instead;
- we no longer need the data, but you require it to establish, exercise or defend a legal claim; and
- we process your information for our legitimate business interests but you object (while we verify the grounds for continued processing).
Right to Data Portability
You have the right to receive personal information you provide to us, in a ‘commonly used machine-readable format’. This allows you to obtain and reuse your information for your own purposes across different services. For example, if you decide to switch to a different provider, this enables you to move, copy or transfer your information easily between our IT systems and theirs safely and securely, without affecting its usability. This is not a general right however, and only arises when the processing of your information is:
- based on your consent or where it is necessary for the performance of a contract, and
- when the information is processed solely by automated means.
Right to object
Based on your particular situation, you can object to the processing of your personal information, that is:
- based on our legitimate business interests (including profiling); or
- done for research and statistical purposes.
You also have the right to object to the use of your personal information for direct marketing purposes (including profiling), such as when you receive emails from us notifying you about other Kindred Group services which we think will be of interest to you.
Right to withdraw consent
When we rely on your consent as the basis to process your personal information – such as for sales and marketing communications (see section 5D) – you have the right to withdraw your consent at any time. We’ll always strive to make it easy for you to withdraw consent by choosing an “unsubscribe” option in every communication you receive from us. If you find this isn’t the case, then just get in touch with our Data Protection Officer in the ways outlined above in Section 3, and we’ll try to fix things ASAP.
Rights related to automated decision making, including profiling
We sometimes use systems to make automated decisions based on your personal information. This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know. These automated decisions can affect the products, services or features we may offer you now or in the future, or the ability to use our services.
We may use automated decision-making in the following situations:
- tailoring products and services – we may place you in groups with similar customers (segments) to study and learn about preferences and your needs, and offer a more tailored experience for you;
- detecting fraud - we use your personal information to help decide and detect if your account may be being used for fraud or money-laundering. If we think there is a risk of fraud, we may block or suspend the account;
- opening account - when you open an account with us, we check that the product or service is relevant for you, based on what we know. We also check that you meet the conditions needed to open the account. This may include checking age, residency, nationality or financial position;
- risk assessment connected to your bet, as more particularly explained in section 5A.
Data protection law seeks to safeguard individuals against harm that may arise from decision-making - including profiling - that takes place without human intervention. You have the right not to be subject to a decision - including profiling - when it is based on the automated processing of your personal information and it has a legal effect or a similarly significant effect on you.
Please note that the right does not apply when the processing is:
- necessary for entering into or for the performance of a contract with you; or
- when it is authorised by law; or
- when it is based on your explicit consent.
Any requests relevant to this Section must be addressed in writing to our Data Protection Officer on DPO.email@example.com. We will respond to any of your requests relevant to this Section within one (1) month from their receipt. Upon prior notice, this period may be extended by a further two (2) months if necessary, taking into account the complexity of the request and the number of any other pending requests. In case of rejection of your request, we will provide relevant justification. If your request does not meet the requirements of the data protection law, we reserve the right either to: (a) impose a reasonable fee, taking into account the administrative costs of providing the information or communicating or executing the requested action; or (b) reject your request.
11. Security of your data and confidentiality
We are committed to protecting the personal information you entrust to us. We take all reasonable steps to ensure that all information collected through our Website is treated securely and in line with this Privacy Notice and strict data protection standards. Accordingly, we have adopted robust procedures and technologies to protect your data from unauthorised access and improper use.
After logging in, all information sent to and from the Website is encrypted using 128-bit Secure Socket Layer (SSL) technology. The SSL certificate used is issued and verified by a carefully selected third party.
Your credit card details are encrypted and sent only once over the Internet to 32Red. They are then stored encrypted in our secure systems. We are dedicated to protecting our customers’ confidential information and, as part of doing so, we are certified towards the Payment Card Industry Data Security Standard.
The security of our systems and applications is tested several times per year by third-party security experts. Furthermore, we have an Intrusion Detection System that monitors all network traffic 24/7 for signs of attacks or intrusions.
We have a dedicated fraud department and advanced systems in place to detect and prevent suspicious activity, to ensure that 32Red’s website remains a secure playing-field. Any account involved in suspicious activity will be suspended and investigated to the fullest extent. Should you as a user have any doubts about the activity on your account, such as unrecognized transactions in the transaction history or surprising changes in the balance, please contact us immediately.
If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated by emailing DPO.firstname.lastname@example.org.
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the ICO.
13. Changes to 32Red Privacy Notice
This Privacy Notice may be updated from time to time to reflect changes in the way we work or the way our work is regulated - so you may wish to check it each time you submit personal information to us. The date of the most recent revisions will appear on this page. If you do not agree to these changes, please do not continue to submit personal information to 32Red or use 32Red services in any way. Otherwise, by continuing to do this, you will be deemed to have accepted the changes to the Privacy Notice. You can also close your 32Red account at any time. If significant changes are made to the Privacy Notice, for instance affecting how we would like to use your personal information, we will provide a more prominent notice (including, for certain services, notification of Privacy Notice changes by email) and you will be required to expressly accept such a change in order to continue using the Services and the change will apply immediately following your acceptance thereof.
14. Your Obligations
By using our Website and by providing your personal data, you acknowledge that you are required to provide your actual, accurate and complete data as requested by 32Red. Furthermore, you must inform us of any changes to your information so as to ensure it is kept up-to-date and accurate. If you are found to be in breach of your obligations or if we have reasonable suspicion that the information you provide is false or incomplete or in any way contrary to Data Protection Law or this Notice, we retain the right to reject your application for registration or to suspend or terminate your account immediately without notice. In this case, you have no right to any compensation due to the rejection of your application, or the suspension or termination of your account.
Last updated: 3rd August 2020, 14:43 GMT+1