Privacy Policy
Last updated: August 14, 2025
INTRODUCTION
This Privacy Policy explains how Carletta N.V. collects, uses, stores, discloses, and protects Personal Data when you access or use this Website and the related services available through it.
This Website is owned and operated by Carletta N.V., with its registered office at Dr. Henri Fergusonweg 1, Curaçao. Carletta N.V. is registered under company registration number 142346 and is licensed by the Curaçao Gaming Control Board since 24/Jun/2025 to offer games of chance under license number OGL/2024/580/0570 in accordance with the National Ordinance on Games of Chance (LOK).
This Privacy Policy applies to Personal Data processed through:
- our Website;
- communications sent to or received from [email protected];
- phone calls and support chat sessions with us.
For the purposes of applicable data protection laws, Carletta N.V. acts as the controller of your Personal Data. This means that we determine why and how your Personal Data is processed in connection with your use of the Website and Services.
The purpose of this Policy is to provide clear information about the categories of Personal Data we process, why we process it, the legal grounds for such processing, how long we retain it, who we may share it with, how we protect it, and what rights you have in relation to your Personal Data.
DEFINITIONS
In this Privacy Policy, capitalized terms have the meanings set out below. These definitions apply whether the terms are used in singular or plural form.
Account means a unique account created for you to access our Services or certain parts of our Services, subject to identity verification and Regulatory Compliance requirements.
Company, we, us, or our means Carletta N.V., a company registered under the laws of Curaçao, with registration number 142346 and registered address at Dr. Henri Fergusonweg 1, Curaçao.
Service means the Website, its functionalities, and the related online gaming and interactive services provided by the Company.
Website means this website, including any subdomains, associated platforms, or applications operated by the Company.
Personal Data means any information relating to an identified or identifiable individual, as defined under the General Data Protection Regulation (GDPR) and the Curaçao Data Protection Framework.
Processing of Personal Data means any operation or set of operations performed on Personal Data, whether by automated or manual means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
Regulatory Compliance means the Company’s legal obligation to process Personal Data in accordance with applicable laws, including the National Ordinance on Games of Chance (LOK) and Anti-Money Laundering (AML) regulations. Such processing is based on legal requirements and does not depend on user consent.
PERSONAL DATA WE PROCESS, PURPOSES, AND LEGAL BASES
We process Personal Data only where there is a lawful basis to do so and where the processing is necessary for a defined purpose. The categories below describe the main types of processing carried out by us.
Account Registration and Access to Services
We process Personal Data to create, activate, secure, and manage your Account and to provide access to the Services.
Legal basis: performance of a contract or steps prior to entering into a contract under GDPR Article 6(1)(b).
Personal Data used: contact credentials such as email address and/or phone number, hashed password, chosen currency, account identifiers, and basic device or access logs required to activate and protect the Account.
Identity Verification, Age Confirmation, and AML / LOK Compliance
We process Personal Data to verify your identity, confirm your age, comply with KYC requirements, and meet applicable AML/CFT, LOK, and NORUT obligations.
Legal basis: compliance with legal obligations under GDPR Article 6(1)(c), including AML/CFT, LOK, and NORUT, and legitimate interests in platform integrity under GDPR Article 6(1)(f), where applicable.
Personal Data used: government-issued identification documents such as passport, ID card, or driver’s license, proof of address, date of birth or age attestation, selfies, or liveness checks.
Payment Processing
We process Personal Data to handle deposits, withdrawals, refunds, and related financial operations.
Legal basis: performance of a contract under GDPR Article 6(1)(b), compliance with legal obligations for financial record-keeping and AML under GDPR Article 6(1)(c), and legitimate interests in fraud prevention under GDPR Article 6(1)(f).
Personal Data used: payment instrument data, transaction history, currency, and payout channel confirmations.
Fraud Detection, Security Monitoring, and Platform Abuse Prevention
We process Personal Data to protect the security, integrity, and proper functioning of the Services and to detect or prevent fraudulent, unauthorized, or abusive activity.
Legal basis: legitimate interests in securing the Service and protecting users under GDPR Article 6(1)(f), and legal obligations under AML/CTF rules under GDPR Article 6(1)(c).
Personal Data used: device and technical identifiers, including IP address, device type, and browser data.
Responsible Gaming, Player Protection, and Self-Exclusion Management
We process Personal Data to support responsible gaming measures, player protection requirements, cooling-off options, play limits, and self-exclusion management.
Legal basis: compliance with LOK / CGA Responsible Gaming requirements under GDPR Article 6(1)(c), and legitimate interests in player welfare and Regulatory Compliance under GDPR Article 6(1)(f).
Personal Data used: self-exclusion status and duration, cooling-off selections, play limits, gameplay frequency, spend metrics indicative of risk, and communications related to responsible gaming interventions.
Customer Support and Service Communications
We process Personal Data to respond to your requests, resolve issues, communicate with you about your Account or transactions, and maintain service quality.
Legal basis: performance of a contract under GDPR Article 6(1)(b), and legitimate interests in service quality and dispute resolution under GDPR Article 6(1)(f).
Personal Data used: support tickets, chat transcripts, email correspondence, call notes, account identifiers, and transaction references linked to your inquiry.
Marketing Communications Where Permitted
We may process Personal Data to send marketing communications where permitted by law and subject to applicable restrictions.
Legal basis: consent under GDPR Article 6(1)(a) for electronic marketing, and legitimate interests under GDPR Article 6(1)(f) for similar-product soft opt-in where allowed by law. Marketing communications are always subject to opt-out and responsible gaming restrictions.
Personal Data used: contact details such as email, phone number, or push token, marketing preferences, engagement metrics, and non-sensitive bonus eligibility status.
Website Performance, Analytics, and Cookies
We process Personal Data to operate, maintain, analyze, and improve the Website and its performance.
Legal basis: legitimate interests in operating and improving the Website under GDPR Article 6(1)(f), and consent under GDPR Article 6(1)(a) where required for non-essential cookies.
Personal Data used: usage logs, cookie identifiers, browser type and version, traffic data, and on-site interaction metrics.
Regulatory Reporting, Audits, and Dispute Resolution
We process Personal Data when required to cooperate with competent authorities, respond to audits, comply with reporting obligations, or establish, exercise, or defend legal claims.
Legal basis: legal obligation under GDPR Article 6(1)(c) to cooperate with the Curaçao Gaming Authority, FIU, tax authorities, and other relevant authorities, and legitimate interests under GDPR Article 6(1)(f) in legal claims.
Personal Data used: records required for regulatory cooperation, compliance audits, legal proceedings, or dispute resolution, as permitted by applicable laws.
DATA RETENTION
We retain Personal Data only for as long as necessary for the purposes for which it was collected and processed, or for as long as required under applicable legal and regulatory obligations.
Retention periods are determined by considering:
the purpose of processing, including provision of the Services, performance of contractual obligations, and protection of our legitimate interests;
applicable statutory retention obligations, including AML, gaming, and tax requirements;
the need to establish, exercise, or defend legal claims;
audit, supervisory, and regulatory requirements.
When the relevant retention period expires, we securely delete, anonymize, or archive Personal Data in a way that ensures it can no longer be associated with you, unless further retention is required by law.
SOURCES OF PERSONAL DATA
We collect most Personal Data directly from you when you interact with the Services. This may occur when you register an Account, complete verification steps, process payments, use the Website, or contact our support team.
We may obtain Personal Data from the following sources:
Directly from You
This includes information you provide when creating an Account, completing identity or age verification, making deposits or withdrawals, or communicating with customer support.
Your Use of the Services
This includes data generated through your activity on the platform, such as gameplay, transaction history, device and log information, and cookie data in accordance with our Cookie Policy.
Third-Party Verification and Compliance Services
We may use trusted third parties to support verification, compliance, security, and payment-related functions.
Publicly Available and Legitimate Sources
Where necessary, we may supplement information provided by you with data from publicly available and legitimate sources, solely for compliance, verification, or risk management purposes.
Regulatory and Law Enforcement Authorities
In certain cases, we may receive Personal Data from competent authorities in connection with legal, compliance, or regulatory obligations.
DATA STORAGE AND INTERNATIONAL TRANSFERS
We store Personal Data on secure servers operated by us and by trusted service providers. These servers may be located within the European Economic Area and in jurisdictions outside the EEA, including Curaçao, depending on operational and regulatory requirements.
Where Personal Data is transferred outside the EEA, we ensure that such transfers comply with applicable data protection laws and are protected by appropriate safeguards, including:
Adequacy Decisions
Where the European Commission has recognized a country as providing an adequate level of data protection, Personal Data may be transferred on that basis.
Standard Contractual Clauses
Where no adequacy decision exists, we use Standard Contractual Clauses approved by the European Commission to help ensure that Personal Data remains protected.
DISCLOSURE OF PERSONAL DATA
We may share Personal Data only where necessary and for the purposes described in this Privacy Policy. Any sharing is carried out in accordance with applicable data protection laws, contractual obligations, and appropriate security measures.
Personal Data may be shared with the following categories of recipients:
Regulatory and Supervisory Authorities
This may include the Curaçao Gaming Authority, the Financial Intelligence Unit, tax authorities, and other governmental or law enforcement bodies where disclosure is required by law or regulatory obligations, including AML and responsible gaming requirements.
Identity Verification and Compliance Service Providers
These providers assist us in verifying customer identity and complying with AML and Know Your Customer obligations.
Payment Processors and Financial Institutions
To enable deposits, withdrawals, refunds, and other payment-related services, we may share Personal Data such as transaction details, payment method information, and account identifiers.
Customer Support and Communication Tools
External providers that support email delivery, live chat, or other communication channels may process Personal Data such as contact details and support messages to assist in providing customer service.
Fraud Prevention and Security Partners
We may engage trusted providers that help protect the security and integrity of the platform, including detecting and preventing potentially fraudulent or unauthorized activity.
Analytics and Optimization Platforms
Third-party services may help us analyze Website usage, conduct A/B testing, and improve user experience. Where possible, this data is anonymized or pseudonymized.
Game Content Providers
Licensed third-party game providers may receive the minimum Personal Data required to enable certain platform features, such as player identifiers and game session data.
Internal Tools and IT Infrastructure Providers
We use secure hosting, internal tools, and productivity solutions to store and manage data necessary for the operation of the Services.
COOKIES AND SIMILAR TECHNOLOGIES
This Website may use cookies and similar technologies to enhance user experience, enable essential Website functions, and analyze Website performance. Cookies are small text files stored on your device when you visit the Website. They allow the Website to recognize your device and remember certain information about your preferences or previous actions.
Types of Cookies We May Use
Strictly Necessary Cookies
These cookies are essential for the functioning of the Website and cannot be switched off in our systems. They enable core functions such as page navigation, access to secure areas, and user authentication.
Functional Cookies
These cookies support enhanced functionality and personalization, such as remembering language preferences or user settings. They may be set by us or by third-party providers whose services we use.
Analytical or Performance Cookies
These cookies collect aggregated, anonymized data about how visitors use the Website, such as page visits, click-through rates, traffic sources, and interaction metrics. They are used to measure and improve Website performance.
Advertising or Targeting Cookies
These cookies may be set by us or by advertising partners to build a profile of your interests and provide relevant advertising on this Website or on other websites. They may also help limit how often you see an advertisement and measure advertising effectiveness.
Session and Persistent Cookies
Some cookies are session cookies and expire when you close your browser. Other cookies are persistent cookies, which remain on your device for a predetermined period or until you delete them.
First-Party and Third-Party Cookies
Cookies may be set by us as first-party cookies or by third-party service providers acting on our behalf as third-party cookies. These providers may include analytics services, customer support tools, or advertising networks.
Managing Cookies
You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that restricting certain cookies may affect the availability or functionality of some parts of the Website.
PROTECTION OF MINORS
In accordance with the Curaçao Gaming Authority’s Responsible Gaming Policy introduced in February 2025, we maintain measures intended to prevent underage access to the Services.
Age Restrictions
The Services are intended only for individuals who are at least eighteen (18) years old or who have reached the legal age required in their respective jurisdiction, whichever is higher. By accessing or registering for the Services, you confirm that you meet the applicable age requirement.
Age Verification
To enforce age restrictions, we apply age verification mechanisms, including document verification. Users may be required to provide valid government-issued identification documents during the registration process.
Preventive Measures and Security Reviews
We use preventive measures to support compliance with age-related requirements, including:
automated monitoring of user activity to detect inconsistencies or signs of underage access attempts;
security reviews where underage access is suspected, including review of registration data and financial transactions;
immediate deletion of Personal Data submitted by individuals identified as minors.
Parental Controls and Education
We encourage parents and guardians to use available parental control tools and educate minors about responsible online behavior to help prevent unauthorized access to the Services.
Responsible Gaming Commitment
Our responsible gaming approach includes compliance with CGA guidance on player protection and age verification. We review and enhance our policies to ensure they meet or exceed applicable regulatory standards.
By using the Services, you acknowledge and agree to these terms and confirm that you meet the legal age requirements.
YOUR DATA PROTECTION RIGHTS
Under the GDPR, you may have the following rights in relation to your Personal Data:
Right of Access under Article 15 GDPR
You may request confirmation of whether we process your Personal Data and obtain a copy of such data, together with information about how it is used.
Right to Rectification under Article 16 GDPR
You may request correction of inaccurate or incomplete Personal Data without undue delay.
Right to Erasure under Article 17 GDPR
You may request deletion of your Personal Data where applicable legal grounds exist, for example where the data is no longer necessary for the purposes for which it was collected, or where you withdraw consent and no other lawful basis applies.
Right to Restrict Processing under Article 18 GDPR
You may request that we limit the processing of your Personal Data in specific circumstances, such as where the accuracy of the data is contested or processing is unlawful.
Right to Data Portability under Article 20 GDPR
You may request a copy of the Personal Data you provided to us in a structured, commonly used, machine-readable format and may transfer it to another controller where technically feasible.
Right to Object under Article 21 GDPR
You may object at any time to processing of your Personal Data based on our legitimate interests or to processing for direct marketing purposes, for reasons related to your particular situation.
How to Exercise Your Rights
To exercise your data protection rights, you may contact us at:
email: [email protected];
postal address: Dr. Henri Fergusonweg 1, Curaçao.
WITHDRAWAL OF CONSENT
Where we process Personal Data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
To withdraw consent, contact us using the contact channels provided in this Privacy Policy. After receiving your request, we will stop processing the relevant Personal Data unless continued retention or processing is required for legal or regulatory reasons.
If withdrawal of consent affects our ability to provide certain Services, we will inform you of the consequences before completing the withdrawal process.
COMPLAINTS
Under Article 77 GDPR, if you believe that your Personal Data is being processed unlawfully or that your privacy rights have been violated, you have the right to lodge a complaint with:
the supervisory authority in the EU Member State where you reside, work, or where the alleged violation occurred;
the Curaçao Gaming Authority or any other relevant data protection authority in Curaçao.
If you have concerns or unresolved questions about how we process your Personal Data, we encourage you to contact us first. We will make every reasonable effort to address your concerns in a timely and lawful manner.
PROVISION OF PERSONAL DATA AND CONSEQUENCES OF NON-DISCLOSURE
Providing Personal Data may be required in different circumstances.
Legal Requirement
Certain Personal Data must be provided so that we can comply with applicable laws and regulations, including AML obligations and responsible gaming requirements.
Contractual Requirement
Some Personal Data is necessary to enter into or perform a contract with you, including enabling access to the Services and processing transactions.
Requirement for Access to Services
Without required Personal Data, we may be unable to provide certain Services or fulfill our contractual or legal obligations.
Obligation to Provide Data
You are obliged to provide Personal Data where it is required by law or necessary for performance of a contract. Failure to provide such data may result in:
inability to create or maintain an Account;
restrictions on use of the Services;
termination of the contractual relationship;
inability to comply with regulatory obligations, which may prevent us from providing Services.
LEGAL DISCLAIMER
The Services are provided on an “AS-IS” and “AS-AVAILABLE” basis, without warranties or guarantees of uninterrupted or error-free performance. Although we take reasonable precautions to protect Personal Data, absolute security cannot be guaranteed due to the complexity of technology and evolving cybersecurity threats.
Limitations of Liability
To the maximum extent permitted by law, we are not liable for:
events beyond our direct control, including system failures, cyberattacks, or unauthorized access;
indirect, incidental, consequential, or punitive damages arising from data breaches, unauthorized disclosure, or misuse of Personal Data;
errors, inaccuracies, or security vulnerabilities on third-party websites linked from our platform.
By using the Services, you acknowledge that we are not responsible for external websites or services operated by third parties, even where they are linked from our platform.
ACCEPTANCE OF THIS PRIVACY POLICY
Your continued use of the Services signifies your explicit acceptance of this Privacy Policy. This Privacy Policy represents the entire and exclusive statement of our privacy practices and replaces any previous versions.
This Policy should be read together with our Terms and Conditions and any additional applicable notices posted on the platform.
We reserve the right to modify this Privacy Policy at any time. Changes will be posted on the platform, and continued use of the Services after such changes constitutes acceptance of the revised Policy.
We recommend reviewing this Privacy Policy regularly to stay informed about updates.
OTHER TERMS
All versions of this Privacy Policy other than the English version are provided for informational purposes only. In case of discrepancies or conflicts between versions, the English version shall prevail.