Privacy Policy
Date of Last Update: January 19, 2026
This document helps to understand which tools, procedures, and options for managing Personal Data apply when using the Website and its related Services. It explains what information may be processed, in which situations it is required, how security is ensured, which categories of third parties may be involved in the processing, and what actions are available to the user regarding their data.
The Website is owned and operated by Carlitta N.V., a company registered in Curaçao under registration number 162777. The official address of the Company is: Zuikertuintjeweg Z/N (Zuikertuin Tower), Willemstad, Curacao. Since June 24, 2025 (24/Jun/2025), the Company has been licensed by the Curaçao Gaming Control Board to provide services under license number OGL/2024/1516/0841 in accordance with the National Ordinance on Games of Chance (LOK).
This Policy applies to the processing of Personal Data via the Website, communications sent to [email protected], telephone inquiries, and support chat. Carlitta N.V. is the controller of such data, as it determines the purposes and means of its processing within the framework of applicable law.
Terms Used in this Document
For a uniform understanding of this Policy, the following definitions are used.
- Account – an individual user account created to access the Services or specific features. The use of an Account may require identity verification and compliance with Regulatory Compliance requirements.
- Company – Carlitta N.V., registered in Curaçao under number 162777. References to “we”, “us”, and “our” refer to this same Company.
- Service – the Website, its functions, as well as related online and interactive services provided by the Company.
- Website – the website, including subdomains, associated platforms, and applications operated by the Company.
- Personal Data – any information relating to an identified or identifiable natural person within the meaning of the General Data Protection Regulation (GDPR) and the applicable data protection framework of Curaçao.
- Processing of Personal Data – any operations performed on data, whether manually or automatically. Such operations include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Regulatory Compliance – the Company’s obligation to process Personal Data in accordance with applicable laws, including the National Ordinance on Games of Chance (LOK) and Anti-Money Laundering (AML) requirements. Such processing is carried out on a statutory basis and does not depend on the user’s consent.
Account Access Tool
The Account is used to access the Services and specific features of the Website. To create, activate, and secure an Account, the Company may process email and/or phone number, hashed password, selected currency, Account identifiers, basic device data, and access logs.
This information allows the Company to provide the user with access to the Services, maintain account operations, and implement necessary security measures. The legal basis for processing is the performance of a contract or steps taken prior to entering into a contract under Article 6(1)(b) of the GDPR.
Identity and Age Verification Tools
To confirm identity, verify age, and comply with KYC, AML/CFT, LOK, and NORUT (The National Ordinance on the Reporting of Unusual Transactions) requirements, the Company may use identification procedures.
Within these procedures, a passport, ID card, driver’s license, proof of address, date of birth or age verification, as well as selfies or liveness check results may be processed.
This processing is necessary for compliance with legal obligations under Article 6(1)(c) of the GDPR. Where applicable, the Company’s legitimate interest in ensuring the integrity of the platform under Article 6(1)(f) of the GDPR may additionally be used.
Payment Processing Tools
For deposits, withdrawals, and refunds, the Company may process information necessary to execute the payment transaction and confirm its result.
Such information includes payment instrument details, transaction history, currency, and payout channel confirmations.
The legal basis may be the performance of a contract under Article 6(1)(b) of the GDPR, compliance with legal obligations regarding financial accounting and AML under Article 6(1)(c) of the GDPR, as well as a legitimate interest in preventing fraud under Article 6(1)(f) of the GDPR.
Security and Monitoring Tools
To protect the Website, users, and technical infrastructure, the Company may use security monitoring tools. They help identify suspicious activity, prevent unauthorized access, mitigate fraud risks, and protect the Services from abuse.
Within such processing, IP address, device type, browser data, and other technical identifiers may be used.
The processing is based on the Company’s legitimate interests in ensuring the security of the Service and users under Article 6(1)(f) of the GDPR. If the processing is related to AML/CTF requirements, the legal basis is also a legal obligation under Article 6(1)(c) of the GDPR.
Tools for Responsible Use of the Service
To protect users and fulfill the requirements of LOK / CGA Responsible Gaming, the Company may apply tools related to the responsible use of the Service and self-exclusion.
The data that may be used in this context includes self-exclusion status, its duration, selected cooling-off periods, set limits, activity frequency, spending patterns that may indicate risk, as well as communications related to responsible service use measures.
Such processing is conducted based on legal obligations under Article 6(1)(c) of the GDPR and the Company’s legitimate interests in protecting users and complying with regulatory requirements under Article 6(1)(f) of the GDPR.
User Support Tools
When a user contacts support, the Company uses the data necessary to review the request, prepare a response, and resolve potential disputes.
Support tickets, email correspondence, chat transcripts, phone call notes, Account identifiers, and transaction links (if they relate to a specific inquiry) may be involved in the processing.
The legal basis is the performance of a contract when processing service requests under Article 6(1)(b) of the GDPR. A legitimate interest in ensuring quality of service and resolving disputes under Article 6(1)(f) of the GDPR also applies.
Communications and Marketing Preferences Tools
The Company may use Personal Data for marketing communications only when permitted by applicable law.
For such communications, email, phone number, push token, marketing preferences, interaction metrics, and bonus eligibility status may be used, provided that this information does not constitute sensitive data.
Electronic marketing is carried out on the basis of consent under Article 6(1)(a) of the GDPR. If legislation permits a “soft opt-in” for similar products, processing may be performed on the basis of a legitimate interest under Article 6(1)(f) of the GDPR. The user retains the option to opt out of such messages. In doing so, restrictions related to the responsible use of the Service are taken into account.
Analytics and Website Operation Tools
To ensure the stable operation of the Website, analyze performance, and improve user experience, the Company may process technical and analytical information.
Such information includes usage logs, cookie identifiers, browser type and version, traffic data, and interaction metrics on the website.
The basis for processing may be a legitimate interest in operating and improving the Website under Article 6(1)(f) of the GDPR. If consent is required for non-essential cookies, it is applied under Article 6(1)(a) of the GDPR.
Regulatory Reporting and Audit Tools
To fulfill legal and regulatory obligations, the Company may use records necessary for interacting with competent authorities, undergoing inspections, conducting audits, and protecting legal interests.
Such data may be related to cooperation with the CGA, FIU, tax authorities, and other government or supervisory bodies. It may also be used in legal proceedings or dispute resolution.
The basis for processing is a legal obligation under Article 6(1)(c) of the GDPR and a legitimate interest in establishing, exercising, or defending legal claims under Article 6(1)(f) of the GDPR.
Data Sources
Personal Data may come from several sources. The primary source is the user themselves when they register, pass verification, deposit funds, request a withdrawal or refund, or contact support.
Part of the data is generated during the use of the Services. This may include activity records, transaction history, technical logs, device data, and cookie data.
The Company may receive data from trusted third-party providers who support identity verification, compliance, security, and payment processes.
If necessary for verification, risk management, or compliance with legal requirements, the information provided by the user may be supplemented with data from lawful and publicly available sources.
In certain cases, data may come from regulatory or law enforcement authorities in connection with the legal and compliance obligations of the Company.
Data Retention Management
The Company retains Personal Data only for the period necessary for the respective processing purposes, or for the duration stipulated by applicable legislation and regulatory requirements.
When determining the retention period, the purpose of processing, the provision of Services, the fulfillment of contractual obligations, the protection of legitimate interests, AML requirements, tax and regulatory rules, as well as the need to establish, exercise, or defend legal claims are taken into account.
After the expiration of the applicable period, the data is securely deleted, anonymized, or archived in such a manner that it can no longer be associated with the user, unless further retention is required by law.
Storage and International Transfer Tools
Personal Data is hosted on secure servers used by the Company and trusted service providers. Such servers may be located within the European Economic Area (EEA) or outside it, including Curaçao, if required for operational or regulatory reasons.
If Personal Data is transferred outside the EEA, the Company applies protection measures provided for by data protection legislation.
Such measures include Adequacy Decisions, when data is transferred to countries recognized by the European Commission as providing an adequate level of protection, as well as Standard Contractual Clauses (SCCs), if there is no adequacy decision for the respective country.
Categories of Data Recipients
The Company may disclose Personal Data only when necessary and within the purposes specified in this Policy. The transfer is carried out in compliance with applicable legislation, contractual obligations, and security measures.
Regulatory and supervisory authorities, including the Curaçao Gaming Authority (CGA), the Financial Intelligence Unit (FIU), tax authorities, government bodies, and law enforcement agencies, may receive data if required by law, AML obligations, or responsible service use requirements.
Identity verification and compliance providers may process data necessary to confirm the user’s identity and fulfill AML and Know Your Customer (KYC) requirements.
Payment processors and financial institutions may receive transaction details, payment methods, and Account identifiers if required for deposits, withdrawals, or other payment operations.
Support and communication services, including email delivery, live chat, and other communication channels, may process the user’s contact details and messages to provide support.
Security partners may assist in protecting the platform, identifying suspicious activity, and preventing fraud or unauthorized access.
Analytics and optimization platforms may be used to analyze Website performance, conduct A/B testing, and improve user experience. Wherever possible, data is applied in an anonymized or pseudonymized form.
Licensed third-party content providers may receive only the minimal amount of data necessary for the operation of specific platform features, such as user identifiers and session data.
IT infrastructure providers and internal tools may be used for the secure storage, management, and technical maintenance of data.
Cookie Management Options
The Website may use cookies and similar technologies that help ensure basic functions, save individual settings, analyze performance, and improve usability.
Cookies are small text files saved on the user’s device when visiting a website. They allow the device to be recognized and take into account certain settings or previous actions.
Strictly necessary cookies support the basic operation of the Website, including navigation, access to secure sections, and authentication. Such cookies cannot be disabled in our systems, as the website cannot function correctly without them.
Functional cookies help save user preferences, such as language or other settings. They may be set by the Company or by third-party providers whose services are used on the Website.
Analytical or performance cookies collect aggregated and anonymized information about visits, clicks, traffic sources, and Website usage. This data helps evaluate and improve website performance.
Advertising or targeting cookies may be placed by the Company or advertising partners to determine user interests and display relevant advertising on the Website or other sites. They may also be used to limit the frequency of impressions and evaluate advertising effectiveness.
Session cookies remain active until the browser is closed. Persistent cookies remain on the device for a set period or until deleted by the user.
Cookies can be first-party if they are set by the Website itself, or third-party if they are placed by third-party providers acting on behalf of the Company. Such providers may include analytics services, support tools, or advertising networks.
The user can manage cookies through browser settings. Most browsers allow cookies to be blocked or deleted. However, restricting certain cookies may affect the availability or correct operation of some Website functions.
Tools for the Protection of Minors
The Company implements measures aimed at preventing minors from accessing the Services. These measures comply with the Responsible Gaming Policy of the Curaçao Gaming Authority, introduced in February 2025.
The Services are intended only for persons who have reached at least 18 years of age, or a higher legal age if established in the user’s jurisdiction.
When accessing the Services or registering, the user confirms that they meet the applicable age requirement.
To verify age, a valid identity document issued by a government authority may be required. Such verification may be conducted as part of the registration process.
The Company also uses automated activity monitoring to detect inconsistencies or signs of attempts to access by minors. If a suspicion of such access arises, security checks may be conducted, including the analysis of registration data and financial transactions.
If an individual is identified as a minor, the Personal Data provided by them is deleted immediately.
Parents and legal guardians are advised to use parental control tools and explain the rules of safe online behavior to minors in order to prevent unauthorized access to the Services.
The Company adheres to the CGA guidelines regarding user protection and age verification. Policies and procedures are regularly reviewed and enhanced to meet or exceed regulatory standards.
User Rights Regarding Their Data
In accordance with the General Data Protection Regulation (GDPR), the user can exercise rights related to their Personal Data.
The user may request access to data under Article 15 of the GDPR. Such a request may include confirmation of processing, obtaining a copy of the data, and information on how it is used.
The user may demand the rectification of inaccurate or incomplete data under Article 16 of the GDPR without undue delay.
The user may request the erasure of data under Article 17 of the GDPR if there are legal grounds for doing so. For example, when the data is no longer necessary for the processing purposes, or when the user withdraws consent where the processing is based on consent.
The user may demand the restriction of processing under Article 18 of the GDPR in certain situations, including cases where the accuracy of the data is contested or the processing is unlawful.
The user may request data portability under Article 20 of the GDPR. This allows obtaining the data provided to the Company in a structured, commonly used, and machine-readable format and transmitting it to another controller, if technically feasible.
The user may object to processing under Article 21 of the GDPR if the processing is based on the Company’s legitimate interests and there are reasons related to the user’s specific situation. The user may also object to processing for direct marketing purposes.
A request regarding data rights can be sent via email to [email protected] or by post to the address Zuikertuintjeweg Z/N (Zuikertuin Tower), Willemstad, Curacao.
Right to Withdraw Consent
If Personal Data is processed on the basis of consent, the user may withdraw such consent at any time.
The withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal. Upon receiving the request, the Company shall cease the respective processing, unless further retention or use of the data is required to fulfill legal or regulatory obligations.
If the withdrawal of consent may affect the provision of certain Services, the Company will inform the user of the consequences before completing the process.
Right to Lodge a Complaint
In accordance with Article 77 of the GDPR, the user may lodge a complaint if they believe that their Personal Data is being processed unlawfully or that their privacy rights have been violated.
The complaint may be directed to a supervisory authority of the EU member state where the user resides, works, or where the alleged infringement occurred. The user may also contact the Curaçao Gaming Authority (CGA) or another relevant data protection authority in Curaçao.
If the user has questions or unresolved concerns regarding the processing of Personal Data, it is recommended to first contact the Company directly. We will make reasonable efforts to review the inquiry in a timely manner and in accordance with the law.
When Data Provision is Obligatory
The provision of Personal Data may be necessary by law, under a contract, or as a condition for accessing specific Services.
Data may be required to comply with applicable laws and regulations, including AML obligations and responsible service use requirements. Certain data is necessary for entering into and performing a contract, including providing access to the Services and processing transactions.
If the user fails to provide data required by law or necessary for the performance of a contract, it may result in the inability to create or maintain an Account, restriction of the use of Services, termination of contractual relations, or the impossibility to fulfill regulatory obligations, which may prevent the provision of the Services.
Legal Limitations and External Services
The Services are provided on an “AS-IS” and “AS-AVAILABLE” basis. The Company does not guarantee that the Services will always operate without interruptions or errors.
Although the Company takes reasonable measures to protect Personal Data, absolute security cannot be guaranteed due to the complexity of technologies and constantly changing cyber threats.
To the maximum extent permitted by law, the Company shall not be held liable for events beyond its direct control, including system failures, cyberattacks, or unauthorized access.
The Company is also not liable for indirect, incidental, consequential, or punitive damages related to data leaks, unauthorized disclosure, or misuse of Personal Data.
Furthermore, the Company is not responsible for errors, inaccuracies, or security vulnerabilities on third-party websites, links to which may be posted on the platform.
By using the Services, the user acknowledges that external websites and third-party services are not managed by the Company, even if links to them are placed on the platform.
Final Provisions
Continued use of the Services signifies acceptance of this Privacy Policy.
This Policy constitutes the complete and exclusive statement of the privacy rules and supersedes all previous versions. It should be read in conjunction with the Terms and Conditions and other applicable notices published on the platform.
The Company may amend the Policy at any time. Updates are posted on the platform, and further use of the Services after the publication of changes signifies acceptance of the updated version.
The user is advised to periodically review the Policy to remain informed of the current terms of Personal Data processing.
All versions of the Policy, except for the English version, are provided solely for informational purposes. If discrepancies or contradictions arise between the language versions, the English version shall prevail.