1. Who we are and the scope of this policy
Cinoslots N.V. ("Cinoslots", "we", "us", "our") is the data controller of personal data processed in connection with your use of the Cinoslots platform. We are incorporated in Curaçao under registration number 158942 and operate under master licence #8048/JAZ2020-013 issued by the Antillephone Authority. This Privacy Policy explains what personal data we collect, why and how we collect it, the legal bases on which we process it, with whom we share it, where we transfer it, how long we keep it, and the rights you have over it. It applies to every visitor to cinoslots.com and every registered Player, regardless of country.
For users in the European Economic Area, the United Kingdom, Switzerland and other jurisdictions whose law is materially aligned with the EU General Data Protection Regulation ("GDPR") and the United Kingdom GDPR ("UK GDPR"), the additional rights set out in Section 9 apply. For users in California, Colorado, Connecticut, Utah, Virginia and other US states with comprehensive privacy laws, the rights set out in Section 10 apply.
2. Personal data we collect
We collect data in three ways: (a) data you give us directly, (b) data we collect automatically when you use the platform, and (c) data we receive from third parties. The categories below are exhaustive in the sense that we do not collect any category not listed.
Direct (you provide): email address, password (stored hashed), date of birth, country of residence, residential address (only if KYC is triggered), full legal name (only if KYC is triggered), phone number (optional, for SMS 2FA), profile preferences (display currency, language, marketing preferences), KYC documents you upload (passport, ID card, driving licence, proof of address, source-of-funds documents — only when explicitly requested), support tickets and the messages you send, marketing communications you reply to.
Automatic (collected when you use the platform): IP address, country and city derived from IP, user-agent string, device type and operating system, browser fingerprint hash, referral URL, pages visited and time spent, click and tap interactions, deposit and withdrawal history with transaction hashes, wager history including stake, game, RTP, outcome and seed pair, login timestamps and session durations, security events (failed logins, password changes, 2FA enrolments), cookie identifiers (see Cookie Policy).
Third-party (we receive): identity-verification results from KYC providers (Onfido, Sumsub) consisting of a pass/fail decision, the matched document type, and a risk band; sanctions and PEP screening results from World-Check or equivalent; blockchain analytics scores from Chainalysis or Elliptic indicating whether deposit funds touched a sanctioned address, mixer or known criminal wallet; affiliate referral data (the affiliate code under which you registered and the campaign metadata associated with it).
We do not knowingly collect special-category data (race, religion, health, sexuality, biometrics) except where biometric liveness is performed by a KYC provider strictly to confirm the document holder is the live applicant; the biometric template itself is held by the KYC provider, not by us.
3. Why we process your data and the legal basis
| Purpose | Legal basis | |---|---| | Operating the platform, executing wagers, paying winnings | Performance of contract | | Identity verification, sanctions screening, source-of-funds review | Legal obligation (AML/CTF law) | | Fraud prevention, multi-accounting detection, transaction monitoring | Legitimate interests; legal obligation | | Responsible-gambling monitoring and intervention | Legitimate interests; vital interests | | Customer support and dispute resolution | Performance of contract; legitimate interests | | Operational logging, security and incident response | Legitimate interests; legal obligation | | Service-quality analytics, A/B testing of UI | Legitimate interests | | Marketing emails, push notifications, SMS | Consent (revocable at any time) | | Personalised offers based on play history | Consent | | Disclosure to regulators, courts, law enforcement | Legal obligation | | Tax reporting where applicable | Legal obligation |
Where we rely on legitimate interests, we have completed a balancing assessment that weighs our interests against your privacy interests; you may request a summary by emailing [email protected].
4. Cookies and similar technologies
We use cookies, local storage and similar device-based identifiers as described in our Cookie Policy. Strictly necessary cookies (session, CSRF, fraud-prevention) cannot be turned off. Performance cookies (anonymous analytics) and marketing cookies (cross-site advertising) are off by default and only enabled if you grant consent through the cookie banner.
5. Sharing your data
We do not sell personal data and we do not share it for cross-context behavioural advertising under the meaning of California's CPRA. We share personal data only with the following recipients and only to the extent necessary for the purpose stated.
Game providers (Pragmatic Play, Hacksaw Gaming, Nolimit City, Evolution and others listed in the Providers index) receive a pseudonymous player identifier and the wagers placed in their games — never your name, email or KYC documents. KYC providers receive your KYC documents, name, date of birth and address solely to perform verification. Payment and blockchain analytics providers receive transaction data and wallet addresses to score risk. Affiliates receive aggregated, non-identifying conversion data attributable to their referral code; they never receive your email, name or play history. Cloud hosting and infrastructure is provided by AWS (eu-west-1, eu-central-1) and Cloudflare; data is encrypted in transit and at rest. Customer support tooling (Intercom, Zendesk) processes ticket content. Email and push (Postmark, OneSignal) processes the recipient address and message content. Regulators, courts and law enforcement receive data only in response to a lawful order or in voluntary cooperation where legally permitted.
A current and exhaustive list of sub-processors is published at cinoslots.com/sub-processors and updated within thirty (30) days of any change.
6. International transfers
We are based in Curaçao and use sub-processors in the European Union, the United Kingdom, the United States and (for blockchain analytics) Israel. Where personal data is transferred from the EEA, UK or Switzerland to a country not subject to an adequacy decision, transfers are protected by the European Commission's Standard Contractual Clauses (Module Two — Controller to Processor) supplemented by transfer-impact assessments and, where appropriate, additional technical safeguards including end-to-end encryption and pseudonymisation.
7. Retention
| Data category | Retention period | |---|---| | Account profile, login history, support tickets | Duration of the account + 5 years (AML) | | KYC documents, verification results | 5 years from the date the account is closed | | Wager and transaction history | 7 years from the date of the transaction | | Marketing preferences and consents | Until withdrawn + 2 years (proof of consent) | | Self-exclusion records | 7 years from the end of the exclusion | | Cookie analytics (aggregated) | 26 months | | Server access logs | 90 days | | Security incident records | 7 years |
After the retention period elapses we either delete the record irreversibly or anonymise it so that re-identification is not reasonably possible.
8. How we keep your data secure
We apply technical and organisational measures appropriate to the risk: TLS 1.3 in transit, AES-256 at rest, hashed and salted passwords (Argon2id), tokenised payment data, role-based access control with least privilege, multi-factor authentication for staff, network segmentation, vulnerability scanning and quarterly penetration testing, an SOC-2 Type II aligned operations programme, supplier due-diligence, an incident-response plan with a 72-hour regulator notification target where required, and an annual data-protection audit. We never store seed phrases or full payment-card numbers.
9. Your rights under GDPR / UK GDPR
You have the right to: (a) be informed about how we use your data (this policy fulfils that right); (b) access a copy of your data; (c) rectify inaccurate data; (d) erase data where we no longer need it and where erasure is not blocked by AML retention; (e) restrict processing where its lawfulness is contested; (f) data portability for data you provided under contract or consent; (g) object to processing based on legitimate interests or direct marketing; (h) not be subject to a solely automated decision producing legal or similarly significant effects (we operate human-in-the-loop on KYC and AML decisions); (i) withdraw consent at any time without affecting the lawfulness of prior processing; and (j) lodge a complaint with the Curaçao Personal Data Authority or with the supervisory authority of your habitual residence in the EEA or UK.
To exercise any right email [email protected]. We will respond within thirty (30) days; complex requests may be extended by a further sixty (60) days with notice.
10. Your rights under US state privacy laws
California (CCPA/CPRA), Colorado, Connecticut, Utah and Virginia residents have the right to know what categories of personal data we collect, to access a copy, to delete personal data subject to legal exemptions, to correct inaccurate data, to opt out of "sale" or "sharing" (we do neither but the right is preserved), to opt out of profiling for decisions producing legal or similarly significant effects, and to non-discrimination for exercising any of these rights. To exercise any right submit a verifiable consumer request via [email protected]. An authorised agent may submit a request on your behalf with written authorisation.
11. Children
The platform is not directed at and not intended for use by anyone under eighteen years old. We do not knowingly collect personal data from minors. If we discover that we have inadvertently collected data from a minor we delete it immediately and close the associated account. If you believe a minor has registered, contact [email protected].
12. Changes to this policy
We may amend this policy from time to time. Material changes will be notified at least fourteen (14) days in advance by email and through an in-product banner; immaterial changes (typos, clarifications) take effect immediately. The version history is available on request.
13. Contact and Data Protection Officer
Data Protection Officer: [email protected]. General privacy queries: [email protected]. Postal: Cinoslots N.V., Attn: DPO, Heelsumstraat 51, E-Commercepark Unit 102, Willemstad, Curaçao. EU representative (where appointed): published at cinoslots.com/eu-representative.
في هذه الصفحة
- 1. Who we are and the scope of this policy
- 2. Personal data we collect
- 3. Why we process your data and the legal basis
- 4. Cookies and similar technologies
- 5. Sharing your data
- 6. International transfers
- 7. Retention
- 8. How we keep your data secure
- 9. Your rights under GDPR / UK GDPR
- 10. Your rights under US state privacy laws
- 11. Children
- 12. Changes to this policy
- 13. Contact and Data Protection Officer
هذه الوثيقة هي الإصدار 3.1، نافذة منذ 15 April 2026. الإصدارات السابقة محفوظة في الأرشيف ومتاحة عند الطلب من [email protected]. Cinoslots N.V.، كوراساو سجل 158942، الترخيص #8048/JAZ2020-013.