Privacy & Management of Personal Data
Learn all about how we are protecting your online safety and privacy here.
Table of Contents
- Introduction and General Terms
- Who we are and How you can contact us
- What kind of personal information do we collect?
- How do we collect personal data and why?
- Cookie capture technology and its uses
- Personal data sharing policies
- Personal data sharing policies outside of the EEA
- Personal data consent
- Data Security
- Data archiving
- Your Legal Rights
Introduction and General Terms
Your privacy is very important to us!
Please note that this section is addressed to customers and potential customers. If you are an SirLotto employee, a contractor to SirLotto or a third-party service provider, your personal information will be used in connection with your employment contract, your contractual relationship or in accordance with our internal policies.
Any reference to ‘us’, ‘our’, ‘we’ or ‘SirLotto’ in this privacy section is a reference to each group company within the SirLotto as the context requires unless otherwise stated.
Similarly, any reference to ‘you’, ‘your’, ‘yours’ or ‘yourself’ in this privacy section is a reference to any of our customers and potential customers as the context requires, unless otherwise stated.
By accessing our website, including the use of any communication channels to contact us, we consider that you have read and understood the terms of this section and how we process any information you disclose to us including personal data prior to becoming a client. Once you open an account with us, you agree that this section, including any amendments, will govern how we collect, store, use, share and in any other form process your personal data and your rights during our business relationship and after its termination.
Who we are and How you can contact us
This privacy section applies to the processing activities of the following data controller entities within the SirLotto group of companies, which are:
- Holzman Limited company registered at 75, Prodromou Avenue, Oneworld Parkview House - 4th floor, 2063 Nicosia, Cyprus, payment processor for K.I.K. Corporation B.V., registered at Kaya Richard J. Beaujon Z/N Landhuis Joonchi II, Curaçao, holder of Curaçao eGaming License No.1668 JAZ.
- If any of your personal data changes, or if you have any questions, comments or requests regarding the protection of your personal data or this policy, please contact us via email at [email protected] or in writing at the address set out on the Support section of the website.
What kind of personal information do we collect?
As part of our business we collect personal data from customers and potential customers that include the following:
- Name, Surname and contact details
- Date of birth and gender
- Location data
- IP address, device specifications and web browser
- Bank account, e-wallets and credit card details through third parties authorized for such storage.
If you are opening a new account with us, we are required by law to identify you. To meet the standards set under the Anti-money laundering (AML) laws, we must sight and record details of certain documents (identification and non-photographic documents, for example).
Identification documentation, as required under anti-money laundering legislation or other legislation relevant to the services we provide to you includes:
- driving licence
- government identity card
- utility bills
- bank statement
How do we collect personal data and why?
We have the right to request any additional information we deem necessary to be compliant with our legal and regulatory requirements.
We obtain this information in a number of ways;
- through your use of our services and website,
- the account opening applications,
- website cookies and similar tracking technology built into our website,
- subscribing to news updates and,
- from information provided in the course of our ongoing relationship.
We may also collect this information about you from third parties either through bought-in third party marketing lists, publicly available sources, social media platforms, affiliates and/or other third-party associates.
We may request voluntary personal information on occasion (i.e, through market research, surveys or special offers). If you choose not to provide the information required to fulfill your request for a specific product or service, we may be unable to provide you with the requested product or service.
We may record communications, electronic, by telephone or otherwise, that we have with you in relation to the services we provide to you and our relationship with you. These recordings will be our sole property and will constitute evidence of the communications between us. Such telephone conversations may be recorded without the use of a warning tone or any other further notice.
Cookie capture technology and its uses
Personal data sharing policies
As part of using your personal information for the purposes set out above, we may disclose your information to:
- other companies within the SirLotto group which provide other services,
- payment service providers and banks processing your transactions,
- affiliates with whom we have a mutual relationship,
- service providers and specialist advisers who have been contracted to provide us with services such as administrative, IT, analytics and online marketing optimization, financial, regulatory, compliance, insurance, research or other services,
- auditors or contractors or other advisers auditing, assisting with or advising on any of our business purposes,
- courts, tribunals and applicable regulatory authorities as agreed or authorized by law or our agreement with you,
- government bodies and law enforcement agencies where required by law and in response to other legal and regulatory requests,
- any third-party where such disclosure is required in order to enforce or apply our Terms and Conditions of Service or other relevant agreements,
- anyone authorized by you
We endeavor to disclose to these third parties only the minimum personal data that is required to perform their contractual obligations to us. Our third-party service providers are not permitted to share or use personal data we make available to them for any other purpose than to provide services to us.
Our websites may have links to external third-party websites. However, these third-party websites are not covered by this privacy section and those sites are not subject to our privacy standards and procedures. Please check with each third party as to their privacy practices and procedures.
Personal data sharing policies outside of the EEA
The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (EEA). It may also be processed by companies operating outside the EEA who work for us or for one of our service providers. I.e, the computer servers used to host the website could be located outside the EEA – as the internet is a global environment, this is not an unusual practice in web hosting. Your personal information could be held at a destination which offers a different level of data protection than in the EEA, including Australia, Serbia, India, and the US. To ensure your personal information remains safe when transferred like this, we take all reasonable steps to maintain a suitable level of protection in line with this Policy.
Any transfer of your personal information to a location outside the EEA will be based on:
- the contractual Standard contractual clauses for data transfers between EU and non-EU countries adopted by the European Commission or a relevant data protection authority; or
- an adequacy decision from the European Commission, confirming that the third country provides adequate protection for your personal information; or
- Your consent, or another legal basis on which we are entitled to make the transfer, as appropriate.
Personal data consent
When and how do we obtain your consent?
- We may process your personal data for one or more lawful bases of processing (“Lawful Basis”) depending on the specific purpose for which we are using your data.
The Lawful Basis contains the following measures:
- to perform our contractual obligations towards you,
- to be compliant with the legal and regulatory requirements,
- to pursue our legitimate interests
Where our use of your personal information does not fall under one of these three rules of Lawful Basis we would require your consent. Such consent shall be freely given by you and you have the right to withdraw your consent at any time by contacting us using the contact details set out in this privacy section or by unsubscribing from email lists.
We are committed to safeguarding and protecting personal data and will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to protect any personal data provided to us from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
We have appointed a Data Protection Officer to ensure that our management of personal information is in accordance with this privacy section and the applicable legislation.
We require that organisations outside the SirLotto group which handle or obtain personal information acknowledge the confidentiality of this information, undertake to respect any individual’s right to privacy and comply with all relevant data protection laws and this privacy section.
As a summary, the data protection measures we have in place are the following:
- we train our employees who handle personal information to respect the confidentiality of customer information and the privacy of individuals.
- we require our employees to use passwords when accessing our systems.
- employees only have access to the personal data required for the purposes of the tasks they handle.
- we have adopted and implemented data protection policies.
- we apply data encrypting technologies during data transmission in internet transactions and client access details transmitted across networks.
- employing cloud protection technologies to protect against unauthorized persons and viruses infecting our systems.
How do we store personal information and for how long?
- We hold personal information in secure computer storage facilities and take steps to protect the personal information we hold from misuse, loss, unauthorized access, modification or disclosure.
- When we consider that personal information is no longer needed, we will remove any details that will identify you or we will take action to securely destroy the records.
- However, we may need to maintain records for a significant period of time. For example, we are subject to anti-money laundering laws which require us to retain copies and evidence of the actions taken by us in regard to your identity verification, sources of incomes and wealth when needed, monitoring of your transactions, telephone, chat and email communications, orders history, handling of your complaints and records that can demonstrate that we have acted in line with regulatory code of conduct throughout the business relationship. These records must be maintained for a period of five years after our business relationship with you has ended or even longer if we are asked by our Regulators.
- Where you have opted out of receiving marketing communications we will hold your details on our suppression list so that we know you do not want to receive these communications.
- When we transfer your data to other third parties outside the EEA, we may in some cases rely on applicable standard contractual clauses, binding corporate rules, the EU-US Privacy Shield or any other equivalent applicable arrangements.
- If you would like a copy of such arrangements, please contact us using the contact details below.
Your Legal Rights
Please note that these rights do not apply in all circumstances. You are entitled to:
- request access to your personal data (commonly known as a “data subject access request”)
- request correction of the personal data that we hold about you
- request erasure of your personal data. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request
- object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts your fundamental rights and freedoms. You also have the right to object to where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms
request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- if you want us to establish the data’s accuracy
- where our use of the data is unlawful, but you do not want us to erase it
- where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims
- you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it
- request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information (i.e. not to hard copies) which you initially provided consent for us to use or where we used the information to perform a contract with you
- withdraw consent at any time where we are relying on consent to process your personal data
Please complete the personal data request by email using the registered email address you disclosed to us, to the following email address:[email protected]
We try to respond to all requests within one month. Occasionally, it may take us longer than one month if your request is particularly complex or you have made a number of requests. In this case, we will notify you within one month of the receipt of your request and keep you updated.
We may charge you a reasonable fee when a request is manifestly unfounded, excessive or repetitive, or we receive a request to provide further copies of the same data. In this case, we will send you a fee request which you will have to accept prior to us processing your request. Alternatively, we may refuse to comply with your request in these circumstances.
If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated by contacting the following email address:[email protected]
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to your national data protection regulator.