NV Casino
NV Casino
EN DE PL FR LT BG CS RO
EN DE PL FR LT BG CS RO

General provisions and scope

This Privacy policy governs the processing of personal data in connection with access to, and use of, the services made available under nvcazino.eu.com. It applies to data processed by NV Casino acting as data controller, and to processing carried out on its behalf by authorised service providers acting as processors. The document is intended for a global audience and is drafted to reflect generally applicable data protection standards, including principles aligned with the GDPR where relevant. Where local mandatory laws impose stricter requirements, such requirements apply to the extent they are applicable to the relevant processing activity. This document forms part of the contractual and compliance framework applicable to the services and shall be read together with any terms of use and responsible gambling disclosures.

This Privacy policy is limited to processing activities that relate to the provision, security, and lawful operation of the services. It does not address third party websites or services that may be accessible through links, integrations, or payment interfaces, which are governed by their own notices. The controller maintains records of processing activities and applies data minimisation, purpose limitation, and storage limitation as baseline measures. Where the services involve regulated gaming activity, processing may also be influenced by anti money laundering, counter terrorist financing, fraud prevention, and age verification requirements. Any conflict between this document and mandatory statutory rights shall be resolved in favour of the applicable statutory rights.

Regulatory framework and compliance principles

For a global audience, personal data is processed according to widely recognised privacy principles, including lawfulness, fairness, transparency, accuracy, integrity, and confidentiality. Where GDPR style obligations apply, the controller implements appropriate technical and organisational measures and provides mechanisms to exercise data subject rights. For jurisdictions with equivalent laws, such as those requiring lawful bases, notice, and security safeguards, the controller aims to meet or exceed common regulatory expectations. Compliance efforts include internal governance, role based access controls, and periodic reviews of the processing inventory. Where a supervisory authority requires specific disclosures, additional region specific notices may be provided through the services.

In regulated gaming contexts, compliance may require verification checks, risk scoring for fraud prevention, and record keeping, which can affect the scope and duration of data processing. The controller applies a risk based approach and applies safeguards proportionate to the likelihood and severity of potential harm. Where consent is relied upon, it is captured in a manner designed to be specific, informed, and freely given, and may be withdrawn through available settings or by written request. Where legitimate interests are relied upon, the controller documents balancing assessments, including the impact on individuals and the mitigations applied. Where contractual necessity is relied upon, the processing is limited to what is objectively required to provide the requested functionality.

Categories of personal data processed

Personal data means any information relating to an identified or identifiable natural person, and includes identifiers that can be linked to an account or device. The controller may process identity and contact data, such as full name, date of birth, residential address, email address, and telephone number, where required for registration or verification. Account data may include username, account status, preferences, and history of support interactions, including messages exchanged with customer service. Transactional and financial metadata may be processed, such as deposit and withdrawal amounts, payment method type, partial account references, and timestamps, while avoiding collection of full payment card numbers where tokenisation is available. Technical data may include IP address, device identifiers, approximate geolocation derived from IP, browser type, and log data.

Special categories of personal data are not intentionally collected for ordinary service provision, and the controller seeks to avoid such processing unless strictly required by applicable law. Where verification or security controls incidentally reveal sensitive information, it is handled under enhanced confidentiality safeguards and limited access. Data relating to gambling behaviour, such as gameplay history, limits, self exclusion status, or responsible gambling interactions, may be processed for compliance and player protection purposes. NV Casino may also process inferred risk indicators, such as fraud signals or automated flags, subject to human review where required by law. For children and individuals under the legal gambling age, the services are not intended, and any detected data is handled in accordance with the relevant restrictions and removal obligations.

Methods and sources of data collection

Operationally, personal data is collected when an account is created, when verification is completed, when transactions are initiated, and when support requests are submitted. Data may be provided directly through forms, communications, and account settings, or generated automatically through the use of the services. The controller collects server logs and security telemetry to maintain availability, detect abuse, and enforce access controls. Where responsible gambling tools are used, the associated settings and confirmations are recorded to support compliance and protect individuals. Data may be collected across multiple sessions using identifiers and logs that enable fraud prevention and troubleshooting.

Data may also be collected from third party sources where permitted by law and necessary for compliance, such as identity verification providers, payment institutions, fraud prevention networks, and sanctions screening databases. Where such sources are used, the controller aims to obtain only the data necessary for the relevant verification purpose and to apply contractual restrictions and security requirements to the providers. Publicly available sources may be consulted in limited circumstances, for example to validate information for legal compliance, while avoiding excessive profiling. In certain cases, the controller may receive data from affiliates or marketing partners acting under their own obligations, provided a lawful basis exists and appropriate notices have been provided. Where data is received indirectly, reasonable steps are taken to inform the individual of the source and purposes when required.

Purposes of processing under this Privacy policy

This Privacy policy explains that personal data is processed to provide and administer accounts, to enable secure access, and to deliver the functions requested through the services. Processing supports registration, authentication, customer support, payments, withdrawals, and the prevention of duplicate or unauthorised accounts. Compliance oriented processing may include age checks, identity verification, anti fraud measures, anti money laundering controls, and the maintenance of audit trails. Operational analytics may be used to monitor performance, detect errors, and improve service stability, while applying data minimisation and, where feasible, aggregation. Communications related to account security, transaction confirmation, policy updates, and regulatory notices are processed as service messages.

Where permitted, limited processing may occur for service optimisation and to develop risk controls, including detection of bots, account takeover attempts, and other suspicious behaviour. The controller may process data to enforce terms, to investigate disputes, and to protect legal rights in the event of claims. Responsible gambling processing may include applying limits, monitoring patterns to identify potential harm, and implementing exclusions in accordance with the relevant rules. The controller does not engage in selling personal data as a business model and does not use personal data for unrelated purposes without a lawful basis. Any purpose materially incompatible with the originally stated purposes is subject to additional notice and, where required, consent.

Under data protection frameworks that require a lawful basis, processing is carried out on one or more grounds depending on the context. Contractual necessity applies where data is needed to open and manage an account, process payments, and provide the services that have been requested. Legal obligation applies where the controller must conduct age verification, anti money laundering checks, record keeping, reporting, or regulatory audits. Legitimate interests apply where processing is necessary for security, fraud prevention, service integrity, and defence of legal claims, provided that such interests are not overridden by the rights and freedoms of individuals. Consent applies where required for certain cookies, optional marketing communications, or other processing that is not strictly necessary.

Where a legitimate interests basis is used, the controller applies proportionality controls, including access restrictions, retention limits, and review mechanisms. For consent based processing, withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal, and service delivery may continue where another lawful basis exists. For compliance activities, refusal to provide data required by law may result in limitations on account functionality, including restrictions on withdrawals or closure, where permitted and proportionate. Where automated decision making is used in security or fraud contexts, it is designed to reduce harm and is subject to safeguards, including the possibility of human review where legally required. The controller documents the lawful basis and retains supporting compliance records for accountability.

Cookies and tracking technologies within this Privacy policy

This Privacy policy covers the use of cookies and similar technologies that may store or access information on a device to ensure core functionality and to maintain session security. Such technologies may include cookies, local storage, and similar identifiers used for authentication, fraud prevention, and load balancing. Certain cookies are strictly necessary to provide the service and cannot be disabled without affecting essential functions such as login, secure navigation, and transaction integrity. Other cookies may be used for preferences and performance measurement, subject to applicable consent requirements. Where consent is required, consent management tools are made available and preferences may be updated at any time.

Cookie lifetimes vary depending on purpose and may include session identifiers that expire when the browser is closed, as well as persistent cookies that remain for defined periods such as 30 days or 180 days. Analytics data derived from cookies is used in a manner intended to minimise identification, including aggregation and limited retention where feasible. Third party measurement tools may be used, subject to contractual safeguards, access limitations, and restriction of use to the documented purposes. The controller seeks to restrict tracking technologies that are not necessary for service delivery and applies periodic reviews to remove redundant tags. Where local rules require additional disclosures, supplementary notices regarding cookie categories and providers may be presented through the services.

Data retention policy and storage limitation

The controller retains personal data only for as long as necessary to fulfil the purposes described, subject to applicable legal and regulatory requirements. Retention periods depend on the category of data, the reason for processing, and the legal obligations attached to regulated gaming activities. Account profile data is typically retained for the duration of the active account relationship and for a subsequent period required for compliance, dispute handling, and audit readiness. Records relevant to anti money laundering, payment reconciliation, and regulatory reporting may be retained for 5 years where required by applicable standards. Where a shorter or longer period is mandated by local law, that period takes precedence.

Logs and security records are retained for periods appropriate to detect and investigate incidents, such as 90 days for routine access logs, while certain high risk security events may be retained for up to 12 months to support investigations and prevent recurrence. Support communications may be retained for 24 months to evidence complaint handling and to maintain service quality, unless legal claims require extended retention. Where an account is closed, certain information may be retained in restricted access archives to comply with legal obligations and to prevent fraud, and any further use is limited. When retention periods expire, data is deleted, anonymised, or irreversibly de identified where feasible, subject to the integrity constraints of backups. Backup data is protected with access controls and is overwritten on rolling cycles designed to balance resilience with minimisation.

Data sharing and disclosure arrangements

Personal data may be shared with service providers where necessary to operate the services and to meet legal obligations. Such recipients may include hosting and infrastructure providers, payment processors, identity verification services, fraud prevention providers, customer support systems, and compliance tooling. The controller requires processors to act on documented instructions, to implement appropriate security measures, and to support confidentiality obligations and data subject rights where applicable. Where processors engage sub processors, contractual flow down protections are required, and due diligence measures are applied commensurate with risk. Data sharing is limited to what is necessary for the stated purpose and is subject to access controls and audit rights where appropriate.

Disclosure may also occur to regulators, law enforcement, courts, or other competent authorities where required by law or to respond to valid legal process. The controller may disclose information to protect the rights, property, or safety of individuals, to enforce terms, and to investigate suspected unlawful activity, provided such disclosure is lawful and proportionate. In the context of corporate transactions, such as restructuring, merger, or asset transfer, personal data may be shared with professional advisers and potential counterparties under confidentiality obligations, and further processing is limited to due diligence and transaction completion. Where NV Casino uses external auditors or legal counsel, access is limited to what is necessary to perform professional services. The controller does not disclose personal data to third parties for their independent marketing purposes without a lawful basis and, where required, consent.

International transfers and cross border processing

For a global audience, personal data may be processed in countries other than the country of residence of the individual, including locations where service providers maintain data centres or support teams. Where cross border transfers occur and the originating jurisdiction requires safeguards, the controller implements appropriate transfer mechanisms, such as standard contractual clauses, data transfer agreements, or equivalent safeguards recognised under applicable law. Transfer assessments may be undertaken to evaluate local laws and practical risks, and supplementary measures may be applied where needed, such as encryption and strict access controls. The controller seeks to keep data within appropriate regions where feasible, while ensuring operational continuity and security. Cross border access for support purposes is restricted to authorised personnel and subject to logging and oversight.

Where a transfer is necessary for the performance of a contract, such as processing a payment via an international provider, the controller limits the transfer to what is required to complete the transaction. Where consent is used as a transfer basis in particular jurisdictions, it is collected in a manner intended to meet legal standards, and individuals are informed of material risks when required. For compliance related sharing, such as sanctions screening or fraud intelligence, the controller applies minimisation and ensures recipients are bound by confidentiality and security obligations. If a transfer mechanism is invalidated or requires modification due to legal developments, the controller will adopt alternative safeguards and update notices accordingly. Any onward transfers by processors are subject to contractual constraints and are reviewed as part of vendor governance.

Security measures and incident management

The controller applies technical and organisational measures intended to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Controls may include encryption in transit, encryption at rest where appropriate, multi factor authentication for privileged access, network segmentation, and vulnerability management. Access to systems is provided on a least privilege basis and is reviewed periodically, including at least every 6 months for high privilege roles. Security monitoring and alerting are implemented to detect suspicious activity and to support timely response. For certain sensitive processing, additional safeguards may include enhanced logging, restricted administration paths, and segregation of duties.

Security is treated as a continuous process and includes testing, patch management, and staff training aligned with the confidentiality obligations applicable to regulated gaming services. The controller aims to maintain a high availability posture and may apply resilience controls targeting 99.9% service uptime as an operational objective, while recognising that availability targets do not eliminate residual risk. Incident response procedures are maintained to assess severity, contain impacts, and document remediation steps. Where legally required, relevant authorities and affected individuals will be notified within applicable timeframes, which may include 72 hours under GDPR aligned regimes. Post incident reviews are conducted to update controls and reduce recurrence, and records are retained to evidence accountability.

Rights of individuals and lawful requests

Data protection laws may provide rights to individuals in relation to their personal data, and the controller supports the exercise of such rights where applicable. These rights may include the right of access, rectification, erasure, restriction of processing, objection to processing, and data portability, subject to conditions and exemptions under law. A rights request may be refused or limited where the controller is required to retain data for legal obligations, where disclosure would adversely affect the rights of others, or where the request is manifestly unfounded or excessive. Where identity verification is necessary to protect confidentiality, the controller may request additional information that is proportionate to the risk and the nature of the data requested. Rights are applied consistently across regions to the extent practicable, while respecting jurisdiction specific requirements.

Where a request is accepted, the controller will respond within a reasonable period and, where applicable law sets a deadline, typically within 30 days, subject to lawful extensions for complex matters. The controller may extend response periods where permitted, for example by up to 60 additional days, and will provide an explanation where required. For rectification, the controller may request supporting evidence where necessary to ensure accuracy and prevent fraud. For objection requests based on legitimate interests, the controller will assess the specific circumstances and either cease processing or demonstrate compelling legitimate grounds where permitted. Where an individual considers that processing infringes applicable law, a complaint may be lodged with the competent supervisory authority, without prejudice to other administrative or judicial remedies.

Contact channels and data request procedures

Requests and enquiries concerning personal data, this Privacy policy, or compliance measures should be submitted through the contact details made available on nvcazino.eu.com. The controller may route requests through dedicated privacy workflows to ensure tracking, authentication, and timely handling, including assignment of a reference number for accountability. To protect personal data, the controller may require verification steps before disclosing account data, particularly where a request concerns financial transactions or identity records. Where an authorised agent submits a request, evidence of authority may be required, together with verification of the identity of the individual concerned. Communications are retained for compliance and quality purposes in line with the applicable retention rules.

NV Casino may maintain separate channels for security incident reports, responsible gambling matters, and privacy requests to ensure appropriate handling and segregation of information. Where a request concerns data processed by a processor, the controller will coordinate with the processor to fulfil the request within applicable timeframes. If a request cannot be fulfilled in full, the controller will provide a lawful explanation describing the basis for refusal or limitation and the available escalation routes. The controller endeavours to provide responses in English for a global audience, while considering reasonable accommodations where required by local law. Where applicable, the controller will not charge a fee for rights requests unless permitted by law for manifestly unfounded, excessive, or repetitive requests.

Amendments, governance, and final provisions of this Privacy policy

This Privacy policy is maintained as a controlled compliance document and is reviewed to reflect changes in legal requirements, regulatory expectations, security practices, and operational processing activities. Governance measures include ownership assignment, periodic assessment of vendor risk, and documentation of material processing changes, including updates to lawful bases and retention schedules. Where changes are material, the controller may provide advance notice through the services, by email to the registered address, or by other appropriate means, taking account of the nature of the change and the applicable legal duties. The controller may also publish clarifications to address emerging regulatory guidance, new security threats, or changes in the categories of data processed. Any updated version will apply from its effective date and will be made accessible at nvcazino.eu.com/privacy-policy.

This Privacy policy confirms an ongoing commitment to lawful, fair, and transparent processing, including the application of minimisation, confidentiality, and accountability principles aligned with GDPR where relevant for a global audience. Where a processing change introduces a new purpose that is not compatible with the original purposes, the controller will provide appropriate notice and, where required, seek consent before commencing the new processing. Individuals are encouraged to review the document periodically to remain informed of the governance approach and of the available request procedures, without implying any obligation to do so as a condition of service access where such conditioning is not lawful. When amendments affect rights handling, the controller will continue to honour pending requests under the applicable rules at the time of submission and will aim to resolve open matters within the same response standards, including the 30 day timeframe where applicable. Continued use of the services after an effective date may be treated as acknowledgement of the updated terms to the extent permitted by law, while statutory rights remain unaffected. This Privacy policy therefore functions as the authoritative notice for personal data processing by the controller and will be updated through a documented amendment procedure designed to ensure traceability, auditability, and regulatory compliance.