Privacy Policy

Last updated 21st April 2025

Version 2.6

INTRODUCTION

Welcome to the LeoVegas Gaming plc's privacy policy relating to provision of the Services (e.g. Games) provided via https://www.betuk.com and/or any local country-code websites and/or any sub-website and/or associated domains (and/or sub-domains) and any related software applications (“Site”, “Website”), where Personal Data is processed by the same relating to You.

LeoVegas Gaming plc respects your privacy and is committed to protecting your personal data and processing it in compliance with the applicable laws, in particular, – any data protection legislation or instrument as applicable in the territory where our establishment is located or as may apply by virtue of territorial or extra-territorial scope in those territories where our services are made available.

In summary of this Privacy Policy we think that this information is the most relevant for you:

• Purpose of processing: We process your personal data for the purpose of providing you with Our services, to allow your access to Website, to comply with our legal obligations such as anti-money laundering and responsible gaming, to detect and prevent fraud and to commercially grow our business (e.g. direct marketing, analyses);

• Controller: When processing your Personal Data, LeoVegas Gaming plc acts as a controller;

• Your rights: You have a number of rights afforded by applicable laws, especially a right to object processing that is based on our legitimate interest such as direct marketing of our own goods and services, segmentation, loyalty programme and risk management. When we process your data on the basis of your consent, you can withdraw it at any time. You also have a right to request access to all of the personal data that is undergoing processing and a right to erasure of the data that is no longer necessary;

• Implications of processing: Processing of personal data will result in provision of services (or denial thereof if certain data is not provided), receiving marketing communication, segmentation with respect to risk categories or bonuses and similar offers.

We however recommend that you read this Privacy Policy in full, with care. For the ease of your understanding, these are the contents of this Privacy Policy:

1. IMPORTANT INFORMATION AND WHO WE ARE

- Purpose of this Privacy Policy

- Controller

- Contact details

- Changes to the privacy policy

2. THE DATA WE COLLECT ABOUT YOU

- Personal Data

- Data Obtained from You

- Data obtained from other sources

- Special categories of Personal Data

- If you fail to provide data

- Username

3. WHY AND HOW WE USE YOUR PERSONAL DATA

- General purposes

- Detailed purposes and legal basis

- Direct marketing

4. RETENTION

- Criteria used to determine retention period

- Details on our retention periods

5. RECIPIENTS OF YOUR PERSONAL DATA

- Processors

- Authorised disclosures

- Group companies/other brands for Responsible Gaming Purposes

- Group Companies/other brands for AML purposes

- Data sharing for AML and Responsible Gaming Purposes between brands

- Corporate restructuring

- Joint Controllers

6. INTERNATIONAL TRANSFERS

7. DATA SECURITY

8. YOUR RIGHTS UNDER DATA PROTECTION LAWS

- Right of access

- Right to rectification

- Right to Erasure (right to be forgotten)

- Right to data restriction

- Right to data portability

- Right to object certain processing

- Right to withdraw consent

- Right to Lodge a complaint

- What we may need from you

- Time limit to response

- Different brands

9. AUTOMATED PROCESSING – PROFILING

- Responsible Gaming Profiling

- AML profiling

- Loyalty Profiling

- Direct Marketing Profiling

- Sports Risks Segments Profiling

- Games recommendation

10. COOKIES

1. IMPORTANT INFORMATION AND WHO WE ARE

1.1. PURPOSE OF THIS PRIVACY POLICY

This privacy policy aims to give you information on how We collect and process your personal data through or in conjunction with your use of this website and Our Services.

This Privacy Policy stipulates details and conditions of collecting and processing your Personal Details and provides you with information in accordance with the transparency principle and requirements under the applicable data protection laws.

This website is not intended for anyone under the age of eighteen and we do not knowingly collect data of anyone under the age of eighteen.

1.2. CONTROLLER

LeoVegas Gaming plc is the controller responsible for your personal data (referred to as "the Controller", "We", “we”, “Us”, "us", “Our” or "our" in this Privacy Policy).

For the purposes of this Privacy Policy, unless otherwise specified, any reference to the term “Group” refers to MGM Resorts International and any direct or indirect subsidiaries thereof from time to time, including us.

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise rights please contact Us or the DPO using the details set out below.

1.3. CONTACT DETAILS

Although Our goal is to always be as clear and transparent as possible, if You need any clarification on this Privacy Policy or a specific legal basis We are relying on to process Your Personal Data for a specific processing operation, We would be happy to provide You with any such information You may need.

Our full details are:

General email address: privacy@leovegasgroup.com

DPO email address: dpo@leovegasgroup.com

Postal address: LeoVegas Gaming plc, Level 7, The Plaza Business Centre, Bisazza Street, Sliema SLM 1640, Malta

1.4. CHANGES TO THE PRIVACY NOTICE AND OUR DUTY TO INFORM YOU OF CHANGES

We reserve the right, at Our complete discretion, to change, modify, add and/or remove portions of this Privacy Policy at any time. You shall be notified by Us periodically, in case of material changes made to this Privacy Policy, (together with other terms and conditions relevant to the Site).

2. THE DATA WE COLLECT ABOUT YOU

2.1. Personal Data: means any information that identifies You as an individual or that relates to an identifiable individual.

2.2. Data obtained from You: We collect from You, through interaction with You or through Your interaction with Us or our Services different kinds of personal data about you which we have grouped together as follows:

a) Registration Data provided by you when you register and/or open Your Member Account (notably as specified in our T&Cs) including first name, last name, username or similar identifier, date of birth, territory applicable social security or similar identification number where permitted or required by law, gender, country.

b) Contact Data includes permanent address, email address and telephone numbers.

c) Identification and Verification Data (Anti-Money Laundering/Due Diligence/KYC data) that include your name, surname, permanent address and proof, age, nationality, family members and associates (including their KYC data if required), degrees and qualifications, schools/universities attended, occupation, employment history and information, media involvement, financial status information (e.g. bank statement including through open-banking solutions subject to Your authorisation, source of income and source of wealth, tax information), masked credit card details, proof of e-wallet ownership such as Netller, Skrill, Paypal, Paysafe, territory applicable personal identification where required or permitted by law, KYC documentation (e.g. ID card, Power of attorney).

d) Responsible Gambling Data (RG) including name, surname, postcode, email, phone number, country, date of birth, territory applicable social security or similar identification number where permitted or required by law, affordability limits (where applicable), approved transactions (deposits and withdrawals), denied transactions (deposits and withdrawals), Identification and Verification Data, Self-exclusion Data.

e) Self-exclusion Data include data pertaining to you and your self-exclusion such as your Registration and Contact Data and your self-exclusion information such as reason, start and date, utilisation of self- exclusion tools such as exclusions, session limit, loss limit, wager limit, deposit limit, reality check.

f) Payments Data includes bank/payment account details, as well as information pertaining to a transaction such as currency, location, amount/value, client IP, user ID, token.

g) Transaction and Usage Data generated through your use of our Services (e.g. playing Games) and include payments to and from you (deposits, withdrawals, failed deposits and reversed withdrawals) and other details of Services you have purchased from Us (such as bets, wagers (real and bonus), wins), date and time of the transactions, account balances (bonus and real), bonuses used (conversion and forfeiture), bonuses turnover, bonuses balance, channels used, transaction games played, language, country, account balances.

h) Log in Data includes internet protocol (IP) address, your logins (first log in last login, last failed login), duration of logins, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Services.

i) Profile Data includes internal notes to your account, interests, preferences, feedback, information about events which you have attended; Your preferences as to whether you wish to attend any events, and what type of events you prefer; Any bonus/cash back deals, or bonus preference you have been offered or benefitted from; Whether you have received any giveaways or, and your preferences regarding what type of gifts you would like to receive; Your preferences as to contact channels; information regarding your hobbies and interests.

j) Competitions and Events Data includes any data provided directly by you which is necessary for the purpose of participating in any competitions or for your attendance to any events, such as identification data, contact details and any other data required for the purpose of organising and facilitating your participation in any event, including but not limited to, any reservations or other logistic arrangements.

k) Marketing Communications Data includes your preferences in receiving marketing from us (opt in/opt out), as well as your Contact and Registration Data.

l) Other Communication Data generated as part of communications with Us (via recorded calls, chats, emails, or SMS) which may include various data such as network communication data, content of the communication including your intentions, interests, complaints, preferences, as well as internal communication and notes.

m) Analytics Data include various data generated with respect to your use of our Website and Services such as your player ID, language, location, browser data, campaigns utilised, channels used, device, payment provider, Transaction and Usage data and in case of online acquisition analytics also pages visited, postcards clicked, scroll depth. Certain information is collected using cookies and/or similar tracking technology – please see further section “Cookies”. Player ID in combination with other non-personal data generated from your activity is also processed on the basis of legitimate interest, to train machine learning models. This data is processed and kept separately from any player profile data and is not used to make any specific decisions which may impact you.

n) Visual Images Data (both videos and photographs) relating to individuals may be captured whilst they are attending at any events hosted by Us, Our affiliates, or partners, as well as at public and private events where We have a presence, including but not limited to those events sponsored by, reported by, or otherwise associated with Us. The use of such images will always be subject to your rights including to withdraw consent or object from this processing as applicable.

2.3. Data from different sources

2.3.1. We collect information for AML/CFT purposes on the background of the player from open public sources where these are available and the processing is permitted by law, and/ or, from third party providers (private companies working mostly with public sources), including as applicable in your territory, Dow Jones, Transunion international UK limited (these checks will not negatively impact your credit score), GBG Group, Mitek, and which includes information whether player is politically exposed person and whether any international and/or financial sanctions have been imposed and/or information on any corporate or property ownership, court judgements and/or insolvency, and taxation information insofar as this is legally required or permitted in your territory for the purpose of establishment of the source of funds and source of wealth during the AML risk monitoring and due diligence process. Moreover, background information is, using so-called OSINT analyses (Open-Source Intelligence) collected from publicly available sources and websites (e.g. Google search, all social media services like Facebook, Twitter, Pinterest, Instagram, LinkedIn as well as other publicly available services or websites). Automated data collection methods may be employed.

2.3.2. To comply with our legal obligations stemming from applicable laws and licence conditions, when applicable, we collect Self Exclusion Data also from other licensed gaming operators belonging to the same group of companies as the Controller. Likewise, for the same purposes, the Controller uses Self Exclusion Data collected with respect to any other brands under which the Controller operates its licensed gaming business.

2.3.3. If a player is registered with a National Self-Exclusion Register (incl. without limitation GAMSTOP) certain Self-Exclusion Data is also received from such register. In particular, information on whether you are/are not self-excluded. This information is received once you log-in. Registration with such a register means that you cannot register with the Controller and you will not be able to log on to your Member Account. You will also not be sent any commercial messages directed to you personally. The Controller is also a participant of GamProtect, the Single Customer View in the UK, which aims at protecting individuals displaying high-risk behaviour from gambling related harm. More information about how your data is used in the Single Customer View is available here: www.gamprotect.co.uk/privacy.

2.3.4. Profile data (hobbies, interests) as well as public interactions on social media which are related or relevant to the Controller’s services are also gathered by search or through analysis of publicly available sources such as Facebook, LinkedIn, Twitter and Instagram, Google search.

2.3.5. In order to prevent and detect fraud and misuse of our systems (e.g. use of VPN), certain Log In Data, such as; IP address, device model/type, browser information, operating system and device or other identification data are sourced and processed by Us utilising a services of third-party fraud detection software provider.

2.3.6. Where our sportsbook is available, we obtain information on your sports risk segment (Sports Risk Data) from our sportsbook provider Kambi Group plc (“Kambi”). All information on its processing activities may be found here: https://www.kambi.com/player-fair-processing-notice. As Kambi does not obtain a player's real name or email address and does not process any personal data of players on an identified basis, please contact us if you have any queries as to how Kambi processes your personal information or if you wish to exercise any of your data subject rights.

2.3.7. To simplify the sign-up procedure a separate process, such as i)Bank ID or similar, ii_Facebook connect, iii) Google sign-In, iv) Apple Pay, v) Trustly or vi) a similar Pay n Play option, may be used as a source for identification and verification. If such a process is used, once the authorisation of access and the necessary information is provided by You upon sign up, personal data (Registration and Contact Data) will be automatically fed to the players profile from the third-party source to facilitate your registration. Such data is used as further specified in this Privacy Policy.

2.4. Special Categories of Personal Data

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). However, from our experience, we cannot exclude that Special Categories of Personal Data may be processed during your participation in any event, depending on the nature of the event and your specific needs, such as health information related to your dietary and accessibility requirements. In such cases, we will rely on your explicit consent for the processing of such data. We also may not exclude the possibility that there are instances where You, at your own discretion, send us Special Categories of Personal Data in communication with Us.

Please note that although ID cards are processed, images contained therein are not processed in a manner to allow or confirm a unique identification match. Therefore, such data is not to be considered biometric data (special category of data).

2.5. IF YOU FAIL TO PROVIDE PERSONAL DATA Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with Our Services).

2.6. USERNAME

Please make sure that your username does not contain any personally identifiable information, as the username is shared with certain partners and in the course of the sharing of the username, this is not, separately, considered personal data. Please contact us if your user name contains your personally identifiable data, so we can make proper arrangements to protect your data and guide you as to how to change the username.

3. WHY AND HOW WE USE YOUR PERSONAL DATA

3.1. We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• To allow You to participate in Games and to provide ancillary services to You

• To allow You access and use of the Website

• For legal and regulatory reasons, to comply with our legal obligations and licence conditions such as Anti-money laundering and responsible gaming

• For identification and verification proposes

• To prevent and detect illegal or fraudulent behaviour

• for purposes that constitute a legitimate interest of the Controller or with your consent, regarding direct marketing of its own similar goods and services via electronic mail as provided below; and

• for purposes that constitute a legitimate interest of the Controller or with your consent, regarding direct marketing via live telephone calls or postal mail as provided below

• for analytics purposes

3.2. Detailed purposes and legal basis

3.2.1 We have set out below, in a table format, a description of the possible ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

3.2.2. Please note that the below table sets out the general information about the Personal Data We process. Certain data categories and/or purposes may differ in different jurisdictions and/or brands under which the Controller provides its services. Please contact us if you need further details about the specific purpose for processing or data category in your jurisdiction.

3.3. DIRECT MARKETING

3.3.1. In accordance with the applicable laws (incl. local regulations) and on the basis of Our legitimate interest and/or Your consent, the Controller may, from time to time, inform You about its own similar products or services (incl. without limitation Own new services and promotions, bonuses and offers, experience), and those relating to other brands pertaining to the Group, as applicable via direct communication channels, such as:

• electronic mail (incl. email, SMS or instant messaging)

• live phone calls

• postal mail

• push notification (desktop and/ or app)

Without prejudice to anything contained in this Privacy Policy, when registering on Our site, if We are relying on legitimate interest, the Controller will guide You accordingly on how You may oppose such direct marketing.

When relying on consent, the consent may be granted by You when registering or using the services on Our site. Apart from direct communication channels, we also rely on third-party online platforms, including social media to deliver personalised marketing offers which are relevant to you. In relation to social media, the processing of any personal data collected through cookies when You are browsing on Our site is done on the basis of your preferences when interacting with Our cookie consent mechanism, and in accordance with Our Cookie Policy, whilst personal data which is processed as a result of You utilising Our Services (by signing-up), is based on legitimate interest. We only share limited data with social media partners to enable us to deliver relevant adverts to you via their platforms, or market to other audiences within their platforms who have similar characteristics to you.

In all cases, if you do not wish to receive direct marketing any longer, or object to the use of your personal data for such purposes, You may opt out, easily, at any time and free of charge, as applicable, by:

• activating the relevant link at the end of an electronic message

• contacting us through our communication channels

• informing the caller (in the case of phone call)

• changing your Settings in your profile

• changing your App Permission Settings on your device, third-party sites or applications (e.g. social media) where the receipt of marketing is enabled and controlled on such systems.

3.3.2. Please note that even if You object to receiving direct marketing material, from time to time We may still need to send You important communications from which You cannot opt-out.

3.3.3. From time to time we may conduct surveys or ask customers to rate their experience with us to improve our service. You can however, decide whether to take part in these surveys, as well as have the right to object from being contacted for these purposes.

4. RETENTION

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

The criteria We use to determine what is ‘necessary’ depends on the nature of the particular personal data in question. Our normal practice is to determine whether there is/are any specific law(s) (for example licence requirement, tax or corporate laws) permitting or even obliging Us to keep certain personal data for a period of time (in which case We will keep the personal data for the maximum period indicated by any such law) and if not, whether there are any laws and/or contractual provisions that may be invoked against Us by You and/or third parties and if so, what the prescriptive periods for such actions are. In the latter case, We will keep any relevant personal data that We may need to defend Ourselves against any claim(s), challenge(s) or other such action(s) by You and/or third parties.

We typically keep your personal data for a maximum of ten years following the closure of your account. Once this period has elapsed, or if your personal data is no longer needed by us even before the end of this retention period, we will securely delete or anonymize the relevant personal data.

There are some exceptions, namely:

• If you are permanently self-excluded from any of our services, we will retain this information indefinitely.

• If you are under investigation or where we have identified possible fraudulent or other criminal activity, we may retain your personal data for longer and as required in order to cooperate with the relevant authorities.

• If there is a legal dispute, we will retain your personal data for at least the entire duration of the dispute and as may be required in order to defend our rights in any subsequent claim or any subsequent proceeding arising from the same.

Due to gaming authority restrictions relating to the use of multiple accounts, players are only permitted to create and use a single account per brand on the Controller’s system (as per our terms and conditions). Therefore as long as we store, for the above mentioned purposes, all of the Personal Data of the player, the player may, following a closure, only reopen their existing account, provided the account is eligible for opening.

Further details of retention periods for different aspects of your personal data are available in our retention policy which you can request by Contacting Us.

5. Recipients of your Personal data

5.1. As the Controller’s business partners, suppliers or service providers are responsible for certain parts of the overall functioning or operation of the Website, Games and other services, Personal data are processed also by them for the above-mentioned purposes on behalf of the Controller.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes unless this is permitted or required by law, and only allow them to process your personal data for specified purposes and in accordance with our instructions, after thorough vetting of these partners and on the basis of strict data processing agreements as may be necessary.

5.1.1 Details on the categories of recipients of the personal data

• Game providers for the purpose of provision of games

• Sportsbook provider for the purpose of provision of sportsbook service and risk management purposes

• Payment service providers to perform payment transactions (deposit and withdrawals) and for the purposes of preventing fraud and enabling compliance with AML obligations

• Marketing suppliers including social media platforms and other business partners to perform marketing activities, such as: personalised or non-personalised advertising campaigns including through audience creation techniques, optimisation, market analysis and research on behalf of the Controller

• Service providers for the purpose of content creation for marketing and promotional purposes on behalf of the Controller

• Marketing consultants to provide marketing advice to the Controller

• Service providers that technically enable communication with you (via email, chat, SMS, phone)

• Technical suppliers to support functioning of the Website and Our technical systems (both front and back end)

• Technical administrators of the database to maintain the functioning of the database

• AML providers providing and/or processing certain data for the purposes of compliance with our AML obligations

• Services providers regarding or organisation and booking emails, trips and/or delivery of presents and gifts with respect to our loyalty programme

• Cloud services providers for provision of cloud-based services such as storage or hosting certain software

• Service providers for the purpose of data analytics and/or business intelligence

• Credit rating agencies, fraud detection agencies, anti-money laundering agencies for fraud detection and control purposes, in the processing of Your Member Account and associated transactions

• Companies within the Group to provide certain services/support with functions of the Controller

• Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.

5.2. Authorised disclosure: If You are suspected to have breached our Terms and Conditions or any applicable laws (for example when we suspect that a crime may have been committed), or for the purpose of preventing, detecting or suppressing fraud or other criminal activity, or when required for your own protection and vital interests, the Controller has a right to:

• forward Your Personal Data to the relevant government or public authorities;

• share any of Your Personal Data to the relevant gambling regulator(s) and other relevant bodies such as, Sports Integrity Agencies or related associations where this is permitted by law;

• share Your Personal Data with relevant law enforcement and/or crime investigation bodies or organisations and assist the same with any type of investigation into Your actions;

• respond to any Court subpoena or order or similar official request for Personal Data.

Where national laws establishing Self-Exclusion Registers require the communication, disclosure, or update of self-exclusion data, the Controller will have an obligation to promptly communicate to the authority responsible for such register, any data and information as stipulated under the applicable legal framework, such as, information relating to players who have decided to make use of self-exclusion tools, as well as players who have opted for the subsequent reactivation of the gaming account.

5.3. Group companies/other brands for Responsible Gaming Purposes When applicable, Your information, in particular, Self-Exclusion Data is, for the purpose of compliance with legal obligations, and/or Our licence conditions, shared also with other companies within the same group. Likewise, for the same purposes, the Controller shares your Self Exclusion data with other brands under which it operates its gambling activities.

5.4. Group companies/other brands for AML Purposes When applicable, Your information, such as, Identification and Verification Data, Transaction and Usage Data, Registration Data and Contact data are for the purpose of compliance with legal obligations, shared between various brands under which the Controller operates its gambling activities.

5.5. Group companies/other brands and third-parties for fraud prevention and establishment, exercise or defence of legal claims Your information, including as applicable, Identification and Verification Data, Transaction and Usage Data, Registration Data, Contact data and Log-in data are for the purpose of preventing, detecting, or suppressing fraud, shared with as well as sourced via other Group companies/ brands under which the Controller operates its gambling activities, as well as third-party fraud detection tools and providers. In addition, the Controller may, subject to its legitimate interests and insofar as permitted by law, share and source information via other Group companies and third parties for the establishment, exercise or defence of legal claims.

5.6. Corporate restructuring Third parties, incl. any companies belonging to the same group of companies as the Controller, to whom we may choose to sell, transfer, or merge parts of our business, our assets or operations or as a result of restructuring. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

5.7. Joint controllers: Certain data is shared with other parties, acting as joint controllers. The following are the details on the essence of the joint-controller arrangements:

• Sportsbook Provider Kambi

Where Sportsbook is available, the following Data are processed with Kambi as joint controllers: Transaction and Usage data in the extent: gender, first part of postcode, currency, language, last method of deposit, account balance and bet history, Player ID for the purpose of provision of the Sportsbook services. Kambi does not process a player's real name or email address but makes use of a pseudonymised ID relating to each player.

Further information on the Kambi’s processing activities may be found here: https://www.kambi.com/player-fair-processing-notice

The essence of the Joint Controller Arrangement between the Controller and Kambi:

• The Controller shares transaction and usage data in pseudonymised manner with Kambi for the purpose of provision of sportsbooks services;

• The Controller responds to data subjects' requests; and

• The Controller and Kambi also act as joint controllers when it comes to any changes to the Sports Risk Segment.

In other cases, each party acts as a sole controller. However, we will in all cases be responsible for handling any queries that players may have with respect to Kambi's data processing activities

6. INTERNATIONAL TRANSFERS

Some of our suppliers and partners (as listed above) are based outside the United Kingdom (UK) as well as the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside these territories. Whenever we transfer your personal data, we ensure that a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• Transfer of your personal data is performed to countries, territories, or subject to arrangements or mechanisms that have been deemed to provide an adequate level of protection for personal data both by the UK Government and the European Commission.

• Where we use service providers which are not subject to an adequacy mechanism, we will ensure that additional safeguards and measures are put in place as required, including by incorporating specific contracts approved by the UK Government and the European Commission.

Please Contact us if you want further information on the specific mechanism used by us when transferring your personal data.

7. DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In order to comply with the applicable data protection legislation, various technical controls ensure data and information are always encrypted during transit and at rest using industry standard encryption techniques at all other times. This ensures confidentiality and integrity at all times. At an organisation level, the handling of all information is governed by our comprehensive Information Security Policies. This is complemented by an Information Security Awareness Programme designed specifically to ensure we embrace security best practices whenever it comes to handling information. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a need-to-know business requirement. They will only process your personal data on our instructions or subject to a lawful ground, as well as their duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Your Rights Under the Data Protection Laws

8.1 Your Right of Access

You may, at any time, with reasonable intervals, request Us to confirm whether or not We are processing personal data that concerns You and, if We are, you shall have the right to access that personal data and to the following information:

• what personal data We have,

• why We process them,

• who We disclose them to,

• how long We intend on keeping them for (where possible),

• whether We transfer them abroad and the safeguards We take to protect them,

• what Your rights are,

• how You can make a complaint,

• where We got Your personal data from and whether We have carried out any automated decision-making (including profiling) as well as related information.

In order to facilitate the exercise of such right We have developed the “Download my Data”, which is a self-service feature enabling You to request your data directly by activating this functionality from your profile. Upon triggering such functionality, You will be provided with a copy of all your transaction data and an exhaustive summary of all categories of data, their sources and recipients, all processing operations, the purposes thereof and retention periods applicable. In case this functionality is not supported on any of our brands or otherwise unavailable, or should you need to obtain additional explanations or information concerning your personal data you may alternatively send your request to: sar@leovegasgroup.com. Upon such request, We shall (without adversely affecting the rights and freedoms of others including Our own) provide You with such additional information and/or with a copy of the personal data undergoing processing within one month (or a shorter period if required by law), from receipt of the request, which period may be extended by another two months where necessary, taking into account the complexity and number of the requests. We shall inform You of any such extension within the required time frame, together with the reasons for the delay.

8.2. The Right to Rectification

Although all reasonable efforts will be made to keep Your Personal Data updated, you are kindly requested to inform Us promptly of any changes. With respect to your residential address and phone number, you can notify us of the change by amending Your profile of any changes to Your Personal Data. If the change pertains to data that cannot be amended by changing your profile, please contact us. To this end You have the right to ask Us to rectify inaccurate personal data and to complete incomplete personal data concerning You. We may seek to verify the accuracy of the data before rectifying it.

8.3. The Right to Erasure (The Right to be Forgotten)

You have the right to ask Us to delete Your personal data and We shall comply without undue delay but only where:

• The personal data are no longer necessary for the purposes for which they were collected; or

• You have withdrawn Your consent (in those instances where We process on the basis of Your consent) and We have no other legal ground to process Your personal data; or

• You have successfully exercised Your right to object (as explained below); or

• Your personal data have been processed unlawfully; or

• There exists a legal obligation to erase the data to which We are subject; or

• Special circumstances exist in connection with certain children’s rights.

In any case, We shall not be legally bound to comply with Your erasure request if the processing of Your personal data is necessary:

• for compliance with a legal obligation to which We are subject (including but not limited to Our data retention obligations); or

• for the establishment, exercise or defence of legal claims.

There are other legal grounds entitling Us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by Us to deny such requests.

You may request the erasure of data by following these steps:

• close your account by using the ‘My Account’ Menu options;

• submit a request to privacy@leovegasgroup.com to complete the process.

Following your request, personal data which is still relevant to fulfil our legal obligations or required to defend our legal rights, will be subject to the maximum retention period of 10 years and as further specified in section 4 of this privacy policy. Any other data will be deleted or anonymised when this is no longer required.

8.4. The Right to Data Restriction

You have the right to ask Us to restrict (that is, store but not further process) Your personal data but only where:

• The accuracy of Your personal data is contested (see the right to data rectification above), for a period enabling Us to verify the accuracy of the personal data; or

• The processing is unlawful, and You oppose the erasure of Your personal data; or

• We no longer need the personal data for the purposes for which they were collected but You need the personal data for the establishment, exercise or defence of legal claims; or

• You exercised Your right to object and verification of Our legitimate grounds to override Your objection is pending.

Following Your request for restriction, except for storing Your personal data, We may only process Your personal data:

• Where We have Your consent; or

• For the establishment, exercise or defence of legal claims; or

• For the protection of the rights of another natural or legal person; or

• For reasons of important public interest.

You may request the restriction by contacting us.

8.5. The Right to Data Portability

You have the right to ask Us to provide Your personal data (that You shall have provided to us) to You in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:

• The processing is based on Your consent or on the performance of a contract with You; and

• The processing is carried out by automated means.

To a great extent, you may exercise this right by activating “download my data” functionality of your profile. For any request over and above the data provided or if you would like us to assist you with the actual transfer of such data to another operator, please contact us.

If you are a customer of another gaming operator and would like to have your data “ported” to Us, please contact us. In this respect please note, that notwithstanding any portability right utilisation, you will still be expected to provide all Registration and Contact Data due to the requirements of our customer registration / sign up procedure requirements.

8.6. The Right to Object to Certain Processing

In those cases where We process Your personal data for the performance of a task carried out in the public interest or when processing is necessary for the purposes of the legitimate interests pursued by Us or by a third party (including as indicated in the Table in the clause 3.2 above), You shall have the right to object to processing of Your personal data by Us.

When Your data is processed for direct marketing purposes, You have the right to object at any time to the processing of Your personal data, which includes profiling to the extent that it is related to such direct marketing.

For the avoidance of all doubt, when We process Your personal data when this is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which We are subject or when processing is necessary to protect Your vital interests or those of another natural person, this general right to object shall not subsist.

With respect to Direct marketing of our own goods and services incl. related profiling, You may object to such processing at any time, by contacting us, or by selecting your preferences on your account Profile – Settings page.

8.7. Right to withdraw consent (when we process your data on the basis of consent)

In those cases where We process Personal Data on the basis of Your consent (which We will never presume but which We shall have obtained in a clear and manifest manner from You), YOU HAVE THE RIGHT TO WITHDRAW YOUR CONSENT AT ANY TIME and this, in the same manner as You shall have provided it to Us.

Should You exercise Your right to withdraw Your consent We will determine whether at that stage an alternative legal basis exists for processing Your Personal Data (for example, on the basis of a legal obligation to which We are subject) where We would be legally authorised (or even obliged) to process Your Personal Data without needing Your consent and if so, notify You accordingly.

When We ask for such Personal Data, You may always decline, however should You decline to provide Us with necessary data that We require to provide requested services, We may not necessarily be able to provide You with such services (especially if consent is the only legal ground that is available to Us).

Just to clarify, consent is not the only ground that permits Us to process Your Personal Data (As indicated in the Table in the clause 3.2 above there are various grounds that We rely on when processing Your Personal Data for specific purposes).

8.8 The Right to lodge a Complaint You also have the right to lodge complaints with the appropriate Data Protection Supervisory Authority. We kindly ask that You please attempt to resolve any issues You may have with Us first (even though, as stated above, You have a right to contact the competent authority at any time).

8.9. WHAT WE MAY NEED FROM YOU When exercising your rights by contacting us, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

8.10. TIME LIMIT TO RESPOND

We try to respond to all legitimate requests within one month (unless a shorter period is required by law). Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

8.11. DIFFERENT BRANDS

The Controller is operating its gaming business also under other brands and trademarks. For the purpose of the exercise of your rights as provided above, and for the purpose of clarity and legibility of our reply, we will initially comply with the requests with respect to data processed under the brand from where the request is originating. Should you wish your requests to be complied with respect to all of the brands with respect to which the Controller operates its business, please make sure to flag this in your request.

9. AUTOMATED PROCESSING - PROFILING

9.1. Meaningful information about the logic involved in the automated processing for responsible gaming purposes

The Controller is on the basis of the applicable laws and licence conditions legally obliged to monitor its players in order to identify people who may be experiencing, or at risk of developing, problems with their gambling, and interact with them to offer help or support. To this end, and to fulfil this obligation, by using historical data describing behaviour of players, in particular certain Responsible Gaming Data, Transaction and Usage Data, and Other Communication Data (in particular sentiments used in messages) the Controller has established rules regarding who is likely to suffer from gambling addiction and then take relevant action.

Our approach is based on classification trees because they allow for clear interpretation of why players get classified as potential gambling addicts. Based on data describing unique players, the algorithm provides us with an estimated probability of gambling addiction. Decisions on the basis of the prediction and which may impact customers, are not taken automatically without human intervention.

9.2. Meaningful information about the logic involved in the automated processing for AML purposes

The Controller is, on the basis of the applicable laws and licence conditions, legally obliged to monitor its players in order to identify potentially suspicious activities regarding AML/CFT. Based on data describing the behaviour of players, in particular Transaction and Usage Data, the algorithm suggests a risk profile.

Decisions on the basis of the prediction and which may impact customers, are not taken automatically and require human intervention.

9.3. Meaningful information about the logic involved in the automated processing for loyalty segmentation purposes

By making use of the historical data that players generated in their first 2 days, We assess whether You will qualify for our loyalty program. This model is used on fresh players and depending on their involvement with our services the loyalty status is predicted. The result of the model is a prediction as to whether the player will become a loyalty customer. In addition, apart from gender, country and age, we will use affordability criteria and enhanced due diligence information insofar as permitted or required by law, to determine your eligibility for loyalty/ High-Value schemes. Decisions on the basis of the prediction and which may impact customers, are not taken automatically without human intervention. The process is based on our compliance with legal obligation and with respect to the loyalty offers, the performance of our contract with You as well as the legitimate interest of the Controller regarding its commitment in providing customised, quality experience and reward loyalty of the players. You can object to such processing by contacting us or changing your preferences in your account.

9.4. Meaningful information about logic involved in automated processing with respect to direct marketing segments

By making use of Your Transaction and Usage data, certain Registration Data such as gender, country, date of birth and Your overall interaction with our services, We analyse and establish various segments of the customers. These segments are then processed manually, in order to ensure that We provide the most appropriate offers and bonuses to our customers. These decisions are not taken automatically without human intervention. The process is based on the legitimate interest of the Controller with regard to providing customised, quality experience for the players and reward loyalty of the players. You can object to such processing by contacting us or changing your preferences in your account.

9.5. Meaningful information about logic involved in automated processing with respect to Sports Risks Segments (applicable only where Sportsbook is available)

The Controller is manually processing your Sports Risks Segments as established by the sportsbook provider – Kambi. The Sports Risk Segments are established by Kambi on the basis of automated profiling performed by Kambi. They use automated processing to suggest a risk profile, however such risk profile is confirmed or amended by Kambi's personnel. In conjunction with provision of its services, Kambi uses automated risk management technology to assess the risk of particular betting activities. If You seek to undertake a bet that falls outside of the parameters associated with your risk profile, the bet is flagged for Kambi’s personnel to review. To safeguard your rights and interests, Kambi allows you to contest any decision that they make about your risk profiling or to object to our use of profiling. To this end, please contact us . For further information on processing activities performed by Kambi please consult Kambi’s privacy notice here: https://www.kambi.com/player-fair-processing-notice

9.6. Meaningful information about logic involved in automated processing with respect to Game or Sportsbook recommendation

By making use of your Transaction and Usage data, we provide you a list of games or sport events that are aligned with your tastes and preferences. The system determines your affinity towards different games or sport events and generalises your preferences. Ranking the computed preferences, an ordered list of games or sport events is produced and can be served as recommendations.

The recommendation is produced without human intervention. The process is based on legitimate interest of the Controller regarding providing a customised, quality experience for the players.

9.7. Meaningful information about logic involved in automated processing with respect to Your Interactions with Us

For the purposes of improving Your overall experience with Us, we conduct automated processing of your Communication Data (in particular the sentiments used in messages) to identify recommended areas for improvement in our services and the need for specific follow-ups based on your interactions with Us.

Whilst the recommendation is produced without human intervention, the decision to conduct specific follow-ups with customers is not automated. The process is based on legitimate interest of the Controller regarding providing a quality experience for the players.

10. Cookies

Our site uses cookies, for further information on what cookies are, which cookies we use, how and why we use cookies, and how you can control which cookies are dropped, please read our Cookies Policy.