PRIVACY POLICY (Palmirico Online OÜ)

Privacy Notice

1. Introduction

This Privacy Notice outlines how we gather, handle, and safeguard personal data when you use our website and engage with our services. It also details the rights you have under applicable data protection law, including the General Data Protection Regulation (GDPR).

We encourage you to read this notice thoroughly. By accessing our services and creating an account with us, you acknowledge that you understand the way we process your personal data as described herein.

Please note: In order to use our services, it is necessary to provide certain personal data during registration. Without this information, we are unable to create your account or provide access to our platform, as the operation of our services is inherently dependent on the processing of such data.

This site is operated by Palmirico Online OÜ, who is a controller of your personal data.

For any privacy-related inquiries, contact our Data Protection Officer at: [email protected]

Company information:

Palmirico Online OÜTallinn

Põhja-Tallinna linnaosa Telliskivi 57, 10412

2. What data we collect

In order to run our platform responsibly and meet both legal and operational obligations, we process several categories of personal data:

• Identity or verification data: name, date of birth, ID/passport number, nationality, gender, username.
• Contact details: physical address, phone number, email, and other provided contact methods.
• Financial information: bank account details, card data, and other data from documents validating the source of your funds or wealth or necessary to make transactions.
• Gaming activity data: gameplay history, bonus participation, session times, and responsible gaming actions.
• Technical access data: IP address, device type, browser version, OS, time zone, and geolocation data.
• Marketing preferences: your interactions with our promotional materials and your stated preferences.
• Other submitted information: any additional information you provide in correspondence with us.

3. Purposes and legal basis of processing your data

We process your personal data only where we have a valid legal basis under the General Data Protection Regulation (GDPR). Depending on the context in which we collect your data, processing may be necessary for the performance of our contract with you, compliance with legal obligations, the pursuit of our legitimate interests, or your consent. Below we explain the specific purposes for which we process your data and the corresponding legal bases:

• Account management and service delivery
  We process your personal data to create and manage your account, process payments and withdrawals, record bets and game activity, and provide customer support.
  Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)
• Identity and age verification
  We are required by law to verify your identity and ensure you are of legal age to gamble. This involves checking identification documents and other relevant data.
  Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR)
• Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT) Compliance
  To comply with AML and CFT regulations, we monitor transactions, verify customer identities, and conduct risk assessments.
  Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR)
• Responsible gambling measures
  We process data to detect problem gambling patterns, enforce deposit and loss limits, and support self-exclusion tools in line with applicable laws and licensing conditions.
  Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR)
  Alternative basis: Legitimate interests (Art. 6(1)(f) GDPR), where not mandated by law, to protect players from gambling-related harm
• Fraud detection and security monitoring
  We use automated systems to detect suspicious activity, prevent fraud, secure your account, and protect the integrity of our services.
  Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) – to protect our business and users from fraud and abuse
• Location and jurisdictional compliance
  We determine your geolocation to ensure that you are accessing our services from a permitted jurisdiction and in compliance with our licensing conditions.
  Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR)
• Marketing and promotional communications
  We may process your data to send you marketing messages, offers, and promotions based on your preferences.
  Legal basis:
  Consent (Art. 6(1)(a) GDPR) – for electronic direct marketing where required Legitimate interests (Art. 6(1)(f) GDPR) – for tailored offers and promotions where legally permitted

You have the right to opt out of marketing at any time by updating your account settings or contacting us at[email protected].

• Personalization
  To improve your experience, we analyze your gameplay and transaction history to recommend relevant games and features.
  Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) – to enhance user engagement and satisfaction
• Service improvement and analytics
  We use aggregated and anonymized data to monitor service performance, fix bugs, and improve platform functionality.
  Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
• Legal compliance and enforcement
  We may process and disclose your data where required by law, regulatory authorities, or to enforce our terms and conditions or protect legal rights.
  Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR)

4. How we obtain your data

We may collect data directly from you or from trusted third parties, including:

• Verification services (identity, address, etc.)
• Financial institutions
• AML/PEP databases and sanctions lists
• Regulatory bodies
• Affiliate networks and marketing platforms (providing pseudonymized tracking data)

5. Sharing your data

We may disclose or transfer your personal data to third parties under specific circumstances, always in compliance with applicable data protection laws.

We continuously enhance and maintain the technical infrastructure to safeguard the security and confidentiality of the personal data we handle and to support key operational functions that ensure our services remain accessible and effective. To facilitate this, we share your profile information with trusted third-party providers offering services such as cloud storage and hosting, cybersecurity, system maintenance and support, and communication tools.

The recipients may include the following categories:

• Regulatory and enforcement authorities
• Financial institutions and payment providers
• Legal advisors, compliance or financial consultants, notaries etc.
• Service providers under data processing agreements

We may share your personal information with external parties for legal, contractual, or operational reasons, for example:

• Corporate restructuring or business transfers
  In the event of a merger, acquisition, sale of assets, or similar transaction, your personal information may be part of the assets transferred to the acquiring or merging entity. Where legally required, we will inform you in advance and seek your consent before such a transfer takes place.
• Legal and regulatory compliance
  We may disclose your information where required to comply with legal obligations, enforce our terms, protect our rights, respond to lawful requests from authorities, or prevent fraud and abuse.
• Based on your consent
  We may share your personal data for purposes not listed in this notice when you have explicitly agreed to it or directed us to do so.
• Anonymous or aggregated data
  Where data has been anonymised or aggregated to the extent it no longer identifies you personally, we may use or share such information without restriction—for example, for statistical or analytical purposes.

6. International Data Transfers

To provide our services, we may need to transfer your personal data to countries outside the European Economic Area (EEA). When doing so, we are committed to ensuring that your data remains protected in accordance with the standards set by the General Data Protection Regulation (GDPR).

Where applicable, we rely on adequacy decisions adopted by the European Commission. These decisions confirm that a third country or an international organisation offers a level of data protection essentially equivalent to that within the EEA. Transfers to such jurisdictions may occur without additional safeguards.

In the absence of an adequacy decision, we implement appropriate safeguards as required by Article 46 GDPR. We will rely on Standard Contractual Clauses (SCCs) approved by the European Commission, which impose contractual obligations on the recipient to ensure the protection of your data at the same level as in EU.

7. Retention period

We store personal data only as long as necessary to fulfill the purposes stated in this notice or to meet legal retention obligations.

For example, AML regulations require us to retain certain financial data for a minimum of five (5) years. Once retention is no longer justified, data will be securely deleted or anonymized.

8. Profiling and automated decisions

We do not engage in fully automated decision-making processes, including profiling, that produce legal effects concerning data subjects or similarly significantly affect them, as defined under Article 22 of the General Data Protection Regulation (GDPR).

While certain processes within our services (responsible gambling monitoring, AML & fraud screening), may involve partial automation to support risk assessment or flagging of unusual behavior, these systems do not independently make final decisions that impact users' rights or access. All such flagged cases are subject to further human review and validation by trained personnel before any final action is taken.

This approach ensures that significant decisions are not made solely based on automated processing, and that data subjects’ rights and freedoms are adequately protected.

9. Safeguarding your data

We use a combination of physical, technical, and administrative controls to secure your data, including:

• Access control protocols
• Use of firewalls and secure networks
• Regular penetration testing and security audits

While we do everything within reason to protect your data, no system is entirely immune to breaches. Users must also take precautions to protect their account credentials.

If a breach occurs that compromises your personal data, we will notify you and relevant authorities as required by law.

10. Cookies

We use cookies and related technologies to enhance your experience and tailor content. Some are strictly necessary for platform functionality; others require your consent.

You can manage cookie preferences through your browser or device settings.

11. Age restrictions

Our services are strictly for individuals who meet the legal gambling age in their jurisdiction. We do not intentionally collect data from minors. If we become aware that an underage person has provided us with personal data, we will take steps to delete it promptly and block access to our services.

12. Your rights as data subject

You are entitled to exercise the following rights in relation to your personal data:

• Right to access – Request a copy of the personal data we hold about you.
• Right to correction – Ask us to fix inaccurate or incomplete data.
• Right to erasure – Request deletion of your data under specific conditions ("right to be forgotten").
• Right to restriction – Ask us to limit processing in certain circumstances.
• Right for portability – Obtain your data in a reusable format for transfer to another provider.
• Right to withdraw consent – Revoke any consent you’ve given us, such as for marketing.
• Right to object – Challenge processing based on our legitimate interests.
• Right to lodge a complaint – Contact your local Data Protection Authority if you believe your rights have been violated.

13. Updates

We may update this notice from time to time to reflect regulatory developments or changes to our operations. We will inform you by posting the revised version on our website.