General provisions and scope

This Privacy policy governs the collection, use, disclosure, and safeguarding of personal information in connection with Chumba Casino and the website available at chumba-ca.com. It applies to individuals who access the services from Canada, and it addresses information handled through web, mobile, and customer support channels. This document is intended to reflect Canadian privacy requirements, including the principles of accountability, limiting collection, and safeguarding, and it is interpreted in light of provincial variations where applicable. Where processing activities involve individuals in other jurisdictions, internationally recognized privacy principles comparable to those reflected in GDPR may also be applied as a matter of internal governance.

For the purposes of this document, personal information means any information about an identifiable individual, and includes identifiers, device data, and records associated with account administration. Processing includes any operation performed on personal information, such as collection, organization, storage, use, disclosure, or deletion. The services may involve age and identity checks, fraud screening, payment related verification, and responsible gaming controls, each of which requires controlled processing. The scope of this document does not extend to third party sites that may be linked through the services, which are governed by their own notices and contractual terms.

Categories of personal data processed

Personal information processed by the controller may include identification and contact details such as name, date of birth, email address, telephone number, and mailing address. It may also include account credentials, verification outcomes, transaction references, and records evidencing compliance checks. Where required for regulatory and risk purposes, the processing may extend to government issued identifiers used solely for verification, such as a driver’s licence number, and to limited biometric liveness results when an identity provider supplies such outputs. The Privacy policy limits these categories to what is proportionate to the stated purposes and to what is required by law, contractual necessity, or demonstrable legitimate interests.

Operational and technical data may be processed, including IP address, approximate geolocation derived from network signals, device identifiers, operating system details, and browser characteristics. Log data may include timestamps, error reports, session identifiers, and security events associated with attempted access. Communications data may include support messages, call recordings where permitted by law, and dispute correspondence, together with the time and channel used. This information may be linked to an account or may remain pseudonymous, depending on the operational need and the technical design of the relevant system.

Methods of data collection

Personal information is collected directly when an individual creates an account, submits verification materials, communicates with support, or completes transactions. Collection may occur when forms are completed, when documents are uploaded, or when consent preferences are recorded within account settings. The services also collect information automatically through standard internet technologies, including server logs and security monitoring tools. Where casino Chumba integrates third party payment processing or identity verification, certain information may be collected indirectly from those providers, subject to contractual controls.

Sources and indirect collection

Indirect collection may occur when fraud prevention partners provide risk signals, when payment providers provide confirmation codes, or when identity verification providers return validation results. Such sources are used to validate account integrity, prevent unauthorized use, and satisfy statutory or regulatory obligations that may apply to gaming related services. Where information is obtained from third parties, it is limited to what is necessary for the verified purpose and is subject to data minimization controls. The Privacy policy requires that third party sourcing be documented and capable of being explained in response to lawful access requests.

Accuracy and data quality

Data quality is maintained through reasonable measures such as validation checks, account review processes, and periodic refresh of verification status where risk indicators require it. Individuals may be requested to update out of date information to ensure that records remain accurate for compliance, security, and payment integrity purposes. Where discrepancies are identified, processing may be restricted pending resolution, including temporary account limitations to reduce harm. These measures are intended to ensure that decision making based on personal information is fair, proportionate, and auditable.

Legal basis for processing and consent management

Processing is conducted on legal bases recognized under Canadian privacy frameworks, including consent, contractual necessity, and purposes that a reasonable person would consider appropriate in the circumstances. Consent may be express or implied depending on the sensitivity of the information and the reasonable expectations associated with the service function. Contractual necessity applies where processing is required to establish and administer an account, provide requested services, and complete transactions. Legitimate operational purposes may include security monitoring, fraud prevention, and enforcement of terms, provided that impacts on individuals are mitigated.

Where consent is used, it is managed through recorded preference settings, notices at the point of collection, and documentation of the consent context. Withdrawal of consent is respected where legally and operationally feasible, but certain processing may continue when required by law or to resolve disputes. Consent withdrawal may result in limitations on service availability where the processing is necessary to provide core functions. This Privacy policy distinguishes between optional processing, such as certain analytics, and processing required for legal compliance or security, which may not be fully avoidable.

Purposes of processing and operational explanations

Processing is undertaken to provide and administer the services, including registration, identity and age screening, authentication, and account management. It supports the completion of transactions, reconciliation, chargeback management, and the delivery of service communications such as verification requests and security alerts. It is also used to ensure platform integrity through detection of suspicious activity, prevention of account takeover, and investigation of potential breaches. In the context of casino Chumba, processing is further used to implement responsible gaming controls, including self exclusion functionality where offered, and to respond to regulatory inquiries where applicable.

Customer support and dispute handling

Customer support processing includes reviewing messages, validating account ownership, and documenting the actions taken in response to requests or complaints. Records may be used to train support quality and to ensure consistent application of policies, subject to access restriction and confidentiality controls. Dispute handling may involve sharing limited information with payment providers and financial institutions to address chargebacks or unauthorized transaction allegations. The controller retains support records for defined periods aligned to limitation periods and audit needs, with access limited to authorized personnel.

Compliance and risk management

Compliance processing includes sanctions screening where required, verification of eligibility, and maintaining evidence of checks performed. Risk management includes profiling limited to security and fraud contexts, using indicators such as device reputation and anomalous access patterns, and it does not involve decisions producing legal effects without appropriate safeguards. Where automated tools are used to score risk, appropriate human review may be applied for adverse outcomes such as account suspension. The Privacy policy requires that such tools be periodically reviewed to reduce false positives and to document accountability.

Cookies, tracking technologies, and the Privacy policy

The services use cookies and similar technologies for essential operation, including maintaining sessions, preventing fraudulent access, and remembering security settings. Non essential tracking may be used to understand service performance, detect errors, and improve technical reliability, subject to applicable consent requirements. Cookie identifiers may be linked to account records when necessary for security, but they are otherwise maintained in a pseudonymous form. This Privacy policy addresses the categories of cookies, the purposes for which they are used, and the mechanisms available to control them.

Cookie management and device controls

Browser controls can be used to delete or block cookies, though certain features may not function properly if essential cookies are disabled. Where consent banners or preference tools are implemented, selections are stored and respected for a reasonable period, such as 6 months, unless reset by the user’s device settings. Some tracking may be performed through local storage or similar mechanisms that function like cookies, and the same principles of transparency and choice apply. Security related cookies may be set without consent where required to protect accounts and to prevent malicious activity.

Data retention standards and deletion timelines

Retention is determined by the purposes for which personal information was collected, by legal and regulatory obligations, and by legitimate operational requirements such as dispute resolution and fraud prevention. Account data is generally retained for as long as an account remains active and for a further period needed to meet legal obligations and to address claims. Verification evidence may be retained for at least 5 years where required for auditability and to demonstrate compliance, and may be kept longer where a dispute or investigation is ongoing. The Privacy policy requires that retention periods be reviewed at intervals not exceeding 12 months to ensure continued proportionality.

Where information is no longer required, it is securely deleted, anonymized, or de identified using reasonable technical methods. Backup archives may retain residual copies for a limited period, such as 90 days, after deletion events, due to system integrity requirements. Legal holds may suspend deletion where litigation, regulatory inquiries, or fraud investigations require preservation. Retention practices are documented and are subject to access controls and audit logging.

Sharing, disclosure, and third party processing

Personal information may be disclosed to service providers acting on documented instructions, including hosting providers, payment processors, identity verification providers, customer support tooling providers, and security monitoring vendors. Disclosures are limited to what is necessary for the contracted purpose, and providers are required to implement confidentiality, security safeguards, and restrictions on further use. Information may also be disclosed to professional advisers, including legal counsel and auditors, where necessary for compliance and risk management. In the operational context of casino Chumba, disclosures may occur to address fraud signals, verify transactions, and enforce platform safety measures.

Disclosures may be made to governmental authorities, law enforcement, or regulators where required or authorized by applicable law, including in response to court orders, subpoenas, or lawful requests. Where legally permissible, the controller seeks to assess the validity and scope of such requests and to disclose only the minimum information required. Aggregated and de identified information may be shared for analytics or reporting where it does not identify individuals. The Privacy policy prohibits the sale of personal information as a standalone commercial activity.

International transfers and cross border safeguards

Personal information may be processed or stored outside Canada where service providers maintain infrastructure in other jurisdictions, including the United States or other locations relevant to cloud hosting. Cross border transfers may subject information to the laws of the receiving jurisdiction, including lawful access by public authorities. Where transfers occur, the controller implements contractual and organizational safeguards to provide a level of protection comparable to Canadian standards, and it applies principles aligned with GDPR where appropriate for risk mitigation. Transfer assessments consider the nature of the data, the sensitivity of the processing, and the security posture of the recipient environment.

Where a provider relies on sub processors, the controller requires transparency regarding sub processing chains and the ability to object or terminate for material compliance risks. Data localization is not guaranteed unless explicitly stated in a specific service notice, and operational requirements may necessitate distributed storage for resilience. Individuals may request information about the categories of countries involved in processing, subject to security limitations and confidentiality obligations. The Privacy policy frames cross border disclosures as a controlled activity requiring documented oversight.

Information security, integrity, and accountability controls

Security safeguards are implemented to protect personal information against loss, theft, unauthorized access, disclosure, copying, modification, or destruction. Measures include encryption in transit and at rest where feasible, role based access control, multi factor authentication for administrative access, and continuous monitoring for anomalous activity. Vulnerability management includes patching and periodic assessments, and internal access is restricted to personnel with a demonstrable need to know. Security objectives include maintaining confidentiality, integrity, and availability, and these objectives are supported by incident response governance.

Incident management and testing

Security incidents are assessed and triaged according to potential impact, sensitivity of data, and likelihood of harm. Where legally required, breach notifications are made to affected individuals and to regulators within applicable timeframes, and internal records are maintained for audit purposes. Business continuity controls may include redundancy and backup systems designed to maintain service availability, such as 99.5% targeted uptime for critical components, although operational conditions may affect outcomes. Testing may include penetration testing and access reviews, with remediation actions tracked to completion.

Individual rights and request handling

Individuals have rights concerning their personal information, including rights of access, correction, and withdrawal of consent, subject to lawful limitations and identity verification. Requests may be refused or limited where disclosure would reveal confidential commercial information, compromise security, or disclose personal information about another individual. Rights are administered through documented procedures to ensure consistency and legal compliance, and identity verification is applied to prevent unauthorized disclosure. The Privacy policy provides a framework for responding to requests in a traceable manner and for maintaining records of decisions.

Response periods and verification

Requests are generally addressed within 30 days, subject to permitted extensions where complexity or volume requires additional time. Where an extension is necessary, the requester is informed of the reason and the expected response date. Identity verification may require matching at least 2 data points or requesting additional documentation when the request concerns sensitive information. Where correction requests are accepted, reasonable steps are taken to amend records and to communicate corrections to relevant service providers where appropriate.

Contact information and data request procedures

Operationally, privacy inquiries are handled through a designated contact channel intended to route requests to the appropriate internal function. Requests should include sufficient detail to identify the account or context, the nature of the request, and a preferred method of response, while avoiding submission of excessive sensitive data. Where an authorized representative submits a request, evidence of authority may be required to protect the individual’s information. In relation to casino Chumba services, request handling may involve coordination with payment and verification providers, but responses are issued under the controller’s accountability framework.

Communications regarding privacy may be submitted by email to [email protected], and responses may be provided electronically unless another method is required by law or requested and reasonably feasible. If an individual is dissatisfied with the response, the matter may be escalated internally for reconsideration, and information may be provided regarding applicable external complaint avenues in Canada. Records of requests and responses may be retained for at least 24 months to demonstrate compliance and to maintain an audit trail. The Privacy policy expects that all communications be handled in a manner consistent with confidentiality and data minimization.

Privacy policy amendments, governance, and compliance commitment

This Privacy policy is maintained under an internal governance framework designed to support accountability, transparency, and safeguarding consistent with Canadian privacy expectations and privacy by design concepts. Updates may be required due to changes in legal obligations, regulatory guidance, security standards, or operational practices, including modifications to identity verification or fraud prevention tooling. When amendments are material, reasonable steps are taken to provide notice through the website or account communications prior to the change taking effect, except where immediate change is necessary to address security or legal compliance. The effective date and revision context are documented so that individuals can evaluate how processing practices have evolved over time.

Compliance is supported through staff training, access governance, vendor due diligence, and periodic reviews that examine collection practices, retention alignment, and disclosure controls. Where cross border processing occurs, contractual safeguards and transfer risk assessments are revisited when a provider changes its processing locations or sub processor chain. The controller also maintains procedures for handling complaints, inquiries, and rights requests, and it aims to respond within 30 days except where lawful extensions apply. This Privacy policy forms part of a broader compliance posture that includes incident response readiness, evidence retention, and ongoing evaluation of technical and organizational measures, including periodic security testing and documented remediation. Where any conflict arises between this Privacy policy and applicable law, the applicable law prevails, and the policy is interpreted to preserve maximum compliance while maintaining fairness and proportionality.