PRIVACY POLICY

Last updated: August 14, 2025

INTRODUCTION AND SCOPE

This website is operated by Carletta N.V., a company incorporated in Curaçao with company registration number 142346 and registered office at Dr. Henri Fergusonweg 1, Curaçao. The operator holds online license number OGL/2024/580/0570 issued by the Curaçao Gaming Authority for remote betting operations in accordance with the National Ordinance on Games of Chance (LOK).

This Privacy Policy explains how Personal Data is handled when you interact with the Website and the sports betting services made available through it. It applies to Personal Data processed through:

  • the Website and any related account features, sports betting interfaces, mobile or web-based functionality, and customer areas operated by us;
  • communications sent to or received from [email protected];
  • telephone conversations, live chat, messaging tools, complaints handling, verification requests, and other support interactions.

For the Personal Data described in this Policy, Carletta N.V. acts as the data controller. This means that we determine why and how the data is processed, subject to applicable privacy, betting, anti-money laundering, consumer protection, tax, and regulatory requirements.

The purpose of this Policy is to give you a clear explanation of the information we collect, the reasons for using it, the legal grounds relied upon, how long it may be kept, who may receive it, how we protect it, and what choices and rights you may have in relation to it.

DEFINITIONS AND INTERPRETATION

Capitalized words used in this Policy have the meanings set out below. The same meaning applies whether a term is used in the singular or plural.

Account — the individual user profile created to access the Services, manage betting activity, verify identity, process payments, apply limits, and comply with regulatory checks.

Company, we, us, or our — Carletta N.V., incorporated under the laws of Curaçao, registration number 142346, with registered office at Dr. Henri Fergusonweg 1, Curaçao.

Service or Services — the Website, sportsbook functionality, account tools, payment features, support channels, responsible betting tools, promotional functions where permitted, and other online services provided by the Company.

Website — the website, subdomains, web pages, interfaces, account areas, and related applications or technical environments operated by or on behalf of the Company.

Personal Data — information relating to an identified or identifiable natural person, including information that can identify a person directly or indirectly, as understood under the GDPR and applicable Curaçao data protection principles.

Processing of Personal Data — any action performed in relation to Personal Data, including collection, recording, verification, storage, organization, use, consultation, matching, disclosure, restriction, deletion, anonymization, or destruction, whether carried out manually or by automated means.

Regulatory Compliance — processing required or reasonably necessary to meet legal and supervisory duties applicable to the Company, including obligations under the LOK, AML/CFT rules, suspicious or unusual transaction reporting, responsible betting standards, sanctions screening, tax rules, and lawful requests from authorities.

WHAT DATA, FOR WHAT PURPOSES, AND ON WHAT GROUNDS, DO WE PROCESS

The table below summarizes the main categories of processing. Depending on how you use the Services, not every category will apply to you. Where several legal bases are listed, they may apply to different parts of the same processing activity.

Processing purpose | Legal basis | Personal Data involved
Creating and maintaining an account; enabling access to betting services | Performance of a contract and pre-contract steps (GDPR Article 6(1)(b)); legitimate interests in secure access and account integrity where applicable (Article 6(1)(f)). | Email address and/or phone number; hashed password; account ID; selected currency; registration details; login timestamps; access records needed to activate, protect, and administer the account.
Identity checks, age verification, KYC, AML/CFT and LOK compliance | Compliance with legal duties (Article 6(1)(c)); legitimate interests in preventing misuse and protecting the regulated betting environment (Article 6(1)(f)), where relevant. | Identity documents such as passport, national ID card or driving licence; date of birth; age confirmation; proof of address; nationality or residence information where required; selfie, liveness or video verification data; screening and verification results.
Deposits, withdrawals, payment reconciliation and refunds | Performance of a contract (Article 6(1)(b)); legal obligations for AML, accounting, tax and financial record retention (Article 6(1)(c)); legitimate interests in payment security and fraud prevention (Article 6(1)(f)). | Payment method details to the extent required; transaction records; deposit and withdrawal history; currency; payment provider references; refund data; payout channel confirmations; risk and reconciliation flags.
Security controls, fraud prevention, misuse detection and account protection | Legitimate interests in maintaining a safe and reliable Service (Article 6(1)(f)); legal obligations connected with AML/CFT and regulated betting operations (Article 6(1)(c)). | IP address; device type; browser and operating system data; session identifiers; login patterns; geolocation indicators derived from technical data; suspicious activity signals; failed access attempts; abuse reports and investigation records.
Responsible betting, player protection, cooling-off and self-exclusion | Legal and regulatory obligations under applicable responsible betting requirements (Article 6(1)(c)); legitimate interests in user protection, compliance, and risk management (Article 6(1)(f)). | Self-exclusion status and duration; cooling-off selections; deposit, loss, session or wagering limits; betting frequency; stake patterns; spend indicators; risk markers; interactions with responsible betting tools or support teams.
Customer support, complaints, dispute handling and operational messages | Contract performance when we answer service requests (Article 6(1)(b)); legitimate interests in service quality, record keeping, complaints management and dispute resolution (Article 6(1)(f)). | Support tickets; chat records; email correspondence; call notes; complaint files; account identifiers; transaction references; screenshots or documents supplied by you; internal notes connected with your request.
Marketing, promotions and service-related recommendations where allowed | Consent for electronic marketing where required (Article 6(1)(a)); legitimate interests for limited similar-service communications where lawful and subject to opt-out (Article 6(1)(f)); responsible betting restrictions always apply. | Contact details; communication preferences; opt-in and opt-out records; promotion eligibility data; non-sensitive segmentation data; message engagement metrics; bonus or offer interaction history.
Website operation, analytics, diagnostics and cookie-based measurement | Legitimate interests in running, securing and improving the Website (Article 6(1)(f)); consent where law requires consent for optional cookies or similar technologies (Article 6(1)(a)). | Cookie IDs; device and browser data; page views; referral information; traffic and performance logs; on-site interaction data; error reports; aggregated or pseudonymized analytics information.
Regulatory reporting, audits, authority cooperation and legal claims | Legal obligation to cooperate with competent authorities (Article 6(1)(c)); legitimate interests in establishing, exercising or defending legal rights (Article 6(1)(f)). | Account, verification, betting, payment, communication and compliance records that are relevant to an audit, investigation, report, legal proceeding, supervisory request or claim, as permitted or required by law.

DATA RETENTION

We do not keep Personal Data indefinitely. Retention is assessed by reference to the reason for processing, the type of record, the sensitivity of the information, and the legal or operational need for keeping it.

In particular, retention periods may depend on:

  • the time needed to provide the Services, administer your Account, complete transactions, handle complaints, and meet contractual duties;
  • mandatory record-keeping periods under AML/CFT, betting, accounting, tax, corporate, and supervisory rules;
  • the need to investigate suspicious activity, enforce platform rules, respond to regulator requests, or establish, exercise or defend legal claims;
  • responsible betting and self-exclusion obligations, where retaining certain data is necessary to prevent re-registration or unauthorized access.

When Personal Data is no longer needed for the relevant purpose and no law requires further retention, we delete it, irreversibly anonymize it, or place it in restricted archives with access limited to legally justified purposes.

WHERE DID WE OBTAIN YOUR PERSONAL DATA FROM

Most Personal Data is received directly from you or generated when you use the Services. We may also receive or validate information through trusted external sources when this is necessary for verification, security, payment handling, risk management or compliance.

The main sources include:

Information supplied by you: details entered during registration, verification, profile management, payment requests, support conversations, complaints, responsible betting requests or document submissions.

Use of the Website and Services: technical logs, betting activity, account actions, payments, communications, cookie data, security events, and other data created when you navigate or use the platform.

Verification, payment, security and compliance partners: information returned by providers that support identity checks, document validation, sanctions or PEP screening, fraud prevention, payment processing, transaction monitoring, analytics or secure communications.

Publicly available and lawful third-party sources: records or information used only where relevant for compliance, verification, risk assessment, dispute handling or legal purposes.

Authorities and official bodies: information or requests received from regulators, courts, law enforcement agencies, financial intelligence units, tax authorities, or other competent public bodies when permitted or required by law.

DATA STORAGE AND INTERNATIONAL TRANSFERS

Personal Data may be stored and processed on systems operated by us or by carefully selected service providers. Those systems may be located in the European Economic Area, Curaçao, or other jurisdictions, depending on technical, business continuity, payment, security and regulatory requirements.

Where Personal Data is transferred outside the EEA or another jurisdiction that restricts international transfers, we use appropriate safeguards required by applicable law. These safeguards may include:

  • transfers to jurisdictions that have been recognized as providing adequate protection, where such recognition applies;
  • Standard Contractual Clauses or another approved transfer mechanism where no adequacy decision is available;
  • contractual confidentiality, security, access control and audit obligations imposed on processors and other recipients;
  • technical and organizational controls such as encryption, access limitation, monitoring and data minimization, where appropriate.

WHO MAY WE SHARE YOUR PERSONAL INFORMATION WITH

We disclose Personal Data only where there is a lawful reason and only to the extent needed for the relevant purpose. Recipients are required to process the data in accordance with applicable law, confidentiality duties, security standards and, where applicable, written data processing agreements.

Personal Data may be made available to the following categories of recipients:

Regulators, supervisory bodies and public authorities: including the Curaçao Gaming Authority, Financial Intelligence Unit, tax authorities, courts, police, law enforcement agencies and other governmental bodies where reporting, cooperation or disclosure is required or legally justified.

Identity, KYC, AML and compliance providers: partners that assist with document verification, age checks, screening, risk scoring, sanctions controls, unusual transaction analysis and other compliance workflows.

Payment processors, acquiring banks and financial institutions: entities that support deposits, withdrawals, refunds, payment authentication, transaction monitoring, reconciliation and chargeback handling.

Customer support and communication suppliers: providers of live chat, ticketing systems, email delivery, phone support, notification tools and similar communication channels used to respond to users and operate the Service.

Fraud prevention, cybersecurity and platform integrity partners: specialists that help detect unauthorized access, bot activity, account takeover, suspicious transactions, system abuse, or breaches of platform rules.

Analytics, diagnostics and optimization providers: tools used to understand Website performance, identify errors, measure user journeys, test improvements and evaluate service reliability. Where practical, information is aggregated, anonymized or pseudonymized.

Sportsbook, odds, trading, risk and settlement suppliers: licensed or contracted providers that support sports betting markets, odds feeds, bet acceptance, risk control, event settlement or related platform functionality. We share only what is needed for the relevant function, such as user or session identifiers and transaction references.

Hosting, cloud, IT, security and business operations providers: companies that provide infrastructure, storage, database administration, monitoring, productivity tools, backup, disaster recovery and secure internal systems.

Professional advisers and counterparties: lawyers, auditors, consultants, insurers, payment agents, corporate service providers or potential business transferees where disclosure is necessary for audits, advice, claims, restructuring, financing or corporate transactions.

WHAT ABOUT COOKIES

The Website may place cookies, pixels, local storage objects, SDKs, tags and comparable technologies on your device. These technologies help the Website function, remember choices, secure sessions, understand performance, improve content and, where permitted, deliver relevant communications or advertising.

Types of Cookies and Their Purposes

We may use the following categories:

Essential cookies: required for core Website operation, including navigation, secure login, account authentication, fraud prevention, load balancing, consent storage and access to protected areas. These cannot normally be disabled through our systems because the Service would not work properly without them.

Preference and functionality cookies: used to remember settings such as language, region, interface choices, account display preferences and other features that make the Website more convenient.

Analytics and performance cookies: used to measure traffic, identify technical issues, understand which pages are used, evaluate response times, and improve Website stability. The information is generally aggregated or pseudonymized where possible.

Advertising and targeting cookies: used, where permitted, to tailor ads or promotional content, measure campaign effectiveness, manage frequency, and build audience segments. These cookies are subject to consent or opt-out where required by law and to responsible betting limitations.

Session vs. Persistent Cookies

Some cookies are deleted when you close your browser. Others remain for a defined period or until you remove them. Persistent cookies help remember choices, maintain security signals, or recognize a returning browser.

First-Party vs. Third-Party Cookies

Cookies may be set by us directly or by third parties that provide services to us, such as analytics, security, customer support, advertising, payment or technical service providers.

Managing Cookies

You can control cookies through your browser or device settings and, where available, through the consent tools on the Website. Blocking some cookies may reduce functionality, prevent secure areas from working, or limit our ability to provide parts of the Services.

WHAT DO WE DO TO PROTECT MINORS

The Services are not intended for minors. Access is limited to individuals who are at least eighteen (18) years old or who have reached the higher legal age for betting in their place of residence or location of access.

Age Restrictions and Affirmation

By opening an Account, using the Website or placing a bet, you confirm that you meet the applicable legal age requirement. We may refuse registration, suspend access, request documents, or close an Account if we cannot verify that this requirement is met.

Comprehensive Age Verification Mechanisms

We apply age verification controls designed to prevent underage access. These controls may include:

  • requesting government-issued identity documents during registration, before withdrawals, or at any other time required by risk or compliance controls;
  • checking date of birth, document authenticity, personal details and verification results through internal tools or trusted third-party providers;
  • using selfie, liveness or additional checks where needed to confirm that the person using the Account matches the verified identity.

Preventive Measures and Security Reviews

We may use monitoring and review measures to detect attempts by minors to access the Services, including:

  • automated and manual checks for inconsistent registration data, document anomalies, unusual account activity or other underage access indicators;
  • temporary restrictions while age or identity is being reviewed;
  • review of registration data, betting activity, payment records and support communications where underage use is suspected;
  • closure of Accounts and deletion or restriction of data submitted by persons confirmed to be minors, except where retention is legally required for compliance, reporting, fraud prevention or dispute purposes.

Parental Controls and Education

Parents and guardians are encouraged to use parental control software, device restrictions and network filtering tools, and to explain the risks of unauthorized online betting to minors.

Commitment to Responsible Betting

Our responsible betting approach includes age-gating, verification checks, user protection tools, self-exclusion controls and ongoing review of policies against applicable regulatory expectations. By using the Services, you acknowledge that you meet the legal age requirement and that betting is intended only for eligible adults.

NECESSARY INFORMATION ABOUT YOUR RIGHTS

Your rights

Depending on where you are located and which law applies, you may have the following rights in relation to your Personal Data:

Access: to ask whether we process your Personal Data and to receive a copy of the data and key information about the processing.

Rectification: to ask us to correct inaccurate data or complete data that is incomplete.

Erasure: to request deletion where the applicable legal conditions are met, for example where the data is no longer needed or consent has been withdrawn and no other legal basis applies.

Restriction: to ask us to limit processing in certain circumstances, such as while accuracy is being checked or where processing is contested.

Data portability: to receive certain data that you provided to us in a structured, commonly used and machine-readable format, and to transmit it to another controller where technically feasible and legally required.

Objection: to object to processing based on legitimate interests due to your particular situation, and to object at any time to direct marketing.

Consent withdrawal: to withdraw consent where processing is based on consent. Withdrawal does not affect processing that took place before withdrawal.

These rights are not absolute. We may need to verify your identity before acting on a request and may refuse or limit a request where the law permits or requires this, including where retention is necessary for AML, tax, responsible betting, dispute, audit or regulatory reasons.

Exercising your rights

To exercise a data protection right, please contact us through one of the following channels:

Please describe the right you wish to exercise and provide enough information for us to identify your Account and process the request securely.

WITHDRAW CONSENT

Where we rely on consent to process Personal Data, you may withdraw that consent at any time. This will not invalidate any processing carried out before the withdrawal.

You may withdraw consent by using the available account or communication preference tools, where provided, or by contacting us using the details in this Policy. After we receive the request, we will stop the relevant consent-based processing unless another lawful basis applies or continued retention is required by law, regulation or legitimate legal purposes.

If withdrawal of consent affects the availability of a feature, communication, promotion or part of the Services, we may explain the practical consequences before or when the withdrawal is applied.

COMPLAINT

If you believe that your Personal Data has been handled unlawfully or that your privacy rights have not been respected, you may lodge a complaint with a competent supervisory authority. Under Article 77 GDPR, this may include the authority in the EU Member State where you live, work, or where the alleged infringement took place, where the GDPR applies.

You may also contact the relevant Curaçao authority or the Curaçao Gaming Authority in relation to regulated betting matters, where appropriate.

We encourage you to contact us first if you have concerns. This does not limit your right to complain to an authority, but it may allow us to review and resolve the issue more quickly.

PROVISION OF PERSONAL DATA AND CONSEQUENCES OF NON-DISCLOSURE

Some Personal Data is needed because the law requires it, because it is necessary to enter into or perform a contract with you, or because it is required for secure and compliant access to the Services.

For example, we may need certain information to:

  • verify your identity and age;
  • open and administer an Account;
  • process deposits, withdrawals, refunds and payment checks;
  • comply with AML/CFT, tax, reporting, responsible betting and regulatory obligations;
  • protect the Website, other users and the integrity of the betting environment;
  • respond to support requests, complaints, disputes or authority inquiries.

Obligation to Provide Data

Where Personal Data is legally or contractually required, failure to provide it may mean that we cannot lawfully or practically provide the relevant Services. This may result in:

  • inability to create, verify or maintain an Account;
  • delays, refusals or restrictions on deposits, withdrawals or other transactions;
  • limits on Website features or betting access;
  • temporary suspension or closure of the Account;
  • inability to complete compliance checks or meet regulatory obligations.

LEGAL DISCLAIMER

The Services are provided on an as-is and as-available basis, subject to applicable law and the Terms and Conditions. We work to maintain a secure and reliable Website, but no online service, network, storage environment or transmission method can be guaranteed to be completely secure, continuously available or free from errors.

We use reasonable technical and organizational measures designed to protect Personal Data against unauthorized access, loss, misuse, alteration or disclosure. These measures may include access controls, encryption, monitoring, supplier due diligence, internal policies, staff restrictions and incident response procedures.

Limitations of Liability

To the fullest extent permitted by applicable law, we are not responsible for:

  • events outside our reasonable control, including network outages, hosting failures, cyberattacks, malware, unauthorized third-party activity, force majeure events or failures of third-party systems;
  • indirect, incidental, special, consequential, punitive or similar damages connected with unauthorized access, disclosure, loss or misuse of Personal Data;
  • the privacy practices, security standards, content or availability of third-party websites, applications, payment channels or services that are not operated by us, even if they are linked from the Website.

Nothing in this Policy excludes or limits liability where such exclusion or limitation is not permitted by law.

CONSENT TO PRIVACY POLICY

By accessing the Website, creating an Account, using the Services, submitting Personal Data, or continuing to use the Services after this Policy is made available, you acknowledge that you have read and understood this Privacy Policy.

This Policy should be read together with the Terms and Conditions, Cookie Policy, responsible betting notices, promotional rules, and any additional privacy or service notices displayed on the Website.

We may update this Policy from time to time to reflect changes in law, regulation, technology, business operations, security practices or the Services. The updated version will be published on the Website and will apply from the date stated in that version unless a different effective date is specified. We recommend reviewing the Policy regularly.

OTHER TERMS

This Privacy Policy may be made available in several languages. Translations are provided for convenience only. If there is any inconsistency, ambiguity or conflict between versions, the English version prevails to the extent permitted by applicable law.