Kingmaker Casino Privacy policy

General provisions and scope

This Privacy Policy governs the processing of personal data in connection with the services made available on kingmakeronline.it.com and related service channels. The Kingmaker Casino Privacy policy applies to processing activities carried out for account creation, identity verification, payment operations, customer support, responsible gaming administration, and the technical delivery of the website. For the purposes of this document, references to personal data protection shall include collection, use, storage, disclosure, and deletion of personal data under a risk based and accountability oriented approach. The policy is designed for a global audience and incorporates GDPR principles where relevant, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability. Where local legal requirements impose stricter standards, those standards prevail to the extent applicable.

The data controller determines the purposes and means of data processing for the website and related operations, and ensures governance measures suitable for the nature of the processing and the likely risks to privacy. Where service providers act on documented instructions, they shall be treated as processors and shall be subject to contractual obligations that reflect appropriate confidentiality and security commitments. This document covers processing performed through registration data submission, login details authentication, device and browser interactions, and support communications, as well as processing associated with regulatory compliance and fraud prevention. The scope includes users, visitors, and individuals whose data is provided in the course of transactions, verification procedures, or support engagements. Processing is limited to what is necessary for defined purposes and is subject to periodic review.

Regulatory framework and core principles

This policy is framed by widely recognised data protection principles applicable to a global audience, including GDPR aligned concepts where relevant and comparable privacy frameworks in other jurisdictions. The processing of personal data shall be conducted under a lawful basis, documented operational purposes, and security and confidentiality safeguards proportionate to the risks of unauthorised access, loss, or misuse. The controller maintains records of processing activities where required, and adopts internal controls intended to demonstrate compliance and facilitate audits or regulatory inquiries. Where consent is used as a lawful basis, it shall be collected through clear affirmative action and shall be capable of being withdrawn without detriment to processing that is necessary on other legal grounds. Where legitimate interests are relied upon, those interests are balanced against the rights and freedoms of individuals.

Accountability is implemented through governance measures that support personal data protection, including access restrictions, training, and internal escalation procedures for incidents and rights requests. Data accuracy is supported through mechanisms that allow correction of registration data and identification data, and through verification checks where required by law or risk controls. Storage limitation is implemented through retention periods aligned to operational and legal requirements, after which data is deleted or anonymised, subject to technical feasibility and legal holds. Integrity and confidentiality are supported through security controls such as encryption, secure authentication, monitoring, and incident response workflows. Transparency is implemented through this policy, through contextual notices where appropriate, and through responses to data subject requests.

Categories of personal data processed

The controller may process identification data such as name, date of birth, nationality, and government issued identifiers where required for verification and compliance screening. Registration data may include contact details, residential address, account preferences, and certain responsible gaming settings. Login details may include credentials, authentication factors, security questions, and logs linked to account access, with safeguards designed to prevent credential compromise. Financial data may include payment method tokens, transaction identifiers, billing descriptors, and records needed for reconciliation, chargeback handling, and anti fraud controls, while avoiding storage of full payment card details where not necessary. Technical and usage data may include IP address, device identifiers, browser settings, timestamps, and activity logs within the service, to support security, performance, and incident investigation.

The controller may also process communications data contained in messages to customer support, including attachments and contextual information required to resolve disputes or verify account ownership. Where legally required, the controller may process verification artifacts relating to age and identity, and may record outcomes of screening or risk assessments, while limiting access to authorised personnel. For regulatory and safety purposes, processing may include information relevant to self exclusion administration, limits enforcement, and integrity controls, subject to confidentiality measures. Certain processing activities may involve special categories under some laws depending on the content provided by the individual, and such data will not be requested as a condition of service unless strictly required by law. Data minimisation is applied by limiting the collection of personal data to what is necessary for stated purposes, and by restricting the files and fields used in forms.

How personal data is collected and recorded

Operationally, personal data is collected through account creation workflows, verification steps, payment interactions, and communications with support channels. The Kingmaker Casino Privacy policy covers data submitted directly by the individual, such as registration data and identification data, and data generated through use of the website, such as activity logs and security signals. Technical collection occurs through server logs and client side mechanisms that record events necessary to maintain service availability, prevent abuse, and measure performance. Data may also be obtained from payment service providers and verification partners that confirm identity attributes or transaction status, subject to contractual safeguards and lawful basis assessment. Where permitted, the controller may use automated checks to detect inconsistent or suspicious activity, and the results may be logged for auditability.

Collection may occur during password reset processes, multi factor authentication, dispute resolution, and investigation of account security incidents. Where necessary to comply with legal requirements, collection may include capture of documents or images submitted for verification, with secure transmission channels and restricted storage. Data received from third parties is limited to what is required, for example confirmation of payment authorisation or verification outcomes, and is not used for unrelated purposes. Where an individual provides third party information, the controller expects that the information is provided lawfully and only to the extent required for the relevant transaction or support request. The controller may also collect information from publicly available sources or official registers only where necessary for compliance screening or fraud prevention and where permitted by applicable law.

Purposes of processing and operational necessity

Processing is carried out to provide core services, including account administration, authentication, game session management, payment processing, and delivery of customer support. The controller processes personal data to maintain service integrity, including monitoring for suspected fraud, misuse, and unauthorised access attempts. Processing is also performed to satisfy legal and regulatory obligations that may apply to gaming operations, such as age verification, identity verification, and record keeping. The controller may use data to manage risk, resolve disputes, handle chargebacks, and perform internal reporting and reconciliation. Where service availability and stability require diagnostics, limited technical data is processed to detect failures, improve performance, and maintain compatibility across devices.

The Kingmaker Casino Privacy policy also covers processing performed to enforce terms, prevent prohibited activity, and ensure the safety and security of systems and individuals. Responsible gaming controls may require processing to implement limits, enforce exclusions, and document compliance actions, subject to strict access control. Communications data is processed to respond to inquiries, manage complaints, and retain evidence of instructions where necessary. Where legally required, processing may include responding to lawful requests from competent authorities and maintaining documentation to demonstrate compliance. The controller does not process personal data for purposes that are incompatible with those described, unless further notice is provided or a lawful basis permits the change.

Processing is conducted on the basis of contractual necessity where it is required to create and administer an account, authenticate login details, process transactions, and provide the requested services. The controller relies on legal obligations where processing is required for compliance measures such as identity verification, record retention, and responses to lawful authority requests. Legitimate interests may be relied upon for security monitoring, fraud prevention, and service improvement, provided that such interests are not overridden by the rights and freedoms of individuals. Consent may be used for certain non essential cookies and comparable tracking mechanisms, and for specific optional processing activities where applicable. Where multiple legal bases may apply to the same processing operation, the controller documents the primary basis used for compliance purposes.

The legal basis analysis is reviewed when processing conditions change, such as when new regulatory requirements apply, when security risks evolve, or when new service features are introduced. Where consent is the relevant basis, withdrawal is implemented through available controls and will apply prospectively, without affecting processing already performed. Where legitimate interests are relied upon, the controller considers proportionality, reasonable expectations, and the nature of the data, and implements safeguards such as limited retention and access restrictions. For users in jurisdictions that provide additional rights or require specific notices, the controller will provide supplementary information where required by law. Nothing in this section limits the right of an individual to lodge a complaint with a competent supervisory authority where applicable.

Data retention and deletion standards

The controller retains personal data for no longer than necessary to achieve the purposes described and to comply with applicable legal obligations and operational requirements. The Kingmaker Casino Privacy policy applies retention rules that differentiate between categories such as identification data, registration data, financial data, and security logs, reflecting their distinct compliance and risk characteristics. Account data is generally retained for the life of the account and for a post closure period to support dispute resolution, compliance audits, and fraud prevention, subject to legal requirements that may mandate longer retention. Certain transaction and verification records may be retained for 5 years where such a period is required or justified for legal claims, regulatory compliance, or audit defence. Security and access logs may be retained for 90 days to 12 months depending on threat levels, incident response needs, and the sensitivity of the system involved.

Deletion and anonymisation processes are implemented through scheduled routines and controlled workflows, with exceptions for legal holds, active disputes, or ongoing investigations. Where a request for erasure is received, the controller assesses whether continued retention is required by law, necessary for the establishment, exercise, or defence of legal claims, or required for security and fraud prevention. Where retention is required, data may be restricted from routine use and access may be limited to authorised personnel. Technical limitations may affect immediate deletion from certain backup systems, in which case deletion will occur through normal backup rotation cycles, with safeguards applied to prevent further active processing. Retention periods may be reviewed at least once every 12 months to reflect changes in applicable law, operational necessity, and risk assessment outcomes.

Disclosure to third parties and intra group access

Personal data may be disclosed to processors and service providers acting on documented instructions, including hosting providers, customer support tooling providers, identity verification providers, and payment processors, to the extent necessary to deliver the services. The controller limits disclosures to the minimum necessary data fields and applies contractual requirements on confidentiality, data security, and restrictions on further use. The controller may also disclose personal data where required to comply with a legal obligation, respond to lawful requests, or protect the rights, property, or safety of the controller, users, or others. Where disputes, chargebacks, or fraud allegations arise, limited financial data and related logs may be shared with relevant payment networks or financial institutions as required for investigation and resolution. Internal access is managed on a need to know basis, with role based access controls and audit logging.

The casino Kingmaker service environment may involve affiliated entities or operational partners that support compliance, risk management, or technical operations, and access is restricted to approved purposes and authorised roles. The controller does not sell personal data, and does not disclose personal data for unrelated third party purposes without a lawful basis and appropriate notice. Where processors are engaged, due diligence is performed to evaluate data security posture, sub processing arrangements, and incident response capability, including contractual duties to notify without undue delay. Where third party tools process data as independent controllers, the controller will identify such roles where practicable and provide appropriate notices, subject to the structure of the service. Disclosures are documented to support accountability and to enable response to rights requests and regulatory inquiries.

International data transfers and cross border processing

The Kingmaker Casino Privacy policy anticipates that processing may involve cross border transfers due to globally distributed infrastructure, support operations, and third party providers. Where personal data is transferred internationally, the controller applies safeguards intended to ensure an essentially equivalent level of protection, including contractual clauses, transfer risk assessments, and supplemental technical or organisational measures where appropriate. Transfers may occur to jurisdictions that do not provide an adequacy decision under certain frameworks, in which case additional safeguards are applied to mitigate access risks and support enforceable rights. Access to systems from different regions, including remote support access, is treated as a transfer where applicable and is controlled through secure access methods and logging. Individuals may request information about applicable transfer safeguards, subject to limitations where disclosure would compromise security or confidential commercial information.

Operationally, cross border processing may occur where payment processors and verification partners operate in multiple jurisdictions, or where disaster recovery systems are hosted in alternative regions. The controller uses encryption in transit and applies access controls to reduce the likelihood of unauthorised disclosure during transfer and storage. Where data is transferred to service providers, the controller seeks to ensure that sub processors are subject to equivalent obligations and that onward transfers are restricted. The controller evaluates legal risks associated with government access requests and applies measures such as data minimisation, pseudonymisation where feasible, and strict access governance. International transfer arrangements are reviewed when material changes occur in provider locations, legal frameworks, or threat intelligence.

Cookies and similar tracking technologies

Cookies and similar technologies are used to ensure the website functions properly, to maintain sessions, to protect account security, and to support the delivery of services. The controller distinguishes between strictly necessary cookies required for authentication and security, and optional cookies used for analytics or preference management where applicable. The casino Kingmaker environment may use cookies to remember session identifiers, to detect repeated failed login attempts, and to support security measures such as anti fraud checks. Where consent is required by applicable law for non essential cookies, the controller collects and records such consent and provides a mechanism to modify choices. Browser and device settings can be used to manage cookies, although blocking certain cookies may impair functionality.

The Kingmaker Casino Privacy policy applies to information collected through cookies insofar as it constitutes personal data, including identifiers that can be linked to an account or device. Cookie retention depends on the type, with session cookies expiring when the browser session ends and persistent cookies retained for defined periods aligned to their function. Analytics related identifiers, where used lawfully, may be retained for up to 13 months to support trend analysis and security monitoring, subject to consent where required. Security cookies may be retained for shorter periods such as 30 days where risk signals are needed to prevent abuse and investigate incidents. The controller implements controls intended to limit tracking to what is proportionate and to reduce the risk of unauthorised profiling.

Information security measures and breach response

Security is implemented through technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures may include encryption for data in transit and at rest, secure key management, network segmentation, vulnerability management, and monitoring of suspicious activity. Access to personal data is limited by role based permissions, multi factor authentication where appropriate, and logging designed to support accountability and incident investigation. Operational safeguards include least privilege administration, periodic access reviews, and separation of duties for sensitive functions such as payment administration. The controller targets an availability objective of 99.9% for core systems where feasible, while recognising that resilience measures are not a substitute for legal compliance and security risk management.

Incident management procedures are maintained to detect, assess, contain, and remediate suspected personal data breaches. Where a breach is likely to result in a risk to rights and freedoms, notification to competent authorities and affected individuals will be assessed under applicable legal thresholds and timeframes, including a 72 hour assessment window where GDPR aligned standards apply. Post incident reviews are performed to identify root causes, implement corrective actions, and document lessons learned. Security controls are tested and reviewed periodically, including through audits and technical assessments, and improvements are prioritised based on risk severity and business impact. The controller also applies contractual requirements to processors regarding incident notification timelines and cooperation duties.

Data subject rights and request handling

Rights based framing applies to the processing of personal data, and the controller recognises rights that may be available under applicable laws, including the right of access, rectification, erasure, restriction, portability, and objection where relevant. Individuals may also have rights related to consent withdrawal and rights to challenge certain automated decision making where such processing produces legal or similarly significant effects. The controller implements procedures intended to verify identity before fulfilling requests, including checks against identification data and account security signals, in order to prevent unauthorised disclosure. Where an agent submits a request on behalf of an individual, evidence of authority may be required to protect privacy and prevent fraud. Requests are assessed on a case by case basis to determine applicability, scope, and any legal exceptions.

The Kingmaker Casino Privacy policy provides that rights requests will be handled without undue delay and, where GDPR aligned timelines apply, generally within 30 days from verification of identity and scope. Where requests are complex or numerous, the response period may be extended in accordance with applicable law, and the requester will be informed of the extension and reasons. Where the controller cannot fulfil a request in full, reasons will be provided to the extent permitted, including references to legal obligations, security considerations, or rights of others. The casino Kingmaker operations may require retention of certain financial data and compliance records even where erasure is requested, in which case processing may be restricted and the rationale documented. The controller maintains a log of rights requests to support accountability, including dates, outcomes, and applied exemptions.

Contact channels, verification, and data request procedures

Requests regarding personal data protection, including questions about this policy and submissions of rights requests, may be directed through the contact channels published on kingmakeronline.it.com. The controller may request specific information to verify identity, such as account identifiers, recent transaction references, or other information proportionate to the risk of unauthorised access. Where an account is suspected to be compromised, the controller may apply additional checks and may temporarily restrict account access to protect personal data and financial data. Communications may be retained as part of compliance records and for dispute resolution, with retention aligned to the retention standards described in this policy. The controller endeavours to provide clear confirmations of receipt and to maintain confidentiality in correspondence.

Where a request concerns cookies or tracking, the controller may request information about device and browser context to assist in identifying relevant files and cookie identifiers. Where a complaint is submitted, the controller may request supporting materials and may open an internal investigation, limiting access to authorised roles. If an individual considers that the response is inadequate, applicable laws may provide for escalation to a supervisory authority or other competent body, and the controller will not retaliate against complainants. The casino Kingmaker support process aims to resolve routine privacy inquiries within 10 business days where feasible, while recognising that statutory timelines govern formal rights requests. Any documentation collected during verification is used solely for handling the request and is then deleted or retained only as necessary to demonstrate compliance.

Policy amendments and compliance commitment

The Kingmaker Casino Privacy policy may be amended to reflect changes in law, regulatory guidance, operational practices, security controls, or the categories of personal data processed. Amendments may also be required where new services are introduced, where processors or infrastructure locations change, or where risk assessments indicate that additional safeguards are appropriate. The controller will publish the updated version on kingmakeronline.it.com/privacy-policy and will update the effective date within the document, and material changes may be communicated through account notices where appropriate. Continued use of the services after publication of an amended policy will be treated as acknowledgement of the updated terms to the extent permitted by applicable law, without limiting rights related to consent where consent is required. Where changes affect processing based on consent, fresh consent will be sought where legally required before the new processing begins.

Compliance commitment is maintained through periodic reviews of data processing activities, internal controls, and vendor management, with attention to personal data protection, data security, and the integrity of record keeping. The controller applies GDPR aligned principles where relevant to a global audience, including transparency, purpose limitation, data minimisation, and accountability, and documents decisions affecting rights and risks. Where this policy is amended, prior versions may be retained for 2 years for governance purposes and to evidence compliance decisions, with access restricted to authorised personnel. The controller remains responsible for ensuring that data processing aligns with the stated legal bases, that retention periods are applied consistently, and that security measures such as encryption and access controls are reviewed for effectiveness. For any questions or requests connected to the Kingmaker Casino Privacy policy, individuals may use the published contact and data request procedures, and the controller will address such communications in accordance with applicable legal time limits and documented internal processes.