Data protection

RABBIT ENTERTAINMENT LTD. PRIVACY POLICY STATEMENT

A. General

This Privacy Policy applies to the website www.tigerspin.com and is incorporated in the Terms & Conditions.

This Privacy Policy will inform you on how we look after your personal data when any person is registering with Rabbit Entertainment for participating in gameplay on our website (hereinafter referred to as ‘you’) and informs you on how your data is processed, your privacy rights and how the law protects you.

This website is not intended for children and we do not knowingly collect data relating to children.

Without prejudice to what has been stated within the ‘Operational aspects of the website’ section below, the primary entity responsible for this website for the purposes of data protection law is Rabbit Entertainment Ltd, with company registration number C-66436, having its registered address at Level 3, 14 East Business Tower, Triq Tas-Sliema, Gzira, GZR 1544, Malta (the “Controller”).

Rabbit Entertainment Limited ist darauf bedacht, alle personenbezogenen Daten, die sich in unserem Gewahrsam befinden, zu schützen. Wir verpflichten uns zur Einhaltung der Europäischen-Datenschutz-Grundverordnung 2016/679 (die „DSGVO“).

Any reference in this Privacy Policy to “Rabbit Entertainment Ltd.”, “us”, “we” or “our” is a reference to the Controller.

We refer to you, the visitor and/or the user of our services, as “you” and derivatives of the word “you”.

Rabbit Entertainment Limited is concerned with protecting the privacy of any personal data we hold. We are committed to comply with the European General Data Protection Regulation 2016/679 (the "GDPR").

If you have any questions about this Privacy Policy or our privacy practices, you may contact our DPO:

Email address: [email protected]

Postal address: Level 3, 14 East Business Tower, Triq Tas-Sliema, Gzira, GZR 1544, Malta

Operational aspects of the website

Notwithstanding the generality of the foregoing, kindly note that this website is operated by GMC Entertainment Limited, having company registration number C 96294, with its registered office at 51, Santa Lucia Street, Valletta VLT 1182 Malta (the “White Label Partner”).

Whilst the website is owned by us (we are the rightful registrar to the website and the latter is run under our MGA licence), the White Label Partner operates the website with respect to all the aspects pertaining to player life-cycle-related activities (e.g. from acquisition efforts to retention, or re-acquisition as the case may be), as well as all marketing/promotional undertakings as addressed to you.

Henceforth, due to the above-elucidated facts, there is a reciprocal and constant exchange of your personal data between us and the White Label Partner which qualifies the said parties as Joint Controllers in accordance with the terms contained within Article 26 of the GDPR.

Following the above, please note that the White Label Partner, therefore, has and requires constant full access to your personal data. Thus, any permissions granted herein to us are extended to the White Label Partner.

Notwithstanding the foregoing, please bear in mind that any exchange of personal data between us and the White Label Partners occurs upon solid and structured arrangements in compliance with the requirements of the GDPR and its principles. Should you want to hear more about such joint controller relationship please do not hesitate to get in touch either through [email protected] or [email protected]. The essence of the said arrangements can be made available to you without undue delay and upon your request.

B. Changes to the Privacy Policy and your duty to inform us of changes

We keep our Privacy Policy under regular review. This version was drafted on May 2021. Historic versions can be obtained by contacting us.

We reserve the right to amend this Privacy Policy from time to time. This Privacy Notice may be subject to changes, of which you will be notified without undue delay on your player account.

C. Third-Party links and Third-Party Cookies

This website may include links to third-party websites, plug-ins, applications and cookies. Clicking on those links or enabling those connections or cookies may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the Privacy Policy of every website you visit.

This is inclusive of event of the games on our website being provided via the game provider websites and therefore not within our framework of privacy regulations. The third party games offered on our website include:

Play’n GO
Bally Wulff
Big Time Gaming
Gamomat
NetEnt
Microgaming
Amatic
Booming Games
Amusnet Gaming
Thunderkick
Lionline Entertainment
Yggdrasil
Endorphina
Playson
Playtech
Pariplay
Push Gaming
Oryx Gaming
Pragmatic Play
Kalamba Games
WMS
Leander Games
Shuffle Master
Barcrest
Evolution Gaming
Merkur Gaming
NextGen Gaming
United Remote
Wazdan
Red Tiger
Redrake
Relax Gaming
Blueprint Gaming
Shuffle Master
1x2 Gaming
Quickspin
Revolver Gaming
Spearhead

D. Cookies

For more information on how we use Cookies by please visit our Cookie Policy. It also contains a schedule displaying the third-party cookies implemented our websites and links to the particular third privacy policy.

EADR	https://eadr.org
WHISTLEBLOWER SYSTEM	https://chevron-consultants.com/hinweisgebersystem

E. What personal data will be processed?

Processing of personal data means any operation or set of operations which is/are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Personal data is any information that identifies you as an individual.

Kindly note that despite the fact that we make use of automated systems to assist us in monitoring and reviewing our players (especially from an AML and RG point of view), there is no instance of decisions affecting yourself based solely on automated processing as we always rely on human intervention when taking all final decisions and, generally speaking, within any decision-making process.

The following is the categories we give to the sets of data that we process during the customer relationship:

Player Account Data: including first name, last name, username or similar identifier, date of birth, gender, country;

Contact Data: including email address, postal address, telephone numbers;

Financial and Transactional Data: including payment method, transaction history (e.g. logins, gaming frequency, deposits, winnings, bonuses and games played, promotions and services you have taken part in), payment details (such as bank transfer, currency, credit card or another acceptable means of payment);

Identification and Verification Data: including proof of address, identity, age, nationality, qualifications, schools/universities attended, employment history and information, financial status information (e.g. source of income, source of wealth); in this respect, please note that we also collect information on the background of yourself as sourced from third party providers (private companies working mostly with public sources), namely CRIFBÜRGEL. More information relating to such third-party provider can be found at https://www.crifbuergel.de/en/datenschutz.

Profile Data: including interests, preferences, feedback, information about events which you have attended, what type of events you prefer, information about how you use our website, products and services;

Technical and Analytics Data: including IP address, access provider and type/version of browser used (this is further explained within our Cookie Policy as certain data is collected using cookies and/or similar tracking technology);

Marketing and Communications Data: including your preferences in receiving marketing from us and our third parties and your communication preferences; and

Correspondence Data: we store data obtained through communication with you (via recorded calls, chats, email, or SMS) which may include data pertaining to your complaints, as well as internal communication and notes;

Aggregated Data: we also collect, use and share Aggregated Data such as statistical or demographic. While aggregated Data is derived from your personal data this data will not directly or indirectly reveal your identity. For example, we may aggregate your Profile Data to calculate the percentage of users accessing a specific website feature.

Origin of the data

Provided data: refers to any information actively provided by your kind self when making use of our services (e.g. when you have to indicate your age in your user profile);

Observed data: apart from the personal data that comes directly from you, we also collect personal data as provided by yourself by virtue of using a specific functionality of the website, service or device (e.g. when you use a specific device to access your account with us we might be able to collect device type, GPS coordinates, mobile telephone number and so on);

Inferred data: “Inferred data” or “derived data” is created by ourselves on the basis of the ‘provided data’ or ‘observed data’ (e.g. we might be able to infer that a particular individual is likely to be interested in a particular product on the basis of his or her gambling activity and exchange of communications with ourselves).

We also collect information from third parties such as our partners, service providers and publicly available online searches, to comply with our legal and regulatory obligations, and provide and enhance the services.

Please note that if at any point, a data set is formed from the data that we hold about you, that directly or indirectly identify you, we treat the combined data set as personal data which will be used in accordance with this Privacy Policy.

F. What are the purposes of Processing?

As a first remark, please note that we need to process your personal information in order to provide you with our services; this follows your registration process for an account with us including the acceptance of the Terms & Conditions, and this Privacy Policy. In order for us to be able to keep up our contractual obligations and provide you with access to our services we need to process data or data sets that identifies you. We also need to process your personal data to fulfil our legal obligations.

The processing delivered on purposes which relate to your access to the services and our legal obligations are mandatory. You will always be informed about the purposes and which of the information we request or processing is mandatory and what information and processing is optional. Should you fail or decide not to provide us with pieces of information, or let us perform processing that is mandatory, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we will not be in the position to offer any service to you.

The purposes of processing relative to your access to the services are being provided here for in more details for your reference in this Privacy Policy, together with the other purposes of processing for your reference. We will use your personal data for the purpose of providing the service to you, and only authorise processors, sub-processors and third parties providing services to us or to you on our behalf to process data in the remit of the same purposes.

Specifically, this includes but is not limited to the following purposes we have envisaged in order to make use of your personal data:

Help you create, operate and manage your player account, allowing you to access our games and services; generally, administrating, communicating, and managing our relationship with you;

enable you to partake in a prize draw, competition or complete a survey;

deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you;

monitor the gaming activity for responsible gaming purposes;

oversee and investigate any suspicious behaviour in order to safeguard our activities from any risk and fraud;

monitor and investigate transactions and game play in order to prevent and detect fraud, money laundering;

manage registration of duplicate accounts and individuals from jurisdictions where gambling is prohibited;

statistical analysis and research;

marketing, market research, customer surveys and customer profiling data analysis;

comply with licensing and regulatory requirements;

research and development.

We will only use your personal data for the purposes for which they were obtained, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

For your protection, for our legitimate interest to protect against fraud and addiction as well as to satisfy our remote gambling and AML legal obligations we make use of automated systems to assist us in monitoring and reviewing our players. As mentioned, rest assured that all final decisions taken on any actions are done so through human intervention and human decision-making process.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Lastly, please note that should you not wish that your personal data is processed within the context of any activities of the website we will not be in the position to offer you our services.

G. What are the Legal Grounds underpinning such Processing?

Processing of your personal data will be mainly carried out based on the below-listed legal grounds from Article 6 GDPR. We may use more than one of the blow four legal grounds and this depends on what is the most appropriate considering the specific purpose in question and for which we are processing your data and the kind of relationship we have with you.

Contract Art. 6 (1b) GDPR: The processing is necessary for a contract entered into with you or to take steps at your request before entering into such a contract (i.e. when opening a registered player account).

Legal Obligation Art. 6 (1c) GDPR: The processing is necessary for us to comply with legal and regulatory obligations (especially those related to Anti Money Laundering regulations and the relevant online gambling and betting laws and regulations)

Consent Art. 6 (1a) GDPR: You have given clear consent for us to process the personal data for a specific purpose provided that and you will be able to withdraw your consent at any time. (By way of example, your consent will be needed in order to send you marketing and promotional communications. You will receive marketing communications from us if you have subscribed to the service and have not opted out of receiving that marketing. We will get your express opt-in consent before we share your personal data with any third party for marketing purposes. Should you no longer wish to receive these promotional communications, newsletters and marketing offers, you may opt-out of receiving them either when you register with us initially, or subsequently by the 'opt-out' option included in each communication therein. You are also, in addition, entitled at any time to notify us that you do not wish to receive any promotional communications from us and you may do this by emailing the customer support team by dropping an email to the following address: []

Legitimate Interest Art. 6 (1f) GDPR: The processing is necessary for the legitimate interest of our business or the legitimate interests of a third party in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We protect your personal data against activities where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by law. (By way of example we process your personal data as part of our business critical anti-fraud measures, for network security, to manage disputes with players, to direct players to responsible gaming support staff, and to improve the players’ experience).

H. What are your legal rights?

You have rights under data protection laws in relation to your personal data.

Request access to your personal data (Art. 15 GDPR) - You may obtain a copy of the personal data held by us about you at any time via [email protected] or [email protected]

Request correction of your personal data (Art. 16 GDPR) - You may at any time request through customer support that we correct any of your data.

Request erasure of your personal data (Art. 17 GDPR) - You may at any time request that we erase data held about you. We shall ensure that such personal data is, upon request, deleted provided that it is not required for purposes outlined in the How long do we store your data? section. Should it be the case, you will be advised that with the deletion of such personal data, the quality of your user-experience on the website will be diminished.

Right to restriction of processing (Art. 18 GDPR) - objection to processing (Art. 21 GDPR) and withdrawal of consent (Art. 7 GDPR) – You may at any time request to the customer support team that we restrict or cease to conduct certain data processes and we shall accede to that request, provided that there exists no legal obligation to process said data. Likewise, with respect to any data processes which are conducted by us on the basis of your consent, you may at any time withdraw said consent via the My Account section after logging in. Provided that the withdrawal of consent shall not affect the lawfulness of any data processing that would have taken place prior to said withdrawal.

Request transfer of your personal data (Art. 20 GDPR) - You may request that certain categories of your data are transferred to third parties by us by sending the request to the email addresses as denoted herein.

Right to lodge a complaint (Art. 77 GDPR) - You have the right to make a complaint at any time to a supervisory authority. The Information and Data Protection Commissioner (IDPC), in Malta is the Lead Supervisory Authority (www.idpc.org.mt).

Please note that there are exceptions the abovementioned rights. For instance, by way of example, request to be forgotten may not be fulfilled completely as we need to retain certain personal data, such as Transactional Data, due to retention periods set out in licence requirements and which we are subject to.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights); any query relating to data access or the exercise of any of your rights will be processed within thirty (30) days as of the submission of your request to us (unless otherwise specified). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

I. How long do we store your data?

We will only retain your personal data for as long as necessary for the legitimate purposes of processing outlined in this Privacy Policy and effectively implement the appropriate technical and organisational measures to provide effective protection against unauthorised or unlawful processing.

When your player account is closed, your personal data will remain stored for the minimum length of time required for us to comply with our legal obligations imposed us as a gaming operator by various legal instruments (such as applicable taxation laws, anti-money laundering regulation and gambling regulation and best practices) and our legitimate interests (for the purposes of resolving disputes).

Notwithstanding the foregoing, kindly bear in mind that this means that, in practical terms, we are obliged to retain your personal data up to 10 years from the date of a relevant transaction performed to and from your account registered with us. For more specific information about retention terms and respective set of personal data, please contact our Data Protection Officer and we will provide the specific data retention terms relative to you.

Lastly, without prejudice to the above, rest assured that when your personal data is no longer required by us, we will either securely delete or anonymise the personal data in question.

J. Who do we share your personal data with?

Group Companies and Processors
Throughout the provision of our services to you, your personal data is transferred and/or disclosed with recipients, who are authorised to process your personal data for the abovementioned purposes on our behalf or who are authorised by the law.
These recipients are either group companies subject to our privacy standards, or external companies who have been chosen to carry out the processing of your data on our behalf subject to the appropriate agreements ensuring that the processing of personal data in line with the provisions of the General Data Protection Regulation and this Privacy Policy. We take your privacy seriously; hence, we do our best to take all the steps reasonably necessary to make sure that your data is treated securely and in accordance with this Privacy Policy.
Please find details of the categories of the recipients involved in the processing of personal data as follows:
- Our group companies only for the purposes described in this Privacy Policy including the provider of the Gaming System;
- Game providers for the purpose of provision of games;
- White Label Partner
- Payment service providers to perform payment transactions;
- Marketing providers to perform certain marketing activities on our behalf and only with your consent;
- Regulatory bodies or Licensing bodies or supervisory authorities;
- IT/system support services;
- Third parties assisting in investigations (such as AML investigations) for the purpose of detecting and preventing fraud or other security or technical problems;
- Cloud services providers for provision of cloud-based services such as storage or hosting certain software;
- Professional advisors acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, credit rating, insurance and accounting services;
- Service providers for the purpose of data analytics;
- Third parties, including any company that belongs to the same group of companies as Rabbit, to whom we may sell, transfer or merge parts of our business, our assets or operations or as a result of a restructuring. Please note further that should there be a change in our business, the new owners may use your personal data in the same way that is established in this privacy policy;
- Service providers enabling communication with you from a technical standpoint (e.g. via email, chat).
Please note that most of the above epitomize essential pillars to the provision of our services to you being inextricably tied up with our operations (e.g. Cloud services providers, IT/system support providers); thus, should you not wish that your personal data is processed by certain service providers and retract your consent in this regard we will not be in the position to offer you our services.
Other recipients In the case of a supply of personal data to third parties who process data for their own purposes and subject to their own privacy policy, we will provide specifically the name of the third parties, explain for what purpose such persons may use that data and we will ask for your consent via a specific opt-in. Please note that more extensive details over our Group of Companies, Processors and other Recipients with whom we share your personal data are easily retrievable, on a free-of-charge basis, by emailing [email protected].

K. Will your personal data be transferred outside the EEA?

Should we transfer your personal data to any country outside the EEA (given that our suppliers might have their servers located outside of the EEA and/or have staff operating outside the EEA), such transfer will be protected and the appropriate safeguards will be ensured by applying the appropriate provisions in Chapter V of the GDPR and subject to the advice of the supervisory authority if we deem necessary in order to ensure that the level of protection of your personal data is not undermined.

To be more specific, we transfer personal data to third countries only upon:

adequacy decision from the EU Commission (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) in accordance with Art. 45 of the GDPR;

appropriate safeguards such as contractual clauses between us or processor and ourselves, processor or the recipient of the personal data in the third country or international organization in accordance with Art. 46 of the GDPR;

your consent to the proposed transfer, after having informed you of the aspects relating to such transfer in accordance with Art. 49 of the GDPR; or

an assessment regarding the necessity of the transfer of personal data to a third country for the performance of a contract between you and ourselves or the implementation of pre-contractual measures taken at your request;

Countries outside the EEA to which we may transmit your personal information are:

- United States of America (USA) - By way of example, our analytics service providers (such as Google) who process personal data for their own purposes as data controllers are based overseas. Please refer to our applicable Cookie Policy in order to identify how you may prevent access to your personal data by analytics providers. Also, you may find useful to go directly to Google terms of use https://www.google.com/analytics/terms/us.html and privacy statements https://privacy.google.com/businesses/compliance.

United Kingdom (UK) - By way of illustration, our data centers/servers facility provider (located in the UK) supports our workloads at scale across all the leading public and private clouds, whether they are powered by AWS, Microsoft, OpenStack, VMware, Google or Alibaba (which are all based in the USA);

Please note that all the above epitomize essential pillars to the provision of our services to you being inextricably tied up with our operations; thus, should you not wish that your personal data is processed outside the EEA area we will not be in the position to offer you our services.

Further information on how we process personal data and ensure the protection of the processing of personal data in this regard can be obtained by sending an email to [email protected]

L. Response to Personal Data Breaches Incidents

When we learn of a suspected or actual personal data breach, we shall perform an internal investigation and take appropriate remedial measures in a timely manner. Where there is any risk to the rights and freedoms of our visitors and/or users, we will notify the Lead Supervisory Authority and the data subjects where applicable, without undue delay and, when possible, within 72 hours from when it learns of such breach.

M. Data Security

No method of transmission over the Internet, or method of electronic storage is 100% secure and we cannot ensure or warrant the security of the information you transmit to us or store on the server and that you are doing so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered and or destroyed by breach being physical, technical or organisational.

That being said, we take all adequate technical and organisational efforts to protect your personal data from access by unauthorised persons and to prevent accidental or unlawful processing, disclosure, destruction, loss, alteration or damage. Only authorised personnel of ours or of third-party companies contractually bound to us and to the compliance with the principles of data protection and the terms of this Privacy Policy Statement, obtain access to your personal data.

All sensitive data which is transmitted between your computer and us is transferred securely via the internet, using strong encryption. We use secure and tested encryption technology bearing certificates provided by renowned certificate authorities.

In addition, all personal data will be protected from unauthorised or damage access by firewall and intrusion prevention systems.

Lastly, please note that whilst we do our part, you should also take your personal steps to safeguard the security of your data both physically and electronically by following common best practice procedures such as:

Running Anti-Virus software and keeping it up to date;

Applying operating systems, web browsers and other security updates;

Ensuring your laptop or other device is not left unattended whilst logged into our website;

Using strong passwords for all services/logins.

N. Validity

The version of this document is 1.0 and was drafted on 10th of May 2021.