Privacy Policy
This Privacy Policy explains how shuffle-casino at https://shuffle-ca.com collects, uses, discloses, transfers, and protects personal information. It applies to players and website/app visitors in Canada who access our services via shuffle-ca.com. Effective date: January 1, 2025.
Who We Are
OBSERVE: Operator and contact identity.
EXPAND: Provide verifiable company and supervisory details for accountability.
REFLECT: Data controller: Natural Nine B.V. (private limited company), registered in Curaçao, company no. 160998. Legal/registered address: Korporaalweg 10, Willemstad, Curaçao. Gaming licence: OGL/2025/1337/0628 issued by Curaçao Gaming Control Board (GCB), status active (valid through 2025 as per provided information). Brand: shuffle-casino on shuffle-ca.com.
- Data Protection Office (DPO): Natural Nine B.V., Korporaalweg 10, Willemstad, Curaçao
- Email: [email protected] (preferred channel)
- Postal: Attn: DPO, Natural Nine B.V., Korporaalweg 10, Willemstad, Curaçao
- Phone: By appointment on request via email (for record-keeping and security, we first verify your request in writing).
- Website: https://shuffle-ca.com
What Personal Data We Collect
OBSERVE: We collect data necessary to open, operate, secure, and enhance your account and gameplay.
EXPAND: Collection occurs via forms, gameplay, device interactions, cookies/SDKs, payment/KYC partners, and support channels.
REFLECT: Categories we process:
- Identity/contact: full name, date of birth, address, email, phone, government ID/KYC documents, selfies/liveness checks (where required).
- Account/behavioral: username, preferences, responsible-gambling settings, session data, bets, wins/losses, transaction history, clickstream, referral data.
- Technical: IP address, device identifiers, OS/browser, language, time zone, app version, crash reports, security logs, geolocation (approximate, where necessary for compliance).
- Payment/financial: card/bank/e-wallet identifiers (tokenized where possible), deposits, withdrawals, chargebacks, verification records.
- Communications: support tickets, chat transcripts, call notes, complaints, marketing preferences and consents.
- Cookies/trackers: session and persistent cookies, analytics SDKs, advertising pixels (only with consent where required), device fingerprinting for anti-fraud.
We may combine data across devices and sessions to secure accounts and maintain service integrity.
Legal Basis for Processing
OBSERVE: Canadian and international players may be protected by PIPEDA/provincial laws, and in some cases GDPR or other regimes.
EXPAND: We align bases to the user's location and service context.
REFLECT:
- Consent (PIPEDA/GDPR): For marketing communications, certain cookies/advertising IDs, and optional features. You may withdraw anytime via account settings or by contacting us.
- Contract necessity: To register, verify, provide gameplay, process payments/payouts, offer support, and operate your account.
- Legal obligations: KYC/AML checks, record-keeping, sanctions screening, fraud reporting, tax/audit requirements, responsible-gambling obligations.
- Legitimate interests (GDPR) / Appropriate purposes (PIPEDA): Service security, anti-fraud/abuse prevention, service analytics, product improvement; balanced against your privacy expectations and with safeguards.
- Vital/public interest: In rare cases, to prevent serious harm or comply with lawful requests.
Regional Compliance Note: Under PIPEDA and provincial laws (e.g., Quebec Law 25), we use purposes a reasonable person would consider appropriate in the circumstances and explain cross-border processing and safeguards.
Purpose of Processing
OBSERVE: Clear purposes help ensure meaningful consent and necessity.
EXPAND: We minimize data to what is needed per purpose.
REFLECT:
- Provide and operate services: account creation, age/identity verification, deposits/withdrawals, gameplay, customer support.
- Safety and fraud prevention: risk scoring, device fingerprinting, bot/abuse detection, chargeback management, security monitoring.
- Compliance: KYC/AML screening, transaction monitoring, sanctions checks, audits, regulatory reporting.
- Service improvement and analytics: performance measurement, bug fixes, feature testing, user experience optimization (aggregated or pseudonymized where possible).
- Marketing and personalization: newsletters, offers, bonuses, onsite recommendations, only with consent where required; you can opt out at any time.
- Responsible gambling: setting limits, monitoring risky patterns, self-exclusion and cooling-off enforcement.
Disclosure & Sharing
OBSERVE: We use vetted third parties to run core functions.
EXPAND: We impose contractual safeguards and share only what is necessary.
REFLECT:
- Payments/fintech: processors, banks, e-wallets, chargeback handlers (for deposits, withdrawals, fraud resolution).
- KYC/AML and compliance vendors: identity verification, sanctions/PEP screening, transaction monitoring, liveness checks.
- Technology/service providers: hosting, cloud, CDN, security, analytics, customer support platforms.
- Marketing/affiliates: email/SMS providers, affiliate tracking, ad networks (only with valid consent and subject to opt-out).
- Corporate transactions: mergers, acquisitions, financing, or asset sales (transferees bound by this Policy or equivalent terms).
- Authorities and regulators: lawful requests, audits, compliance with applicable laws and license conditions.
- Group/affiliates: intra-group transfers for operational efficiency, subject to safeguards and need-to-know access.
International Transfers
OBSERVE: Data may be processed outside your province or Canada.
EXPAND: Typical locations include Curaçao (controller), EU/EEA/UK (specialist vendors), United States (cloud/analytics), Cyprus (regional operations), Canada (local infrastructure/CDN).
REFLECT: We implement safeguards such as:
- Contractual protections: EU Standard Contractual Clauses (SCCs), UK IDTA/Addendum, and Quebec Law 25 transfer assessments and contractual clauses.
- Transparency under PIPEDA: notice of cross-border processing and contact pathways for inquiries.
- Technical/organizational measures: encryption, access controls, data minimization, and transfer impact assessments.
- US transfers: preference for vendors certified under the EU-US Data Privacy Framework where applicable, plus SCCs if required.
Data Retention
OBSERVE: Keep data only as long as necessary for stated purposes or legal requirements.
EXPAND: Apply category-based schedules and secure deletion/anonymization.
REFLECT:
- Account and identity data: for your account lifecycle and up to 5 years after closure (to manage disputes, fraud prevention, chargebacks).
- KYC/AML records: typically 5-7 years from last transaction or as required by applicable AML laws.
- Transactional/payment data: 7 years for accounting, tax, and audit obligations.
- Behavioral/log data: 12-24 months for security and analytics, then anonymized or deleted.
- Support communications: up to 3 years post-resolution (longer if tied to a dispute or regulatory inquiry).
- Marketing preferences: retained until you opt out or the purpose expires; suppression lists kept indefinitely to honor opt-outs.
- Cookies/trackers: session cookies expire on browser close; persistent cookies typically 3-24 months (see Cookies section for details).
Deletion occurs when retention periods expire, upon successful erasure requests (subject to legal holds), or when purposes are fulfilled.
Your Rights
OBSERVE: Rights vary by jurisdiction; we provide a robust, user-centric process.
EXPAND: Core rights include access, correction, deletion, restriction, objection, portability, and consent withdrawal.
REFLECT:
- Canada (PIPEDA/provincial laws): access and correct your data; challenge compliance; withdraw consent (e.g., marketing); lodge a complaint. Quebec Law 25 includes data portability for certain computerized data, subject to regulations and feasibility.
- GDPR (if you are in the EEA/UK): access, rectification, erasure, restriction, objection (including to direct marketing), portability, and the right to lodge a complaint with your supervisory authority.
- Mexico (LFPDPPP, if applicable): ARCO rights: Access, Rectification, Cancellation (erasure), Opposition. Statutory response within 20 days to inform outcome and 15 days to implement, subject to permitted extensions.
How to exercise your rights (procedure)
- Submit a request: email [email protected] from your registered email or use the in-account secure message tool (if available). Specify the right(s) you wish to exercise and the scope of data.
- Identity verification: we may request additional information (e.g., partial ID match) to protect your account.
- Response time: we aim to respond within 30 days. Complex requests may be extended in line with applicable law, and we will notify you of any extension and reasons.
- Fees: requests are free of charge unless manifestly unfounded or excessive; if a fee applies, we will explain why and provide the amount before proceeding.
- Limitations: we may refuse or limit a request where it would breach legal obligations (e.g., AML retention), reveal trade secrets, or infringe others' rights. We will explain our reasoning when permitted.
- Marketing opt-out: use unsubscribe links in messages or change settings in your account; you may still receive essential service communications.
Cookies & Tracking Technologies
OBSERVE: Cookies help operate and improve the service.
EXPAND: We use a consent management tool to record your choices where required.
REFLECT:
- Session cookies (functional): essential features like login, security, load balancing; expire when you close your browser.
- Persistent cookies (preferences/analytics): remember settings and help analyze usage; typical lifespan 3-24 months.
- Third-party cookies/SDKs (advertising/affiliates): measure campaigns and personalize offers with your consent where required.
Managing cookies: use our onsite consent banner/panel to set preferences; adjust browser settings to block or delete cookies; opt out of third-party advertising via industry tools (e.g., AdChoices) where available. Blocking certain cookies may impact functionality.
Data Security
OBSERVE: Security protects confidentiality, integrity, and availability.
EXPAND: We combine technical, organizational, and procedural controls.
REFLECT:
- Encryption: TLS 1.2+ in transit; strong encryption (e.g., AES-256) at rest for sensitive data and backups.
- Access controls: least-privilege, role-based access, MFA for privileged accounts, segregation of duties, secure key management.
- Monitoring and testing: vulnerability scans, penetration tests, logging/alerting, anti-DDoS, integrity checks.
- Secure development: SDLC with code reviews, dependency scanning, change management.
- Vendor risk management: due diligence, DPAs/SCCs, transfer impact assessments, ongoing monitoring.
- Training and awareness: regular staff training on data protection, phishing, and incident procedures.
- Incident response: documented plan with detection, containment, eradication, recovery, and notification steps; we will notify affected users and regulators when required by law.
- Standards: controls aligned with ISO/IEC 27001 and SOC 2 principles where applicable.
Complaints & Contacts
OBSERVE: Clear routes for inquiries and escalation.
EXPAND: Provide internal resolution steps and supervisory contacts by region.
REFLECT:
- Contact the DPO: [email protected] or postal to Attn: DPO, Natural Nine B.V., Korporaalweg 10, Willemstad, Curaçao. Include your name, account ID, and issue description.
- Procedure:
  - Acknowledge receipt within 5 business days.
  - Investigate and respond with findings and actions within 30 days (or explain any permitted extension).
  - If unresolved, we provide escalation options.
- Canada supervisory authorities:
  - Office of the Privacy Commissioner of Canada (OPC): https://www.priv.gc.ca, Toll-free 1-800-282-1376, 30 Victoria Street, Gatineau, QC K1A 1H3.
  - Alberta OIPC: https://www.oipc.ab.ca
  - BC OIPC: https://www.oipc.bc.ca
  - Quebec CAI: https://www.cai.gouv.qc.ca
- EU/UK (if applicable): You may lodge a complaint with your local supervisory authority. EU list: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- Mexico (if applicable): Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI): https://www.inai.org.mx
Updates
OBSERVE: Policies evolve with services and laws.
EXPAND: We record versions and notify you of material changes.
REFLECT: We may update this Policy periodically. For material changes, we will provide at least 30 days' advance notice via email, website banner, and/or account dashboard alerts before the effective date. Minor editorial/clarifying updates may take effect upon posting.
- Version control: Last updated: January 2025.
- Changelog (material changes):
  - Added Quebec Law 25 and cross-border transfer assessment details.
  - Expanded security controls and incident response description.
  - Clarified retention schedules and rights procedures, including Mexico ARCO references.
- Your options: If you object to material changes, you may adjust privacy settings, withdraw consent, or close your account before changes take effect. Continued use after the effective date indicates acceptance.
Regional Compliance Note: This Policy is tailored for users in Canada accessing shuffle-casino via shuffle-ca.com and aligns, where relevant, with GDPR and Mexican LFPDPPP for cross-border scenarios.