General provisions and scope
This Privacy policy governs the collection, use, disclosure, and safeguarding of personal information processed in connection with casino-chumba.ca and related services operated under the name Chumba Casino. It is drafted for the Canadian context and is intended to align with the principles of the Personal Information Protection and Electronic Documents Act and applicable provincial private sector privacy statutes where they apply. Where activities involve individuals in other jurisdictions, generally recognised GDPR principles are used as a reference point for fairness, transparency, data minimisation, and accountability. This document applies to visitors, registered account holders, and any individual whose information is processed through website interactions, customer support, or security monitoring. The policy does not apply to third party websites or services that may be accessible through links, integrations, or embedded tools. Use of the site signifies acknowledgement of the terms described herein, subject to any consent choices available through the relevant interfaces.
Definitions and interpretive rules
Personal information means information about an identifiable individual, including identifiers and any data that can reasonably be linked, directly or indirectly, to a particular person. Processing includes any operation performed on personal information, such as collection, recording, organisation, storage, use, disclosure, transmission, or deletion. Consent refers to express or implied permission, as recognised under Canadian privacy law, and may be withdrawn subject to legal or contractual restrictions and reasonable notice. Security incident means a breach of safeguards involving loss of, unauthorised access to, or unauthorised disclosure of personal information, whether confirmed or suspected. Where the term service provider is used, it refers to an entity processing personal information on behalf of the operator under contractual obligations. In the event of conflict between an interpretive provision and a mandatory statutory requirement, the statutory requirement prevails.
Regulatory basis and accountability framework
This Privacy policy is implemented within an accountability framework designed to demonstrate responsible governance over personal information across operational functions. The operator maintains internal procedures intended to reflect the 10 fair information principles, including identifying purposes, limiting collection, limiting use, accuracy, safeguards, openness, and individual access. Documented roles are maintained for operational owners of data sets, and privacy related requests are routed through designated channels for review and response. Where appropriate, privacy impact considerations are applied to material changes, such as introduction of new verification tools or analytics providers. Compliance is assessed using risk based controls and periodic review, which may include internal audits at intervals such as 12 months depending on the nature of processing and incident history. Records may be maintained to support auditability, regulatory inquiries, or dispute resolution within legally permitted limits.
Categories of personal data processed
The information processed may include identity and contact data, such as name, date of birth, email address, telephone number, mailing address, and account identifiers. It may also include verification information used to support age and identity checks, such as government issued identifier metadata, document validation outcomes, and liveness or fraud signals, without retaining full document images where not necessary. Financial and transaction data may be processed, including deposit and withdrawal records, payment instrument tokens, billing information, chargeback indicators, and limited banking details where required for payouts. Technical and usage data may include IP address, device identifiers, browser attributes, logs, session timestamps, and security telemetry used to protect the service. Support and communications data may include customer service correspondence, call records where permitted by law, and complaint handling documentation. Responsible gaming and integrity data may include self exclusion status, session limits, gameplay risk indicators, and records required to address suspected fraud or policy violations.
Methods of collection and data sources
Operationally, personal information is collected directly through account registration, profile updates, payment flows, identity verification steps, and communications submitted via support channels. This Privacy policy also covers information collected automatically through server logs and security tools when a browser or device interacts with the site. Certain data may be obtained from service providers that perform verification, risk scoring, payment processing, or cybersecurity monitoring, subject to contractual restrictions and proportionality requirements. Where permitted, publicly available sources may be used to validate information for fraud prevention, sanctions screening, or dispute resolution. Information may also be generated internally through gameplay and platform systems, including transaction reconciliation records and responsible gaming indicators. The operator endeavours to ensure that collection methods are proportionate and limited to what is necessary for identified purposes, taking account of the sensitivity of the information.
Legal bases for processing under Canadian law and GDPR aligned principles
Processing is undertaken on bases recognised in Canada, including consent where required, and other lawful grounds such as necessity for providing a requested service, fulfilling legal obligations, and establishing, exercising, or defending legal claims. For certain activities, implied consent may be relied upon when the purpose is obvious and the information is not sensitive, while express consent is sought for higher risk processing where feasible. Contractual necessity may apply to account administration, payment processing, fraud prevention controls integral to platform operation, and delivery of customer support. Legal obligations may include record keeping, anti fraud requirements, identity and age verification duties, and responding to valid regulatory or law enforcement requests. Legitimate interest style reasoning may be applied as a GDPR informed principle for limited processing such as network security, service integrity, and system analytics, while ensuring that the impact on individuals is assessed and mitigated. Where consent is the basis, withdrawal is respected subject to limitations required by law, security, or dispute resolution.
Purposes of processing and operational necessity
This Privacy policy describes processing purposes that are specific, limited, and connected to the platform’s lawful operation. Personal information is processed to create and manage accounts, authenticate logins, process transactions, administer bonuses where applicable, and maintain accurate records for reconciliation. It is also processed to conduct age and identity verification, prevent prohibited access, address fraud and chargebacks, and protect the integrity of gameplay and payment systems. Customer support and complaint handling rely on communications data to investigate issues, provide responses, and document outcomes. Technical and usage information is processed to maintain system performance, diagnose errors, and monitor abuse, including automated detection of suspicious activity. Where responsible gaming measures are implemented, information is processed to support risk based interventions, self exclusion administration, and compliance with internal safeguards.
Responsible gaming and integrity processing
Operationally, responsible gaming features may require processing of session data, limit settings, and behavioural indicators to identify patterns associated with potential harm. Such processing is carried out to support safety objectives and to meet governance expectations in the iGaming sector, and it is designed to be proportionate to the identified risk. Where interventions occur, records may be created to document the action taken, the reason, and the outcome, including the date and time of the interaction. Where feasible, the system applies controls that limit use of these records to authorised staff and to defined purposes, including review and quality assurance. Data used for integrity reviews may be correlated with device and transaction signals to investigate suspicious patterns without relying on unnecessary sensitive attributes. If a dispute arises, these records may be retained to support investigation and resolution.
Communications and dispute resolution
Information submitted through support channels is processed to verify identity, triage the request, and provide an appropriate response. Communications may be reviewed for training, quality assurance, and compliance monitoring, using access controls designed to limit exposure to a need to know basis. Where recording of calls is permitted, notice may be provided and recordings may be used for dispute resolution and security purposes. Complaint handling records may be kept to evidence the steps taken, including references to dates such as a response issued within 30 days where required by applicable law or policy. Dispute related records may be retained beyond ordinary retention periods if necessary to establish, exercise, or defend legal claims.
Data retention and deletion standards
This Privacy policy establishes retention practices based on legal obligations, operational necessity, and proportionality, while seeking to avoid indefinite retention. Account information is retained for as long as an account remains active and for a reasonable period thereafter, such as 24 months, to manage disputes, security investigations, and reconciliation. Transaction and payment related records may be retained for periods required by financial, tax, or anti fraud obligations, which can extend to 7 years depending on the record type and jurisdictional requirements. Verification outcomes may be retained for a shorter period, such as 18 months, where retention supports fraud prevention and compliance while reducing the amount of stored sensitive information. Technical logs may be retained for security and performance analysis for periods such as 90 days, subject to extension where an incident investigation is underway. When retention is no longer necessary, information is deleted, de identified, or anonymised using methods appropriate to the data type and system constraints.
Backup systems and residual copies
Operationally, certain data may persist in encrypted backups or disaster recovery environments for limited periods due to system design. Such residual copies are protected by access restrictions and are not used for routine processing once deleted from production systems, except where restoration is required. Backup retention schedules are designed to balance resilience with minimisation, and may involve fixed cycles such as 35 days for certain snapshots. Where deletion requests are received, the operator applies deletion to active systems first and then allows backup cycles to expire, unless legal holds apply. If a legal hold is in place, deletion may be delayed until the hold is lifted, with access restricted to authorised personnel. Evidence of deletion steps may be logged for accountability.
Data sharing, disclosures, and third party processing
Personal information may be disclosed to service providers that support the operation of the site, including payment processors, identity verification vendors, customer support platforms, hosting providers, analytics providers, and cybersecurity vendors. Disclosures are limited to what is necessary for the relevant function and are governed through contractual terms addressing confidentiality, security safeguards, permitted uses, and breach notification responsibilities. This Privacy policy also contemplates disclosures required or permitted by law, including to regulators, law enforcement, or courts where a valid request is received. Information may be disclosed to professional advisers such as legal counsel, auditors, or insurers where necessary for compliance, risk management, or dispute resolution. In the event of a corporate transaction, such as an asset sale, merger, or reorganisation, information may be disclosed under confidentiality constraints and transferred as part of the transaction, subject to applicable legal requirements. Where feasible, vendor due diligence is performed to assess risk, including review of security certifications and incident history.
Payment processing and fraud prevention partners
Payment processing requires sharing certain identifiers and transaction details to complete deposits, withdrawals, chargeback handling, and fraud checks. Fraud prevention partners may receive device, network, and behavioural signals to assess risk, detect suspicious activity, and protect both the platform and individuals from unauthorised use. Where tokenisation is available, payment card numbers are not stored on the operator’s primary systems, and processors may store such data under their own compliance obligations. In certain cases, additional information may be requested to resolve a failed transaction or to comply with bank requirements, and such requests are limited to what is necessary. Records of fraud decisions may be retained to support consistent enforcement and appeals, subject to minimisation principles. The term casino Chumba may appear in transaction descriptors or support records as necessary to identify the service relationship.
Cross border processing and international transfers
This Privacy policy recognises that service providers may process information outside Canada, including in the United States or other jurisdictions where infrastructure and specialist vendors are located. When information is processed in another country, it may be subject to the laws of that jurisdiction, including lawful access by governmental authorities. The operator seeks to implement safeguards appropriate to cross border transfers, which may include contractual protections, confidentiality obligations, and security requirements proportionate to the sensitivity of the data. Transfers are undertaken to support operational continuity, fraud prevention, hosting resilience, and customer support availability. Where GDPR aligned safeguards are relevant, contractual measures and transparency are applied to reflect equivalent protection principles. Individuals may request information about the general categories of service providers and the countries in which processing occurs, subject to security and confidentiality limitations.
Security measures and incident management
Security safeguards are implemented to protect personal information against loss, theft, unauthorised access, disclosure, copying, use, or modification, taking account of the sensitivity of the data. Measures may include encryption in transit and at rest, access control policies, logging, network segmentation, and vulnerability management processes. Administrative safeguards include staff access limitation, confidentiality obligations, and training designed to reduce human error and misuse. Technical controls may include multi factor authentication for privileged access, automated monitoring, and security testing, with remediation tracked under internal governance. Certain controls are assessed against recognised standards, and risk based measures may be adjusted when threat conditions change. As an internal benchmark, the operator may target service availability and protective monitoring coverage exceeding 99% for critical security logging pipelines, subject to maintenance windows and incident response activities.
Security incident response and notification
A documented incident response process is maintained to identify, contain, investigate, and remediate suspected or confirmed security incidents. Where a breach of safeguards creates a real risk of significant harm, notification obligations under Canadian law are considered, including reporting to the Office of the Privacy Commissioner of Canada where applicable. Individuals may be notified in a timely manner where required, with content designed to describe the nature of the incident, the information involved, and steps available to reduce risk. Internal records of breaches are maintained as required, and may be retained for at least 24 months to meet accountability expectations and statutory record keeping duties. Post incident reviews may be performed to assess root cause and to implement corrective measures. Not all security events result in notification, particularly where investigation confirms that the risk threshold is not met.
Cookies and tracking technologies
This Privacy policy addresses the use of cookies and similar technologies that enable core functionality, security, analytics, and preference management. Cookies may be used to maintain sessions, remember settings, support fraud detection, and prevent repeated authentication prompts within reasonable time windows. Certain analytics tools may collect information about page interactions, device type, and approximate location derived from IP address, with configuration intended to reduce unnecessary identifiability. Where consent mechanisms are implemented, preferences may be recorded and respected, subject to essential cookies required for security and service delivery. Tracking technologies may also include pixels, SDKs, or server side event logging, depending on platform architecture and vendor integrations. The operator endeavours to limit use of such technologies to defined purposes and to avoid collection of sensitive personal information through tracking without a lawful basis.
Managing cookie preferences
Operationally, cookie settings may be managed through browser controls and, where available, on site preference tools. Blocking certain cookies may affect essential functions such as login persistence, payment flow stability, and security protections, and such impacts depend on device configuration. Where third party cookies are used, the relevant third party may act as an independent controller for its own purposes, and its policies govern its processing. Logs indicating consent choices may be retained to demonstrate compliance and to respect preferences over time, subject to retention limits. Where legally required, consent may be sought before non essential cookies are placed. The name casino Chumba may appear within technical logs or preference records as a service identifier.
Individual rights and access requests
A rights based approach is applied so that individuals can exercise meaningful control over personal information within legal constraints. This Privacy policy recognises the right to request access to personal information held by the operator and to request correction of inaccurate or incomplete information. Requests may also include seeking information about how data has been used and to whom it has been disclosed, subject to lawful exceptions such as solicitor client privilege, security constraints, or information about other individuals. Where consent is relied upon, withdrawal may be requested, recognising that withdrawal may limit access to services that require the relevant processing to function. Where applicable, individuals may request deletion or de identification, although certain information must be retained to meet legal obligations, prevent fraud, or resolve disputes. The operator aims to respond within 30 days where feasible, and may extend the period where permitted, for example by an additional 15 days when complexity or volume requires it.
Identity verification for rights requests
To protect privacy and prevent unauthorised disclosure, the operator may require verification of identity before responding to access, correction, or deletion requests. Verification may involve confirming account details, requesting additional information, or using secure challenge methods, depending on the sensitivity of the request. Where an authorised representative submits a request, evidence of authority may be required, such as a signed authorisation or legally valid power of attorney documentation. If verification cannot be completed, the request may be refused or limited, with reasons provided where legally required. The operator seeks to minimise verification data and to retain it only as long as necessary to complete the request and document compliance. Records of requests and outcomes may be retained for a period such as 3 years to support accountability and dispute handling.
Special considerations for minors and eligibility controls
Access to the services is restricted to individuals who meet applicable age requirements, and age gating and verification controls are used to support compliance. Where information suggests that an individual may be under the applicable age threshold, processing may occur to prevent account creation, suspend access, or request verification, consistent with legal duties and platform integrity. If personal information relating to a minor is identified, the operator takes steps to delete or de identify it where lawful and feasible, unless retention is required for security, fraud prevention, or legal claims. Records of attempted access may be retained for limited periods to prevent repeated circumvention attempts and to support integrity monitoring. These controls are applied without using unnecessary sensitive profiling attributes and are intended to be proportionate to the risk of harm. References to casino Chumba may appear in eligibility workflows to ensure consistent enforcement across systems.
Contact information and data request procedure
This section explains how privacy related communications are submitted and handled. Requests regarding personal information, including access, correction, consent withdrawal, and complaints, may be submitted through the contact channels made available on casino-chumba.ca, and the operator may require sufficient detail to locate relevant records. The operator may request confirmation of the email address associated with the account, and may ask for additional context such as relevant dates, transaction references, or device identifiers to facilitate accurate retrieval. Where a request is incomplete, the operator may seek clarification and the response period may run from the time sufficient information is received. If a complaint is submitted, it is reviewed under internal escalation procedures, and where appropriate it may be referred to a privacy lead or external adviser. Individuals may also have the right to contact the Office of the Privacy Commissioner of Canada or an applicable provincial authority where concerns remain unresolved.
Policy amendments, transparency commitments, and effective date
This Privacy policy is maintained as a living compliance document and is updated to reflect changes in legal requirements, operational practices, technology, or risk controls. Amendments may occur when new vendors are introduced, when identity verification methods change, when cookie tools are modified, or when retention rules are adjusted to reflect statutory developments. Where changes materially affect processing purposes, categories of personal information, or disclosure practices, reasonable notice is provided through the website or account communications, and where required, consent is obtained through appropriate mechanisms. The effective date of each revision is recorded within the policy publication context, and prior versions may be retained for audit and dispute resolution for a limited period such as 6 years. The operator affirms an ongoing commitment to accountability, transparency, and safeguard effectiveness consistent with Canadian privacy law and GDPR aligned principles where relevant. This Privacy policy also confirms that amendment procedures include internal review, vendor impact assessment where applicable, and documented approval steps before publication, with the objective of maintaining lawful, fair, and proportionate processing across casino Chumba operations.
