burger icon
F12 Bet Casino
Log In

Privacy Policy

This Privacy Policy explains how f12-bet-casino at f12bet-casino-ca.com collects, uses, discloses, and safeguards personal information of players and website/app visitors. It applies to all users who interact with our services, regardless of device. Effective date: 31 October 2025.

Who We Are

OBSERVE: Users need to know the legal operator, registration/licensing details, and a direct privacy contact.

EXPAND: We identify the operating entities and provide a dedicated privacy contact for rights requests and inquiries.

REFLECT: This ensures accountability and a clear point of contact for Canadian users and others.

  • Operator: f12-bet-casino is operated for the Canadian site at f12bet-casino-ca.com by F12 Gaming N.V., a public limited company registered in Curaçao (Company No. 159643).
  • Gaming licence: Curaçao Gaming Authority, Licence No. OGL/2025/245/0104 (issue date: 19 May 2025; status: active). Certain localized services may be supported by group affiliates, including F12 DO BRASIL JOGOS ELETRONICOS LTDA (Brazil).
  • Registered office: F12 Gaming N.V., Curaçao (full registered address available upon justified request to our Data Protection Office).
  • Data Protection Office (DPO): Email: [email protected]. Use this channel for privacy questions, data subject requests, or complaints.

Regional compliance note: For Canadian users, we align with PIPEDA and substantially similar provincial laws (Quebec, Alberta, BC). For EEA/UK users, we align with GDPR/UK GDPR, and for Mexico, with LFPDPPP.

What Personal Data We Collect

OBSERVE: We collect data necessary to operate a compliant online casino and to meet KYC/AML obligations.

EXPAND: We also collect technical, behavioral, and cookie data to secure the platform and improve services.

REFLECT: We minimize data and tie each category to lawful purposes.

  • Identity and contact data: Full name, date of birth, address, email, phone, government ID details (for KYC), nationality, and age verification records.
  • Account data: Username, credentials (stored as hashed values), security questions, preferences, communication consents.
  • Payment and transactional data: Deposits, withdrawals, payment instrument tokens, billing details, currency, limits, chargeback records, tax and reporting identifiers where required.
  • Technical and usage data: IP address, device identifiers, OS/browser details, app telemetry, log files, session data, language, time zone, approximate geolocation (derived from IP), and crash/diagnostic logs.
  • Behavioral and gaming data: Game selections, betting history, stakes, outcomes, session duration, clickstream, responsible gambling interactions (e.g., self-exclusion, limits).
  • Communications: Customer support records, recordings/transcripts where applicable, complaint files, surveys, and feedback.
  • Cookies and similar technologies: Session/persistent cookies, SDKs, pixels, device fingerprint components used for functionality, analytics, security/anti-fraud, and (with consent) advertising.
  • Inferences: Risk scores (e.g., AML/fraud), responsible gambling risk indicators, and service personalization inferences.

Legal Basis for Processing

OBSERVE: Processing must rest on recognized legal grounds applicable to user location and services delivered.

EXPAND: We incorporate Canada's PIPEDA principles, GDPR for EEA/UK users, and Mexico's LFPDPPP where relevant.

REFLECT: We match each activity to a lawful basis and respect consent withdrawal and statutory obligations.

  • Consent: Optional activities (e.g., email/SMS marketing, certain cookies). You may withdraw consent at any time via account settings or by emailing our DPO.
  • Contract necessity: Account creation, identity verification, enabling deposits/withdrawals, operating games, customer support, bonus fulfillment, dispute resolution.
  • Legitimate interests: Fraud/abuse detection, network and information security, service analytics and optimization, prevention of bonus abuse, and personalization balanced against your privacy rights.
  • Legal obligations: KYC/AML screening, sanctions checks, age verification, record-keeping, responding to lawful requests from competent authorities and regulators, tax and financial reporting.
  • Vital interests/public interest (rare): Safeguarding users or complying with urgent law enforcement needs.

Purpose of Processing

OBSERVE: Users need clarity on how their data supports the service lifecycle.

EXPAND: We enumerate operational, security, compliance, and marketing purposes.

REFLECT: Each purpose corresponds to the minimum data required.

  • Provide and maintain services: Account onboarding, gameplay, payments, customer support, and feature delivery.
  • Compliance and risk: KYC/AML, sanctions screening, responsible gambling measures, transaction monitoring, audits.
  • Security and integrity: Access controls, fraud detection, incident response, and platform resilience.
  • Analytics and improvement: Service performance metrics, usability analysis, troubleshooting, and product development.
  • Marketing and communications: With consent, send promotions, bonuses, surveys, and service notices; manage preferences and opt-outs.
  • Legal defense and business continuity: Managing disputes, enforcing terms, corporate transactions, and backups/archiving.

Disclosure & Sharing

OBSERVE: Data sharing occurs to deliver payments, verification, hosting, compliance, and marketing.

EXPAND: We define processors vs. controllers, conditions for sharing, and safeguards.

REFLECT: Sharing is restricted to necessity, with contracts and controls.

  • Payment partners: Acquirers, banks, and payment gateways to process deposits/withdrawals and handle chargebacks.
  • KYC/AML and fraud vendors: Identity verification, sanctions/PEP checks, device fingerprinting, fraud scoring.
  • Hosting and IT providers: Cloud infrastructure, content delivery networks, security monitoring, and customer support tools.
  • Analytics and measurement: Aggregated or pseudonymized data for performance and product insights.
  • Marketing and affiliation: Email/SMS services, affiliate networks, and advertising partners only where consented.
  • Group companies: F12 group affiliates (including Brazilian entity) for intra-group services under intercompany agreements.
  • Regulators and authorities: Curaçao Gaming Authority, anti-fraud/financial authorities, and other competent bodies when legally required.
  • Corporate transactions: Mergers, acquisitions, or reorganization subject to confidentiality and continuity safeguards.

We require service providers to process data under written instructions, apply robust security, and refrain from using data for their own purposes.

International Transfers

OBSERVE: Cross-border processing may involve Curaçao, Brazil, the EU/EEA, the UK, and the United States.

EXPAND: We implement legal and technical safeguards to ensure continuity of protection.

REFLECT: Transfers are limited to necessity, with standardized protections.

  • EEA/UK transfers: Where EU/UK data is involved, we use European Commission Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable), plus supplementary measures (encryption, access controls, minimization).
  • Canada transfers: Under PIPEDA and substantially similar provincial laws, we use contractual, organizational, and technical safeguards to ensure a comparable level of protection when data is processed outside Canada.
  • U.S. vendors: Where feasible, we engage providers participating in the EU-U.S. Data Privacy Framework and otherwise rely on SCCs with added protections.
  • Mexico transfers: For Mexican users, we obtain consent where required by LFPDPPP and apply contractual safeguards for foreign transfers.
  • Transparency: Key processing locations currently include Curaçao (primary), Brazil (group support), and cloud regions disclosed by our vendors. Details are available on request.

Data Retention

OBSERVE: Retention must satisfy legal obligations and business needs without keeping data longer than necessary.

EXPAND: We set category-based timelines and clear deletion/suppression criteria.

REFLECT: We prioritize minimization and defensible retention policies.

  • Account and KYC records: For the life of the account and up to 5 years after closure or last transaction, to meet AML and record-keeping duties.
  • Transactions and financial records: Up to 7 years after the end of the fiscal year of the transaction for accounting, tax, and audit purposes.
  • Security and system logs: 12 months by default, longer if needed for investigations or litigation holds.
  • Marketing data: Until consent is withdrawn or after 24 months of inactivity, whichever occurs first.
  • Complaints and disputes: Until resolution plus the applicable limitation period (up to 6 years, unless local law requires otherwise).
  • Suppression lists: Indefinitely retained in minimal form to honor opt-outs.

Deletion criteria: purpose fulfilled, expiry of retention period, successful objection/erasure request (where applicable), or legal obligation to delete. Backups are purged on rolling cycles.

Your Rights

OBSERVE: Users require a clear path to exercise privacy rights, with timelines and verification steps.

EXPAND: We align with Canada's PIPEDA and substantially similar laws, and provide GDPR and Mexican LFPDPPP parity where they apply.

REFLECT: We facilitate requests free of charge within standard timelines, subject to lawful exceptions.

  • Access: Obtain confirmation and a copy of your personal information in our custody/control, including the categories, sources, purposes, and disclosures.
  • Correction/Rectification: Request correction of incomplete or inaccurate data.
  • Deletion/Erasure: Request deletion where no longer necessary, consent is withdrawn, or processing is unlawful (subject to legal/AML retention obligations).
  • Restriction/Objection: Request restriction or object to processing based on legitimate interests, including profiling, on grounds relating to your situation.
  • Portability: Receive certain data in a portable format and transmit it to another controller where technically feasible (available under GDPR and Quebec Law 25 where applicable).
  • Marketing opt-out: Withdraw consent to marketing at any time and manage cookie preferences.
  • ARCO rights (Mexico): Access, Rectification, Cancellation, and Opposition in line with LFPDPPP where applicable.
  1. How to exercise: Email [email protected]. We may request information to verify your identity and account ownership.
  2. Timeframes: We aim to respond within 30 days of receipt and verification. We may extend by an additional 30 days for complex requests and will inform you of the reason.
  3. Fees: Requests are free of charge unless manifestly unfounded or excessive; if so, we may charge a reasonable fee or refuse with justification.
  4. Limits: We may decline requests where disclosure would reveal another person's data, violate law or privilege, or impair fraud/AML controls. We will explain our decision where legally permitted.

Regional compliance note: Canadian users may also complain to the Office of the Privacy Commissioner of Canada (OPC). EEA/UK users may contact their local data protection authority. Mexican users may seek recourse with INAI.

Cookies & Tracking Technologies

OBSERVE: Cookies support functionality, security, analytics, and consented advertising.

EXPAND: Users must be able to understand types and manage preferences.

REFLECT: We provide layered choice, including browser and on-site controls.

  • Types:
    • Session cookies: Essential, expire when you close the browser.
    • Persistent cookies: Remain for a set duration for preferences, analytics, or security.
    • Third-party cookies/SDKs: Analytics, anti-fraud, and (with consent) advertising measurement/retargeting.
  • Purposes: Functional operation (login, balance, ticketing), security/anti-fraud, analytics and performance, and marketing (only with consent).
  • Controls: Manage preferences through our on-site cookie banner/settings and via browser settings (block/delete cookies). Disabling certain cookies may affect functionality.

Data Security

OBSERVE: Casino operations demand strong technical and organizational security measures.

EXPAND: We use encryption, access controls, audits, and incident response aligned with industry standards.

REFLECT: Security is risk-based, continuously improved, and documented.

  • Encryption: TLS 1.2+ for data in transit; encryption at rest for sensitive data; key management with restricted access.
  • Access controls: Role-based access, least privilege, MFA for privileged accounts, network segmentation, and secure admin tooling.
  • Monitoring and testing: Logging, anomaly detection, vulnerability management, independent testing where appropriate, and change control.
  • Vendor security: Security due diligence, contractual requirements, and periodic reassessments.
  • Training and governance: Staff training, background checks where lawful, and a documented information security program aligned with ISO 27001 and SOC 2 principles.
  • Incident response: Defined runbooks, rapid containment, investigation, and notification to authorities and users where legally required (e.g., PIPEDA "real risk of significant harm" reporting to OPC and affected individuals).

Complaints & Contacts

OBSERVE: Users need clear complaint channels and escalation paths.

EXPAND: We provide internal steps and supervisory authority contacts for multiple jurisdictions.

REFLECT: Transparent pathways help resolve issues efficiently.

  • Contact our DPO: [email protected]. Include your account ID, request details, and preferred contact method.
  • Procedure:
    1. Submit your request/complaint to the DPO.
    2. We acknowledge within 5 business days.
    3. Substantive response within 30 days (possible 30-day extension for complexity).
    4. If unresolved, we provide escalation options.
  • Canada (federal): Office of the Privacy Commissioner of Canada (OPC), 30 Victoria Street, Gatineau, Quebec K1A 1H3, +1-800-282-1376, priv.gc.ca.
  • Quebec: Commission d'accès à l'information (CAI), cai.gouv.qc.ca.
  • Alberta: Office of the Information and Privacy Commissioner (OIPC), oipc.ab.ca.
  • British Columbia: OIPC BC, oipc.bc.ca.
  • Mexico: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), inai.org.mx.
  • EEA/UK: Contact your local supervisory authority. See the EDPB list: edpb.europa.eu/about-edpb/board/members.

Updates

OBSERVE: Policies evolve due to regulatory, operational, or vendor changes.

EXPAND: We commit to transparent notification, versioning, and user choices.

REFLECT: Material updates will be announced with advance notice.

  • Notification methods: Email notices (where available), website banner, and in-account alerts.
  • Advance notice: For material changes (e.g., new processing purposes, new categories of recipients, or significant international transfer changes), we provide at least 30 days' notice before the effective date, unless immediate changes are required by law or to address security/abuse.
  • User options: You may object to certain changes, withdraw consent for optional processing, or close your account before the effective date.
  • Version control: Last updated: October 2025.
  • Changelog (material changes):
    • Added Curaçao licence details and clarified group affiliates (2025-10).
    • Expanded international transfer safeguards and breach notification references (2025-10).
    • Aligned rights with Quebec Law 25 and clarified Mexico ARCO rights (2025-10).

If any provision conflicts with mandatory local law, the stricter standard applies to the affected user. For questions, contact [email protected].