Privacy Policy

Effective date: 6 November 2025 (Last updated: November 2025). This Privacy Policy explains how Velobet, operated via velobed.casino, collects, uses, shares, and protects personal data of website visitors and registered players. A privacy policy is required to provide transparency and to comply with applicable data protection laws, including the UK GDPR and the Data Protection Act 2018, and (where relevant to cross-border interactions) other privacy regimes described below.

Who We Are

OBSERVE: Velobet is presented to UK users via velobed.casino. The operating entity and registered address available to us are in Curaçao, with a payment processing subsidiary referenced in Cyprus. A dedicated phone number is not specified, and the primary contact email is provided.

EXPAND: UK GDPR requires clear identification of the controller and contact route for privacy queries (and DPO contact where appointed). Where a DPO is not formally appointed, a "data protection contact" must still be offered. Transparency obligations also require identifying material third-party processing arrangements (e.g., payment processing in Cyprus) and the relevant jurisdictions for storage/processing.

REFLECT: The following controller and contact details apply for privacy matters concerning Velobet on velobed.casino:

  • Data controller / Operator: Santeda International B.V.
  • Company registration number: 151296 (Curaçao)
  • Registered legal address: Pareraweg 45, Curaçao
  • Payments processing (subsidiary referenced): Santeda International Limited (Cyprus) - street address not specified in the available records
  • Data Protection Contact (DPO / Privacy team): [email protected] (please mark the subject line "Data Protection Request")
  • Telephone: Not specified (main office and support numbers are not provided)
  • Website: https://velobed.casino

What Personal Data We Collect

OBSERVE: Velobet collects data required to create and operate accounts, process deposits/withdrawals (including via third parties), secure the service, and meet verification/AML requirements. The service also uses technical identifiers and cookies.

EXPAND: Under UK GDPR transparency requirements, we must describe categories of data, including identifiers, financial and transactional data, usage/behavioural data, and technical/cookie data, plus any KYC/AML verification data that may be collected later (e.g., at withdrawal or risk triggers).

REFLECT: Depending on how you use velobed.casino, we may collect the following categories of personal data:

  • Identity & contact data: Full name, date of birth (where requested for age verification), email address (e.g., [email protected] used for communications), phone number (if you provide it), country/region, and account credentials (hashed/password-protected).
  • Account & gameplay data (behavioural): Username/player ID, betting and gameplay history, bonus participation, responsible gambling interactions (e.g., self-exclusion requests), clicks and in-site navigation events, and preference settings.
  • Technical data: IP address, approximate location derived from IP, device identifiers, browser type/version, operating system, crash reports, server logs, login timestamps, and anti-fraud signals.
  • Payment & transaction data: Deposit/withdrawal amounts, timestamps, payment method metadata, payment status, chargeback/return information, wallet addresses for crypto transactions (where used), and limited card/payment identifiers where supplied by payment partners (we typically do not store full card numbers).
  • Verification (KYC/AML) data: Copies/records of identity documents, proof of address, payment method ownership evidence, source-of-funds/source-of-wealth information, sanctions/PEP screening results, and notes/outcomes of verification checks (especially if triggered at withdrawal or risk events).
  • Communications: Emails, live chat transcripts (24/7 live chat available via the site interface), complaints correspondence, and operational messages about your account.
  • Cookies and similar technologies: Cookie IDs, consent signals, advertising identifiers (where enabled), and analytics tags (see "Cookies & Tracking Technologies").

Legal Basis for Processing

OBSERVE: Velobet needs lawful grounds under UK GDPR to process personal data for account operation, security, payments, compliance (KYC/AML), and marketing. Some processing is optional (e.g., advertising cookies) and should rely on consent.

EXPAND: UK GDPR Article 6 bases commonly apply: contract, legal obligation, legitimate interests, consent, and (rarely) vital interests/legal claims. Gambling operations also require enhanced fraud controls and identity verification; these are typically "legal obligation" and/or "legitimate interests," depending on the specific requirement and jurisdictional setup.

REFLECT: We rely on the following legal bases (UK GDPR) when processing personal data on velobed.casino for Velobet:

  • Contract (performance of a contract): To register your account, provide access to games, apply bonuses per the applicable rules, handle deposits/withdrawals, provide customer support, and manage self-exclusion requests.
  • Legal obligation: To carry out identity/age verification, KYC/AML checks, record-keeping, and regulatory or law-enforcement requests where applicable to our operations and financial transaction processing.
  • Legitimate interests: To prevent fraud, protect account security, defend legal claims, maintain service integrity, conduct internal analytics and service improvement, and enforce our Terms & Conditions and AML/KYC policy.
  • Consent: For non-essential cookies, certain analytics, and personalised advertising/affiliate tracking where required by UK PECR and cookie rules; and for direct marketing where consent is required or where you have not opted out.

Regional compliance note (UK): Cookie-related consent is managed in line with the UK Privacy and Electronic Communications Regulations (PECR). You can withdraw cookie consent at any time (see "Cookies & Tracking Technologies").

Purpose of Processing

OBSERVE: The platform processes data to deliver gambling services, run payments, secure systems, comply with verification obligations, and communicate with users.

EXPAND: Purposes should be specific and mapped to categories, including marketing/affiliates (with consent where required) and risk controls (fraud/bonus abuse). Industry practice also includes maintaining internal "risk lists" to protect against abuse; this must be described as a security/legitimate interests purpose.

REFLECT: We use personal data for the following purposes:

  • Service provision: Create and administer accounts, provide access to games and features, apply promotions/bonuses, and manage responsible gambling tools such as self-exclusion via [email protected].
  • Payments and payouts: Process deposits, withdrawals, refunds (where applicable), and payment reconciliation, including through payment partners and the Cyprus-based processing arrangements referenced in our operational information.
  • Verification & compliance: Conduct KYC/AML, age/identity checks, sanctions screening, and transactional monitoring; respond to lawful requests from competent authorities.
  • Security & fraud prevention: Account protection, risk scoring, detection of fraudulent behaviour, prevention of "bonus abuse," chargeback management, and enforcement of platform rules.
  • Customer support & communications: Respond to queries, handle operational notices, and manage complaints (email and live chat where available).
  • Analytics & improvement: Understand performance and user experience, diagnose technical issues, and improve games, payments, and site reliability.
  • Marketing (where permitted): Send service updates and promotional communications, and measure campaign performance (subject to your preferences and applicable consent/opt-out rules).

Disclosure & Sharing

OBSERVE: Velobet may share data with payment partners, service providers, regulators/authorities, and potentially affiliates/advertising networks where consent applies. The service also references Curaçao licensing and related complaint portals.

EXPAND: UK GDPR requires transparency about recipients/categories of recipients, plus safeguards and purpose limitation. For advertising/affiliate tracking, PECR/cookie consent is often required. For fraud prevention, sharing may be necessary with processors and, in limited cases, other controllers (e.g., group companies) subject to lawful basis and minimisation.

REFLECT: We may disclose personal data (as necessary and proportionate) to:

  • Payment providers and financial intermediaries: Banks, card processors, crypto payment facilitators, and payout partners to execute transactions and perform fraud screening.
  • Service providers (processors): Hosting, infrastructure, analytics, customer support tooling, identity verification/KYC vendors, email delivery services, and security monitoring providers acting under contractual obligations.
  • Group/related operational entities: Where relevant to provide the service, manage risk, or prevent fraud/abuse across shared infrastructure (only to the extent permitted by law and subject to appropriate safeguards).
  • Affiliates and advertising networks: Only where you have provided the required cookie/marketing consents (or where another lawful basis applies under applicable rules) and with appropriate contractual protections.
  • Regulators and authorities: Competent authorities, law enforcement, courts, and/or regulatory bodies where we are legally required to disclose data or where necessary to establish, exercise, or defend legal claims. For licensing-related matters, the public portal referenced is https://curacao-egaming.com/public-and-players/complaints.

Regional compliance note (UK): We do not "sell" personal data in the ordinary sense. Where sharing could constitute "targeted advertising" or similar profiling, we use consent and provide opt-out controls as required by UK GDPR/PECR.

International Transfers

OBSERVE: The operator is registered in Curaçao and data storage is indicated to occur under Curaçao jurisdiction; payment processing is referenced in Cyprus. Users may be in the UK, and vendors may operate in other regions.

EXPAND: UK GDPR restricts transfers outside the UK to territories without adequacy; safeguards like the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs are typically required. "Privacy Shield" is not a UK GDPR transfer mechanism; we should instead describe SCCs/IDTA and risk assessments. We should also describe that transfers may occur to Curaçao, Cyprus, and vendor locations (e.g., EU/EEA/US) depending on tooling.

REFLECT: Your personal data may be transferred to, stored in, or accessed from locations outside the United Kingdom, including:

  • Curaçao: Operator registration and indicated data storage/operations context.
  • Cyprus (EU): Payment processing arrangements referenced for Santeda International Limited.
  • Other countries: Where our contracted service providers (e.g., hosting, security, analytics, communications, KYC/AML) operate or maintain support teams.

Where UK GDPR requires transfer safeguards, we use appropriate measures such as:

  • Contractual safeguards: The UK IDTA and/or the UK Addendum to the EU Standard Contractual Clauses (as applicable), with vendor due diligence and confidentiality/security obligations.
  • Risk assessments: Transfer risk assessments and supplementary measures where required (e.g., encryption, access controls, data minimisation).
  • Security controls: Encryption in transit and at rest and restricted access based on role (see "Data Security").

Data Retention

OBSERVE: Gambling and payments operations require retaining records for compliance, fraud prevention, and dispute handling. The content requirements request clear retention periods (example: no more than 5 years after account closure) and deletion criteria.

EXPAND: Retention should be purpose-limited and reflect AML record-keeping (often 5 years), transactional/accounting obligations, and complaint/legal claim limitation periods. Where exact statutory periods vary by jurisdiction, we should provide a clear baseline and explain exceptions (e.g., ongoing investigations, legal claims, regulatory requests).

REFLECT: We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law. Indicative retention periods for Velobet on velobed.casino are:

  • Account profile data: Up to 5 years after account closure or last activity, unless legal/compliance needs require longer.
  • Transaction and payment records: Typically 5 years from the date of the transaction (or longer if required for accounting, anti-fraud, chargeback handling, or legal claims).
  • KYC/AML verification data: Typically 5 years after the end of the customer relationship and/or completion of relevant checks, subject to applicable AML/financial rules and investigative holds.
  • Customer support communications (email/live chat): Usually 2 years from ticket closure, unless needed longer for complaint handling or legal defence.
  • Security logs and device/IP logs: Typically 6-24 months, depending on the log type, threat environment, and investigation needs.
  • Marketing preferences and consent records: For as long as necessary to demonstrate compliance and respect your preferences (e.g., until you withdraw consent plus a limited audit period).

Deletion criteria: Data may be deleted or irreversibly anonymised when (i) the retention period expires, (ii) the processing purpose no longer applies, and (iii) no legal/compliance basis requires continued retention. Some data cannot be erased immediately if we must retain it to meet legal obligations or to establish, exercise, or defend legal claims.

Your Rights

OBSERVE: Users require a clear explanation of rights under UK GDPR (and, per the content specification, alignment with Mexican privacy law concepts) with procedures, timelines (30 days), and free-of-charge assurances. A practical channel is provided: [email protected]. A phone number is not specified.

EXPAND: UK GDPR rights include access, rectification, erasure, restriction, portability, objection, and withdrawing consent; plus rights regarding automated decision-making/profiling where applicable. UK GDPR response time is generally 1 month (extendable by 2 months for complex requests with notice). The prompt also asks to reference Mexican regulations: Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and its ARCO rights (Access, Rectification, Cancellation, Opposition). We should present this as "where applicable" for users interacting from Mexico or where Mexican law may be relevant, without overstating jurisdiction.

REFLECT: Subject to applicable law, you may exercise the following rights:

  • Right of access: Obtain confirmation that we process your personal data and receive a copy, along with key information about how it is used.
  • Right to rectification: Ask us to correct inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten"): Request deletion of personal data where there is no overriding legal basis to keep it (for example, we may need to retain KYC/AML or transaction records).
  • Right to restriction: Ask us to limit processing in certain situations (e.g., while a dispute about accuracy is resolved).
  • Right to object: Object to processing based on legitimate interests, including certain profiling, and object to direct marketing at any time.
  • Right to data portability: Receive certain data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another provider where technically feasible.
  • Right to withdraw consent: Where processing is based on consent (e.g., non-essential cookies/marketing), you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Automated decisions and profiling: If we use automated tools to assess fraud/abuse risk, you may request meaningful information about the logic involved and contest outcomes where required by law.

How to Exercise Your Rights (Procedure)

  1. Submit your request: Email [email protected] with the subject "Data Protection Request" and specify the right you wish to exercise.
  2. Verify your identity: For security, we may request additional information to confirm you are the account holder (this protects you from unauthorised disclosure).
  3. Our response timeframe: We aim to respond within 30 days. If a request is complex or numerous, we may extend by up to an additional 60 days, and we will tell you why.
  4. Fees: Requests are generally handled free of charge. We may charge a reasonable fee or refuse only where permitted by law (e.g., manifestly unfounded or excessive requests), and we will explain our decision.

Mexican Privacy Law Alignment (Where Relevant)

Where Mexican data protection rules are relevant (for example, if you interact with velobed.casino from Mexico or where service arrangements require it), we also recognise concepts under Mexico's LFPDPPP and its ARCO rights:

  • Access: Know what data we hold and how it is used.
  • Rectification: Correct inaccurate data.
  • Cancellation: Request deletion where legally possible.
  • Opposition: Object to certain processing.

This section is provided to increase transparency for cross-border users; your specific rights and remedies depend on your location and the laws applicable to the processing activity.

Cookies & Tracking Technologies

OBSERVE: Velobet uses cookies and similar technologies for essential site function, analytics, and potentially advertising/affiliate tracking. UK PECR requires consent for non-essential cookies.

EXPAND: We should categorise cookies (session/persistent, first/third-party) and explain purposes (strictly necessary/functional, performance/analytics, advertising). Provide management options (cookie banner/panel where available; browser controls). If no internal panel is specified, we should describe "cookie banner/consent tool on the site where available."

REFLECT: Cookies and similar technologies are small text files or identifiers placed on your device. We use:

  • Session cookies (first-party): Temporary cookies that expire when you close your browser; used for login sessions, security, and navigation.
  • Persistent cookies (first-party): Stored for a set period; used to remember preferences, language, and certain security settings.
  • Third-party cookies / SDKs: Set by service providers (e.g., analytics or advertising/affiliate tools) to measure usage, detect fraud, or attribute marketing campaigns (where enabled).

Cookie Purposes

  • Strictly necessary / functional: Enable core site features (account login, payments workflow, security protections). These are generally required for the service to function.
  • Analytics / performance: Help us understand site usage and improve stability and user experience (typically requires consent under UK cookie rules unless strictly necessary).
  • Advertising / affiliate tracking: Measure marketing effectiveness and, where applicable, personalise advertising (requires consent where required by UK PECR/UK GDPR).

How to Manage Cookies

  • Cookie banner/consent tool: Use the on-site cookie consent controls on velobed.casino (where presented) to accept, reject, or adjust non-essential cookies.
  • Browser settings: You can delete cookies and block future cookies via your browser settings; blocking strictly necessary cookies may affect site functionality.
  • Device controls: On mobile devices, you may manage tracking permissions via operating system privacy settings (where applicable).

Data Security

OBSERVE: The service handles sensitive operational data (payments, verification, gameplay history). Available information indicates TLS 1.3 is used and that user login 2FA is not available. The specification requires describing comprehensive security measures (TLS 1.2+, encryption, MFA, audits, training, incident response) and referencing ISO 27001/SOC 2 where applicable, without making false certification claims.

EXPAND: We must present a truthful security posture: state transport security (TLS 1.2+), encryption at rest "where applicable," access controls, monitoring, secure SDLC, incident response, and staff training. For MFA, we should distinguish internal administrative MFA (common) from player-facing 2FA (not available per provided data). For ISO/SOC, we can state "aligned with" or "based on" best practices, unless certified.

REFLECT: We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including:

  • Encryption in transit: We use HTTPS with TLS 1.2+ (our current configuration is indicated as TLS 1.3) to protect data transmitted between your device and our systems.
  • Encryption at rest: We apply encryption and/or strong cryptographic controls for stored data where appropriate, particularly for sensitive records (e.g., verification documents), alongside key-management and access logging.
  • Access controls: Role-based access, least-privilege permissions, account logging, and segregation of environments to reduce unauthorised access risks.
  • Authentication safeguards: Administrative access may require multi-factor authentication (MFA) and additional controls. Note: Player-facing login two-factor authentication (2FA) is not currently available; users should use strong, unique passwords and protect email accounts linked to their profiles.
  • Security monitoring and audits: Ongoing monitoring for suspicious activity, vulnerability management, and periodic security reviews. Where external audits are used, they follow recognised industry practices.
  • Staff training: Privacy and security awareness training for personnel with access to systems or personal data.
  • Incident response: Documented procedures to assess, contain, investigate, and remediate security incidents, including notification processes where required by applicable law.
  • Standards alignment: Our controls are designed to align with widely used information security frameworks (e.g., ISO/IEC 27001 and SOC 2 principles) where applicable; this statement does not imply that a specific certification has been granted unless explicitly stated elsewhere.

Regional compliance note (UK): If a personal data breach occurs that is likely to result in a risk to individuals' rights and freedoms, we will assess notification duties under UK GDPR and, where required, notify the relevant supervisory authority and affected users.

Complaints & Contacts

OBSERVE: The primary operational contact is [email protected], live chat exists but has no direct URL, and phone numbers are not specified. The service is licensed in Curaçao and provides a regulator complaints portal link. The prompt requires escalation to supervisory authorities, including Mexican and EU contacts "where applicable," but the primary jurisdiction for UK users is the UK ICO.

EXPAND: For UK GDPR, users must be told they can complain to the UK Information Commissioner's Office (ICO) and how. For Mexico, the authority is INAI. For EU, a user in the EEA can contact their local supervisory authority; we should give the EU EDPB directory link. Provide a step-by-step internal complaints process with response times and identify channels.

REFLECT: If you have questions or concerns about privacy on Velobet via velobed.casino, you can contact us and/or lodge a complaint as follows.

Contact Channels

  • Data protection / privacy requests: [email protected] (subject: "Data Protection Request")
  • Customer support (general, self-exclusion): [email protected]
  • Live chat: Available via the velobed.casino site interface (24/7); direct URL not specified
  • Postal address: Santeda International B.V., Pareraweg 45, Curaçao (no separate mailing address specified)
  • Telephone: Not specified

How We Handle Privacy Complaints (Step-by-Step)

  1. Submit the complaint: Send details to [email protected], including your username (if any), the issue, relevant dates, and any supporting documents.
  2. Acknowledgement: We aim to acknowledge receipt within 3 business days.
  3. Investigation: We review logs, account records, consent status (where applicable), and vendor processing (if relevant).
  4. Outcome: We aim to provide a substantive response within 30 days. If additional time is required due to complexity, we will explain the reason and expected timeline.
  5. Escalation: If you remain dissatisfied, you may contact the relevant supervisory authority (see below).

Escalation to Supervisory Authorities

Gaming-license complaint portal (not a data protection authority): For licensing-related player complaints referenced for the operator's licensing jurisdiction, see https://curacao-egaming.com/public-and-players/complaints. Privacy complaints should be directed to the supervisory authorities listed above.

Updates

OBSERVE: The required "Last updated" date is provided as 2025-11-06. The prompt requires notification procedures (email, banners, dashboard alerts), version control with timestamp and a changelog of material changes, plus at least 30 days' advance notice for significant changes and user options to object or close accounts.

EXPAND: We must distinguish material vs non-material changes, describe how notice is delivered, and keep a changelog. Also specify that continued use may indicate acceptance where lawful, but give the user a path to close account if they object.

REFLECT: We may update this Privacy Policy to reflect changes in law, technology, operational practices, or service features for Velobet on velobed.casino.

  • Version control: Last updated: November 2025 (effective 6 November 2025).
  • How we notify you:
    • Email: If you have an account and the change is material, we may notify you via the email linked to your account.
    • Website banner/pop-up: A notice may be displayed on velobed.casino.
    • Account dashboard alert: Where available, we may show an in-account notification.
  • Advance notice for significant changes: For material changes that affect your rights or how we use data, we aim to provide at least 30 days' notice before the change takes effect, unless urgent changes are required for security or legal compliance.
  • Your options: If you object to a material change, you may (i) adjust your privacy/cookie preferences where applicable, (ii) withdraw consent for marketing, and/or (iii) request account closure and applicable data handling consistent with "Data Retention" and legal obligations.

Changelog of Material Changes

  • November 2025: Policy refreshed for UK GDPR/UK PECR-aligned cookie transparency; clarified international transfers involving Curaçao and Cyprus payment processing; expanded user rights procedure (30-day response target) and added supervisory authority escalation links (UK ICO, EDPB directory, INAI).