GDC Media Limited, a subsidiary of Gambling.com Group Limited (Nasdaq: GAMB) (“GAMB”), is the owner of the websites operated by and on behalf of the Group.
The terms “GDC”, “we”, “us”, or “our” refer collectively to GAMB, and its current and future subsidiaries (“Group Members”).
GDC Media Limited has licensed the operation of certain GDC’s websites in certain geographic locations to other Group Members, including:
(a) all GDC websites operating in the United States to GDC America Inc., a GAMB subsidiary;
(b) certain GDC websites operating in the area of the United States to Roto Sports, Inc., a GAMB subsidiary, under a sub-license from GDC America; and
(c) certain GDC websites operating worldwide (excluding the United States), to NDC Media Limited, a GAMB subsidiary.
This Privacy and Cookies Policy (“Policy”) describes the practices of GDC Media Limited, including the Group Members involved in the operation of the GDC’s websites in different geographic locations and the rights and choices available to individuals regarding personal data.
GDC respects your privacy and is committed to protecting your personal data. Personal data means any information that relates to an identifiable individual. It does not include data where the ability to identify an individual has been removed (anonymous data).
This Policy describes the rights and choices regarding your personal data. It is important that you read the Policy carefully. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact us using the details set out below.
We may alter this Policy as needed for certain services of GDC and to abide by local laws or regulations around the world, such as by providing supplemental information in certain countries. This Privacy Notice does not apply to GDC’s processing of the personal data of its personnel, such as employees and contractors.
We also provide important additional information in paragraph 8 that is solely applicable to individuals located within the Member States of the European Union, countries in the European Economic Area, the United Kingdom, and Switzerland (collectively, “Europe” or “European”) and for individuals located in the State of California, United States:
· European users should read the important information provided below about transfer of personal data outside of Europe.
· California residents should read the important information provided below regarding our handling of the personal data.
We collect personal data about individuals from various sources described below. Where applicable, we indicate whether and why individuals must provide us with personal data, as well as the consequences of failing to do so. We may collect, use, store and transfer different kinds of personal data about you (“Personal Data”) which we have grouped as follows:
“Personal Information” includes any information from which you can be personally identified, including your name, surname, email address, telephone number or mobile number.
“Profile Data” includes a username, password and a profile image that an individual may establish and upload on one of our websites or mobile applications, along with any other information that an individual enters into their account profile;
“Financial account data” includes payment card details or bank account details;
“Recruitment Process Data” includes the CV and any covering letter of a job applicant and notes taken for the duration of your recruitment process relating to a job application and interview of a job applicant; Other information supplied by a job applicant, such as professional credentials and skills, educational and work history, and other information of the type included on a CV or covering letter;
“Technical Data” includes internet protocol (IP) address, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to access our websites;
“Usage Data” includes information about how you use our websites.
We also may collect, use and share “Aggregated Data” such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity.
We do not collect any information about your race, ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data. However, if you are applying for a job with us, we will collect information about criminal convictions and offences.
We automatically collect Technical Data and Usage Data. If you are using a mobile device, we collect data that identifies your mobile device, device-specific settings and characteristics, app crashes and other system activity.
We may use different methods to collect data from and about you including the following:
· Via direct interactions. You may give us your Personal Information and Recruitment Process Data by: a) filling in any a job application form on our Career Page, b) providing an email address to register with our websites and/or receive our newsletter, or c) providing your contact details via our registration and/or newsletters form.
· Automated technologies. As you interact with our websites, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this data by using cookies, server logs and other similar technologies.
· Third parties or publicly available sources. We may partner with third parties (such as content providers and analytics companies including Google Analytics, OptInMonster, Hotjar, and Convert.com) to help us improve the services of our website, including to provide you with relevant and interesting content and to conduct analytics and measurement to understand how our services are used. These companies may collect information from you automatically in connection with your visit.
Generally, our websites can be accessed and used without registration and without having to provide us any Personal Data (Personal Information, Profile Data, and/or Recruitment Process Data). You may opt in to receive information about promotions, bonuses, bets, tips and strategy by subscribing to our mailing list by providing your email address. You may any time opt out from receiving such communications by writing to us or clicking the “unsubscribe” button in any of our emails to you. In case you contact us, whether by email, through contact forms, or in other writings, we may keep a copy of that correspondence. We will not share your Personal Data with third parties for marketing purposes unless you have provided us with your express consent to do so.
We may use your Personal Data for the purposes of:
Providing our services, which may include:
· Operating, evaluating, maintaining, improving, and providing the features and functionality of our services;
· Fulfilling a payment transaction initiated by you;
· Communicating with you regarding your account with us, if you have one, including by sending you service-related emails or messages (e.g., messages regarding account verification, changes or updates to the functionality of our services, technical and security notices and alerts, and support messages)
· Personalizing the manner in which we provide our services;
· Administering and protecting our business; and
· Providing support and maintenance for our services, including responding to your service-related requests, questions, and feedback.
For research and development
We use the information we collect for our own research and development purposes, which include:
· Developing or improving our services; and
· Developing and creating analytics and related reporting.
We may use your Personal Data to form a view on what services we think you may want or need or what may be of interest to you.
We may contact you with marketing communications using the Personal Data you have provided to us if you have actively expressed your interest in availing of our services or have availed of our services and, in any case, you have not opted out of receiving that marketing, to the extent permitted by applicable law.
You can ask us to stop sending you marketing messages at any time by contacting us using the details below or clicking on the opt-out link included in each marketing message.
Should you choose to opt out of receiving our marketing messages, we will continue to conduct our other relevant activities using your Personal Data, including sending non-marketing messages.
Managing our recruiting and processing employment applications
We process Personal Data, such as information submitted to us in a job application, to facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity, and monitoring recruitment statistics.
Complying with law
We use your Personal Data as we believe necessary and appropriate to comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities.
Compliance, fraud prevention and safety
We use your Personal Data as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our services; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
With your consent
In some jurisdictions, applicable law may require us to request your consent to use your Personal Data in certain contexts, such as when we would like to send you certain marketing messages. If we request your consent to use your Personal Data, you have the right to withdraw your consent any time in the manner indicated when we requested the consent or by contacting us. If you have consented to receive marketing communications from our third-party partners, you may withdraw your consent by contacting those partners directly.
To create anonymous data
We may create anonymous data from your Personal Data and other individuals whose Personal Data we collect. We make Personal Data into anonymous data by excluding information that makes the data personally identifiable to you and use that anonymous data for our lawful business purposes.
We may have to share your data to the following parties:
We may disclose your Personal Data to other Group Members for purposes consistent with this Policy.
We may employ third parties to administer and provide services on our behalf (such as third parties that provide customer support, third parties that we engage to host, manage, maintain, and develop our websites, mobile applications, and IT systems, and third parties that help us process payments). These third parties may use your information only as directed by us and in a manner consistent with this Policy. These third parties are prohibited from using or disclosing your information for any other purpose.
Participants in the transaction processing chain
We may share your Personal Data with companies in the transaction processing chain in connection with processing a payment transaction, such as merchants, banks or other card issuers, card associations, debit network operators and their members.
We may disclose your Personal Data to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary, in the course of the professional services that they render to us.
Compliance with Laws and Law Enforcement; Protection and Safety
GDC may disclose information about you to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern our services; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors, subsidiaries, affiliates and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality. We have put in place commercially reasonable procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will process and store the relevant Personal Data for as long as it is necessary or required in order to fulfil our legal, contractual, or statutory obligations and/or for the establishment, exercise or defence of legal claims.
In this section, we describe the rights and choices available to all users. Users who are located in Europe may read additional information about their rights in paragraph 8 below.
You can ask us to stop sending you marketing messages at any time by contacting us or clicking on the opt-out link included in each marketing message. You may continue to receive service-related and other non-marketing messages.
Choosing not to provide your Personal Data
Where we request Personal Data directly from you, you do not have to provide it to us. If you decide not to provide the requested information, in some circumstances we may be unable to provide services to you. For example, we may be unable to process your transaction.
Accessing, modifying or deleting your information
In some jurisdictions, applicable law may provide a right for individuals to access, modify, or delete their Personal Data in some. You may contact GDC directly to request access to, modify or delete your information. We may not be able to provide access to, modify, or delete your information in all circumstances.
If you have a complaint about our handling of your Personal Data, you may contact our data protection officer using the contact information below. We request that a complaint be made in writing. Please provide details about your concern or complaint so that we can investigate it. We will determine whether to take action in response to your complaint, which, if we do so, may include conducting internal discussions with relevant business representatives. We may contact you for additional details or clarification about your concern or complaint. We will contact you to inform you of our response to your complaint. You also may have a right to file a complaint with a national or local regulatory agency.
GDC is the data controller for the purpose of the General Data Protection Regulation (“GDPR”), and other applicable data protection laws. This means that GDC is principally responsible for looking after your Personal Data and this Policy determines the means and purposes of processing of Personal Data.
Legal bases for processing
We are required to inform you of the legal bases of our processing of your Personal Data, which are described in the table below. If you have questions about the legal basis of how we process your Personal Data, please contact us at firstname.lastname@example.org.
|Providing our services
|Processing is necessary to perform the contract governing our provision of the services.
|Marketing For research and development To manage our recruiting and process employment applications For compliance, fraud prevention and safety To create anonymous data
|These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you and your rights before we process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
|To comply with law
|Processing is necessary to comply with our legal obligations.
|With your consent
|Processing is based on your consent. Where we rely on your consent, you have the right to withdraw it anytime in the manner indicated at the time we collect your information or by contacting us at email@example.com
Use for new purposes
We may use your Personal Data for reasons not described in this Policy where permitted by law and the reason is compatible with the purpose for which we collected it.
How long will we use your Personal Data?
We will use your Personal Data for as long as necessary based on why we collected it and what we use it for. This may include our need to satisfy a legal, regulatory, accounting, or reporting requirement.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In general terms, we will retain your Personal Data for the duration of your involvement/engagement with us and for as long as reasonably necessary afterwards. There are also certain types of information which are required to be retained for a certain period by law.
Your individual legal rights
You have the right to obtain access, rectification, erasure, restriction of Personal Data, portability of Personal Data and to object to the processing of your Personal Data, under the conditions and restrictions laid out in Chapter III of the GDPR as follows:
· Access. You are entitled to ask us if we are processing your Personal Data and, if so, for a copy of the Personal Data we hold about you, as well as obtain certain other information about our processing activities.
· Correction. If any Personal Data we hold about you is incomplete or inaccurate, you can require us to correct it, though we may need to verify the accuracy of the new data you provide to us.
· Erasure. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it.
· Object. Where our reason for processing your Personal Data is legitimate interest, you may object to processing as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
· Restriction. You may ask us to suspend our use of your Personal Data in the following scenarios:
· if you want us to establish the data's accuracy;
· where our use of your Personal Data is unlawful but you do not want us to erase it;
· where you need us to hold your data for a longer period than we usually would, because you need it to establish, exercise or defend legal claims; or
· you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
· Transfer. Where it is possible, we will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to Personal Data provided by you which you initially provided consent for us to use or where we used the information to perform a contract with you.
· Withdraw consent. Where our reason for processing is based on your consent, you may withdraw that consent at any time. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
· Automated decision making. You have the right not to be subject to automated decision making (e.g., profiling) that significantly affects you. The exercise of this right is not available to you in the following cases:
· The automated decision is required to enter into, or perform, a contract with you.
· We have your explicit consent to make such a decision.
· The automated decision is authorised by local law of an EU member state.
However, in the first two cases set out above, you still have the right to obtain human intervention in respect of the decision, to express your point of view and to contest the decision.
If you have any questions about this Policy or wish to exercise any of the rights set out above, please contact us at firstname.lastname@example.org.
We may need to request specific information from you to help us confirm your identity and ensure you are entitled to exercise a right in respect of your Personal Data. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
There may be legal or other reasons why we cannot, or are not obliged to, fulfil a request to exercise your rights. We will use available lawful exemptions to your individual rights to the extent appropriate. If we decline your request, we will tell you why, subject to legal restrictions.
You also have the right to make a complaint at any time to a supervisory authority (for more information go to https://edpb.europa.eu/about-edpb/board/members_en).
We are required by the California Consumer Privacy Act of 2018 (“CCPA”) to provide California residents with an information of how we collect, use and share their Personal Data, and of the rights and choices we offer California residents regarding our handling of the Personal Data.
Your California privacy rights
As a California resident, you have the rights listed below. However, these rights are not absolute, and we may decline your request as permitted by the CCPA.
· Information. You can request the following information about how we have collected and used your Personal Data during the past 12 months:
· The categories of Personal Data that we have collected.
· The categories of sources from which we collected Personal Data.
· The business or commercial purpose for collecting Personal Data.
· The categories of third parties with whom we may share your Personal Data.
· Whether we have disclosed your Personal Data for a business purpose, and if so, the categories of Personal Data received by each category of recipient.
· Whether we’ve sold your Personal Data; and, if so, the categories of Personal Data received by each category of recipient.
· Access. You can request a copy of the Personal Data that we maintain about you.
· Deletion. You can ask us to delete the Personal Data that we maintain about you.
· Non-discrimination. You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions such as by denying you goods or services, increasing the price/rate of goods or services, decreasing the service quality, or suggesting that we may penalize you as described above for exercising your rights. However, the CCPA allows us to charge you a different price or provide a different service quality if that difference is reasonably related to the value of the Personal Data we are unable to use.
How to exercise your rights
You may exercise your California privacy rights as follows:
Right to information, access and deletion
You can request to exercise your information, access and deletion rights by:
· Contacting us at email@example.com
· Identify verification. The CCPA requires us to verify the identity of the individual submitting the request before providing a substantive response to the request. A request must be provided with sufficient detail to allow us to understand, evaluate and respond. The requester must provide sufficient information to allow us to reasonably verify that the individual is the person about whom we collected information. A request may also be made on behalf of your child under 13.
· Authorized agents. California residents can empower an “authorized agent” to submit requests on their behalf. We will require the authorized agent to have a written authorization confirming that authority.
Sale of Personal Information
We do not sell your Personal Information to third parties as defined in the CCPA.
Personal information that we collect, use and share
The table below summarizes what data we may collect or what data may have been collected from California residents during the last 12 months before the effective date of this Policy.
Please note that the categories and examples provided in the list below are those defined in the CCPA. This does not mean that all examples of that category of personal information were in fact collected by GDC but reflects our good faith belief to the best of our knowledge that some of that information from the applicable category may be and may have been collected. For example, certain categories of personal information would only be collected if you provided such personal information directly to us.
|Categories of Information We Collect
|Data Elements within the Category
|Do we collect this information?
|Do we share this information for business purposes?
|Real name, alias, postal address, unique personal identifier, customer number, email address, account name, other similar identifiers.
|An online identifier or other persistent identifier that can be used to recognize a person, family or device, over time and across different services, including but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers (i.e., the identification of a person or a device to a degree of certainty of more probable than not) that can be used to identify a particular person or device.
|Protected Classification Characteristics
|Race, religion, sexual orientation, gender identity, gender expression, age
|Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
|An individual's physiological, biological or behavioural characteristics, including DNA, that can be used, singly or in combination with each other or with other identifying data, to establish an individual's identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a face print, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
|Internet or Network Information
|Browsing history, search history, and information regarding a consumer's interaction with an Internet website, application, or advertisement.
|Precise location, e.g., derived from GPS coordinates or telemetry data.
|Professional or Employment Information
|Information relating to a person's current, past or prospective employment or professional experience (e.g., job history, performance evaluations), and educational background.
|Bank account number, debit or credit card numbers, insurance policy number, and other financial information.
|Personal information about an individual's health or healthcare, including health insurance information.
Cookies are small pieces of data served on your computer that remember what you enter while you're browsing a website. For more information about cookies and how they work, please visit: www.aboutcookies.org.
More information on how to deactivate or delete cookies can be found below as well as on https://www.aboutcookies.org/cookie-faq/.
Some browsers provide helpful cookie guides:
· Firefox: http://support.mozilla.org/en-US/kb/Cookies
· Internet Explorer: http://support.microsoft.com/kb/278835
· Safari 5 for Mac: https://support.apple.com/e
In addition, Google Analytics provides its own opt-out options:
In the case of mobile devices, it may be necessary to consult the device’s instruction manual to manage cookies effectively. Restriction of cookies may have an impact on the functionality of our websites.
Essential cookies are necessary for our websites to work effectively. They help to make our websites usable by enabling basic functionalities such as page navigation and accessibility to secure areas of our websites. Cookies of this nature may also be used to protect and accelerate our websites for security reasons and to identify our trusted visitors. They may filter bots and distinguish them from legitimate users, preventing any form of spam activity on our websites.
Preference cookies enable our websites to remember information that changes the way our websites behave or look. They may also be used to provide services you have asked for.
Analytics cookies analyse information about how our websites are being used. Analytics cookies can process information about the number of visitors to our websites, where visitors to our websites came from, the pages they visit, scrolling activities, downloads, information about user agents, time spent on our websites and approximate geo-location of a device that you use to access our websites. We use this information to compile reports that help us to improve our websites.
In case we allow others to service cookies through our websites and/or apps, these cookies are called “third party cookies”.
Below is more information about most common cookies that we use, how they are used, and how long they will be stored on your computer or device.
Our most common cookies are:
|KAX_P - Placed by GDC
|This is a first party cookie to give us information about how visitors discover our websites (e.g., whether they clicked a Google search result, an advertisement or typed any of our websites address on their browser). This cookie is stored for 1 month.
|Google Analytics – Placed by Google
|This third-party cookie provides us information about your use of the site, including where the site is accessed from, time of visit, pages viewed, etc. This cookie is stored for 2 years.
|Google AdWords - Placed by Google
|This third-party cookie enables us to advertise our site using Google AdWords campaigns. This cookie is stored for 2 years.
|_ga - Google cookie used to identify users which expires after 2 years. _gid - Google cookie used to identify users which expires after 24 hours. _gasessionid - Placed by Google. Used to tie user activity to a specific time window. _gaclientid - Placed by Google. Unique identifier for a browser–device pair that helps Google Analytics link user actions on a site. _utmzz - Placed by Google. Used to track where visitors came from.
|Microsoft Clarity. Placed by Microsoft. Used to track how users interact with a site. MMID - Placed by Microsoft Identifies unique web browsers visiting Microsoft sites.
|KTag Cookies (our inhouse tracking system)
|g_uuid - KTag User ID. Placed by gambling.com group and used to assign an anonymous identifier to each user so we can tailor content to your preferences. g_sid - KTag session id. Placed by gambling.com group and used to assign an anonymous session to each user so we can track which advertisements perform best.
|Optin Monster Cookies
|Placed by Optin Monster. Used to track user interactions with AB tests.
|PrivacyModalVisited. Placed by gambling.com. Used to track if users interacted with a model to avoid showing it twice.
|Hotjar - Placed by Hotjar
|This third-party cookie allows us to measure and observe user behaviour on our websites with no connection to personal information.
|This third-party cookie allows us to tailor content based on viewer preferences. This cookie is stored for 10 Months.
|This third-party cookie allows us to create interactive features for our users on some of our websites and it enables you to log in to be able to post a comment, like a comment, follow a user or a conversation, etc.
|Cloudflare - Placed by Cloudfare.
|This cookie is strictly necessary for Cloudflare's security features and cannot be turned off. It does not correspond to any user ID in your web application and does not store any personally identifiable information. This cookie is stored for 12 Months.
|This cookie is used to deliver GDC advertisements relevant to you, based upon your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of an advertising campaign. This cookie is stored indefinitely.
|Facebook custom audiences
|This cookie is used to deliver GDC advertisements relevant to you, based upon your on-site actions. This cookie is stored for 180 days. We may use Facebook custom audiences to deliver advertisements to email subscribers based on email addresses we have gathered. For further information on Facebook advertising please visit here. To learn how to opt out of Facebook advertising please visit here.
|This cookie is used to send you notifications relevant to you based upon your interests, after you have subscribed to receive notifications from GDC. They are also used to send you notifications based on your geolocation. For instructions on how to unsubscribe from receiving notifications please visit here.
|Cohort - ID
|This cookie is used categorise the user into a group based on their device so that we are able to tailor better offers for you.
|This cookie is used to deliver GDC advertisements relevant to you, based upon your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of an advertising campaign. This cookie is stored indefinitely. If you would like to opt out of our service for all browsers we have been able to link to the cookie ID of your current browser, please see the opt out module included in the “User Choices” section here. If you only want to opt out from your current browser uncheck the box.
If you have any questions about this Policy or you wish to exercise any of the rights set out above, please contact us at firstname.lastname@example.org.
We will respond to all legitimate requests promptly and, in any event, within any timeframes prescribed by applicable law. In general, we must respond to queries within one month from the receipt of the request. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.