ComeOn!, accessible on www.comeon.nl (“Website”), is operated by, or on behalf of, Tulipa Ent Limited (“Company” or “We” or “Us” or “Our”), incorporated in accordance with the laws of Malta, bearing registration number C101828 and has its registered office at 3rd Floor, Spinola Park, Triq Mikiel Ang Borg, St Julians SPK 1000, Malta.
- ABOUT US
- YOUR DATA
- LEGAL BASIS FOR DATA PROCESSING
- PURPOSE OF PROCESSING
- SHARING OF PERSONAL DATA
- INTERNATIONAL TRANSFER OF PERSONAL DATA
- DATA SECURITY
- DATA RETENTION
- YOUR RIGHTS
We aim to safeguard your personal data and respect your privacy rights, in accordance with the applicable law(s), in particular in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the applicable local laws of the jurisdiction in which We operate and hold a licence.
2. ABOUT US
Name of Legal Entity: Tulipa Ent Ltd
Mailing address: 3rd Floor, Spinola Park, Triq Mikiel Ang Borg, St Julians SPK 1000 (Malta)
Email address: [email protected]
3. YOUR DATA
In relation to your personal data, you are responsible for providing personal data that is complete and accurate and also for informing the Company in writing of any changes that may apply so that We can use all reasonable means to keep the information regarding you accurate, current and up-to-date. In addition, We reserve the right to implement data accuracy checks in accordance with the GDPR at any time, requiring you to verify personal data We hold on you.
4. LEGAL BASIS FOR PROCESSING
The legal basis for the collection, storage and usage of your personal data may include either one or more of the following:
- Consent: Refers to the processing of personal data based on the explicit consent of the data subject for one or more specific purposes. When processing personal data based on explicit consent We do so for as long as you do not withdraw your consent, save for exceptional circumstances which may be provided for by law. You have a right to withdraw consent at any time to stop processing operations by the Company. Such withdrawal does not however affect any processing of personal data undertaken by the Company prior to withdrawing your consent.
- Performance of a Contract: Refers to the processing of personal data undertaken when necessary for the performance and/or fulfilment of the contractual obligations that you and the Company are a party to, including but not limited to the Terms and Conditions of this Website.
- Compliance with Legal Obligations: Refers to the processing of personal data, including retention, as required by law or regulations to which the Company is subject.
- Legitimate Interest: Refers to the processing of personal data in order to operate and provide you the best possible service and experience through Our Website. Processing undertaken on the basis of a legitimate interest is done taking account of the impact that such processing operations may have on your interests and fundamental rights and freedoms.
5. PURPOSE OF PROCESSING
The table below explains what personal data We collect, at which point We collect it, and how and why We process it.

| Categories of data collected | When is this data collected? | What is the purpose for the collection of this data? | What is the legal basis for the collection of this data? |
| --- | --- | --- | --- |
| Identification Data - this includes name, surname, date of birth, et cetera. | Requested upon registration on the Website (and may be requested thereafter for data validation). | | |
| Contact Data - this includes your email address, home address, et cetera. | Requested upon registration on the Website (and may be requested thereafter for data validation). | | |
| Data which is necessary for verification purposes (this includes your ID document, proof of address, proof of income, proof of wealth, et cetera). | To be provided upon request by the Company (automated or otherwise), irrespective of the means of communication, frequency and request thereof. | | |
| Financial data (this includes your bank, credit card and/or your chosen payment method details, et cetera). | Collected upon depositing and/or withdrawing from your customer account (automated or otherwise), and irrespective of the means of communication. | | |
| Transaction data (this includes details that relate to payment orders to and/or by you). | Automatically registered when effecting a deposit and requesting a withdrawal from and/or to your customer account. | | |
| Game data (this includes details related to the games you play on our Website). | Automatically generated upon participation in a game on the Website. | | |
| Communication data (this relates to all communication between you and the Company). | When contacted (irrespective of the means of communication thereof, automated or otherwise, and includes communication originating from the Company or you). | | |
| User and Profile data - data related to your gaming habits and preferences and how you use our Website. | | | |
| Technical data (this may include your internet protocol (IP) address, login information, browser type and version, time zone, location, system and platform). | Automatically generated upon interaction with the Website or participation in a game on the Website, and Cookie data. | This data is used to (i) ensure that customers are not from restricted territories; (ii) ensure that customers do not use a proxy or VPN; (iii) ensure that customers do not misuse bonuses or conduct fraud; (iv) improve the functionality of the Website, solve technical problems, et cetera; (v) evaluate use of social media campaigns. | Performance of contract &/or Legitimate interest. |
| Marketing data (this includes your preferences regarding receiving marketing messages from us and other 3rd parties that we operate with). | Requested upon registration on the Website (as may be thereafter amended by the customer or following the customer’s direct instructions). | Marketing via various communication means (own marketing or through affiliates). | Explicit consent (granular - per means of communication/type) &/or Legitimate Interest. |
The below section provides further information on automated processing undertaken by the Company.
- Marketing activities
In accordance with the applicable laws and on the basis of Our legitimate interest and/or your consent, We may, from time to time, inform you about our own similar products or services (such as our new services, promotions and/or bonuses) based on your interest identified taking into account player preference in relation to games. We do our best to ensure that you have control over the type of marketing material you receive from Us or from third parties who act as data processors to Us and process your data on our behalf and following our instructions. You can view, change and/or update your marketing related preferences from your “My Account” section. You may also contact the DPO or the Company’s Customer Service on live chat or [email protected] to change your marketing preferences at any time.
- AML and Social Responsibility
To comply with our legal obligations stemming from applicable law, license requirements and conditions, if and when applicable, We collect data relating to your self-exclusion, which for your guidance includes data pertaining to you as listed above, and which provides information on your gambling patterns, and your self-exclusion such as your identification data and contact data and your self-exclusion information, such as commencement date, reason, and your use of limit functions made available to you by Us, such as exclusions, product limits, deposit limits, wager limits et cetera (“Self-Exclusion Data”). Please note that the full list of the limit functions available to you is listed on your account; alternatively, please contact Customer Support for further information and/or assistance in relation to the limit functions available to you.
In order to comply with our legal obligations stemming from applicable law, license requirements and conditions, if and when applicable, We collect financial data, transaction data, self-exclusion data and any other data category listed above (as applicable) related to you. The data is generated on the basis of a risk assessment compiled on the basis of player activity with a view to undertaking risk assessments of players for AML and RG purposes based on set categories.
It is to be noted, however, that all the processes listed in this section are not undertaken solely by automatic means. Ongoing monitoring is subject to manual checks in each case and all decisions involve an element of human intervention.
6. SHARING OF PERSONAL DATA
As the Company’s suppliers, service providers or business partners are required/responsible for certain parts of the overall functioning or operation of the Website, games and other services made available to you by Us, We may need to share your personal data for the above-mentioned purposes with the said suppliers, service providers or business partners. These include:
- Game and/or Sportsbook Providers: At times, our game providers will need access to certain data (such as your username and/or IP address) in order to provide us with the games you play on our Website.
- Payment Service Providers: We share your personal data with the payment service provider you use to make deposits and withdrawals on our Website.
- Marketing Suppliers or Partners: When you consent to Us sending you marketing and promotions, We may share your contact information (such as email address or postal address) with our marketing partners who are responsible for sending our marketing material to you.
- Customer Interaction Software Providers: We use third party software to help Us communicate with you, allowing Us to send emails to you and speak with you on our live chat function.
- AML, Identity and Anti-Fraud Software Providers: We may, if necessary or authorized by law, provide your personal data to law enforcement agencies, government or regulatory organizations, courts or other public authorities. We may, at our discretion, contest such claims if We believe the requests are disproportionate, unclear or lack the proper authority.
- Government or Regulators: Where necessary or permitted by law, We may disclose your personal data to law enforcement agencies, governments or regulators, courts or other public entities. We may dispute such claims in our sole discretion if We believe that a request is disproportionate, unclear, or not being made with proper authority.
- Data Analytics and/or Business Intelligence Service Providers: We may use service providers for the purpose of data analytics and/or business intelligence.
- External Auditors
- Group Companies or Third Party Suppliers: We may share your personal data with other companies that are within the same group of companies and/or with third party suppliers, that provide certain services/support for services and functions made available to you by the Company on Our Website.
Furthermore, We may share personal data if We enter any kind of merger, acquisition or business sale or part thereof (as customers’ personal data generally is included in the sale or transfer thereof) and/or sale or transfer of specific asset/s of the business which might include customers’ personal data.
7. INTERNATIONAL TRANSFER OF PERSONAL DATA
Some of the service providers (listed above) may be based outside the European Economic Area (“EEA”), and accordingly, the processing of your personal data will involve a transfer of data outside the EEA. Whenever We transfer your personal data outside of the EEA, We do so ensuring a similar degree of protection to your personal data as provided by Us to you. To ensure the protection of your personal data, We will implement one of the following safeguards:
- Adequacy Basis – We will ensure that the transfer of your personal data is undertaken with entities established in countries that are deemed to provide an adequate level of protection for personal data by the European Commission.
- Standard Contractual Clauses – In the absence of an adequacy decision, We may use the Standard Contractual Clauses approved by the European Commission, providing the same standard of protection to personal data as in the EEA. In accordance with the Court of Justice of the European Union Schrems II decision, We shall also implement complementary measures (including technical and organisational measures), in addition to the Standard Contractual Clauses as necessary.
8. DATA SECURITY
As a company, We aim to achieve the highest possible level of security and privacy, taking the confidentiality, integrity and availability of all data that is processed seriously. In order to deliver such value to our customers, employees and interested parties, We manage our Information Security Management System according to the ISO 27001 Standard. We also review and update our security objectives and risk treatment on a regular basis and commit to procure all necessary resources for the continuous improvement of our established Information Security Program to sustain a professional level of protection.
To ensure the security of personal data, the Company has implemented a number of technical, contractual, as well as organizational measures to ensure that personal data is not accidentally lost, used or accessed in an unauthorized manner, altered or disclosed. We also limit access to personal data by employees, agents, contractors and other third parties on a "need-to-know" basis. This means that only persons with a need to access your personal data will have access to it (or parts of it – as applicable). In addition, the said persons will only process your personal data on Our instructions subject to a duty of confidentiality.
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where We are legally required to do so.
9. DATA RETENTION
The Company will only retain your personal data for as long as it is necessary to fulfil the purpose we collected it for, including but not limited to the purposes of meeting and complying with any legal, accounting, or reporting requirements.
When determining how long a retention period is appropriate for your personal data, We take into account various factors, such as the nature and sensitivity of the personal data, the potential risk of unauthorized use or disclosure of such data, the purpose We collected and processed such data for and applicable laws and/or legal requirements to which We are subject.
Upon the closing of your account, We retain your personal data to fulfil legal obligations to which We are subject, and use them for the purpose of establishing, defending or exercising legal claims. When your personal data is no longer required for such purposes, We will either securely delete or anonymise the personal data in question.
Please contact the DPO for further information about Our retention periods.
10. YOUR RIGHTS
You have the following rights with respect to your personal data processed by the Company:
- Right of Access: You can request to know if We are processing personal data relating to you and also request a copy thereof free of charge.
- Right to Rectification: If any personal data We hold about you is incomplete or incorrect, you can request to have your personal data corrected. Please note that We may need you to provide proof and documentation (such as your proof of address) in order to verify the accuracy of the data and comply with your request.
- Right to Object to Certain Processing: You have a right to object to the processing of your personal data where personal data is processed for direct marketing or where We rely on legitimate interest (Ours or of a third-party), and you feel that your interests or fundamental rights and freedoms override the legitimate interest. However, in the latter circumstance, We may prove We have compelling legitimate reasons to process your personal data which may override your rights. When exercising this right you are to submit the reasons for objecting to the processing of personal data to Our DPO.
- Right to Restriction: You may, in some cases, request a restriction/suspension of the processing of your personal data. Instances of when this right may be exercised include instances where personal data is incorrect or where you have objected to the processing of your personal data, until such time that We verify whether We have compelling overriding legitimate reasons to reject your request to object.
- Right to Withdraw Your Consent: Where We process personal data on the basis of your consent, you have a right to withdraw consent at any time. Should you exercise your right to withdraw consent, We will determine whether at that stage an alternative legal basis (such as a legal obligation) exists for processing of your personal data. If We are authorised to process your personal data in the absence of your consent, We undertake to inform you accordingly. It is to be noted that withdrawal of your consent will not affect the legality of the processing performed until the time you withdrew your consent.
- Right to Data Portability: You may request to receive your personal data in a structured, commonly used and machine-readable format for use by another data controller and, where technically feasible, to have such data directly transmitted to the other data controller.
- Right to Erasure: You have a right to request the deletion of your personal data but this shall apply only where We do not have a legal ground for processing your data further. It is important to note that although you have the right to have your personal data deleted, We are often not in a position to delete the data in its entirety, due to compliance with a legal obligation and for the establishment, exercise and defence of legal claims entitling Us to retain personal data for a specific period.
- Right to Lodge a Complaint: You have the right to submit a complaint with a supervisory authority at any time. Our lead supervisory authority is the Information and Data Protection Commission (“IDPC”), Malta. However, We would encourage you to contact us in the first instance for the opportunity to resolve and/or answer any queries, concerns or issues that you may have before referring the matter to the supervisory authority.
When exercising your rights, We may need to request further information from you to help Us verify and confirm your identity and ensure you are exercising your right in relation to your personal data. Such information is requested as a security measure to ensure that personal data is not disclosed to persons who do not have a right to receive it.
We will do Our utmost to respond to all legitimate requests within a period of one month from the submission of a request and subsequent verification and confirmation of your identity. Occasionally it may take Us longer than a month if your request is particularly complex or you have made more than one request. In such circumstances, We will keep you updated and notify you of the need for an extension of the timeframe in accordance with the GDPR.
If you choose to communicate via social media, the information you provide is also linked to your social media profile/account. Social media platforms have their own privacy policies and you must contact them directly in order to exercise your rights or request the deletion of communication between you and Us on the platform in question.
We may periodically offer you the opportunity to participate in competitions or surveys on Our Website. If you participate, We may, in some cases, ask you for certain personal data. Participation in these surveys or competitions is completely voluntary and it is up to you if you choose to disclose personal data.
We also post customer testimonials, comments and reviews on Our Website which may contain personal data. Such personal data is only made public after We collect consent via email prior to posting the testimonial. You may request to have your personal data removed from testimonials, comments or reviews, at any time by contacting us on [email protected].
We may post winner notifications, leaderboards and similar notices on Our Website but names will be censored in all such posts. Nonetheless, these notifications and messages may be connected to specific games and/or campaigns. Please refer to Our Terms and Conditions and/or the campaign-specific Terms and Conditions for more information. If you would like to object to this, or reduce the amount of information posted, please contact us at [email protected].
Implementation date: 13-10-2022
Description: Document created
Version: Version 1.0