Data Protection at Boo Casino

This document defines the procedures for collecting, storing, using, and disclosing the personal data of all individuals interacting with Boo Casino New Zealand – from casual visitors to active players with verified accounts. The document applies to the main site, all related web pages, advertising materials, emails, and push notifications under our management. We acknowledge that you have the right to know what data we receive, why we need it, and what happens to it at every stage. This document is not a formal obligation but a working tool that describes the platform's actual practices. We recommend reading it before creating an account. Providing personal data is exclusively your choice. No one has the right to compel you to do so. If you do not accept the described conditions, simply do not use the platform. If you register an account or continue using the site after reading this document, we consider this informed consent to our data processing rules.

What Data We Receive

Information reaches us through several channels: generated automatically with each visit, provided by you during registration and verification, accumulated during gaming activity, and also coming from third-party services integrated into the platform. Details for each category are provided below.

Technical Data – Automatic Collection

Every request to the server records a set of technical parameters: IP address, browser type and version, operating system, screen resolution, language and keyboard settings, and internet provider. In parallel, information about behavior on the site is collected: which page you came from, which elements you clicked on, how long you viewed a particular section, and at what scroll depth you left the page. Click heatmaps and session timestamps are part of the same dataset.

Geolocation is determined at the country or region level by IP address. A unique device identifier is assigned at the first visit and allows for recognizing repeat visits from the same device. Part of the data is collected directly by our servers, part through cookies and similar technologies, and part through partner analytics systems.

Player Data During Registration and Verification

Opening a gaming account requires a standard set of information established by the regulator. At the start, this is a basic form: name, email, phone, address, date of birth, and gender. As you use the platform, the volume of data expands – gaming history, transactions, support requests, and self-exclusion applications are recorded.

To complete KYC, we may require an expanded package of documents. The specific list depends on the verification level and transaction amounts:

Data CategoryWhat It Includes
Identity documentPassport, national ID, driver’s license
Address confirmationUtility bills, bank statements no older than 3 months
Payment detailsCard or bank account data
Financial documentsSource of funds for large transactions
Gaming historyDeposits, withdrawals, bonus activity, and self-exclusion applications
Health dataOnly with explicit consent, exclusively for responsible gaming programs

The request for certain documents is not our initiative, but a mandatory condition of the licensing agreement with the regulator.

Data From Your Communications

Any contact with the support team – through chat, email, or phone – leaves a record: name, contact details, nature of the request, attached files, and any additional information you provide voluntarily. This information is used to process the request and is stored as part of the account interaction history.

Data From Third-Party Platforms

Payment systems, gaming content providers, affiliate networks, and marketing platforms may transmit technical identifiers and transactional data to us as part of the integration process. Each of these services operates under its own privacy policy, which is not canceled or replaced by ours. When using third-party platforms, we recommend familiarising yourself with their rules separately.

Why We Use the Data

All collected data serves specific operational and regulatory purposes. We do not collect data “just in case” – every data category is tied to a clear purpose.

  • Platform operation. Without technical data, the site will not display correctly on your device. Without registration data, it is impossible to create an account. Without payment details, a transaction cannot be conducted. This is the foundation on which everything else rests.
  • Identity verification. We are obliged to ensure that you are a real person who has reached the age of majority and has the right to participate in gambling in your country. This is not our choice, but a condition of the current license.
  • Processing financial transactions. Every deposit and every withdrawal is recorded, checked against anti-fraud criteria, and archived. Payment data is transferred to processing partners solely for conducting a specific transaction and for no other purpose.
  • Security and fraud prevention. Technical data and gaming activity are analyzed in real time. This allows for identifying suspicious patterns, such as creating multiple accounts for one player, bonus abuse, unauthorized access, and attempts to launder funds through gaming operations.
  • User support. The history of requests allows our operators to see the full context of a problem. You will not have to explain the situation from scratch to each new contact – the operator can see the previous correspondence and understand the essence of the matter.
  • Product improvement. Aggregated behavioral data – without reference to specific users – helps identify interface bottlenecks, test changes, and prioritize development.
  • Personalized marketing. Based on gaming preferences, we may offer relevant bonuses and promotions. This happens only with your consent and only to the extent that it does not violate responsible gaming principles.
  • Legal compliance. Part of the data we are obliged to store and, when necessary, provide to the regulator – regardless of any other considerations.

Depending on your jurisdiction, we rely on one or more legal grounds: performance of a contract with the player, the operator’s legitimate interest, the user’s explicit consent, or compliance with regulatory requirements.

If the legislation applicable to you requires separate consent for processing, acceptance of the terms of use counts as such consent. It can be withdrawn at any time by writing to [email protected].

Where Your Data Is Stored

Main processing takes place in the United Kingdom. Some technical partners are physically located in other countries. In such cases, we conclude data processing agreements with them, obliging them to maintain protection standards comparable to European requirements – regardless of how strict local legislation is.

Player data is transferred outside the main jurisdiction only to countries permitted by our licensing agreements. We do not work with partners who cannot confirm compliance with the personal data protection standards we have adopted.

How Long Is Data Stored

The principle is simple: no longer than is reasonably necessary. Specific periods are determined by the nature of the data, the purpose of its collection, possible legal risks, and regulatory requirements.

Data of a registered player after account closure is stored for no less than five years – this is a mandatory requirement of the gambling regulator. This period cannot be reduced upon user request: we are not entitled to violate licensing obligations. Upon expiry of the established periods, data is deleted or irreversibly anonymized.

Correspondence with support, technical logs, and marketing data are stored in accordance with internal regulations based on the type of information and potential legal risks. We do not notify individuals about data deletion on an individual basis – this occurs in a scheduled manner as storage periods expire.

To Whom We Transfer Data

We do not sell personal data to third parties and do not use it for purposes beyond this document. Data transfer occurs in strictly defined cases, each of which is described below.

  • Government bodies and law enforcement. Upon receiving a lawful request – a court order, official warrant, or requirement within an investigation – we provide data to the extent strictly necessary to fulfill that requirement. The initiative in such cases comes from authorized bodies, not from us.
  • Technical and service partners. We engage specialized companies to ensure platform operation: payment processors, IT infrastructure providers, identity verification services, analytics systems, and marketing tools. Each partner has access only to the data needed to perform their specific function and operates under a data processing agreement with clear restrictions.
  • Affiliated structures of the GFO group. Internal data exchange occurs within the tasks described in this document and does not go beyond the group without additional grounds.
  • Business buyers. In the event of a merger, acquisition, or asset sale, data may be transferred to a successor. We will notify you of significant changes of this kind in advance – by email or through a notice on the site – with a description of how this will affect your data.

Anonymized and aggregated data, which cannot be used to identify a specific person, may be transferred to partners without additional consent. This is standard practice for analytics and product improvement.

Cookies and Tracking Technologies

Our platform uses several types of cookies. Session cookies store technical parameters of the current visit and are deleted when the browser is closed. Persistent cookies remain on the device between sessions and are used for analytics, personalization, and targeted communications. Tracking pixels and container tags are used within marketing campaigns – both ours and partners’.

Some cookies temporarily store personal data – for example, an IP address or device identifier. Cookie management is available through the settings of any modern browser: they can be blocked, deleted, or notifications configured upon receipt. Complete rejection of cookies may limit site functionality. We do not process the Do Not Track signal at the HTTP level. A detailed description of our cookie practices is available in a separate document on the site.

Communications With Users

We divide all communications into two types with fundamentally different management modes. Understanding the difference between them matters: one category is tied directly to your account’s functioning and cannot be disabled, while the other is entirely within your control.

Service notifications concern your account directly: transaction status updates, technical maintenance, requests for verification documents, notifications of changes to terms and conditions, payment issue alerts, and reminders about pending actions. These messages are not marketing – they are operational. Sending them is our obligation as a licensed operator, and receiving them is a condition of using the platform. There is no opt-out option for this category, nor do we provide one.

Promotional communications are a separate matter. This category covers bonus offers, tournament announcements, seasonal promotions, personalized incentives based on your gaming activity, and general platform news. We send these only when you have given explicit consent – we do not assume consent from account registration alone.

If you decide you no longer want to receive promotional materials, opting out is straightforward: update your communication preferences in account settings, click the “unsubscribe” link in any promotional email, or contact support directly at [email protected]. Opt-out requests are processed promptly.

Data Protection

To ensure the security of personal data, we implement a comprehensive set of technical and organizational measures. At the technical level, these are data encryption during transmission and storage, differentiation of access rights between employees and systems, secure servers, firewalls, and regular database backups. At the organizational level, we implement internal information handling regulations, mandatory procedures for partners, and periodic security system audits.

At the same time, we openly acknowledge limitations: absolute data protection does not exist in any system worldwide. We take all reasonable measures consistent with industry standards, but cannot guarantee complete invulnerability – neither of our own systems nor of partner infrastructure. If you believe your data has been compromised, contact us immediately.

Your Rights

The scope of rights regarding personal data is determined by your jurisdiction. Users from the EEA are guaranteed the full set of rights under GDPR. Residents of other regions – rights established by applicable local legislation. Regardless of jurisdiction, we consider every request and seek to satisfy it to the fullest extent possible.

The list of available rights includes:

  • Access to data and receipt of a copy thereof;
  • Correction of inaccurate or outdated information;
  • Deletion in the absence of lawful grounds for storage;
  • Restriction of processing in cases provided for by law;
  • Objection to processing based on the operator’s legitimate interest;
  • Data portability in machine-readable format;
  • Withdrawal of previously given consent.

To exercise any of the listed rights, send a request to [email protected]. To confirm identity, we may require additional information – this is a standard procedure that also protects your data from unauthorized access. 

Several rights may be limited by our regulatory obligations: for example, we cannot delete player data before the expiry of the mandatory five-year storage period. In such a case, we will explain the reason and refer to the applicable norm.

Roles in Data Processing

In GDPR terminology, we act as data controllers, independently determining the methods and purposes of processing players’ personal information. Our technical partners, in most cases, are processors – they act strictly on our instructions and are not entitled to use data for their own purposes.

The exception is analytics and advertising platforms that process data simultaneously for our tasks and for their own purposes. In such cases, we and the relevant partner act as joint controllers. To limit the independent use of your data on such platforms, disable third-party cookies in your browser settings.

Age Restriction

The platform works exclusively with an adult audience. Individuals under 18 years of age are not permitted to use the service – this is required by both legislation and our licensing obligations. We never intentionally collect or process data from minors. When an account belonging to a person under 18 years of age is identified, access is blocked immediately, and related data is deleted as soon as possible – except where retention is required by law.

We reserve the right to request age confirmation at any time. If you are aware of a minor being registered on the platform, inform us at [email protected].

Document Updates

We review the privacy policy as necessary – when legislation changes, platform functionality expands, or operational practices are adjusted. For significant changes, we notify you as early as 10 days before they take effect. By continuously using the website after this period expires, you accept the updated terms. Links to third-party resources posted on our site do not imply our responsibility for their privacy policies.

Contacts

For questions regarding personal data processing, withdrawal of consent, exercise of your rights, and any other privacy-related matters: [email protected]