1. Scope of This Policy

• Applies to all users of smash.casino, including visitors, registered players and applicants whose registration was not completed.
• Applies to data collected via the website, customer support channels, marketing emails, and the Progressive Web App (PWA).
• Does not apply to third-party sites linked from smash.casino — please read their own privacy notices before submitting any data.

2. Information We Collect

Information you provide directly

• Identity: full legal name, date of birth, gender, nationality.
• Contact: email address, phone number, residential address, province.
• KYC documents: government-issued ID, proof of address, selfie verification, source-of-funds documents where required.
• Financial: payment method details (last 4 digits of cards, e-wallet IDs, bank account references), deposit and withdrawal history.
• Account: username, password (hashed), security questions, preferences.
• Marketing: communication preferences, opt-in choices.
• Support: any information you provide via chat, email or phone.

Information collected automatically

• Device: IP address, device type, operating system, browser, screen resolution, language.
• Usage: pages visited, games played, session length, stakes, win/loss history, login times.
• Location: approximate location from IP (province-level) to enforce geo-restrictions.
• Cookies & similar technologies — see our Cookies Policy.

Information from third parties

• KYC / AML data from identity-verification providers (e.g. Jumio, SumSub, Veriff).
• Fraud-prevention data from anti-fraud networks.
• Payment confirmation data from payment processors and banks.
• Marketing attribution data from affiliates (only the fact you arrived from their tracking link).
• Public records and credit-reference agencies, where permitted by law, for AML and source-of-funds checks.

3. Why We Collect Your Data (Purposes & Legal Bases)

Under PIPEDA, we rely on the principle of knowledge and consent. Under Law 25, we rely on express consent for sensitive uses and contractual necessity for service delivery. We collect personal information only for the specific purposes listed below, and only what is reasonably necessary for those purposes.

4. How We Share Your Data

We never sell personal data. We share it only with the categories of recipients below, only as necessary, and only under written contracts that require equivalent protection:

• Payment processors and banks — to process deposits and withdrawals.
• KYC and AML providers — to verify identity and screen against sanctions / PEP lists.
• Fraud-prevention partners — to detect collusion, bot-play and chargeback abuse.
• Game suppliers — to deliver games; suppliers receive game-level data only, never your identity documents.
• Cloud hosting providers (data centres in [Placeholder: EU and Canada]).
• Customer-support platform vendors.
• Affiliates — only the referral source, never your personal data.
• Regulators and law enforcement — when required by court order, AML legislation, or licence conditions (Anjouan ALSI, AGCO where applicable).
• Professional advisors (lawyers, auditors) under confidentiality.
• Successor entities in the event of a merger, sale or restructuring (with notice to you).

5. International Transfers

Smash Casino is operated from outside Canada, and your personal data may be transferred to and processed in jurisdictions including the European Union, the United Kingdom and Anjouan (Comoros). For Quebec residents under Law 25: before transferring personal information outside Quebec we conduct a Privacy Impact Assessment (PIA) that considers the receiving jurisdiction's legal regime, the sensitivity of the data, the purposes of the transfer, and the applicable security measures. All transfers are governed by Standard Contractual Clauses (SCCs) or an equivalent contractual safeguard. You may contact our Privacy Officer at [email protected] for a summary of the PIA covering your data.

6. How Long We Keep Your Data

After the retention period expires we either delete the data or anonymise it so it can be used for statistical purposes only without re-identifying you.

7. How We Protect Your Data

• 256-bit SSL/TLS encryption on all data in transit.
• Encryption at rest for KYC documents and payment-related data.
• Tokenised payment data — full card numbers never touch our servers (PCI-DSS-compliant processors).
• Role-based access controls — only staff with a business need can access personal data, and every access is logged.
• Annual independent security audits and penetration testing by certified third parties.
• Privacy Officer (Law 25 requirement) responsible for ongoing oversight and breach response.
• Mandatory breach reporting to the Office of the Privacy Commissioner of Canada (OPC) and, for Quebec residents, the Commission d'accès à l'information (CAI), within the required time frames.

8. Your Privacy Rights (PIPEDA & Law 25)

As a Canadian resident you have the rights set out below. To exercise any of them, email [email protected] with proof of identity (a copy of the ID we have on file is sufficient). We respond within 30 days under PIPEDA, and within 30 days extendable by 30 days under Law 25.

Limits on these rights

• We cannot delete data we are legally required to keep (e.g. AML records for 5 years).
• We cannot stop processing necessary to deliver a service you are still actively using.
• Vexatious or repetitive requests may be declined or charged a reasonable fee in line with the OPC's guidance.

9. Automated Decision-Making

We use automated systems for: (i) fraud and bot-play detection; (ii) responsible-gambling pattern detection; (iii) AML transaction monitoring; and (iv) marketing personalisation. None of these decisions is made solely by an algorithm with significant legal effect on you — a trained human reviews any account closure, withdrawal block, or sanction before it is applied. Quebec residents may request information about the rules and the main factors used in any such decision by writing to [email protected].

10. Marketing Communications

We only send marketing emails or SMS where you have opted in — either at registration or later. You can opt out at any time via the link at the bottom of every email, in Account → Preferences, or by emailing [email protected]. Opting out of marketing does not stop transactional emails (deposit confirmations, withdrawal notifications, KYC requests and security alerts), which we are required to send while you hold an active Account.

11. Cookies

We use cookies and similar technologies (pixel tags, local storage, SDKs in the PWA) for security, functionality, analytics and — with your consent — advertising. For the full list, categories, durations and how to manage them, see our Cookies Policy.

12. Children

smash.casino is for adults 18+ (19+ in ON, BC, NB, NS, NL, PE, MB, YT, NT, NU). We do not knowingly collect personal information from anyone under that age. If we discover an underage Account, we close it immediately, refund all deposits to the original payment method, and delete the data — except KYC records we must retain for fraud-prevention purposes.

13. Changes to This Policy

We may update this Policy. Material changes will be notified by email and an in-product banner at least 30 days before they take effect. The Effective Date at the top of this page always reflects the latest version. Previous versions are available on request via [email protected].

14. Contact & Complaints

Privacy Officer: [email protected]
Mailing address: Softon Ltd, Privacy Office, [Placeholder: Suite 9, Eden Plaza, Eden Island, Mahé, Seychelles]

We aim to resolve all privacy complaints within 30 days. If you are not satisfied with our response, you may complain to:

• Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca, 1-800-282-1376
• Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca, 1-888-528-7741 (Quebec residents)
• Your provincial privacy commissioner (British Columbia, Alberta)