DonBet Casino

DonBet Privacy Policy

What personal data DonBet collects, why it is collected, how long it is kept, who it is shared with, and the rights UK players retain when using a Curaçao-licensed operator. Written in plain English, not legalese.

18+ Curaçao licensed (OGL/2024/250/0115) — not UKGC. T&Cs apply. BeGambleAware.org

The Short Version

DonBet is operated by Santeda International B.V. on the GTW B.V. platform under Curaçao Gaming Control Board licence OGL/2024/250/0115. The operator is the data controller for personal information you provide when registering, depositing, playing, withdrawing or contacting support on donbet.com.

Three categories of data move through the system: identity and KYC data (name, date of birth, address, ID document, proof of address — collected because Curaçao's 2024 LOK regime and AML rules require it before any payout), transactional and gameplay data (deposits, withdrawals, bets, sessions — kept for AML reconciliation and fraud monitoring), and technical data (IP, device, cookies, behavioural events — used for security, fraud prevention and limited analytics).

Data is retained for at least five years after account closure for AML compliance under the Curaçao LOK and is shared with payment processors, KYC vendors, game studios, regulators and law enforcement on request. UK players retain GDPR-equivalent rights — access, rectification, erasure where the law permits, portability and objection — exercisable through [email protected]. The UK Information Commissioner's Office (ICO) does not directly regulate this operator; the Curaçao GCB is the supervisory authority.

DonBet Casino privacy policy overview

Personal Data DonBet Collects

Five buckets, each tied to a specific lawful basis. If a field isn't on this list, the operator should not be asking for it.

Registration data

Email, username, password (hashed), date of birth, country, currency choice, marketing-consent flag. Collected at sign-up to create the account and confirm you are 18+.

KYC documents

Government-issued photo ID (passport, driving licence, national ID), proof of address (utility bill or bank statement under three months old), selfie / liveness check, and source-of-funds evidence on enhanced due diligence. Required by AML law before withdrawal.

Transactional data

Deposit and withdrawal amounts, payment method (last four digits of card, masked e-wallet ID, crypto wallet address), bet stakes, win/loss records, bonus claims and wagering progress.

Device & technical data

IP address, geolocation (country / region only), browser and OS version, device fingerprint, screen size, language, referral URL. Used for fraud detection, geo-restriction and session security.

Behavioural data

Pages visited, click streams, game preferences, session duration, deposit cadence. Feeds responsible-gambling pattern detection and limited product analytics.

Support communications

Live-chat transcripts, email correspondence, attachments shared with support. Retained for dispute resolution and quality monitoring.

Why It Is Collected (Lawful Basis)

Each data category has a specific legal justification. The operator cannot rely on consent for KYC because anti-money-laundering law overrides any "no thanks" — withdraw consent and the account is closed instead.

Purpose Lawful basis Consequence if you refuse
Operating your account, processing deposits, paying winnings Performance of contract Account cannot be opened or maintained
KYC, age verification, AML monitoring, source-of-funds checks Legal obligation (Curaçao LOK + AML) Withdrawals cannot be released; account suspended
Fraud detection, multi-account & bonus-abuse prevention Legitimate interest Service refused on integrity grounds
Marketing emails, SMS, push notifications Consent (opt-in, withdrawable any time) No marketing — gameplay unaffected
Responsible-gambling pattern monitoring Legal obligation + legitimate interest Cannot be opted out — it is a licence condition
Tax reporting, regulator requests, court orders Legal obligation Disclosure made regardless of consent

Who Your Data Is Shared With

DonBet does not sell personal data. It does share specific subsets with vetted processors and regulators when there is a clear operational or legal reason.

Payment processors

Card acquirers, Skrill, Neteller, AstroPay, SEPA banks and crypto on/off-ramp providers. They receive the minimum needed to process the transaction (name, amount, masked instrument, billing country).

KYC / identity vendors

Industry-standard providers (typically SumSub, Jumio, Onfido or equivalent) handle document verification, liveness checks and PEP / sanctions screening. They act as processors under contract.

Game studios & aggregators

Pragmatic Play, Evolution, NetEnt, Play'n GO and the platform's aggregators receive a session token and pseudonymised player ID — they do not see your name, address or ID document.

Regulators

Curaçao Gaming Control Board (GCB) for licensing audits, AML supervision and complaint adjudication. The GCB can request transaction logs and KYC files at any time.

Law enforcement

Disclosure on a valid court order, subpoena or formal request from a recognised authority (UK, EU or international) — typically tied to fraud, AML or tax investigations.

Infrastructure & analytics

Cloud hosting, email delivery, fraud-scoring providers and limited product analytics — all under data-processing agreements requiring confidentiality and equivalent security standards.

International Data Transfers

The operator is incorporated in Curaçao, a jurisdiction outside the EEA and outside the UK. Data is processed primarily in Curaçao and on EU-region cloud infrastructure, with onward transfers to processors located in the UK, EU, United States and other jurisdictions where KYC and payment vendors operate.

UK players should understand that data leaves the UK when they register. Transfers to non-adequacy countries are protected through contractual safeguards equivalent to the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable, plus access controls at each processor.

If a transfer is challenged, the supervisory authority is the Curaçao Gaming Control Board, not the UK ICO. UK players retain the right to lodge a complaint with the ICO if they believe their data has been mishandled, but the ICO has no direct enforcement power against a Curaçao-based controller.

How Long Data Is Kept

KYC documents & AML records

5 years post-account-closure

Minimum under Curaçao LOK / AML; longer where a regulator or court directs.

Transaction & gameplay logs

5 years post-account-closure

Required for AML reconciliation, dispute resolution and audit trails.

Self-exclusion records

Indefinite

A self-exclusion flag must remain on file to enforce future re-registration blocks.

Marketing-consent flags

Until withdrawn + 2 years

Kept briefly after opt-out as evidence the request was honoured.

Support transcripts

3 years

For dispute, complaint and quality-assurance review.

Server & security logs

12 months

Rolling window for intrusion detection and forensic review.

Your Rights as a Player

Curaçao's data-protection regime grants the standard GDPR-style rights set, with one important carve-out: erasure cannot override the five-year AML retention obligation.

Right of access

Request a copy of the personal data held on you, free of charge once per 12 months. The operator must respond within 30 days.

Right of rectification

Correct any inaccurate or incomplete data — most fields are editable in Account → Profile; locked fields (date of birth, name on file) are corrected via support with new ID evidence.

Right to erasure

Request deletion — granted for marketing, behavioural and analytics data. KYC and transaction records are retained for the AML period and then deleted.

Right to portability

Receive the data you provided (registration, transactions, communications) in a structured, machine-readable format (CSV / JSON).

Right to object

Object to processing for direct marketing at any time — actioned immediately. Object to processing on legitimate-interest grounds and the operator must show overriding cause to continue.

Right to restrict processing

Pause processing while a dispute over accuracy or lawful basis is investigated.

Withdraw consent

Where processing is based on consent (marketing, optional cookies), you can withdraw at any time without affecting the lawfulness of past processing.

Complaint to a supervisor

Lodge a complaint with the Curaçao Gaming Control Board as the regulator, or with the UK ICO as your local supervisory authority. Both are free.

How to exercise any right: email [email protected] from the email address on file, or open a ticket via in-account live chat. Identity verification is required before any data is released. Standard response time is up to 30 days.

Cookies & Tracking

Cookies are small text files set in your browser. DonBet uses four categories — strictly necessary cookies are loaded by default because the site cannot function without them; the rest require your consent via the cookie banner shown on first visit.

Strictly necessary

Session cookies for login state, anti-CSRF tokens, load balancer routing, cookie-consent record. Always on; cannot be disabled without breaking the site.

Functional

Language, currency, deposit-limit prompts, recently played games, layout preferences. Improves usability — opt-in via the banner.

Analytics

First-party event tracking and aggregated traffic analytics. Pseudonymised; IP truncated. Used to fix broken funnels and improve the cashier UX.

Affiliate & marketing

Affiliate-attribution cookies (which referral sent you), retargeting tags on ad networks where you have opted in. Withdraw consent at any time via the cookie banner trigger in the footer.

Most browsers let you block or delete cookies at the device level (Settings → Privacy). Blocking strictly necessary cookies will prevent login and gameplay. The site uses no third-party tracking pixels by default; any added in future will require fresh consent.

Security Measures

Data in transit

  • TLS 1.3 on every endpoint, HSTS enforced
  • Strict transport security and certificate pinning on mobile
  • 2FA via TOTP available on every account
  • Passwords stored bcrypt-hashed; never emailed in plain text

Data at rest & access

  • KYC documents encrypted at rest with per-record keys
  • Role-based access control — staff see only what their job requires
  • All admin access logged and reviewed; production data not accessible from staff laptops
  • Annual penetration test by a third-party firm; ongoing vulnerability scanning

Breach notification: in the event of a personal-data breach likely to result in risk to your rights, the operator will notify the Curaçao GCB and affected players without undue delay (typically within 72 hours of becoming aware), with a description of the breach, likely consequences and the measures taken in response.

Children & Underage Use

DonBet is an 18+ service. Registrations from anyone under the age of 18 are prohibited — the platform does not knowingly collect data from minors.

Age is checked at registration and verified again during KYC before any payout. If an account is identified as belonging to a minor, the account is closed immediately, all stakes returned, and any winnings forfeited under the licence terms. Personal data collected is then deleted, except for what must be retained for legal-obligation reasons (proof the operator acted on the discovery).

If you believe a minor has registered, contact [email protected] — investigation is treated as priority.

Privacy FAQ

Can I close my account and have all my data deleted today?
You can close the account today and stop active processing. Marketing data, behavioural events and optional analytics are deleted on request. KYC files and transaction history are retained for at least five years under Curaçao AML rules — that retention is a legal obligation, not a commercial choice. After five years the residual data is purged.
Does GDPR apply to DonBet for UK players?
DonBet is established in Curaçao, not the UK or EU, so UK GDPR / EU GDPR do not apply directly. Curaçao's local data-protection regime grants the same core rights — access, rectification, erasure, portability, objection — and the operator commits to honouring them at GDPR-equivalent standards. The practical difference: enforcement is via the Curaçao GCB, not the UK ICO.
Why does DonBet need a copy of my passport?
Curaçao's 2024 LOK regime and AML directives require licensees to verify identity, age and address before paying out winnings. The KYC document is checked by an industry vendor (SumSub / Jumio class), encrypted at rest with per-record keys and access-controlled. It is not shared for marketing.
How do I opt out of marketing emails?
Use the unsubscribe link at the foot of any marketing email, or toggle the marketing-consent flag in Account → Communication preferences. The change applies immediately. Account-related operational messages (KYC requests, withdrawal confirmations, security alerts) continue regardless — they are not marketing and cannot be opted out of while the account is open.
Can I complain to the UK ICO if something goes wrong?
You can file a complaint with the ICO and they will record it, but their direct enforcement powers do not extend to a Curaçao-incorporated controller. The supervisory authority with jurisdiction is the Curaçao Gaming Control Board (GCB). For data-protection disputes, file with the GCB first; for unresolved disputes, AskGamblers and Casino.Guru also accept complaints against Curaçao operators.
Are my data shared with affiliate sites like this one?
No personal data — name, email, KYC — is shared with affiliates. Affiliates receive only aggregated, anonymised conversion signals (a click ID was credited, a deposit was made) so commission can be calculated. Your gameplay, balance and identity are not visible to the referrer.

Contact & Policy Changes

Privacy queries

Email [email protected] with subject line "Privacy / Data Request". Response within 30 days.

Identity verification required before any data is disclosed.

Controller of record

Santeda International B.V., operating on the GTW B.V. platform under Curaçao GCB licence OGL/2024/250/0115. Domain: donbet.com.

Changes to this policy

The operator may update this policy to reflect new product features, regulatory changes or processor changes. Material changes (new data category, new third-party recipient, change of legal basis) trigger an in-account notification and a 30-day notice period before the change takes effect. Non-material changes (clarifications, formatting) are pushed silently with the "last updated" date refreshed.

Last updated: 14 June 2026.

UK-specific reality check

DonBet is a Curaçao-licensed operator (OGL/2024/250/0115). The UK Information Commissioner's Office does not directly regulate this controller — the Curaçao Gaming Control Board does. UK players retain GDPR-equivalent rights through Curaçao's data-protection framework plus the operator's stated commitments, but enforcement is slower and the escalation path is foreign.

If absolute UK ICO oversight, UK ADR access and UKGC consumer protections matter to you, a UKGC-licensed site is the safer choice. Cross-check current operator complaints at AskGamblers and Casino.Guru before depositing.