At Rootz, transparency is very important to us and we take your privacy extremely seriously. We appreciate that you are trusting us with your personal data and we want to be transparent about how we use it.
Rootz Ltd., acting as data controller, is committed to protecting your Personal Data and processing it in compliance with applicable laws – notably: The Inter-State Treaty on Gambling in Germany 2021 (hereafter: ISTG 2021 – esp. sections 4, 4b, 4c, 6g, 8, 23), the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the ‘GDPR’, the German Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”) and the the German Act on Data Protection in Telecommunications and Telemedia (Telekommunikations- und Telemediendatenschutzgesetzt – “TTDSG”).
This Policy applies to the company and its directly or indirectly controlled wholly-owned subsidiaries conducting business within the European Union (EU), the European Economic Area (EEA) or processing the Personal Data of Data Subjects within the EU/EEA.
If you have any questions please contact us at [email protected].
- Who we are and how to contact us Officer
- General Information on the Processing of your Personal Data
- Data Processing for the Provision of the Website and Creation of Log Files
- Data processing for the Provision of Marketing Communication
- Data processing for the Registration of a player account, for the Undertaking of Transactions, for the subsequent Game Participation, and for the processing of communication with us via email and/or via regular post
- Obtaining of Consent Pursuant to Art. 6 para. 1 lit. a GDPR
- Rights of the Data Subject
- Disclosures/Transfers of your Personal Data
- Data Security
- Privacy Settings
- International Transfers
- Further Information
Rootz Ltd., a Maltese company with the registration number: C83903 at the Malta Business Registry, collects, processes and retains your Personal Data and provides you with the Services.
The person responsible within the meaning of the General Data Protection Regulation (“GDPR”) and other national data protection laws of the member states as well as other data protection provisions for determining the purposes and means of the processing of Personal Data (“data controller”) is:
Rootz LTD., Ewropa Business Centre, Level 3 - 701, Dun Karm Street,
Birkirkara BKR 9034, Malta, E-Mail: [email protected].
If you are seeking to exercise any of your statutory rights, please contact our Data Protection Officer on [email protected] through physical mail on:
c/o Data Protection Officer
Ewropa Business Centre
Level 3 - 701, Dun Karm Street
Birkirkara BKR 9034
2.1. “Personal Data” means any information, by which the Data Subject may be personally identified or may be identifiable, including, but not limited to, the first name, surname, maiden name, email address, home address, telephone number, mobile phone number, date of birth, place of birth, governmental ID information, electronic location information and electronic device information – this covers the passport/license-number of the device, and the IP address.
The following terms “Anonymisation”, “Controller”, “Processor”, “Data Subject”, “Data Portability”, “Personal Data”, “Processed/Processing”, “Pseudonymisation”, “Cross-Border processing of Personal Data” and “Supervisory Authority” used in this document shall have the same meaning as in the GDPR;
“Visitor” means an individual, other than a user, who uses the public area, but has no access to the restricted areas of the Site or Service, which may only be used with a player account.
This Policy is based on the following GDPR principles:
- The Processing of Personal Data shall take place in a lawful, fair and transparent way;
- The collection, processing and retention of Personal Data shall only be performed for specified, explicit and legitimate purposes and no further processing will take place, which is incompatible with those purposes;
- The collecting and retaining of Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed;
- The Personal Data shall be accurate and, where necessary, kept up to date;
- Every reasonable step shall be taken to ensure that Personal Data that is inaccurate having regard to the purposes, for which they are processed, are erased or rectified without delay;
- Personal Data shall be kept in a form, which permits an identification of the Data Subject for no longer than it is necessary for the purpose for which the Personal Data is procured;
- All Personal Data shall be kept confidential and stored in a manner that ensures appropriate security;
- Personal Data shall not be shared with third parties except for a disclosure being absolutely necessary in order for them to provide services upon agreement, in which case the Data Subject has to be informed accordingly;
- Data Subjects shall have the right to request access to and rectification or erasure of Personal Data, or restriction of Processing, or to object to the processing as well as the right of Data Portability.
In the following, we outline the scope of and the legal basis for the processing of your Personal Data and provide information on the retention period.
3.1 Scope of the processing of Personal Data
We need to process your Personal Data in order to provide you with our Services.
As a matter of principle, we process Personal Data of our users only insofar, as this is necessary for the provision of a functional website and our content and services. The processing of Personal Data of our users is regularly done only with the consent of the user. An exception applies in cases, where it is not possible to obtain prior consent for factual reasons, and, the processing of the Personal Data is necessary to perform our contractual obligations or is permitted or even required by legal provisions.
3.2 Legal basis for the processing of your Personal Data
Insofar as we obtain the consent of the data subject for the processing of Personal Data, Art. 6 par. 1 sent. 1 lit. a) GDPR serves as the legal basis.
When processing Personal Data that is necessary for the performance of a contract, to which the data subject is a party, Art. 6 par. 1 sent. 1 lit. b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.
Insofar as the processing of Personal Data is necessary for the fulfilment of a legal obligation, to which our company is subject, Art. 6 par. 1 sent. 1 lit. c) GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of Personal Data, Art. 6 par. 1 sent. 1 lit. d) GDPR serves as the legal basis.
If the data processing is necessary for the performance of tasks, which are in the public interest, or take place in the exercise of public authority, with which the controller has been empowered, then Art. 6 par. 1 sent. 1 lit. e) GDPR will be the legal basis.
If the data processing is necessary to protect a legitimate interest of our company or of a third party, and, if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned legitimate interest of the company or of the third party, then Art. 6 par. 1 sent. 1 lit. f GDPR will serve as the legal basis for the data processing.
3.3 Data deletion and retention periods
In accordance with money laundering regulations, we are obliged to retain your Personal Data, which we have collected to fulfil our customer due diligence obligations, for a period of five years beginning with then end of the year, in which your player account has been closed, and your transaction data and monitoring results for a period of five years beginning with the end of the year, in which the data has been collected. According to sec. 6g par. 1 ISTG 2021, we are obliged to retain all of your personal data for a period of five years beginning with the closing of your player account.
When you close your account with us, the account will be marked as “closed” and the Personal Data associated with it will be held securely and processed only for the legally specified purposes until the legal retention period has expired. Subsequently, this data will be destroyed in a secure manner. For further information on retention periods, please see our Customer Data Retention Policy.
4.1 Description and scope of the data processing
In the case of a mere informational visit of the website, i.e. if you do not register or otherwise transmit information to us, we only collect the Personal Data that your browser transmits to our server.
The following data is collected in this process:
- The passport/license-number of the device;
- Information about the type of browser and the version used;
- The user’s operating system;
- The user’s internet service provider;
- The user’s IP address;
- Date and time of the access;
- Websites, from which the user’s system accesses our website;
- Websites that are accessed by the user’s system via our website.
This data is also stored in the log files of our system. This data is not stored together with other Personal Data of the user.
4.2 Legal basis for the data processing
The legal basis for the temporary storage of the data and the log files is Art. 6 par. 1 f GDPR.
4.3 Purpose of the data processing
The temporary storage of the IP address and/or other personal data such as the passport/license-number of the device by the system is necessary to enable the delivery of the website to the user’s computer/device. For this purpose, the user’s IP address and/or other personal data such as the passport/license-number of the device must remain stored for the duration of the session.
These purposes are covered by our legitimate interest in the data processing according to Art. 6 par. 1 f GDPR.
4.4 Retention period
In case of the storage of personal data in log files, this is the case after seven days at the very latest. A storage beyond this period is possible. In this case, the IP addresses and/or any further personal data of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.
4.5 Possibility of objection and removal
The collection of the aforementioned data for the provision of the website and the storage of the personal data in log files is strictly necessary for the operation of the website. Consequently, there is no possibility for the user to object.
5.1 Cookies on our website
5.2 Use of Web-Beacons
Spinz web pages may contain electronic images, known as web beacons or spotlight tags.
Web beacons (also known as pixel tags or clear GIFs) are small graphic files used in connection with the provision of our services and are usually used in conjunction with cookies to track the use of an online service.
These enable Spinz to count users who have visited certain pages on our website. Web beacons and spotlight tags are not used by us to access your personal information, they are simply a tool we use to analyse which web pages customers view, in an aggregated manner.
When calling up our website, the user is informed about the use of functionality related, but not strictly necessary cookies, of performance cookies, of advertising cookies, of all third party cookies and his or her consent to the processing of Personal Data used in this context is obtained. In this context, a reference to this data protection declaration is also made. A website-visitor may choose, which cookies he/she wants to allow by enabling such cookies in the cookie-settings offered when the user accesses our website.
6.1. Description and scope of the data processing
On our website, you have the possibility to subscribe to Marketing Communication. When registering with a double-opt-in-procedure for the granting of your consent to the receipt of the marketing communications, the complete data from the registration mask is transmitted to us, i.e.:
- Your full name;
- As the case may be your maiden name;
- Your postal address;
- Your date and place of birth;
- Your nationality;
- Your email-address (username);
- Your user name
- The player-ID, which we allocate to you.
In addition, the following data is collected during the double-opt-in-procedure:
(1) IP address of the calling computer;
(2) Date and time of registration.
Moreover, we will not only gather your consent to the receipt of marketing communications by way of the double-opt-in-procedure, but in this course will also ask you for your consent that we may undertake an OASIS-request to ensure that there is no player-exclusion stored in OASIS for you. We are legally obliged to undertake such an OASIS request prior to the sending of newsletters by law according to sec. 5 par. 5 sent. 2 and 3 ISTG 2021. In connection with the data processing for the dispatch of newsletters, the data will not be passed on to third parties (except for the OASIS-request, to which you need to grant your consent). The data is used exclusively for sending out marketing communications.
6.2 Legal basis for the data processing
The legal basis for the processing of your personal data after your subscription for the newsletter is, if you have given your consent, Art. 6 par. 1 sent. 1 lit. a) GDPR. The same applies to the data processing for the OASIS-request. Moreover, Art. 6 par. 1 sent. 1 lit. c) GDPR serves as a legal basis for the undertaking of this request, since we are legally obliged to do so by sec. 5 par. 5 sent. 2 and 3 ISTG 2021.
6.3 Purpose of the data processing
The collection of the user’s e-mail is used to deliver the marketing communication.
The collection of other Personal Data within the scope of the subscription process is required for the OASIS-request and serves to prevent a misuse of the services or of the e-mail used.
6.4 Retention period
The data is deleted as soon as it is no longer required to achieve the purpose, for which it was collected. The user’s email address and further personal data is therefore stored for the purpose of marketing communications as long as the subscription is active.
6.5 Possibility of objection and cancellation
The subscription can be cancelled by the user concerned at any time. For this purpose, a corresponding link can be found. Moreover, the consent will be deemed to be withdrawn, if a long-term player-exclusion (of at least three months) is inserted in OASIS. After the deletion of such a long-term player-exclusion in OASIS; a new consent must be granted for the receipt of marketing communications as well as for the undertaking of the OASIS-request.
7.1 Description and scope of the data processing in case of the registration of a player account and a subsequent undertaking of transactions and of a game participation.
7.1.1 Data Processing for the Registration of a Player Account
When you register for an account with Spinz, you enter into a contract with us, as set out in our Terms and Conditions.
On our website, we offer users the opportunity to register a player account by providing Personal Data in order to participate in the games offered on our website. The data is entered into an input mask and is transmitted to us and stored.
The following personal data is collected during the registration process:
- First and last name;
- As the case may be the maiden name;
- Your gender;
- Your e-mail address;
- Your home (postal) address;
- Your country of residence;
- Your mobile phone number;
- Your place and date of birth;
- Your nationality;
- A freely selectable user name and password;
- Your IP address;
- The date and time of your registration.
We use the above personal data to:
- Help you create, operate and manage your personal account, allowing you to access our games and services;
- Manage loyalty points and reward schemes;
- Troubleshoot and protect against errors;
- Protect your personal profile and account;
- Process your transactions (deposits, withdrawals, stakes and winnings), including your use of credit/debit cards and online payment systems and to enable your game participation;
- Conduct research and surveys;
- Provide customer support and service updates;
- Analyse user trends and improve the services we provide; and
- Monitor the registration of multiple accounts.
We also use segmentation to split our players into groups based on their gaming behaviour. We do this to help us understand how people use the product and to help us develop our marketing approach, including bonuses and promotions.
7.1.2 Data Processing for the Identity verification
Furthermore, in order to comply with our statutory obligations arising of sec. 6a ISTG 2021, of the money laundering laws applicable both in Germany and the EU and youth protection laws, we are obliged to verify the following Personal Data provided by you during the registration upon the opening a player account, which serves to verify your identity and your age (‘Know Your Customer’ process, hereafter: KYC) :
- First and last name, if applicable maiden name;
- Postal address (street, postcode, city, country);
- Date of birth;
- Place of birth;
- Nationality (country);
- As the case may be Government ID information.
We also ask you to provide your mobile phone number for identity verification purposes.
For the identity verification, we may use third party KYC-services providers, which act as our data processors in this case, and therefore have an according data processing agreement in place with us, and are of course bound to keep your Personal Data confidential. They will only process your Personal Data as requested by us.
7.1.3 Data Processing for Deposits and Withdrawals
In order to participate in the Services offered on our website, you first have to make a deposit into your player account in order to have the money for the placement of stakes for a game participation. With such deposits, we collect and process your payment information:
- Your bank account details (name and location of the bank, IBAN, BIC) in case of a bank transfer (by means of, but not limited to, Brite, Genome, Inpay, Skrill Giiropay), direct debit or the use of a payment initiation service, such as, such as but not limited to, Sofort, Giropay, Trustly, Online-Überweisung, Skrill-RapidTransfer;
- Your e-wallet-details in case of the use of the following payment methods: Skrill, NETELLER, Ecopayz, MyPaySafeCard, MuchBetter and PayPal, that means your email-address or phone-number, under which your e-wallet is operated;
- Your payment card details (the name of the card-owner, in which the card is issued, the card number – whereby the two middle four digit blocks are blackened, the validity date and the CVV-Code – whereby the latter is not stored, but rather only used for verification purposes);
- The transaction amounts, i. e. the amounts you deposit into your player account;
- The date and time of the deposits.
Moreover, we are legally obliged by sec. 6b par. 4 ISTG 2021 to verify that the payment accounts used by you are also operated in your name. For this purpose, we will obtain the name of the account owner from the bank/e-wallet-provider and will compare this name to the player name registered for your account. In case of a bank transfer or direct debit, we will obtain the name of the account owner with the transaction information provided by your bank. In case of the use of one of the payment initiation services, the latter will obtain the name of the bank account owner from the online-banking account used for the transaction and will pass-on this name to us. In case of a use of one of the e-wallets, we will obtain the name of the account-owner from the e-wallet-providers.
In case of credit card payments, we are only obliged to verify the identity of the card-owner with the player in case of transactions exceeding EUR 25 or EUR 100 in case of several transactions per calendar month. Therefore, Spinz will enforce the 3D-secure-procedure for all credit card payments exceeding those thresholds. Moreover, we will request you to provide us with a copy of your credit card in order to verify that it is issued in your name. We will ask you to blacken the two middle 4-digit-blocks prior to the filing of the credit card copy, since it is not possible for us to store your complete credit card number due to the GPDR, wherefore the two middle 4-digit-blocks need to be blackened.
Further, we use card-acquiring services for credit card payments (Visa and MasterCard). Moreover, Rootz has outsourced the processing of payment card payments to a payment gateway and external “card vault” provider. In addition, the credit card fields displayed on our checkout page are hosted by the provider instead of by Rootz. Therefore, Rootz at no time stores or even comes into contact with complete credit card data. Therefore not us (Rootz), but rather only the payment gateway and external “card vault” provider the aforementioned acquirers will obtain and process your credit card information for the processing of your credit card transactions. The provider is PCI-DSS (= payment card industry data security standard) certified. Besides the payment gateway and card vault-agreement, we also have a data processing-agreement in place with the provider, which regulates the handling of the Personal Data of the card paying players.
We also use a payment gateway for some of the payment methods offered for deposits and withdrawals. This means that those payment methods are integrated into our platform via an API to the payment platform of the provider, which means that your payments and payment data are processed via their platform.
With regard to the processing of your Personal Data for withdrawals, the same applies as to the processing of your Personal Data for deposits.
7.1.4 Data Processing for the Game participation
In order for you to participate in the games offered on our website, we process the following Personal Data:
18.104.22.168 Geographic Location
22.214.171.124 Transaction-relevant data
- Account balance;
- Game stakes (time, amount or number, type stake);
- Game winnings (time, amount or number, type won);
- Game cancellations (time, amount or number, type and amount of stakes used, which need to be cancelled and therefore refunded as the case may be);
- Bonus credits.
126.96.36.199 Session-relevant data
- Type of game;
- Start of session;
- End of session, including reason;
- Browser history;
- Game session start;
- Game session end;
- Match round start;
- Match round end.
188.8.131.52 Audit Trail
- Changes to Personal Data;
- KYC status;
- Identification documents (identity card or passport);
- Player protection, if applicable;
- Monitoring of limits compliance;
- Limitation of session duration.
184.108.40.206 Deposit limit file
Pursuant to the legal requirements applicable in Germany (see Section 6c (1) Inter-State Treaty on Gambling 2021), the player must be requested during the registration process to determine an individual monthly cross-operator deposit limit or to indicate that an already set individual monthly cross-operator deposit limit is to be retained unchanged. The competent authority maintains a central limit monitoring file (“limit file”) to monitor the cross-operator deposit limit. Whenever the cross-operator deposit limit is determined or changed, we as operators must transmit the following Personal Data of the player as well as the amount of the new deposit limit to the limit file, which we collect and process for this purpose:
- Surnames, first names, maiden names;
- Date of birth;
- Place of birth;
- Amount of the cross-operator deposit limit set by the player;
- Date the limit was set;
- Amount and date of deposits made;
- Total amount of deposits made.
Prior to the completion of each deposit transaction, we as operator must transmit to the limit file the data required for the clear identification of the player as well as the amount of the deposit intended by the player.
220.127.116.11 Cross-operator activity file
Pursuant to the legal requirements applicable in Germany (see Section 6h ISTG 2021), a parallel game participation in public games of chance with several operators by a player is prohibited. In order to prevent cross-operator parallel gaming on the Internet, the competent authority maintains an activity-file with the following Personal Data, which we collect and process for this purpose:
- Surname, first name, name at birth;
- Date of birth;
- Place of birth;
- Address, and
- The information, whether this player is set active within the meaning of Section 6h (3) and (4) ISTG 2021.
We may only allow a player to participate in public games of chance on the Internet, if we have previously transmitted the aforementioned Personal Data as well as the information that the player is to be set active in the file, and, if we have not immediately been informed back that the player is already set active in the file.
18.104.22.168 Safe Server
Operators of sports bets, online casino games, online poker games and virtual slot machine games on the internet are obliged to implement and operate a technical system for the safe server at their own expense, which accurately records all data required for the implementation of gambling supervision. This obligation requires operators to store the aforementioned data digitally in a non-modifiable manner and to enable electronic control at any time, including an immediate access by the competent supervisory authority. The Personal Data must be pseudonymised, whereby it shall remain recognisable for the supervisory authority, which transactions and game participations stored in the safe-server concern the same player (see sec. 6i par. 2 ISTG 2021). For the safe server, the following data of the players (if applicable, pseudonymised by the player ID) are processed:
- The data collected within the framework of the central files;
- The date of registration;
- The determination of automatic profit distribution limits;
- Imposed exclusions;
- Determinations of provider-related limits;
- Single-player and multiplayer matches played;
- Stored and used payment methods and service providers;
- Account balances, transactions and their effectiveness;
- Explanations on the start of a virtual slot machine game and the game played;
- Inactive determinations;
- Issuance of the hourly notice of elapsed playing time and confirmation by the player or termination of the activity;
- Confirmation of the information on the dangers and prevention of gambling addiction as well as on counselling services and the areas used by the provider;
- Display of all stakes, winnings and losses in the last 30 days,
Requests to determine the cross-provider limit, a new cross-provider limit and the result of the requests to the central files;
- Requests for a correction, when attempting to set a cross-provider limit that is too high;
- Requests to make a deposit, amount of the deposit and result of the request to the central limit file;
- Requests for an (in)activation and the result of the requests to the central activity file;
- Requests for an inactivation by the player;
- Requests for the blocking status and result of the request to the blocking file;
- As well as the aforementioned data in pseudonymised form.
22.214.171.124 Early detection of gambling addiction
Pursuant to the legal requirements applicable in Germany (see Section 6i (1) ISTG 2021), we must use an automated system based on scientific findings and algorithms for the early detection of players at risk of gambling addiction and of gambling addicted players. The system for the early detection of (a risk of) gambling addiction evaluates the data recorded on the gambling account and is updated regularly. For this purpose, we collect and process the following Personal Data:
- All transactions undertaken as well as the amounts as well as the dates and the times of such transactions;
- Failed transactions;
- All game participations undertaken as well as the dates and times of such game participations;
- The frequency of transactions;
- The frequency and duration of the game participations;
- All changes in the transaction and/or gaming patterns;
- Any signs for a problematic gambling such as loss-hunting (increases of the stakes after losses);
- Unusual game participation times (especially a predominant game participation during night times);
- No significant gaming breaks (gambling for many hours all night long);
- The number of payment methods used;
- A lack of withdrawals;
- The number and amounts of your limits;
- The handling of your limits by you – esp., the frequency of limit changes;
- Whether you have stored an automatic withdrawal of winnings above a certain amount determined by you;
- The loss-quote related to the number and amount of the limits;
- Complaints filed by you.
126.96.36.199 Money-Laundering, Terrorist Financing and Fraud Prevention
Moreover, we monitor your transactions and your game participations for the purpose of a prevention of money laundering, terrorist financing, fraud and other misuse of our offers. For this purpose, especially the following Personal Data is monitored and processed:
- Your IP-address;
- Your device-information;
- Your browser-information;
- The date, the time, the amount and the frequency of your transactions;
- The payment methods used by you for deposits and withdrawals;
- Whether there are any inconsistencies in the information provided by you;
- The date and time of your game participations, the frequency of your game participation, the stakes placed and the winnings gained by you;
- Whether you use your deposits for a game participation, or whether there are any signs for an employment of the smurfing-method (the depositing of many small amounts, which, however, summed-up, make up for a significant amount, then only playing and wagering on a very small scale, which is just sufficient to make the account look genuine and authentic, and then requesting refunds of the deposits without a significant game participation – as the case may be to several different bank/payment accounts;
- Whether you use the same payment account for your deposits and withdrawals as another player – which is prohibited;
- Whether you may even use the same device for your game participation as another player;
- Whether there are any signs for a bonus abuse.
188.8.131.52 Reconciliation with the player blocking system (OASIS)
For the protection of players and to combat gambling addiction, a central blocking file is maintained across all forms of gambling in Germany (see Section 8 and Section 23 ISTG 2021). Banned players may not participate in public games of chance.
We are obliged to identify persons willing to play by checking an official identity document or a comparable identity check and to carry out a reconciliation with the central blocking file.
The identity verification is carried out prior to the reconciliation by means of suitable technical procedures (see above). The reconciliation with OASIS is done at the time, when the reconciliation with the cross-operator activity file is undertaken pursuant to Section 184.108.40.206 above. We transmit the following Personal Data to the central player-exclusion file (OASIS) for this purpose of the ensuring of an exclusion of blocked players from a game-participation:
- Surnames, first names, names at birth;
- Alias names, false names used;
- Date of birth;
- Place of birth;
- Residential address.
220.127.116.11 Insertion of player blockings (self-exclusions or third party-exclusions)
On our site, wherever you can participate in our Services, there is a “Panic Button”. If you click on this Panic Button, this will result in a game interruption of 24 hours (cool down period). During this cooling off period, your player account will be disabled and you will not be able to log into it. It is mandatory for Rootz to enter the 24-hour gaming pause after a use of the Panic Button into the central player blocking file OASIS, so that it subsequently applies not only to our website, but to all online gambling sites connected to OASIS. For the insertion of this 24 hours gaming break into OASIS, Rootz will transmit the following Personal Data to OASIS:
- Surnames, first names, names at birth;
- Alias names, false names used;
- Date of birth;
- Place of birth;
- Residential address;
- A photograph (e. g. the copy of the ID-card or passport, which we have obtained during our KYC-process);
- The fact that the Panic Button has been used;
- The date and the time of the use of the panic button, and
- Us (Rootz) as inserting operator.
Another exclusion-option is that you exclude yourself from using our and all other online gambling services on a long-term basis. They will then enter the requested self-exclusion into OASIS, so that you are subsequently blocked not only on our site, but also for all online gambling sites that are connected to OASIS. For the insertion of such a long-term-self-exclusion into OASIS, Rootz will transmit the following Personal Data to OASIS:
- Surnames, first names, names at birth;
- Alias names, false names used;
- Date of birth;
- Place of birth;
- Residential address;
- A photograph (e. g. the copy of the ID-card or passport, which we have obtained during our KYC-process);
- The reason for the self-exclusion;
- The minimum duration of the self-exclusion, and
- Us (Rootz) as inserting operator.
Such a long-term self-exclusion does not expire automatically, even if you have requested an exclusion for a specific period. A written deletion request from you is always required to remove such a long-term self-exclusion. You can either send this cancellation request to us or directly to OASIS. If you submit the cancellation request to us, we will immediately forward it to OASIS. The cancellation request requires the same Personal Data as was necessary for the insertion of the exclusion into OASIS, wherefore we will re-submit the same data as has been submitted for the insertion of the exclusion to OASIS, if you send the cancellation-request to us and we will forward it to OASIS.
In addition to the possibility of entering a self-exclusion into OASIS, Rootz also has to enter so-called third-party-exclusions into OASIS, if Rootz knows, based on the perception of its staff or based on reports from third parties, or must assume based on other factual indications, that a player is at risk of gambling addiction or is over-indebted, does not meet his/her financial obligations or risks gambling stakes that are disproportionate to his/her income or assets. Before such a third-party block is entered into OASIS, the player concerned must be given an opportunity to comment on it. Rootz will set you a specific deadline for this statement. For the granting of the possibility to submit such a statement to us, Rootz will process your contact details (your email-address and/or (as the case may be) your postal address). If you do not comment on the planned third-party exclusion within the set time limit, Rootz will insert it into OASIS. Otherwise, Rootz will evaluate your statement according to its own dutiful discretion and then decide on the registration of the third-party exclusion. If a third-party-blocking is registered at OASIS, Rootz transmits the same Personal Data to OASIS as for a self-exclusion (see above). Moreover, Spinz will inform you immediately about the insertion of the third-party-blocking and will again use your (aforementioned) contact details for the provision of this information.
Here, too, you can apply for the exclusion to be lifted at the earliest after this minimum exclusion period has expired. For this cancellation request, the same Personal Data will be processed, as for the insertion of the third-party-exclusion into OASIS, wherefore we will re-submit the same data as has been submitted for the insertion of the exclusion to OASIS, if you send the cancellation-request to us, and we will forward it to OASIS. If the third-party exclusion is based on the notification of third parties, they will be informed about your request for a deletion and the possibility to apply for a new third-party ban. For this information, the same Personal Data is provided to the third party, on whose request the exclusion was registered, as was inserted into OASIS for the exclusion (see above).
7.1.5 Data Processing for communication with us via the live-chat, via email and/or via regular post
If you use our live-chat, we process the following Personal Data:
- Your IP-Address;
- Your name and your user-name, if you provide it to us during the chat (but otherwise we will not be able to assist you);
- The date and time of the communication;
- The content of the communication;
- As the case may be, further contact details such as your postal address, your phone number and/or your email-address, or further personal information such as your date of birth, if you provide it to us in the communication.
To ensure a good quality of our customer-service, we may monitor any communication you have with us, whether in writing or by electronic mail or via the live-chat (“recordings”). Such recordings will only and exclusively be used for the purposes of a quality control and to ensure that your matter is dealt with adequately. The storage of the recordings is based on our justified legal interest.
7.2 Legal basis and purposes of the data processing
The data collection and processing described above is carried out for the purposes already described, and summarised again below and is assigned to the corresponding legal basis:
Pursuant to Art. 6 para. 1a GDPR based on the data subject’s consent to the processing of his or her Personal Data in order to carry out market research campaigns and to keep you informed on offers and promotions in relation to our products and services as well as to undertake the necessary OASIS-request prior to sending you any marketing-materials;
Pursuant to Art. 6 para. 1b GDPR for the performance of contractual obligations or for the performance of pre-contractual measures: for setting up, administering and managing your account, for the processing of your deposits and withdrawals, for the processing of your service orders - inter alia, for the verification of your identity, for the execution of your game participations, the collection of your stakes, for the distribution of winnings and in order to be able to offer you a customer service, for correspondence with you and to notify you of updates to the software and/or the Services or otherwise to provide you with information about and support for the Services, including changes to the Services, technical updates and changes to the T&Cs, for the settlement of claims by you or by us, to ensure the technical administration of our website and to manage our customer data; to enable you to communicate with other players;
Pursuant to Art. 6 para. 1b and c GDPR for the fulfilment of contractual obligations as well as for the compliance with legal obligations, to which we are subject: to send you important e-mails with information about the use of our software and our website as well as the services offered there, current information about technical problems or matters in connection with our legal or regulatory obligations; and especially to ensure that we fulfil all our regulatory and licence obligations;
Pursuant to Art. 6 para. 1c GDPR for the compliance with legal obligations to which we are subject or pursuant to Art. 6 para. 1e GDPR for the performance of a task carried out in the public interest: to protect you and us (including our affiliates) from fraud and tampering, for identity and age verification purposes (to comply with legal requirements for the protection of minors and to prevent money laundering and terrorist financing), to meet our payment method verification and payment transparency obligations to prevent money laundering and terrorist financing, as well as to meet the player protection requirements that form part of our licence obligations, which includes, in particular, the aforementioned cross-operator deposit limit, the cross-operator activity file, the use of an automated system for an early detection of gambling addiction and the undertaking of status requests at and the insertion of blockings into the central blocking file (OASIS); to fulfil our regulatory and licence obligations and to enforce the territorial restriction of our licence in order to determine your current location; investigate and assist in the investigation of suspected unlawful, fraudulent or other improper activity connected with the Services, including, where appropriate, dealing with requests from authorized entities/authorities for the disclosure/sharing of information;
Pursuant to Art. 6 para. 1f GDPR to protect our legitimate interests, in particular: to assert or exercise legal rights or claims that we have against you or, to defend ourselves against legal claims asserted by you; to maintain the network and information security - including the prevention of unauthorised accesses to our electronic communications network; for statistical analysis and research and development purposes; as well as for the improvement and further development of our offers.
7.3 Possibility of objection and removal
As a user, you have the option to cancel your registration at any time. You can have the data stored about you changed at any time. If the data is required for the fulfilment of a contract, for the implementation of pre-contractual measures or the compliance with regulatory and/or licence requirements, an early deletion of the data is only possible insofar as contractual or legal obligations do not prevent the deletion. The ISTG 2021 obliges Rootz to retain your Personal Data for A period of five years beginning with the closure of your player account. AML-legislation, tax laws and/or commercial laws applicable to may require even longer storage periods – see already above thereon in section 3.3.
(1) Obtaining of a consent for marketing purposes
Without prejudice to the foregoing, we separately request your consent to use your Personal Data for marketing purposes, in particular for:
- Carrying out market research campaigns and to keep you informed on offers and promotions in relation to our products and services;
- Promotional communications by email or text message from us;
- Promotional calls by us to you are prohibited outside of an existing contractual relationship – however, if you have a registered player account on one of our gambling platforms, and therefore have entered into a contract on the maintaining of this player account with us, we may call you not only for the provision of information concerning your contract with us and modalities concerning this contract, but also for marketing purposes, if you have provided your consent to us for the receipt of such marketing calls from:
- (a) Us;
- (b) other companies belonging to our group of companies, or also
- (c) By third party service providers who may complement or support our offering, which may be why we would like to share your Personal Data with those third party service providers;
- The undertaking of OASIS-requests prior to the sending of marketing communications or prior to the undertaking of marketing calls to avoid the sending of marketing communication and the undertaking of calls to blocked players;
(2) Right of withdrawal
You have the right to withdraw your consent to the uses described above at any time, Art. 7 par. 3 GDPR, by following the “unsubscribe” instructions at the end of each newsletter or by sending an email without content but with the word “Remove” in the subject line to our Customer Support at [email protected].
In this case, we will immediately remove your information from our marketing distribution lists and from any future lists we may share with our marketing partners. The revocation of your consent does not affect the lawfulness of the data processed until the revocation.
Your consent will be deemed to have been withdrawn, if there is a player-exclusion inserted for you in OASIS. According to sec. 5 par. 5 sent. 4 ISTG 2021, players, who are excluded in OASIS, have to re-grant their consent to the receipt of marketing communication and to the undertaking of status-requests for them prior to the sending of marketing communication after the deletion of their exclusion in OASIS.
(3) Deletion without revocation
If you do not revoke your consent, your Personal Data processed for the purposes described above will be deleted in accordance with the deletion periods.
If you choose to delete your account, as the case may be, we may be obliged by law to retain your master, transaction and game play data, see above in sec. 3.3. In this case, the data will be kept separately from our active player data base and secured to ensure that the data is only and exclusively maintained for the purposes described in the statutory retention regulations.
If your Personal Data is processed, you are a data subject within the meaning of the GDPR, wherefore you have the rights established vis-à-vis the controller and outlined in detail below.
9.1 Right of access (Art. 15 GDPR)
You may request a confirmation from us as the data controller as to whether Personal Data relating to you is being processed by us or not.
If there is such data processing, you can request any information from us as the data controller in relation to the services provided and the personal data processed within the context of the services and we will reply within thirty days.
9.2 Right to rectification (Art. 16 GDPR)
You have a right to a rectification and/or completion vis-à-vis the controller, if the Personal Data processed concerning you is inaccurate or incomplete. The controller must make the rectification and/or completion without undue delay.
9.3 Right to erasure (“right to be forgotten” – Art. 17 GDPR)
9.3.1 Obligation to delete
You may request the controller to erase the Personal Data concerning you without undue delay and the controller is obliged to erase such data without undue delay, unless the erasure of Personal Data is necessary to comply with a legal obligation to which the controller is subject.
9.3.2 Information to third parties
If the controller has made the Personal Data concerning you public and is obliged to erase it pursuant to Art. 17 para. 1 GDPR, the controller shall take the necessary steps, taking into account the available technology and the costs for implementation measures, including those of a technical nature, to inform the party responsible for the processing of the Personal Data and who processes the data, that you, as the data subject, request the erasure of all links to such Personal Data or copies or replications of such Personal Data.
9.4 Right to a restriction of the processing (Art. 18 GDPR)
You may request the restriction of the processing of Personal Data concerning you under the following conditions:
- If you contest the accuracy of the Personal Data concerning you for a period enabling the controller to verify the accuracy of the Personal Data;
- If the processing is unlawful and you object to the erasure of the Personal Data and instead request the restriction of the use of the Personal Data;
- The controller no longer needs the Personal Data for the purposes of the processing, but you need the data for the assertion, exercise or defence of legal claims; or
- If you have objected to the processing pursuant to Article 21 par. 1 GDPR and it is not yet clear, whether the controller’s legitimate reasons override your grounds.
If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
9.5 Notification obligation (Art. 19 GDPR)
If you have asserted the right to a rectification, erasure or restriction of the processing against the controller, the controller is obliged to inform all recipients, to whom the Personal Data concerning you have been disclosed, of this rectification or erasure of the data or the restriction of the processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed by the controller about these recipients.
9.6 Right to a data portability (At. 20 GDPR)
You have the right to receive the Personal Data concerning you that you have provided to the controller in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another controller without hindrance by the controller, to whom the Personal Data was provided, provided that (1) the processing is based on a consent pursuant to Art. 6 par. 1a GDPR or Art. 9 par. 2a GDPR or on a contract pursuant to Art. 6 par. 1b GDPR and (2) the processing is carried out with the help of automated processes.
In exercising this right, you also have the right to have the Personal Data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. This must not affect the freedoms and rights of other persons. The right to a data portability does not apply to the processing of Personal Data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6 par. 1 sent. 1e GDPR).
9.7 Right to object (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to the processing of Personal Data concerning you, which is carried out on the basis of Article 6 par. 1e or f GDPR; this also applies to profiling based on these provisions.
The controller shall no longer process the Personal Data concerning you, unless it can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
If the Personal Data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of Personal Data concerning you for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object to the processing for direct marketing purposes, the Personal Data concerning you will no longer be processed for these purposes. You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures involving the use of technical specifications.
9.8 Right to withdraw consent (Art. 7 para. 3 GDPR)
9.9 Automated decision-making in individual cases, including profiling (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects vis-à-vis you, or similarly significantly affects you.
9.10 Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place where the alleged infringement has taken place, if you consider that the processing of your Personal Data is in breach of the GDPR.
9.11 Execution of the data subjects rights outlined in sec. 9.1 to 9.9 (Art. 15 to Art. 22 GDPR)
You may execute the rights outlined in sec. 9.1 to 9.9 above according to Art. 15 to Art. 22 GDPR by sending an email to our data protection officer under the following email-address: [email protected] or by sending us a letter in paper form via regular post to our business-address:
Ewropa Business Centre, Level 3
701, Dun Karm Street
Birkirkara BKR 9034
and/or as otherwise described in the foregoing. In your request, please provide:
- Your name;
- Your Contact details;
- Your registered email;
- Full details of your request.
We may request that you provide us with identity documents so that we can verify your identity to ensure that the requests really originate from you. We will carry out your request, to the extent that it is possible to do so.
10.1 Except as described in this Policy, we will not disclose the Personal Data that we collect and/or retain on the Service to third parties without your prior explicit consent.
10.2 In some cases, we use external service providers (order processors or third parties) to process your Personal Data. These have been carefully selected and commissioned by us. If they are data processors on commission, the service providers are bound by our instructions and are regularly audited. In all cases, where data is transferred, we always ensure that an appropriate contract is in place with the data recipients to ensure that the transferred data is transferred in a secure manner and that we only transfer the minimum amount of Personal Data required. Under no circumstances do we sell your data to third parties.
10.3 We work with the following data processors and/or third parties and may share your Personal Data with them as necessary:
- With payment service providers for the processing of payment transactions, i.e. deposits and withdrawals, as well as for making debits of stakes and crediting of winnings and additionally for the fulfilment of the statutory payment method verification and payment transparency requirements to which we are subject;
- With software providers and developers, from whom we licence the software for the games of chance we offer or who (further) develop such software directly on our behalf;
- With maintenance service providers, who maintain, service, repair and update our hardware and software;
- With service providers to manage our customer data and to handle and process customer service contacts via the chat function, by email or in writing;
- With affiliated companies for the use of group structures, in particular for administrative purposes, and to meet accountability obligations to any parent company and/or corporate owner;
- With services related to identity and age verification and the prevention of money laundering, terrorist financing, fraud and manipulation;
- With services related to responsible gambling monitoring and intervention with players, who display a problematic gambling behaviour;
- Where applicable, with collection agencies engaged by us to process payments and for the collection of transactions of our customers;
- Website performance monitoring systems and security systems;
- Marketing and advertising agencies, where applicable, provided you have given your prior consent to the marketing activity;
- Communication platform providers;
- Social media platforms;
- Where applicable, with (partial) legal successors who acquire our company or any part of our company.
10.4 Occasionally, we receive a request from law enforcement, regulatory and supervisory authorities to disclose data about players. We will always ensure that the entity requesting the information has the appropriate legal basis to do so and, in any event, will only disclose the minimum amount of information required in a secure manner. We will also disclose your personal information to law enforcement, regulatory and supervisory authorities, if we believe that a criminal offence has been committed or may be committed.
10.5 We shall keep the Data Subjects informed and ensure that these trusted partners and/or third parties will abide with the mandatory data protection measures. During such data transmission, we shall take all appropriate organizational, technical and legal protection measures. Any Personal Data transfers outside the EU/EEA will follow procedure as described in section 15.
11.1 We take appropriate technical and organizational security measures to protect our customers’ data against loss, misuse and unauthorized access, alteration, disclosure, or destruction of your information. Rootz has taken steps to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services processing Personal Data, and will restore the availability and access to information in a timely manner in the event of a physical or technical incident.
11.2 Your winnings and cash-outs are kept strictly confidential, and winnings information is stored in secure operating environments. We do not provide winnings information to any third party, unless such information is required to be disclosed by law, regulation or a similar governmental authority.
11.3 No method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot ensure or warrant the security of any information you transmit to us or store on the Service. However, we shall ensure that adequate technical and organizational security mechanisms designed to protect Personal Data will be used to prevent Personal Data from being stolen, misused or abused, and to prevent Personal Data breaches. If you believe your Personal Data has been compromised, please contact us: [email protected].
Although we may allow you to adjust your privacy settings to limit access to certain Personal Data, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users, with whom you may choose to share your information. We cannot and do not guarantee that information you post on or transmit to the Service will not be viewed by unauthorized persons. We have taken the necessary steps to protect as much as possible your Personal Data in transit by utilising adequate safeguards and security measures.
We will be happy to provide you with further information on how we protect and use your Personal Data. Please contact the support team at [email protected].
You can also obtain helpful information on the subject of data protection and privacy from the Office of the Federal Commissioner for Data Protection and Freedom of Information.
If you have questions regarding the processing of your Personal Data, you can contact us at:
Data Protection Officer
Email: [email protected]
Ewropa Business Centre, Level 3
701, Dun Karm Street
Birkirkara BKR 9034
If there are any conflicts or inconsistencies between the translated versions of this privacy notice, the German version will prevail.