Privacy Policy

Section 01

About This Policy

This Privacy Policy governs the collection, use, disclosure, and storage of personal information by CrimsonDeck Entertainment Ltd. ("CrimsonDeck", "we", "us", "our") in connection with your use of the CrimsonDeck website located at crimsondeck.com and related gaming services (collectively, the "Platform").

By accessing or using our Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please discontinue use of our Platform immediately.

This Policy applies to all users who register an account, visit our website, contact our support team, or otherwise interact with CrimsonDeck services. It applies to information collected online and through any related communications.

This document should be read in conjunction with our Terms and Conditions and Cookie Policy, which together constitute the complete legal framework governing your use of CrimsonDeck.

Section 02

Who We Are

CrimsonDeck is operated by CrimsonDeck Entertainment Ltd., a corporation registered in the Province of Alberta, Canada, operating as a licensed online gaming operator under the iGaming Alberta Act, S.A. 2026, c. I-1.5.

• Registered Name: CrimsonDeck Entertainment Ltd.
• Address: Suite 800, 10180 – 101 Street NW, Edmonton, AB T5J 3S4
• AGLC Licence No.: AB-IG-2583-2583
• Customer Support: 1-888-2583-542 (24/7)
• Privacy Officer Email: [email protected]

CrimsonDeck acts as the "data controller" for the purposes of PIPEDA and is responsible for ensuring that your personal information is handled lawfully and transparently.

Section 03

Personal Information We Collect

3.1 Registration & Identity Information

When you create an account with CrimsonDeck, we collect the following personal identifiers to establish and verify your identity:

• Full legal name (first, middle if applicable, and last name)
• Date of birth (to verify you are 18 years of age or older)
• Gender (optional, for personalization purposes)
• Residential address including postal code
• Province of residence (must be Alberta to use our services)
• Email address (primary communication channel)
• Mobile or landline telephone number
• Username and encrypted password

3.2 Identity Verification (KYC) Documents

To comply with AGLC regulations, Anti-Money Laundering (AML) requirements, and to prevent fraud, we require the following documents prior to your first withdrawal:

• Government-issued photo identification (Canadian passport, provincial driver's licence, or NEXUS card)
• Proof of address (utility bill, bank statement, or official government correspondence dated within 90 days)
• Payment method verification (screenshot or photo of the payment method used for deposits)
• Selfie or video verification for enhanced due diligence cases

3.3 Financial Information

We collect financial information necessary to process transactions and comply with AML obligations:

• Deposit and withdrawal amounts and transaction history
• Payment method type (Interac, Visa, Mastercard, Apple Pay, Google Pay)
• Partial payment card numbers (last four digits only; full card numbers are tokenized by our PCI-DSS-certified payment processor)
• Bank account details for Interac e-Transfer (masked in our systems)
• Source of funds declarations where required by AGLC

3.4 Gaming Activity

We record comprehensive gaming activity data for regulatory, responsible gambling, and service improvement purposes:

• Games played, wagering amounts, wins, and losses
• Session start and end times, duration of play
• Bonus claims, wagering progress, and promotional activity
• Responsible gambling settings, limits set, and any self-exclusion requests
• Player complaints and dispute records

3.5 Communications

• Live chat transcripts, email correspondence, and support ticket contents
• Responses to surveys and feedback forms
• Marketing communications opt-in/opt-out preferences

Section 04

Technical & Automatically Collected Data

When you access our Platform, our systems automatically collect technical data that helps us deliver, secure, and improve our services:

4.1 Device & Browser Information

• IP address (used for geolocation verification to confirm you are in Alberta)
• Device type, manufacturer, and model
• Operating system and version
• Browser type and version
• Screen resolution and display settings
• Time zone and language settings

4.2 Usage Data

• Pages visited and navigation paths within our Platform
• Referring URL and exit pages
• Search terms entered within the Platform
• Clicks, scroll depth, and interaction heatmaps
• Error logs and crash reports

4.3 Cookies & Tracking Technologies

We use cookies, web beacons, and similar technologies. Full details are available in our Cookie Policy. You can manage your cookie preferences via the cookie banner on our site.

Section 05

Third-Party Data

In some circumstances, we receive information about you from third parties. This data is handled with the same level of care as information you provide directly:

• Identity verification providers: We use certified KYC/AML service providers who may verify your identity against credit bureau records, government databases, or document authentication services.
• Payment processors: Our payment processing partners provide transaction confirmation and fraud scoring data.
• AGLC and regulatory bodies: We may receive notifications or data from the AGLC in connection with our licensing obligations, including self-exclusion register updates.
• Fraud prevention networks: Shared industry databases used to identify fraudulent accounts or suspicious patterns.
• Analytics partners: Aggregated and anonymized data from analytics platforms used to understand platform performance.

We do not purchase personal data lists from third parties for marketing purposes.

Section 06

How We Use Your Information

We use the information we collect for the following purposes:

• Account creation and management: Establishing and maintaining your player account, verifying your identity, and providing access to our gaming services.
• Regulatory compliance: Meeting our obligations under AGLC licensing, PIPEDA, AML/KYC laws, and iGaming Alberta Act requirements.
• Transaction processing: Processing deposits, withdrawals, and bonus credits accurately and securely.
• Responsible gambling: Monitoring player behaviour to identify potential problem gambling, enforcing player-set limits, and responding to self-exclusion requests.
• Customer support: Responding to your inquiries, resolving complaints, and improving our service quality.
• Fraud prevention and security: Detecting and preventing fraudulent activity, unauthorized access, and money laundering.
• Marketing and promotions (with your consent): Sending you relevant offers, bonus notifications, and platform updates via email or SMS if you have opted in.
• Service improvement: Analysing usage patterns to improve our platform, fix bugs, and develop new features.
• Legal proceedings: Preserving and disclosing records in connection with legal disputes, regulatory investigations, or court orders.

Section 07

Legal Bases for Processing

Under PIPEDA and applicable Alberta privacy legislation, we process your personal information on the following grounds:

• Consent: For marketing communications, analytics cookies, and optional data collection. You may withdraw consent at any time.
• Contractual necessity: To fulfil our obligations under the Terms and Conditions you accepted when registering your account.
• Legal obligation: To comply with AGLC licensing requirements, AML regulations, tax reporting obligations, and applicable Canadian law.
• Legitimate interests: For fraud prevention, platform security, and improving our services, where these interests are not overridden by your rights and freedoms.

Section 08

Sharing Your Information

We do not sell your personal data. We share information only in the following limited circumstances:

• AGLC and regulatory authorities: We are legally required to report certain information to the AGLC, including player identity, gaming activity, and financial transactions, as a condition of our licence.
• KYC/AML service providers: Identity verification partners who process your documents and identity data on our behalf under strict data processing agreements.
• Payment processors: PCI-DSS-certified processors who handle your financial transactions. They receive only the minimum data required to process payments.
• Game software providers: Certified game studios receive anonymized session data required for game operation and RNG certification.
• IT and hosting providers: Cloud infrastructure and security providers who host our Platform under confidentiality obligations.
• Legal and law enforcement: Where required by court order, subpoena, or regulatory demand, or where disclosure is necessary to prevent serious harm.
• Professional advisors: Lawyers, auditors, and accountants bound by professional confidentiality obligations.

All third parties who process your data on our behalf are bound by data processing agreements that require them to protect your information and use it only for specified purposes.

Section 09

International Data Transfers

CrimsonDeck is a Canadian operator and we strive to keep your data within Canada wherever possible. However, some of our service providers and technology partners operate globally, which may result in your data being processed in other countries, including the United States and European Economic Area jurisdictions.

When data is transferred internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) or equivalent data transfer agreements
• Transfers only to jurisdictions with adequate data protection laws as recognized by Canada
• Vendor security assessments and contractual data protection obligations

By using our Platform, you acknowledge that your data may be transferred to and processed in countries outside Canada. If you have concerns about international data transfers, please contact our Privacy Officer.

Section 10

Data Retention

We retain your personal information for as long as necessary to fulfil the purposes outlined in this Policy, subject to the following minimum retention periods required by law and our AGLC licence:

• Account and identity records: 7 years from account closure or last gaming activity
• Financial transaction records: 7 years from the date of each transaction, as required by Canadian AML legislation
• KYC documents: 7 years from account closure or last transaction
• Gaming session records: 7 years from date of play
• Communication records: 3 years from the date of communication
• Marketing consent records: Until consent is withdrawn, plus 2 years
• Technical logs and cookies: As set out in our Cookie Policy (typically 13 months)

Upon expiry of the applicable retention period, your data will be securely deleted or anonymized in accordance with industry standards. Data subject to ongoing legal proceedings or regulatory investigations will be retained until the matter is resolved.

Section 11

Your Rights

Under PIPEDA and applicable Alberta legislation, you have the following rights regarding your personal information:

• Right of Access: Request a copy of the personal information we hold about you, including the categories, sources, and purposes of processing.
• Right to Rectification: Request correction of inaccurate or incomplete personal information.
• Right to Withdrawal of Consent: Withdraw consent for data processing activities based on consent (e.g., marketing emails), without affecting the lawfulness of prior processing.
• Right to Deletion: Request deletion of your personal information, subject to our legal retention obligations under AGLC regulations (minimum 7-year retention applies to gaming records).
• Right to Lodge a Complaint: File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca if you believe your privacy rights have been violated.
• Right to Restrict Processing: In certain circumstances, request that we limit how we use your data pending resolution of a dispute or complaint.

To exercise any of these rights, please contact our Privacy Officer at [email protected] or by mail at our registered address. We will respond to verifiable requests within 30 days. Identity verification will be required before we disclose or modify any personal information.

Section 12

Security

CrimsonDeck implements comprehensive technical and organizational security measures to protect your personal information against unauthorized access, loss, destruction, or disclosure:

• 256-bit SSL/TLS encryption for all data in transit between your device and our servers
• AES-256 encryption for sensitive data at rest, including identity documents and financial records
• Multi-factor authentication (MFA) available and recommended for all player accounts
• Role-based access controls limiting staff access to personal data on a need-to-know basis
• Regular penetration testing and vulnerability scanning by independent cybersecurity firms
• Annual third-party security audits and certifications
• Incident response plan and mandatory data breach notification procedures
• Secure data deletion protocols for expired records

In the event of a data breach that poses a real risk of significant harm to you, we will notify the Office of the Privacy Commissioner and affected individuals as required by PIPEDA's breach notification regulations.

Section 13

Children's Privacy

CrimsonDeck's gaming services are strictly for adults aged 18 years and over. We do not knowingly collect personal information from anyone under the age of 18. Our registration process includes mandatory date-of-birth verification and age gate confirmation.

If we discover that a minor has created an account or provided us with personal information, we will immediately close the account, refund any deposits, and securely delete all associated personal data. If you believe a minor has accessed our Platform, please contact us immediately at [email protected].

We support the use of parental control software to prevent underage access to gambling platforms. Recommended tools include Net Nanny, CyberPatrol, GamBlock, and BetBlocker.

Section 14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or AGLC regulatory guidance. When we make material changes, we will:

• Update the "Last Revised" date at the top of this Policy
• Display a prominent notice on our Platform for at least 30 days
• Send an email notification to all registered players
• For significant changes, require renewed consent before continued use of the Platform

We encourage you to review this Policy periodically. Your continued use of our Platform after the effective date of any changes constitutes acceptance of the updated Policy.

Section 15

Contact & Complaints

If you have questions, concerns, or complaints about this Privacy Policy or our data handling practices, please contact our Privacy Officer: