britain's biggest bingo site

Privacy Notice

 

Last Update: 26th September 2024

1. OVERVIEW 

At tombola, we like to make things easier for our customers and that includes being clear and open about how and why we use your personal data. We know there's nothing more off-putting than the sight of a lot of boring small print, so this privacy notice ("Notice") is designed for you to easily access the information you need, when you need it. It's also written in plain English, to make it clear, simple, and easy to read.

This Notice applies to our websites, application, products or services that link to this Notice or that do not have a separate privacy notice (collectively our "Services"). 

In the first section of the Notice, we provide an Introduction to tombola (including our contact details), we provide information on Privacy and Data Protection at tombola, we explain How to navigate and read this document and we also explain how to stay abreast of Changes to the Notice.

We hope that you find this Notice helpful but if you have any concerns or questions please feel free to share feedback via the contact methods listed in the Contact details, including DPO section below.

1.1 Introduction to tombola

1.1.1. Controller details

References in this document to "us", "our", "we", “tombola”, “Tombola” or “TOMBOLA” are references to the following data controllers: 

 

  • tombola International Plc (“TIP”), is a company registered at, Floor 4, 55 Line Wall Road, Gibraltar, GX11 1AA and COMPANY registration number 105556 with offices based in Gibraltar and the UK.  tombola International Plc (TIP) is licensed and regulated by the Gambling Commission of the United Kingdom (licence numbers 038613-R-319397-012 and 038613-R-319397-012) in respect of customers located in the UK, Denmark and Sweden.

 

  • tombola International Malta (“TIM”), is a company registered at Spinola Park - Level 2, Triq Mikiel Ang Borg, St Julian's, SPK 1000 Malta and COMPANY registration number C92843 with offices based in Malta, Italy, Spain and the Netherlands.  tombola International Malta (TIM) is licensed and regulated by the Gambling Commission of Malta (general licence number 209-11/GO/N0440880A/SGR and single licence numbers 210-11/BNG/N0440880A/SGR and MAZ/2018/043) In respect of customers located in Italy, Spain and The Netherlands.

A data controller is the main decision-maker and exercises overall control over the purposes and means of the processing of personal data and must demonstrate compliance with all data protection principles as well as other GDPR requirements

 

1.1.2. About the Flutter Group

tombola is a member of the Flutter Group of Companies. Any reference to the "Group" within this Notice includes Flutter Entertainment plc and all or any of it's direct or indirect subsidiary undertakings, joint venture partners, and their related companies wherever located in the world as may exist from time to time including, but not limited to, Paddy Power, Betfair, Sportsbet, BetEasy, FanDuel, TVG, Adjarbet, Sky Betting and Gaming, Full Tilt, and PokerStars.

The Flutter Group is split into four regional divisions, namely UK & Ireland ("UK&I"), US, Australia and International, with each one housing a number of the abovementioned Flutter Group brands. tombola is within the UK&I division, alongside Paddy Power, Betfair UK&I and Sky Betting and Gaming.

Please note that the Flutter Group also operates other gambling companies and your use of those products and services will be subject to privacy notices that may differ to the one contained herein. Any exercise of your privacy or data protection rights in accordance with this Notice will only relate to the personal data being processed by the tombola companies listed in the Controller details section and will not apply in regard to any products or services operated directly by the Flutter Group unless otherwise stated in this Notice.  

The Flutter Group operates separate privacy policies for individuals residing in the UK which are available at:

https://www.pokerstars.uk/privacy/
https://www.paddypower.com/aboutUs/Privacy.Policy/
https://www.betfair.com/en/aboutUs/Privacy.Policy/
http://support.skybet.com/s/article/Privacy-Policy

1.1.3 Contact details, including DPO

If you have any concerns about how tombola handles your personal data, you can contact our Data Protection Officer (DPO) and Data Protection Team at [email protected]. If you wish to exercise your Data Protection rights, please see YOUR DATA SUBJECT RIGHTS.

 

1.2 Privacy and Data Protection at tombola

Data protection is all about keeping your personal data safe and secure, and ensuring that your legal rights in relation to your data are respected. Privacy is a fundamental right, and you are entitled to have your personal data protected, used in a fair way, and made available to you when you ask for a copy. 

 

1.2.1. Our commitment

At tombola, we take the protection of our customers' personal data and privacy very seriously, and we never lose sight of the fact that your personal data is YOUR personal data.

We believe in using your personal data to make things simpler and better for you, and we will always keep your personal data safe using the highest standards of security. We'll be clear and open with you about why we collect your personal data and how we use it, and where you have choices or rights, we'll explain them to you and respect your wishes.

What's more, we manage customer personal data in a tightly controlled way to ensure we deliver our products in a safe and reliable fashion, to do all we can to proactively protect our customers from harm, and to ensure our business meets it's legal and regulatory obligation and is protected against attack, crime and other potential risks. 

1.2.2. Our key privacy protection principles

To meet these commitments, we employ the following 5 principles at tombola. These principles are at the heart of everything we do and ensure that your rights are considered at every stage. 

  1. Keeping your data secure: We recognise that online security and data protection is an area of vital importance for all our customers, so it is important to us that you have confidence in the security of your personal details before you register an account. We are committed to employing best-in-class security measures to protect your information and out technological security solutions are governed by a mature framework. 
  2. Data Protection by design and default: We are committed to implementing technical and organisational measures, at the earliest stages of the the design of our Services, in such a way that safeguards your privacy and Data Protection rights from the start ('Data Protection by design'). By Default we ensure that personal data is processed with the highest level of privacy protection and that data is made accessible only to those who need it. ('Data Protection by default'). We also routinely use pseudonymisation and encryption when processing your data internally and where data is shared externally. 
  3. Transparency: Transparency is a key principle of data protection, and we believe in being up front and honest with you about how we use your data. Our Privacy Notice provides you with everything you need to know about how your information will be used by tombola, and we embed -ad-hoc privacy notices when you are using our site to let you know when we might be using your data in ways you don't expect. 
  4. Giving you the choice: We believe that respecting your privacy begins with giving you a say in how it's used. Where you have rights in respect of the data we process relating to you, we will do everything we can to make it easy to exercise these choices. We also endeavour to give real choice over how you hear from us, and how we use cookies and other technologies. 
  5. Using your data to keep you safe: At tombola we do all we can to proactively protect our customers from harm, and that includes using your data to identify, prevent and react to risky behaviour. Using out industry-leading levels of customer insight and our passion to do the right thing by our customers, we are committed to using your data and patterns of play to ensure a safe experience for every person. 

We have designed the Notice so that you can easily access the information that you need. It is split into four parts as follows:

  • PERSONAL DATA TYPES WE USE explains the different types of personal data that you provide to us when you use our Services, that is generated when you use our Services and that we collect from our sources.
  • HOW AND WHY WE USE YOUR PERSONAL DATA explains what we use your personal data for. It contains different sections for each type of personal data usage, with each section providing information on the preposes and legal basis for using the data, as well as on any sharing of the data that may occur. Our use of personal data is not the same for all types of individuals (e.g. web visitors, customers, etc), so please see "Who the section applied to" at the beginning of each section to find out the ones that relate to you and your personal data.
  • GENERAL PROCESSING INFORMAITON contains information about our personal data processing that is relevant to all individuals who engage with our services.
  • YOUR DATA SUBJECT RIGHTS provides you with information on the right you have in relation to your personal data and how to exercise those rights. 

For information on cookies, please see our onsite Cookie Banners, Onsite Cookie Management centre (located at the bottom of our websites or visit our Cookie Policy

1.4 Changes to the Notice

It is important to check back often for updates to this Privacy Notice, (the "last updated" reference tells you when we last updated this Privacy Notice). If we make material and important changes, we will let you know by making a customer service announcement via email and placing a notice on our website or app.

 

2. PERSONAL DATA TYPES WE USE

We gather and use different types of personal data that you provide to us, that is generated through your use of our Services or is which we have collected from other sources. This data includes your registration information, verification and know your customer documentation, your interactions with our Customer Experience teams, marketing, payment information, gaming and transactional information, financial information, Safe Play information, device, tracking and other online information, profiling and analytical information, as well as information from other sources including public sources and trusted parties.

Below, you can find out more about the personal data submitted by you, the personal data generated from your use of our Services, and the personal data obtained from other sources

 

2.1 Data provided by you

When using our Services, we collect the following types of information provided by you:

 

Registration Information:

When you register an account with us, you are required to provide us with your name, date of birth, postal address, e-mail address, phone number, security questions, marketing preferences and any other details as might be requested from you for the purposes of registration and/or continued use of our Services. 

 

As a condition to using our Services, we restrict access based on Geolocation so that we can ensure that we are authorised to provide the licenced service to you in your location.

 

Verification and Know Your Customer ('KYC') Documentation:

In order to verify your identity, you may be required to provide documents such as a copy of your passport or driver's licence, national ID, documentation establishing your address such as utility bills, or any other information we deem necessary to confirm your age and/or identity.

 

Interactions with Customer Experience:

When you interact with our Customer Experience via Live Chat, phone, email or social media platforms we retain a record of your conversations with our staff, as well as notes relating to these interactions and their outcomes. 

When you contact us through a social media account, we will be provided with a copy of the social media profile details (name, profile photo and other information) you make available to us as well as the content of your messages to us.

 

Payment Information:

Information in relation to your chosen payment method such as debit / credit card details, cardholder name, e-wallet details, or information in relation to your alternative payment method. All such information is processed in accordance with the Payment Card Industry Data Security Standard. 

 

Financial Information:

Bank statements or other documents proving your source of wealth including but not limited to proof of earnings, payslips and evidence of business ownership.

 

Safe Play Information:

Data you provide to us in relation to concerns you may have about gambling risk, harm or safety, or as part of a vulnerability assessment. Some other Safe Play Information is also created while you use our Services - see Data Created by using our Services below.

 

Forum Posts and In-Game Comments:

Information about the way you contribute to and communicate with, and through, our Services. for example when you post comments via our social media channels or chat functionalities such as forums, chat rooms and message boards, profile comments, in-game challenges and chat messaging with game operators or other users. 

 

Responses to Surveys and Market Research:

Responses to surveys or market research that we conduct.

 

Special Category Data:

Special category data is personal data that needs more protection because it is sensitive. It includes biometric data that may be used for identification purposes, genetic data, data concerning an individual's health, sex life or sexual orientation, or personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs.

In the course of your contacts with Customer Experience, if you provided information to us on health conditions that you may have, we may retain this information and use it to add further protections to your account, where appropriate.

Especially, where you have vulnerabilities which may effect you ability to safely use our Services, we may request further information or may take extra steps to enhance protection for you. This may involve health information.

We will only ever use special category data when absolutely necessary and where lawful to do so. Where possible, we will always ask for your consent before we proactively request or use this information. In limited circumstances where consent is not possible, we may need to use this information to protect your vital interests or for reasons of substantial public interest in accordance with the law.

 

 

 

 

 

 

2.2 Data created by using our services

Some of the personal data we process relating to you is generated by your use of the Services.

 

Gaming and Transactional Information:

Your stakes, winnings, deposits, deposit failures, withdrawals, and other account transactions

 

Safe Play Information:

Safe Play controls that you decide to apply through your use of our Services, such as deposit limits, cool off periods, or self-exclusions, account self-closure or controls that we pro-actively decide to apply in order to prevent harm, such as spend limits or enforced exclusions. 

 

Device Information:

Details relating to your device and communication data, not restricted to but including IP address, browser type, unique device identifier, IDFA, IDFV, hardware model, operating system and version, software, preferred language, serial numbers, device motion information, mobile network information and location data. 

 

Server Logs and Traffic Information:

Information such as the dates and times of access, the app features or pages you view, app crashes and other system activity, along with any referring website you were using prior to visiting our site. 

 

Cookie and Tracking Information:

When you access or use our content, products, and Services, we may collect information from your devices through the use of 'cookies; and similar technologies.

These technologies can collect a wide variety of information about how you interact with our Services, such as your language preferences, pages visited and content viewed, link and buttons clicked, and URL's visited before and after you use our Services.

For further detail on cookies, please refer to our Cookie Policy. To manage your cookie preferences, please go to our onsite Cookie Management centre. 

 

Information derived from Profiling and Analysis:

We carry out profiling and analysis based upon, but not limited to your name, location data, age, gameplay activity and interactions with any of our Services, as well as other relevant data points.

2.3 Data from other sources

Not all the personal data we hold about you will always come directly from you or from your use of our Services. As detailed below, we may also collect information from third parties such as our partners, service providers and publicly available websites (i.e. social media platforms), to comply with our legal and regulatory obligations, offer Services we think may be of interest, to help us maintain data accuracy and to provide and enhance the Services.  

 

Social media profile details:

Your name, profile photo and other information you make available to us when you connect with or contact us through your social media account.

 

Credit Reference Agencies:

Data provided by trusted credit reference agencies who may perform a soft check for verification and affordability purposes which do not effect your credit score. A record of the outcome of these checks is provided back to us. 

 

Publicly Available Sources:

In accordance with our legal obligations, we may consult publicly available information about you such as your Facebook or other social media pages, property ownership details, the electoral roll, company annual returns for places you have worked, industry bodies of which you may be a member, and insolvency registers. 

 

From other Flutter brands:

In some circumstances, as detailed in the HOW AND WHY WE USE YOUR PERSONAL DATA and Group sharing sections below, we may receive or get access to some personal data from other brands within our Flutter Group. For example, and as detailed in the Safe Play section below, we operate a cross brand self exclusion mechanism between the Flutter Group brands that operate in the UK whereby if you self exclude from Paddy Power, Sky Betting & Gaming, Betfair or PokerStars, that data will be shared with us here in tombola so that the exclusion can be processed in tombola as well. 

 

From your family members or other third party friends or contacts:

Data may be received by us from third party contacts if you ask for a family member to support you with the management of an issue or complaint, if you have legal power of attorney representing you or if someone contacts us to tell us about a customer of ours who they have concerns about. In these instances we will have records of the third party contact details and recordings of the interactions. For the avoidance of doubt, we will also need to obtain and use contact information from these third party family members, friends or contacts in order to manage out communications with them strictly and only for the purpose mentioned above.

 

3. HOW AND WHY WE USE YOUR PERSONAL DATA

We only use your personal data where necessary and where it is lawful to do so. Our use of your personal data is needed to enable us to deliver the Services to you, to meet our legal or regulatory obligations, to meet or protect yours, ours, the wider public's or other third parties' interests, and sometimes for other reasons only where we have you explicit consent to do so.

Below, we explain how and why we need to use your personal data, providing you with information on our different uses of your personal data. This includes detailed information on the reasons for using your data, they types of personal data we use and also information on the legal basis for using your data, which may include your personal data:

  • To enter into or perform a contract with you ('Performance of a contract'), such as delivering our Services in accordance with the terms and conditions;
  • To meet our legal or regulatory obligations ('Legal or regulatory obligations'), such as our taxation, company or data protection law or our licencing obligations;
  • To meet our own legitimate interests or those of a third party ('Legitimate interests'), such as where we use data to protect our business assets or information, to improve our Services or to keep you safe while you use our Services;
  • Where you have provided us with consent to do so ('Consent'), such as where you have provided us with consent to provide you with marketing information;
  • To perform tasks in the interests of the general public ('Public interests'), such as safeguarding the public from gambling related harms; or
  • To protect your or someone else's vital interests ('Vital interests').

Click on each different use of personal data below to find out more about how and why we use your personal data.

 

3.1 Analysing the use of our Services

3.1.1. Who the section applies to

All visitors to tombola websites, apps or other assets are covered by this Notice

 

3.1.2. Overview

We use your personal data to provide you with the Services and ensure that our Services are functioning correctly.

We use technical information about your device, operating system and browser version to present you with the correct version of our website or app and to keep it functioning securely. This information is also used to diagnose system problems, improve and test the features of our Services, and carry out testing.

In order to abide by our legal and regulatory requirements, we will also check your location to ensure users are using Services in licensed countries, and that the correct version of the site is presented to them.

We also perform analysis of the performance and usage of our Services to help improve you user experience. For further information on cookies, please refer to our Cookie Policy.

 3.1.3. The purpose and legal basis for processing your personal data

Purpose

Categories of Personal Data

Legal basis

Diagnostics, research, and development:

To help diagnose system problems, to administer our websites, to improve and test the features and functions of our Services, and to carry out testing and analysis.

 

Device Information

Server Logs and Traffic Information

Information derived from Profiling and Analysis

Legitimate Interests

Site Personalisation/Localisation

Verifying that you are using the site in a licenced jurisdiction and presenting you with the correct version of the site.

 

Registration Information

Device Information

Gaming and Transactional Information

Performance of a contract

Legal and Regulatory Obligations

Reporting and Analysis

Aggregated statistics and analysis on how users interact with our Services.

 

Device Information

Server Logs and Traffic Information

Cookie and Tracking Information

Gaming and Transactional Information

Legitimate Interests

Consent, where required to use non-essential cookie or related information

 

3.1.4. Who we share your personal data with

  • We use a number of tools to assist in performing analytics on our site, such as Google Analytics and Optimizely;
  • Other companies within the Flutter Group, who provide support services as part of the Flutter Group's UK&I division.

 

3.2 Registering & verifying your account

3.2.1. Who this section applies to

All customers that register and verify an account

 

3.2.2. Overview

When you register an account with us, you are required to provide us with certain information in order to set up your account and verify your identity. This allows us to ensure that you are who you claim to be and that you are old enough to use the Services. As part of this process, we rely on trusted third parties to assist us in confirming the details you have provided.

 

To make this process as simple as possible for our customers, we utilise a number of electronic checks to confirm your age, address and identity. Where an electronic check is not sufficient to meet our licensing requirements, you will be required to provide us with a copy of your photographic identification, such as passport, national ID or driver’s licence. We may also ask you to provide us with proof of address, such as a copy of a recent utility bill.

 

Once you provide your identification documentation, we will perform a combination of automatic system and manual matching against information entered when opening an account and if the match is confirmed, verification is successful. Where we have been unable to successfully match a customer’s details, an account suspension may be applied. The process is overseen by our Customer Experience teams. If you have any queries or concerns about the verification process or an account suspension, please get in touch and one of our advisors will be able to assist.

For UK customers, we may also check your details against publicly available information such as electoral rolls, to confirm the accuracy of the details you have provided, and to ensure that you are old enough to use our Services. If we become aware that a minor has attempted to or has submitted personal information via the Websites, we will take action to remove access from compromised accounts.

 

To help us comply with our legal and regulatory obligations, when you use our Service, depending on which jurisdiction you reside, we may perform an affordability check to establish whether you have any indications of financial vulnerability. This assessment is performed on our behalf by a trusted third-party, TransUnion, and will leave a search footprint which will not negatively impact your TransUnion credit score. For further information, please refer to TransUnion’s Privacy Notice: http://www.transunion.co.uk/legal-information/bureau-privacy-notice

 

3.2.3. The purpose and legal basis for processing your personal data

Purpose

Categories of Personal Data

Legal basis

Account Registration

Gathering essential information from you in order to confirm your identity and contact details

Registration Information

 

Performance of a contract

Legal and regulatory obligations

Underage Verification

Verifying a customer's age to prevent underage accounts from being set up. In the UK, we may carry out verification checks using publicly available information, to verify your age.

 

Registration Information

Verification and KYC Documentation

Publicly Available Information

Performance of a contract

Legal and regulatory obligations

KYC Verification

Automatic verification of a customer's identity to prevent anonymous accounts from being set up. In the UK, we may carry out verification checks using publicly available information.

 

 

Registration information

Verification and KYC Documentation

 

Performance of a contract

Legal and regulatory obligations

 

Customer Document Verification – Verifying customer’s identification documents using trusted third parties.

Verification and KYC Documentation

Registration information

 

 

 

Performance of a contract

Legal and regulatory obligations

Affordability Check (UK Customers)

We may perform a soft check, using a trusted Credit Reference Agency, TransUnion, to verify how much you can afford to spend onsite. (Note that this is displayed as a money laundering check on your account but is used for affordability)

Verification and KYC Documentation

Registration information

 

Performance of a contract

Legal and regulatory obligations

 

Reporting and Analysis

Aggregated statistics on users registration.

Registration Information

Device Information

Legitimate Interests

 

3.2.4. Who we share your personal data with 

  • Document checking – We use third parties to help in confirming the legitimacy of the documents you have submitted, such as Hooyu.
  • Electronic verification – We use third parties to verify that the details you have submitted are legitimate and that you are of legal age to gamble. Third parties will vary depending on which jurisdiction you reside.
  • Credit checking – We use credit reference agencies such as TransUnion to verify your details and the amount that you can spend on our Services.
  • Other companies within the Flutter Group, primarily Paddy Power and Sky Betting & Gaming, Betfair who provide customer registration and verification management and technical support services as part of the Flutter Group’s UK&I division.

3.3 Processing your payments & delivering the Services

3.3.1. Who this section applies to

All registered customers who add a payment method to, deposit to or withdraw from their account.

 

3.3.2. Overview

In order to process your payment method addition, deposits and withdrawals, we will use information in relation to your chosen payment methods. These details are used to provide you with swift and secure deposits, to prevent, where possible, fraudulent use of your payment methods, and to monitor trends and performance in relation to our payment Services.

 

When you make a deposit and withdrawal to your account, your card details or details in relation to your bank or e-wallet provider will be used in order to process these transactions. Where card payments are facilitated in tombola is fully compliant with the Payment Card Industry Data Security Standards (‘PCI DSS’), and your card payment information is protected to the highest degree possible.

 

We may from time to time be required to use WorldPay to administer bank transfers, please refer to their Privacy Policy for more information: https://www.worldpay.com/en/privacy

 

If you have concerns in relation to a deposit or withdrawal that you have made, we will investigate your query promptly and may use further information in relation to your account to support this investigation. You may be asked to provide further information, and in certain circumstances, we may contact your bank or payment provider to resolve the issue.

 

In certain circumstances, where we have concerns over payments being made on customer accounts, we may perform additional due diligence to confirm that funds are being sent and received from the true owner of the account.  We may examine details in relation to your location, IP address or device to confirm where payments are being made from. We may also require you to submit additional verification documentation to confirm your ownership of the payment method in question.

 

We also perform monitoring on all payment methods additions, deposits or withdrawals made, in order to rapidly identify errors or suspicious activity. These processes use the minimum personal data necessary to alert the relevant teams who may then investigate further.

 

Finally, we will use your information to deliver the Services and process the stakes and transactions that you make. For these purposes, your gaming and transactional information may be analysed in order to improve the Services we provide and in order to investigate and resolve issues with the functioning of the Services.

 

3.3.3. The purpose and legal basis for processing your personal data

Purpose

Categories of Personal Data

Legal basis

Processing payment method additions, deposits and withdrawals

Using your payment details to process the transactions you request.

 

Registration Information

Payment Information

Device Information

Cookie and Tracking Information

 

Performance of a contract Legitimate business interests

Investigating escalations and complaints relating to payments.

Investigating concerns you or others may raise in relation to payments made on your account, or using your payment information.

Registration Information

Payment Information

Gaming and Transactional Information

Device Information

Cookie and Tracking Information

 

 

Performance of a contract

Legal and regulatory obligations

Consent, where required to use non-essential cookie or related information

 

Monitoring alerts and Reporting

Real-time monitoring of deposits and withdrawals to identify trends and transactions requiring further review

Registration Information

Payment Information

Gaming and Transactional Information

Device Information

Cookie and Tracking Information

 

Performance of a contract

Legal and regulatory obligations

Consent, where required to use non-essential cookie or related information

 

 

Payment proof of ownership

Confirming funds are being sent or received from owner that holds account with us

 

Registration Information

Payment Information

Gaming and Transactional Information

Device Information

Cookie and Tracking Information

Verification and KYC Documentation

 

Legal and regulatory obligations

Performance of a contract

Consent, where required to use non-essential cookie or related information

Delivery of The Services

Providing the services and processing the stakes and transactions that you make

Registration Information

Payment Information

Gaming and Transactional Information

Device Information

Cookie and Tracking Information

 

Performance of a contract

Consent, where required to use non-essential cookie or related information

Reporting and Analysis

Aggregated statistics and analysis on users payment transactions

Registration Information

Device Information
Payment Information
Gaming and Transactional Information

Legitimate Interests

 

3.3.4. Who we share your personal data with

  • Payment providers - Sharing details in order to process your transactions with your registered bank, e-wallet providers including Apple Pay, our payment providers such as, Cybersource, Global Payments, PayPal, iDeal and WorldPay (and their appointed third parties);
  • Fraud prevention service providers, such as CIFAS and Amazon Fraud Detector;
  • Other companies within the Flutter Group, who provide payment and Service delivery support as part of the Flutter Group’s UK&I division.

3.4 Contacting Customer Experience

3.4.1 Who the section applies to

This section applies to any person that contacts Customer Experience via email, live chat, phone, and social media.

 

3.4.2. Overview

When you contact our Customer Experience teams via the contact methods we offer, we will use information relating to your account and activity, as well as the information you provide to our staff, to investigate your query and work towards a resolution.

 

In order to process your query, you may be asked for additional information in relation to the issue you are facing. Any information you provide may be shared internally with other relevant operational teams. For example, if you raise a concern in relation to Safe Play, your details may be shared with our Safe Play teams for further review.

 

Should you decide to raise a complaint, a dedicated complaints procedure will be followed. If you remain dissatisfied by the final outcome of the investigation, and still wish to pursue a dispute or complaint, then you can raise a complaint with one of the Alternative Dispute Resolution (‘ADR’) providers, that tombola engage with. In such circumstances, we may share any information we deem relevant to the dispute with the relevant ADR provider.

 

Please note that all interactions you have with our Customer Experience functions are recorded and retained. We use a number of third-party software tools to help deliver our support functions, and information you share with will be processed and/or stored on these tools.

 

NOTE: For information about contacting Customer Experience for Safe Play reasons, please see the Safe Play section below.

 

3.4.3. The purpose and legal basis for processing your personal data

Purpose

Categories of Personal Data

Legal basis

Resolve queries related to your account, stakes you have placed or games you have played

Investigate and sharing information relating to your Customer Experience contacts

Registration Information

Verification and KYC Documentation

Device Information

Gaming and Transactional Information

Social media profile details

Interactions with Customer Experience

Legal and regulatory obligations

Legitimate business interests

Performance of a contract

 

 

 

Opening and closure of accounts upon request

Processing data to register or close accounts via our Customer Experience team

Registration Information

Verification and KYC Documentation

Social media profile details

Interactions with Customer Experience

 

Legal and regulatory obligations

Performance of a contract

 

Alternative Dispute Resolution

Sharing information to defend complaints made by you to ADR providers

Registration Information

Verification and KYC Documentation

Device Information

Gaming and Transactional Information

Interactions with Customer Experience

Legal and regulatory obligations

Performance of a contract

 

Reporting and Analysis

Aggregated statistics and analysis on user contracts.

Registration Information 

Device Information 

Gaming and Transactional Information 

Interactions with Customer Experience 

Legitimate Interests 

 

 

3.4.4. Who we share your personal data with

  • Alternative Dispute Resolution Providers, including the IBAS (Independent Betting Adjudication Service);
  • Social media partners, such as Facebook, and should you contact our Customer Experience team via their platform;
  • Other companies within the Flutter Group, who provide customer support services as part of the Flutter Group’s UK&I division.

3.5 Marketing

3.5.1. Who the section applies to

Anyone to whom tombola directly or indirectly markets, promotes or advertises its products.

 

3.5.2. Overview

Your marketing preferences with tombola are based on whether you want (i) to receive marketing offers and communications from us (“, and/or (ii) your profile to be used by us in order to market to you (‘Personalised Marketing’).

 (i) Receiving Offers & Communications

The below apply to the marketing choice to receive marketing offers and communications from us or not:

 

Direct Marketing

 

Subject to any consent preferences you have expressed (where applicable), we use personal data to deliver marketing and event communications to you across various channels, such as email, SMS, and push notification.

 

We will do this during the period of your relationship with us and, unless specifically instructed otherwise by you, for a maximum of 2 years after your account has been inactive in order to inform you about products, services, promotions and special offers which we think may be of interest to you.

 

If you wish to opt out of receiving direct marketing through email, SMS and direct mail, you can do so by going to your Contact Preferences within my account when you login to your account and ensuring that the option to receive offers and communications is opted out.  If we send you a marketing email or SMS, they will include instructions on how to opt out of receiving these marketing communications in the future.  You will be prompted to choose to opt in to push notifications when you download a tombola app, however if you later wish to opt out of receiving push notifications you can do this via the settings on your mobile device.

 

Please allow up to 48 hours for any changes you make to your marketing preferences to be fully processed. Please remember that even if you opt out of receiving direct marketing, we may still send you important information related to the Services.

 

Group Direct Marketing

 

If you have indicated your consent to receive marketing from us, we may from time to time send you direct marketing material relating to products offered by other companies within the Flutter Group, as described in the About the Flutter Group section above. If you opt-out of receiving marketing from us, we will not send you marketing relating to the Flutter Group.

 

Please note that if you hold separate accounts within the Group, you should consider your marketing preferences for each separately. For example, if you opted out of marketing for any other product within the Flutter Group and not tombola, you will continue to receive marketing communications directly from tombola unless updated.

(ii) Personalised Marketing

 

Social Marketing

 

We will work with social media companies such as Facebook and Instagram to provide you with information about our Services via their platforms. 

 

If you are opted in to Direct Marketing, we may share limited personal data with the social media companies to enable us to send you information via their platforms, or market to audiences within their platforms who share similar characteristics to you. If you are opted out of Direct Marketing or if you are on an exclusion list, you will not receive targeted marketing from us via these platforms.

 

Please note that you may still see adverts from us on social media platforms, even if you are opted out of profiling with us. This type of display, non-targeted marketing is not based on any personal data held or controlled by tombola. If you do not wish to see these adverts, you can control this easily by disabling preference-based marketing in the privacy and ad settings on each individual social media platform.

 

We may also run untargeted Sponsored marketing within Facebook which you have the option to select “Hide all from tombola” or “Hide post” or “Block tombola’s profile” from within the Facebook environment.

 

Online Advertising (not applicable in Italy)

 

We use a combination of information including, but not limited to, advertising cookies, your email address, your device identifier, phone number, date of birth, address and your onsite activity to show you targeted and relevant advertisements on a selection of websites across the world wide web, apps and social media websites. You can opt out of cookies and of Direct Marketing at any time if you do not wish to receive targeted advertising like this online.

 

You can control the use of cookies via our onsite Cookie Management centre or for further information, please visit our Cookie Policy.

 

 (iii) Other Marketing & Communication Information

 

iOS Users

 

For iOS Users, using versions prior to 14.5 their iOS device is assigned an Identifier for Advertisers (IDFA) which enables app owners and advertisers to track campaigns and deliver personalised advertising. If you are an iOS user and have opted into tracking for tombola, your IDFA (Identifier for Advertisers) is used to deliver you personalised advertising that is relevant to you (based on information we have about you, including browsing history, transactional information, demographic information and behavioural information, predictive information we create about you in each case in relation to our Services and advertising and information about what other people with similar interests, demographics and 

behaviours are looking at) and is used for attribution and analytics purposes to tell us when and how you have interacted with advertisements, including those that have been placed on a third party site or app, and so we can assess the effectiveness of our campaigns.

 

You can opt-out of this at any time by visiting your mobile settings (by going to Settings > Privacy & Security* > Apple Advertising.) *In earlier versions of iOS and iPadOS, this setting is called "Privacy".

 

For those iOS users using versions 14.5 and newer, SKAdnetwork has been implemented by Apple so tombola no longer see or own any personal data. Any requirement to opt-out must be undertaken by the user with Apple directly.

 

Promotional Content and Events


We may publish players aliases and/or chat names, along with any winnings, prizes received and location, on our websites in accordance with our legitimate interests. Similarly, where you attend an event that is organised or sponsored by tombola, we may, at our discretion, use footage recorded at such events as part of future promotional content.

 

Surveys and polls 

 

If you choose to participate in a survey or poll either direct from us (tombola) or via social media platforms, any personal data you provide may be used for marketing or market research purposes in accordance with our legitimate interests.

 

3.5.3. The purpose and legal basis for processing personal data

Purpose

Categories of Personal Data

Legal basis

Direct Marketing

Send tailored communications to you via Email, Telephone, SMS, Post or Push based on the contact preferences you have selected

Registration Information

Gaming and Transactional Information

Device Information

Cookie and Tracking Information

 

Consent

 

Social Targeting:

Deliver tailored content to you, and individuals with a similar profile to you, on social sites with which you may hold an account.

 

Registration Information

Device Information

Cookie and Tracking Information

Legitimate interests

Consent

(Where targeting is delivered using tracking technologies)

Online Advertising

Display banner adverts on trusted third-party websites across the Web.

Registration Information

Device Information

Cookie and Tracking Information

Legitimate interests

Consent

(Where targeting is delivered using tracking technologies)

 

Marketing Personalisation

Using information we hold on you to predict and offer you the type of content and offers that we believe you will enjoy.

 

Device Identifiers

Cookie and Tracking Information

Gaming and Transactional Information

Information derived from profiling and analysis

Legitimate interests

Consent

(Where targeting is delivered using tracking technologies)

 

Promotional Content

Publishing details of your alias and winnings, or footage at promotional events

 

 

Registration Information

Gaming and Transactional Information

Video Footage

Legitimate interests

Surveys and Polls

Using your responses to surveys and requests for feedback to improve the Services we deliver

 

Responses to Surveys and Market Research

Legitimate interests

 

 

3.5.4. Who we share your personal data with

  • Social Media Partners with whom you may hold an account, such as Facebook and Instagram.
  • Third Parties who help us send our marketing communications, such as AWSPinpoint and  Movable Ink.
  • Third-party advertisers – Where you have consented to third-party marketing or targeting cookies, data derived from the cookies placed on your device will be shared with a number of trusted third-party advertisers such as Meta, Instagram, News UK, Google, Apple and our affiliate networks. For more information on cookies, please see our Cookie Management centre or visit our Cookie Policy.
  • Other companies within the Flutter Group – Where you have indicated that you wish to receive offers from other companies in the Flutter Group, we will share with you tailored offers and recommendations relating to these brands.

3.6 Fraud Prevention

3.6.1. Who this section applies to

All customers of tombola.

 

3.6.2. Overview

In order to protect our customers and the wider public from the harms caused by fraud, we employ a range of processes and tools to identify and prevent improper use of our Services.

These systems help us ensure that customers are genuine, haven’t registered more than once, and are not fraudulently trying to access accounts that don’t belong to them.

 

As detailed in the Registering & verifying your account and Processing your payments & delivering the Services sections above, when you set up an account with us, make a deposit  or play our games, we carry out identity verification and fraud prevention checks. These checks help us confirm that you are old enough to use our Services and that the details you have provided are genuine.

 

We may share your personal data with organisations that verify details and transactions and identify potential indicators of illegal activity, which they make available to other organisations using their Services. Where necessary, we share your data with credit reference agencies or fraud prevention agencies, which keep a record of that information and make it available to other organisations for use in credit decisions, identification checks and fraud detection and prevention.

 

While using our Services, we monitor your activity to validate the authenticity of transactions and to ensure no fraudulent behaviours are occurring on our platform. For example, if a login is detected from a device or location other than that normally used on your account, we may conduct a further review or request further information.

 

Where a suspected or actual incidence of fraud or account takeover (‘ATO’) has been identified or reported to us, we may apply restrictions to your account(s) to prevent further fraudulent activity while we perform further investigations, including, where necessary, escalation to our fraud reporting teams, or we may suspend your account(s) and activity entirely. In such cases, we may request further information from you to validate the activity on your account. We may also use information such as your KYC documentation, device information, information sourced from third parties and publicly available sources to support these investigations.

 

If you wish to query or challenge a suspension or restriction on your account, please contact our Customer Experience team.

 

Where appropriate, we will pass information to the police and other law enforcement agencies, debt recovery companies and other similar bodies. This may be at the request of one of these bodies, or proactively.

 

Our fraud team perform regular reporting and analysis to identify trends in fraud activity on our Services, in order to provide the highest degree of protection to our customers. This helps ensure that our fraud prevention processes are performing as efficiently as possible.

 

3.6.3. The purpose and legal basis for processing your personal data

Purpose

Categories of Personal Data

Legal basis

Verification Checks

Performing checks with third party agencies to validate the authenticity of your information and transactions

 

Registration information

Account information

Onsite activity

 Cookie and Tracking Information

 

Legal obligations

Performance of a contract

 

Fraud Detection and Prevention

Information required for analysis, reporting and prevention of fraud and financial crime. Personal data is utilised to validate the authenticity of customer transactions to ensure no fraudulent behaviours.

Registration information

Account information

Onsite activity

Cookie and Tracking Information  

 

Legal obligations

Performance of a contract

 

Fraud Investigations and Escalations

 

Used for customer queries in relation to account takeover and fraud escalations.

Registration information

Account information

Onsite activity

Cookie and Tracking Information  

 

Legal obligation

Performance of a contract

 

Cooperation with Regulators, Government Authorities and Law enforcement Agencies

 

Provide information to authorities.

 

The business is required to notify regulatory bodies whenever an underage customer is identified.

Registration information

Account information

Onsite activity

Cookie and Tracking Information  

 

Legal obligations

Reporting and Analysis

Monitoring the performance and efficacy of our fraud processes and controls and trends in fraud threats.

Registration information

Account information

Device information

Payment information

Gaming and Transactional Information

 

Legal obligation

Performance of a contract

 

Promotion or Bonus Restrictions

Review your use of promotional offers and bonuses to ensure they are in accordance with our Terms and Conditions.

Registration Information

Gaming and Transactional Information

Device Information

 

Performance of a contract

 

3.6.4. Who we share your personal data with

  • Third Party Verification companies including Transunion, Lexis Nexis, GB Group, and Hooyu;
  • Regulatory Authorities and Law Enforcement Agencies;
  • Third party software providers who enable us to deliver the Services to you, including our customer management software providers;
  • Other companies within the Flutter Group, primarily Paddy Power and Sky Betting & Gaming who provide fraud prevention and management support as part of Flutter Group’s UK&I division.

3.7 Safe Play

3.7.1. Who this section applied to

All customers of tombola.

 

3.7.2. Overview

At tombola, our customers are at the heart of everything we do. We specifically design our products and Services with this in mind to facilitate a great customer experience, whilst also ensuring customers are protected.

 

While using our Services, you may be asked for additional information about yourself or the source of your account funding from our Safe Play team. This process assists us to ensure that we can get to know you and provide you with a safe customer experience, as well as helping us fulfil our licencing requirements.

 

Customer Monitoring and Interaction

 

As part of our Safe Play framework, we proactively monitor your activity on our sites in real time and retrospectively so as to identify potentially harmful play, and where necessary, take actions to ensure your safety onsite.

 

We use a combination of machine learning, automated detection systems and manual review to supervise customer activity for the purpose of identifying Safe Play risks, and we also have a dedicated team in Customer Experience to deal with any Safe Play concerns that may be flagged to us by you or other individuals connected to you, such as family or friends. Where potentially dangerous activities are flagged, we may take action. This can range from emailing or calling you to ensure you are comfortable with your level of spend to proactively closing your account for a period of time and opting you out of direct marketing. Where we are unable to interact with you, we may need to take enforced action until such a point where we can communicate with you.

 

As part of these processes, we will use a range of data points taken from your behaviour and attributes to identify potentially problematic activity. We use elements of profiling and automated analysis techniques to identify such activity and to apply account limitations as and where appropriate. This is in accordance with our licensing requirements to conduct pro-active engagements to prevent gambling harm.

 

You can get in touch with our Customer Experience team at any stage if you have concerns about your gambling, concerns about another customer’s gambling or if you wish to challenge any restrictions that have been placed on your account, including those that may have been applied as a result of our automated Safe Play processes. All Safe Play related matters are dealt with by a dedicated Safe Play team with our Customer Experience units. Please see the Contacting Customer Experience section above for information on how we use your data in this regard.

 

Vulnerability

 

If any specific vulnerabilities are identified throughout our standard interaction process, we may take extra steps to enhance protection for our customers by applying restrictions to your tombola account.  

 

Any vulnerability assessment will be subject to customer’s consent where we will ask the appropriate questions necessary to understand any vulnerabilities and impacts. Specific tools may then be recommended to help customers manage their accounts.

 

Customers will be clearly and specifically informed of the process and will have the choice to provide freely given consent. Customers may also withdraw any given consent at any time. If consent is obtained, the personal data will only be retained for as long as is necessary to meet our legal, regulatory or legitimate business requirements, or until such time as you withdraw your consent.

Customers are also free to withhold consent, at which point the assessment will not go ahead. However, in the event that specific vulnerabilities may fall under a wider scope within Safe Play concerns, the business may restrict your account.

 

 

Requesting Supporting Information

 

We may ask for supporting evidence where a request is made to challenge ‘Spend Limits’ (limits applied by us to cap the maximum spend on some accounts for certain customers), ‘Operator Net Deposit Limit (limits placed by us to cap the maximum amount that can be spent on a customers account) and as part of our standard ‘Enhanced Due Diligence’ (‘EDD’) processes.

 

Documents that may be requested include, but are not limited to; proof of identity, proof of earnings, bank statements and evidence of business ownership. If you are unable to provide any of these documents then we may suspend or restrict your account until you provide the requested information.

 

We may also ask for supporting documentation in relation to vulnerability assessments including but not limited to evidence of lasting and enduring power of attorney forms.

 

 

Exclusions

 

tombola offers you the facility to ‘Self-Exclude’ from us as part of our Safe Play control tools. This feature allows you to block yourself from all of our Services for varying periods of time depending on your needs.

 

In certain circumstances, our staff may also make the decision to pro-actively suspend or remove you from our Services, in order to ensure your safety.

 

Where you apply a Self-Exclusion with tombola or where we decide to exclude you from our Services for Safe Play reasons, we will also share your exclusion information with the other Flutter Group brands that operate in the UK - Paddy Power, Betfair, PokerStars and Sky Betting & Gaming.This action is performed by automatically checking whether accounts with your registered details are held on these other brands, and, where accounts are identified, they will be proactively closed. Such processing will always be performed with the highest regard to the privacy and security of your data, and you have the right to challenge if you wish to dispute the match. For further information, please visit our Safe Play Hub or our FAQs on the Self-Exclusion matching process between the Flutter brands.

 

NB: Please note that in circumstances where you apply a permanent Self-Exclusion, your information will be retained indefinitely, in order to prevent you from accessing the Services.

 

Gambling Self Exclusion Schemes

 

Upon registration, login and at regular intervals we perform checks against relevant gambling commission and self exclusion databases depending on which country you are registered with tombola from.  Where a customer self-excludes via one of these methods, our checks will pick this up and we use this to ensure their wish to self-exclude is applied across our sites and apps.  To find out more please refer to the relevant sites via the links below.   We may in future subscribe to similar national self-exclusion schemes in any of the countries in which we operate, and we will update this notice to let you know.

 

Country

Self Exclude Scheme / Gambling Commission

United Kingdom

GAMSTOP

Spain

RGIAJ  (Self Ban)

Denmark

ROFUS

Sweden

Spelstop

Netherlands

CRUKS

Italy

Amministrazione Autonoma dei Monopoli di Stato

 

3.7.3. The purpose and legal basis for processing your personal data

Purpose

Categories of Personal Data

Legal basis

 Monitoring and Interactions

Manual and automated monitoring of customer activity to prevent potentially problematic play.

Proactive communications with you to ensure you are comfortable with current activity levels, and to make any required adjustments to your account.

Managing inbound contacts to our Customer Experience team in relation to Safe Play.

Monitoring the efficacy of SafePlay tools in preventing gambling related harms.

Registration Information

Verification and KYC Documentation

Gaming and Transactional Information

Information derived from profiling and analysis

Customer Experience Interactions

Special Category Data

Safe Play Information

Legal and Regulatory Obligations

Performance of a contract

 

For Special Category Data, consent and, in limited circumstances, vital interests or public interests.

 

 

Challenging Spend Limits

We may ask for supporting evidence where a request is made to challenge Spend Limits (limits applied by us to cap the maximum spend on some accounts for certain customers), Operator Net Deposit Limit (limits placed by us to cap the maximum amount that can be spent on all customer accounts) and as part of our standard Customer Due Diligence processes.

Registration Information

Verification and KYC Documentation

Gaming and Transactional Information

Customer Experience Interactions

 

Legal and Regulatory Obligations

Performance of a contract

 

Vulnerability:

If any specific vulnerabilities are identified throughout our standard interaction process, we may take extra steps to enhance protection for our customers. We will also seek consent before we take such steps, and if obtained, we will ask the appropriate questions necessary to understand any vulnerabilities and impacts. Specific tools may then be recommended to help customers manage their accounts.

Registration Information

Verification and KYC Documentation

Gaming and Transactional Information

Customer Experience Interactions

Special Category Data

Legal and Regulatory Obligations

Consent

Exclusions:

Processing your data to ensure that you cannot access our Services where you elect to exclude from your account, or where a suspension or removal is proactively applied.

 

NB: In circumstances, where you apply for a permanent exclusion, your information will be retained indefinitely.

Registration Information

Verification and KYC Documentation

Gaming and Transactional Information

Customer Experience Interactions

Special Category Data

Legal and Regulatory Obligations

Performance of a contract

 

For Special Category Data, consent and, in limited circumstances, vital interests or public interests.

 

GamStop:

Where a customer self-excludes through a self exclusion scheme (such as ‘GAMSTOP’ national self-exclusion scheme in the UK), or via their local Gambling Commission, we will receive a notification of this, which we will use only to ensure their wish to self-exclude is applied across our sites and apps. We may in future subscribe to similar national self-exclusion schemes in any of the countries in which we operate, and we will update this Notice to let you know.

Registration Information

Verification and KYC Documentation

Gaming and Transactional Information

Customer Experience Interactions

 

Legal and Regulatory Obligations

Performance of a contract

 

Reporting and Analysis

Aggregated statistics and analysis on Safeplay features usage.  Highlighting potentially vulnerable customers.

Registration Information

Account Information

Payment Information

Gaming and Transactional Information

 

Legal and regulatory obligations Legitimate Interest

 

3.7.4. Who we share your personal data with

  • Credit reference agencies, such as Experian. and TransUnion, who we share data with as part of our Safe Play controls;
  • Third party software providers who enable us to deliver the Services to you, including customer management software providers (e.g. Connect);
  • Other members of the Flutter Group, including Paddy Power, Poker Stars, Betfair, and Sky Betting & Gaming who provide tombola with Safe Play support, as part of the Flutter Group’s UK&I division, and with Flutter Group members who operate in the UK where you apply a Self-Exclusion or we apply a Safe Play related exclusion to a tombola account registered in the UK, British Crown Dependencies or Gibraltar;
  • Law enforcement and regulatory bodies, as required per our legal or regulatory obligations;
  • In rare circumstances where there is a threat to life, we may act in order to protect an individual’s vital interests and share personal data, including special category data, with the police.

3.8 Risk Management and Customer Analysis

3.8.1 Who this section applied to

All customers of tombola.

 

3.8.2. Overview

In order to provide the Services to you and for our legitimate purposes, we process your personal data to evaluate our commercial performance and manage risks to our business.

 

We carry out basic analytics to help us understand, how, when, where and why our customers use our Services, and how our business is performing for example the effectiveness of our advertising  It also gives us a much clearer picture of our customers generally, the broad demographic groups they fit into (e.g. age group, gender, location, etc.) and the products and Services they use, which in turn helps us to develop better and more relevant features, products and Services.  Where possible we perform analysis in a way that does not identify individual customers, so there is minimal impact on the privacy of any one person.

 

Most people use our products and Services fairly, but we carry out monitoring and basic analytics of how our customers place stakes, play and interact with our products and Services, to identify behaviour that is not in line with our Terms & Conditions or that could be prejudicial to our commercial interests.

 

At our discretion, we have the right to use this information in making decisions about whether to place restrictions on people’s accounts or to close their accounts. We take this very seriously, and consider a wide variety of factors in making such a decision, taking into account the information we hold about you as well as any information obtained from industry databases. The processes may involve an element of profiling, upon which decisions to restrict or close an account may be made. These decisions are made in accordance with our terms and conditions. If you wish to query or challenge any restriction, decisions are always made with human intervention; the process is never wholly automated.

 

3.8.3. The purpose and legal basis for processing your personal data

Purpose

Categories of Personal Data

Legal basis

Customer Analysis

Monitoring and analysing customer behaviour to improve the performance of our business

 

Registration Information

Account Information

Payment Information

Gaming and Transactional Information

Information derived from profiling and analysis

Legitimate interests

Risk Management & Account Restrictions

Manual and automated oversight of your activity to evaluate and manage commercial risk to our business. This may include, where appropriate, placing restrictions on your account or, closing your account.

Registration Information

Gaming and Transactional Information

 

 

Performance of a contract

 

3.8.4 Who we share your personal data with

  • Limited data is shared with other companies within the Flutter Group for risk management support purposes. However, this data is pseudonymised by tombola, meaning the other members of the Flutter Group cannot identify you from the data.

3.9 Anti-Money Laundering and Counter-Terrorist Financing

3.9.1. Who this section applies to

All customers of tombola.

 

3.9.2. Overview

As a betting and gaming company we have certain legal obligations we need to abide by. One of those rules is that we must do everything we can to prevent money laundering. At tombola, we will use your personal data to ensure the proceeds of crime are not being used on our Platform, and to identify and tackle such behaviours.

 

As outlined in the Registering & verifying your account section above, where you initially register an account with us, we are required to gather certain information about you in order to verify your identity, as part of our EDD requirements.  For this purpose you may be required to submit documentation establishing your identity and address, and where required, any other information as may be deemed necessary to confirm your identity.

 

tombola adopts a risk-based approach to compliance with its Anti-Money Laundering obligations, and, depending on your personal characteristics and activity levels, we may be required to gather further information on you, in order to meet requirements under applicable legislation. This is known as ‘Enhanced Due Diligence’ (‘EDD’), and as part of this process, we may collect and store financial information in relation to you, as well as information gathered from publicly available sources such as the land registry, the register of companies and social media.

 

In certain circumstances, we may require you to provide additional documents proving your source of wealth including but not limited to proof of earnings, bank statements, payslips and evidence of business ownership. Such processing will always be conducted with due regard to your privacy.

 

As part of our obligations, we also regularly screen our customer base against databases of publicly available information. This ensures that we are not offering our Services to individuals who have been the subject of sanctions since registration.

 

Where suspicious activities, behaviours or characteristics are identified, further investigation will be conducted by our Anti-Money Laundering team, and where necessary, actions may be taken in relation to your account. This may result in your account being suspended until such time as further information is provided by you, or your account being permanently closed. We may also be required to inform local law enforcement authorities or government agencies, as mandated by law.

 

In order to improve the effectiveness of our Anti-Money Laundering controls and processes, we regularly perform reporting and analysis on customer data. This may involve an element of profiling of customer personal data.

 

We may also share information with the Flutter Group in order to help prevent fraud, money laundering and other criminal activity across our wider group. Where appropriate, such information may be passed to the police and other law enforcement agencies, and other similar bodies directly by the Flutter Group.

 

3.9.3. The purpose and legal basis for processing your personal data

Purpose

Categories of Personal Data

Legal basis

Customer Due Diligence

Verifying your identity upon registration using documentation you submit

Registration Information

Verification Documents

Legal obligation

Enhanced Due Diligence

Gathering further information on you and your financial background where higher levels of risk are identified.

Registration Information

Verification Documents

Financial Information

Gaming and Transactional Information

Publicly Available Information

Legal obligation

Source of Wealth

Collecting information from you evidencing the source of funds used on our site

Financial Information

Registration Information

 

Legal obligation

Screening

Comparing our customer database against publicly available lists of individuals with sanctions or adverse media reports, and to identify politically exposed persons

Registration Information

Publicly Available Information

Legal obligation

AML Investigations and Taking Action

Investigating potential instances of money laundering, and where necessary, taking appropriate actions

Registration Information

Verification Documents

Financial Information

Gaming and Transactional Information

Information derived from profiling and analysis

Publicly Available Information

Legal obligation

Group Sharing

Sharing information with other brands in order to help prevent fraud, money laundering and other criminal activity across our wider group

Registration Information

Verification Documents

Financial Information

Staking and Transactional Information

Publicly Available Information

Legal obligation

 

3.9.4. Who we share your personal data with

  • Providers of databases for screening purposes and verification and Due Diligence such as LexisNexis and GB Group;
  • Courts, law enforcement agencies, regulatory agencies, and other public and government authorities.
  • Other companies within the Flutter Group who provide Anti-Money Laundering support as part of the Flutter Group’s UK&I division operations.

 

3.10 Service Personalisation

3.10.1 Who the section applied to

All visitors to tombola websites, apps or other assets covered by this Notice.

 

3.10.2. Overview

We use personal data to deliver and suggest tailored content to personalise your experience with our Services. This is processing which is necessary for the purpose of our legitimate interests in delivering or presenting relevant content to our customers.

 

Whichever Services you use, wherever and however you interact with us, we want to give you the same great level of service and make it personal to you.  We will tailor your experience, personalising the layout and content of our sites according to what we know about you, your preferences and the way you like to play.  For example, we will present you with features we know you have used or think you are likely to use or show you the type of game content that best suits your style of play.

 

We also look at aggregated (non-identifiable) data showing how our customers use our products and features and which games they tend to enjoy.  We use this information to suggest games we think you’ll enjoy because they are popular with others who play the same games as you.

 

We believe this personalised experience makes betting and gaming better and we want to give you the best customer experience we can.  Using your personal data in this way enables us to do that in a way that we believe does not have an impact on your privacy.  If you don’t want your data used in this way your option is to not use our Services and to close your account.

Please note that some aspects of your customer experience are provided via cookies.  If you have provided consent for these cookies, we will personalise certain aspects of our site, such as remembering your username. You can change these preferences at any time via our Cookie Management centre located at the bottom of our websites. For more information visit our Cookie Policy.

 

3.10.3. The purpose and legal basis for processing your personal data

Purpose

Categories of Personal Data

Legal basis

Onsite Personalisation

Tailoring your onsite experience to match your preferences

 

Registration Information

Gaming and Transactional Information

Cookie and Tracking Information

Device Information

 

Legitimate Interests

Consent, where required to use non-essential cookie or related information

 

3.10.4. Who we share your personal data with

  • Other companies within the Flutter Group, primarily Paddy Power, Betfair and Sky Betting & Gaming who provide technical support as part of the Flutter Group’s UK&I division.

3.11 Other purposes

3.11.1. Who the section applied to

All individuals who engage with tombola or use its Services.

 

3.11.2. Overview

In addition to the purposes described above, there are other circumstances in which we are required to process your personal data, as described below:

 

Information/Disclosure Requests and Regulatory Submissions

 

Apart from the functions set out in this Notice, we do not share your personal data with third parties except where we are compelled or permitted by law to do so. These circumstances are rare but may require us to share information in response to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence.

 

Whenever we share personal data, and whatever the circumstances, we will always do so legally and with due regard to your privacy. If we receive a request from law enforcement or other statutory bodies, we do not disclose personal data without a warrant, court order or other legally valid proof of authority.

 

Protecting and defending our rights and interests


Where necessary to protect or defend our rights and interests, defend against legal claims, resolve disputes, respond to what we consider to be incorrect or misleading information provided to a media outlet, or enforce our agreements, we reserve the right to share personal data with regulators, external legal advisors, debt recovery and tracing agencies, and media outlets.

 

Information Security and Loss Prevention

 

We may be required to use and retain personal data in order to protect our rights, information, privacy, safety, or property, or those of other persons in accordance with our legitimate interests, or in some instances, with our legal obligations. For example, we are legally obliged under data protection law to secure and protect the personal data of customers, employees and all other individuals whose personal data we use.  

 

Restructuring

 

If ownership of all or part of our business changes or we undergo a reorganisation or restructure, we will transfer your personal data to the new owner or successor company so we or they can continue to provide the Services you have requested.

 

Financial Reporting and Analysis

 

In accordance with our obligations under company law and other similar regulations we are required to keep a record of your transactions in order to maintain proper financial records to meet and to ensure all transactions are being performed in accordance with the Terms and Conditions of our Services.

 

We utilise data including transaction records, staking and behavioural trends, and financial specifics exclusively for the purpose of accurate financial reporting. These data points enable us to evaluate tombola's financial health, identify trends, and make informed strategic decisions to enhance our operations.

 

In some instances, we may share anonymized and aggregated data with our parent company (Flutter) and trusted consultants, all operating under stringent confidentiality constraints. This collaborative effort contributes to strategic planning and informed decision-making across the organization. Any shared data will be either stripped of personal identifiers and therefore cannot be linked back to individual users or be pseudonymised.

 

Chat Rooms, Messaging and Community Forums

 

A number of our Services provide features including game chat rooms, messaging Services, and community forums for collaboration, peer connection, games, and information exchange purposes. Depending upon the Service, the personal data you choose to post, share, upload, or make available may be public and visible to others who use those Services. You should never post or share any information that is confidential or about others unless you have permission to do so. We may use information you provide in community and event profiles and forums to personalise your experience and to make content and peer connection recommendations. These Services may have their own Terms of Use.

 

3.11.3. The purpose and legal basis for processing your personal data

Purpose

Categories of Personal Data

Legal basis

Information/Disclosure Requests and Regulatory Submissions

Responding to valid requests from courts, law enforcement agencies, regulatory agencies, auditors, and other public and government authorities, or submitting information to regulatory agencies.

Any personal data held, as required to meet the purpose

 

Legal and regulatory obligations

Protecting and defending our rights and interest

Responding to incorrect or misleading claims in media outlets or other public fora

Any personal data held, as required to meet the purpose

 

Legitimate interests

Legal and regulatory obligations

Information Security and Loss Prevention

Protecting our rights, privacy, safety, or property, or those of other persons in accordance with our legitimate interests.

Registration Information

Gaming and Transactional Information

Device Information

Correspondence with Customer Experience

 

Legitimate interests

Legal and regulatory obligations

Restructuring

Transferring your personal data to the new owner or successor company so we or they can continue to provide the Services you have requested.

All personal data held

Legitimate interests

Financial Reporting and Analysis

Maintaining financial records in accordance with company law

Registration Information

Gaming and Transactional Information

Information derived from profiling and Analysis

 

Legal and regulatory obligations

Chat rooms, messaging, and community forums

Provide chat, messaging and forum functionality as a component of certain elements of our Services

Registration Information

Device Information

(Your posts and comments on these Services)

Legitimate interests

Reporting and Analysis

Aggregated statistics and analysis of chat data

Gaming and Transactional Information

Forum Posts and In-Game Comments

Legitimate interests

 

3.11.4. Who we share your personal data with

  • Courts, law enforcement agencies, regulatory agencies, and other public and government authorities.
  • News and media outlets.
  • Other companies within the Flutter Group who provide support services as part of the Flutter Group’s UK&I division.
  • If ownership of all or part of our business changes or we undergo a reorganisation or restructure, we may transfer your personal data to the new owner or successor company so we or they can continue to provide the Services you have requested.

 

4. GENERAL PROCESSING INFORMATION

This section provides you with some other important information you need to be aware of in relation to how we use your personal data, including information on how we share your personal data with the Flutter Group, international transfers of your personal data, how we keep your personal data secure and how long we need to keep your personal data for. Click any of the topics below for more details.

 

4.1 Group sharing

As explained in the About the Flutter Group section above, tombola is part of the wider Flutter Group and sits within the UK&I division.

 

We have explicitly called out a number of specific situations in this Privacy Notice where the Flutter Group companies may use your information, including where Sky Betting & Gaming, Poker Stars, Paddy Power and/or Betfair are providing support to tombola as part of the UK&I division’s operations and to other Flutter Group members for marketing purposes, customer services purposes, the prevention of crime, helping to reduce gambling related harm, the provision of staking and gaming services, and to meet legal and regulatory obligations.

 

Additionally, we may share personal data with the Flutter Group as part of our group internal reporting and assurance in order to facilitate business efficiency and improvements including, but not limited to research across our group, testing of systems and/or suppliers, risk management, the provision of technology, finance or security support, and the development of new products and tools.

 

We may also in the future share personal data with other members of the Flutter Group for purposes that are related to and compatible with those set out in this Notice. Finally, where we are required by law or regulation to share personal data to members of the Flutter Group for reasons beyond those set out in this Notice, we will be required to do this.

4.2 International transfers

Some of the third-party providers we use, as well as companies within the Flutter Group, are based in, or carry out their activities in, countries outside the European Economic Area (‘EEA’) and/or outside the UK.

 

Countries outside the EEA and UK do not always have strong data protection laws. This means that, unless your personal data is being transferred to a country where the European Commission or UK has determined there to be an adequate level of protection, we have to put in place additional protections to ensure that your personal data is protected to the same level as it is within Europe or the UK.

 

We put these additional protections in place by using standardised contractual clauses that have been approved by the European Commission (for transfers outside the EEA) and the Information Commissioner’s Office (for transfers outside the UK). Where necessary, we also put in place any additional contractual measures required by local law in any of the countries in which we operate. As and when required, we will also put additional technical or organisational measures in place to ensure that your data is kept safe.

4.3 Keeping your personal data secure

We recognise that online security and data protection is an area of vital importance for all our customers, so it is important to us that you have confidence in the security of your personal details before you register an account. We are committed to employing security measures to protect your information from access by unauthorised persons and to prevent accidental or unlawful processing, disclosure, destruction, loss, alteration and damage. Our technological security solutions are very advanced and are governed by a mature framework. Our approach is focused on preventing risks. In order to help us in this regard, we employ pseudonymisation and encryption whenever possible to reduce the impact of any potential incidents. As the security of some communications via the internet is not completely secure, we cannot guarantee the security of any information that you disclose using your internet connection. You accept the inherent security implications of using the internet and the Group will accept no liability for any direct, consequential, incidental, indirect, or punitive losses or damages arising out of such an occurrence.

4.4 How long we keep your personal data for

A key principle of data protection is ‘storage limitation’, which means that organisations should only hold onto your personal data for as long as is needed.

 

At tombola, we have taken steps to ensure that we hold your personal data only as long as we have a valid legal basis or reason to do so, which includes providing you with the Services you have requested, meeting our legal and regulatory obligations, resolving disputes and enforcing our agreements. 

The length of time for which we keep different types of personal data can vary, depending on why we originally obtained them, the reason we process them and the legal requirements that apply to them.  When setting our data retention and deletion timescales we take into account a range of factors including applicable regulations and standards relating to gambling and gaming, anti-money laundering, taxation, payment processing and complaint handling, the need to prevent or detect crime or other misuses of our Services, and audit requirements.

 

To fulfil our requirements, some of your personal data will need to be retained for a period of time after you cease to be a customer.  When we no longer need it to fulfil the purposes and legal bases set out in this Notice, we delete it securely.   Subject to us not having a legal or regulatory requirement or a risk management reason for retaining your information for a longer period, your information will not be kept for longer than 7 years from your last login or expiry of a self-exclusion. This allows us to meet our record-keeping obligations in applicable legislation, as well as allowing us to defend ourselves against potential legal claims.

 

Please note that if you opt to apply an exclusion to your account, your data will be retained for the period of that exclusion, plus a further seven years from the date of the expiry of that exclusion.

 

In certain circumstances we may be required to retain your information indefinitely. For example, where you elect to permanently exclude yourself from accessing our Services under our procedures on Safe Play, we are obliged to retain your data indefinitely to prevent you from creating new accounts.

 

We will take all necessary steps to ensure that the privacy of information is maintained for the period of retention. Where we wish to retain any information for analysis purposes, we first anonymise it to the standards approved by the UK Information Commissioner’s Office, so that it can no longer be linked back to an individual.

 

5. YOUR DATA SUBJECT RIGHTS

Under data protection law, you have a number of rights which are detailed below. We want to be clear about what those rights mean in practice and how you can exercise them. Please note that some of these rights only apply in specific circumstances and are qualified in several respects by exemptions in Data Protection legislation. We will advise you in our response to your request if we are relying on any such exemptions.

 

For any queries related to your personal data or any of your rights referenced below, please feel free to contact us at: [email protected] or telephone free on 0800 298 8873.

 

5.1 Access

You have a right to request a copy of the personal data that we hold about you. Should you wish to make such a request, you should submit a request to [email protected].uk.

 

You will be asked to provide adequate information to identify yourself such as a copy of your photographic identification (ID Card, Driving License or Passport) and any other relevant information such as your account username and email address that will assist us in fulfilling your request.

 

We may also ask you to complete and return a form, which is not compulsory but helps us to help you by providing the information you are looking for.

 

Where you request a copy of your personal data, you will be provided with:

 

  • Your personal details that you provided to us upon registration;
  • A copy of all deposits and transactions;
  • A copy of your interactions with Customer Experience (including live chats, emails, calls, complaints and notes);
  • Information on the Safe Play self-help tools that you have used (if any);
  • Marketing and opt-out information.

 

If there is additional information that you believe we hold on you, please let us know and we will gladly investigate further.

 

We will fulfil requests wherever possible, but there are occasional situations in which the law requires or permits us to withhold some information (such as where it would involve disclosing information about another person or information which is commercially sensitive), If either of these applies, we will explain this to you.

 

We will provide our response within one month however if your request is unusually complex and likely to take longer than a month, we will inform you of this and how long the request will take to complete.

5.2 Rectification

You can request us to rectify and correct any personal data that we are processing about you that you believe is incorrect. To make things easier, we provide you with account settings and tools to access the information associated with your account.

 

You can update your personal details at any time by visiting your ‘My Account’ section online.

 

If it is something you cannot correct yourself online, such as your name or date of birth (which, for identity verification, account security and fraud prevention reasons, cannot be changed using self-service methods), you should contact our Customer Experience team. Alternatively, please email [email protected].

 

We’ll update inaccuracies promptly, and within a month if you are requesting a more complex change. If we take the decision not to make a change you have requested, we will explain why and make a note on your account to show that you requested the change.  If you disagree with our decision, you have the right to complain to the regulator.

5.3 Erasure, or 'Right to be Forgotten'

You have the right to request us to erase your personal data where we have no compelling reasons to continue storing or processing your data, and specifically, where one of the following grounds applies:

 

  • Where the courts or our regulators have found us to be processing it unlawfully;
  • Where our original purpose for collecting the data has been completed and we have no other valid legal grounds for continuing to hold it;
  • Where you have withdrawn your consent for processing and asked us to delete the information we previously used for those purposes; or
  • Where you have successfully exercised your ‘right to object’ and there are no overriding legitimate grounds to continue processing.

 

Please note this right only applies in certain circumstances, it is not a guaranteed or absolute right. Personal data on our customers is retained for as long as is reasonably required for our legitimate legal purposes.  These include, but are not limited to;

 

  • Anti-Money Laundering/Counter-Terrorist Financing
  • Defence of legal claims
  • Safe Play
  • Taxation

 

As is outlined in the How long we keep your personal data for section we have legal obligations and other lawful reasons to retain your data after your account is inactive. Generally, your data will be retained for a period of 7 years, so, if you request your data to be erased during this time, we may not be able to uphold your request.

 

If you still wish to exercise your right, you should contact us on [email protected].  Alternatively, please contact our Customer Experience team.

 

We will respond to your request within a month, and if we uphold your request and erase your data we will also notify any third parties to which the data has been passed, where we are able to do so, and tell you who they are.  If we do not uphold your request, we will tell you why.  If you disagree, you have the right to complain to the regulator.

5.4 Restriction

You have the right in certain circumstances to request that we suspend our processing of your personal data, where one of the following grounds applies:

 

  • The accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
  • The processing is unlawful, and you oppose the erasure of the personal data and requests the restriction of their use instead;
  • We no longer need your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
  • You have objected to processing that we perform on the basis of our legitimate interests, and we are verifying whether our legitimate grounds override yours as a data subject.

 

Where we suspend our processing of your personal data, we will still be permitted to store your personal data, but any other processing of this information will require your consent, subject to certain exemptions.

 

Where you have obtained the restriction of processing you will be informed by us before the restriction of processing is lifted.

 

In order to make a request for the restriction of your processing, please contact us on [email protected].Alternatively, please contact our Customer Experience team.

 

You will receive a response within one month.

5.5 Portability

The right of portability allows you to re-use some of your personal data online by making it available in a commonly used, machine-readable format that can be passed to and used by other organisations. This right applies to data that you have provided to us with your consent, or which was necessary for us to provide you with our products and Services.

 

You may also have the right to have your personal data transferred by us directly to the other organisation if this is technically feasible.

 

This is a new initiative, and it is not yet possible to ‘port’ data directly between providers in the betting and gaming industry.  If you wish to exercise this right, you should submit your request to [email protected] . Alternatively, please contact our Customer Experience team here and we will provide you with the following information as a CSV file: 

 

  • the personal and contact details held in your online account
  • your gaming history
  • a list of payments made, and funds withdrawn

 

Before responding to your request, we will ask you to provide valid proof of identity, and we will provide our response within one month of receiving it.

 

In future, it may become possible to transfer (or ‘port’) data directly between organisations.  In the meanwhile, if you would like to take your tombola data to another provider you should first check that your chosen provider is able to upload data from a CSV file before making your request as above and passing the file to the provider yourself.

5.6 Object

You have the right to object to our use of your personal data which is processed on the basis of our legitimate interests. However, we may continue to process your personal data, despite your objection, where there are compelling legitimate grounds to do so or where we need to process your personal data in connection with any legal claims.

 

To exercise your right to object please contact us on [email protected]. Alternatively, please contact our Customer Experience team here and we will respond to you within one month. If we refuse to uphold your request and disagree with our decision on this, you have the right to complain to the regulator.

5.7 Rights relating to automated-decision-making and profiling

You have the right not to be subject to a decision which is based solely on automated processing (without human involvement) where that decision produces a legal effect or has a similarly significant affect on you. This right does not apply where you have provided your explicit consent for us to use your data in this way, where the decisions are needed to enter or perform a contract with us (for example, the terms and conditions of our Services), or where the decision is needed to meet our legal or regulatory obligations.

 

Where the decisions are made based on your explicit consent, or they are needed to enter or perform a contract with us, you have the right to request human involvement in the decision, to express your point of view or to contest the decision made.

 

If you have any concerns in relation to automated processing that we may perform you can contact us at any time.

5.8 Rights to complain to the regulator

If you believe your data protection or privacy rights have been infringed, or you disagree with a decision we have made about your data protection or privacy rights, you have the right to complain to the data protection regulator for the jurisdiction in which you are based

 

United Kingdom: Information Commissioners Office – http://ico.org.uk

Spain: Agencia Espanola Proteccion Datos – https://www.aepd.es

Italy: Garante per la Protesione dei Dati Personali – https://garanteprivacy.it

Denmark: Datailsynet – https://www.datatilsynet.dk

Netherlands: Autoriteit Persoonsgegevens – https://www.autoriteitpersoonsgegevens.nl/

Sweden: Integritetsskydds myndigheten – https://www.imy.se 

 

 

feedback