Privacy Notice
Last Update: 26th September 2024
1. OVERVIEW
At tombola, we like to make things easier for our customers and that includes being clear and open about how and why we use your personal data. We know there's nothing more off-putting than the sight of a lot of boring small print, so this privacy notice ("Notice") is designed for you to easily access the information you need, when you need it. It's also written in plain English, to make it clear, simple, and easy to read.
This Notice applies to our websites, application, products or services that link to this Notice or that do not have a separate privacy notice (collectively our "Services").
In the first section of the Notice, we provide an Introduction to tombola (including our contact details), we provide information on Privacy and Data Protection at tombola, we explain How to navigate and read this document and we also explain how to stay abreast of Changes to the Notice.
We hope that you find this Notice helpful but if you have any concerns or questions please feel free to share feedback via the contact methods listed in the Contact details, including DPO section below.
1.1 Introduction to tombola
References in this document to "us", "our", "we", “tombola”, “Tombola” or “TOMBOLA” are references to the following data controllers:
- tombola International Plc (“TIP”), is a company registered at, Floor 4, 55 Line Wall Road, Gibraltar, GX11 1AA and COMPANY registration number 105556 with offices based in Gibraltar and the UK. tombola International Plc (TIP) is licensed and regulated by the Gambling Commission of the United Kingdom (licence numbers 038613-R-319397-012 and 038613-R-319397-012) in respect of customers located in the UK, Denmark and Sweden.
- tombola International Malta (“TIM”), is a company registered at Spinola Park - Level 2, Triq Mikiel Ang Borg, St Julian's, SPK 1000 Malta and COMPANY registration number C92843 with offices based in Malta, Italy, Spain and the Netherlands. tombola International Malta (TIM) is licensed and regulated by the Gambling Commission of Malta (general licence number 209-11/GO/N0440880A/SGR and single licence numbers 210-11/BNG/N0440880A/SGR and MAZ/2018/043) In respect of customers located in Italy, Spain and The Netherlands.
A data controller is the main decision-maker and exercises overall control over the purposes and means of the processing of personal data and must demonstrate compliance with all data protection principles as well as other GDPR requirements
1.1.2. About the Flutter Group
tombola is a member of the Flutter Group of Companies. Any reference to the "Group" within this Notice includes Flutter Entertainment plc and all or any of it's direct or indirect subsidiary undertakings, joint venture partners, and their related companies wherever located in the world as may exist from time to time including, but not limited to, Paddy Power, Betfair, Sportsbet, BetEasy, FanDuel, TVG, Adjarbet, Sky Betting and Gaming, Full Tilt, and PokerStars.
The Flutter Group is split into four regional divisions, namely UK & Ireland ("UK&I"), US, Australia and International, with each one housing a number of the abovementioned Flutter Group brands. tombola is within the UK&I division, alongside Paddy Power, Betfair UK&I and Sky Betting and Gaming.
Please note that the Flutter Group also operates other gambling companies and your use of those products and services will be subject to privacy notices that may differ to the one contained herein. Any exercise of your privacy or data protection rights in accordance with this Notice will only relate to the personal data being processed by the tombola companies listed in the Controller details section and will not apply in regard to any products or services operated directly by the Flutter Group unless otherwise stated in this Notice.
The Flutter Group operates separate privacy policies for individuals residing in the UK which are available at:
https://www.pokerstars.uk/privacy/
https://www.paddypower.com/aboutUs/Privacy.Policy/
https://www.betfair.com/en/aboutUs/Privacy.Policy/
http://support.skybet.com/s/article/Privacy-Policy
1.1.3 Contact details, including DPO
If you have any concerns about how tombola handles your personal data, you can contact our Data Protection Officer (DPO) and Data Protection Team at [email protected]. If you wish to exercise your Data Protection rights, please see YOUR DATA SUBJECT RIGHTS.
1.2 Privacy and Data Protection at tombola
Data protection is all about keeping your personal data safe and secure, and ensuring that your legal rights in relation to your data are respected. Privacy is a fundamental right, and you are entitled to have your personal data protected, used in a fair way, and made available to you when you ask for a copy.
1.2.1. Our commitment
At tombola, we take the protection of our customers' personal data and privacy very seriously, and we never lose sight of the fact that your personal data is YOUR personal data.
We believe in using your personal data to make things simpler and better for you, and we will always keep your personal data safe using the highest standards of security. We'll be clear and open with you about why we collect your personal data and how we use it, and where you have choices or rights, we'll explain them to you and respect your wishes.
What's more, we manage customer personal data in a tightly controlled way to ensure we deliver our products in a safe and reliable fashion, to do all we can to proactively protect our customers from harm, and to ensure our business meets it's legal and regulatory obligation and is protected against attack, crime and other potential risks.
1.2.2. Our key privacy protection principles
To meet these commitments, we employ the following 5 principles at tombola. These principles are at the heart of everything we do and ensure that your rights are considered at every stage.
- Keeping your data secure: We recognise that online security and data protection is an area of vital importance for all our customers, so it is important to us that you have confidence in the security of your personal details before you register an account. We are committed to employing best-in-class security measures to protect your information and out technological security solutions are governed by a mature framework.
- Data Protection by design and default: We are committed to implementing technical and organisational measures, at the earliest stages of the the design of our Services, in such a way that safeguards your privacy and Data Protection rights from the start ('Data Protection by design'). By Default we ensure that personal data is processed with the highest level of privacy protection and that data is made accessible only to those who need it. ('Data Protection by default'). We also routinely use pseudonymisation and encryption when processing your data internally and where data is shared externally.
- Transparency: Transparency is a key principle of data protection, and we believe in being up front and honest with you about how we use your data. Our Privacy Notice provides you with everything you need to know about how your information will be used by tombola, and we embed -ad-hoc privacy notices when you are using our site to let you know when we might be using your data in ways you don't expect.
- Giving you the choice: We believe that respecting your privacy begins with giving you a say in how it's used. Where you have rights in respect of the data we process relating to you, we will do everything we can to make it easy to exercise these choices. We also endeavour to give real choice over how you hear from us, and how we use cookies and other technologies.
- Using your data to keep you safe: At tombola we do all we can to proactively protect our customers from harm, and that includes using your data to identify, prevent and react to risky behaviour. Using out industry-leading levels of customer insight and our passion to do the right thing by our customers, we are committed to using your data and patterns of play to ensure a safe experience for every person.
1.3 How to navigate and read this document
We have designed the Notice so that you can easily access the information that you need. It is split into four parts as follows:
- PERSONAL DATA TYPES WE USE explains the different types of personal data that you provide to us when you use our Services, that is generated when you use our Services and that we collect from our sources.
- HOW AND WHY WE USE YOUR PERSONAL DATA explains what we use your personal data for. It contains different sections for each type of personal data usage, with each section providing information on the preposes and legal basis for using the data, as well as on any sharing of the data that may occur. Our use of personal data is not the same for all types of individuals (e.g. web visitors, customers, etc), so please see "Who the section applied to" at the beginning of each section to find out the ones that relate to you and your personal data.
- GENERAL PROCESSING INFORMAITON contains information about our personal data processing that is relevant to all individuals who engage with our services.
- YOUR DATA SUBJECT RIGHTS provides you with information on the right you have in relation to your personal data and how to exercise those rights.
For information on cookies, please see our onsite Cookie Banners, Onsite Cookie Management centre (located at the bottom of our websites or visit our Cookie Policy
1.4 Changes to the Notice
It is important to check back often for updates to this Privacy Notice, (the "last updated" reference tells you when we last updated this Privacy Notice). If we make material and important changes, we will let you know by making a customer service announcement via email and placing a notice on our website or app.
2. PERSONAL DATA TYPES WE USE
We gather and use different types of personal data that you provide to us, that is generated through your use of our Services or is which we have collected from other sources. This data includes your registration information, verification and know your customer documentation, your interactions with our Customer Experience teams, marketing, payment information, gaming and transactional information, financial information, Safe Play information, device, tracking and other online information, profiling and analytical information, as well as information from other sources including public sources and trusted parties.
Below, you can find out more about the personal data submitted by you, the personal data generated from your use of our Services, and the personal data obtained from other sources
2.1 Data provided by you
When using our Services, we collect the following types of information provided by you:
Registration Information:
When you register an account with us, you are required to provide us with your name, date of birth, postal address, e-mail address, phone number, security questions, marketing preferences and any other details as might be requested from you for the purposes of registration and/or continued use of our Services.
As a condition to using our Services, we restrict access based on Geolocation so that we can ensure that we are authorised to provide the licenced service to you in your location.
Verification and Know Your Customer ('KYC') Documentation:
In order to verify your identity, you may be required to provide documents such as a copy of your passport or driver's licence, national ID, documentation establishing your address such as utility bills, or any other information we deem necessary to confirm your age and/or identity.
Interactions with Customer Experience:
When you interact with our Customer Experience via Live Chat, phone, email or social media platforms we retain a record of your conversations with our staff, as well as notes relating to these interactions and their outcomes.
When you contact us through a social media account, we will be provided with a copy of the social media profile details (name, profile photo and other information) you make available to us as well as the content of your messages to us.
Payment Information:
Information in relation to your chosen payment method such as debit / credit card details, cardholder name, e-wallet details, or information in relation to your alternative payment method. All such information is processed in accordance with the Payment Card Industry Data Security Standard.
Financial Information:
Bank statements or other documents proving your source of wealth including but not limited to proof of earnings, payslips and evidence of business ownership.
Safe Play Information:
Data you provide to us in relation to concerns you may have about gambling risk, harm or safety, or as part of a vulnerability assessment. Some other Safe Play Information is also created while you use our Services - see Data Created by using our Services below.
Forum Posts and In-Game Comments:
Information about the way you contribute to and communicate with, and through, our Services. for example when you post comments via our social media channels or chat functionalities such as forums, chat rooms and message boards, profile comments, in-game challenges and chat messaging with game operators or other users.
Responses to Surveys and Market Research:
Responses to surveys or market research that we conduct.
Special Category Data:
Special category data is personal data that needs more protection because it is sensitive. It includes biometric data that may be used for identification purposes, genetic data, data concerning an individual's health, sex life or sexual orientation, or personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs.
In the course of your contacts with Customer Experience, if you provided information to us on health conditions that you may have, we may retain this information and use it to add further protections to your account, where appropriate.
Especially, where you have vulnerabilities which may effect you ability to safely use our Services, we may request further information or may take extra steps to enhance protection for you. This may involve health information.
We will only ever use special category data when absolutely necessary and where lawful to do so. Where possible, we will always ask for your consent before we proactively request or use this information. In limited circumstances where consent is not possible, we may need to use this information to protect your vital interests or for reasons of substantial public interest in accordance with the law.
2.2 Data created by using our services
Some of the personal data we process relating to you is generated by your use of the Services.
Gaming and Transactional Information:
Your stakes, winnings, deposits, deposit failures, withdrawals, and other account transactions
Safe Play Information:
Safe Play controls that you decide to apply through your use of our Services, such as deposit limits, cool off periods, or self-exclusions, account self-closure or controls that we pro-actively decide to apply in order to prevent harm, such as spend limits or enforced exclusions.
Device Information:
Details relating to your device and communication data, not restricted to but including IP address, browser type, unique device identifier, IDFA, IDFV, hardware model, operating system and version, software, preferred language, serial numbers, device motion information, mobile network information and location data.
Server Logs and Traffic Information:
Information such as the dates and times of access, the app features or pages you view, app crashes and other system activity, along with any referring website you were using prior to visiting our site.
Cookie and Tracking Information:
When you access or use our content, products, and Services, we may collect information from your devices through the use of 'cookies; and similar technologies.
These technologies can collect a wide variety of information about how you interact with our Services, such as your language preferences, pages visited and content viewed, link and buttons clicked, and URL's visited before and after you use our Services.
For further detail on cookies, please refer to our Cookie Policy. To manage your cookie preferences, please go to our onsite Cookie Management centre.
Information derived from Profiling and Analysis:
We carry out profiling and analysis based upon, but not limited to your name, location data, age, gameplay activity and interactions with any of our Services, as well as other relevant data points.
2.3 Data from other sources
Not all the personal data we hold about you will always come directly from you or from your use of our Services. As detailed below, we may also collect information from third parties such as our partners, service providers and publicly available websites (i.e. social media platforms), to comply with our legal and regulatory obligations, offer Services we think may be of interest, to help us maintain data accuracy and to provide and enhance the Services.
Social media profile details:
Your name, profile photo and other information you make available to us when you connect with or contact us through your social media account.
Credit Reference Agencies:
Data provided by trusted credit reference agencies who may perform a soft check for verification and affordability purposes which do not effect your credit score. A record of the outcome of these checks is provided back to us.
Publicly Available Sources:
In accordance with our legal obligations, we may consult publicly available information about you such as your Facebook or other social media pages, property ownership details, the electoral roll, company annual returns for places you have worked, industry bodies of which you may be a member, and insolvency registers.
From other Flutter brands:
In some circumstances, as detailed in the HOW AND WHY WE USE YOUR PERSONAL DATA and Group sharing sections below, we may receive or get access to some personal data from other brands within our Flutter Group. For example, and as detailed in the Safe Play section below, we operate a cross brand self exclusion mechanism between the Flutter Group brands that operate in the UK whereby if you self exclude from Paddy Power, Sky Betting & Gaming, Betfair or PokerStars, that data will be shared with us here in tombola so that the exclusion can be processed in tombola as well.
From your family members or other third party friends or contacts:
Data may be received by us from third party contacts if you ask for a family member to support you with the management of an issue or complaint, if you have legal power of attorney representing you or if someone contacts us to tell us about a customer of ours who they have concerns about. In these instances we will have records of the third party contact details and recordings of the interactions. For the avoidance of doubt, we will also need to obtain and use contact information from these third party family members, friends or contacts in order to manage out communications with them strictly and only for the purpose mentioned above.
3. HOW AND WHY WE USE YOUR PERSONAL DATA
We only use your personal data where necessary and where it is lawful to do so. Our use of your personal data is needed to enable us to deliver the Services to you, to meet our legal or regulatory obligations, to meet or protect yours, ours, the wider public's or other third parties' interests, and sometimes for other reasons only where we have you explicit consent to do so.
Below, we explain how and why we need to use your personal data, providing you with information on our different uses of your personal data. This includes detailed information on the reasons for using your data, they types of personal data we use and also information on the legal basis for using your data, which may include your personal data:
- To enter into or perform a contract with you ('Performance of a contract'), such as delivering our Services in accordance with the terms and conditions;
- To meet our legal or regulatory obligations ('Legal or regulatory obligations'), such as our taxation, company or data protection law or our licencing obligations;
- To meet our own legitimate interests or those of a third party ('Legitimate interests'), such as where we use data to protect our business assets or information, to improve our Services or to keep you safe while you use our Services;
- Where you have provided us with consent to do so ('Consent'), such as where you have provided us with consent to provide you with marketing information;
- To perform tasks in the interests of the general public ('Public interests'), such as safeguarding the public from gambling related harms; or
- To protect your or someone else's vital interests ('Vital interests').
Click on each different use of personal data below to find out more about how and why we use your personal data.
3.1 Analysing the use of our Services
3.1.1. Who the section applies to
All visitors to tombola websites, apps or other assets are covered by this Notice
3.1.2. Overview
We use your personal data to provide you with the Services and ensure that our Services are functioning correctly.
We use technical information about your device, operating system and browser version to present you with the correct version of our website or app and to keep it functioning securely. This information is also used to diagnose system problems, improve and test the features of our Services, and carry out testing.
In order to abide by our legal and regulatory requirements, we will also check your location to ensure users are using Services in licensed countries, and that the correct version of the site is presented to them.
We also perform analysis of the performance and usage of our Services to help improve you user experience. For further information on cookies, please refer to our Cookie Policy.
3.1.3. The purpose and legal basis for processing your personal data
Purpose | Categories of Personal Data | Legal basis |
Diagnostics, research, and development: To help diagnose system problems, to administer our websites, to improve and test the features and functions of our Services, and to carry out testing and analysis.
| Device Information Server Logs and Traffic Information Information derived from Profiling and Analysis | Legitimate Interests |
Site Personalisation/Localisation Verifying that you are using the site in a licenced jurisdiction and presenting you with the correct version of the site.
| Registration Information Device Information Gaming and Transactional Information | Performance of a contract Legal and Regulatory Obligations |
Reporting and Analysis Aggregated statistics and analysis on how users interact with our Services.
| Device Information Server Logs and Traffic Information Cookie and Tracking Information Gaming and Transactional Information | Legitimate Interests Consent, where required to use non-essential cookie or related information |
3.1.4. Who we share your personal data with
- We use a number of tools to assist in performing analytics on our site, such as Google Analytics and Optimizely;
- Other companies within the Flutter Group, who provide support services as part of the Flutter Group's UK&I division.
3.2 Registering & verifying your account
3.2.1. Who this section applies to
All customers that register and verify an account
3.2.2. Overview
When you register an account with us, you are required to provide us with certain information in order to set up your account and verify your identity. This allows us to ensure that you are who you claim to be and that you are old enough to use the Services. As part of this process, we rely on trusted third parties to assist us in confirming the details you have provided.
To make this process as simple as possible for our customers, we utilise a number of electronic checks to confirm your age, address and identity. Where an electronic check is not sufficient to meet our licensing requirements, you will be required to provide us with a copy of your photographic identification, such as passport, national ID or driver’s licence. We may also ask you to provide us with proof of address, such as a copy of a recent utility bill.
Once you provide your identification documentation, we will perform a combination of automatic system and manual matching against information entered when opening an account and if the match is confirmed, verification is successful. Where we have been unable to successfully match a customer’s details, an account suspension may be applied. The process is overseen by our Customer Experience teams. If you have any queries or concerns about the verification process or an account suspension, please get in touch and one of our advisors will be able to assist.
For UK customers, we may also check your details against publicly available information such as electoral rolls, to confirm the accuracy of the details you have provided, and to ensure that you are old enough to use our Services. If we become aware that a minor has attempted to or has submitted personal information via the Websites, we will take action to remove access from compromised accounts.
To help us comply with our legal and regulatory obligations, when you use our Service, depending on which jurisdiction you reside, we may perform an affordability check to establish whether you have any indications of financial vulnerability. This assessment is performed on our behalf by a trusted third-party, TransUnion, and will leave a search footprint which will not negatively impact your TransUnion credit score. For further information, please refer to TransUnion’s Privacy Notice: http://www.transunion.co.uk/legal-information/bureau-privacy-notice
3.2.3. The purpose and legal basis for processing your personal data
Purpose | Categories of Personal Data | Legal basis |
Account Registration Gathering essential information from you in order to confirm your identity and contact details | Registration Information
| Performance of a contract Legal and regulatory obligations |
Underage Verification Verifying a customer's age to prevent underage accounts from being set up. In the UK, we may carry out verification checks using publicly available information, to verify your age.
| Registration Information Verification and KYC Documentation Publicly Available Information | Performance of a contract Legal and regulatory obligations |
KYC Verification Automatic verification of a customer's identity to prevent anonymous accounts from being set up. In the UK, we may carry out verification checks using publicly available information.
| Registration information Verification and KYC Documentation
| Performance of a contract Legal and regulatory obligations
|
Customer Document Verification – Verifying customer’s identification documents using trusted third parties. | Verification and KYC Documentation Registration information
| Performance of a contract Legal and regulatory obligations |
Affordability Check (UK Customers) We may perform a soft check, using a trusted Credit Reference Agency, TransUnion, to verify how much you can afford to spend onsite. (Note that this is displayed as a money laundering check on your account but is used for affordability) | Verification and KYC Documentation Registration information
| Performance of a contract Legal and regulatory obligations
|
Reporting and Analysis Aggregated statistics on users registration. | Registration Information Device Information | Legitimate Interests |
3.2.4. Who we share your personal data with
- Document checking – We use third parties to help in confirming the legitimacy of the documents you have submitted, such as Hooyu.
- Electronic verification – We use third parties to verify that the details you have submitted are legitimate and that you are of legal age to gamble. Third parties will vary depending on which jurisdiction you reside.
- Credit checking – We use credit reference agencies such as TransUnion to verify your details and the amount that you can spend on our Services.
- Other companies within the Flutter Group, primarily Paddy Power and Sky Betting & Gaming, Betfair who provide customer registration and verification management and technical support services as part of the Flutter Group’s UK&I division.
3.3 Processing your payments & delivering the Services
3.3.1. Who this section applies to
All registered customers who add a payment method to, deposit to or withdraw from their account.
3.3.2. Overview
In order to process your payment method addition, deposits and withdrawals, we will use information in relation to your chosen payment methods. These details are used to provide you with swift and secure deposits, to prevent, where possible, fraudulent use of your payment methods, and to monitor trends and performance in relation to our payment Services.
When you make a deposit and withdrawal to your account, your card details or details in relation to your bank or e-wallet provider will be used in order to process these transactions. Where card payments are facilitated in tombola is fully compliant with the Payment Card Industry Data Security Standards (‘PCI DSS’), and your card payment information is protected to the highest degree possible.
We may from time to time be required to use WorldPay to administer bank transfers, please refer to their Privacy Policy for more information: https://www.worldpay.com/en/privacy
If you have concerns in relation to a deposit or withdrawal that you have made, we will investigate your query promptly and may use further information in relation to your account to support this investigation. You may be asked to provide further information, and in certain circumstances, we may contact your bank or payment provider to resolve the issue.
In certain circumstances, where we have concerns over payments being made on customer accounts, we may perform additional due diligence to confirm that funds are being sent and received from the true owner of the account. We may examine details in relation to your location, IP address or device to confirm where payments are being made from. We may also require you to submit additional verification documentation to confirm your ownership of the payment method in question.
We also perform monitoring on all payment methods additions, deposits or withdrawals made, in order to rapidly identify errors or suspicious activity. These processes use the minimum personal data necessary to alert the relevant teams who may then investigate further.
Finally, we will use your information to deliver the Services and process the stakes and transactions that you make. For these purposes, your gaming and transactional information may be analysed in order to improve the Services we provide and in order to investigate and resolve issues with the functioning of the Services.
3.3.3. The purpose and legal basis for processing your personal data
Purpose | Categories of Personal Data | Legal basis |
Processing payment method additions, deposits and withdrawals Using your payment details to process the transactions you request.
| Registration Information Payment Information Device Information Cookie and Tracking Information
| Performance of a contract Legitimate business interests |
Investigating escalations and complaints relating to payments. Investigating concerns you or others may raise in relation to payments made on your account, or using your payment information. | Registration Information Payment Information Gaming and Transactional Information Device Information Cookie and Tracking Information
| Performance of a contract Legal and regulatory obligations Consent, where required to use non-essential cookie or related information
|
Monitoring alerts and Reporting Real-time monitoring of deposits and withdrawals to identify trends and transactions requiring further review | Registration Information Payment Information Gaming and Transactional Information Device Information Cookie and Tracking Information
| Performance of a contract Legal and regulatory obligations Consent, where required to use non-essential cookie or related information
|
Payment proof of ownership Confirming funds are being sent or received from owner that holds account with us
| Registration Information Payment Information Gaming and Transactional Information Device Information Cookie and Tracking Information Verification and KYC Documentation
| Legal and regulatory obligations Performance of a contract Consent, where required to use non-essential cookie or related information |
Delivery of The Services Providing the services and processing the stakes and transactions that you make | Registration Information Payment Information Gaming and Transactional Information Device Information Cookie and Tracking Information
| Performance of a contract Consent, where required to use non-essential cookie or related information |
Reporting and Analysis Aggregated statistics and analysis on users payment transactions | Registration Information Device Information | Legitimate Interests |
3.3.4. Who we share your personal data with
- Payment providers - Sharing details in order to process your transactions with your registered bank, e-wallet providers including Apple Pay, our payment providers such as, Cybersource, Global Payments, PayPal, iDeal and WorldPay (and their appointed third parties);
- Fraud prevention service providers, such as CIFAS and Amazon Fraud Detector;
- Other companies within the Flutter Group, who provide payment and Service delivery support as part of the Flutter Group’s UK&I division.
3.4 Contacting Customer Experience
3.4.1 Who the section applies to
This section applies to any person that contacts Customer Experience via email, live chat, phone, and social media.
3.4.2. Overview
When you contact our Customer Experience teams via the contact methods we offer, we will use information relating to your account and activity, as well as the information you provide to our staff, to investigate your query and work towards a resolution.
In order to process your query, you may be asked for additional information in relation to the issue you are facing. Any information you provide may be shared internally with other relevant operational teams. For example, if you raise a concern in relation to Safe Play, your details may be shared with our Safe Play teams for further review.
Should you decide to raise a complaint, a dedicated complaints procedure will be followed. If you remain dissatisfied by the final outcome of the investigation, and still wish to pursue a dispute or complaint, then you can raise a complaint with one of the Alternative Dispute Resolution (‘ADR’) providers, that tombola engage with. In such circumstances, we may share any information we deem relevant to the dispute with the relevant ADR provider.
Please note that all interactions you have with our Customer Experience functions are recorded and retained. We use a number of third-party software tools to help deliver our support functions, and information you share with will be processed and/or stored on these tools.
NOTE: For information about contacting Customer Experience for Safe Play reasons, please see the Safe Play section below.
3.4.3. The purpose and legal basis for processing your personal data
Purpose | Categories of Personal Data | Legal basis |
Resolve queries related to your account, stakes you have placed or games you have played Investigate and sharing information relating to your Customer Experience contacts | Registration Information Verification and KYC Documentation Device Information Gaming and Transactional Information Social media profile details Interactions with Customer Experience | Legal and regulatory obligations Legitimate business interests Performance of a contract
|
Opening and closure of accounts upon request Processing data to register or close accounts via our Customer Experience team | Registration Information Verification and KYC Documentation Social media profile details Interactions with Customer Experience
| Legal and regulatory obligations Performance of a contract
|
Alternative Dispute Resolution Sharing information to defend complaints made by you to ADR providers | Registration Information Verification and KYC Documentation Device Information Gaming and Transactional Information Interactions with Customer Experience | Legal and regulatory obligations Performance of a contract
|
Reporting and Analysis Aggregated statistics and analysis on user contracts. | Registration Information Device Information Gaming and Transactional Information Interactions with Customer Experience | Legitimate Interests
|
3.4.4. Who we share your personal data with
- Alternative Dispute Resolution Providers, including the IBAS (Independent Betting Adjudication Service);
- Social media partners, such as Facebook, and should you contact our Customer Experience team via their platform;
- Other companies within the Flutter Group, who provide customer support services as part of the Flutter Group’s UK&I division.
3.5 Marketing
3.5.1. Who the section applies to
Anyone to whom tombola directly or indirectly markets, promotes or advertises its products.
3.5.2. Overview
Your marketing preferences with tombola are based on whether you want (i) to receive marketing offers and communications from us (“, and/or (ii) your profile to be used by us in order to market to you (‘Personalised Marketing’).
(i) Receiving Offers & Communications
The below apply to the marketing choice to receive marketing offers and communications from us or not:
Direct Marketing
Subject to any consent preferences you have expressed (where applicable), we use personal data to deliver marketing and event communications to you across various channels, such as email, SMS, and push notification.
We will do this during the period of your relationship with us and, unless specifically instructed otherwise by you, for a maximum of 2 years after your account has been inactive in order to inform you about products, services, promotions and special offers which we think may be of interest to you.
If you wish to opt out of receiving direct marketing through email, SMS and direct mail, you can do so by going to your Contact Preferences within my account when you login to your account and ensuring that the option to receive offers and communications is opted out. If we send you a marketing email or SMS, they will include instructions on how to opt out of receiving these marketing communications in the future. You will be prompted to choose to opt in to push notifications when you download a tombola app, however if you later wish to opt out of receiving push notifications you can do this via the settings on your mobile device.
Please allow up to 48 hours for any changes you make to your marketing preferences to be fully processed. Please remember that even if you opt out of receiving direct marketing, we may still send you important information related to the Services.
Group Direct Marketing
If you have indicated your consent to receive marketing from us, we may from time to time send you direct marketing material relating to products offered by other companies within the Flutter Group, as described in the About the Flutter Group section above. If you opt-out of receiving marketing from us, we will not send you marketing relating to the Flutter Group.
Please note that if you hold separate accounts within the Group, you should consider your marketing preferences for each separately. For example, if you opted out of marketing for any other product within the Flutter Group and not tombola, you will continue to receive marketing communications directly from tombola unless updated.
(ii) Personalised Marketing
Social Marketing
We will work with social media companies such as Facebook and Instagram to provide you with information about our Services via their platforms.
If you are opted in to Direct Marketing, we may share limited personal data with the social media companies to enable us to send you information via their platforms, or market to audiences within their platforms who share similar characteristics to you. If you are opted out of Direct Marketing or if you are on an exclusion list, you will not receive targeted marketing from us via these platforms.
Please note that you may still see adverts from us on social media platforms, even if you are opted out of profiling with us. This type of display, non-targeted marketing is not based on any personal data held or controlled by tombola. If you do not wish to see these adverts, you can control this easily by disabling preference-based marketing in the privacy and ad settings on each individual social media platform.
We may also run untargeted Sponsored marketing within Facebook which you have the option to select “Hide all from tombola” or “Hide post” or “Block tombola’s profile” from within the Facebook environment.
Online Advertising (not applicable in Italy)
We use a combination of information including, but not limited to, advertising cookies, your email address, your device identifier, phone number, date of birth, address and your onsite activity to show you targeted and relevant advertisements on a selection of websites across the world wide web, apps and social media websites. You can opt out of cookies and of Direct Marketing at any time if you do not wish to receive targeted advertising like this online.
You can control the use of cookies via our onsite Cookie Management centre or for further information, please visit our Cookie Policy.
(iii) Other Marketing & Communication Information
iOS Users
For iOS Users, using versions prior to 14.5 their iOS device is assigned an Identifier for Advertisers (IDFA) which enables app owners and advertisers to track campaigns and deliver personalised advertising. If you are an iOS user and have opted into tracking for tombola, your IDFA (Identifier for Advertisers) is used to deliver you personalised advertising that is relevant to you (based on information we have about you, including browsing history, transactional information, demographic information and behavioural information, predictive information we create about you in each case in relation to our Services and advertising and information about what other people with similar interests, demographics and
behaviours are looking at) and is used for attribution and analytics purposes to tell us when and how you have interacted with advertisements, including those that have been placed on a third party site or app, and so we can assess the effectiveness of our campaigns.
You can opt-out of this at any time by visiting your mobile settings (by going to Settings > Privacy & Security* > Apple Advertising.) *In earlier versions of iOS and iPadOS, this setting is called "Privacy".
For those iOS users using versions 14.5 and newer, SKAdnetwork has been implemented by Apple so tombola no longer see or own any personal data. Any requirement to opt-out must be undertaken by the user with Apple directly.
Promotional Content and Events
We may publish players aliases and/or chat names, along with any winnings, prizes received and location, on our websites in accordance with our legitimate interests. Similarly, where you attend an event that is organised or sponsored by tombola, we may, at our discretion, use footage recorded at such events as part of future promotional content.
Surveys and polls
If you choose to participate in a survey or poll either direct from us (tombola) or via social media platforms, any personal data you provide may be used for marketing or market research purposes in accordance with our legitimate interests.
3.5.3. The purpose and legal basis for processing personal data
Purpose | Categories of Personal Data | Legal basis |
Direct Marketing Send tailored communications to you via Email, Telephone, SMS, Post or Push based on the contact preferences you have selected | Registration Information Gaming and Transactional Information Device Information Cookie and Tracking Information
| Consent
|
Social Targeting: Deliver tailored content to you, and individuals with a similar profile to you, on social sites with which you may hold an account.
| Registration Information Device Information Cookie and Tracking Information | Legitimate interests Consent (Where targeting is delivered using tracking technologies) |
Online Advertising Display banner adverts on trusted third-party websites across the Web. | Registration Information Device Information Cookie and Tracking Information | Legitimate interests Consent (Where targeting is delivered using tracking technologies)
|
Marketing Personalisation Using information we hold on you to predict and offer you the type of content and offers that we believe you will enjoy.
| Device Identifiers Cookie and Tracking Information Gaming and Transactional Information Information derived from profiling and analysis | Legitimate interests Consent (Where targeting is delivered using tracking technologies)
|
Promotional Content Publishing details of your alias and winnings, or footage at promotional events
| Registration Information Gaming and Transactional Information Video Footage | Legitimate interests |
Surveys and Polls Using your responses to surveys and requests for feedback to improve the Services we deliver
| Responses to Surveys and Market Research | Legitimate interests
|
3.5.4. Who we share your personal data with
- Social Media Partners with whom you may hold an account, such as Facebook and Instagram.
- Third Parties who help us send our marketing communications, such as AWSPinpoint and Movable Ink.
- Third-party advertisers – Where you have consented to third-party marketing or targeting cookies, data derived from the cookies placed on your device will be shared with a number of trusted third-party advertisers such as Meta, Instagram, News UK, Google, Apple and our affiliate networks. For more information on cookies, please see our Cookie Management centre or visit our Cookie Policy.
- Other companies within the Flutter Group – Where you have indicated that you wish to receive offers from other companies in the Flutter Group, we will share with you tailored offers and recommendations relating to these brands.
3.6 Fraud Prevention
3.6.1. Who this section applies to
All customers of tombola.
3.6.2. Overview
In order to protect our customers and the wider public from the harms caused by fraud, we employ a range of processes and tools to identify and prevent improper use of our Services.
These systems help us ensure that customers are genuine, haven’t registered more than once, and are not fraudulently trying to access accounts that don’t belong to them.
As detailed in the Registering & verifying your account and Processing your payments & delivering the Services sections above, when you set up an account with us, make a deposit or play our games, we carry out identity verification and fraud prevention checks. These checks help us confirm that you are old enough to use our Services and that the details you have provided are genuine.
We may share your personal data with organisations that verify details and transactions and identify potential indicators of illegal activity, which they make available to other organisations using their Services. Where necessary, we share your data with credit reference agencies or fraud prevention agencies, which keep a record of that information and make it available to other organisations for use in credit decisions, identification checks and fraud detection and prevention.
While using our Services, we monitor your activity to validate the authenticity of transactions and to ensure no fraudulent behaviours are occurring on our platform. For example, if a login is detected from a device or location other than that normally used on your account, we may conduct a further review or request further information.
Where a suspected or actual incidence of fraud or account takeover (‘ATO’) has been identified or reported to us, we may apply restrictions to your account(s) to prevent further fraudulent activity while we perform further investigations, including, where necessary, escalation to our fraud reporting teams, or we may suspend your account(s) and activity entirely. In such cases, we may request further information from you to validate the activity on your account. We may also use information such as your KYC documentation, device information, information sourced from third parties and publicly available sources to support these investigations.
If you wish to query or challenge a suspension or restriction on your account, please contact our Customer Experience team.
Where appropriate, we will pass information to the police and other law enforcement agencies, debt recovery companies and other similar bodies. This may be at the request of one of these bodies, or proactively.
Our fraud team perform regular reporting and analysis to identify trends in fraud activity on our Services, in order to provide the highest degree of protection to our customers. This helps ensure that our fraud prevention processes are performing as efficiently as possible.
3.6.3. The purpose and legal basis for processing your personal data
Purpose | Categories of Personal Data | Legal basis |
Verification Checks Performing checks with third party agencies to validate the authenticity of your information and transactions
| Registration information Account information Onsite activity Cookie and Tracking Information
| Legal obligations Performance of a contract
|
Fraud Detection and Prevention Information required for analysis, reporting and prevention of fraud and financial crime. Personal data is utilised to validate the authenticity of customer transactions to ensure no fraudulent behaviours. | Registration information Account information Onsite activity Cookie and Tracking Information
| Legal obligations Performance of a contract
|
Fraud Investigations and Escalations
Used for customer queries in relation to account takeover and fraud escalations. | Registration information Account information Onsite activity Cookie and Tracking Information
| Legal obligation Performance of a contract
|
Cooperation with Regulators, Government Authorities and Law enforcement Agencies
Provide information to authorities.
The business is required to notify regulatory bodies whenever an underage customer is identified. | Registration information Account information Onsite activity Cookie and Tracking Information
| Legal obligations |
Monitoring the performance and efficacy of our fraud processes and controls and trends in fraud threats. | Registration information Account information Device information Payment information Gaming and Transactional Information
| Legal obligation Performance of a contract
|
Promotion or Bonus Restrictions Review your use of promotional offers and bonuses to ensure they are in accordance with our Terms and Conditions. | Registration Information Gaming and Transactional Information Device Information
| Performance of a contract |
3.6.4. Who we share your personal data with
- Third Party Verification companies including Transunion, Lexis Nexis, GB Group, and Hooyu;
- Regulatory Authorities and Law Enforcement Agencies;
- Third party software providers who enable us to deliver the Services to you, including our customer management software providers;
- Other companies within the Flutter Group, primarily Paddy Power and Sky Betting & Gaming who provide fraud prevention and management support as part of Flutter Group’s UK&I division.
3.7 Safe Play
3.7.1. Who this section applied to
All customers of tombola.
3.7.2. Overview
At tombola, our customers are at the heart of everything we do. We specifically design our products and Services with this in mind to facilitate a great customer experience, whilst also ensuring customers are protected.
While using our Services, you may be asked for additional information about yourself or the source of your account funding from our Safe Play team. This process assists us to ensure that we can get to know you and provide you with a safe customer experience, as well as helping us fulfil our licencing requirements.
Customer Monitoring and Interaction
As part of our Safe Play framework, we proactively monitor your activity on our sites in real time and retrospectively so as to identify potentially harmful play, and where necessary, take actions to ensure your safety onsite.
We use a combination of machine learning, automated detection systems and manual review to supervise customer activity for the purpose of identifying Safe Play risks, and we also have a dedicated team in Customer Experience to deal with any Safe Play concerns that may be flagged to us by you or other individuals connected to you, such as family or friends. Where potentially dangerous activities are flagged, we may take action. This can range from emailing or calling you to ensure you are comfortable with your level of spend to proactively closing your account for a period of time and opting you out of direct marketing. Where we are unable to interact with you, we may need to take enforced action until such a point where we can communicate with you.
As part of these processes, we will use a range of data points taken from your behaviour and attributes to identify potentially problematic activity. We use elements of profiling and automated analysis techniques to identify such activity and to apply account limitations as and where appropriate. This is in accordance with our licensing requirements to conduct pro-active engagements to prevent gambling harm.
You can get in touch with our Customer Experience team at any stage if you have concerns about your gambling, concerns about another customer’s gambling or if you wish to challenge any restrictions that have been placed on your account, including those that may have been applied as a result of our automated Safe Play processes. All Safe Play related matters are dealt with by a dedicated Safe Play team with our Customer Experience units. Please see the Contacting Customer Experience section above for information on how we use your data in this regard.
Vulnerability
If any specific vulnerabilities are identified throughout our standard interaction process, we may take extra steps to enhance protection for our customers by applying restrictions to your tombola account.
Any vulnerability assessment will be subject to customer’s consent where we will ask the appropriate questions necessary to understand any vulnerabilities and impacts. Specific tools may then be recommended to help customers manage their accounts.
Customers will be clearly and specifically informed of the process and will have the choice to provide freely given consent. Customers may also withdraw any given consent at any time. If consent is obtained, the personal data will only be retained for as long as is necessary to meet our legal, regulatory or legitimate business requirements, or until such time as you withdraw your consent.
Customers are also free to withhold consent, at which point the assessment will not go ahead. However, in the event that specific vulnerabilities may fall under a wider scope within Safe Play concerns, the business may restrict your account.
Requesting Supporting Information
We may ask for supporting evidence where a request is made to challenge ‘Spend Limits’ (limits applied by us to cap the maximum spend on some accounts for certain customers), ‘Operator Net Deposit Limit (limits placed by us to cap the maximum amount that can be spent on a customers account) and as part of our standard ‘Enhanced Due Diligence’ (‘EDD’) processes.
Documents that may be requested include, but are not limited to; proof of identity, proof of earnings, bank statements and evidence of business ownership. If you are unable to provide any of these documents then we may suspend or restrict your account until you provide the requested information.
We may also ask for supporting documentation in relation to vulnerability assessments including but not limited to evidence of lasting and enduring power of attorney forms.
Exclusions
tombola offers you the facility to ‘Self-Exclude’ from us as part of our Safe Play control tools. This feature allows you to block yourself from all of our Services for varying periods of time depending on your needs.
In certain circumstances, our staff may also make the decision to pro-actively suspend or remove you from our Services, in order to ensure your safety.
Where you apply a Self-Exclusion with tombola or where we decide to exclude you from our Services for Safe Play reasons, we will also share your exclusion information with the other Flutter Group brands that operate in the UK - Paddy Power, Betfair, PokerStars and Sky Betting & Gaming.This action is performed by automatically checking whether accounts with your registered details are held on these other brands, and, where accounts are identified, they will be proactively closed. Such processing will always be performed with the highest regard to the privacy and security of your data, and you have the right to challenge if you wish to dispute the match. For further information, please visit our Safe Play Hub or our FAQs on the Self-Exclusion matching process between the Flutter brands.
NB: Please note that in circumstances where you apply a permanent Self-Exclusion, your information will be retained indefinitely, in order to prevent you from accessing the Services.
Gambling Self Exclusion Schemes
Upon registration, login and at regular intervals we perform checks against relevant gambling commission and self exclusion databases depending on which country you are registered with tombola from. Where a customer self-excludes via one of these methods, our checks will pick this up and we use this to ensure their wish to self-exclude is applied across our sites and apps. To find out more please refer to the relevant sites via the links below. We may in future subscribe to similar national self-exclusion schemes in any of the countries in which we operate, and we will update this notice to let you know.
Country | Self Exclude Scheme / Gambling Commission |
United Kingdom | |
Spain | RGIAJ (Self Ban) |
Denmark | |
Sweden | |
Netherlands | |
Italy | Amministrazione Autonoma dei Monopoli di Stato |
3.7.3. The purpose and legal basis for processing your personal data
Purpose | Categories of Personal Data | Legal basis |
Monitoring and Interactions Manual and automated monitoring of customer activity to prevent potentially problematic play. Proactive communications with you to ensure you are comfortable with current activity levels, and to make any required adjustments to your account. Managing inbound contacts to our Customer Experience team in relation to Safe Play. Monitoring the efficacy of SafePlay tools in preventing gambling related harms. | Registration Information Verification and KYC Documentation Gaming and Transactional Information Information derived from profiling and analysis Customer Experience Interactions Special Category Data Safe Play Information | Legal and Regulatory Obligations Performance of a contract
For Special Category Data, consent and, in limited circumstances, vital interests or public interests.
|
Challenging Spend Limits We may ask for supporting evidence where a request is made to challenge Spend Limits (limits applied by us to cap the maximum spend on some accounts for certain customers), Operator Net Deposit Limit (limits placed by us to cap the maximum amount that can be spent on all customer accounts) and as part of our standard Customer Due Diligence processes. | Registration Information Verification and KYC Documentation Gaming and Transactional Information Customer Experience Interactions
| Legal and Regulatory Obligations Performance of a contract
|
Vulnerability: If any specific vulnerabilities are identified throughout our standard interaction process, we may take extra steps to enhance protection for our customers. We will also seek consent before we take such steps, and if obtained, we will ask the appropriate questions necessary to understand any vulnerabilities and impacts. Specific tools may then be recommended to help customers manage their accounts. | Registration Information Verification and KYC Documentation Gaming and Transactional Information Customer Experience Interactions Special Category Data | Legal and Regulatory Obligations Consent |
Exclusions: Processing your data to ensure that you cannot access our Services where you elect to exclude from your account, or where a suspension or removal is proactively applied.
NB: In circumstances, where you apply for a permanent exclusion, your information will be retained indefinitely. | Registration Information Verification and KYC Documentation Gaming and Transactional Information Customer Experience Interactions Special Category Data | Legal and Regulatory Obligations Performance of a contract
For Special Category Data, consent and, in limited circumstances, vital interests or public interests.
|
GamStop: Where a customer self-excludes through a self exclusion scheme (such as ‘GAMSTOP’ national self-exclusion scheme in the UK), or via their local Gambling Commission, we will receive a notification of this, which we will use only to ensure their wish to self-exclude is applied across our sites and apps. We may in future subscribe to similar national self-exclusion schemes in any of the countries in which we operate, and we will update this Notice to let you know. | Registration Information Verification and KYC Documentation Gaming and Transactional Information Customer Experience Interactions
| Legal and Regulatory Obligations Performance of a contract
|
Reporting and Analysis Aggregated statistics and analysis on Safeplay features usage. Highlighting potentially vulnerable customers. | Registration Information Account Information Payment Information Gaming and Transactional Information
| Legal and regulatory obligations Legitimate Interest |
3.7.4. Who we share your personal data with
- Credit reference agencies, such as Experian. and TransUnion, who we share data with as part of our Safe Play controls;
- Third party software providers who enable us to deliver the Services to you, including customer management software providers (e.g. Connect);
- Other members of the Flutter Group, including Paddy Power, Poker Stars, Betfair, and Sky Betting & Gaming who provide tombola with Safe Play support, as part of the Flutter Group’s UK&I division, and with Flutter Group members who operate in the UK where you apply a Self-Exclusion or we apply a Safe Play related exclusion to a tombola account registered in the UK, British Crown Dependencies or Gibraltar;
- Law enforcement and regulatory bodies, as required per our legal or regulatory obligations;
- In rare circumstances where there is a threat to life, we may act in order to protect an individual’s vital interests and share personal data, including special category data, with the police.
3.8 Risk Management and Customer Analysis
3.8.1 Who this section applied to
All customers of tombola.
3.8.2. Overview
In order to provide the Services to you and for our legitimate purposes, we process your personal data to evaluate our commercial performance and manage risks to our business.
We carry out basic analytics to help us understand, how, when, where and why our customers use our Services, and how our business is performing for example the effectiveness of our advertising It also gives us a much clearer picture of our customers generally, the broad demographic groups they fit into (e.g. age group, gender, location, etc.) and the products and Services they use, which in turn helps us to develop better and more relevant features, products and Services. Where possible we perform analysis in a way that does not identify individual customers, so there is minimal impact on the privacy of any one person.
Most people use our products and Services fairly, but we carry out monitoring and basic analytics of how our customers place stakes, play and interact with our products and Services, to identify behaviour that is not in line with our Terms & Conditions or that could be prejudicial to our commercial interests.
At our discretion, we have the right to use this information in making decisions about whether to place restrictions on people’s accounts or to close their accounts. We take this very seriously, and consider a wide variety of factors in making such a decision, taking into account the information we hold about you as well as any information obtained from industry databases. The processes may involve an element of profiling, upon which decisions to restrict or close an account may be made. These decisions are made in accordance with our terms and conditions. If you wish to query or challenge any restriction, decisions are always made with human intervention; the process is never wholly automated.
3.8.3. The purpose and legal basis for processing your personal data
Purpose | Categories of Personal Data | Legal basis |
Customer Analysis Monitoring and analysing customer behaviour to improve the performance of our business
| Registration Information Account Information Payment Information Gaming and Transactional Information Information derived from profiling and analysis | Legitimate interests |
Risk Management & Account Restrictions Manual and automated oversight of your activity to evaluate and manage commercial risk to our business. This may include, where appropriate, placing restrictions on your account or, closing your account. | Registration Information Gaming and Transactional Information
| Performance of a contract |
3.8.4 Who we share your personal data with
- Limited data is shared with other companies within the Flutter Group for risk management support purposes. However, this data is pseudonymised by tombola, meaning the other members of the Flutter Group cannot identify you from the data.
3.9 Anti-Money Laundering and Counter-Terrorist Financing
3.9.1. Who this section applies to
All customers of tombola.
3.9.2. Overview
As a betting and gaming company we have certain legal obligations we need to abide by. One of those rules is that we must do everything we can to prevent money laundering. At tombola, we will use your personal data to ensure the proceeds of crime are not being used on our Platform, and to identify and tackle such behaviours.
As outlined in the Registering & verifying your account section above, where you initially register an account with us, we are required to gather certain information about you in order to verify your identity, as part of our EDD requirements. For this purpose you may be required to submit documentation establishing your identity and address, and where required, any other information as may be deemed necessary to confirm your identity.
tombola adopts a risk-based approach to compliance with its Anti-Money Laundering obligations, and, depending on your personal characteristics and activity levels, we may be required to gather further information on you, in order to meet requirements under applicable legislation. This is known as ‘Enhanced Due Diligence’ (‘EDD’), and as part of this process, we may collect and store financial information in relation to you, as well as information gathered from publicly available sources such as the land registry, the register of companies and social media.
In certain circumstances, we may require you to provide additional documents proving your source of wealth including but not limited to proof of earnings, bank statements, payslips and evidence of business ownership. Such processing will always be conducted with due regard to your privacy.
As part of our obligations, we also regularly screen our customer base against databases of publicly available information. This ensures that we are not offering our Services to individuals who have been the subject of sanctions since registration.
Where suspicious activities, behaviours or characteristics are identified, further investigation will be conducted by our Anti-Money Laundering team, and where necessary, actions may be taken in relation to your account. This may result in your account being suspended until such time as further information is provided by you, or your account being permanently closed. We may also be required to inform local law enforcement authorities or government agencies, as mandated by law.
In order to improve the effectiveness of our Anti-Money Laundering controls and processes, we regularly perform reporting and analysis on customer data. This may involve an element of profiling of customer personal data.
We may also share information with the Flutter Group in order to help prevent fraud, money laundering and other criminal activity across our wider group. Where appropriate, such information may be passed to the police and other law enforcement agencies, and other similar bodies directly by the Flutter Group.
3.9.3. The purpose and legal basis for processing your personal data
Purpose | Categories of Personal Data | Legal basis |
Customer Due Diligence Verifying your identity upon registration using documentation you submit | Registration Information Verification Documents | Legal obligation |
Enhanced Due Diligence Gathering further information on you and your financial background where higher levels of risk are identified. | Registration Information Verification Documents Financial Information Gaming and Transactional Information Publicly Available Information | Legal obligation |
Source of Wealth Collecting information from you evidencing the source of funds used on our site | Financial Information Registration Information
| Legal obligation |
Screening Comparing our customer database against publicly available lists of individuals with sanctions or adverse media reports, and to identify politically exposed persons | Registration Information Publicly Available Information | Legal obligation |
AML Investigations and Taking Action Investigating potential instances of money laundering, and where necessary, taking appropriate actions | Registration Information Verification Documents Financial Information Gaming and Transactional Information Information derived from profiling and analysis Publicly Available Information | Legal obligation |
Group Sharing Sharing information with other brands in order to help prevent fraud, money laundering and other criminal activity across our wider group | Registration Information Verification Documents Financial Information Staking and Transactional Information Publicly Available Information | Legal obligation |
3.9.4. Who we share your personal data with
- Providers of databases for screening purposes and verification and Due Diligence such as LexisNexis and GB Group;
- Courts, law enforcement agencies, regulatory agencies, and other public and government authorities.
- Other companies within the Flutter Group who provide Anti-Money Laundering support as part of the Flutter Group’s UK&I division operations.
3.10 Service Personalisation
3.10.1 Who the section applied to
All visitors to tombola websites, apps or other assets covered by this Notice.
3.10.2. Overview
We use personal data to deliver and suggest tailored content to personalise your experience with our Services. This is processing which is necessary for the purpose of our legitimate interests in delivering or presenting relevant content to our customers.
Whichever Services you use, wherever and however you interact with us, we want to give you the same great level of service and make it personal to you. We will tailor your experience, personalising the layout and content of our sites according to what we know about you, your preferences and the way you like to play. For example, we will present you with features we know you have used or think you are likely to use or show you the type of game content that best suits your style of play.
We also look at aggregated (non-identifiable) data showing how our customers use our products and features and which games they tend to enjoy. We use this information to suggest games we think you’ll enjoy because they are popular with others who play the same games as you.
We believe this personalised experience makes betting and gaming better and we want to give you the best customer experience we can. Using your personal data in this way enables us to do that in a way that we believe does not have an impact on your privacy. If you don’t want your data used in this way your option is to not use our Services and to close your account.
Please note that some aspects of your customer experience are provided via cookies. If you have provided consent for these cookies, we will personalise certain aspects of our site, such as remembering your username. You can change these preferences at any time via our Cookie Management centre located at the bottom of our websites. For more information visit our Cookie Policy.
3.10.3. The purpose and legal basis for processing your personal data
Purpose | Categories of Personal Data | Legal basis |
Onsite Personalisation Tailoring your onsite experience to match your preferences
| Registration Information Gaming and Transactional Information Cookie and Tracking Information Device Information
| Legitimate Interests Consent, where required to use non-essential cookie or related information |
3.10.4. Who we share your personal data with
- Other companies within the Flutter Group, primarily Paddy Power, Betfair and Sky Betting & Gaming who provide technical support as part of the Flutter Group’s UK&I division.
3.11 Other purposes
3.11.1. Who the section applied to
All individuals who engage with tombola or use its Services.
3.11.2. Overview
In addition to the purposes described above, there are other circumstances in which we are required to process your personal data, as described below:
Information/Disclosure Requests and Regulatory Submissions
Apart from the functions set out in this Notice, we do not share your personal data with third parties except where we are compelled or permitted by law to do so. These circumstances are rare but may require us to share information in response to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence.
Whenever we share personal data, and whatever the circumstances, we will always do so legally and with due regard to your privacy. If we receive a request from law enforcement or other statutory bodies, we do not disclose personal data without a warrant, court order or other legally valid proof of authority.
Protecting and defending our rights and interests
Where necessary to protect or defend our rights and interests, defend against legal claims, resolve disputes, respond to what we consider to be incorrect or misleading information provided to a media outlet, or enforce our agreements, we reserve the right to share personal data with regulators, external legal advisors, debt recovery and tracing agencies, and media outlets.
Information Security and Loss Prevention
We may be required to use and retain personal data in order to protect our rights, information, privacy, safety, or property, or those of other persons in accordance with our legitimate interests, or in some instances, with our legal obligations. For example, we are legally obliged under data protection law to secure and protect the personal data of customers, employees and all other individuals whose personal data we use.
Restructuring
If ownership of all or part of our business changes or we undergo a reorganisation or restructure, we will transfer your personal data to the new owner or successor company so we or they can continue to provide the Services you have requested.
Financial Reporting and Analysis
In accordance with our obligations under company law and other similar regulations we are required to keep a record of your transactions in order to maintain proper financial records to meet and to ensure all transactions are being performed in accordance with the Terms and Conditions of our Services.
We utilise data including transaction records, staking and behavioural trends, and financial specifics exclusively for the purpose of accurate financial reporting. These data points enable us to evaluate tombola's financial health, identify trends, and make informed strategic decisions to enhance our operations.
In some instances, we may share anonymized and aggregated data with our parent company (Flutter) and trusted consultants, all operating under stringent confidentiality constraints. This collaborative effort contributes to strategic planning and informed decision-making across the organization. Any shared data will be either stripped of personal identifiers and therefore cannot be linked back to individual users or be pseudonymised.
Chat Rooms, Messaging and Community Forums
A number of our Services provide features including game chat rooms, messaging Services, and community forums for collaboration, peer connection, games, and information exchange purposes. Depending upon the Service, the personal data you choose to post, share, upload, or make available may be public and visible to others who use those Services. You should never post or share any information that is confidential or about others unless you have permission to do so. We may use information you provide in community and event profiles and forums to personalise your experience and to make content and peer connection recommendations. These Services may have their own Terms of Use.
3.11.3. The purpose and legal basis for processing your personal data
Purpose | Categories of Personal Data | Legal basis |
Information/Disclosure Requests and Regulatory Submissions Responding to valid requests from courts, law enforcement agencies, regulatory agencies, auditors, and other public and government authorities, or submitting information to regulatory agencies. | Any personal data held, as required to meet the purpose
| Legal and regulatory obligations |
Protecting and defending our rights and interest Responding to incorrect or misleading claims in media outlets or other public fora | Any personal data held, as required to meet the purpose
| Legitimate interests Legal and regulatory obligations |
Information Security and Loss Prevention Protecting our rights, privacy, safety, or property, or those of other persons in accordance with our legitimate interests. | Registration Information Gaming and Transactional Information Device Information Correspondence with Customer Experience
| Legitimate interests Legal and regulatory obligations |
Restructuring Transferring your personal data to the new owner or successor company so we or they can continue to provide the Services you have requested. | All personal data held | Legitimate interests |
Financial Reporting and Analysis Maintaining financial records in accordance with company law | Registration Information Gaming and Transactional Information Information derived from profiling and Analysis
| Legal and regulatory obligations |
Chat rooms, messaging, and community forums Provide chat, messaging and forum functionality as a component of certain elements of our Services | Registration Information Device Information (Your posts and comments on these Services) | Legitimate interests |
Reporting and Analysis Aggregated statistics and analysis of chat data | Gaming and Transactional Information Forum Posts and In-Game Comments | Legitimate interests |
3.11.4. Who we share your personal data with
- Courts, law enforcement agencies, regulatory agencies, and other public and government authorities.
- News and media outlets.
- Other companies within the Flutter Group who provide support services as part of the Flutter Group’s UK&I division.
- If ownership of all or part of our business changes or we undergo a reorganisation or restructure, we may transfer your personal data to the new owner or successor company so we or they can continue to provide the Services you have requested.
4. GENERAL PROCESSING INFORMATION
This section provides you with some other important information you need to be aware of in relation to how we use your personal data, including information on how we share your personal data with the Flutter Group, international transfers of your personal data, how we keep your personal data secure and how long we need to keep your personal data for. Click any of the topics below for more details.
4.1 Group sharing
As explained in the About the Flutter Group section above, tombola is part of the wider Flutter Group and sits within the UK&I division.
We have explicitly called out a number of specific situations in this Privacy Notice where the Flutter Group companies may use your information, including where Sky Betting & Gaming, Poker Stars, Paddy Power and/or Betfair are providing support to tombola as part of the UK&I division’s operations and to other Flutter Group members for marketing purposes, customer services purposes, the prevention of crime, helping to reduce gambling related harm, the provision of staking and gaming services, and to meet legal and regulatory obligations.
Additionally, we may share personal data with the Flutter Group as part of our group internal reporting and assurance in order to facilitate business efficiency and improvements including, but not limited to research across our group, testing of systems and/or suppliers, risk management, the provision of technology, finance or security support, and the development of new products and tools.
We may also in the future share personal data with other members of the Flutter Group for purposes that are related to and compatible with those set out in this Notice. Finally, where we are required by law or regulation to share personal data to members of the Flutter Group for reasons beyond those set out in this Notice, we will be required to do this.
4.2 International transfers
Some of the third-party providers we use, as well as companies within the Flutter Group, are based in, or carry out their activities in, countries outside the European Economic Area (‘EEA’) and/or outside the UK.
Countries outside the EEA and UK do not always have strong data protection laws. This means that, unless your personal data is being transferred to a country where the European Commission or UK has determined there to be an adequate level of protection, we have to put in place additional protections to ensure that your personal data is protected to the same level as it is within Europe or the UK.
We put these additional protections in place by using standardised contractual clauses that have been approved by the European Commission (for transfers outside the EEA) and the Information Commissioner’s Office (for transfers outside the UK). Where necessary, we also put in place any additional contractual measures required by local law in any of the countries in which we operate. As and when required, we will also put additional technical or organisational measures in place to ensure that your data is kept safe.
4.3 Keeping your personal data secure
We recognise that online security and data protection is an area of vital importance for all our customers, so it is important to us that you have confidence in the security of your personal details before you register an account. We are committed to employing security measures to protect your information from access by unauthorised persons and to prevent accidental or unlawful processing, disclosure, destruction, loss, alteration and damage. Our technological security solutions are very advanced and are governed by a mature framework. Our approach is focused on preventing risks. In order to help us in this regard, we employ pseudonymisation and encryption whenever possible to reduce the impact of any potential incidents. As the security of some communications via the internet is not completely secure, we cannot guarantee the security of any information that you disclose using your internet connection. You accept the inherent security implications of using the internet and the Group will accept no liability for any direct, consequential, incidental, indirect, or punitive losses or damages arising out of such an occurrence.
4.4 How long we keep your personal data for
A key principle of data protection is ‘storage limitation’, which means that organisations should only hold onto your personal data for as long as is needed.
At tombola, we have taken steps to ensure that we hold your personal data only as long as we have a valid legal basis or reason to do so, which includes providing you with the Services you have requested, meeting our legal and regulatory obligations, resolving disputes and enforcing our agreements.
The length of time for which we keep different types of personal data can vary, depending on why we originally obtained them, the reason we process them and the legal requirements that apply to them. When setting our data retention and deletion timescales we take into account a range of factors including applicable regulations and standards relating to gambling and gaming, anti-money laundering, taxation, payment processing and complaint handling, the need to prevent or detect crime or other misuses of our Services, and audit requirements.
To fulfil our requirements, some of your personal data will need to be retained for a period of time after you cease to be a customer. When we no longer need it to fulfil the purposes and legal bases set out in this Notice, we delete it securely. Subject to us not having a legal or regulatory requirement or a risk management reason for retaining your information for a longer period, your information will not be kept for longer than 7 years from your last login or expiry of a self-exclusion. This allows us to meet our record-keeping obligations in applicable legislation, as well as allowing us to defend ourselves against potential legal claims.
Please note that if you opt to apply an exclusion to your account, your data will be retained for the period of that exclusion, plus a further seven years from the date of the expiry of that exclusion.
In certain circumstances we may be required to retain your information indefinitely. For example, where you elect to permanently exclude yourself from accessing our Services under our procedures on Safe Play, we are obliged to retain your data indefinitely to prevent you from creating new accounts.
We will take all necessary steps to ensure that the privacy of information is maintained for the period of retention. Where we wish to retain any information for analysis purposes, we first anonymise it to the standards approved by the UK Information Commissioner’s Office, so that it can no longer be linked back to an individual.
5. YOUR DATA SUBJECT RIGHTS
Under data protection law, you have a number of rights which are detailed below. We want to be clear about what those rights mean in practice and how you can exercise them. Please note that some of these rights only apply in specific circumstances and are qualified in several respects by exemptions in Data Protection legislation. We will advise you in our response to your request if we are relying on any such exemptions.
For any queries related to your personal data or any of your rights referenced below, please feel free to contact us at: [email protected] or telephone free on 0800 298 8873.
5.1 Access
You have a right to request a copy of the personal data that we hold about you. Should you wish to make such a request, you should submit a request to [email protected].uk.
You will be asked to provide adequate information to identify yourself such as a copy of your photographic identification (ID Card, Driving License or Passport) and any other relevant information such as your account username and email address that will assist us in fulfilling your request.
We may also ask you to complete and return a form, which is not compulsory but helps us to help you by providing the information you are looking for.
Where you request a copy of your personal data, you will be provided with:
- Your personal details that you provided to us upon registration;
- A copy of all deposits and transactions;
- A copy of your interactions with Customer Experience (including live chats, emails, calls, complaints and notes);
- Information on the Safe Play self-help tools that you have used (if any);
- Marketing and opt-out information.
If there is additional information that you believe we hold on you, please let us know and we will gladly investigate further.
We will fulfil requests wherever possible, but there are occasional situations in which the law requires or permits us to withhold some information (such as where it would involve disclosing information about another person or information which is commercially sensitive), If either of these applies, we will explain this to you.
We will provide our response within one month however if your request is unusually complex and likely to take longer than a month, we will inform you of this and how long the request will take to complete.
5.2 Rectification
You can request us to rectify and correct any personal data that we are processing about you that you believe is incorrect. To make things easier, we provide you with account settings and tools to access the information associated with your account.
You can update your personal details at any time by visiting your ‘My Account’ section online.
If it is something you cannot correct yourself online, such as your name or date of birth (which, for identity verification, account security and fraud prevention reasons, cannot be changed using self-service methods), you should contact our Customer Experience team. Alternatively, please email [email protected].
We’ll update inaccuracies promptly, and within a month if you are requesting a more complex change. If we take the decision not to make a change you have requested, we will explain why and make a note on your account to show that you requested the change. If you disagree with our decision, you have the right to complain to the regulator.
5.3 Erasure, or 'Right to be Forgotten'
You have the right to request us to erase your personal data where we have no compelling reasons to continue storing or processing your data, and specifically, where one of the following grounds applies:
- Where the courts or our regulators have found us to be processing it unlawfully;
- Where our original purpose for collecting the data has been completed and we have no other valid legal grounds for continuing to hold it;
- Where you have withdrawn your consent for processing and asked us to delete the information we previously used for those purposes; or
- Where you have successfully exercised your ‘right to object’ and there are no overriding legitimate grounds to continue processing.
Please note this right only applies in certain circumstances, it is not a guaranteed or absolute right. Personal data on our customers is retained for as long as is reasonably required for our legitimate legal purposes. These include, but are not limited to;
- Anti-Money Laundering/Counter-Terrorist Financing
- Defence of legal claims
- Safe Play
- Taxation
As is outlined in the How long we keep your personal data for section we have legal obligations and other lawful reasons to retain your data after your account is inactive. Generally, your data will be retained for a period of 7 years, so, if you request your data to be erased during this time, we may not be able to uphold your request.
If you still wish to exercise your right, you should contact us on [email protected]. Alternatively, please contact our Customer Experience team.
We will respond to your request within a month, and if we uphold your request and erase your data we will also notify any third parties to which the data has been passed, where we are able to do so, and tell you who they are. If we do not uphold your request, we will tell you why. If you disagree, you have the right to complain to the regulator.
5.4 Restriction
You have the right in certain circumstances to request that we suspend our processing of your personal data, where one of the following grounds applies:
- The accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
- The processing is unlawful, and you oppose the erasure of the personal data and requests the restriction of their use instead;
- We no longer need your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
- You have objected to processing that we perform on the basis of our legitimate interests, and we are verifying whether our legitimate grounds override yours as a data subject.
Where we suspend our processing of your personal data, we will still be permitted to store your personal data, but any other processing of this information will require your consent, subject to certain exemptions.
Where you have obtained the restriction of processing you will be informed by us before the restriction of processing is lifted.
In order to make a request for the restriction of your processing, please contact us on [email protected].Alternatively, please contact our Customer Experience team.
You will receive a response within one month.
5.5 Portability
The right of portability allows you to re-use some of your personal data online by making it available in a commonly used, machine-readable format that can be passed to and used by other organisations. This right applies to data that you have provided to us with your consent, or which was necessary for us to provide you with our products and Services.
You may also have the right to have your personal data transferred by us directly to the other organisation if this is technically feasible.
This is a new initiative, and it is not yet possible to ‘port’ data directly between providers in the betting and gaming industry. If you wish to exercise this right, you should submit your request to [email protected] . Alternatively, please contact our Customer Experience team here and we will provide you with the following information as a CSV file:
- the personal and contact details held in your online account
- your gaming history
- a list of payments made, and funds withdrawn
Before responding to your request, we will ask you to provide valid proof of identity, and we will provide our response within one month of receiving it.
In future, it may become possible to transfer (or ‘port’) data directly between organisations. In the meanwhile, if you would like to take your tombola data to another provider you should first check that your chosen provider is able to upload data from a CSV file before making your request as above and passing the file to the provider yourself.
5.6 Object
You have the right to object to our use of your personal data which is processed on the basis of our legitimate interests. However, we may continue to process your personal data, despite your objection, where there are compelling legitimate grounds to do so or where we need to process your personal data in connection with any legal claims.
To exercise your right to object please contact us on [email protected]. Alternatively, please contact our Customer Experience team here and we will respond to you within one month. If we refuse to uphold your request and disagree with our decision on this, you have the right to complain to the regulator.
5.7 Rights relating to automated-decision-making and profiling
You have the right not to be subject to a decision which is based solely on automated processing (without human involvement) where that decision produces a legal effect or has a similarly significant affect on you. This right does not apply where you have provided your explicit consent for us to use your data in this way, where the decisions are needed to enter or perform a contract with us (for example, the terms and conditions of our Services), or where the decision is needed to meet our legal or regulatory obligations.
Where the decisions are made based on your explicit consent, or they are needed to enter or perform a contract with us, you have the right to request human involvement in the decision, to express your point of view or to contest the decision made.
If you have any concerns in relation to automated processing that we may perform you can contact us at any time.
5.8 Rights to complain to the regulator
If you believe your data protection or privacy rights have been infringed, or you disagree with a decision we have made about your data protection or privacy rights, you have the right to complain to the data protection regulator for the jurisdiction in which you are based
United Kingdom: Information Commissioners Office – http://ico.org.uk
Spain: Agencia Espanola Proteccion Datos – https://www.aepd.es
Italy: Garante per la Protesione dei Dati Personali – https://garanteprivacy.it
Denmark: Datailsynet – https://www.datatilsynet.dk
Netherlands: Autoriteit Persoonsgegevens – https://www.autoriteitpersoonsgegevens.nl/
Sweden: Integritetsskydds myndigheten – https://www.imy.se