Skip to main content
Legal

GDPR Compliance

Last updated April 18, 2026

This statement explains how Gamblish complies with the General Data Protection Regulation (GDPR) when processing personal data of individuals in the European Economic Area (EEA). Gamblish operates an online gaming platform and is committed to protecting your data rights under applicable law.

Legal Basis for Processing

  • Contract , Processing your account data, wallet balance, and transactions is necessary to provide the gaming services you registered for.
  • Legal obligation , Gambling regulations and anti-money laundering laws require us to verify identity, record transactions, and retain gaming records for a minimum of 7 years.
  • Legitimate interests , Error monitoring (Sentry), fraud prevention, and platform security. We balance these interests against your privacy rights.
  • Consent , Push notifications (Firebase Cloud Messaging) and promotional emails are only sent with your explicit opt-in consent.

Data We Process

  • Identity data , Name, email address, avatar, account role and status
  • Location data , Country, city, postal code, coordinates (required for jurisdictional gambling compliance)
  • Financial data , Wallet balance, deposit/withdrawal history, payment processor references (Stripe, PayPal, MTN, Orange, NowPayments). We do not store card numbers.
  • Gaming data , Wager history, game outcomes, session records, raffle participation
  • Technical data , IP address, browser type, device information, error logs (Sentry), session replay samples

Data Processors (Sub-processors)

Gamblish engages the following sub-processors:

  • Supabase Inc. , Database hosting (PostgreSQL), user authentication. Data stored in Supabase's cloud infrastructure.
  • Vercel Inc. , Website hosting and CDN.
  • Stripe Inc. , Card payment processing and payouts.
  • PayPal Holdings Inc. , Payment processing.
  • NOWPayments , Cryptocurrency payment processing.
  • Functional Software Inc. (Sentry) , Error tracking and performance monitoring.
  • Google LLC (Firebase) , Push notification delivery.
  • Resend Inc. , Transactional email delivery.

Data Retention

  • Account data , Duration of account plus 30 days after deletion request (soft-delete period), then permanently purged.
  • Transaction and gaming records , 7 years (regulatory requirement).
  • Audit trail , Immutable records retained indefinitely for regulatory compliance. These cannot be modified or deleted.
  • Error logs , 90 days (Sentry default retention).

Your GDPR Rights

  • Right of access (Art. 15) , Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) , Correct inaccurate data via account settings or by contacting us.
  • Right to erasure (Art. 17) , Request deletion of your data. Note: gambling regulations require us to retain transaction records for 7 years; erasure applies to non-regulated data only.
  • Right to restriction (Art. 18) , Request that we limit processing while a dispute is resolved.
  • Right to portability (Art. 20) , Request your data in a structured, machine-readable format (JSON).
  • Right to object (Art. 21) , Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7) , Withdraw consent for notifications or marketing at any time via account preferences.

To exercise your rights, email dpo@gamblish.com. We will respond within one month. Complex requests may be extended by two additional months with notice.

International Data Transfers

Your data may be transferred to and processed in countries outside the EEA. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, and only use sub-processors that maintain equivalent data protection standards.

Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (Art. 33). If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay (Art. 34).

Data Protection Officer

Our Data Protection Officer can be contacted at dpo@gamblish.com. The DPO oversees GDPR compliance, advises on data protection impact assessments, and acts as the contact point for supervisory authorities.

Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing infringes GDPR.

Contact

General inquiries: support@gamblish.com

Data protection: dpo@gamblish.com

Agent connected · 6 tools