Scope, controller status, and regulatory context

This Privacy policy sets out the principles and rules governing the processing of personal data in connection with Pelican Casino and its website at pelicancasinogames.com, including access, account functionality, and related services. The document is intended for a global audience and is written to reflect generally applicable data protection standards, including transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability as reflected in the GDPR framework where relevant. Where local law imposes higher or additional requirements, those requirements prevail to the extent applicable, and this document is interpreted accordingly. This text applies to personal data processed through the website, associated communications channels, and operational systems used to support lawful service delivery.

Pelican Casino acts as a data controller for the personal data processed for its own purposes and may act as a joint controller or processor for specific activities where third party services determine or co determine means and purposes. The allocation of roles is determined by the factual circumstances of each processing activity and by contractual arrangements, including data processing agreements where required. This document does not address third party sites that may be linked from the website, as those third parties determine their own privacy practices. Any interaction with external providers is subject to their own notices, and responsibility is limited to the extent required by applicable law and contract. The present policy is drafted to support compliance oversight, audit readiness, and demonstrable governance for data protection obligations.

Definitions, interpretation, and application

For the purposes of this policy, personal data means any information relating to an identified or identifiable natural person, including identifiers, online identifiers, or factors specific to identity. Processing means any operation performed on personal data, whether automated or not, including collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, disclosure, or erasure. Special category data refers to data revealing racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data used for identification, health data, or data concerning sex life or sexual orientation, recognising that regulatory definitions may vary by jurisdiction. Where the term GDPR principles is used, it refers to a standard of safeguards and governance applied as a benchmark when local law does not provide a more specific framework.

This Privacy policy applies to individuals who access the website, create accounts, participate in verification procedures, submit requests, or otherwise interact with Pelican Casino through customer support, compliance channels, or transactional processes. The policy governs processing carried out in the context of offering services to individuals in multiple jurisdictions and includes processing necessary for security monitoring, fraud prevention, and compliance with legal obligations. Where a conflict arises between this policy and mandatory law, the mandatory law prevails, while the remainder of the policy continues to apply. Interpretation shall favour lawful, fair, and transparent outcomes, and shall not be construed as waiving statutory rights. The policy is designed to be read together with cookie disclosures, security notices, and any jurisdiction specific addenda that may be published.

Categories of personal data processed

Personal data may include identification and contact information such as name, date of birth, postal address, email address, telephone number, and account identifiers. It may also include verification and due diligence records, including copies of identity documents, proof of address, and outcomes of screening checks conducted to meet legal and regulatory requirements. Transaction and payment related data may be processed, including deposit and withdrawal records, payment instrument tokens, partial card numbers, bank account details where applicable, chargeback indicators, and transaction timestamps. Technical data may include IP address, device identifiers, browser characteristics, operating system, language settings, and logs relating to authentication and access events.

Depending on applicable law and the nature of services used, Pelican Casino may process data associated with responsible participation measures, risk scoring, self exclusion status, and related compliance assessments. Communications data may include correspondence with support, records of complaints, dispute submissions, and call or chat logs where recording is lawful and proportionate. Preference data may include settings selected in the account and consent choices for optional features, including marketing preferences where permitted. The service is not intended for children, and data relating to persons under 18 years of age is not knowingly collected, with age thresholds adjusted where local law sets a higher minimum. Where special category data is incidentally provided within a support interaction, it will be handled with strict access controls and processed only to the extent necessary to address the request and comply with law.

Operational sources and methods of collection

Data is collected through operational interactions when an individual registers an account, submits verification materials, initiates transactions, or contacts support, and such collection is necessary to provide and secure the service. Technical data is collected through server logs and security tooling as part of maintaining availability, detecting malicious activity, and ensuring integrity of access controls. Data may also be generated by the service, including unique account identifiers, authentication records, and risk flags arising from compliance screening and fraud detection. Collection occurs through web forms, secure upload workflows, application programming interfaces used to process payments, and automated signals derived from device and session behaviour.

Data may be obtained from third parties where legally permitted and proportionate, such as payment service providers, identity verification providers, fraud prevention vendors, and regulatory or law enforcement bodies. Public sources and sanction lists may be used to conduct screening required by anti money laundering and counter terrorism financing obligations, with screening parameters designed to minimise erroneous matches. Information may also be received from dispute resolution channels or card schemes in the event of a chargeback or contested transaction. Where third party data is used, Pelican Casino takes steps to ensure the source is legitimate and that appropriate contractual and organisational safeguards are in place. If personal data is provided about another person, responsibility remains with the disclosing party to ensure a lawful basis exists, and the data will be processed only to the extent strictly required.

Legal bases for processing

Processing is carried out on one or more lawful bases recognised under applicable law and aligned with GDPR principles where relevant, including performance of a contract, compliance with legal obligations, legitimate interests, and consent for optional processing. Contractual necessity applies where data is required to create and administer an account, process deposits and withdrawals, provide customer support, and maintain transactional records. Legal obligations apply to identity verification, age assessment, anti fraud controls, anti money laundering procedures, tax or accounting duties, and responses to legally binding requests by competent authorities. Legitimate interests may be relied upon for security monitoring, service improvement, prevention of misuse, and protection of legal claims, subject to balancing against individual rights and expectations.

Consent is used where required for certain cookies, optional analytics, and certain communications, and it may be withdrawn at any time without affecting processing already carried out on a lawful basis. Where consent is withdrawn, related processing will be discontinued within a reasonable operational timeframe and subject to any legal obligation to retain records. Where sensitive verification steps are required by law, processing is not dependent on consent because refusal may prevent the service from being lawfully provided. Pelican Casino maintains records of legal basis assessments and applies data protection by design and by default to limit processing to what is necessary. Where a change in purpose occurs, compatibility assessments and updated notices are used as required.

Purposes of processing and functional accountability

Personal data is processed to establish and manage accounts, authenticate access, provide requested services, and ensure that transactions are accurately recorded and executed. It is also processed to conduct identity verification, age assessment, and screening steps required for regulatory compliance and prevention of unlawful activity. Security and integrity purposes include detection of unauthorised access, account takeover attempts, bot traffic, and fraud patterns, including review of login events and device signals. Administrative purposes include handling support requests, managing complaints, documenting outcomes, and maintaining service communications necessary for operational continuity.

Pelican Casino may process personal data to meet governance and risk requirements, including internal audits, incident response, and maintenance of evidence for disputes and legal claims. Where permitted by law, limited processing may be used to evaluate service performance and to improve reliability, including analysis of aggregated or pseudonymised data. If optional communications are enabled, contact details may be used to send information consistent with the selected preferences and applicable consent requirements. Processing is designed to reduce data exposure by applying role based access controls and restricting internal use to personnel with a demonstrated need. Where automated decision making is used for security or fraud prevention, it is applied with safeguards intended to minimise false positives and to support review mechanisms.

Retention periods and deletion standards

A retention schedule is applied to ensure that personal data is stored only for as long as necessary for the purposes described and to comply with legal obligations. Account and transactional records are generally retained for 5 years following account closure or the last transaction, where such retention is required for financial, anti money laundering, or audit obligations, subject to jurisdiction specific rules. Verification records may be retained for up to 5 years after the end of the business relationship or completion of an occasional transaction, where required by anti money laundering frameworks. Security logs are retained for a shorter period, commonly between 90 days and 12 months, unless extended retention is necessary to investigate incidents or support legal claims.

Where a dispute, chargeback, complaint, or regulatory inquiry is ongoing, retention may be extended until final resolution and for an additional limitation period where necessary to protect legal rights. Data minimisation controls are applied during retention, including truncation, tokenisation, or pseudonymisation where feasible, to reduce exposure while preserving evidential value. When retention expires, data is deleted, anonymised, or securely archived in a manner that prevents further routine processing, subject to legal hold procedures. Backups may persist for a limited period consistent with disaster recovery requirements, and they are protected with access restrictions and encryption. Requests to erase data will be assessed against overriding legal obligations and legitimate grounds for retention, and refusals will be reasoned and documented.

Cookies, device identifiers, and online tracking

This Privacy policy is supplemented by cookie disclosures describing how technical identifiers and similar technologies are used to support website functionality. Cookies and comparable technologies may be used to maintain sessions, preserve security states, prevent fraud, and enable core features necessary for the operation of the service. Where analytics or personalisation cookies are used, they are subject to applicable consent requirements, and consent signals are honoured in accordance with the jurisdictional rules relevant to the visitor. Device and browser data may be processed to detect anomalies, enforce rate limiting, and reduce automated abuse, with controls designed to avoid intrusive profiling beyond what is necessary.

Identifiers may include cookie IDs, advertising or device identifiers where supported by the device, and event metadata reflecting navigation or interaction patterns. Pelican Casino does not seek to infer sensitive attributes from browsing behaviour and limits tracking to purposes compatible with security, compliance, and service provision. Where third party tags are used, the selection is restricted to providers that offer appropriate contractual safeguards and transparency regarding their own processing. Retention of cookie data varies according to purpose, with some session identifiers expiring when the browser is closed and others persisting for defined periods such as 30 days or 180 days. Preferences may be changed by adjusting consent settings and browser controls, acknowledging that blocking strictly necessary cookies may affect service availability.

Disclosure to service providers and authorities

Personal data may be shared with carefully selected processors and independent controllers as necessary to provide the service, maintain security, and comply with legal obligations. Recipients may include payment processors, banking partners, identity and age verification providers, fraud prevention vendors, hosting and cloud infrastructure providers, customer support tooling providers, and professional advisers such as auditors and legal counsel. Disclosure is limited to the minimum required dataset, and contractual measures are used to impose confidentiality, security, and purpose limitation obligations. Where a vendor acts as a processor, processing is governed by written instructions and audit or assurance rights, and the vendor is required to notify relevant incidents without undue delay.

Personal data may be disclosed to regulators, law enforcement, courts, or competent authorities where a legally binding request is received or where disclosure is necessary to establish, exercise, or defend legal claims. Disclosures are assessed for validity, scope, and proportionality, and the response is limited to what is legally required. Where permitted, affected individuals may be notified of disclosures, except where prohibited or where notification would undermine an investigation. Business restructurings may involve transfer of data as part of due diligence and transaction execution, subject to confidentiality obligations and continued application of this policy. Pelican Casino does not sell personal data and does not permit recipients to use personal data for their own unrelated marketing purposes without a lawful basis.

International transfers and cross border safeguards

Given the global audience, processing may involve cross border transfers of personal data to jurisdictions where Pelican Casino or its vendors maintain operations. Transfers are implemented with safeguards designed to provide a level of protection essentially equivalent to the origin jurisdiction when such requirements apply. Safeguards may include standard contractual clauses, data processing agreements, vendor risk assessments, and supplementary technical measures such as encryption with key management controls. Where an adequacy decision or equivalent legal mechanism is available, it may be relied upon in accordance with applicable law.

Transfer impact considerations include the nature of the data, the purpose of the transfer, access control arrangements, and the legal environment of the recipient country. Where enhanced protections are necessary, additional measures such as pseudonymisation, strict access logging, and separation of duties are implemented. Cross border incident response procedures are designed to ensure timely containment, investigation, and notification obligations where required. Data subjects may request information about applicable transfer safeguards, subject to limitations necessary to protect security and confidentiality of contractual terms. International transfers are reviewed periodically and when material changes occur to vendors, processing purposes, or legal requirements.

Security controls and incident management

Security of processing is approached through risk based measures calibrated to the sensitivity of the data and the likelihood and severity of potential harm. Organisational measures include access governance, confidentiality obligations, staff training, segregation of duties, and role based access control with periodic reviews. Technical measures may include encryption in transit using modern protocols, encryption at rest where appropriate, multi factor authentication for administrative access, and continuous monitoring of critical systems. Vulnerability management, patching, and configuration hardening are applied in line with internal standards, and external providers are expected to maintain comparable safeguards.

Pelican Casino applies security testing and assurance practices to support a target of 99.9% service availability where operationally feasible, while recognising that availability metrics do not guarantee uninterrupted access. Incident response procedures define detection, containment, eradication, recovery, and post incident review steps, with escalation paths and documented decision making. Where a personal data breach occurs, the assessment considers risk to rights and freedoms and determines whether notification to supervisory authorities and affected individuals is required. Where notification is required, it is performed without undue delay and within statutory deadlines where applicable, such as 72 hours under GDPR aligned rules. Records of incidents and remedial actions are maintained to support accountability and continuous improvement.

Rights of individuals and how requests are handled

This Privacy policy recognises the rights afforded under applicable data protection laws, which may include the right of access, rectification, erasure, restriction, data portability, and objection, as well as rights related to automated decision making where relevant. The scope of rights depends on the individual’s jurisdiction, the legal basis relied upon, and the nature of the processing. Requests are handled through identity verified channels to prevent unauthorised disclosure and to protect account security, and additional information may be requested where necessary to confirm identity. Where a request concerns data subject to legal retention obligations, the response will explain the limitation and the lawful grounds for continued storage.

Operationally, Pelican Casino aims to respond to valid requests within 30 days of receipt, with permissible extensions where requests are complex or numerous and where the law allows such extensions. Where an extension is necessary, reasons and expected timelines are communicated in accordance with applicable requirements. Where consent is the basis for a processing activity, withdrawal will be respected, while processing necessary for contract performance or legal compliance may continue. Individuals may lodge a complaint with a competent supervisory authority where they consider that processing infringes applicable law, and they may seek judicial remedies where available. Records of requests are retained for an appropriate period, such as 24 months, to evidence compliance and to prevent abuse of the request process.

Additional transparency for casino Pelican operations

Operational compliance within casino Pelican environments may require enhanced verification, monitoring, and record keeping to meet licensing, fraud prevention, and financial integrity expectations. In casino Pelican workflows, identity verification providers may be engaged to validate documents, confirm age thresholds, and check consistency of registration data against authoritative sources. Payment processing in casino Pelican contexts may involve tokenisation and third party risk controls that reduce direct handling of full payment instrument data by Pelican Casino. Support interactions for casino Pelican services may be logged to evidence complaint handling, responsible participation actions, and security decisions, subject to lawful recording standards.

Where responsible participation measures are applied in casino Pelican processes, data may be used to implement limits, self exclusion, or harm prevention interventions required by law or policy. Such processing is designed to be proportionate and to avoid using data for unrelated purposes, with access restricted to authorised compliance and support staff. Where local rules impose specific reporting or audit obligations on casino Pelican activities, disclosures may be made to competent authorities within the prescribed scope. Data used for these functions is retained in line with the retention section and is subject to strict confidentiality and integrity safeguards. Where an individual challenges a compliance decision, Pelican Casino will document the review and apply governance controls to ensure fair handling.

Contact channels, verification, and procedural requirements

Data protection enquiries and requests may be submitted through the contact channels published on pelicancasinogames.com, and submissions should include sufficient detail to enable identification of the relevant processing activity. Identity verification is required before account data is disclosed, corrected, or erased, and verification may involve matching account details and requesting additional documentation proportionate to the risk. Where an authorised agent submits a request, proof of authority may be required, such as a signed authorisation, and additional safeguards may be applied to prevent fraudulent requests. Communications are handled with confidentiality and are logged for compliance purposes, with access restricted to personnel involved in privacy, security, or legal functions.

Where requests are manifestly unfounded or excessive, Pelican Casino may charge a reasonable fee or refuse to act, consistent with applicable law, and reasons will be provided. If a request concerns technical identifiers or cookie consent, guidance may be provided on how to adjust settings, while recognising that certain identifiers are strictly necessary for security and session management. If an individual seeks copies of data, the response will be provided in a commonly used electronic form where feasible, unless otherwise requested and legally permissible. Where third party data is implicated, disclosures may be limited to protect the rights of others and to preserve trade secrets and security controls. Request handling is designed to meet accountability standards and to ensure consistent outcomes across jurisdictions.

Amendments, governance, and Privacy policy updates

This Privacy policy is maintained as a controlled compliance document and may be amended to reflect changes in law, regulatory guidance, security practices, operational processes, or vendor arrangements. Updates may also be required following audit findings, incident learnings, or changes in the services offered through pelicancasinogames.com, with governance approvals recorded to support accountability. Where changes materially affect rights or the manner in which personal data is processed, Pelican Casino will provide an appropriate notice through the website or account channels and, where required, will seek renewed consent for activities that depend on consent. The effective date of revisions will be indicated within the policy publication context, and prior versions may be retained for a limited period to evidence compliance evolution.

This Privacy policy confirms an ongoing commitment to lawful, fair, and transparent processing, including adherence to data minimisation and storage limitation, and to implementing proportionate technical and organisational measures. Where individuals submit requests or complaints concerning the Privacy policy, the matter will be assessed under applicable law, with internal escalation to privacy and legal functions as needed, and with documented outcomes. Responses to verified requests are intended to be issued within 30 days, subject to lawful extensions, and urgent security related matters may be prioritised where risk indicates. If jurisdiction specific requirements impose different timelines, such timelines will be applied without reducing statutory protections, and any limitation will be explained with reference to the applicable legal basis. Continued use of the website after an update is treated as acknowledgement of the published terms only to the extent permitted by law, and it does not override consent requirements or mandatory rights. This policy amendment procedure is intended to preserve regulatory alignment across a global audience while maintaining consistent safeguards for personal data.