Legal
Privacy Policy
What we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over your data.
Last updated
1. Who we are
Ultimate Poker Holdings N.V. (“we”, “us”) is the controller of the personal data described in this policy. Our registered office is at Heelsumstraat 51, E-Commerce Park, Curaçao. You can reach our privacy team at legal@theultimatepokergame.com.
2. Scope
This policy explains how we handle personal data when you visit our marketing site, register an account, deposit, play, contact us, or interact with any other part of the Service. It does not cover third-party websites we link to.
3. Personal data we collect
We collect only what we need to operate a regulated poker service. Specifically:
3.1 Account data
- Email address, password hash, screen name.
- Two-factor authentication secrets (where you enable them).
- Sign-in timestamps, IP addresses, user-agent strings, device identifiers.
3.2 Identity (KYC) data
- Full legal name, date of birth, residential address, nationality.
- Government-issued photo ID images (passport, driver’s licence, national ID).
- Selfie / liveness video.
- Proof-of-address documents (utility bill, bank statement).
- Source-of-funds documents when required (payslips, bank statements, sale contracts).
3.3 Financial data
- Deposit and withdrawal records (amount, method, instrument identifier).
- Crypto wallet addresses you use to deposit or withdraw.
- Last four digits and brand of any card used.
- Bank account number / IBAN for wire transfers.
3.4 Gameplay data
- Hands played, decisions made, results, hand histories.
- Tournament entries, finishes, prize amounts.
- Chat messages at the table and in support.
- Session length, table choices, lobby filters.
3.5 Responsible-gambling data
- Limits you set, self-exclusion status, self-assessment quiz interactions (server-side analytics only — answers are not retained).
- Sign-up declarations (age, jurisdiction).
3.6 Support and correspondence
- Emails you send us and our replies.
- Tickets submitted through the contact form.
- Phone or chat transcripts where applicable.
4. Why we collect it (legal bases)
For each category, the lawful basis under GDPR (Article 6) and equivalent Curaçao law:
| Purpose | Lawful basis |
|---|---|
| Operate your account, take deposits, pay winnings | Contract (Art. 6(1)(b)) |
| Verify your identity (KYC) | Legal obligation (Art. 6(1)(c)) |
| AML monitoring, sanctions screening | Legal obligation |
| Fraud prevention, account-takeover defence | Legitimate interests (Art. 6(1)(f)) |
| Responsible-gambling monitoring | Legal obligation + legitimate interests |
| Marketing communications | Consent (Art. 6(1)(a)), withdrawable at any time |
| Cookies (essential) | Legitimate interests |
| Cookies (any non-essential, if ever introduced) | Consent |
5. Who we share it with
We share personal data only with third parties that are necessary to deliver the Service, and only the minimum required.
- Sumsub — KYC and AML screening (identity documents, selfie, AML watchlist match).
- NOWPayments — cryptocurrency deposit and withdrawal processing.
- Banking partners — for bank wire deposits and withdrawals (name, account number, amount, reference).
- Email infrastructure — transactional and marketing email delivery (email address, name, message content).
- Customer support tooling — to manage tickets and chats (email, account ID, ticket content).
- Hosting and infrastructure — encrypted at rest, in a country meeting Curaçao adequacy.
- Professional advisers — legal counsel, auditors, accountants under confidentiality.
- Regulators and law enforcement — where required by law or to comply with a binding order.
We do not sell personal data. We do not run advertising trackers on the marketing site.
6. International transfers
Some processors operate outside Curaçao. Where personal data is transferred, we use standard contractual clauses or equivalent safeguards and limit data to what is strictly necessary.
7. Retention
We retain personal data for as long as we are legally required to and no longer than necessary for the purpose for which it was collected. See the Data Retention Schedule for category-by-category periods. KYC and financial transaction records are typically retained for seven (7) years from account closure; hand histories for seven (7) years for game-integrity purposes.
8. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Receive a copy in a portable format.
- Correct inaccurate data.
- Erase data where there is no overriding legal basis to retain it (notably AML retention obligations).
- Restrict processing in certain circumstances.
- Object to processing based on legitimate interests.
- Withdraw consent (for marketing).
- Complain to a supervisory authority — the Curaçao data protection authority is the first port of call for players whose data we control.
To exercise any of these rights, email legal@theultimatepokergame.com. We respond within 30 days. We may need to verify your identity before disclosing data.
9. Automated decision-making
We use automated tools for fraud detection, sanctions screening, and responsible-gambling monitoring. Where an automated decision produces legal or similarly significant effects (such as a withdrawal hold), a human reviewer is involved before action is taken.
10. Security
Personal data is encrypted in transit (TLS 1.3) and at rest (AES-256 volumes, with envelope encryption for KYC and payment-instrument metadata). Access is limited to staff who need it and is logged. See our Security page.
11. Children
The Service is restricted to adults. We do not knowingly collect personal data from anyone under 18. If you believe we have, contact legal@theultimatepokergame.com and we will delete it.
12. Changes
We will post any material change at least seven (7) days before it takes effect and notify registered users by email.
13. Contact
Privacy questions: legal@theultimatepokergame.com.