Privacy Policy

Lottomart operates under Maple International Ventures Limited, registered at Suite 23, Portland House, Gibraltar GX11 1AA. Maple International Ventures Limited acts as the controller of personal data for the services described in this policy.
Processing takes place under data protection rules and the standards expected from a regulated operator under the Gibraltar Regulatory Authority. Internal rules require data minimisation, access controls, and documented procedures for security and compliance. Any questions related to this policy or personal data use can be raised through the platform support routes or by email to [email protected].

Lottomart collects information needed to support account access, service delivery, fraud prevention, and regulatory duties. Data may come from forms, documents, communication records, technical logs, or third-party sources used for compliance checks. Personal data categories may include the following:

• Identity information: Full name, date of birth, residential address, gender, proof of identity documents, proof of address documents, and verification status records.
• Contact information: Email address and mobile number used for login security, support contact, and account notices.
• Account and authentication data: Player ID, username, password, security settings, account preferences, and account status indicators.
• Financial and payment data: Deposit and withdrawal records, payment method details, payment network references, transaction timestamps, transaction amounts in GBP, chargeback details, and payment risk indicators.
• Gaming and purchase data: Lottery bet selections, ticket purchases, scratch card purchases, casino game participation, game transactions, wins and losses, and bonus claim history.
• Communication records: Live chat transcripts, email exchanges, call records where permitted, text messages, in-app messages, and interactions through public review channels or social platforms.
• Device and access data: IP address, device type, operating system, browser details, app version, language settings, cookies, and permitted tracking identifiers.
• Verification and compliance data: KYC checks, AML screening outcomes, sanctions screening results, PEP and close associate screening results, identity match results, address match results, and risk scores where used.
• Self-exclusion data for GB: GAMSTOP check results used to confirm national self-exclusion status during registration and periodic review.
• Public domain information: Information available publicly where lawful access exists and where use supports fraud prevention or compliance duties.
• Additional submissions: Any other information shared voluntarily during support conversations or supplied after a request for documentation.

Lottomart must rely on a valid legal basis to use personal data. Depending on the situation, processing may rely on one or more of the following:

• Consent: Permission given for specific purposes, primarily marketing communication and certain cookie categories.
• Contract performance: Actions required to provide platform services, manage accounts, and process deposits and withdrawals.
• Legal obligations: Duties related to regulated gambling services, AML controls, safer gambling frameworks, record retention, and reporting.
• Legitimate interests: Business needs such as fraud prevention, service security, account management, and improvement, where these interests do not override individual rights.

Where consent applies, consent withdrawal remains possible through account settings or support contact. Consent withdrawal does not change the lawfulness of processing that took place before the withdrawal.

Personal data supports regulated operations and practical account functions. Use depends on service type, account activity, and legal duties.

Registration, identity checks, and eligibility

Data supports age confirmation, identity checks, address checks, and eligibility verification for GB services. These checks help confirm that accounts belong to real individuals and meet legal age requirements. Legal grounds:

• Legal obligations
• Legitimate interests

Deposits, withdrawals, and account funding in GBP

Payment data supports deposit acceptance, withdrawal processing, refund checks, and payment security reviews. Transaction records also support AML duties and dispute handling. Legal grounds:

• Contract performance
• Legal obligations
• Legitimate interests

Platform activity and product access

Gaming data supports the ability to place lottery bets, purchase scratch cards, and take part in casino products. Account data supports authentication and secure access. Legal grounds:

• Contract performance
• Legal obligations
• Legitimate interests

Customer support and complaint handling

Support interactions rely on personal data relevant to the query, such as payment records for failed deposits, account details for login issues, or verification status for withdrawal delays. Communication records may remain stored for audit, training, and dispute support. Legal grounds:

• Contract performance
• Legal obligations
• Legitimate interests

Safer gambling duties

Data supports player protection actions, including monitoring for harm indicators, setting limits, and applying restrictions where required. In some cases, specialist providers may support vulnerability assessment and risk evaluation. Legal grounds:

• Legal obligations

Fraud prevention and platform security

Data supports fraud detection, account security checks, device and IP review, payment risk checks, and prevention of unauthorised access. Legal grounds:

• Legal obligations
• Legitimate interests

Legal claims and regulatory matters

Data may support legal claims, regulatory reviews, crime investigation support, or protection of platform rights, staff safety, and customer safety. Legal grounds:

• Legal obligations
• Legitimate interests

Marketing communication relies on permission given during registration. Marketing may relate to promotions, competitions, product updates, and feature notices. Communication channels may include email, text messages, push notifications, or in-app messages, depending on settings.

Marketing activity may involve:

• Use of account activity to select relevant content
• Measurement of campaign performance
• Review of interaction data to reduce irrelevant messages

Opt-out routes include:

• Unsubscribe links in marketing emails
• Account settings adjustments
• Support contact requests

Service notices remain necessary even after marketing opt-out. Service notices may cover security alerts, identity verification requests, policy updates, payment processing messages, or account status changes.

Legal grounds:

• Consent
• Legitimate interests

Lottomart shares personal data only where necessary for service delivery, compliance, or security. Contracts and due diligence checks apply to suppliers where personal data processing takes place.

Personal data may be shared with:

• Payment and banking partners: Support for deposits, withdrawals, refunds, chargeback handling, and fraud checks.
• Identity verification and due diligence providers: Support for identity confirmation, address confirmation, and ongoing compliance checks.
• Fraud prevention services: Support for fraud detection, risk scoring, account protection, and crime prevention.
• Communication providers: Support for the delivery of email, text messages, and push notifications.
• Analytics and technical partners: Support for performance analysis and system maintenance.
• Gaming and lottery service providers: Support for lottery betting, ticket purchase services, scratch card delivery, and game operation. For large wins, identity disclosure may apply as part of claim processes.
• Self-exclusion services: GAMSTOP checks for GB accounts.
• Legal and professional advisers: Support for dispute handling, legal claims, and regulatory engagement.

Personal data may also be shared with government bodies, law enforcement, and tax authorities where legal duties apply. Independent adjudication entities may receive data during escalated complaint reviews, usually after consent. Authorised third parties may receive information when permission exists, and identity checks confirm authority.

Limited data may be shared with advertising platforms for audience targeting controls, such as exclusion from adverts for existing customers or selection of audiences similar to existing customers. Such sharing focuses on limited identifiers rather than full account data.

Emergency services may receive personal data where a serious safety risk is identified.

Business transfers may involve disclosure during sale or acquisition processes under confidentiality requirements.

Most data storage occurs in the UK, Gibraltar, and the European Economic Area. Transfers outside these areas may occur where a supplier operates in another region. Contractual safeguards and security controls apply to such transfers. Security controls include:

• Access restriction based on role requirements
• Encrypted transmission through HTTPS
• Account security measures and monitoring
• Supplier screening and contractual standards
• Incident response procedures for suspected breaches

Account holders should also protect data by following these steps:

• Keep login details private and never share passwords
• Lock devices when not in use
• Avoid sharing sensitive data through public posts
• Check sender domains and official channels
• Treat urgent payment requests as suspicious

Data retention follows legal duties and operational needs. In most cases, account data remains stored for 7 years after account closure. Retention may continue where required for regulatory records, tax duties, legal claims, or crime investigation support.
Where retention exceeds the standard period, storage remains limited to what the law allows and what the situation requires.

Cookies store small text files on device storage to support platform operation. Cookie preferences remain adjustable through browser settings and site controls. Cookie categories may include:

• Essential cookies are used for secure login and core site functions
• Performance cookies are used for traffic measurement and service improvement
• Functional cookies are used for preference storage and enhanced features
• Targeting cookies are used for advertising relevance outside the platform

Blocking essential cookies may prevent access to secure areas of the site.

Data protection law provides rights that support transparency, accountability, and fair treatment of personal data. Rights may apply differently depending on legal duties, regulatory limits, and the purpose of processing. Rights include:

• Right to be informed: Access to clear information about data collection, use, sharing, and retention through this policy and related notices.
• Right of access: Ability to request confirmation of personal data held and to request a copy of that data.
• Right to rectification: Ability to request correction of inaccurate personal data. Changes may require verification, and self-service updates may exist through account settings.
• Right to erasure: Ability to request deletion of personal data. Regulatory duties often require retention of specific records, so deletion requests may not succeed in full.
• Right to restrict processing: Ability to request limitation of processing in certain cases, including disputes over accuracy, unlawful processing claims, or where data remains needed for legal claims.
• Right to data portability: Ability to request transfer of certain data in a structured, commonly used, machine-readable format, where technical feasibility and regulatory rules permit transfer.
• Right to object: Ability to object to processing that relies on legitimate interests. Continued processing may still apply where overriding grounds exist or where legal claims require it.
• Right to manual review of automated decisions: Ability to request a human review where automated decisions significantly affect account status or access.
• Right to withdraw consent: Ability to withdraw permission where consent is the legal basis, including marketing communication. Processing remains lawful up to the withdrawal time.

Requests may be submitted through the app or by email to [email protected]. Identity confirmation may be required to protect account security. Where a third party submits a request, proof of authority and identity checks may apply.
Fees do not normally apply. A fee may apply, or a request may be refused where a request is manifestly unfounded or excessive, or where legal obligations prevent the action requested.
Complaints may be raised with the Gibraltar Regulatory Authority through its data protection complaint process.

Policy updates may occur to reflect changes in law, technology, or operational practice. Material changes will be presented during platform access before the updated policy applies.
The most current policy version remains available on the website. Where changes prove unacceptable, account closure remains available.