Privacy Policy
OBSERVE: This Privacy Policy explains how rembrandt-casino at https://rembrandt-ca.com collects, uses, discloses, transfers, and protects personal information for players and website/app visitors in Canada.
EXPAND: It applies to account holders, prospective users, affiliates and marketing recipients, and covers cookies/online identifiers. It reflects Canadian privacy laws (PIPEDA and relevant provincial laws) and industry standards for online gambling.
REFLECT: By using our services, you acknowledge this Policy. Effective date: 01 October 2025.
Who We Are
OBSERVE: Operator: Condor Malta Ltd, company no. C 70089. Registered office: 13, "Paolo Court", Giuseppe Cali Street, Ta' Xbiex XBX 1423, Malta. Licensed by the Malta Gaming Authority: MGA/B2C/340/2016 (status: active, last verified 2025-10). Irish Remote Bookmakers licence 1020370.
EXPAND: For Canada, rembrandt-casino operates offshore from the EU (Malta). The brand for this site is used solely with rembrandt-ca.com. Ontario users should note we are not AGCO-licensed.
REFLECT: Data Protection Contact: Data Protection Officer, Condor Malta Ltd. Email: [email protected]. Postal: address above (attention: DPO). We recommend contacting us in writing for privacy requests.
What Personal Data We Collect
OBSERVE: We collect only what we need to deliver and safeguard our services.
- Identity and contact: name, date of birth, address, email, phone, province/territory, language.
- KYC/verification: ID documents, proof of address, payment ownership proofs; sanctions/self-exclusion checks.
- Account and behavioral: username, preferences, session data, game play logs, betting/wagering history, deposits/withdrawals, responsible-gambling settings.
- Technical and usage: IP address, device/OS/browser, app identifiers, timestamps, referrers, geolocation approximations, crash/error logs, anti-fraud signals.
- Payment and financial: payment instrument type (masked), transaction identifiers, card/BIN tokens from payment processors, IBAN/wallet IDs where applicable.
- Marketing and communications: opt-in/out flags, campaign interactions, click/open rates, preferences.
- Cookies and similar tech: session/persistent cookies, SDKs, pixels, and local storage for functionality, analytics, and advertising (see Cookies section).
EXPAND: We do not intentionally collect sensitive data (e.g., health, religion). Self-exclusion and RG information is processed only to meet legal and player-protection obligations.
REFLECT: Failure to provide mandatory data (e.g., age, identity) may prevent account creation or payouts.
Legal Basis for Processing
OBSERVE: In Canada, we obtain meaningful consent under PIPEDA (and Alberta/BC PIPA and Quebec's private-sector law where applicable), and process what a reasonable person would consider appropriate in the circumstances.
- Consent: account sign-up, marketing subscriptions, cookies beyond strictly necessary.
- Contractual necessity: creating/managing your account, enabling play, processing payments/payouts, customer support.
- Legitimate interests / appropriate purposes: security, fraud/abuse prevention, service analytics, network integrity, service improvements (balanced against your privacy rights).
- Legal obligations: KYC/AML, record-keeping, responsible gambling measures, regulatory reporting under MGA and applicable laws.
EXPAND: If you are in the EEA/UK, we rely on GDPR/UK GDPR bases: consent, contract, legitimate interests, legal obligation, and, where applicable, public interest in gambling controls.
REFLECT: You may withdraw marketing consent at any time. Where we rely on legitimate interests, we perform interest-balancing and apply safeguards.
Purpose of Processing
OBSERVE: We use personal data to operate a safe, compliant, and enjoyable gaming service.
- Service delivery: registration, authentication, gameplay, wallet operations, payouts, support.
- Compliance: age/identity verification, AML/CTF screening, responsible gambling tools, dispute handling, audits.
- Security and integrity: fraud detection, bot/abuse mitigation, incident response, access controls.
- Analytics and improvement: performance monitoring, game optimization, UI/UX research using aggregated or de-identified data where possible.
- Marketing and personalization: newsletters, offers, and recommendations (with consent where required), frequency capping and measurement.
EXPAND: We avoid using data for unrelated purposes without notifying you and, where needed, obtaining consent.
REFLECT: We maintain purpose limitation, data minimization, and proportionality.
Disclosure & Sharing
OBSERVE: We disclose data only as necessary and under contracts requiring confidentiality and adequate safeguards.
- Payments and banking: acquirers, issuers, PSPs, AML/CTF screening tools.
- KYC/AML and RG providers: identity verification, sanctions/PEP lists, self-exclusion registries.
- Technology vendors: hosting, cloud/CDN, security, analytics, customer support tools, game studios/platforms.
- Marketing partners: email/SMS platforms, affiliates, ad networks (only with consent where required; opt-out available).
- Corporate and legal: auditors, legal advisors, prospective buyers (in a merger/sale), regulators, law enforcement upon lawful request.
EXPAND: We do not sell personal information. Ad partners may receive identifiers with your consent for interest-based advertising.
REFLECT: We perform vendor due diligence, execute data processing agreements, and monitor compliance.
International Transfers
OBSERVE: Your data may be processed in Malta (primary), the EEA (e.g., Ireland, Germany), the UK, and, for specific services (e.g., CDN, email), the United States or other countries.
- For Canadian users: We notify you of cross-border transfers and ensure comparable protections via contractual, technical, and organizational measures consistent with PIPEDA and OPC guidance.
- For EEA/UK data: We use EU Standard Contractual Clauses (SCCs) and/or UK IDTA/Addendum, plus transfer impact assessments and supplemental safeguards (encryption in transit/at rest, access controls).
EXPAND: We restrict access on a need-to-know basis and prefer EEA/Canada processing where feasible.
REFLECT: You can contact us for a copy of applicable transfer safeguards (with redactions where necessary).
Data Retention
OBSERVE: We retain data only for as long as needed for the purposes stated, legal obligations, and dispute resolution.
| Category | Typical Retention |
|---|---|
| Account and identity (KYC) | Up to 5 years after account closure (longer if required by AML/CTF laws) |
| Transaction and gameplay logs | 5-7 years from transaction/date of record |
| Support tickets and call/chat logs | 2 years from last interaction |
| Marketing preferences and logs | Until opt-out plus 24 months for proof of consent/opt-out |
| Device/technical logs | 12-24 months (security logs may be retained up to 24 months) |
| Cookies/advertising IDs | Functional: session; Analytics: up to 24 months; Advertising: up to 13 months |
EXPAND: We securely delete or irreversibly anonymize data once retention ends, unless needed for legal claims, audits, or regulatory inquiries.
REFLECT: You may request deletion; we will honor it where no overriding obligation applies.
Your Rights
OBSERVE: We facilitate rights under Canadian laws and, where applicable, GDPR/UK GDPR and Mexican law.
- Canada (PIPEDA; AB/BC PIPA; Quebec Law 25): access and obtain copies, request corrections, withdraw consent (e.g., marketing), challenge compliance, portability in Quebec for certain computerized data, and de-indexation in limited cases.
- EEA/UK (GDPR/UK GDPR): access, rectification, erasure, restriction, portability, objection (including to profiling/marketing), and rights related to automated decision-making.
- Mexico (LFPDPPP - ARCO): access, rectification, cancellation (erasure), and opposition; consent withdrawal.
Procedure (applies to all regions):
- Submit a request to [email protected] or via your account (identify the right you wish to exercise).
- Verify identity (we may request limited additional information).
- We respond within 30 days (Mexico: 20 business days to respond, 15 more to fulfill if applicable).
- Requests are free of charge unless manifestly unfounded/excessive (we will explain any fee).
EXPAND: Some rights may be limited by legal/regulatory obligations (e.g., AML, security logs). We will explain any denial or limitation.
REFLECT: You can always opt out of marketing without affecting service functionality.
Cookies & Tracking Technologies
OBSERVE: We use cookies/SDKs to run our site, measure performance, secure accounts, and (with consent) personalize offers.
- Session cookies: essential login and gameplay continuity; deleted when you close the browser/app.
- Persistent cookies: preferences, analytics, fraud prevention; stored for defined periods.
- Third-party cookies/SDKs: analytics, ad measurement, anti-fraud, support chat.
Purposes: functional/strictly necessary, analytics (aggregated where possible), advertising/personalization (subject to consent where required).
Management: use the Cookie Settings link in the site footer or your browser settings to block/clear cookies. For interest-based ads in Canada, see AdChoices (https://youradchoices.ca/). We honor feasible browser signals (e.g., GPC) for applicable purposes.
EXPAND: Blocking certain cookies may affect service functionality.
REFLECT: Your cookie choices can be changed at any time.
Data Security
OBSERVE: We employ administrative, technical, and physical safeguards.
- Encryption: TLS 1.2+ in transit; strong encryption (e.g., AES-256) at rest for key data.
- Access controls: least privilege, MFA for privileged accounts, role-based segregation, logs/monitoring.
- Secure development: code reviews, dependency scanning, vulnerability management, periodic penetration testing.
- Operational security: vendor risk assessments, DPA/SCCs, backups, change management.
- People/process: staff vetting where appropriate, confidentiality obligations, regular privacy/security training.
- Incident response: triage, containment, remediation, post-mortems; breach notifications to affected individuals and the OPC/competent authorities where required (e.g., RROSH under PIPEDA).
EXPAND: Our controls are aligned with recognized frameworks (e.g., ISO 27001/SOC 2 principles). This is not a certification claim.
REFLECT: No system is 100% secure; we continuously improve our controls and encourage strong passwords and MFA where available.
Complaints & Contacts
OBSERVE: Contact us first so we can resolve your concern quickly.
- DPO email: [email protected]
- Postal: Data Protection Officer, Condor Malta Ltd, 13, "Paolo Court", Giuseppe Cali Street, Ta' Xbiex XBX 1423, Malta
- Step 1 - Contact us: Write to the DPO with details of your concern and desired outcome. We acknowledge within 5 business days.
- Step 2 - Investigation: We investigate and respond within 30 days with findings and actions.
- Step 3 - Escalation: If unresolved, you may complain to a supervisory authority.
Supervisory authorities (examples):
- Canada (federal): Office of the Privacy Commissioner of Canada, https://www.priv.gc.ca/, 1-800-282-1376, 30 Victoria Street, Gatineau, QC K1A 1H3
- Alberta: Office of the Information and Privacy Commissioner, https://www.oipc.ab.ca/
- British Columbia: Office of the Information and Privacy Commissioner, https://www.oipc.bc.ca/
- Quebec: Commission d'accès à l'information, https://www.cai.gouv.qc.ca/
- EU (if GDPR applies): Lead authority in Malta (IDPC) https://idpc.org.mt/ or your local DPA (see EDPB list: https://edpb.europa.eu/about-edpb/board/members_en)
- Mexico (if LFPDPPP applies): INAI, https://www.inai.org.mx/
EXPAND: We will cooperate with authorities and follow their guidance.
REFLECT: Using our internal process first often enables faster, satisfactory resolution.
Updates
OBSERVE: We may update this Policy to reflect legal, technical, or business changes.
- Notifications: for material changes, we provide at least 30 days' advance notice via email (where available), in-account notices, and/or site banners.
- Version control: a "Last updated" timestamp appears below. We keep a summary of material changes.
- Your options: if you object to changes, you may adjust privacy settings, withdraw marketing consent, or close your account before the effective date.
Changelog (material changes only):
- 2025-10: Clarified Canadian cross-border transfer notice; added Quebec Law 25 portability; refined breach notification language.
EXPAND: Non-material editorial updates may occur without advance notice but will be reflected in the timestamp.
REFLECT: Last updated: October 2025.