Privacy Policy

1. About Us

1.1 KTO.COM is operated by Bravalla B.V., with registration number 147847 and registered address: Korporaalweg 10, Curaçao. KTO is authorized and regulated by the Government of Curaçao. Throughout this Privacy Policy, whenever we mention “KTO.COM”, “KTO“, “we”, “our” and “us”, we are referring to Bravalla B.V., the data controller and the entity responsible for this platform.

2. Scope

2.1 Your privacy is important to us, and we are committed to protecting your personal data according to the Brazilian Data Protection Law (Law No. 13,709 of August 14, 2018). The purpose of this Privacy Policy is to explain how KTO.COM uses the personal information collected when you access or use our services. We will clarify the purposes for collecting your personal data, describe the data processing activities we conduct, and explain how you can exercise your rights.

2.2 ACCEPTANCE AND AGREEMENT WITH THIS PRIVACY POLICY ARE NECESSARY FOR YOU TO ACCESS AND UTILIZE OUR SERVICES. If you do not agree to any of the conditions and/or statements outlined in this Privacy Policy, we kindly request that you refrain from registering an account with us or cease accessing and using our platform and services.

2.3 Please be aware that we reserve the right to refuse registration to any player who does not accept our Terms and Conditions, Privacy Policy and/or fails to provide the necessary information to complete the identification process.

2.4 Please be aware that by using our platform and/or utilizing our services, you hereby provide your express consent for the international transfer of your data to the following countries: United Kingdom, Malta, Cyprus, Georgia, Hungary, Bulgaria, Latvia, Isle of Man, Australia, United Sates (California), Poland, Sweden, Uruguay and Curaçao

3. Definitions

For the purposes of this Policy, the following definitions apply:

Personal Data: Information relating to an identified or identifiable natural person;

Sensitive Personal Data: Personal data concerning racial or ethnic origin, religious belief, political opinion, union membership, or membership in a religious, philosophical, or political organization, data regarding health or sexual life, genetic or biometric data, when linked to a natural person;

Anonymized Data: Data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of processing;

Database: A structured set of personal data, established in one or multiple locations, in electronic or physical format;

Data Subject: The natural person to whom the personal data subject to processing refers, i.e. you as a user of our platform and services;

Controller: The natural or legal person, whether public or private, responsible for decisions regarding the processing of personal data;

Processor: The natural or legal person, whether public or private, who processes personal data on behalf of the controller;

Data Protection Officer (DPO): The person designated by the controller and processor to act as a communication channel between the controller, the data subjects, and the National Data Protection Authority (ANPD);

Data processing agents: The controller and the processor;

Processing: Any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction;

Anonymization: The use of reasonable and available technical means at the time of processing, through which data lose the possibility of association, directly or indirectly, with an individual;

Pseudonymization: A procedure whereby the data can no longer be associated, directly or indirectly, with an individual, except through the use of additional information stored separatelyby the controller in a controlled and secure environment.

Consent: A free, informed, and unequivocal expression through which the data subject agrees to the processing of their personal data for a specific purpose;

Deletion: The removal of data or a set of data stored in a database, regardless of the procedure used;

International data transfer: The transfer of personal data to a foreign country or international organization of which the country is a member;

Brazilian General Data Protection Law or LGPD: Law No. 13,790/2018, which establishes rules for processing personal data.

Brazilian National Data Protection Authority or ANPD: The public administration body responsible for ensuring, implementing, and overseeing the enforcement of the LGPD throughout the national territory.

Linked Companies: Associated companies, subsidiaries, companies under common control, “coligadas”, controlling companies, affiliated companies (according to corporate law in Brazil), and companies that are part of KTO corporate group.

4. Data Collection and Processing

4.1 The information and Personal Data we collect and process include: 

• Identification data: full name, identification documents (including National Identity Card – CIN, General Registry – RG, National Driver’s License – CNH, Individual Taxpayer Registry – CPF, date of birth, passport and scanned copy of valid photo ID), biometric data (including facial recognition, with proof of life);

• Contact information: full name, email address, home address, proof of address, mobile number, telephone number;
  
• Demographic data: date of birth, nationality, gender, location, geolocation, country of domicile;
  
• Financial information: registered deposit or prepaid payment accounts, proof of income, source of wealth, payment information, transaction history, credit reports, and/or verifying the information provided by you against third-party databases;
  
• Browsing data: IP address (including IP address registered at the time of registration), cookies, device data, browser data (i.e. access time, date of access, visited web pages), website usage preferences (i.e. selected language, type of browser used, software error reports), and interactivity;
  
• Gambling activities: bet identification number, bet date and time, bet status, session identifier, session status, betting and gaming history.

4.1.1 Please be aware that we also have a legal and regulatory obligation to collect and process Personal Data and information regarding the sports betting, of betting markets and sporting events that have been the subject of bets, online games, and related to your account on our platform.

4.2 We collect Personal Data and information from users who access our platform and/or utilize our services. Data collection is essential for the provision of our services, and occurs in various stages, including but not limited to the initial account creation process, during financial transactions, when engaging in sports betting and/or online games, as well as when utilizing any other services made available on our platform.

4.3 Additionally, certain Personal Data may be collected if you choose to provide information voluntarily while browsing our website, disclose information in public areas of our platform, and/or provide data when contacting our Customer Support and/or when contacting us through our social media accounts.

4.3.1 Please be aware that due to regulatory duties, which establishes, among others, the technical and security requirements for betting systems, it is prohibited to transfer any data between yourself and other players on the platform.

4.4 If you provide us with your consent, we will send you offers and promotions via email, SMS, push notifications and/or online channels. We may also send gifts or promotional items to you as part of marketing campaigns or any other customer relationship initiatives. You have the right to withdraw your consent or update your Marketing preferences at any time. For more details on how to exercise your rights, please consult the “Data Subject Rights” section of this Privacy Policy.

4.5 We are committed to making our platform as user-friendly as possible, aiming to facilitate access and usage, and we are continually working to enhance the user experience. To achieve this goal, we collect information and data about your interaction with our platform. This is an essential action to ensure the provision and quality of our services.

4.6 The collection of information and data takes place during the use of our platform, and our servers maintain records of activities, including but not limited to the originating IP address, access time, date of access, visited web pages, selected language, software error reports, location, geolocation, and the type of browser used.

4.6.1 Please be aware that we are obligated to detect and block any programs that could circumvent the detection of your location (such as remote desktop software, rootkits, virtualization, and similar tools) to prevent any attempt to manipulate location data before the conclusion of any bet.

4.7 Please be aware that biometric data identification technology refers to utilizing unique physical or behavioural characteristics for individual identification and authentication. Through service providers acting as controllers of this process, we employ facial recognition, whenever deemed necessary to meet and implement preventive controls. The procedure includes requesting a photograph from you eventually holding your identification document, which will be submitted to a pattern recognition algorithm that analyses trait samples obtained from various sensors. Your biometric data is Sensitive Personal Data, processed according to the applicable rules and under the appropriate security standards.

4.7.1 In accordance with Law, and related ordinances, we are obligated to request facial recognition from you in cases of: account information changes, password reset, withdrawal of funds at your request, periodic account verification, or account closure.

4.8 KTO employs biometric technology to gather facial traits information for user registration, identity verification, user authentication, impersonation deterrence and crime prevention. KTO utilizes the services of a Provider, CAF, to facilitate these functions. CAF’s facial recognition technology analyses photos you submit to gather biometric data, such as measurements of your facial geometry (e.g., the distance between eyes, height of forehead, frontal breadth, biogonia breadth, width of nose, upper face height etc.). Subsequently, the technology compares this biometric data with that of a distinct reference photo you provide, ensuring identity verification and preventing unauthorized access to your account. We strongly encourage you to review CAF’s Privacy Policy.

4.9 With the aim of ensuring the security of our customers, preventing any fraudulent activity, as well as promoting responsible gaming practices and to comply with legal and/or regulatory obligations, we may conduct a security review at any time to validate the personal data and information provided by and from you.  We also may verify your use of our services and our platform to prevent and/or identify violations to our Terms and Conditions, fraud against KTO, fraud in betting through match-fixing or bribery and corruption in sports events and our Anti-Money Laundering (AML), Countering the Financing of Terrorism (CFT), and Countering the Financing of Proliferation of Weapons of Mass Destruction (FPWMD) measures. Security reviews may include but are not limited to requesting proof of address, proof of income, source of wealth, credit reports, and/or verifying the information provided by you against third-party databases. Please also be aware that we are obliged to request an annual update or validation of your personal data.

4.10 We are legally obliged to conduct these activities to deliver our services in a lawful, responsible, and compliant manner, adhering to the required legal standards and regulations. Our ability to provide our services depend on these actions. If you would rather your Personal Data not be used in this manner, your alternative is to abstain from using our services and/or to deactivate your account on the platform. Even if you decide to deactivate your account, please note that we might still need to store your Personal Data to comply with the applicable laws and regulations – your Personal Data will not be processed for any other purposes, besides law compliance.

4.11 The collection and processing of information is essential to our business and align with the purposes and legal bases outlined as follows:

PURPOSE	INFORMATION	LEGAL BASES
To provide our services	– Identification data – Contact information – Demographic data – Financial information – Gambling Activities	-Contract execution -Compliance with legal or regulatory obligation
To provide customer support	– Identification data – Contact information	– Contract execution – Compliance with legal or regulatory obligation
To prevent fraud	– Identification data – Contact information – Demographic data – Financial information – Browsing Data	– Compliance with legal or regulatory obligation
To analyse and monitor activities on our platform	– Browsing Data – Gambling Activities – Demographic data	-Contract execution -Compliance with legal or regulatory obligation
To protect the rights and guarantee safety of our company, our customers, and/or third parties	– Identification data – Contact information – Financial Information  – Browsing Data – Gambling Activities	– Contract execution – Exercise of rights  – Compliance with legal or regulatory obligation
For marketing purposes	– Contact information – Demographic data – Gambling activities	– Consent

4.12 In accordance with our policies and legal obligations, minors are prohibited to create an account with us, and we do not process any minors’ data. However, if, by any chance, we receive data from minors through our Customer Support channels as a result of a breach of our Terms and Conditions, we will proceed with the deletion of such data.

4.13 Please be aware that to use our platform, create your account, make financial transactions, participate in sports betting and online games, contact our Customer Support, and/or utilize our services in any other way, we need to collect your information and, in some cases, share it with third parties. For more details on how we share your data and for what purposes, please consult the “Information Sharing” section of this Privacy Policy. If you do not agree with how your information is used, we recommend refraining from using our platform.

4.14 In accordance with Law we are obligated to maintain a database of all our players, including any updated information. This includes retaining replaced details, along with the IP address associated with each change made to your account. Additionally, we also have an obligation to maintain the data we collect in data centers located in Brazil. Please be aware that the data we collect can also be stored in data centers outside Brazil in countries that provide a degree of data protection similar to or greater than what was provided by KTO, or to companies that contractually undertake to adopt a degree of protection similar to that provided for in the applicable legislation.  For more details on data transfers, please consult the “International Data Transfer” section of this Privacy Policy.

4.15 Please be aware that by using our platform and/or utilizing our services, you provide your express consent for the processing of your personal data across all our Linked Companies.

5.0 International Data Transfer

5.1 KTO implements preventive controls for data transfer, including standard contractual clauses, specific contractual clauses, and global corporate standards, as the information and Personal Data collected within our services may be stored and processed in any country where we, our affiliates, suppliers, providers, Linked Companies, and/or agents maintain facilities. Linked Companies shall mean associated companies, subsidiaries, companies under common control, “coligadas”, controlling companies, affiliated companies, and companies with which we have significant business relationships. By utilizing our services, you explicitly provide your consent for the transfer of information outside of your country.

5.2 The international transfer of personal data will occur to countries or international organizations that provide adequate personal data protection upon recognition of suitability by the ANPD. In the event that transfers to non-adequate jurisdictions are necessary, we will take reasonable steps to ensure that the information is processed with the same level of security. These steps include but are not limited to standard contractual clauses approved by the ANPD, specific contractual clauses and global corporate standards. 

5.3 For further information on how we transfer your Personal Data outside Brazil, please refer to the table below:

FORM, DURATION AND PURPOSE OF THE INTERNATIONAL DATA TRANSFER	Form: Standard Contractual Clauses and Explicit Consent.
	Duration: The duration will be for a period compatible with the purposes of rendering our services to you and in accordance with applicable legal, regulatory, or contractual requirements.
	Purpose: Rendering our online games and betting services.
DESTINATION COUNTRY(IES) OF TRANSFERRED DATA	Destination: United Kingdom, Malta, Cyprus, Georgia, Hungary, Bulgaria, Latvia, Isle of Man, Australia, United Sates (California), Poland, Sweden, Uruguay and Curaçao.
DATA SHARING AND PURPOSE	Data Sharing: To enable a data importer and us (as separate entities) to operate and conduct business on an international basis across multiple jurisdictions, including allowing them to provide gambling services. Comply with the applicable laws.Conduct analysis, assessments and create strategic operational plans.

6. Information Sharing

6.1 We may share information and data, including Personal Data, with Linked Companies and/or third parties in order to be able to provide our services. This sharing occurs when needed and involves the following third parties and/or serves the purposes described below:

• With Linked Companies to provide our services in accordance with our Terms and Conditions.
• With payment providers for processing financial transactions in order to execute our services in accordance with our Terms and Conditions.
• With sportsbook providers to execute sports betting services. We strongly advise you to review the privacy policy of our sportsbook provider and data processor ALTENAR.
• With gaming providers for the execution of our services.
• With helpdesk software to assist with customer support and issue resolution in order to execute our services in accordance with our Terms and Conditions.
• With anti-fraud software to help detect and prevent fraudulent activities and protect our users.
• With data analysis software and web analytics platforms for analytical purposes for the execution of our services.
• With cloud services for data storage and management.
• With competent authorities for compliance with legal or regulatory obligations.
• With competent authorities or entities if we identify an attempt at cheating, fraud, or any form of game or payment manipulation, whether by you or other users of the service.
• To protect the rights and guarantee the safety of our company, our customers, and/or third parties.
• With your consent for specific data-sharing instances.
  

6.2 Please be aware that as you engage with our platform by making financial transactions, placing bets, and participating in online gaming activities, the privacy policies and terms and conditions of the respective providers of these products and services may apply to you.

6.3 We may also share information for research purposes, specifically related to our Responsible Gambling policy. We may also share information related to betting activities in line with our anti-corruption policies, with the intention of combating betting-related corruption and safeguarding the integrity of sports and our business operations.

6.3.1 Please be aware we may need to share information and Personal Data with authorities (including, but not limited to, the police) if required to report any incidents that triggers concerns related to our Responsible Gambling Policy, with the aim of protecting integrity of our customers.

6.4 We collect and share analytical information through services provided by Google, such as Google Analytics and Google Tag Manager. Google Analytics is a web analysis service that uses the collected data to track and analyse the usage of our platform, to generate reports on its activities, and to share these reports with other Google services. Google may also utilize the collected data to tailor and personalize advertisements within its advertising network.

6.5 We also share information with partners for the purpose of analysing and monitoring engagement and interactivity, as well as identifying your preferences. This includes, among other methods, web and mobile analytics, conversion optimization features (heatmaps, session recording, AB testing, funnels, and form analytics), and the utilization of behavioural metrics. These efforts aim to enhance our services, facilitate site optimization, address fraud and security concerns, and support advertising initiatives.

6.6 We will ensure that third parties with whom we share such information are committed to maintaining the confidentiality and security of the shared data, and wherever possible and feasible, we will implement Pseudonymization measures to protect the privacy of your Personal Data before sharing it.

6.7 Please be aware that we may need to share your information, including Personal Data, with external legal service providers when necessary to conduct and respond to situations or cases related to consumer protection, responsible gaming, and any other judicial or extrajudicial matters associated with our platform and/or services. This sharing aims to protect the rights and guarantee the safety of our company, our customers, and/or third parties.

6.8 Please be aware that we are obligated to comply with requests from competent public authorities regarding access to the registration data of our players and other users of our platform. We also have to store access logs for a 6-month period to meet the requirements provided by the Brazilian Internet Act (Law 12,965 or Abril 23, 2014). 

7. Cookies

7.1 Cookies are text files containing a small amount of information that are downloaded to your device when you visit a website. This information might be about you, your preferences or your device and is mostly used to improve your online experience and to ensure that relevant content and functions are delivered and used more effectively. Your browser retrieves cookies each time you visit our websites.

7.2 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

7.3 We utilize cookies and traffic analysis to enhance the performance and ensure the efficiency of our platform while continually improving our services. We do not use cookies containing malicious code. For details on how we use cookies, please consult our Cookie Policy. Please be aware that by using our platform and/or utilizing our services, you expressly accept our Cookie Policy.

7.4 We use the following types of cookies:

Necessary Cookies: These cookies are used to ensure that the platform performs basic functions and operates correctly. Therefore, the collection of this information is essential to ensure the proper functioning of the platform and/or the adequate provision of the service, without them, the user would not be able to perform the core activities on the platform.

Advertising Cookies: These are used to collect information from you with the purpose of displaying advertisements. More specifically, by collecting data related to the user’s browsing habits, advertising cookies enable the identification of the user, the creation of profiles, and the display of personalized ads tailored to user interests.

Performance Cookies: These allow the collection of data and information on how users interact with the website, including which pages are visited most frequently, the occurrence of errors, or information about the platform’s overall performance.

7.5 You have the option to accept or reject cookies at any time through various methods, including managing your preferences in the “Cookie Settings” menu, adjusting your browser settings, and/or clearing existing cookies. For instructions on updating your browser settings, please refer to the official website of the respective browser developer. 

7.6 Please be aware that if you adjust your cookies settings via your web browser then, unless you delete or block each cookie individually, the changes will apply to all websites that you visit – not just our websites. You will also need to adjust your cookies on a browser-by-browser basis.

7.7 Please also note that deleting our cookies or disabling our cookies means that you may not be able to access certain areas or features of our platform (for example, if your browser is set to disable session cookies, you won’t be able to log on to your account). Additionally, you will not be able to place bets or play online games whenever accepting cookies is required for these activities.

8. Security Measures

8.1 At KTO.COM, we are committed to safeguarding your Personal Data and ensuring the utmost privacy and security of your data. This section of our Privacy Policy outlines the measures we take to protect your personal information when it is shared with us.

8.2 We employ state-of-the-art end-to-end encryption protocols to ensure that any data you transmit to us is securely protected during its transfer. This means that your information is encrypted into an unreadable format before leaving your device and can only be unscrambled by us upon arrival. This encryption method helps to prevent unauthorized access, interception, or eavesdropping during data transmission.

8.3 Your Personal Data is stored in password-protected databases with stringent access controls, and we employ multi-factor authentication for access by authorised personnel. Only authorized personnel who require access for legitimate business purposes are granted permission to access this data. We regularly review and update our security measures to stay ahead of emerging threats and maintain the confidentiality and integrity of your information.

8.4 We take the privacy and security of your personal information seriously. Therefore, we ensure that our subsidiaries, Linked Companies, agents, affiliates, and suppliers also employ similar robust security measures to protect your data when they are entrusted with it. We have established contractual obligations, including Data Protection Agreements, and data protection standards that all such entities must adhere to, as stipulated in our agreements with them. This is done to maintain consistency in the protection of your Personal Data, regardless of where or how it is processed within our ecosystem.

8.5 While we do our utmost to protect your personal information, it’s important to remember that no method of data transmission or storage can guarantee 100% security. If you ever have concerns about the security of your personal information, please don’t hesitate to contact us using the contact information provided in this Privacy Policy.

8.6 By using our services, you acknowledge and accept the security measures described in this Privacy Policy. We are committed to continuously improving and adapting our security measures to meet evolving threats and industry best practices, all in the interest of safeguarding your personal information.

9. Data Subjects Rights

9.1 As a data subject, you possess certain rights that safeguard and protect your privacy. Your Personal Data protection rights include:

• Right to confirm the existence of processing of your Personal Data.
• Right to access your Personal Data.
• Right to rectify incomplete, inaccurate, or outdated data.
• Right to data portability.
• Right to the deletion, anonymization or blocking of Personal Data in specific situations (e.g., when processed with your consent).
• Right to information about data sharing and with whom it is shared.
• Right to information about the possibility of not providing consent and the consequences of refusal.
• Right to withdraw consent.
• Right to submit a petition regarding the processing of your Personal Data to the ANPD.
• Right to object to the processing carried out if we do not comply with Brazilian law.
• Right to review automated decisions-making that affect your interests, including decisions aimed at defining your personal, professional, consumer and credit profile or aspects of your personality.
• Right to obtain additional information about international transfers of your Personal Data and access the contractual provisions that regulates such transfers. 

9.2 To confirm the existence of the processing of your Personal Data, please access the “My Account” menu on our platform or contact our Data Protection Officer (DPO) Glaucia Goelzer at the email address: [email protected].

9.3 To rectify your Personal Data, please access the “My Account” menu on our platform. If you wish to rectify information that is not possible to update through the mentioned menu, please contact our DPO via email at [email protected].

9.4 To access the Personal Data we hold about you, please contact our DPO via the email address: [email protected].

9.5 You have the right to discontinue using our platform at any time. You can exercise this right by deactivating your account utilizing the self-exclusion tools or by making a request to our Customer Support team. However, we may retain your information for as long as is reasonably necessary to meet any potential obligations and requirements. For more details on the retention period, please consult the “Data Retention” section of this Privacy Policy.

9.6 You have the right to object to the processing activities carried out for our legitimate interests.

9.7 If you provide us with your consent, we will send you offers and promotions via email, SMS, push notifications and/or online channels. We may also send gifts or promotional items to you as part of marketing campaigns or any other customer relationship initiatives. You have the right to withdraw your consent or update your Marketing preferences at any time. To exercise your rights, please access the “Settings” option in the “My Account” menu or contact our Customer Support. By choosing not to provide your consent for receiving offers and promotions, you will cease to receive communications of such nature. Consequently, this decision may result in your ineligibility to participate in and/or access exclusive promotions and offers.

9.8 If you wish to file a complaint, provide feedback, seek clarification, ensure your data protection rights, and/or express any concerns regarding this Policy, our procedures, and/or any other matter related to Personal Data processing activities conducted by us, please contact our Data Protection Officer (DPO) Glaucia Goelzer at the following email address: [email protected]. 

9.9 You can exercise your rights free of charge and in an easy way. We are committed to promptly addressing your requests within the stipulated timeframes. When necessary, in order to ensure the security of our customers information, we may request proof of identity to process your request. Please be aware that the timeline for addressing your requests will commence only after your identity has been verified.

10. Data Retention

10.1 The personal data and information collected and processed by us are stored and retained for the necessary period to fulfil the purposes outlined in this Privacy Policy.

10.2 In accordance with the Law we are obligated to maintain and back up all recorded data for a minimum period of 5 (five) years. 

10.3 Please be aware that we may be obligated to retain information for a longer period considering statute of limitation periods in applicable laws, as well as regulations regarding Anti-Money Laundering (AML), Countering the Financing of Terrorism (CFT), and Countering the Financing of Proliferation of Weapons of Mass Destruction (FPWMD) measures, along with any other legal obligations that may be deemed necessary, and/or to comply with orders from judges or any other competent authorities. 

10.4 Once the data retention period has passed or when your personal information is no longer required, we will proceed with the data deletion process.

11. Changes

11.1 We reserve the right to update, amend, or undertake any other action to this Privacy Policy whenever necessary to align with legal trends and/or ensure compliance with regulations.

11.2 Any changes made become effective upon update of this Privacy Policy. The current version and the last update date can be verified at the end of this page.

Last updated on 5 November 2024.