Go Back

Privacy Policy

GDC Media Limited, a subsidiary of Gambling.com Group Limited (Nasdaq: GAMB) (“GAMB“), is the owner of the websites operated by and on behalf of the Group.

The terms “GDC“, “we“, “us“, or “our“ refer collectively to GAMB, and its current and future subsidiaries (“Group Members“).

GDC Media Limited has licensed the operation of certain GDC’s websites in certain geographic locations to other Group Members, including:

  • all GDC websites operating in the United States to GDC America Inc., a GAMB subsidiary;
  • certain GDC websites operating in the area of the United States to Roto Sports, Inc., a GAMB subsidiary, under a sub-license from GDC America; and
  • certain GDC websites operating worldwide (excluding the United States), to NDC Media Limited, a GAMB subsidiary.

This Privacy and Cookies Policy (“Policy“) describes the practices of GDC Media Limited, including the Group Members involved in the operation of the GDC’s websites in different geographic locations and the rights and choices available to individuals regarding personal data.

1. PURPOSE OF THIS POLICY

GDC respects your privacy and is committed to protecting your personal data. Personal data means any information that relates to an identifiable individual. It does not include data where the ability to identify an individual has been removed (anonymous data).

This Policy describes the rights and choices regarding your personal data. It is important that you read the Policy carefully. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact us using the details set out below.

We may alter this Policy as needed for certain services of GDC and to abide by local laws or regulations around the world, such as by providing supplemental information in certain countries. This Privacy Notice does not apply to GDC’s processing of the personal data of its personnel, such as employees and contractors.

We also provide important additional information in paragraph 8 that is solely applicable to individuals located within the Member States of the European Union, countries in the European Economic Area, the United Kingdom, and Switzerland (collectively, “Europe“ or “European“) and for individuals located in the State of California, United States:

  • European users should read the important information provided below about transfer of personal data outside of Europe.
  • California residents should read the important information provided below regarding our handling of the personal data.

Our websites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect, use or otherwise handle data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave any of our websites, we encourage you to read the privacy policy of every website you visit.

2. THE PERSONAL DATA WE COLLECT

We collect personal data about individuals from various sources described below. Where applicable, we indicate whether and why individuals must provide us with personal data, as well as the consequences of failing to do so. We may collect, use, store and transfer different kinds of personal data about you (“Personal Data“) which we have grouped as follows:

Personal Information“ includes any information from which you can be personally identified, including your name, surname, email address, telephone number or mobile number.

Profile Data“ includes a username, password and a profile image that an individual may establish and upload on one of our websites or mobile applications, along with any other information that an individual enters into their account profile;

Financial account data“ includes payment card details or bank account details;

Recruitment Process Data“ includes the CV and any covering letter of a job applicant and notes taken for the duration of your recruitment process relating to a job application and interview of a job applicant; Other information supplied by a job applicant, such as professional credentials and skills, educational and work history, and other information of the type included on a CV or covering letter;

Technical Data“ includes internet protocol (IP) address, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to access our websites;

Usage Data“ includes information about how you use our websites.

We also may collect, use and share “Aggregated Data” such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity.

We do not collect any information about your race, ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data. However, if you are applying for a job with us, we will collect information about criminal convictions and offences.

We automatically collect Technical Data and Usage Data. If you are using a mobile device, we collect data that identifies your mobile device, device-specific settings and characteristics, app crashes and other system activity.

  1. COLLECTION OF PERSONAL DATA

We may use different methods to collect data from and about you including the following:

  • Via direct interactions. You may give us your Personal Information and Recruitment Process Data by: a) filling in any a job application form on our Career Page, b) providing an email address to register with our websites and/or receive our newsletter, or c) providing your contact details via our registration and/or newsletters form.
  • Automated technologies. As you interact with our websites, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this data by using cookies, server logs and other similar technologies.
  • Third parties or publicly available sources. We may partner with third parties (such as content providers and analytics companies including Google Analytics, OptInMonster, Hotjar, and Convert.com) to help us improve the services of our website, including to provide you with relevant and interesting content and to conduct analytics and measurement to understand how our services are used. These companies may collect information from you automatically in connection with your visit.

Generally, our websites can be accessed and used without registration and without having to provide us any Personal Data (Personal Information, Profile Data, and/or Recruitment Process Data). You may opt in to receive information about promotions, bonuses, bets, tips and strategy by subscribing to our mailing list by providing your email address. You may any time opt out from receiving such communications by writing to us or clicking the “unsubscribe” button in any of our emails to you. In case you contact us, whether by email, through contact forms, or in other writings, we may keep a copy of that correspondence. We will not share your Personal Data with third parties for marketing purposes unless you have provided us with your express consent to do so.

  1. USE OF PERSONAL DATA

We may use your Personal Data for the purposes of:

Providing our services, which may include:

  • Operating, evaluating, maintaining, improving, and providing the features and functionality of our services;
  • Fulfilling a payment transaction initiated by you;
  • Communicating with you regarding your account with us, if you have one, including by sending you service-related emails or messages (e.g., messages regarding account verification, changes or updates to the functionality of our services, technical and security notices and alerts, and support messages)
  • Personalizing the manner in which we provide our services;
  • Administering and protecting our business; and
  • Providing support and maintenance for our services, including responding to your service-related requests, questions, and feedback.

For research and development

We use the information we collect for our own research and development purposes, which include:

  • Developing or improving our services; and
  • Developing and creating analytics and related reporting.

Marketing

We may use your Personal Data to form a view on what services we think you may want or need or what may be of interest to you.

We may contact you with marketing communications using the Personal Data you have provided to us if you have actively expressed your interest in availing of our services or have availed of our services and, in any case, you have not opted out of receiving that marketing, to the extent permitted by applicable law.

You can ask us to stop sending you marketing messages at any time by contacting us using the details below or clicking on the opt-out link included in each marketing message.

Should you choose to opt out of receiving our marketing messages, we will continue to conduct our other relevant activities using your Personal Data, including sending non-marketing messages.

Managing our recruiting and processing employment applications

We process Personal Data, such as information submitted to us in a job application, to facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity, and monitoring recruitment statistics.

Complying with law

We use your Personal Data as we believe necessary and appropriate to comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities.

Compliance, fraud prevention and safety

We use your Personal Data as we believe necessary or appropriate to (a) enforce the terms and conditions that govern our services; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

With your consent

In some jurisdictions, applicable law may require us to request your consent to use your Personal Data in certain contexts, such as when we would like to send you certain marketing messages. If we request your consent to use your Personal Data, you have the right to withdraw your consent any time in the manner indicated when we requested the consent or by contacting us. If you have consented to receive marketing communications from our third-party partners, you may withdraw your consent by contacting those partners directly.

To create anonymous data

We may create anonymous data from your Personal Data and other individuals whose Personal Data we collect. We make Personal Data into anonymous data by excluding information that makes the data personally identifiable to you and use that anonymous data for our lawful business purposes.

  1. To whom do we provide Personal Data

We may have to share your data to the following parties:

Group Members

We may disclose your Personal Data to other Group Members for purposes consistent with this Policy.

Service providers

We may employ third parties to administer and provide services on our behalf (such as third parties that provide customer support, third parties that we engage to host, manage, maintain, and develop our websites, mobile applications, and IT systems, and third parties that help us process payments). These third parties may use your information only as directed by us and in a manner consistent with this Policy. These third parties are prohibited from using or disclosing your information for any other purpose.

Participants in the transaction processing chain

We may share your Personal Data with companies in the transaction processing chain in connection with processing a payment transaction, such as merchants, banks or other card issuers, card associations, debit network operators and their members.

Professional advisors

We may disclose your Personal Data to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary, in the course of the professional services that they render to us.

Compliance with Laws and Law Enforcement; Protection and Safety

GDC may disclose information about you to government or law enforcement officials or private parties as required by law, and disclose and use such information as we believe necessary or appropriate to (a) comply with applicable laws and lawful requests and legal process, such as to respond to subpoenas or requests from government authorities; (b) enforce the terms and conditions that govern our services; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

  1. DATA SECURITY AND DATA RETENTION

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors, subsidiaries, affiliates and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality. We have put in place commercially reasonable procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We will process and store the relevant Personal Data for as long as it is necessary or required in order to fulfil our legal, contractual, or statutory obligations and/or for the establishment, exercise or defence of legal claims.

  1. YOUR RIGHTS AND CHOICES

In this section, we describe the rights and choices available to all users. Users who are located in Europe may read additional information about their rights in paragraph 8 below.

Marketing communications

You can ask us to stop sending you marketing messages at any time by contacting us or clicking on the opt-out link included in each marketing message. You may continue to receive service-related and other non-marketing messages.

Choosing not to provide your Personal Data

Where we request Personal Data directly from you, you do not have to provide it to us. If you decide not to provide the requested information, in some circumstances we may be unable to provide services to you. For example, we may be unable to process your transaction.

Accessing, modifying or deleting your information

In some jurisdictions, applicable law may provide a right for individuals to access, modify, or delete their Personal Data in some. You may contact GDC directly to request access to, modify or delete your information. We may not be able to provide access to, modify, or delete your information in all circumstances.

Complaints

If you have a complaint about our handling of your Personal Data, you may contact our data protection officer using the contact information below. We request that a complaint be made in writing. Please provide details about your concern or complaint so that we can investigate it. We will determine whether to take action in response to your complaint, which, if we do so, may include conducting internal discussions with relevant business representatives. We may contact you for additional details or clarification about your concern or complaint. We will contact you to inform you of our response to your complaint. You also may have a right to file a complaint with a national or local regulatory agency.

  1. ADDITIONAL INFORMATION FOR EUROPEAN USERS

Data Controller

GDC is the data controller for the purpose of the General Data Protection Regulation (“GDPR“), and other applicable data protection laws. This means that GDC is principally responsible for looking after your Personal Data and this Policy determines the means and purposes of processing of Personal Data.

Legal bases for processing

We are required to inform you of the legal bases of our processing of your Personal Data, which are described in the table below. If you have questions about the legal basis of how we process your Personal Data, please contact us at dataprotection@gdcgroup.com.

Processing purposeLegal basis
Providing our servicesProcessing is necessary to perform the contract governing our provision of the services.
MarketingFor research and developmentTo manage our recruiting and process employment applicationsFor compliance, fraud prevention and safetyTo create anonymous dataThese processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you and your rights before we process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
To comply with lawProcessing is necessary to comply with our legal obligations.
With your consentProcessing is based on your consent. Where we rely on your consent, you have the right to withdraw it anytime in the manner indicated at the time we collect your information or by contacting us at dataprotection@gdcgroup.com

Use for new purposes

We may use your Personal Data for reasons not described in this Policy where permitted by law and the reason is compatible with the purpose for which we collected it.

How long will we use your Personal Data?

We will use your Personal Data for as long as necessary based on why we collected it and what we use it for. This may include our need to satisfy a legal, regulatory, accounting, or reporting requirement.

To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In general terms, we will retain your Personal Data for the duration of your involvement/engagement with us and for as long as reasonably necessary afterwards. There are also certain types of information which are required to be retained for a certain period by law.

Your individual legal rights

You have the right to obtain accessrectificationerasurerestriction of Personal Dataportability of Personal Data and to object to the processing of your Personal Data, under the conditions and restrictions laid out in Chapter III of the GDPR as follows:

  • Access. You are entitled to ask us if we are processing your Personal Data and, if so, for a copy of the Personal Data we hold about you, as well as obtain certain other information about our processing activities.
  • Correction. If any Personal Data we hold about you is incomplete or inaccurate, you can require us to correct it, though we may need to verify the accuracy of the new data you provide to us.
  • Erasure. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it.
  • Object. Where our reason for processing your Personal Data is legitimate interest, you may object to processing as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
  • Restriction. You may ask us to suspend our use of your Personal Data in the following scenarios:
    • if you want us to establish the data’s accuracy;
    • where our use of your Personal Data is unlawful but you do not want us to erase it;
    • where you need us to hold your data for a longer period than we usually would, because you need it to establish, exercise or defend legal claims; or
    • you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
  • Transfer. Where it is possible, we will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to Personal Data provided by you which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent. Where our reason for processing is based on your consent, you may withdraw that consent at any time. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
  • Automated decision making. You have the right not to be subject to automated decision making (e.g., profiling) that significantly affects you. The exercise of this right is not available to you in the following cases:
    • The automated decision is required to enter into, or perform, a contract with you.
    • We have your explicit consent to make such a decision.
    • The automated decision is authorised by local law of an EU member state.

However, in the first two cases set out above, you still have the right to obtain human intervention in respect of the decision, to express your point of view and to contest the decision.

If you have any questions about this Policy or wish to exercise any of the rights set out above, please contact us at dataprotection@gdcgroup.com.

We may need to request specific information from you to help us confirm your identity and ensure you are entitled to exercise a right in respect of your Personal Data. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

There may be legal or other reasons why we cannot, or are not obliged to, fulfil a request to exercise your rights. We will use available lawful exemptions to your individual rights to the extent appropriate. If we decline your request, we will tell you why, subject to legal restrictions.

You also have the right to make a complaint at any time to a supervisory authority (for more information go to https://edpb.europa.eu/about-edpb/board/members_en).

9. INFORMATION FOR CALIFORNIA RESIDENTS

We are required by the California Consumer Privacy Act of 2018 (“CCPA“) to provide California residents with an information of how we collect, use and share their Personal Data, and of the rights and choices we offer California residents regarding our handling of the Personal Data.

Your California privacy rights

As a California resident, you have the rights listed below. However, these rights are not absolute, and we may decline your request as permitted by the CCPA.

  • Information. You can request the following information about how we have collected and used your Personal Data during the past 12 months:
    • The categories of Personal Data that we have collected.
    • The categories of sources from which we collected Personal Data.
    • The business or commercial purpose for collecting Personal Data.
    • The categories of third parties with whom we may share your Personal Data.
    • Whether we have disclosed your Personal Data for a business purpose, and if so, the categories of Personal Data received by each category of recipient.
    • Whether we’ve sold your Personal Data; and, if so, the categories of Personal Data received by each category of recipient.
  • Access. You can request a copy of the Personal Data that we maintain about you.
  • Deletion. You can ask us to delete the Personal Data that we maintain about you.
  • Non-discrimination. You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions such as by denying you goods or services, increasing the price/rate of goods or services, decreasing the service quality, or suggesting that we may penalize you as described above for exercising your rights. However, the CCPA allows us to charge you a different price or provide a different service quality if that difference is reasonably related to the value of the Personal Data we are unable to use.

How to exercise your rights

You may exercise your California privacy rights as follows:

Right to information, access and deletion

You can request to exercise your information, access and deletion rights by:

  • Contacting us at dataprotection@gdcgroup.com
  • Identify verification. The CCPA requires us to verify the identity of the individual submitting the request before providing a substantive response to the request. A request must be provided with sufficient detail to allow us to understand, evaluate and respond. The requester must provide sufficient information to allow us to reasonably verify that the individual is the person about whom we collected information. A request may also be made on behalf of your child under 13.
  • Authorized agents. California residents can empower an “authorized agent” to submit requests on their behalf. We will require the authorized agent to have a written authorization confirming that authority.

Sale of Personal Information

We do not sell your Personal Information to third parties as defined in the CCPA.

Personal information that we collect, use and share

The table below summarizes what data we may collect or what data may have been collected from California residents during the last 12 months before the effective date of this Policy.

Please note that the categories and examples provided in the list below are those defined in the CCPA. This does not mean that all examples of that category of personal information were in fact collected by GDC but reflects our good faith belief to the best of our knowledge that some of that information from the applicable category may be and may have been collected. For example, certain categories of personal information would only be collected if you provided such personal information directly to us.