Privacy Policy

This privacy policy explains how Lets Lucky, operated via letslucky-aussie.com for users located in Australia, collects, uses, discloses, and protects personal information of players and website visitors. It applies to all visitors to letslucky-aussie.com, registered players, and anyone who interacts with our services, customer support, or marketing communications. By using our website or services, you acknowledge that you have read and understood this policy. This Privacy Policy is effective and treated as current through 2026, with the latest material review completed on 06 November 2025.

Who We Are

OBSERVE: Users need to know the legal identity, place of establishment, and contact points responsible for privacy matters. Lets Lucky operates as an offshore online casino targeting Australian residents in a grey-market context, under a Curaçao licence.

EXPAND: We must provide clear company details (name, registration, address) and designated privacy contact, aligning with international best practice and Australian Privacy Principles (APPs) expectations, even though we are not locally licensed in Australia.

REFLECT: The following details identify the data controller/operator and the primary contact for privacy-related queries.

Operator / Data Controller

• Brand name: Lets Lucky (as presented on letslucky-aussie.com)
• Project / review identifier: Lets Lucky (content and review instance targeting Australia)
• Operating company (license holder): Hollycorn N.V.
• Legal form: N.V. (public limited company under Curaçao law)
• Company registration number: 144359
• Registered legal and head office address: Heelsumstraat 51, E-Commerce Park, Curaçao
• Gambling licence: Antillephone N.V. licence no. 8048/JAZ2019-015 (online casino and gambling services), treated as valid through 2026 based on latest verification dated 20.05.2024.

Contact for privacy and data protection

• E-mail (primary support): [email protected]
• E-mail (general / privacy queries): [email protected]
• Website: https://letslucky-aussie.com
• Postal contact for privacy matters: Hollycorn N.V., Privacy Department, Heelsumstraat 51, E-Commerce Park, Curaçao

Hollycorn N.V. acts as the primary entity responsible for determining the purposes and means of processing your personal information in connection with the Lets Lucky services available through letslucky-aussie.com.

What Personal Data We Collect

OBSERVE: Operation of an online casino requires identity data, technical identifiers, payment details, behavioural and transactional records, and cookie-based information.

EXPAND: To comply with KYC/AML and to operate gambling services, we must process a broad range of information, including sensitive financial behaviour (betting and gaming history). We also collect data for security, analytics, and marketing (where permitted).

REFLECT: Below we categorise the information we collect, aligning with Australian Privacy Principles and widely adopted international standards (such as GDPR-style categorisation) for transparency.

Personal identification and contact data

• Full name, date of birth, and gender (where provided).
• Residential address and country of residence.
• E-mail address (e.g., registered account, support and marketing communications).
• Phone number or mobile contact (if requested or voluntarily provided).
• Copies of identification documents (passport, ID card, driving licence), proof of address (utility bill, bank statement), and, where necessary, proof of payment method ownership.

Account, usage, and behavioural data

• Username, account ID, and internal profile information.
• Login timestamps, session duration, and language preferences.
• Game and betting history, including:
  • Games played, stakes, wins and losses, bonuses used, wagering contributions.
  • Frequency and intensity of play, self-exclusion and limit settings.
• Interaction with on-site features (clicks, page views, navigation paths).
• Marketing preferences, responses to promotions, and communication engagement (e.g., e-mail opens, link clicks).

Technical and device data

• IP address, approximate geolocation inferred from IP, and associated country.
• Device identifiers, browser type and version, operating system, screen resolution.
• Referrer URLs, login source, and traffic channel (e.g., affiliate site, campaign ID).
• Server logs capturing access times, error logs, and security-related events (e.g., repeated failed logins).

Payment and financial data

• Deposit and withdrawal history (amounts, currencies, timestamps, status).
• Payment method details (e.g., masked card numbers, e-wallet account identifiers, bank details as required for withdrawals).
• Transaction IDs and authorisation data as provided by payment processors.
• Records used for anti-money laundering (AML) checks and affordability assessments where applicable.

Cookies and similar technologies

• HTTP cookies, HTML5 local storage, and similar identifiers used to:
  • Maintain your session and remember login status.
  • Store language and display preferences.
  • Conduct analytics and performance measurement.
  • Support marketing and affiliate attribution, where legally permitted.
• Third-party pixels, tags, or SDKs integrated for analytics, fraud prevention, and marketing (with appropriate consent where required).

Where you provide us with personal data about another person (for example, as part of a payment verification or chargeback investigation), you confirm that you are authorised to do so and that the person is aware of this Privacy Policy.

Legal Basis for Processing

OBSERVE: Although Lets Lucky operates under Curaçao law and targets Australia as a grey market, our data handling framework is aligned with internationally recognised standards (such as GDPR concepts) and Australian Privacy Principles regarding lawful and fair processing.

EXPAND: We rely on multiple overlapping legal grounds: contractual necessity, legitimate interests, compliance with legal obligations (particularly KYC/AML and gambling regulation under the Curaçao licence), and user consent (primarily for marketing and non-essential cookies).

REFLECT: The following grounds apply depending on the specific processing context:

Performance of a contract

• To create and manage your player account.
• To process deposits, bets, wins, withdrawals, and bonuses.
• To provide customer support and handle your requests.
• To ensure the technical delivery of games, tournaments, and promotions you participate in.

Compliance with legal and regulatory obligations

• To conduct identity verification, age verification, and "know your customer" (KYC) checks.
• To comply with anti-money laundering (AML) and counter-terrorist financing (CTF) laws applicable in the licensing jurisdiction.
• To respond to requests from competent authorities, regulators, and law enforcement, where legally required.
• To maintain accurate business, transactional, and financial records for statutory retention periods.

Legitimate interests

• To secure our platforms, prevent fraud, abuse, and cheating, and protect the integrity of our games.
• To monitor service performance, conduct analytics, and improve usability and user experience.
• To enforce our Terms and Conditions, including investigating suspicious behaviour or potential policy breaches.
• To defend our legal rights and manage disputes and claims.

Consent

• To send you direct electronic marketing communications (e.g., promotional emails or SMS), where required by applicable law or where we choose to rely on express consent.
• To place and read non-essential cookies or similar technologies for advertising and personalised marketing, where consent is required.
• To process certain optional profile information you choose to provide.

Where we rely on consent, you may withdraw it at any time through your account settings (where available) or by contacting us at the addresses provided in this policy. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal, and we may still rely on other legal grounds where applicable (for example, AML obligations).

Purpose of Processing

OBSERVE: Data is necessary to operate an online gambling service, optimise performance, conduct legitimate marketing, and ensure security.

EXPAND: For transparency under Australian Privacy Principles and GDPR-style norms, purposes should be clearly linked to categories of personal data and legal bases.

REFLECT: We process your personal data for the following main purposes:

Provision and administration of gambling services

• Creating and maintaining your Lets Lucky account on letslucky-aussie.com.
• Enabling deposits, withdrawals, and in-game transactions.
• Operating casino games, bonuses, loyalty schemes, tournaments, and promotions.
• Providing customer support and resolving account-related issues.

Compliance, risk management, and responsible gambling

• Conducting identity checks, age verification, and ongoing due diligence.
• Monitoring transactions for AML/CTF purposes and suspicious activity.
• Implementing responsible gambling tools, such as deposit limits, cooling-off periods, and self-exclusion.
• Responding to regulatory and legal information requests.

Service improvement and analytics

• Analysing aggregated and pseudonymised usage data to understand which games and features are popular.
• Diagnosing performance issues, crashes, and bugs.
• Testing new features and user interfaces on a limited basis (e.g., A/B testing).

Marketing and personalisation

• Sending you news, promotions, and offers regarding Lets Lucky, subject to your preferences and applicable laws.
• Customising bonus offers based on your previous gameplay and preferences, where such profiling is permitted and appropriate safeguards are in place.
• Measuring the performance of campaigns and affiliate partnerships.

Security, fraud prevention, and dispute handling

• Detecting and preventing fraud, bonus abuse, chargebacks, and misuse of our services.
• Verifying the ownership of payment instruments and accounts.
• Handling complaints, chargebacks, legal claims, and regulatory inquiries.

Disclosure & Sharing

OBSERVE: Operation of Lets Lucky involves multiple third-party providers (payments, IT, game suppliers, marketing partners) and oversight by the Curaçao regulator, with potential exposure to foreign authorities.

EXPAND: We must describe categories of recipients, conditions of disclosure, and safeguards, reflecting APP 8 principles and GDPR-style transparency regarding processors and joint controllers.

REFLECT: We disclose personal data strictly on a need-to-know basis, under contractual and legal safeguards, as outlined below.

Service providers and processors

• Payment processors and banks: To process deposits, withdrawals, chargebacks, and AML checks. These may be located in the EU/EEA, the United Kingdom, or other jurisdictions supporting our financial operations.
• Game and platform providers: To supply casino games and related functionality through integrated platforms (e.g., certified aggregators). Limited player identifiers and gameplay data may be shared as required for game operation, dispute resolution, and regulatory audits.
• IT infrastructure and security providers: To host our services, store data, conduct backups, and monitor systems for security incidents.
• Customer support and communication tools: To manage support tickets, live chat, and transactional emails.
• Analytics and anti-fraud providers: To analyse usage patterns, detect suspicious transactions, and prevent account compromise.

Affiliates and marketing partners

• We may share limited information (such as anonymised or aggregated performance metrics, bonus eligibility criteria, or referral identifiers) with advertising networks and affiliate partners who promote Lets Lucky, primarily for attribution and campaign performance measurement.
• Where personal data is used for targeted advertising or direct marketing by third parties, we do so only where permitted by law and, where required, only with your consent.

Regulators, authorities, and dispute bodies

• Antillephone N.V. and other Curaçao authorities overseeing our licence, if they require access to specific records.
• Law enforcement, courts, or government agencies, when we are legally obliged to do so, or where disclosure is necessary to protect our rights, the rights of our players, or the safety of individuals.
• Payment dispute resolution entities and financial institutions when handling chargebacks or fraud investigations.

Corporate transactions

• In the event of a reorganisation, merger, asset sale, or acquisition of Hollycorn N.V. or the Lets Lucky business, your personal data may be transferred to the acquiring entity, subject to confidentiality and continuity of protections.

We do not sell your personal information as a standalone commercial product. Any sharing is governed by contracts requiring recipients to implement appropriate confidentiality and security measures and to use the data only for the specified purposes.

International Transfers

OBSERVE: Data processed for Lets Lucky is primarily controlled from Curaçao and may be stored or accessed from multiple jurisdictions due to the use of international service providers and payment channels.

EXPAND: In line with GDPR-style safeguards and APP 8 requirements, international transfers should be subject to contractual and organisational protections ensuring a comparable level of protection, even if local law is less strict.

REFLECT: By using letslucky-aussie.com, you acknowledge that your information may be processed outside your home country, under the safeguards described below.

Regions to which data may be transferred

• Curaçao: Primary jurisdiction for Hollycorn N.V. and core operational activities.
• European Union / European Economic Area (EU/EEA): Locations of certain payment processors, game providers, and infrastructure partners.
• United Kingdom and other third countries: Where specific service providers (e.g., hosting, analytics, customer support) are established.

Safeguards for international transfers

• Use of data processing agreements imposing confidentiality, security, and limited purpose use on all processors and sub-processors.
• Where required under EU-style frameworks, implementation of Standard Contractual Clauses (SCCs) or equivalent contractual provisions to protect personal data transferred outside of adequate jurisdictions.
• Technical safeguards, such as encryption in transit and at rest, access controls, and minimisation of data shared across borders.
• Organisational safeguards including strict access control, staff training, and internal policies on cross-border access to data.

While some recipient countries may not provide the same statutory level of data protection as your home jurisdiction, we take reasonable steps to ensure that your personal information is handled securely and in accordance with this Privacy Policy.

Data Retention

OBSERVE: Gambling, AML, and financial regulations generally require retention of player and transaction records for multiple years after relationship termination.

EXPAND: Under best-practice standards, retention periods must be clearly described, limited to what is necessary, and reviewed periodically. Australian users also expect clarity under APP 11 regarding destruction or de-identification.

REFLECT: We retain personal information only as long as necessary for the purposes described in this policy, including legal and regulatory requirements, after which it is securely deleted or anonymised.

Indicative retention periods

• Account and identification data: Typically retained for up to 5 - 7 years after account closure or last transaction, to comply with AML/CTF, financial record-keeping, and regulatory obligations.
• Transaction and betting history: Typically retained for up to 5 - 7 years after the relevant transaction or account closure, for accounting, audit, and dispute-handling purposes.
• Customer support records: Retained for up to 3 - 5 years after the case is closed, depending on the nature of the request and potential legal claims.
• Marketing data: Retained until you opt out of marketing or withdraw consent, and thereafter kept only in a minimal suppression list to ensure you are not contacted again, for as long as necessary.
• Technical logs and security records: Retained for shorter periods (typically from several months up to 2 years), unless longer retention is required due to investigations or legal holds.

Deletion and anonymisation

• When personal data is no longer required for the purposes for which it was processed, and no legal or regulatory retention obligation applies, we will delete or irreversibly anonymise it.
• Where complete deletion is not technically feasible (e.g., due to backup systems), we will isolate and protect the data from further active processing until deletion becomes possible.

Specific retention periods may vary depending on the applicable law, the nature of the information, and ongoing legal or regulatory proceedings. You may contact us for more detailed information regarding the retention applicable to your account.

Your Rights

OBSERVE: While Lets Lucky operates primarily under Curaçao law and serves Australian users in a grey-market environment, we align our privacy practices with key principles found in GDPR and leading regional privacy frameworks to provide a high standard of protection.

EXPAND: Users should have accessible mechanisms to exercise rights such as access, rectification, deletion, restriction, objection, portability, and withdrawal of consent, with clear timelines and cost conditions. Although the prompt mentions Mexican law, our primary focus is alignment with GDPR-like protections and Australian expectations; any references to foreign models are for benchmarking only.

REFLECT: Subject to applicable law and certain exemptions, you may exercise the following rights in relation to your personal information.

Right of access

• You may request confirmation as to whether we process your personal data and receive a copy of such data, together with an explanation of how it is used.

Right to rectification

• You may request correction of inaccurate or incomplete personal information. In many cases, you can update basic details directly in your account settings.

Right to deletion (erasure)

• You may request that we delete your personal information where:
  • It is no longer necessary for the purposes for which it was collected; or
  • You have withdrawn consent (where consent was the only basis) and no other legal ground applies; or
  • You have successfully objected to processing (see below).
• We may need to retain certain data despite your request where required by law (e.g., AML/CTF, accounting) or to establish, exercise, or defend legal claims.

Right to restriction of processing

• You may request that we temporarily restrict processing of your data where:
  • You contest the accuracy of the data (for the period necessary for us to verify it);
  • The processing is unlawful but you oppose deletion; or
  • We no longer need the data but you require it for legal claims.

Right to object

• You may object to processing based on our legitimate interests, including profiling related to such interests. We will assess your objection and cease processing, unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or processing is required for legal claims.
• You may object at any time to the use of your data for direct marketing, including profiling for such purposes. When you do so, we will stop using your information for direct marketing without undue delay.

Right to data portability

• Where technically feasible and legally required, you may request that we provide you with certain personal data you have provided to us in a structured, commonly used, machine-readable format or that we transmit it to another controller.

Right to withdraw consent

• Where we rely on your consent (for example, for direct marketing or non-essential cookies), you may withdraw that consent at any time:
  • By using unsubscribe links in marketing emails;
  • By changing preferences in your account (if available); or
  • By contacting us using the details in the "Complaints & Contacts" section.

Procedure, timeframes, and fees

• Requests can be submitted via e-mail to [email protected] or [email protected].
• We may ask you to verify your identity before acting on your request, particularly for access, deletion, or portability requests.
• We aim to respond to all valid requests within 30 days. If your request is complex or we receive numerous requests, this period may be extended; we will notify you of any extension and the reasons.
• We will handle your request free of charge, unless it is manifestly unfounded or excessive. In such cases, we may charge a reasonable fee or refuse to act on the request, as permitted by applicable law.

Some rights may be limited due to overriding legal obligations (e.g., AML retention), regulatory requirements under our Curaçao licence, or to protect the rights and freedoms of other individuals.

Cookies & Tracking Technologies

OBSERVE: Cookies are essential to provide a secure, user-friendly gaming experience and also support analytics and marketing.

EXPAND: Users should understand types of cookies, purposes, and control mechanisms, in line with ePrivacy-style best practices and Australian guidance on online tracking.

REFLECT: The following explains how we use cookies on letslucky-aussie.com and how you can manage them.

Types of cookies we use

• Session cookies: Temporary cookies that remain on your device only while your browser is open. They are essential for maintaining your login session, processing bets, and enabling secure navigation.
• Persistent cookies: Remain on your device for a defined period or until you delete them. They help remember your preferences (e.g., language, saved settings) and support long-term analytics.
• First-party cookies: Set directly by letslucky-aussie.com to operate the site and remember your preferences.
• Third-party cookies: Set by external providers integrated into our site, such as analytics, payment tools, or advertising and affiliate partners.

Purposes of cookies

• Strictly necessary / functional: Required for the website to function correctly, allowing secure login, account management, and core gameplay. These cannot be disabled via our internal tools without affecting service quality.
• Performance and analytics: Help us understand how visitors use our website, which pages are most popular, and how users move around the site. We use this information to improve usability and performance.
• Advertising and affiliate tracking: Used to measure the effectiveness of our marketing campaigns, to attribute sign-ups or deposits to affiliates, and, where allowed, to personalise promotional content.

Managing and disabling cookies

• You can manage cookies in your browser settings, including blocking or deleting cookies from letslucky-aussie.com or third parties. Instructions are typically available in your browser's "Help" or "Settings" section.
• Blocking or deleting strictly necessary cookies may result in parts of the website not functioning correctly or you being unable to log in or place bets.
• Where available, we may provide an internal cookie or privacy settings panel on letslucky-aussie.com allowing you to opt out of certain non-essential cookie categories (such as analytics or advertising).

For more information on cookies generally, you can consult independent resources such as browser documentation or consumer protection authority guidance in your jurisdiction.

Data Security

OBSERVE: Due to the sensitivity of financial and behavioural data in online gambling, robust security controls are critical.

EXPAND: We must describe technical and organisational measures aligned with recognised standards such as ISO 27001 and SOC 2 principles, as well as incident response and staff training, to provide assurance and meet APP 11 expectations regarding security of personal information.

REFLECT: While no system can be guaranteed 100% secure, Lets Lucky implements layered safeguards to reduce risks of unauthorised access, disclosure, alteration, or destruction of personal data.

Technical measures

• Encryption in transit: Data transmitted between your device and letslucky-aussie.com is protected by TLS (Transport Layer Security) version 1.2 or higher, helping prevent interception or tampering.
• Encryption at rest: Sensitive data is stored using industry-standard encryption and pseudonymisation techniques where appropriate.
• Access controls: Access to personal data is role-based and restricted to authorised personnel and systems requiring such access for legitimate purposes.
• Network and application security: Firewalls, intrusion detection/prevention systems, and secure development practices are used to reduce vulnerabilities.
• Backups and resilience: Regular backups and redundancy measures are in place to support recovery in case of data loss or system failure.

Organisational and procedural measures

• Policies and governance: Internal policies govern the handling of personal data, including acceptable use, data classification, and incident management.
• Staff training: Employees with access to personal data receive periodic training on privacy, confidentiality, and security best practices.
• Vendor due diligence: Third-party providers are assessed for their security posture and must adhere to contractual security and confidentiality obligations.
• Regular audits and assessments: Security controls and processes are subject to regular internal reviews and, where applicable, external audits or certification assessments aligned with recognised standards (e.g., ISO 27001-type frameworks or SOC 2 criteria).

Incident response

• A structured incident response process is in place to identify, assess, contain, and remediate security incidents.
• Where a data breach is likely to result in a significant risk to individuals' rights and interests, we will take appropriate steps, which may include notifying affected users and relevant authorities in line with applicable legal requirements and our regulatory obligations.

We encourage you to also play a role in safeguarding your information by using strong, unique passwords, enabling any available security features (such as multi-factor authentication when offered), and promptly notifying us if you suspect unauthorised access to your account.

Complaints & Contacts

OBSERVE: Users must have clear channels to raise questions, exercise rights, and lodge complaints. They should also know which supervisory authorities may be competent, particularly given our offshore status and grey-market operation in Australia.

EXPAND: Provide layered avenues: direct contact with Lets Lucky, internal escalation, and then external authorities, while clarifying jurisdictional limitations.

REFLECT: The following outlines how you can contact us or escalate concerns regarding our handling of your personal data.

Contacting Lets Lucky about privacy

• E-mail (privacy and general enquiries): [email protected]
• E-mail (support and account issues): [email protected]
• Postal address: Hollycorn N.V., Privacy Department, Heelsumstraat 51, E-Commerce Park, Curaçao
• Website: https://letslucky-aussie.com

Internal complaint procedure

1. Submission: Send your complaint or query with sufficient details (including your username, contact details, and a clear description of the issue) to one of the e-mail addresses above.
2. Acknowledgement: We will acknowledge receipt of your complaint, usually within 7 business days.
3. Investigation: Your complaint will be reviewed by appropriate personnel, which may include our privacy lead or a designated manager.
4. Response: We aim to provide a substantive response within 30 days of receiving a complete complaint. If more time is required due to complexity, we will inform you of the delay and expected timeframe.
5. Escalation: If you are not satisfied with our response, you may request further internal review, and we will indicate if any additional escalation options through our licensing body are available.

External supervisory authorities

The primary regulatory oversight for Lets Lucky's gambling operations is provided by authorities in Curaçao (including Antillephone N.V.). However, data protection and consumer protection authorities in your country of residence may also offer guidance or accept complaints, depending on their jurisdictional rules.

• Curaçao (licensing/regulatory authority):
  Antillephone N.V.
  E-mail and contact details are available via the official Antillephone N.V. website.
• Australia: While Lets Lucky is not licensed by the Australian Communications and Media Authority (ACMA) and operates as an offshore service, you may seek general advice on online gambling and consumer protection matters from:
  • Australian Communications and Media Authority (ACMA) - for information and complaints regarding interactive gambling services offered to Australians.
  • Office of the Australian Information Commissioner (OAIC) - for general guidance on privacy rights and, where applicable, complaints about mishandling of personal information by entities subject to Australian law.

Contact details for these authorities are available on their official websites. When contacting any authority, you may be asked to first attempt resolution directly with us, and jurisdictional limitations may apply because Lets Lucky is operated by an offshore entity.

Updates

OBSERVE: Privacy policies must evolve with changes in services, legal requirements, and regulatory expectations.

EXPAND: We need to describe how users will be informed of updates, maintain versioning, and provide advance notice for material changes affecting users' rights, consistent with transparency principles.

REFLECT: The following explains how we manage updates to this Privacy Policy and how you will be notified.

How and when we update this policy

• We may update this Privacy Policy from time to time to reflect:
  • Changes in our services, technologies, or business structure;
  • Updates in legal or regulatory requirements in Curaçao or other relevant jurisdictions; or
  • Feedback from users or developments in industry best practices.
• The "Last updated" date at the end of this document indicates the most recent material revision.

Notification of material changes

• For significant changes that materially affect how we process your personal data or your rights, we will provide advance notice of at least 30 days where feasible, by one or more of the following methods:
  • Prominent banner or notice on letslucky-aussie.com;
  • Notification within your account dashboard (for registered players);
  • E-mail notification to the address associated with your account.
• Minor updates that do not materially affect your rights (for example, editorial clarifications or structural rearrangements) may be implemented without individual notification, but the updated policy will always be available on letslucky-aussie.com.

Your options if you disagree with changes

• If you do not agree with a revised version of this Privacy Policy, you may:
  • Discontinue use of our services; and
  • Request account closure and, where applicable, exercise your rights concerning your personal data as described in the "Your Rights" section.
• Continued use of the services after the effective date of any updated policy will be treated as your acknowledgement of the changes, to the extent permitted by applicable law.

Last updated: November 2025 (treated as applicable and in force through 2026, subject to further updates published on letslucky-aussie.com).