Privacy Policy

Last updated: 15. January 2026

Controller / Data Processor and Overview

“GAMBLIO” LLC PODGORICA (hereinafter “Gamblio”, “we”, “us”, or “our”)

Registered office: Miloja Pavlovića Street No. 110, Podgorica, Montenegro

TIN: 03683923

If you are a customer or user of a gambling operator that uses Gamblio, your relationship regarding personal data will typically involve three parties: (1) the player / end user; (2) the gambling operator (our direct customer, often the data controller); and (3) Gamblio (the data processor or, depending on the service, a joint controller).

This Privacy Policy explains how Gamblio collects, uses, stores, shares, and protects personal data in connection with the Gamblio Platform and Services.

For the purposes of applicable data protection laws, Gamblio acts primarily as a data processor on behalf of its Licensees (gambling operators), who determine the purposes and essential means of processing player personal data. Gamblio processes personal data solely on documented instructions of the Licensee, as set out in the applicable License Agreement and related documentation. Gamblio does not independently determine the purposes of player profiling, segmentation, scoring, responsible gaming actions, or AML-related measures. Any analytics, predictions, scores, segments, or signals generated by Gamblio are provided as decision-support tools for the Licensee.

Gamblio may act as an independent controller only in limited circumstances, such as processing personal data related to its own website, marketing activities, recruitment, or internal business operations, as described in this Privacy Policy. Where applicable, such processing is clearly separated from Licensee-controlled player data.

1. Scope and purpose

This Privacy Policy applies to personal data processed by Gamblio in the provision of the Gamblio Platform and Services, which include:

* Gamblio Analytics (BI and reporting);
* Gamblio Predict (player behavior modeling, segmentation, VIP, churn, bonus-hunter, responsible gaming signals);
* Gamblio uChoose (game recommendation engine);
* Gamblio Care (AI chat agent and Customer Care console);
* Integrations, widgets, SDKs, and managed streaming endpoints (Kafka / RabbitMQ); and
* Professional services (deployment, onboarding, custom integrations, support).

It covers personal data provided directly by our Licensee (the gambling operator), data generated by end users interacting with Licensee platforms and Gamblio widgets, and certain information we collect when you interact with Gamblio’s own websites, support channels or marketing materials.

Our handling of personal data is guided by strict management and security standards, including ISO 9001:2015 for quality management, ISO/IEC 27001:2022 for information security, and ISO/IEC 42001:2023 for responsible AI management, ensuring processes are robust, controlled, and continually improved.

2. Key principles

We commit to:

* Processing personal data only for specified, explicit, and legitimate purposes;
* Minimizing the amount of personal data collected and processed;
* Implementing reasonable technical and organizational measures to protect personal data, in line with our ISO 9001, ISO 27001, and ISO 42001 certified management systems;
* Assisting customers (Licensees) in meeting their legal obligations (e.g. responding to data subject rights requests, recordkeeping); and
* Not using personal data for secondary purposes incompatible with the original purpose without appropriate legal basis or consent.

3. What personal data we collect

Data types processed depend on the service and the integration model used by the Licensee. Data may be provided directly by the Licensee via streaming (Kafka/RabbitMQ), API, or widgets, or derived from those inputs.

### Player / End-user data

* Identifiers: player ID, First name, Last name, username (if provided by operator), email address (hashed or plain depending on configuration), phone number (if provided by operator), external identifiers (CRM ID).
* Authentication & access data: authentication token metadata, session IDs, last login times, date the player has registered on the platform.
* Contact & account info: name (if provided), billing name, IP address, country/region, language, timezone (as sent by operator).
* Personal attributes: date of birth or age bracket (if provided), country, city, gender (if provided), KYC status, verification status.
* Financial & transactional data: deposits, withdrawals, payment method identifiers, amounts, transaction timestamps, transaction IDs, payout requests, refunds.
* Gaming & behavioral data: bets, wins, losses, stake sizes, game IDs, round IDs, game provider/vendor ID, product vertical (casino, sports, virtual), session start/end, play patterns, device and client information, game choices, in-game events.
* Bonus & promotions data: bonuses awarded, redeemed, wagering progress, promotions participation, promotional codes.
* Support & communication data: chat transcripts (AI and agent), support tickets, feedback, complaint history, agent notes.
* Risk & compliance signals: suspicious activity flags, fraud scores, AML/RG indicators, deposit spikes, self-exclusion flags.
* Derived data / models: churn scores, VIP scores, prediction outputs, segment labels (e.g., “Bonus Seeker”, “Chaser”, “Bonus Enthusiast”, “Bonus Abuser”), propensity scores, and other profiling outputs generated by Gamblio models.

### Gamblio Website / Marketing / Admin data

* Contact forms, business contact details (for licensees or prospects), job applicant data, cookies and analytics from our public site, IP addresses, and correspondence records.

### Logs and metadata

* System logs, audit trails, diagnostic data, timestamps, and other metadata needed for security, monitoring, billing, and troubleshooting.

Such segment labels and model outputs are technical and statistical classifications used internally within the platform and do not represent factual statements, value judgments, or assertions about an individual’s intent, character, or compliance. These labels are configurable by the Licensee and are intended solely to describe observed behavioral patterns within defined datasets.

4. GDPR Compliance

Gamblio is committed to complying with the European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) in all processing of personal data originating from the EU/EEA. As part of this commitment:

* Lawful processing: All personal data is processed lawfully, fairly, and transparently, with clear legal bases such as performance of contract, consent, legitimate interests, or legal obligations.
* Data subject rights: Individuals have the right to access, rectify, erase, restrict, or object to processing of their personal data, as well as the right to data portability and to lodge complaints with supervisory authorities. Gamblio cooperates with Licensees to facilitate these rights.
* Data minimization and purpose limitation: Only data necessary for the defined services and purposes is collected and processed, in line with GDPR principles.
* Data security and risk management: Technical and organizational measures follow ISO/IEC 27001:2022, ISO 9001:2015, and ISO/IEC 42001:2023 standards to ensure confidentiality, integrity, and availability of personal data.
* International transfers: Transfers of personal data outside the EU/EEA are conducted under appropriate safeguards such as Standard Contractual Clauses, encryption, and isolated hosting arrangements.
* Accountability and transparency: Gamblio maintains documentation and records demonstrating GDPR compliance and ensures that all subprocessors adhere to equivalent standards for protection and lawful processing.

This ensures that Gamblio’s services are fully aligned with GDPR obligations while supporting Licensees in maintaining their own compliance responsibilities.

5. Sources of data

We obtain personal data from:

* Licensees / Operators — primary source: via streaming (Kafka/RabbitMQ), REST APIs, direct database import (historical data import only, optional), or widget SDKs/snippets embedded in the operator’s platform;
* End users — when interacting with operator platforms that use Gamblio widgets (e.g., chat widget or recommendation widget) or when providing data to the operator;
* Third parties — payment processors, identity verification vendors, fraud and AML providers, public sources or partners, as authorized by our Licensee; and
* Gamblio systems — automatically generated logs and model outputs.

6. Purposes of processing

We process personal data to provide and improve our Services, including but not limited to:

* Service delivery & platform operation: ingesting events, powering dashboards, generating reports, storing and querying transactional data required to deliver the contracted functionality.
* Analytics & BI: aggregating and analyzing transactional and behavioral data to provide KPIs, reports, visualizations, and insights.
* Predictions & segmentation: training and running ML models to produce VIP scores, churn risk, bonus-hunter classification, RG signals, and other segments used by Licensees to improve operations.
* Recommendations: generating personalized game suggestions to increase engagement and monetization (uChoose).
* Customer support: powering AI chat responses, storing chat transcripts, enabling agent takeover with context, and running ticketing and monitoring systems (Care).
* Fraud, risk & compliance: detecting suspicious patterns, triggering alerts, and supporting Responsible Gaming/AML actions.
* Security & reliability: protecting systems from abuse, monitoring performance, debugging, and incident response.
* Billing, invoicing & contract management: calculating usage metrics, issuing invoices, managing billing disputes.
* Legal & regulatory obligations: responding to lawful requests from authorities, retaining records required by law, and legal defense.
* Product improvement & research: improving models, debugging, and developing features (using pseudonymized / aggregated data where possible).
* Marketing & communications: contacting Licensee contacts about the Services (with appropriate lawful basis).

Gamblio does not qualify as an obligated entity under gambling, AML, or counter-terrorism financing laws and does not replace the Licensee’s regulatory responsibilities.

Any fraud, AML, or responsible gaming indicators provided by Gamblio are informational and advisory in nature and must be independently assessed and acted upon by the Licensee in accordance with applicable law.

7. Legal bases for processing

Where applicable (e.g., under EU/EEA data protection laws), Gamblio relies on the following legal bases:

* Performance of contract: processing necessary to perform the Agreement with the Licensee (e.g., ingesting transaction events, providing dashboards, model outputs).
* Legitimate interests: for operations, security, fraud detection, and system improvement (we balance interests against individuals’ rights).
* Consent: where required for optional marketing or certain tracking cookies on Gamblio websites.
* Legal obligation: to comply with legal or regulatory requirements.
* Legal necessity for compliance or defense: where needed to respond to legal claims or investigations.

Note: Typically, Licensees (operators) act as the data controller for player data; Gamblio acts as a processor acting on the Licensee’s instructions. Where Gamblio acts as a controller (e.g., for our own website or as otherwise specified), we will identify the legal basis for that processing individually.

8. Recipients and subprocessors

To deliver the Services, Gamblio may share personal data with:

* Our subprocessors / service providers, including but not limited to: cloud hosting providers, managed Kafka/RabbitMQ services, CDN and SDK providers, payment and identity service integrators (as instructed by Licensee), analytics and monitoring services, and outsourced support providers.
* Licensee-authorized third parties (e.g., affiliates, consultants) with prior authorization.
* Law enforcement, regulators or courts when legally required.
* Prospective buyers, advisors in the event of M&A (with contractual safeguards).

We maintain a current list of subprocessors and will update Licensees whenever we add or materially change subprocessors. We require subprocessors to implement appropriate technical and organizational measures compatible with this Policy and any relevant agreements (e.g., Service License Agreement or adequate Appendix).

9. International transfers

Gamblio operates globally. Personal data may be transferred or accessed outside the Licensee’s jurisdiction, including to countries that may not provide the same level of data protection as the country of origin. Where transfers occur, we implement appropriate safeguards such as:

* Standard Contractual Clauses (SCCs) or other approved transfer mechanisms;
* Adequate technical and organizational safeguards (encryption, access controls);
* Hosting in customer-specific, isolated environments when requested and agreed; and
* Where required by local law, additional contractual assurances.

Licensees requiring specific transfer mechanisms (e.g., on-premise, EU-only hosting) should agree to such terms in the contractual documentation.

10. Data retention and deletion

We retain personal data only as long as necessary to fulfill the purposes described in this Policy, or as required by contract or law. Retention specifics:

* Operational / transactional data: retained for the period required by the Licensee and for billing, auditing, and dispute resolution (default: 5 years, but depending on the terms signed in the SLA).
* Model training data & derived models: retained in pseudonymized or aggregated form as needed to improve services (subject to Licensee instructions and License Agreement/Service License Agreement).
* Support & chat transcripts: retained for a configurable period to meet operational and compliance needs.
* Marketing & website cookies: retention depends on cookie type; consented cookies are retained per user selection.

Upon termination of the Agreement, Gamblio will, at the Licensee’s choice, either return the Licensee’s data or delete it after a reasonable grace period; deletion procedures and timelines are set out in the Agreement. After deletion, we may retain non-identifying aggregate or anonymized data for product analytics.

11. Security measures

We maintain industry-standard technical and organizational measures to protect personal data, including:

* ISO 27001 certified information security management;
* Network and application firewalls, intrusion detection and prevention;
* Encryption of data in transit (TLS) and at rest (AES-256 or equivalent);
* Role-based and least privilege access controls (RBAC);
* Strong authentication mechanisms for administrative access (2FA);
* Regular security testing, vulnerability scanning, and patch management;
* Logging, monitoring, and incident response processes;
* Data minimization and pseudonymization where possible; and
* AI model management per ISO 42001.

Despite these measures, no system is perfectly secure. In the event of a data breach, Gamblio will follow incident response procedures and notify affected Licensees and authorities in accordance with applicable law and contractual obligations.

12. Automated decision-making and profiling

Gamblio uses automated processing and profiling (machine learning models) to score and segment players (e.g., churn prediction, VIP scoring, bonus-hunter classification, RG risk). These outputs are used to inform operator actions (e.g., targeted offers, agent interventions).

* Human oversight & transparency: Gamblio surfaces model explanations, confidence levels, and the features that contributed to a prediction to help Licensees understand model outputs.
* Automated decision making and profiling: The outputs generated by Gamblio’s models are designed to support human decision-making by the Licensee and do not, by default, constitute decisions producing legal or similarly significant effects within the meaning of Article 22 of the GDPR. Gamblio does not autonomously apply restrictions, grant or deny bonuses, impose limits, suspend accounts, or take any other action that would directly affect a player’s legal position or access to services.
* Operator control & overrides: Licensees retain the ability to review, adjust, or override automated decisions (for example, by manual tagging, threshold changes, or disabling automated actions).
* Rights: Where local law grants individuals the right not to be subject to solely automated decision-making producing legal or similarly significant effects, Licensees (controllers) and Gamblio (as processor) will ensure appropriate safeguards, human review, and appeal mechanisms.

13. Data subject rights

Depending on applicable law, data subjects (players / end users) may have rights including, but not limited to:

* Right to access their personal data;
* Right to rectification;
* Right to erasure (“right to be forgotten”);
* Right to restriction of processing;
* Right to data portability;
* Right to object to processing (including profiling) based on legitimate interests;
* Right to withdraw consent where consent is the legal basis; and
* Right to lodge a complaint with a supervisory authority.

How to exercise rights: In most cases, players should contact the gambling operator (the data controller) to exercise their rights. Gamblio will cooperate with Licensees to facilitate responses and will process direct requests from data subjects where applicable (e.g., for Gamblio-controlled data such as website contacts). Contact details are provided below.

14. Cookies, tracking & web analytics

Gamblio’s website and widgets may use cookies and similar technologies for:

* Essential functionality (session cookies);
* Performance and analytics (e.g., platform usage metrics that help us improve services);
* Marketing and personalization (only with consent where required).

Our widgets can be configured by Licensees to pass identifiers or session tokens so Gamblio can provide personalized recommendations or chat history. Cookie and tracking details for Gamblio’s public site are documented in our Cookie Policy and cookie banner/consent flow.

15. Children

The Services are intended for use by adults in regulated gambling environments. We do not knowingly collect personal data of children under the legal gambling age applicable in the player’s jurisdiction. If we become aware that we have collected personal data of a person under the applicable legal gambling age, we will take steps to delete that data and notify the Licensee.

16. Responsibilities of Licensees

Licensees are typically the data controllers for player data. Licensees must:

* Provide appropriate legal bases for collecting and sharing personal data with Gamblio;
* Ensure they have valid consents (where required), lawful grounds, and appropriate notices for data collection and sharing;
* Configure widget and API integration in a privacy-compliant manner;
* Direct Gamblio on processing instructions via the LA and SLA; and
* Cooperate with Gamblio to honor data subject requests, security incidents, and regulatory inquiries.

Gamblio’s processing of player data is performed on documented instructions from the Licensee and under the License Agreement executed between Gamblio and the Licensee. Licensees are solely responsible for providing transparent privacy notices to players, identifying the appropriate lawful bases for profiling and AI-assisted personalization, and ensuring compliance with restrictions on automated decision-making under applicable law.

17. Third-party services and links

Gamblio may use third-party vendors (subprocessors) to host data, provide analytics, or deliver support. We vet subprocessors and contractually require them to protect data. Our website may contain links to third-party sites; Gamblio is not responsible for their privacy practices.

18. Data breaches and incident response

We maintain incident response plans and will notify Licensees without undue delay after discovering a security incident affecting Licensee data. Notifications will include relevant information to support Licensee obligations (e.g., data breach notifications to regulators or data subjects), subject to applicable law and contractual terms.

19. International operations and transfers

Gamblio is an international service. Data may be processed in Montenegro or other jurisdictions. Where personal data is transferred outside the EEA/UK or other applicable regions, we rely on appropriate safeguards (e.g., SCCs, adequacy decisions, encryption, and contractual protections) or operate isolated tenant deployments where contractually agreed.

20. Data protection officer and contact

If you have questions about this Privacy Policy, or wish to request records or exercise data subject rights, contact us at:

Email: legal@gamblio.ai

Postal: GAMBLIO LLC, Miloja Pavlovića Street No. 110, Podgorica, Montenegro

For operational or technical enquiries (Licensees / integrators), please use your assigned Customer Success contact. If you are an end user (player), please contact the operator (the platform where you play) in the first instance to exercise rights; Gamblio will cooperate with the operator to fulfill lawful requests.

21. Complaints

If you are not satisfied with our response to a privacy concern, you may lodge a complaint with the relevant supervisory authority in your jurisdiction. Gamblio will cooperate with supervisory authorities and Licensees in any investigation.

22. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or services. We will publish updated policies on our website and update the “last updated” date. Material changes affecting Licensees’ processing will be communicated in advance and included in contractual updates where required.

23. Additional contractual safeguards

Licensees and Gamblio enter into a License Agreement that sets out:

* Roles and responsibilities (controller vs processor);
* Detailed processing instructions;
* Subprocessor lists and notification procedures;
* Security measures and breach notification obligations;
* Data retention, return and deletion procedures; and
* International transfer mechanisms.

The LA supplements this Privacy Policy and prevails to the extent of any conflict concerning the Licensee-specific processing.

24. Glossary and a note on profiling & fairness

Glossary / quick definitions:

* Licensee / Operator: Gambling operator contracting with Gamblio.
* Player / End user: Person who plays on the Licensee’s platform.
* Controller: Entity that determines purposes and means of processing personal data.
* Processor: Entity that processes personal data on behalf of a controller.
* Subprocessor: Third party engaged by Gamblio to process data on its behalf.

25. A note on profiling & fairness

Gamblio’s models are developed to improve player experience and protect business integrity. We use explainability tools, manual overrides, and human review to minimize bias. Model performance and thresholds can be tuned by Licensees to respect local market conditions and fairness requirements.