Privacy Policy
Plain-language explanation of how we handle your data, what rights you have, and how to exercise them.
Information We Collect
We collect the following categories of personal data:
- Account Information. Name, email, date of birth, phone number, country of residence, residential address.
- Identity Verification. Government-issued photo ID, proof of address, optional liveness selfie. Held under our KYC Policy.
- Financial Data. Payment-method details (only the last four digits of cards are stored — full PAN handled by PCI-DSS-compliant payment providers), transaction history, wallet balances, and source-of-funds information where Enhanced Due Diligence is triggered.
- Technical Data. IP address, device fingerprint, browser type, operating system, screen size, time-zone, and referrer.
- Behavioural Data. Login times, gameplay activity, session duration, click and tap patterns, betting patterns, and other interaction telemetry used for fraud-detection and responsible-gambling indicators.
- Communication Data. Support tickets, emails, in-app messages, complaint submissions, and the records of our responses.
- Marketing Preferences. Your opt-in or opt-out status for email, SMS, push, and in-app marketing channels.
How We Use Your Data
- Providing and maintaining the gaming platform.
- Processing deposits, withdrawals, and wagers.
- Verifying your identity (KYC) and ongoing AML obligations.
- Detecting and preventing fraud, money laundering, and bonus abuse — including automated risk scoring (see §10).
- Operating responsible-gambling tools, enforcing self-exclusion, and supporting family-member concerns.
- Communicating account updates, security alerts, regulatory notices, and — where you have opted in — promotional offers.
- Improving our services through aggregated analytics and performance monitoring.
- Complying with legal and regulatory obligations (Anjouan licensing, AML, tax, consumer-protection rules, regulator information requests).
Legal Basis for Processing
We process your data on these legal bases:
- Contractual necessity — to provide the Service we’ve contracted to provide.
- Legal obligation — KYC, AML, sanctions screening, audit-log retention, regulator reporting.
- Legitimate interest — fraud prevention, account security, integrity of games, and business operation. Where we rely on legitimate interest, we balance it against your rights and document the analysis.
- Consent — for marketing communications and for non-essential cookies. Consent is freely given and you can withdraw it at any time without affecting other processing.
Data Retention
Different categories of data are retained for different periods, by law:
- Account data — duration of the account plus 5 years after closure (anti-money-laundering requirement).
- Transaction records — 7 years.
- KYC documents — 5 years after account closure.
- Immutable audit trail (every regulated decision and event on the platform) — 7 years per License Conditions §13. The trail is append-only and hash-chained; even after primary KYC documents are deleted, a cryptographic hash remains as evidence that verification occurred.
- Complaint files — 7 years after the complaint is closed.
- Marketing-preference data — held until you change your preferences. Opt-out records are retained for evidence of compliance.
You may request deletion of data not covered by a legal retention obligation at any time — see §6.
Your Rights
Subject to applicable law, you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of data not subject to legal retention requirements.
- Restriction — limit how we process your data.
- Portability — receive your data in a structured, machine-readable format and have it transferred to another controller where technically feasible.
- Objection — object to processing based on legitimate interest. We balance the objection against operational needs.
- Withdrawal of consent — for marketing communications and non-essential cookies. Withdrawal does not affect processing already done.
- Human review of automated decisions — see §10.
- Complain to a supervisory authority — to the AOFA data office (contact TBC) and, where you are resident in a jurisdiction with its own privacy regulator, to that authority too.
To exercise these rights, contact our Data Protection Officer at privacy@huli.bet. We respond within 30 days; complex requests may take up to 60 days with written notice to you.
Security Measures
We implement industry-standard security measures, including:
- Encryption of data in transit (TLS 1.3 minimum) and at rest (AES-256).
- JWT-based authentication with short-lived access tokens, HttpOnly / SameSite / Secure cookies, and refresh-token rotation.
- Device fingerprinting and behavioural analytics for fraud and bot detection.
- Rate limiting, IP blocking, and 24/7 security monitoring.
- Segregated KYC store with role-based access; every access logged in the immutable audit trail.
- Regular external penetration tests and an internal vulnerability programme.
- Mandatory security training for all staff with access to player data.
No method of transmission over the Internet or method of electronic storage is 100% secure. We use commercially reasonable means to protect your data but cannot guarantee absolute security. Notify us immediately at support@huli.bet if you suspect unauthorised access to your Account.
International Transfers
Your data may be processed in jurisdictions outside your country of residence. The principal processing locations are:
- Anjouan / hosting region — primary application hosting and primary data store.
- European Union — payment-processing partners (Stripe and equivalent) under their own data-protection compliance.
- United States — backups, anti-fraud telemetry processing, and selected business tooling.
Where data is transferred outside your jurisdiction, we apply appropriate safeguards: Standard Contractual Clauses (or equivalent transfer mechanism) with the receiving party, encryption-only transfers for sensitive payloads, and data-minimisation to limit the data crossing the border to what is strictly necessary.
Automated Decision-Making
Some decisions on the Service are made or assisted by automated systems — notably fraud detection (where device-fingerprint and behavioural-telemetry signals produce a risk score that may pause a deposit or flag an Account for review) and responsible-gambling indicators (where unusual play patterns may surface a recommended-limit prompt).
You have the right to:
- Human review of any decision that materially affects you, on request to privacy@huli.bet.
- An explanation of the principal factors that drove the decision (we cannot reveal the precise model thresholds, which are confidential and would compromise the controls).
- Contest the decision through our Complaints & Disputes procedure.
Data Protection Officer
Our Data Protection Officer is to be appointed and named here, contactable at privacy@huli.bet. The DPO is independent, reports to the operator’s board, and is the point of contact for any data-protection question, request, or complaint.
If we cannot resolve your concern, you have the right to escalate to the AOFA data office (contact TBC) or to the data-protection authority in your jurisdiction of residence.
Children's Data
The Service is for adults only. We do not knowingly collect personal data from anyone under the age of 18 (or higher local age of majority). If we discover that we have collected data from a minor, we delete it from primary stores immediately, retaining only the cryptographic-hash record required for our immutable audit trail.
If you are a parent, guardian, or other responsible adult and you believe we may hold data on a minor, please contact underage@huli.bet immediately. See our Underage Gambling policy for the broader procedure.
Changes to This Policy
We may update this Privacy Policy at any time. For material changes (new data categories, new processing purposes, new sharing categories, retention changes) we notify you via email or in-app notification at least 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance.
Prior versions are superseded but retained in our immutable audit trail; you can request a copy of any prior version from privacy@huli.bet.
Contact
For privacy-related inquiries, contact our Data Protection Officer at privacy@huli.bet. For other questions, support is at support@huli.bet.
This policy mirrors Anjouan Offshore Financial Authority (AOFA) License Conditions APR-2026 §13 (audit retention), applicable AML rules, and mainstream privacy frameworks. It is drafted in good faith but is subject to final review by qualified counsel before being relied upon for any specific legal purpose.