Privacy Policy
Owner and Proprietor
The Bombay Group, hereafter referred to interchangeably as "Bombay", "Bombay Group",
"Company", "Group", "we", "our", "us", "House", or the "Organiser", is the sole proprietor and
owner of the Bombay Group brand and its associated entities, which include our subsidiaries,
sister companies, and associated brands, including Chesterfield Poker Club, and the Bombay
Club. Additionally, it will extend to any new casinos and/or entities registered under the Bombay
Group.
Registered Address: Harju maakond, Tallinn, Kesklinna linnaosa, Rataskaevu tn 5, 10123
Company Registration Number: 16132057
For the purposes of data control and processing in accordance with applicable laws and
regulations related to your use of our services, both Bombay Group OÜ and Kopikas
Entertainment OÜ act as Joint Controllers of your personal data. Within the context of this
notice, these entities will be collectively referred to as “Bombay,” “Club,” “we,” “our,” or “us”.
We value our guests ("you") and your privacy, ensuring the highest standards to protect your
personal data.
Compliance with Data Protection Laws
We process personal data in accordance with applicable personal data protection laws,
including the Regulation of the European Parliament and the Council (EU) 2016/679 ("GDPR")
and the Personal Data Protection Act of Estonia.
Bombay Group OÜ respects your right to privacy and ensures that you can exercise your rights.
Further details on how to do so are provided below.
Please note that we may update this Privacy Policy from time to time, and we will notify you of
any changes. The latest version will always be available on our website.
Terms and Definitions
Data Subject: Identified or identifiable natural person whose data is processed.
Personal Data: Any information concerning an identified or identifiable natural person ("data
subject"). An identifiable natural person is someone who can be identified, directly or indirectly,
using attributes such as name, personal identification code, location information, network
identifier, or physical, physiological, genetic, mental, economic, cultural, or social characteristics.
Processing of Personal Data: Any automated or non-automated operation or set of operations
performed on personal data, including collection, documentation, organisation, structuring,
storage, modification, querying, reading, use, transfer, distribution, joining or combining,
restriction, deletion, or destruction.
Profiling: Any automated processing of personal data to evaluate certain personal aspects of
an individual, particularly regarding performance, financial status, health, personal preferences,
interests, reliability, behaviour, location, or movements.
Controller: A natural or legal person, public entity, agency, or body that determines the
purposes and means of processing personal data.
Processor: A natural or legal person, public entity, agency, or body processing personal data
on behalf of the controller.
Special Categories of Personal Data: Personal data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership, as well as processing
genetic data, biometric data for unique identification, health data, or data concerning an
individual’s sex life or sexual orientation.
Third Party: A natural or legal person, public entity, agency, or body, other than the data
subject, controller, processor, or those authorised to process personal data under the direct
responsibility of the controller or processor.
Consent: A voluntary, specific, informed, and unambiguous statement by which a data subject
agrees to the processing of their personal data.
Data Controller
Company Name: Bombay Group OÜ (16132057)
Address: Suur-Patarei 13, 10415 Tallinn, Estonia
Contact Email: [email protected]
Cookies
Our website utilises cookies, which are small data files exchanged between your computer's
browser and our web server. Some cookies are essential for the website's functionality and
cannot be opted out of, while others can be controlled by you. You may change your cookie
preferences at any time. Further details can be found in our Cookie Policy.
Categories of Personal Data
We collect and retain personal data according to the following categories and retention periods:
Category | Data Included | Retention Period
Member, Guest / Service User | Name, Date of Birth, Identity Documentation (Image), Gender, Nationality, Ethnicity, Biometric Data, Address, Email Contact, Telephone Contact, Visits, Interactions with us (including Emails and Phone Calls). | 7 years
Finance & Due Diligence | Name, Date of Birth, Identity Documentation (Image), Gender, Nationality, Ethnicity, Biometric Data, Address, Winnings, Invoices, Applications, Financial Transaction History, Bank Account Details, Bank Card Details, Payment Service, Wealth Profiles, 3rd Party Wealth Referencing Data, 3rd Party Adverse Media Referencing Data, Records of Civil and Criminal Proceedings, Data from Regulatory or Government Authorities, Gaming Complaints or Disputes, Source of Wealth and Funds, Lifestyle and Social Circumstances, Occupation, Employment and Educational History, Family and/or Political Connections. | 7 years
Marketing | Personal data and gaming preferences. | 7 years
Gaming History | Visits, Gaming Transactions, Payment Transactions, Gaming Complaints and Disputes, Financial Transactions, Gaming Behaviour. | 7 years
Complaints & Issues | Complaints and evidence of unlawful activities. | 7 years
AV Recordings | Audio Recordings within operational areas, CCTV of Gaming Tables and the Premises, Facial Recognition and Incident Management. | 7 years
AV Recordings: CCTV, Facial Recognition and audio recording software are active upon
entry to the Club and throughout the casino premises, to enable the effective monitoring and
traceability of individuals. We do this in order to prevent and investigate any crime or breaches of
regulations, and to uphold our License conditions or Club Rules. We also use CCTV across the
perimeters of our premises.
Data we may process under a legal obligation
Basis: We have a legal obligation to collect and process specific Personal Data on each Guest
and/or Entrant, and each candidate for membership pursuant to the Money Laundering and
Terrorist Financing Prevention Act, the Gambling Act 2008, and as a condition of our licence
granted by the Estonian Tax and Customs Board, the List of persons with restrictions on
gambling (HAMPI), which has been operational since 1 January 2016. Please visit HAMPI for
further information.
Type of Data: Member, Guest / Service User; Complaints & issues; Finance & Due Diligence;
Gaming History and AV Recordings.
When Data is Processed: We may collect and process this Personal Data in circumstances
including, but not limited to, the following:
● When you apply for membership / access to services, enter the Club, use its facilities,
or when you update your personal details or ID documents with us.
● When we verify your identity and personal details, or when we conduct security, due
diligence, gaming dispute and/or compliance checks.
Your Rights: Because the Personal Data referred to above is processed pursuant to a legal
obligation, there is no right to erase or object to this data, or have this data made portable.
Data we may process under our contract with you
Basis: When you become a member and/or access our services, you enter into a contract
with us to provide certain services to you. This contract includes relevant Club/Premise
Rules. It is necessary for us to process certain Personal Data about you in order to provide
those services to you, including to maintain our accounts and records, to support and manage
our staff, our customer services, and for the purposes of administration.
Type of Data: Member, Guest / Service User; Finance & Due Diligence; Gaming History;
Complaints & issues and AV Recordings.
We process source of revenue and source of wealth in order to carry out risk reduction
assessments and to provide you with additional account services, applied for as a Guest
accessing our Services.
When Data is Processed: We may collect and process this data:
● When you apply for Membership, access our Services, use our Facilities, or when you
update your personal details or ID documents with us; and
● When we verify your identity and personal details, or when we conduct customer due
and enhanced diligence checks (including checks with 3rd parties); and
● When you contact us, request services, report a problem, or wish to make a complaint.
Your Rights: You have the right to ask us to erase such Personal Data collected pursuant to
our contract with you, and we will delete any such Data (other than data we are required to
retain in accordance with our Legal Obligations). In relation to this Data, you also have the right to
data access and data portability.
Data we may process with your specific consent
Basis: When you become a Member or Access our Services, we will ask your express
permission to contact you in relation to some of our additional services, events, general
updates about the Club or other marketing materials (“Global Marketing Communications”).
You do not have to give your consent, and we will not contact you with Marketing
Communications unless you do so.
Type of Data: Marketing.
When Data is Processed: We may collect and process this data:
● If you give us your express permission to do so when you either apply for Membership,
and/or access our Services, or you ask us to update your marketing preferences.
● In the event that the Group, one of its entities, or substantially all of its assets are
acquired by a third party, Personal Data held by Us may be one of the transferred
assets.
Your Rights: You are entitled to qualify, vary or withdraw your consent in relation to
Marketing whenever you want to. You also have the right to ask us to erase such Personal
Data collected with your consent. In relation to Data obtained in this way, you also have the
right to data access and data portability.
Data we may process for a legitimate interest
Basis: We process specific data in order to protect the legitimate interests of our Company,
our employees, our Members, Guests, and Service users. Our legitimate interests include
securing our premises, counter-fraud measures and investigations, conducting and managing
our business, the maintenance of records, such as gaming, hospitality and financial details
obtained throughout the course of our relationship. Our Members, Guests, Service users and
employees, have a legitimate interest in feeling safe and secure whilst on our premises in
accordance with the Club Rules.
Type of Data: Member, Guest / Service User; Finance & Due Diligence; Gaming History;
Complaints & issues and AV Recordings.
When Data is Processed: This Data is used upon entry to one of our premises, as you
transact with us and throughout the casino premises and surrounding areas, specifically the
Club’s perimeter, to enable the effective monitoring and traceability of individuals.
Your Rights: Whilst you are entitled to object to some of this processing and correct
incorrect data, the only way you can exercise an objection to processing is by not entering
our Premises. Any Personal Data will be deleted after the expiry of the retention period,
provided it is not being actively used in any Legal and/or ongoing investigations.
Where your personal data may be stored
The information that you provide to us will be held in our systems, which are located on our
premises or those of an appointed third party. We are based in Estonia and your information will
be accessed and used here and elsewhere in the European Economic Area (EEA) where we
enable the provision of the contracted services.
While countries within the EEA all ensure a high standard of data protection law, some parts of
the world may not provide the same level of legal protection of your personal data. In each case,
your data may, for purposes described in this notice or otherwise approved by you, be
transferred to, processed by and stored by persons operating outside of the EEA and the third
party may require access to all or some of your data. For example:
● other Bombay Group trading companies based outside the EEA may need to use data in
accordance with this notice;
● our staff, suppliers or agents located outside of the EEA may need to access and
process personal data to fulfil requested and/or contracted services or provide other
support services;
● we may use cloud-based technology hosted outside of the EEA to host some of our
applications;
● we may use service providers based outside of the EEA to help us support some of our
information technology infrastructure and these service providers may need to access
your personal data in order to provide and support that infrastructure.
When we send personal data outside of the EEA we take steps to put in place appropriate
safeguards to protect the information from being accidentally lost, used or accessed in an
unauthorised way, altered or disclosed in accordance with applicable data protection laws. We
protect your personal data, for example, by:
● transferring to a jurisdiction which the European Commission recognises as providing
adequate protection for the rights and freedoms of data subjects in connection with the
processing of their personal data;
● where possible, putting in place standard contractual clauses (SCCs) in accordance
with European Commission decisions on transferring personal data.
● requiring all Bombay Group, subsidiaries, and sister companies to be subject to group
data protection policies, designed to protect data in accordance with EU data protection
law;
● ensuring access controls which limit access to your personal information to those
employees, agents, contractors and other third parties who have a business need to
know; and
● ensuring they will only process your personal information on our instructions, for the
reasons we specify.
We may also from time to time rely on one or more of the ‘derogations’ available in applicable
data protection laws, for example:
● The transfer is necessary for the establishment, exercise or defence of legal claims; or
● We have the individual’s explicit consent; or
● The transfer is necessary for the conclusion or performance of a contract in the interest
of the individual concerned, and we are party to that contract; or
● The transfer is necessary in order to perform a contract between us and the individual
concerned, or the implementation of pre-contractual measures taken at the individual’s
request.
We may also be compelled by law to disclose your personal data to a third party and will have
limited control over how it is protected by that party in such circumstances.
Access to your personal data
When you ask to see a copy of your personal data as permitted under data protection laws we
will supply you with all the personal data to which you are entitled, promptly and normally no
later than one month after the receipt of your data subject access request. In rare cases,
where the requests are complex or contain multiple requests, the period of compliance may
be extended by a further two months, but we will write to you and explain why any extension
is required within one month of your request.
We will want to ensure that we have properly identified anyone making a data subject access
request and may therefore ask to see additional identification.
Any access request is normally free, although in some cases we may charge a reasonable fee
based purely on our administrative costs when a request is clearly unfounded, is made
excessively, or is made repetitively.
You may also have the right to Data Portability which allows you to move, copy or transfer
personal data easily from one IT environment to another in a safe and secure way, without
affecting its usability. If you wish to exercise this right, we will transmit such data to you in a
machine-readable code where it is technically feasible to do so.
How long do we keep your personal data?
Generally, we comply with the retention periods specified above although there may be
exceptions, such as where there is an ongoing legal enquiry. Your personal data may also be
subject to increased internal restrictions on accessing. For example, personal data may be
removed from front office functions and only accessible by senior management with specific
reasons.
Who do we disclose your personal data to?
In accordance with this Privacy Policy and for specific purposes, we may share some of your
information with the following categories of third parties.
● any trading company within the Bombay Group, which includes the Bombay Club, and our
sister companies (“other companies with close affiliations to us, owned by the same ultimate
parent company”), and their respective subsidiaries and/or trading brands for the purposes set
out in this notice (for example, information and customer relationship management; software
and service compatibility and improvements; and to provide you with any information,
applications or services that you have requested);
● authorised representatives or agents acting on our behalf with respect to the promotion
of our services in particular territories;
● suppliers where necessary, in performance of services which you have contracted, with
or through us (which may include sharing data in order to perform and process
payments associated with performance of such services);
● information technology companies undertaking services for us in connection with
maintenance, support, development or enhancement of our websites or our other
information technology platforms and infrastructure;
● third parties that we may engage to perform market surveys/client feedback surveys,
subject to your selected preferences;
● third parties which we engage to securely host communication services (emails and
SMS) and act as suppliers to distribute our notifications and other marketing
communications on our behalf, both where you have requested information and where
we believe that information will be of interest to you;
● companies used to facilitate payment transactions arising from engagement of our
services;
● credit reference agencies for the purposes of supporting mechanisms which assist us
in safer gambling and affordability assessments;
● fraud prevention agencies;
● recruitment agencies or website recruitment platforms in the context of employment;
● law enforcement agencies, regulators or other applicable third parties, where
necessary to enable us to comply with our regulatory and legal obligations (including
statutory or regulatory reporting or the detection or prevention of unlawful acts), or
where necessary to assist them in the conduct of their investigations;
● authorised third parties engaged to support us in performing customer and enhanced
customer due diligence checks;
● our clients (if you are a supplier), in the course of performing any engagement for
services;
● relevant third parties in the context of actual or potential legal proceedings (for example
in response to a court order, enforcement of the terms of a contract and debt recovery);
● our own professional advisors and auditors for the purpose of seeking professional
advice or to meet our legal, regulatory and auditing responsibilities; and
● another organisation if we sell or buy (or negotiate to sell or buy) any of our companies,
business or assets.
We may compile statistics about the use of our websites including data on traffic, usage
patterns, user numbers, and other information. All such data will be anonymised and will not
include any data which can be used to identify you either by itself or when combined with other
data. We may share non-personally identifiable information about the use of our website,
applications, products or services publicly or with third parties, but this will not include
information that can be used to identify you.
Your Rights: You have the right to object to this and to correct any incorrect data. Please
note that access to our Services may be conditional on allowing us to share this personal data.
Changes to this policy
From time to time we will need to update, change or supplement this Policy, including by
altering the types of Personal Data that may be collected, processed or shared. If this
happens, we will update this Policy on our website and in our literature before such changes come
into effect. If you do not agree to these changes then you will have to inform us; by
continuing to access our Services, you consent to those changes.
Your rights
You have the following rights (“Data Rights”):
● The right to be informed: This privacy policy is intended to meet our obligation to
provide “fair processing information”.
● The right of access: You have the right at any time to ask to see a copy of the
personal data we hold about you.
● The right to withdraw consent: Where you have given your consent to our
processing you may withdraw this at any time.
● The right to rectification and data quality: If your personal data is incorrect or
incomplete then you may ask us to remedy that.
● The right to erasure including retention and disposal: You may ask us to delete or
remove your personal data where there is no compelling reason for its continued
processing but this may affect any services we provide to you which rely on that
personal data.
● The right to restrict processing: Where you have highlighted an issue with the data.
● The right to data portability: This allows you to request that your personal data be
shared with other processors at your request.
● The right to object: Where you have an objection to our processing you may do so.
You may also have the right to lodge a complaint with the Estonian Data Protection
Inspectorate if you believe we are in breach of our legal obligations under data protection
laws.
Contact us
If you wish to exercise any of your Data Rights, if you have any questions, complaints, or
comments regarding this Policy, please contact us:
● by email to: [email protected]
● Contact Us through the Bombay Club Website:
To further query your rights regarding your Personal Data, to lodge a complaint, raise a
concern about how your complaint has been handled and / or appeal against any decision
made following your complaint, in accordance with your rights, you may contact the Estonian
Data Protection Inspectorate.