logo pelican casino
logo pelican casino
EN PL DE DE LT LV
EN
EN PL DE DE LT LV
EN
EN PL DE DE LT LV
EN

Scope, regulatory context, and controller information

This Privacy Policy sets out how Pelican Casino processes personal data and applies personal data protection principles for visitors, account holders, and other users interacting with pelicanonlinecasino.com. The Pelican Casino Privacy policy is intended for a global audience and is drafted to reflect widely applicable privacy and data security expectations, including GDPR aligned principles where relevant to the circumstances of processing. This document applies to data processing carried out through the website, associated files, customer support channels, and operational systems used to provide gaming related services. The policy is written in a formal legal style and is not intended to replace mandatory notices that may be provided at the point of collection. Where local laws impose additional or conflicting requirements, those rules may apply to the extent required by the applicable jurisdiction.

The administrator responsible for determining the purposes and means of processing is the entity operating the website under the Pelican Casino brand. The administrator may act as controller, or as a joint controller with specifically identified partners, depending on the functional allocation of responsibilities. The controller maintains procedures designed to evidence lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality. Where the operation relies on processors, the administrator seeks contractual assurances and organisational measures appropriate to the assessed risk. Questions regarding this Privacy Policy and any data request procedures are addressed in the dedicated contact section of this document.

Definitions and interpretative provisions

For the purposes of this policy, personal data means any information relating to an identified or identifiable natural person, including identification data and online identifiers. Data processing means any operation performed on personal data, such as collection, recording, organisation, storage, alteration, retrieval, consultation, disclosure, or erasure. Users refers to individuals who access the website, create an account, participate in games, or communicate with customer support. Cookies are small text files placed on a device and used to enable basic functions, preferences, and certain analytics activities, subject to applicable consent requirements. Security refers to technical and organisational measures, including encryption and access controls, designed to protect confidentiality, integrity, and availability.

References to GDPR in this policy are used as a shorthand for globally recognised standards of lawful processing and rights based safeguards, and may apply directly where the administrator is subject to EU or UK data protection law. Where the term consent is used, it refers to a freely given, specific, informed, and unambiguous indication of wishes, recorded in a verifiable manner. Where legitimate interests are referenced, the balancing of interests is considered in light of the nature of services and reasonable expectations of users. Time periods described in this policy are measured in calendar days unless a different interpretation is expressly stated. Any examples are illustrative and do not expand the scope of processing beyond what is described.

Categories of personal data processed

The administrator processes registration data necessary to create and maintain an account, including name, date of birth, nationality where required, email address, and telephone number. Identification data may be processed to meet legal obligations, such as verifying identity and age, and may include government issued document details and visual likeness data where permitted. Login data is processed to secure access, such as account identifiers, authentication tokens, password hashes, and device related signals used to detect unauthorised access attempts. Financial data may be processed for deposits, withdrawals, chargeback management, and fraud prevention, including payment instrument details, transaction references, and limited billing information. Customer support communications and related records may be processed, including message content and metadata needed to evidence service actions.

Operational and technical data may be processed when users interact with the website, including IP address, time stamps, device type, operating system, browser configuration, and performance logs. Data generated through gameplay and responsible gaming controls may be processed, including session duration, game activity history, and risk indicators used to comply with legal and safety duties. Where permitted and proportionate, the administrator may process aggregated or pseudonymised data to improve stability and monitor service performance. Special categories of personal data are not intentionally requested for ordinary use of the services, and if such data is provided in support communications it may be handled with additional restrictions. The administrator aims to limit categories to what is relevant for the stated purposes and to align processing with data minimisation.

Methods and sources of collection

Personal data may be collected directly when an account is created, when registration data is updated, or when users submit identification data for verification. Operationally, the website collects certain technical information automatically through files, cookies, and similar mechanisms, to enable core functionality and to support data security controls. Payment related information may be collected through payment service providers, with the administrator receiving only the data necessary to reconcile transactions and manage account funding. Information may be collected through customer support interactions, including when a user reports an issue, requests account assistance, or contests a transaction. Where legally required, information may also be collected to carry out self exclusion or risk based checks associated with responsible gaming obligations.

The administrator may receive personal data from third parties such as identity verification providers, fraud prevention services, payment intermediaries, and compliance screening partners, subject to contractual and legal safeguards. Publicly available sources may be consulted only where necessary for legal compliance, dispute prevention, or to protect the integrity of services, and only to the extent permitted by applicable law. If data is obtained from a third party, the administrator endeavours to ensure that appropriate notice is provided and that the data is processed consistently with the described purposes. Automated collection mechanisms may be adjusted based on consent settings and browser level controls, recognising that some controls may not be available in all jurisdictions. The administrator does not knowingly collect personal data of individuals under 18 years of age, and age verification measures may be applied to enforce this restriction.

Regulatory compliance is a primary basis for data processing where the administrator must meet obligations related to anti money laundering, counter fraud, and age verification, as applicable. Performance of a contract is relied upon where processing is necessary to provide services requested through account creation and use, including maintaining account balances and executing deposits and withdrawals. Consent may be relied upon for certain cookies, preference settings, and where direct marketing is permitted and requires opt in under local rules. Legitimate interests may be relied upon for security monitoring, service improvement, and prevention of abuse, provided that such interests are not overridden by the rights and freedoms of users. Vital interests may be relevant in limited circumstances where processing is necessary to protect an individual from serious harm.

Contractual necessity and account administration

Where services are accessed through an account, processing of registration data and login data is generally necessary to authenticate sessions, prevent unauthorised access, and enable account level features. The administrator applies access controls and session management to reduce the risk of credential compromise, and may apply step up verification where anomalous patterns are detected. Failure to provide certain data may result in inability to complete account creation or to access functions that depend on verified information. In such circumstances, the administrator seeks to limit the impact to what is proportionate and necessary. Contractual processing is limited to the scope of service provision and related administrative actions.

Where laws require identity checks, sanctions screening, or transaction monitoring, identification data and financial data may be processed to comply with those mandates. Processing may include verification against third party databases, assessment of document validity, and record keeping for audit readiness. Compliance screening may involve risk scoring and flags that are reviewed through operational procedures, with attention to minimising false positives. The administrator retains evidence of compliance decisions for legally mandated periods and for the defence of legal claims. Where a jurisdiction provides specific notice requirements for such checks, supplemental notices may be used.

Purposes of processing and practical use cases

The administrator processes personal data to operate and maintain the website, including user authentication, account management, transaction execution, and delivery of requested services. The Pelican Casino Privacy policy describes processing undertaken for fraud prevention, chargeback handling, and the protection of platform integrity through monitoring of suspicious activity patterns. Data processing is also carried out to maintain accurate records, respond to inquiries, manage complaints, and provide customer support documentation. Technical data is processed to diagnose incidents, correct errors, and preserve availability, including through load balancing and performance monitoring. Certain processing supports responsible gaming measures, including the detection of potentially harmful usage patterns and the administration of exclusions where applicable.

The administrator may process personal data to meet governance and accountability requirements, including audit logging and internal controls. Where consent is provided, limited data may be used to deliver communications aligned with the selected preferences, subject to withdrawal rights and local e privacy rules. Data may be processed to enforce terms, to investigate misuse, and to prevent prohibited conduct, including multiple account abuse. When disputes arise, data may be processed to establish, exercise, or defend legal claims, including preservation of relevant records. Processing for analytics is designed to use aggregated outputs where feasible and to reduce unnecessary identification.

Retention and storage limitation

Personal data is retained only for as long as necessary to achieve the purposes described, taking into account legal obligations, limitation periods, and operational requirements. Account related records may be kept while the account remains active and for a defined period thereafter, such as 5 years, where legal compliance or dispute risk requires extended retention. Certain technical logs may be retained for shorter periods, such as 90 days, to support security investigations and incident analysis, unless a longer period is justified by an active investigation. Verification records may be retained to demonstrate compliance, and access is restricted to authorised personnel with a business need. Where local rules require longer retention, the administrator applies those periods to the extent applicable.

Retention triggers and deletion handling

Retention periods may be extended where necessary to establish, exercise, or defend legal claims, including where chargeback processes remain open beyond ordinary timelines. In routine cases, customer support records may be retained for 24 months to evidence service outcomes and to maintain consistent handling of recurring issues. Once retention periods expire, data is deleted, anonymised, or otherwise rendered inaccessible, subject to technical constraints and backup cycles. Backup copies may persist for a limited time, such as 30 days, and are protected by access restrictions and encryption where supported. Deletion requests are assessed against legal retention duties, and restricted processing may be applied where erasure cannot be completed immediately.

Disclosure to third parties and onward processing

Personal data may be disclosed to processors acting on behalf of the administrator for hosting, identity verification, payment processing, customer support tooling, security monitoring, and compliance services. Such disclosures are limited to the minimum data required for the contracted function and are governed by confidentiality, data processing, and security obligations. The administrator may disclose personal data to professional advisers, auditors, or insurers where necessary for governance, risk management, or legal advice. Where a business transfer occurs, personal data may be transferred as part of the transaction, subject to notice and appropriate safeguards consistent with applicable law. The Pelican Casino Privacy policy recognises that third parties may operate under their own legal duties, particularly payment institutions subject to financial regulation.

Data may be disclosed to competent authorities, courts, regulators, or law enforcement where required by applicable law, lawful request, or to protect rights and safety. In such cases, the administrator seeks to verify the validity and scope of the request and to disclose only what is legally required. Where permitted, the administrator may challenge overbroad requests and may seek protective orders or confidentiality protections. The administrator does not sell personal data as a standalone business activity, and data sharing is tied to the purposes described in this policy. Relationships with key providers are periodically reviewed in view of evolving risks and regulatory expectations.

Cross border transfers and global operations

Given the global audience, personal data may be processed in jurisdictions other than the one in which a user resides, including locations where service providers operate infrastructure. Cross border transfers are assessed to ensure that an adequate level of protection is maintained, using contractual measures and risk assessments consistent with applicable frameworks. Where GDPR applies, transfers may rely on adequacy decisions, standard contractual clauses, or other recognised transfer tools, supplemented by technical controls where necessary. The administrator seeks to ensure that access to personal data from outside relevant jurisdictions is limited and auditable. Where local laws restrict international transfers, the administrator applies those restrictions to the extent they are applicable.

Operationally, global processing can involve distributed hosting, support operations, and fraud prevention networks that operate across multiple regions. The administrator applies role based access and controls to ensure that personnel access is limited to the functional need and is subject to confidentiality obligations. Where processors engage sub processors, the administrator requires transparency and appropriate contractual safeguards. Transfer assessments are reviewed when material changes occur, such as onboarding a new provider or changing hosting locations. Any transfer related requests may be directed through the contact procedures described in this policy.

Information security and confidentiality controls

Operational explanation of security measures is provided to inform users and regulators of the approach taken to protect personal data and to maintain data security. The administrator uses administrative, technical, and physical safeguards proportionate to risk, including encryption in transit using TLS and encryption at rest where supported by the storage layer. Access is restricted through role based permissions, multifactor authentication for privileged accounts, and logging designed to support monitoring and investigation. Vulnerability management processes are applied, including patching cycles and periodic review of exposed services, with priority given to high risk issues. The administrator aims to maintain service availability and integrity, including controls to reduce denial of service impacts.

Incident response and accountability

Security incidents are assessed under documented procedures, including triage, containment, eradication, and recovery steps. Where a personal data breach is likely to result in a risk to rights and freedoms, notification obligations may apply, and the administrator evaluates reporting to authorities and affected individuals in accordance with applicable law. Internal access to personal data is logged and subject to review to support accountability and detect misuse. As a security benchmark, the administrator targets at least 99.5% availability for core services where feasible, while recognising that maintenance and unexpected events may affect uptime. Staff and contractors are subject to confidentiality requirements and receive guidance relevant to handling personal data in operational contexts.

Cookies, similar technologies, and device identifiers

The website uses cookies and similar technologies to enable essential functions, to manage sessions, and to support security features such as anomaly detection and abuse prevention. The casino Pelican platform may use cookies to remember preferences, to maintain login state, and to help protect accounts against unauthorised access. Certain cookies may be classified as strictly necessary for the requested service, while others may support analytics or preference management depending on configuration and jurisdictional requirements. Where consent is required, non essential cookies are placed only after a valid consent signal is recorded, and consent can be withdrawn through available settings. Browser controls can restrict cookies; however, restricting essential cookies may impair core features.

Cookie lifetimes vary, with session cookies expiring when the browser session ends and persistent cookies lasting up to 12 months unless deleted earlier. Server side logs associated with cookie identifiers may be retained for limited periods to support security investigations and performance troubleshooting. Where analytics tools are used, the administrator seeks to configure them to reduce collection and to prioritise aggregated reporting. The administrator does not attempt to use cookies to collect special categories of personal data, and any accidental capture is addressed through minimisation and deletion processes. The casino Pelican operational team reviews cookie usage periodically to ensure alignment with legal requirements and internal governance.

Rights of individuals and request handling

Rights based framing applies to the processing described in this policy, and individuals may have enforceable rights depending on their jurisdiction. These may include the right of access to personal data, the right to rectification of inaccurate data, the right to erasure in appropriate circumstances, and the right to restriction of processing. Individuals may also have the right to data portability where processing is based on consent or contract and is carried out by automated means, and the right to object where processing is based on legitimate interests. Where consent is the legal basis, withdrawal does not affect the lawfulness of processing carried out before withdrawal. The Pelican Casino Privacy policy recognises that some requests may be limited by legal obligations, including requirements to retain records for compliance.

Verification, response periods, and limitations

Requests are processed through an identification and verification step designed to prevent unauthorised disclosure, and the administrator may request additional information where necessary to confirm identity. The administrator aims to respond to valid requests within 30 days, and this period may be extended where the request is complex or numerous, consistent with applicable law. Where a request is refused or limited, reasons are recorded and, where required, information is provided on available complaint routes. The casino Pelican support function may be used as an intake channel, but substantive decisions are handled under compliance oversight to ensure consistent application of rights. Where automated decision making materially affects an individual, information about the logic and significance may be provided to the extent required and feasible.

Contact channels and data request procedures

Data protection inquiries are handled through designated contact routes made available on pelicanonlinecasino.com, and requests should be submitted with sufficient detail to enable retrieval, including account identifiers and the nature of the request. The administrator may require that requests be submitted from a verified channel associated with the account to reduce impersonation risk and to protect confidentiality. Where a representative is authorised to act on behalf of an individual, evidence of authorisation may be requested to ensure lawful disclosure. Communications are retained as part of compliance records for a defined period consistent with the retention section, and access to those records is restricted. The casino Pelican operation applies internal escalation rules for security related or regulatory sensitive requests.

Where a complaint relates to data processing, the administrator seeks to investigate promptly and to document the outcome. If an individual believes rights have been infringed, a complaint may also be made to a competent supervisory authority where such a right is available under the applicable framework. Contact procedures are designed to support structured handling, including timestamps, internal reference numbers, and audit trails. Requests involving financial data, identification data, or high risk changes may require additional checks and may take longer due to legal obligations. The administrator maintains documentation of request outcomes to demonstrate compliance with accountability principles.

Updates, governance, and Pelican Casino Privacy policy notice

The Pelican Casino Privacy policy may be amended to reflect changes in legal requirements, regulatory guidance, operational practices, or risk assessments, and the administrator maintains governance procedures to control such updates. Where material changes occur, notice may be provided through the website or account communications, and the effective date of the updated version will be indicated within the policy text. The administrator applies review intervals targeted at least every 12 months, while also conducting interim reviews when significant processing changes are introduced. The casino Pelican governance function documents amendments, including the rationale and the scope of changes, to support accountability and audit readiness. Continued use of services after the effective date may indicate acceptance where permitted, but mandatory consent requirements for specific processing activities remain subject to applicable laws.

The Pelican Casino Privacy policy confirms a commitment to lawful, fair, and transparent data processing, including principles aligned with GDPR where relevant to the global audience and the actual place of establishment or targeting. Where this policy is updated, the administrator will seek to preserve prior protections and will not reduce rights without a legally justified basis and appropriate notice. Any change affecting cookies or tracking technologies will be implemented in a manner consistent with consent obligations, and records of consent will be retained to evidence compliance. Data request procedures remain available following amendments, and requests received before an update are handled under the version applicable at the time of receipt unless the law requires otherwise. For clarity, the administrator maintains internal controls to ensure that security, encryption, and access governance remain effective as systems evolve, and this commitment is reviewed against measurable objectives and incident learnings.