GDPR Statement
Last updated: 14 Sep 2025
1. Controller / Processor Roles
For casino operator data you upload, you are the Data Controller and we act as Data Processor. For limited account metadata and platform security telemetry we act as independent Controller.
2. Lawful Bases
We rely on contract performance, legitimate interests in operating a secure service, and legal obligation (AML / tax) where applicable. Marketing communications are strictly consent-based.
3. Data Subject Rights
Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent: requests are actioned within 30 days (or a legally permitted extension) via privacy@custosadvisory.club.
4. Sub‑processors
We maintain a list of sub‑processors (hosting, email, analytics, identity) and require GDPR-compliant Data Processing Agreements with each.
5. International Transfers
Transfers outside the U.K./EEA use adequacy decisions or SCCs plus encryption, access minimisation, and continuous monitoring.
6. Security Measures
Network segmentation, encryption in transit/at rest, vulnerability scanning, penetration testing, MFA, principle of least privilege, tamper-evident audit logs, disaster recovery tested quarterly.
7. Breach Notification
We notify affected customers without undue delay (target <24h initial notice) upon a confirmed personal data breach, providing scope, impact, and remediation steps.
8. Data Retention & Deletion
Upon termination or written request we delete or return personal data (except where retention is mandated) following secure wipe controls.
9. DPIAs & Assistance
We provide necessary information to support Data Protection Impact Assessments and regulator inquiries relating to platform processing.
10. Contact
Data Protection queries: privacy@custosadvisory.club.