📋 Table of Contents
- Who We Are and How to Contact Us
- What Personal Data We Collect
- How We Collect Your Data
- Legal Bases for Processing
- How We Use Your Data
- Data Sharing and Third-Party Processors
- International Data Transfers
- Data Retention Periods
- Your Rights Under GDPR
- Cookies and Tracking Technologies
- Marketing Communications
- Children and Age Verification
- Data Security Measures
- Automated Decision-Making and Profiling
- Changes to This Policy
1. Who We Are and How to Contact Us
YourFreeLottos B.V. ("YourFreeLottos", "we", "us", "our") is the data controller responsible for your personal data collected through yourfreelottos.nl and all associated services.
Registered Office: Herengracht 182, 1016 BR Amsterdam, The Netherlands
Privacy enquiries: privacy@yourfreelottos.nl
Data Protection Officer: dpo@yourfreelottos.nl
Response time: We respond to all privacy requests within 30 days as required by GDPR Article 12.
If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
2. What Personal Data We Collect
We collect the following categories of personal data:
Account Data
- Full name (first and last name)
- Username (publicly displayed on leaderboards)
- Email address
- Date of birth (for age verification — users must be 18+)
- Country of residence
- Hashed and salted password (we never store passwords in plain text)
Financial Data (Premium Subscribers & Prize Recipients Only)
- Bank account number (IBAN) for prize payments via SEPA bank transfer
- PayPal email address (if PayPal payment method is chosen)
- Billing address (for invoicing premium subscriptions)
- Payment card details are processed by our PCI-DSS certified payment processor (Stripe); we do not store full card numbers
Usage Data
- IP address and approximate geographic location (city level)
- Device type, operating system, and browser
- Pages visited, time on site, and navigation paths
- Contest entries, lineup selections, and points history
- Login timestamps and session duration
Communication Data
- Messages sent to our support team via email or contact form
- Survey responses (where you voluntarily participate)
3. How We Collect Your Data
We collect personal data through the following means:
- Account registration: Data you provide when creating your free account.
- Profile updates: Data you provide when updating your account settings.
- Contest participation: Lineup selections and contest entry data generated through your use of the platform.
- Payment processing: Financial data provided when subscribing to Premium or Elite plans, or when claiming prizes above the minimum payout threshold.
- Cookies and tracking: Technical and analytics data collected automatically through cookies and similar technologies. See Section 10 and our Cookie Policy.
- Third-party authentication: If you register or log in via Google or Facebook, we receive your name and email address from those providers under their respective privacy policies.
- Customer support interactions: Data you provide when contacting our support team.
4. Legal Bases for Processing
Under GDPR Article 6, we process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide our platform services, manage your account, process contest entries, and pay prizes.
- Legal obligation (Art. 6(1)(c)): Processing required to comply with Dutch law, tax regulations, anti-money laundering rules, and KSA compliance requirements.
- Legitimate interests (Art. 6(1)(f)): Fraud prevention, platform security, analytics to improve our service, and anti-abuse measures.
- Consent (Art. 6(1)(a)): Marketing emails, non-essential cookies, and optional personalisation features. You may withdraw consent at any time.
5. How We Use Your Data
Your personal data is used exclusively for the following purposes:
- Creating and managing your player account
- Processing your contest entries and calculating fantasy points
- Displaying your username and score on leaderboards (username only — no other personal data is publicly visible)
- Paying out prizes to winners via bank transfer or PayPal
- Processing premium subscription payments and issuing invoices
- Sending transactional emails (account confirmation, password reset, contest results, prize payment notifications)
- Sending marketing emails if you have given consent (opt-out available at any time)
- Verifying your age (18+ requirement) in compliance with Dutch gaming and consumer protection law
- Detecting and preventing fraud, cheating, and abuse of the platform
- Analysing platform usage to improve features and user experience
- Complying with legal and regulatory obligations
- Responding to customer support requests
6. Data Sharing and Third-Party Processors
We do not sell your personal data. We may share data with the following categories of trusted processors who are bound by GDPR-compliant data processing agreements:
- Stripe B.V. (payment processing): For premium subscription billing. Stripe is PCI-DSS Level 1 certified.
- Amazon Web Services EMEA SARL (hosting): Our platform infrastructure is hosted on AWS EU-West (Ireland and Frankfurt) data centres.
- Postmark / SparkPost (transactional email): For sending account and contest notifications.
- Google Analytics 4 (anonymised web analytics): We use IP anonymisation. Data is processed under a GDPR-compliant Data Processing Addendum.
- Sports data providers: We share anonymised contest ID data (not personal data) with our ATP/WTA official data partner for score verification purposes.
- Legal authorities: We may disclose data to Dutch law enforcement or regulatory bodies (including the Autoriteit Persoonsgegevens) where legally compelled to do so.
7. International Data Transfers
All primary data storage occurs within the European Economic Area (EEA). Where any sub-processors are located outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions under GDPR Article 45 where applicable
- Binding corporate rules where applicable
You may request details of the specific safeguards in place for any transfer by contacting privacy@yourfreelottos.nl.
8. Data Retention Periods
We retain personal data only as long as necessary for the stated purpose:
- Active account data: Retained for the duration of your account plus 2 years after your last login.
- Financial / prize payment data: Retained for 7 years to comply with Dutch tax law (Wet op de omzetbelasting).
- Contest and scoring history: Retained for 3 years for platform integrity and dispute resolution purposes.
- Marketing consent records: Retained for 3 years from the date of consent or last engagement, whichever is later.
- Support communications: Retained for 2 years from the date of resolution.
- Server logs (IP addresses): Retained for a maximum of 90 days and then automatically deleted.
- Age verification data: Retained for the life of the account as required by Dutch gaming compliance obligations.
9. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@yourfreelottos.nl:
- Right of access (Art. 15): Request a copy of all personal data we hold about you (data subject access request).
- Right to rectification (Art. 16): Request correction of any inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data where it is no longer necessary, subject to legal retention obligations.
- Right to restriction of processing (Art. 18): Request that we limit how we use your data while a dispute is being resolved.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON or CSV) for transfer to another service.
- Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time via your account settings or by contacting us.
- Right to lodge a complaint: Complain to the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) if you believe your rights have been infringed.
10. Cookies and Tracking Technologies
We use cookies and similar technologies on our platform. For full details of every cookie category, specific cookies deployed, and your management options, please read our dedicated Cookie Policy.
In summary, we use: essential cookies (always active), functional cookies (session memory), analytics cookies (with consent), and marketing cookies (with consent). You can manage your cookie preferences at any time via the cookie banner or your browser settings.
11. Marketing Communications
We send marketing emails only to users who have explicitly opted in during registration or via their account settings. Every marketing email contains a clear, one-click unsubscribe link. Opt-out requests are processed within 2 business days.
Opting out of marketing communications does not affect transactional emails such as contest results, password resets, or prize payment notifications, which are sent on the legal basis of contract performance.
12. Children and Age Verification
YourFreeLottos is strictly for users aged 18 and over. We collect date of birth at registration and implement automated age-gate checks. If we discover that an account has been created by a person under 18, we will immediately:
- Suspend and delete the account
- Void any prizes won
- Delete all personal data associated with the underage account within 72 hours
- Notify the email address on file of the account closure
We do not knowingly collect personal data from persons under 18 years of age. If you believe a minor has registered, please contact us immediately at privacy@yourfreelottos.nl.
13. Data Security Measures
We implement industry-standard technical and organisational security measures, including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- bcrypt password hashing with per-user salt (passwords are never stored in plain text)
- Multi-factor authentication (MFA) available for all user accounts
- Regular penetration testing by an independent cybersecurity firm
- Role-based access control — staff can only access data necessary for their role
- Automated intrusion detection and 24/7 security monitoring
- ISO 27001-aligned information security management practices
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and affected users without undue delay, as required by GDPR Articles 33 and 34.
14. Automated Decision-Making and Profiling
Fantasy points are calculated automatically by our scoring engine based on published formulas. This does not constitute profiling under GDPR Article 22 as it does not produce legal effects or similarly significant effects on users — it is the core mechanics of a skill-based game with published, transparent rules. You may contest any points calculation by contacting our support team with specific match references.
We do not use automated decision-making to restrict or terminate accounts without human review, except in cases of clear, automated fraud or bot detection, which are subject to a manual review process within 48 hours.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Displaying a prominent notice on our platform for 30 days following the change
- Sending an email notification to all registered users
- Updating the "Last Updated" date at the top of this page
Your continued use of YourFreeLottos after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree with the revised policy, you may close your account by contacting privacy@yourfreelottos.nl.
Questions about your privacy? Contact our Data Protection Officer at dpo@yourfreelottos.nl — we respond within 3 business days.