Hoppa till innehåll
Privacy & GDPR

Privacy Policy

We process your personal data under GDPR and Swedish data protection law. Here we describe what we collect, from where, why, and what rights you have.

Effective date: July 2026

Data controller and contact

Casinostugan Ltd, 3rd Floor, Spinola Park, Triq Mikiel Ang Borg, SPK 1000 St Julian's, Malta, is the controller for the processing. Our data protection contact can be reached at dataskydd@casinostugan.co.

What data we process

  • Identity and contact details (name, personal ID number, address, email, phone).
  • Verification data and identity documents (KYC/AML).
  • Account, transaction and gaming activity.
  • Payment details (e.g. payment method, account reference, deposits and withdrawals).
  • Customer support communications (messages, email, chat).
  • Marketing preferences and consents.
  • Device and browser information (IP address, device ID, browser) and behaviour via cookies.
  • Geolocation where required to ensure play takes place from Sweden.

Sources of the data

We collect data:

  • directly from you when you register, play and contact us,
  • from BankID and other identity providers,
  • from payment services processing your deposits and withdrawals,
  • from KYC and fraud-prevention providers,
  • from game providers whose games you use,
  • from public registers where applicable.

Purposes and legal basis

PurposeLegal basis
Provide games and account (contract)Performance of a contract
Age/identity check, anti-money-launderingLegal obligation
Responsible gambling, duty of careLegal obligation / legitimate interest
Fraud prevention and securityLegitimate interest / legal obligation
Statistics and improvementLegitimate interest / consent
MarketingConsent

Automated decision-making

We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. Certain anti-money-laundering, fraud and responsible-gambling checks may, however, involve automated processing to flag cases for manual review.

Recipients and transfers outside the EU/EEA

We only share data where necessary for the purposes above. Categories of recipients:

  • payment processors,
  • KYC and identity providers,
  • game providers,
  • hosting providers,
  • analytics providers,
  • fraud detection providers,
  • legal advisers and auditors,
  • authorities when required by law (e.g. the Swedish Gambling Authority, the Tax Agency).

We primarily process data within the EU/EEA. For transfers outside the EU/EEA we ensure a lawful transfer mechanism — an adequacy decision or the European Commission's standard contractual clauses (SCC) with supplementary safeguards.

Retention periods

We keep data for as long as required for the purpose and thereafter as required by law. Guidelines:

  • Anti-money-laundering (AML): as a rule 5 years after the business relationship ends.
  • Accounting: 7 years under the Swedish Bookkeeping Act.
  • Disputes and legal claims: until the claim is time-barred or resolved.
  • Taxation: for as long as tax legislation requires.

When the retention period expires, the data is deleted or anonymised.

Marketing

Direct marketing (newsletters, email, SMS and push notifications) is only carried out with your consent. You can unsubscribe or object to marketing at any time — via the unsubscribe link in the message, in your account settings or by contacting us. Withdrawing consent does not affect processing already carried out on the basis of the consent.

Children's data

The Service is intended only for persons aged 18 or over. We do not knowingly collect personal data from persons under 18 years of age. If we discover that this has happened, we delete the data.

Your rights

You have the right to access, rectification, erasure, restriction, data portability and to object to certain processing. You can withdraw consent at any time. You also have the right to:

  • lodge a complaint with the supervisory authority, the Swedish Authority for Privacy Protection (IMY),
  • seek a judicial remedy before a court if your rights have been infringed.

Security and personal data breaches

We apply technical and organisational security measures, including encryption of data in transit and at rest, access control and authorisation, logging and monitoring, and backups. In the event of a personal data breach we report it to the Swedish Authority for Privacy Protection (IMY) within 72 hours where required, and inform you when appropriate.

Cookies

We use cookies in accordance with our Cookie Policy. Please see our Cookie Policy for details about each cookie, its purpose and retention period.

Legal references

  • The EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
  • The Swedish Data Protection Act (Act 2018:218 with supplementary provisions to the GDPR).

Contact and complaints

Contact our data protection contact at dataskydd@casinostugan.co. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), imy.se.