Mon–Fri · 09:00–18:00 CET · hello@lottoluckaustralia.com +34 91 432 7820
Last updated · 2026-05-20 · version 1.0

Privacy Policy

We process personal data because we have to — to run a regulated platform, to verify identities, to pay out winnings, and to keep the leagues clean. This page explains every piece of that, in plain English. The Spanish original is the binding version where local law requires it.

1. Who we are

Lottoluck S.L., a Spanish limited liability company (Sociedad Limitada) registered with the Registro Mercantil de Madrid under CIF B-87234561, VAT number ESB87234561, registered office at Calle de Velázquez 86, 4º planta, 28006 Madrid, Spain. We are the data controller for the personal data described in this policy.

Our Data Protection Officer can be reached at privacy@lottoluckaustralia.com or by post at the registered office above, marked "DPO — Privacy".

2. What data we collect

We collect only data that we actually need to run the service. There is no opportunistic collection.

  • Account data — name, email, password hash, date of birth, country of residence, language preference.
  • Identity data — government ID or passport scan, recent proof of address (collected only for the first cash entry).
  • Wallet and payment data — wallet balance, deposit and withdrawal records, payment method tokens (we never store full card numbers).
  • Gameplay data — leagues joined, lineups, scores, prize-pool winnings, dispute records.
  • Technical data — IP address, device type, browser fingerprint (for fraud detection only), session timestamps.
  • Support data — messages you send to support, chat transcripts, email correspondence with our team.

3. Purposes and legal basis

Under Article 6 of the GDPR, we rely on the following legal bases:

  • Performance of contract — to operate your account, host leagues, settle prize pools, process withdrawals.
  • Legal obligation — KYC and AML checks, tax reporting, retention of financial records, mandatory player welfare reporting under Spanish gaming law.
  • Legitimate interest — fraud detection, platform security, dispute investigation, integrity-of-result audits. Our balancing test is available on request to privacy@.
  • Consent — optional marketing emails, optional analytics cookies. Always opt-in, never bundled with sign-up.

4. Identity verification (KYC)

Before your first cash entry, we collect a national ID or passport scan and a recent proof of address. This is processed by our KYC partner Onfido B.V., an EU-incorporated provider that operates under the GDPR and the EU AML Directive. The scan is encrypted in transit and at rest, retained only for the legally mandated period (currently 5 years from account closure under Spanish AML law), then destroyed.

We do not run any biometric processing beyond the document liveness check used by Onfido. You have a right to a human review of an automated KYC decision; contact privacy@ to invoke it.

5. Payments and wallet

Wallet deposits and withdrawals are processed by Stripe Payments Europe Ltd., an EU-licensed Payment Service Provider. Stripe handles your card or bank credentials directly; we never see and never store the full card number. We retain only a tokenised reference, the amount, and the timestamp.

The wallet balance itself is held with a Spanish credit institution in a segregated client-money account, protected under the Fondo de Garantía de Depósitos de Entidades de Crédito up to the statutory limit. The balance is not a deposit and does not earn interest.

6. Cookies and tracking

We use a minimum set of cookies. The detailed table — what each cookie does, its retention, and how to opt out — lives on the cookies page. In short: essential cookies are always on (they keep your session alive); analytics cookies require your opt-in; we use no third-party advertising cookies of any kind.

7. Sharing with processors

We share personal data only with the following categories of processors, each bound by a written Data Processing Agreement under Article 28 GDPR:

  • Cloud infrastructure — Hetzner Online GmbH (Germany), our primary hosting partner.
  • KYC and identity verification — Onfido B.V. (Netherlands).
  • Payments — Stripe Payments Europe Ltd. (Ireland).
  • Transactional email — Postmark (Wildbit, USA — under SCCs plus supplementary measures).
  • Customer support tooling — Help Scout (USA — under SCCs).
  • Analytics — Plausible Analytics (Estonia), cookieless by default.

We never share personal data with sportsbooks, odds providers, affiliate networks, or data brokers. The full list of sub-processors is published at /legal/sub-processors and updated within 30 days of any change.

8. International data transfers

Personal data is processed in the European Union by default. Two processors (Postmark and Help Scout) operate from the United States; transfers to those processors are governed by Standard Contractual Clauses with supplementary technical measures (transport encryption, at-rest encryption, key custody in the EU).

We perform a transfer impact assessment every 12 months and document the result. You can request a redacted copy from privacy@.

9. How long we keep your data

Retention is the shortest period that satisfies our legal obligations and our legitimate interests:

  • Account data — for as long as the account is active, plus 12 months.
  • KYC documents — 5 years from account closure (Spanish AML statutory minimum).
  • Financial records — 8 years from the relevant tax year (Spanish accounting statutory minimum).
  • Support correspondence — 24 months from the last message.
  • Marketing consent records — 36 months after withdrawal of consent.
  • Server logs — 14 days, except for security-relevant events retained 12 months.

10. Your rights under GDPR

You have the right to:

  • Access the personal data we hold about you (Article 15);
  • Have inaccurate data corrected (Article 16);
  • Have data erased in the circumstances allowed (Article 17);
  • Restrict processing in the circumstances allowed (Article 18);
  • Receive your data in a portable format (Article 20);
  • Object to processing based on legitimate interest (Article 21);
  • Withdraw consent at any time for processing based on consent;
  • Lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD).

To exercise any of these rights, write to privacy@lottoluckaustralia.com. We respond within 30 days, usually within 5 working days.

11. Marketing communications

We send marketing email only with explicit opt-in at registration or later. We never send marketing via SMS or push. You can withdraw consent from one-click unsubscribe in every email, from the profile settings, or by writing to privacy@.

Players in cool-down, self-exclusion, or welfare review automatically receive no marketing of any kind, regardless of consent state. Marketing resumes only on their explicit request.

12. Security measures

We apply the security measures appropriate to the sensitivity of the data we hold. The main ones:

  • TLS 1.2 or higher for all data in transit;
  • AES-256 encryption at rest for personal data and KYC documents;
  • Passwords hashed with bcrypt (cost 12) and a per-user salt;
  • Two-factor authentication available for every account, mandatory for staff;
  • Role-based access for staff, with quarterly access reviews;
  • Independent penetration test every 12 months, remediation tracked publicly in our security changelog;
  • Breach notification within 72 hours to AEPD and within the same window to affected players, per Article 33 / 34 GDPR.

13. Children and minors

The service is not directed at children. We require date of birth at registration; accounts of users under 18 are blocked and personal data is deleted on confirmation, except where Spanish law requires retention of the registration record itself.

If you believe a minor has registered an account, write to privacy@ and we will investigate and delete promptly.

14. Profile of an active player

We build a minimal behavioural profile for each active player. It is used for two purposes only: detection of suspicious or fraudulent activity, and the welfare-review trigger described on the responsible-play page. The profile is not used for marketing personalisation, not used to set prices, and not shared externally.

The profile includes: aggregate deposit pattern (daily / weekly / monthly), aggregate entry frequency, average lineup score, and the self-imposed limit history. You can request a full export of your profile under Article 15.

15. Updates and how to reach us

We review this policy every 12 months and update it when our processing changes. Material updates are emailed to every registered player at least 30 days before they take effect. Minor clarifications (typo, formatting) are made without notice but tracked in the public changelog at /legal/changelog.

Questions about this policy: privacy@lottoluckaustralia.com. Postal address: Lottoluck S.L., Calle de Velázquez 86, 4º planta, 28006 Madrid, Spain, marked "DPO — Privacy".