Privacy Policy

This Privacy Policy explains how Level Up, operated via the website https://levelup-aussie.com (the "Website"), collects, uses, discloses, and protects your personal information. It applies to all Website visitors and users, including players who register, deposit, or otherwise interact with Level Up services. By accessing or using the Website, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy is effective as of 1 January 2026 and remains in force until replaced or updated in accordance with the "Updates" section below.

Who We Are

OBSERVE: The operator, corporate structure, and contact details must be clearly identified for transparency and accountability.

EXPAND: We integrate all available company and contact data, including operational subsidiaries, while clarifying which entity is responsible for data processing.

REFLECT: The following information sets out the legal identity of the controller and how you can contact us regarding privacy matters.

The Website levelup-aussie.com (referred to as "Level Up", "we", "us", or "our") is operated by:

Operator (Data Controller): Dama N.V., a public limited company incorporated under the laws of Curaçao
Registration number: 152125
Registered / legal address: Scharlooweg 39, Willemstad, Curaçao
Primary gambling licence: Antillephone N.V. licence no. 8048/JAZ2020-013 (Curaçao)

For certain payment processing activities, we may act together with or through our subsidiary:

Payments processing subsidiary: Strukin Ltd, a limited company established in Cyprus (exact address not specified)
Role: Processing fiat payment transactions and related financial operations on our behalf

Data Protection Contact

Data Protection Contact / DPO function: Data Protection Team, Level Up
E-mail (primary): [email protected]
E-mail (general information): [email protected]
Website: https://levelup-aussie.com

If you have any questions or requests regarding this Privacy Policy or your personal data, you should primarily contact us at [email protected].

What Personal Data We Collect

OBSERVE: Online casino operations require multiple categories of data to provide services, comply with law, and ensure integrity.

EXPAND: We classify data into personal, technical, transactional, behavioural, and tracking categories to clarify scope and legal implications.

REFLECT: The list below explains what data we collect and typical examples for each category.

1. Identification and Contact Data

Account registration data: Full name, username, password (stored in hashed form), date of birth, country of residence.
Contact details: E-mail address, phone number (if provided), postal address (if requested for verification or payments).
Verification / KYC data: Copies or details of identity documents (e.g., passport, ID card, driving licence), proof of address (utility bill, bank statement), and any other information you provide to verify your identity or source of funds.

2. Technical and Usage Data

Log and device data: IP address, device identifiers, operating system, browser type and version, language settings, time zone, and approximate location derived from IP (e.g., country).
Usage information: Dates and times of access, pages visited, clicks and navigation paths, session duration, and interaction with site features.
Security logs: Login attempts, password reset requests, changes to security settings, and similar events.

3. Payment and Financial Data

Transaction data: Deposit and withdrawal amounts, currency, payment method, transaction timestamps, transaction identifiers, and payment status.
Limited payment instrument data: Depending on the method, partially masked card numbers, card type, and issuing country; wallet identifiers; bank account details where required for withdrawals.
Payment provider data: Information received from or shared with payment processors and banks when verifying and executing transactions, including risk and fraud flags.

4. Behavioural and Gaming Data

Gameplay and betting history: Games played, stakes, wins and losses, bonuses used, frequency and duration of play, session history.
Account activity: Changes to profile details, bonus opt-ins, self-exclusion actions, limit-setting behaviour, communications with support.
Marketing and preference data: Newsletter subscriptions, communication preferences, response to promotional offers, and participation in loyalty or VIP programs.

5. Cookies and Similar Technologies

Cookies: Small text files stored on your device that contain identifiers and other information described in the "Cookies & Tracking Technologies" section.
Similar technologies: Local storage, pixel tags, and tracking scripts used for security, fraud detection, analytics, and advertising (where permitted).

6. Communication Data

Support communications: Content of e-mails or messages sent to [email protected] or via any on-site chat or contact form (if offered), including attachments and metadata.
Complaint and dispute data: Correspondence relating to complaints, responsible gambling requests, or disputes, including any evidence you provide.

Legal Basis for Processing

OBSERVE: We must link each processing activity to a recognised legal basis under applicable data protection principles (including GDPR-aligned standards) and sector regulation.

EXPAND: Although Level Up targets Australian users as an offshore operator, we follow GDPR-style principles and comparable international standards, while acknowledging local gambling regulation such as the Interactive Gambling Act 2001 (Cth) in Australia for compliance context.

REFLECT: The main legal grounds we rely on are contract, legal obligation, legitimate interests, and consent.

1. Contract Performance and Pre-Contractual Steps

Purpose: To register and manage your player account, provide access to games, process deposits and withdrawals, and deliver customer support.
Scope: We process identification, contact, transaction, and behavioural data as necessary to execute the Terms and Conditions that you accept when signing up.
Justification: Without this data, we cannot open or maintain your account or provide casino services.

2. Compliance with Legal and Regulatory Obligations

Purpose: To comply with anti-money laundering (AML), counter-terrorism financing, fraud prevention, taxation, accounting, and responsible gambling obligations applicable in our operating jurisdictions (primarily Curaçao) and to respond to lawful requests from competent authorities.
Scope: Identity verification, transaction monitoring, record-keeping, reporting, sanctions screening, and responsible gambling measures.
Justification: We are legally required to perform KYC/AML checks and maintain certain records for minimum periods.

3. Legitimate Interests

Security and fraud prevention: Monitoring logins, device fingerprints, and transaction patterns to detect and prevent fraud, abuse, bonus misuse, and unauthorised access.
Service improvement and analytics: Analysing aggregated usage and behavioural data to improve site performance, game offerings, and user experience.
Enforcement of our rights: Protecting our legal claims, defending against disputes, and ensuring compliance with our Terms and Conditions.
Balancing test: We have assessed that our legitimate interests are not overridden by your privacy rights, especially where processing is expected and limited to what is necessary.

4. Consent

Marketing communications: Sending you promotional e-mails, SMS, or push notifications about Level Up offers, bonuses, and news, where you have actively opted in or where such communication is otherwise permitted.
Cookies and advertising technologies: Using certain analytics or advertising cookies and similar tools (especially third-party) that are not strictly necessary for site operation.
Withdrawal: You can withdraw your consent at any time (see "Your Rights" and "Cookies & Tracking Technologies"). Withdrawal does not affect processing that occurred before withdrawal.

Purpose of Processing

OBSERVE: Data must not be used in an incompatible way with the purposes for which it was collected.

EXPAND: We align each major processing purpose with concrete examples relevant to an online casino operating offshore while targeting Australian players.

REFLECT: The main purposes for which we use your personal data are set out below.

Provision of casino services: To create and maintain your account, enable you to play games, process deposits, wagers, and withdrawals, manage bonuses, and provide multilingual customer support.
Account administration: To communicate account-related information (e.g., changes to Terms, policy updates, game interruptions, security alerts), manage verification requests, and record your preferences.
Regulatory compliance and risk management: To conduct KYC and AML checks, monitor transactions, enforce age restrictions, manage responsible gambling measures, and comply with record-keeping and reporting obligations.
Fraud detection and security: To detect and deter fraudulent behaviour, multiple account abuse, chargebacks, bonus misuse, and unauthorised access, and to protect system integrity.
Service optimisation and analytics: To analyse website performance, identify technical issues, measure campaign effectiveness, optimise user flows, and improve our games portfolio and features.
Marketing and personalisation: To send you promotional content (where permitted), tailor offers based on your playing behaviour, and run loyalty/VIP programs subject to your preferences and applicable law.
Dispute resolution and legal defence: To investigate complaints, respond to claims, manage chargebacks, and defend or establish legal rights in case of disputes with players, partners, or authorities.

Disclosure & Sharing

OBSERVE: Providing casino services relies on a network of third-party providers and authorities; data sharing must be controlled and transparent.

EXPAND: We describe categories of recipients, conditions of disclosure, and safeguards to demonstrate compliance with international privacy standards.

REFLECT: We share your data only when necessary, based on legal grounds described above, and subject to appropriate protection measures.

1. Group Companies and Operators

Operator and subsidiary: Dama N.V. and its payments processing subsidiary Strukin Ltd may access and process your data for operational, payment, and compliance purposes.

2. Payment and Financial Service Providers

Payment processors and banks: To process deposits, withdrawals, and refunds; verify payment instruments; and comply with AML and fraud-prevention requirements.
Card schemes and wallet providers: To facilitate secure card or wallet transactions and risk scoring.

3. Technical and Security Service Providers

Hosting and IT providers: Data centres, cloud infrastructure, and content delivery networks that host our systems and data.
Security and anti-fraud tools: Providers offering device fingerprinting, risk scoring, or anti-bot solutions.
Analytics providers: Tools that help us understand how our site is used and improve performance (subject to cookie settings).

4. Gaming and Content Providers

Game studios and platform providers: To provide you with games and to validate gameplay results, betting history, and fairness. For instance, some games may be provided by studios such as BGaming, whose RNGs are independently tested (e.g., by iTech Labs) but which do not act as data controllers for your account.

5. Professional Advisors and Business Partners

Legal, financial, and compliance advisors: To obtain professional advice, conduct audits, and ensure regulatory and financial compliance.
Affiliates and marketing partners: To track referrals and measure performance of affiliate marketing, and, where you consent, to support targeted advertising.

6. Authorities and Regulators

Regulatory bodies: Licensing and supervisory authorities in Curaçao or other relevant jurisdictions that may require access to certain records.
Law enforcement and public bodies: When required by applicable law, lawful request, court order, or to protect our or others' rights, safety, or property.

7. Corporate Transactions

Mergers and acquisitions: In connection with any proposed or actual merger, sale of assets, restructuring, or acquisition involving Dama N.V., your data may be shared with and transferred to relevant third parties, subject to confidentiality and continuity of protection.

We do not sell your personal data for monetary consideration. Any sharing for advertising or analytics occurs under strict contracts and, where required, your consent.

International Transfers

OBSERVE: Data collected from users, including those in Australia, may be processed in multiple jurisdictions.

EXPAND: We identify key data flows and safeguards commonly recognised in international privacy practice, even where specific regional transfer mechanisms (such as EU SCCs) apply mainly to EEA-related data.

REFLECT: We implement contractual and technical measures to ensure an adequate level of protection regardless of location.

Primary processing locations: Your data is processed in Curaçao (where Dama N.V. is established) and in other countries where our technical, payment, and support providers operate, which may include member states of the European Union, the United Kingdom, Cyprus, and other jurisdictions.
Australian context: Level Up operates as an offshore online casino targeting Australian players without a local Australian gambling licence. Data may therefore be transferred from Australia to countries with different data protection regimes.
Contractual safeguards: Where required by applicable law (e.g., for transfers from the EEA or the UK), we use Standard Contractual Clauses or comparable data transfer agreements, combined with technical and organisational measures such as encryption and access controls.
Need-to-know access: Access to your data by foreign recipients is limited to what is strictly necessary for the purposes described in this Policy and is governed by confidentiality obligations.

Data Retention

OBSERVE: Different categories of data require different retention periods driven by legal, operational, and security needs.

EXPAND: We balance AML/record-keeping obligations with data minimisation principles and provide indicative retention periods.

REFLECT: We keep personal data no longer than necessary for the purposes described, subject to statutory retention requirements and legitimate interests.

Player account data (core profile): Retained for the life of your account and generally for up to 5 - 7 years after account closure, to comply with AML, accounting, and dispute-handling obligations.
KYC and verification records: Retained for at least 5 years from the date of the last transaction or account closure, or longer if required by applicable AML or regulatory rules.
Transaction and financial records: Retained for 5 - 7 years to meet accounting, tax, and AML obligations and to manage chargebacks and disputes.
Gameplay and behavioural data: Retained while your account is active and then typically for up to 5 years after closure, in line with dispute limitation periods and regulatory expectations.
Marketing and consent records: Retained while you remain subscribed and for a limited period (usually up to 2 years) after you opt out, to evidence compliance with your preferences.
Technical logs and security data: Retained for 6 - 24 months depending on the nature of the logs and security needs, unless longer retention is necessary for investigation of incidents or legal proceedings.

Deletion and anonymisation criteria:

When retention periods expire and no longer justified by legal obligations or ongoing disputes, data is securely deleted or irreversibly anonymised.
If you request deletion and no overriding legal ground exists to retain your data, we will erase or pseudonymise it in line with applicable law.

Your Rights

OBSERVE: Users should have clear, practical rights regarding their personal information, based on internationally recognised standards similar to the GDPR and, where relevant, Mexican data protection principles (e.g., ARCO rights: access, rectification, cancellation, opposition).

EXPAND: Although Level Up is primarily focused on Australian players and operates under Curaçao law, we voluntarily align our practices with these standards where technically and legally feasible.

REFLECT: The rights below describe what you can generally expect from us, subject to limitations imposed by AML, gambling, and other regulatory obligations.

1. Right of Access

You can request confirmation of whether we process your personal data and, if so, receive a copy of such data and additional information about our processing.

2. Right to Rectification (Correction)

You can request that inaccurate or incomplete personal data be corrected or updated. In many cases you can update data directly in your account profile, but critical KYC data may require supporting documentation and manual review.

3. Right to Erasure (Deletion / Cancellation)

You may request deletion of your personal data where:
- the data is no longer necessary for the purposes for which it was collected;
- you withdraw consent and there is no other legal basis for processing; or
- the data has been unlawfully processed or must be deleted to comply with a legal obligation.
We may not be able to delete data that we must retain to meet AML, gambling, or record-keeping laws, or to establish, exercise, or defend legal claims.

4. Right to Restriction of Processing

You can request that we restrict processing of your data, for example while we verify its accuracy or assess an objection.
During restriction, we will store your data but generally not use it except for legal claims, protecting third parties, or with your consent.

5. Right to Object

You may object, on grounds relating to your particular situation, to processing based on our legitimate interests, including profiling related to such interests.
You always have the right to object to processing of your data for direct marketing purposes, including profiling to the extent it is related to such marketing.

6. Right to Data Portability

Where technically feasible and where processing is based on consent or contract and carried out by automated means, you can request to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where possible.

7. Right to Withdraw Consent

If processing is based on your consent (e.g., marketing communications or non-essential cookies), you may withdraw that consent at any time using the tools provided (such as unsubscribe links, account settings, or contacting support).
Withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.

8. Rights under Mexican Data Protection Regulations

Where Mexican data protection laws apply, you may have ARCO rights (access, rectification, cancellation, and opposition) similar to the rights listed above. We will handle such requests in line with those principles to the extent compatible with our regulatory obligations and technical capacity.

Procedures, Timeframes, and Cost

How to exercise your rights: Send a clear request to [email protected], stating:
- your full name and registered e-mail address;
- the specific right(s) you wish to exercise; and
- any relevant details to help us locate your data.
Verification: We may ask for additional information to verify your identity (e.g., login verification or confirmation via registered e-mail) before responding.
Response time: We aim to respond to all valid requests within 30 days of receipt. If your request is complex or we receive multiple requests from you, we may extend this period by a further 30 days, and we will inform you of any such extension.
Fees: Requests are generally handled free of charge. We may charge a reasonable fee or refuse to act when a request is manifestly unfounded, excessive, or repetitive, as permitted by applicable law.

Cookies & Tracking Technologies

OBSERVE: Cookies and related technologies are essential for secure operation, analytics, and (where permitted) advertising.

EXPAND: We distinguish cookie types and purposes, and explain management options suitable for Australian and international users.

REFLECT: You should understand how cookies affect your experience and how to control them.

Types of Cookies We Use

Session cookies: Temporary cookies that exist only during your browsing session and are deleted when you close your browser. They are used to maintain your login state and secure navigation.
Persistent cookies: Remain on your device for a specified period or until you delete them. They help remember your preferences (e.g., language, cookie choices) and improve user experience.
First-party cookies: Set by levelup-aussie.com to support core functionality, security, and basic analytics.
Third-party cookies: Set by external providers (e.g., analytics, anti-fraud, or advertising partners) to help us measure performance, secure the platform, and, where allowed, offer personalised content.

Purposes of Cookies

Strictly necessary / functional: Required for the Website to function, including maintaining sessions, security protections, and access to restricted areas. These cannot be disabled via our systems.
Performance / analytics: Help us understand how visitors use the Website, which pages are popular, and how users navigate, so we can improve layout and performance.
Advertising and marketing (where used): Support measurement of campaign effectiveness and, if authorised, delivery of relevant promotional content. These may involve third-party partners and tracking across sites.

Managing Cookies

Browser settings: Most browsers allow you to block or delete cookies via their settings. Doing so may impact certain features and overall site performance.
On-site tools: Where available, you may manage cookie preferences via our on-site cookie banner or settings to opt in or out of non-essential cookies.
Third-party opt-outs: Some third-party providers offer their own opt-out mechanisms, which you may use in addition to our tools.

Data Security

OBSERVE: Online gambling involves sensitive financial and identity information; strong security controls are critical.

EXPAND: We employ layered technical and organisational measures consistent with recognised industry standards (such as ISO 27001 or SOC 2 principles, where applicable) even if we are not formally certified to all such frameworks.

REFLECT: Our goal is to reduce security risks to an acceptable level, while acknowledging that no system is fully immune to threats.

Technical Measures

Encryption in transit: Data exchanged between your browser and our servers is protected using TLS 1.2+ (or higher) to mitigate interception and tampering.
Encryption at rest: Sensitive data fields are stored using strong encryption or hashing algorithms and are segregated where appropriate.
Access controls: Access to production systems and personal data is restricted based on roles and least-privilege principles, with authentication and authorisation controls.
Network and application security: Firewalls, intrusion detection/prevention systems, and security hardening practices help protect against unauthorised access and common web threats.

Organisational Measures

Staff training: Personnel with access to personal data receive training on confidentiality, data protection, and security best practices.
Policies and procedures: We maintain internal policies on data handling, access, incident management, and retention.
Vendor due diligence: We assess key service providers for their security posture and require appropriate contractual commitments on data protection.

Monitoring and Incident Response

Monitoring: Systems and logs are monitored for signs of unusual activity or potential security incidents.
Incident response: We maintain procedures for identifying, investigating, and mitigating security incidents. Where required by applicable law, we will notify relevant authorities and affected users of data breaches without undue delay.

Despite these measures, no website or Internet transmission is entirely secure. You are responsible for keeping your login credentials confidential and for using appropriate security measures on your own devices.

Complaints & Contacts

OBSERVE: Users must have clear channels to raise concerns or complaints and clear escalation routes to supervisory authorities, including those recognised in EU and Mexican contexts, where applicable.

EXPAND: We describe internal and external complaint options, timelines, and key contact details.

REFLECT: This framework ensures transparency and accountability in how privacy concerns are handled.

How to Contact Us

Primary e-mail for privacy and support: [email protected]
General information e-mail: [email protected]
Postal address (operator headquarters): Dama N.V., Scharlooweg 39, Willemstad, Curaçao

Internal Complaint Procedure

Submission: Send your complaint or query to [email protected], clearly describing the issue, the impact on you, and the outcome you seek.
Acknowledgment: We aim to acknowledge receipt of your complaint within 5 business days.
Investigation: We will investigate the matter, which may include reviewing logs, consulting relevant departments, and contacting you for further information.
Resolution: We aim to provide a substantive response within 30 days of receiving your complaint. For complex issues, we may extend this period and will inform you of the extension and reasons.

Escalation to Supervisory Authorities

If you believe that we have not adequately resolved your concern or have infringed your data protection rights, you may have the right to lodge a complaint with a competent data protection authority:

Mexican Data Protection Authority (INAI): Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI). Website: https://home.inai.org.mx (Spanish).
EU / EEA authorities (where applicable): If EU data protection law applies to your situation, you may contact the supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. A list of authorities is available via the European Data Protection Board: https://edpb.europa.eu/about-edpb/board/members_en.

Nothing in this Policy limits your right to seek judicial remedy or lodge a complaint with any other competent authority in your country of residence, where such rights exist.

Updates

OBSERVE: Privacy practices evolve due to regulatory changes, technological developments, and business needs.

EXPAND: We specify how we will inform users about changes, maintain version control, and respect users' choices in light of material updates.

REFLECT: Transparent update procedures support ongoing trust and compliance.

Policy Changes and Version Control

This Privacy Policy may be updated from time to time to reflect changes in our practices, technologies, legal obligations, or other factors.
Each version of the Privacy Policy will be identified by an effective date and, where relevant, a version number.
Last updated: January 2026.

Notification of Material Changes

Advance notice: For material changes that significantly affect how we process your personal data (e.g., new processing purposes or categories of recipients), we will provide advance notice, typically at least 30 days before the changes take effect, unless immediate implementation is required by law or security needs.
Notification channels: We may inform you by:
- e-mail to the address associated with your account;
- prominent notice or banner on the Website; and/or
- alerts within your account dashboard.

User Options in Case of Changes

If you do not agree with the updated Privacy Policy, you may choose to:
- adjust your privacy or marketing preferences where available; and/or
- close your account and request deletion or restriction of your data, subject to our legal obligations to retain certain information (e.g., AML and accounting records).
By continuing to use levelup-aussie.com after changes take effect, you acknowledge the updated Privacy Policy, to the extent permitted by applicable law.