Privacy Policy

This Privacy Policy explains how personal information is collected, used, disclosed, and protected when you use the online gaming and betting services offered under the brand "Canplay Casino" at https://canplaybet-ca.com (referred to as "Canplay Casino", "we", "us", or "our"). It applies to players, registered account holders, and visitors who access or interact with our website, mobile interfaces, games, and related services.

By creating an account, placing bets, using our games, or otherwise interacting with our services, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy is effective and deemed current as of 1 January 2026, and supersedes any earlier versions published on our websites, including legacy URLs associated with Canplay Casino.

Who We Are

OBSERVE: Users must know who operates the site and how to contact the entity responsible for personal data. We therefore identify the operator, gaming license context, and data protection contact channels.

EXPAND: The Canplay Casino brand is operated on the Pala Interactive platform under a Kahnawake Gaming Commission licence. While some corporate details are managed at group level (Boyd Gaming Corporation), this Privacy Policy focuses on the operational entity responsible for canplaybet-ca.com and Canadian (non-Ontario) players.

REFLECT: We provide clear contact points for privacy inquiries even where certain corporate registration particulars are not publicly listed in the supplied data.

Operator of the Service
The online gaming services marketed as "Canplay Casino" and accessible at https://canplaybet-ca.com are operated using the platform of Pala Interactive under Interactive Gaming Licence No. 885 issued by the Kahnawake Gaming Commission to Abenakis of Wolinak / Pala Interactive in the Mohawk Territory of Kahnawà:ke, Quebec, Canada.

Certain corporate governance and financial oversight functions are provided at the level of Boyd Gaming Corporation, the parent company of Pala Interactive, but day-to-day operation of Canplay Casino is undertaken under the Kahnawake licence indicated above.

Registered / Legal Address
The exact legal mailing address and company registration number are not specified in the data provided. For all legal and privacy-related correspondence, you may contact us through the channels below. Where necessary, we will provide our full legal details in response to your formal request or in the course of resolving a complaint or regulatory inquiry.

Data Protection Contact
We have appointed a dedicated contact point for privacy and data protection matters ("Data Protection Officer" or "DPO" function):

• Email (primary privacy contact): [email protected]
• Support email (general inquiries): [email protected]
• General information email: [email protected]
• Press / media: [email protected] (not for data subject requests)

Telephone numbers and physical mailing addresses for privacy matters are not specified in the available data. Where a postal address is required by law or by a supervisory authority, it will be communicated directly to the requesting party.

What Personal Data We Collect

OBSERVE: Operating a real-money online casino requires identification, payment, technical, and behavioural data to meet regulatory, security, and service obligations.

EXPAND: We collect information you provide directly, information generated by your use of the services, data received from third parties (such as payment providers and verification services), and cookies or similar technologies.

REFLECT: The categories below are described in a way that helps you understand what is collected and why, while aligning with Canadian privacy expectations and industry standards.

Account and Identity Data

• Identification details: full name, date of birth, gender (where provided), place of residence, and nationality where needed for eligibility checks.
• Contact details: email address, telephone number(s), preferred language, and communication preferences.
• Verification data (KYC): government-issued ID (such as passport or driver's licence), proof of address (utility bill, bank statement), and, where necessary, additional documentation supporting source of funds or income.

Technical and Usage Data

• Device information: IP address, device type, operating system, browser type and version, screen resolution, and similar device identifiers.
• Log data: login timestamps, session durations, pages visited, referral URLs, clickstream data, and error logs.
• Geolocation data: non-precise location inferred from your IP address to determine eligibility (e.g., outside Ontario) and apply geo-restrictions.

Payment and Financial Data

• Transaction data: deposits, withdrawals, bet stakes, wins and losses, bonuses credited and used, payment method used, currency, and transaction history.
• Payment instrument details: limited card details or e-wallet identifiers, as allowed and required by payment partners. Full card numbers are typically processed and stored securely by payment processors rather than by Canplay Casino directly.
• Anti-fraud and AML data: risk scores, verification outcomes, sanctions and politically exposed person (PEP) screening results where applicable, and internal risk flags.

Behavioural and Gaming Data

• Gameplay data: game titles played, session length, bet sizes, outcomes, return-to-player (RTP) metrics at account level, and game preferences.
• Interaction data: clicks, navigation paths, engagement with promotions, and interactions with on-site messages or pop-ups.
• Responsible gambling data: self-exclusion status, deposit or loss limits, cool-off periods, and records of responsible gambling contacts and interventions.

Communications and Support Data

• Customer support interactions: emails, live chat transcripts, internal notes concerning your queries or complaints, and any attachments you choose to send.
• Marketing communications: records of consent to receive offers, newsletters, and notifications, as well as your unsubscribes and preferences.

Cookies and Similar Technologies

• Cookies: small text files stored on your device to support functionality, analytics, and advertising (see "Cookies & Tracking Technologies" section below).
• Tracking technologies: web beacons, pixels, tags, SDKs, and similar tools used to measure performance, prevent fraud, and personalise content and offers.

Legal Basis for Processing

OBSERVE: As a Canadian-facing operator under Kahnawake regulation, we align with Canadian privacy principles (such as those in PIPEDA) and, where relevant, comparable international standards (e.g., GDPR concepts of consent, contract, legitimate interests, and legal obligation).

EXPAND: Casino operations require us to process data for core service delivery, regulatory compliance, and risk management. Marketing and analytics rely on balancing our business needs with your privacy expectations.

REFLECT: The following legal grounds reflect how and why we process your information and help you understand when you may withdraw consent or object to certain uses.

Contractual Necessity

• To create, maintain, and manage your player account.
• To provide access to games, accept bets, settle wagers, and process deposits and withdrawals.
• To verify your identity and age where necessary to open or maintain your account.
• To communicate with you about your account, transactions, service changes, and security notices.

Compliance with Legal and Regulatory Obligations

• To comply with Kahnawake Gaming Commission requirements and any other competent regulatory or law enforcement authorities.
• To meet anti-money laundering (AML), counter-terrorist financing (CTF), fraud prevention, and "know your customer" (KYC) obligations, including ongoing monitoring.
• To maintain records for tax, accounting, dispute resolution, and reporting obligations applicable to our operations.

Legitimate Interests

• To protect the integrity and security of our platform, including:
  • monitoring for suspicious activity or cheating;
  • preventing unauthorised access, misuse, or cyberattacks; and
  • maintaining backups and logs for security and continuity.
• To analyse the performance of our games and services and improve user experience.
• To tailor certain content, offers, or recommendations based on your use of the service, within reasonable expectations.
• To establish, exercise, or defend legal claims and manage complaints or disputes.

Consent

• For sending you electronic marketing communications (such as promotional emails or SMS) where required by law or where you have opted in.
• For placing and accessing non-essential cookies and similar technologies on your device (particularly for advertising and some analytics activities).
• For certain optional data processing activities that are not strictly necessary for service provision or legal compliance, where such activities are presented to you with a clear choice.

You may withdraw your consent for marketing or non-essential cookies at any time as described in the sections "Your Rights" and "Cookies & Tracking Technologies" below. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

Purpose of Processing

OBSERVE: Users must understand how their data is used across the gaming lifecycle - from registration to account closure.

EXPAND: The purposes go beyond simple account management, encompassing compliance, risk management, service optimisation, and marketing.

REFLECT: By grouping purposes, we clarify which uses are essential and which are optional, supporting informed decisions and rights exercise.

Service Provision and Account Management

• To register you as a player and maintain your account with up-to-date information.
• To verify your identity, age, and eligibility to use our services (including geographical eligibility for Canadian provinces outside Ontario).
• To facilitate gameplay, process bets, compute results, and credit or debit your account balances.
• To process deposits, withdrawals, and bonus credits, and keep accurate transaction records.
• To provide customer support, respond to your inquiries, and handle technical issues.

Regulatory Compliance and Risk Management

• To comply with gaming regulations, AML/CTF obligations, and other applicable laws.
• To monitor for fraudulent behaviour, account misuse, and potential money laundering.
• To enforce our Terms and Conditions, bonus rules, and game rules.
• To support responsible gambling measures, including self-exclusion, limits, and intervention.

Service Improvement and Analytics

• To analyse aggregated or pseudonymised data about usage patterns, game performance, and site navigation.
• To optimise our site's speed, reliability, and usability.
• To develop new features, promotions, or game offerings aligned with user preferences.

Marketing and Personalisation

• To send you promotional communications about bonuses, tournaments, and special offers, where permitted by law and your preferences.
• To personalise certain on-site content and offers based on your previous activity.
• To manage loyalty programs and targeted incentives, where applicable.

Security, Disputes, and Legal Claims

• To monitor, detect, and prevent security incidents and maintain the integrity of our systems.
• To investigate and resolve disputes, chargebacks, or complaints.
• To establish, exercise, or defend legal claims and cooperate with regulators, law enforcement, or courts.

Disclosure & Sharing

OBSERVE: To deliver a regulated online gambling service, we must work with payment providers, platform partners, regulatory bodies, and specialised service vendors.

EXPAND: Data sharing is limited to what is necessary, subject to contractual protections, and often mandated by regulation (e.g., gaming oversight, anti-fraud).

REFLECT: We outline typical recipient categories and conditions under which personal data is shared, to enhance transparency and trust.

Service Providers and Processors

• Platform and hosting providers: companies providing the Pala Interactive platform, server hosting, cloud infrastructure, and maintenance services.
• Payment and banking partners: banks, card schemes, e-wallets, payment gateways, and other financial institutions processing your deposits and withdrawals.
• Verification and AML service providers: identity verification companies, sanctions and PEP screening providers, fraud prevention services, and credit and risk assessment tools where permitted.
• IT and security vendors: providers of cybersecurity solutions, monitoring tools, backup services, and incident response support.
• Analytics providers: third parties supplying analytics and performance measurement tools, often in pseudonymised or aggregated form.

Regulators and Authorities

• Kahnawake Gaming Commission: we may share account, transaction, and investigation data necessary to demonstrate compliance with our licence and applicable gaming regulations.
• Law enforcement and public authorities: where required by law or in response to valid legal requests (e.g., subpoenas, court orders, statutory reporting obligations).
• Tax and financial regulators: where applicable in connection with financial reporting and anti-money laundering requirements.

Group and Corporate Structure

• Parent and related companies: personal data may be shared within the Boyd Gaming Corporation group and entities associated with Pala Interactive, only as necessary for governance, compliance, risk management, or consolidated reporting, and always subject to appropriate safeguards.
• Business transfers: in the event of a merger, acquisition, reorganisation, or sale of assets related to Canplay Casino, personal data may be transferred to the acquiring or successor entity subject to continued protection consistent with this Privacy Policy.

Affiliates and Advertising Networks

• Marketing affiliates: limited information (for example, registration and conversion data) may be shared with affiliate partners in aggregate or pseudonymised form to measure campaign performance.
• Advertising and remarketing partners: we may share cookie and device identifiers with advertising networks for targeted advertising, only where you have consented to the use of such cookies or technologies.

Other Recipients

• Professional advisors: lawyers, auditors, and consultants who require access to personal data for legitimate business reasons and are subject to confidentiality obligations.
• Other players or third parties: ordinarily, we do not disclose your identity to other players. In exceptional cases (e.g., fraud investigations, chargeback disputes), limited data may be shared where strictly necessary.

We do not sell your personal data as a standalone asset for unrelated third-party marketing.

International Transfers

OBSERVE: Data may be processed in or accessed from jurisdictions outside your province or outside Canada, particularly in connection with hosting, support, and group-level services.

EXPAND: While our primary regulatory anchor is within the Mohawk Territory of Kahnawà:ke, some service providers (including platform, analytics, or security vendors) may be located in or operate from the United States or other countries.

REFLECT: We apply contractual and organisational safeguards to protect your data when transferred internationally, in line with Canadian privacy principles and recognised international frameworks.

Destinations of Transfers

• Canada: primary operational and regulatory environment, including Kahnawà:ke-based infrastructure and oversight.
• United States: for certain group-level functions under Boyd Gaming Corporation, some platform services, technical support, and analytics providers.
• Other countries: on a limited basis, where specialised vendors (e.g., cloud infrastructure, security, or verification services) host data or provide support from other jurisdictions.

Safeguards for International Transfers

• Transfers are limited to what is necessary to provide our services, fulfil our contractual obligations to you, or comply with law.
• We use contractual safeguards such as data protection agreements requiring service providers to:
  • process personal data only on our documented instructions;
  • implement appropriate technical and organisational security measures; and
  • not disclose your data to additional third parties without authorisation, unless required by law.
• Where our partners are subject to robust data protection laws or recognised frameworks in their own jurisdictions, we take such factors into account when selecting and assessing them.

By using our services, you understand that your personal data may be processed in countries that may have different data protection laws than those in your home jurisdiction. However, we will always protect your personal data in accordance with this Privacy Policy and applicable Canadian privacy principles.

Data Retention

OBSERVE: Gaming and AML regulations require retention of certain records for defined periods, even after an account is closed.

EXPAND: We balance legal retention obligations with the principle of retaining data only as long as necessary for the purposes described in this Privacy Policy.

REFLECT: The retention periods below are indicative and may be extended where required by law, regulation, or ongoing disputes, but we strive to minimise data kept beyond what is necessary.

General Retention Principles

• We retain personal data for as long as:
  • you maintain an active account with us; or
  • we require the data to fulfil the purposes described in this Privacy Policy; or
  • we are legally obliged to keep it (for example, under gaming or AML laws); or
  • it is necessary to resolve disputes, enforce our agreements, or defend legal claims.

Indicative Retention Periods

• Account and identification data: generally retained for up to 5 - 7 years after account closure, to comply with gaming and AML requirements and for dispute resolution.
• Transaction and financial records: retained for at least 5 - 7 years from the date of the relevant transaction, or longer if required by financial or tax regulations.
• Gameplay and behavioural data: retained for the duration of the account and for a period of up to 5 years thereafter, in pseudonymised or aggregated form where feasible for analytics and compliance reporting.
• Marketing data and preferences: retained until you withdraw consent or object to marketing, plus a short period (usually up to 2 years) to record and demonstrate that you have opted out.
• Customer support records: retained for up to 5 years after resolution of the query or complaint, or longer where necessary for ongoing disputes.

Deletion and Anonymisation

• When personal data is no longer required, we will securely delete or irreversibly anonymise it.
• In some cases, we may retain non-identifiable, aggregated information for statistical or analytical purposes without further notice to you.

Your Rights

OBSERVE: While our primary legal framework is Canadian, we recognise key principles found in modern privacy laws, including the GDPR. The brief in your request also referenced Mexican law; even though we do not target Mexican residents, we acknowledge comparable rights-based frameworks.

EXPAND: You have rights to access, correct, delete, restrict, or object to certain processing of your personal data, and to control marketing and cookies.

REFLECT: We describe practical procedures, timelines, and costs (if any) for exercising rights, and we commit to reasonable alignment with global best practices (e.g., 30-day response time), without creating rights beyond those recognised in our applicable law.

Right of Access

• You may request confirmation as to whether we process your personal data and obtain a copy of such data, together with relevant information about the processing.

Right to Rectification

• You may request correction of inaccurate or incomplete personal data. In many cases, you can update your details directly in your account profile.

Right to Erasure (Deletion)

• You may request deletion of your personal data where:
  • the data is no longer necessary for the purposes for which it was collected; or
  • you have withdrawn consent (where processing was based on consent) and we have no other legal basis; or
  • you have successfully objected to processing.
• We may not be able to delete data that we must retain under gaming, AML, financial, or other legal obligations. In such cases we will restrict processing to the extent possible.

Right to Restriction of Processing

• You may request that we restrict processing of your data (for example, while we verify its accuracy or consider an objection) so that we store it but do not otherwise use it.

Right to Object

• You may object at any time to:
  • processing of your personal data for direct marketing (we will stop such processing); and
  • processing based on our legitimate interests, where you believe such interests are overridden by your rights and freedoms. We will consider your objection and either cease processing or explain why we are permitted to continue.

Right to Data Portability

• Where technically feasible and where required under applicable law, you may request to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller.

Right to Withdraw Consent

• You may withdraw any consent you previously gave (for example, for marketing or non-essential cookies) at any time, without affecting the lawfulness of processing prior to withdrawal.

Procedures, Timelines, and Cost

• How to submit a request:
  • Contact our DPO function at [email protected], or
  • Contact our support team at [email protected] clearly indicating that your message concerns a data protection right.
• Verification: we may ask you for additional information or documentation to verify your identity before acting on your request.
• Response timeframe: we aim to respond to all valid requests within 30 days of receipt. If the request is complex or numerous, we may extend this period by an additional 30 days, informing you of the reasons for the delay.
• Fees: we will handle your request free of charge, unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.

These rights are interpreted and applied in light of applicable Canadian privacy principles and relevant regulatory guidance. References to GDPR or Mexican-style rights in this section are used to explain the nature of rights we recognise, not to indicate that EU or Mexican law directly governs our relationship with Canadian players.

Cookies & Tracking Technologies

OBSERVE: Cookies are used for technical functionality, security, analytics, and marketing.

EXPAND: We differentiate cookie types and purposes, and explain control options through browser settings and, where available, in-site tools.

REFLECT: Transparency around tracking enables informed choices and supports compliance with consent requirements for non-essential cookies.

Types of Cookies We Use

• Session cookies: temporary cookies that are erased when you close your browser. They are used to maintain your session, keep you logged in, and manage security tokens.
• Persistent cookies: remain on your device for a defined period or until you delete them. They remember your preferences, device, and choices to improve your experience.
• First-party cookies: set directly by canplaybet-ca.com for core functionality and analytics.
• Third-party cookies: set by external services, such as analytics, advertising networks, and social media platforms, where such services are integrated with our site.

Purposes of Cookies

• Strictly necessary / functional cookies: required for:
  • logging into your account and navigating secure areas;
  • processing transactions and maintaining your session state;
  • preventing fraud and securing the platform.
  These cookies cannot be disabled via our systems, but you may control them through your browser (which may affect site functionality).
• Analytics and performance cookies: used to understand how visitors use our site and games, measure performance, and improve user experience. Data is generally aggregated or pseudonymised.
• Advertising and targeting cookies: used by us or our partners to deliver relevant advertisements, limit the number of times you see an ad, and measure campaign effectiveness. These are only used where permitted by law and subject to your consent.

Managing Cookies

• Browser settings: you can usually configure your browser to:
  • block all cookies;
  • accept only certain types of cookies; or
  • delete cookies when you close your browser.
  For details, consult your browser's help or settings menus.
• In-site controls: where available, we may provide a cookie banner or preference centre on canplaybet-ca.com that allows you to manage non-essential cookies.

Disabling or blocking certain cookies may impact your ability to use some features of our site, including secure login and gameplay.

Data Security

OBSERVE: Online gaming involves sensitive personal and financial data and must be protected against unauthorised access, loss, or misuse.

EXPAND: We combine technical, organisational, and procedural safeguards consistent with industry best practices and recognised security standards.

REFLECT: While no system is absolutely secure, we design our security programme to reduce risk and respond promptly to potential incidents.

Technical Security Measures

• Encryption in transit: data transmitted between your browser and our servers is protected using TLS 1.2 or higher, as supported by modern browsers.
• Encryption at rest: sensitive data, including certain account and transaction details, is stored in encrypted form using industry-standard algorithms where appropriate.
• Access controls: data access is limited to authorised personnel and service providers based on the principle of least privilege.
• Multi-factor authentication (MFA): MFA and strong authentication mechanisms are used for sensitive internal systems and administrative interfaces, and may be offered or required for certain account operations where supported by the platform.
• Network and infrastructure security: firewalls, intrusion detection and prevention systems, and other security tools are used to monitor and protect our infrastructure.

Organisational and Procedural Measures

• Security policies and training: staff receive training on data protection, information security, and responsible handling of personal data.
• Access management: user accounts and permissions are regularly reviewed, and access is revoked when no longer necessary.
• Vendor due diligence: we assess service providers' security practices and require contractual safeguards as a condition of processing personal data on our behalf.

Audits, Standards, and Incident Response

• Security assessments: regular internal reviews and, where appropriate, independent audits or assessments are carried out on the platform and supporting systems.
• Standards: the platform providers we work with, such as Pala Interactive, utilise infrastructure and controls designed with reference to recognised security standards (for example, ISO 27001 and comparable frameworks). Where RNG and game fairness are tested by independent bodies such as eCOGRA and GLI, this supports our overall governance, though it is not a substitute for data security controls.
• Incident response: we maintain procedures to detect, investigate, and respond to potential data breaches or security incidents. Where required by law, we will notify relevant authorities and affected individuals without undue delay.

Complaints & Contacts

OBSERVE: Players need clear avenues to raise privacy concerns, and regulators expect accessible complaint mechanisms.

EXPAND: We describe internal complaint handling and external escalation options, including gaming regulators and privacy oversight bodies relevant to our operations.

REFLECT: Clear contact channels and timelines help ensure issues are resolved promptly and transparently.

Contacting Us About Privacy

• Primary privacy contact (DPO function): [email protected]
• Customer support: [email protected]
• General information: [email protected]

Online contact forms and telephone numbers are not specified in the current data. If such channels are introduced or updated, details will be made available on https://canplaybet-ca.com.

Internal Complaint Procedure

1. Submit your complaint: send a detailed description of your concern or complaint to [email protected], including:
   • your name and registered email address;
   • your account ID or username (if applicable);
   • a clear description of the issue and the right(s) you believe are impacted; and
   • any supporting documentation.
2. Acknowledgment: we will acknowledge receipt of your complaint, typically within 5 business days.
3. Investigation: your complaint will be reviewed by our compliance or privacy team, who may contact you for additional information.
4. Response: we aim to provide a substantive response within 30 days of receiving your complaint. If more time is required due to complexity, we will inform you of the delay and provide an updated timeframe.
5. Further steps: if you are not satisfied with our response, you may escalate your complaint to the relevant supervisory or regulatory authority as described below.

Regulatory and Supervisory Authorities

• Kahnawake Gaming Commission (Gaming Complaints):
  If your complaint relates to gaming conduct, fairness, or other regulatory matters under the Kahnawake Gaming Commission's remit, you may contact:
  • Online complaint form: https://gamingcommission.ca/complaints
  • General information on interactive gaming: https://gamingcommission.ca/interactive-gaming
• Privacy oversight (Canada):
  For privacy-specific concerns, you may contact the federal privacy regulator:
  • Office of the Privacy Commissioner of Canada (OPC)
    Website: https://www.priv.gc.ca
    Complaint information: available via the OPC website.

Where other regional or national privacy authorities may be competent (for example, provincial privacy commissioners in Canada), you may seek their guidance according to your place of residence. The brief for this policy referenced Mexican and EU authorities; however, as we target Canadian players outside Ontario, such authorities will typically not be the primary point of escalation for our services.

Updates

OBSERVE: Our services, legal obligations, and technologies may evolve, requiring updates to this Privacy Policy.

EXPAND: We commit to transparent communication of material changes, including advance notice where feasible, and we give you options if you do not agree with new terms.

REFLECT: Clear versioning and effective dates support accountability and inform your continued use of the service.

How We Will Inform You

• Website publication: the latest version of this Privacy Policy will always be available at https://canplaybet-ca.com and may also reference legacy URLs such as https://canplaycasino.com/privacy-policy for historical purposes.
• Email notifications: for material changes, we may notify you by email using the address registered on your account.
• On-site notices: banner messages, pop-ups, or dashboard alerts may be displayed when you log in after a change has been implemented.

Advance Notice for Significant Changes

• Where we make material changes that significantly affect how we process your personal data or your rights, and where feasible, we will provide at least 30 days' advance notice before the changes take effect.
• If you do not agree to the updated Privacy Policy, you may:
  • stop using our services and request closure of your account; and
  • exercise your data protection rights as described in the "Your Rights" section.

Version Control

• Last updated: January 2026
• Previous versions: earlier policies applicable to Canplay Casino, including those accessible via https://canplaycasino.com/privacy-policy, are superseded by this version for services provided at canplaybet-ca.com.
• Changelog (material changes):
  • Clarified operator structure (Abenakis of Wolinak / Pala Interactive under Licence No. 885, Kahnawake Gaming Commission).
  • Expanded explanation of data categories, AML/CTF-compliance processing, and security measures.
  • Added detailed rights, complaint procedures, and reference to Canadian privacy oversight (OPC).
  • Aligned retention and international transfer descriptions with current operational practices through 2026.