Owner and Proprietor

Bombay Group OÜ, registration number 16132057, with its registered address at Rataskaevu tn 5, 10123 Tallinn, Harju maakond, Kesklinna linnaosa, Estonia (the “Group”), is a company incorporated in Estonia.

Where activities constitute the organisation or provision of gambling services, such activities are operated by Bombay Club and Resorts OÜ, registration number 14045680, with its registered address at Rataskaevu tn 5, 10123 Tallinn, Estonia, the licensed gambling operator.

Bombay Club & Resorts OÜ is licensed in Estonia and regulated by the Estonian Tax and Customs Board, and provides games under a perpetual operating licence for organising games of chance pursuant to Activity Licence No. HKT000031 and Operating Permit No. HKL000404.

For the purposes of applicable data protection laws, the terms “we,” “our,” “Group” or “us” refer collectively to Bombay Group OÜ, Bombay Club & Resorts OÜ, and, where applicable, other entities within the same corporate group, including sister companies owned by the same ultimate parent company, and their respective subsidiaries and/or trading brands.

This specifically includes, but is not limited to:

  • YOLO.com
  • YoloWallet.com
  • YoloClub.com
  • YoloPoker.com

These entities may act as joint controllers or processors of your personal data, depending on the context, and may process information for the provision of services, compliance with legal and regulatory obligations, customer relationship management, product development, software and service compatibility, and related business purposes.

We value our guests (“you”) and your privacy, ensuring the highest standards to protect your personal data.

Compliance with Data Protection Laws

We process personal data in accordance with applicable personal data protection laws, including the Regulation of the European Parliament and the Council (EU) 2016/679 (“GDPR”) and the Personal Data Protection Act of Estonia.

Bombay Group OÜ respects your right to privacy and ensures that you can exercise your rights. Further details on how to do so are provided below.

Please note that we may update this Privacy Policy from time to time, and we will notify you of any changes. The latest version will always be available on our website.

Terms and definitions

Data Subject: Identified or identifiable natural person whose data is processed.

Personal Data: Any information concerning an identified or identifiable natural person (“data subject”). An identifiable natural person is someone who can be identified, directly or indirectly, using attributes such as name, personal identification code, location information, network identifier, or physical, physiological, genetic, mental, economic, cultural, or social characteristics.

Processing of Personal Data: Any automated or non-automated operation or set of operations performed on personal data, including collection, documentation, organisation, structuring, storage, modification, querying, reading, use, transfer, distribution, joining or combining, restriction, deletion, or destruction.

Profiling: Any automated processing of personal data to evaluate certain personal aspects of an individual, particularly regarding performance, financial status, health, personal preferences, interests, reliability, behaviour, location, or movements.

Controller: A natural or legal person, public entity, agency, or body that determines the purposes and means of processing personal data.

Processor: A natural or legal person, public entity, agency, or body processing personal data on behalf of the controller.

Special Categories of Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as processing genetic data, biometric data for unique identification, health data, or data concerning an individual’s sex life or sexual orientation.

Third Party: A natural or legal person, public entity, agency, or body, other than the data subject, controller, processor, or those authorised to process personal data under the direct responsibility of the controller or processor.

Consent: A voluntary, specific, informed, and unambiguous statement by which a data subject agrees to the processing of their personal data.

Cookies

Our website utilises cookies, which are small data files exchanged between your computer’s browser and our web server. Some cookies are essential for the website’s functionality and cannot be opted out of, while others can be controlled by you. You may change your cookie preferences at any time. Further details can be found in our Cookie Policy

Categories of Personal Data

The following table sets out the categories of personal data we process across the Group (including our gaming and lifestyle/wellness brands), the types of data included, the purposes of processing, and standard retention periods.

Note: Health-related data is collected only where necessary and is limited to the provision of lifestyle, wellness, and hospitality services (such as spa treatments or guest services). It is not routinely processed in relation to gaming or financial services.

Category Data Included Purpose of Processing Retention Period
A

Membership, Guest & Service User Records

 Name, Date of Birth, Identity Documentation (including images), Gender, Nationality, Citizenship, Ethnicity, Biometric Data, Address, Email Contact, Telephone Contact, Names and Dates of Birth of accompanying spouse or minors, Visits, Interactions with us (in-person, digital, social media, email, and telephone communications). Provision of services; identity verification; KYC and AML compliance; customer relationship management; account administration; service improvement; legal and regulatory compliance. 7 years
B

Health & Guest Services

 Health-related information (e.g., Pregnancy, High Blood Pressure, Heart Conditions, Skin Allergies/Conditions, Recent Surgery within 6 months, Other Health Concerns relevant to services). Provision of safe and appropriate wellness, hospitality, or guest services; duty of care obligations; consent-based service provision. (Only applicable to lifestyle and wellness services; not collected for gaming activities.) 7 years
C

Finance & Due Diligence

 Name, Date of Birth, Identity Documentation (including images), Gender, Nationality, Ethnicity, Biometric Data, Address, Winnings, Invoices, Applications, Financial Transaction History, Bank Account Details, Bank Card Details, Payment Service Details, Source of Wealth/Funds, Wealth Profiles, 3rd Party Wealth Referencing Data, 3rd Party Adverse Media Data, Records of Civil/Criminal Proceedings, Regulatory or Government Data, Complaints/Disputes, Lifestyle and Social Circumstances, Occupation, Employment and Education History, Family and/or Political Connections. Compliance with AML/CTF laws and regulations; financial administration; due diligence; fraud prevention; tax and audit obligations; contractual performance. 7 years
D

Gaming & Service Activity

 Gaming visits and interactions, Gaming Transactions, Payment Transactions, Gaming Behaviour, Service Preferences, Complaints and Disputes. Provision of gaming and entertainment services; responsible gaming monitoring; fraud prevention; AML/CTF compliance; dispute resolution; service and product development. 7 years
E

Marketing & Preferences

 Personal data, contact details, service and gaming preferences, customer profiles, promotional engagement, loyalty programme data. Marketing and promotional communications (where legally permitted and/or consented to); customer profiling; loyalty and rewards programme administration; product and service optimisation. 7 years
F

Complaints & Issues

 Complaints, disputes, supporting evidence, records of unlawful activities, regulatory investigation records, customer service case files. Customer support and dispute resolution; legal claims and defence; compliance with regulatory and contractual obligations; prevention and detection of unlawful activities. 7 years
G

Audio-Visual Recordings

 Audio recordings within operational and guest service areas; CCTV recordings of gaming tables, premises, and entry points; Facial Recognition (where deployed); Incident Management Records. Security and safety of premises and guests; fraud prevention; responsible gaming monitoring; dispute resolution; incident management; regulatory compliance. 7 years

Data we may process under our contract with you

Basis:When you become a member or use our services, you enter into a contractual relationship with us. This contract may include, depending on the service you choose, our Club Rules, Premises/Website/Product Terms & Conditions. To fulfil this contract, we must process certain Personal Data about you. This includes data needed to deliver the services, maintain accurate accounts and records, provide customer support, manage our staff, and carry out essential administrative functions

Data Categories: A, B, C, D, E, F, and G

We may process source of revenue and source of wealth in order to carry out risk reduction assessments and to provide you with additional account services, applied for when accessing our Services.  

When Data is Processed: We may collect and process this data:

  • When you apply for and or use our services, our facilities, or when you update your personal details or ID documents with us; and
  • When we verify your identity and personal details, or when we conduct customer due and enhanced diligence checks (including checks with 3rd parties); and
  • When you contact us, request services, report a problem, or wish to make a complaint.

Your Rights: You have the right to ask us to erase such Personal Data collected pursuant to our contract with you, and we will delete any such Data (other than data we are required to retain in accordance our Legal Obligations). In relation to this Data, you also have the right to data access and data portability.

Data we may process for a legitimate interest

Basis: We process specific data in order to protect the legitimate interests of our Company, our employees, our members, guests, and service users. Our legitimate interests include securing our premises, counter-fraud measures and investigations, conducting and managing our business, the maintenance of records, such as gaming, hospitality and financial details obtained throughout the course of our relationship. Our members, guests, service users and employees, have a legitimate interest in feeling safe and secure whilst on our premises in accordance with any applicable rules and or terms & conditions..

Data Categories: A, B, C, D, E, F, and G

When Data is Processed: This data may be used upon entry to one of our premises, accessing our services, as you transact with us and throughout our premises, our surrounding areas, specifically at licensed premise perimeters, to enable the effective monitoring and traceability of individuals. 

Your Rights: Whilst you are entitled to object to some of this processing and correct, incorrect data, the only way you can exercise an objection to processing is by not entering our Premises or accessing our services. Any personal data will be deleted after the expiry of the retention period, provided it is not being actively used in any legal and/or ongoing investigations.

Where your personal data may be stored

The information that you provide to us will be held in our systems, which are located on our premises or those of an appointed third party. We are based in Estonia and your information will be accessed and used here and elsewhere in the European Economic Area (EEA) where we enable the provision of the contracted services.

While countries within the EEA all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection of your personal data. In each case, your data may, for purposes described in this notice or otherwise approved by you, be transferred to, processed by and stored by persons operating outside of the EEA and the third party may require access to all or some of your data. For example:

  • other Group trading companies based outside the EEA may need to use data in accordance with this notice;
  • our staff, suppliers or agents located outside of the EEA may need to access and process personal data to fulfil requested and or contracted services or provide other support services;
  • we may use cloud-based technology hosted outside of the EEA to host some of our applications;
  • we may use service providers based outside of the EEA to help us support some of our information technology infrastructure and these service providers may need to access your personal data in order to provide and support that infrastructure.

When we send personal data outside of the EEA we take steps to put in place appropriate safeguards to protect the information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed in accordance with applicable data protection laws. We protect your personal data, for example, by:

  • transferring to a jurisdiction which the European Commission recognises as providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data;
  • where possible, putting in place standard contractual clauses (SCC`s) in accordance with European Commission decisions on transferring personal data.
  • requiring all Group, subsidiaries, and sister companies to be subject to group data protection policies, designed to protect data in accordance with EU data protection law;
  • ensuring access controls which limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know; and
  • ensuring they will only process your personal information on our instructions, for the reasons we specify.

We may also from time to time rely on one or more of the ‘derogations’ available in applicable data protection laws, for example:

  • The transfer is necessary for the establishment, exercise or defence of legal claims; or
  • We have the individual’s explicit consent; or
  • The transfer is necessary for the conclusion or performance of a contract in the interest of the individual concerned, and we are party to that contract; or
  • The transfer is necessary in order to perform a contract between us and the individual concerned, or the implementation of pre-contractual measures taken at the individual’s request.

We may also be compelled by law to disclose your personal data to a third party and will have limited control over how it is protected by that party in such circumstances.

Access to your personal data

When you ask to see a copy of your personal data as permitted under data protection laws we will supply you with all the personal data to which you are entitled, promptly and normally no later than one month after the receipt of your data subject access request. In rare cases, where the requests are complex or contain multiple requests, the period of compliance may be extended by a further two months, but we will write to you and explain why any extension is required within one month of your request.

We will want to ensure that we have properly identified anyone making a data subject access request and may therefore ask to see additional identification.

Any access request is normally free, although in some cases we may charge a reasonable fee based purely on our administrative costs when a request is clearly unfounded, is made excessively, or is made repetitively

You may also have the right to Data Portability which allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. If you wish to exercise this right, we will transmit such data to you in a machine-readable code where it is technically feasible to do so.

How long do we keep your personal data?

Generally, we comply with the retention periods specified above although there may be exceptions, such as where there is an ongoing legal enquiry.  Your personal data may also be subject to increased internal restrictions on accessing.  For example, personal data may be removed from front office functions and only accessible by senior management with specific reasons.

Who do we disclose your personal data to?

In accordance with this Privacy Policy and for specific purposes, we may share some of your information with the following categories of third parties.

any trading company within the Group, and our sister companies (“other companies with close affiliations to us, owned by the same ultimate parent company”), and their respective subsidiaries and or trading brands for the purposes set out in this notice (for example, information and customer relationship management; software and service compatibility and improvements; and to provide you with any information, applications or services that you have requested);

  • authorised representatives or agents acting on our behalf with respect to the promotion of our services in particular territories;
  • suppliers where necessary, in performance of services which you have contracted, with or through us (which may include sharing data in order to perform and process payments associated with performance of such services);
  • AI-based service providers engaged to support client management, customer support, and operational efficiency, where such systems process personal data strictly under our instructions and subject to appropriate technical standards and safeguards;
  • information technology companies undertaking services for us in connection with maintenance, support, development or enhancement of our websites or our other information technology platforms and infrastructure;
  • third parties that we may engage to perform market surveys/client feedback surveys, subject to your selected preferences;
  • third parties which we engage to securely host communication services (emails and SMS) and act as suppliers to distribute our notifications and other marketing communications on our behalf, both where you have requested information and where we believe that information will be of interest to you;
  • companies used to facilitate payment transactions arising from engagement of our services;
  • credit reference agencies for the purposes of supporting mechanisms which assist us in safer gambling and affordability assessments;
  • fraud prevention agencies;
  • recruitment agencies or website recruitment platforms in the context employment;
  • law enforcement agencies, regulators or other applicable third parties, where necessary to enable us to comply with our regulatory and legal obligations (including statutory or regulatory reporting or the detection or prevention of unlawful acts ), or where necessary to assist them in the conduct of their investigations;
  • authorised third parties engaged to support us in performing customer and enhanced customer due diligence checks;
  • our clients (if you are a supplier), in the course of performing any engagement for services;
  • relevant third parties in the context of actual or potential legal proceedings (for example in response to a court order, enforcement of the terms of a contract and debt recovery);
  • our own professional advisors and auditors for the purpose of seeking professional advice or to meet our legal, regulatory and auditing responsibilities; and
  • another organisation if we sell or buy (or negotiate to sell or buy) any of our companies, business or assets.

We may compile statistics about the use of our websites including data on traffic, usage patterns, user numbers, and other information. All such data will be anonymised and will not include any data which can be used to identify you either by itself or when combined with other data. We may share non-personally identifiable information about the use of our website, applications, products or services publicly or with third parties, but this will not include information that can be used to identify you.

Your Rights:  You have the right to object to this and to correct any incorrect data.  Please note that access to our Services may be conditional on allowing us to share this personal data.

Changes to this policy

From time to time we will need to update, change or supplement this Policy, including by altering the types of Personal Data that may be collected, processed or shared. If this happens, we will update this Policy on our website, in our literature before such changes come into effect. If you do not agree to these changes then you will have to inform us and by continuing to access our Services, you consent to those changes.

Your rights

You have the following rights (“Data Rights”):

  • The right to be informed: This privacy policy is intended to meet our obligation to provide “fair processing information”.
  • The right of access: You have the right at any time to ask to see a copy of the personal data we hold about you.
  • The right to withdraw consent:  Where you have given your consent to our processing you may withdraw this at any time.
  • The right to rectification and data quality:  If your personal data is incorrect or incomplete then you may ask us to remedy that.
  • The right to erasure including retention and disposal:  You may ask us to delete or remove your personal data where there is no compelling reason for its continued processing but this may affect any services we provide to you which relies on that personal data.
  • The right to restrict processing:  Where you have highlighted an issue with the data.
  • The right to data portability:  This allows you to request that your personal data be shared with other processors at your request.
  • The right to object:  Where you have an objection to our processing you may do so.

You may also have the right to lodge a complaint with the Estonian Data Protection Inspectorate if you believe we are in breach of our legal obligations under data protection laws.

Contact us

f you wish to exercise any of your Data Rights, if you have any questions, complaints, or comments regarding this Policy, please:

  • Contact Us through Our Websites or Service Platforms.

To further query your rights regarding your Personal Data, to lodge a complaint, raise a concern about how your complaint has been handled and / or appeal against any decision made following your complaint, in accordance with your rights, you may contact the Estonian Data Protection Inspectorate.

Customer Guide to Gaming Complaints & Dispute Resolution

Bombay Club & Resorts OÜ, registration number 14045680, with its registered address at Rataskaevu 5, 10123 Tallinn, Estonia (the “Operator”), is a company incorporated in Estonia and the Operator of the Website.

We, the Operator, is licensed in Estonia and regulated by the Estonian Tax and Customs Board. It provides games under the perpetual operating licence for organising games of chance under; Activity license no. HKT000031, operating permit no. HKL000404.

We  are committed to ensuring that all gaming activities are conducted fairly and transparently. While we strive to provide an excellent customer experience, we recognise that disputes may arise. This guide outlines how we handle complaints and disputes, ensuring a fair and structured resolution process.

1. Making a Complaint

If you have a concern regarding a gaming transaction, we encourage you to raise it immediately with a us at the time of the incident. Our trained staff will attempt to resolve the issue promptly.

 

For non-gaming complaints (e.g., service-related matters), please speak to onsite members of the management team, or support for online services, who will address your concerns in line with our customer service standards.

2. Internal Resolution Process

Stage 1: Initial Complaint Handling

  • Raise your complaint with us immediately so we can assess the situation at the time of the event.
  • If there is clear supporting evidence (e.g., Data logs), the complaint may be resolved at this stage.
  • If the issue cannot be resolved immediately, it will be escalated to a member of the management team.

Stage 2: Review by Management

If your complaint is not resolved in Stage 1, the Senior Manager will conduct a detailed review, considering:

  • Staff accounts
  • Surveillance footage (where appropriate)
  • Communication Channels
  • Your gaming history and play style

Possible Outcomes:

  • If your claim is upheld, an appropriate resolution will be provided.
  • If your claim is not upheld, you will be informed in writing and given details on how to proceed to Stage 3: Appeal.

Stage 3: Appeal

If you remain dissatisfied, you may submit a formal appeal in writing to:

The Chief Executive Officer
Bombay Club & Resorts OÜ: Rataskaevu tn 5, 10123 Tallinn

The matter will be subject to formal review by the CEO and Executive Committee, whom will consider all relevant evidence and records prior to determining, documenting and communicating its final decision.

 

Alternatively, you may “Contact Us” through the Website.

 

Key Points to Remember

All gaming-related complaints should be raised immediately at the time of the incident.
 Our team will ensure a fair and transparent review at each stage.