The Owner and Proprietor of Bombay Club and Collection and this website is Bombay Group OÜ (“Bombay”, “we”, “our” or “us”) with its subsidiary companies.

Protection of personal data is very important for us at Bombay and we take it very seriously. This Privacy Policy, the principles of which Bombay Group follows, provides detailed information on the personal data collected by Bombay about you when you use our website or otherwise interact with us, the purposes this data is used for and who has access to the data. Please take the time to read this Privacy Policy and feel free to contact Bombay Group directly with any questions or suggestions concerning the Policy.

We process personal data in compliance with applicable personal data protection laws, including the Regulation of the European Parliament and the Council (EU) 2016/679 (“GDPR”) as well as the Personal Data Protection Act of Estonia.

Bombay Group OÜ respects your right to control your privacy. It is important for us that you can exercise your rights. Below you will find details on how to do this.

Please be aware that we can update our Privacy Policy and in that case we will notify you about the changes. You can always find the current version of the Privacy Policy on our webpage.

Terms and definitions

The Privacy Policy of Bombay Group OÜ (hereinafter also as “we”) is based on GDPR. The Privacy Policy we apply must be clear and understandable to our customers. In order to ensure that all the parties understand their rights in the same way, we explain the most important terms here.

Data subject: Identified or identifiable natural person whose data is processed;

Personal Data: Any information concerning an identified or identifiable natural person (“data subject”); identifiable natural person means a person who can be identified directly or indirectly, in particular on the basis of identifying attribute, including name, personal identification code, location information, network identifier, or on the basis of one or more physical, physiological, genetic, mental, economic, cultural or social characteristics of the natural person;

Processing of Personal Data: Automated or non-automated operation or set of operations, including collection, documentation, organizing, structuring, storing, customizing and modifying, querying, reading, using, transferring, distributing, or making otherwise available, joining or combining, restricting, deleting or destructing of personal data or set of them;

Profile analysis: Any automated processing of personal data involving the use of personal data for the assessment of certain personal aspects of the natural person. In particular, for analyzing or forecasting aspects related to the performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movement of the natural person concerned;

Controller: Natural or legal person, public entity, agency or other body which alone or in cooperation with others determines the objectives and means of the processing of personal data; if the objectives and means of such processing are determined in the law of the Union or the Member State, the specific criteria for the Responsible Processor or for assigning the one may be established in the law of the Union or the Member State;

Processor: Natural or legal person, public entity, agency or other body processing personal data on behalf of the controller;

Set of data: Any organized set of personal data from which data can be derived on the basis of certain criteria, regardless of whether the set of data is functionally or geographically centralized, decentralized or distributed;

Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;

Recipient: Natural or legal person, public entity, agency or other body to whom personal data is disclosed, whether or not it is a third party. The public entities which can obtain personal data as a result of specific inquiry in accordance with the law of the Union or the Member State, are not deemed to be recipients; these public entities process such data in accordance with applicable data protection standards in the basis of the processing purposes;

Third Party: Natural or legal person, public entity, agency or body, excluding the Data Subject, Controller, Processor and persons who can process personal data under the direct responsibility of the Controller or Processor;

“Consent” of the Data Subject: Voluntary, specific, conscious and unambiguous statement by which the Data Subject in the form of an application or by explicit consent, agrees with the processing of his/her personal data.

Data controller

Company name: Bombay Group OÜ (16132057)
Address: Suur-Patarei 13, 10415 Tallinn, Estonia

We can be contacted by e-mail at .

What personal data Bombay collects and how is the data used? Providing service to the customers

When Bombay provides service to you, personal data is also processed and therefore sharing of your personal data with us is necessary.

For the purpose of concluding your customer agreement, Bombay processes the following personal data:

  • name;
  • e-mail address;
  • telephone number;
  • personal identification number or date of birth;
  • country of residence and origin;
  • a visual image (photo) of the person;
  • type and number of an identification document;
  • the date of issuance and validity of the identification document.

This personal data is processed as long as the customer agreement is valid and in addition to Bombay employees, the data is also accessible for our contractual accountant. The legal basis for such processing of the personal data is processing of personal data for the performance of the contract entered into with the data subject or for taking measures prior to the conclusion of a contract, in accordance with the data subject’s request (GDPR, Sec. 6(1)(b)). Additionally, in regards to the purpose of verifying your identity, the legal basis for such processing of personal data is processing necessary for compliance with a legal obligation to which the controller is subject (GDPR, Sec. 6(1)(c)).

During the customer relationship and 10 years afterwards, we process this personal data of our customers for archiving the customer contracts. Bombay has a legitimate interest (GDPR, Sec. 6(1)(f)) for maintaining the customer related documents.

Please note that Bombay does not process special categories of personal data regarding its customers.

The use of video cameras

At Bombay’s venues, Bombay uses video cameras for security and surveillance purposes. Video cameras monitor the area in front of the main entrance of Bombay Club and the entire customer and gaming area. The personal data processed by using video cameras is the visual image of the person.

Bombay Group’s licensed partner Kopikas Entertainment OÜ has a statutory obligation arising from the Gambling Act to employ video surveillance in order to ensure the safety of the customers and employees of Bombay Club and to ensure that customers do not use forbidden measures to gain an illegal advantage in gaming. As a result, the legal basis for the processing video recordings as personal data is processing necessary for compliance with a legal obligation to which the controller is subject (GDPR, Sec. 6(1)(c)).

The recordings from the video cameras are processed and retained for at least 14 days, but not more than 30 days.


For the purposes of marketing and communications Bombay Group processes the following personal data:

  • name
  • e-mail address;
  • telephone number;
  • your language of communication.

In certain cases, when natural persons are concerned, we must ask for the consent of the data subject for sending email marketing communications. If you have not given your consent for such processing of personal data, we will not process your personal data for this purpose. Your consent will not expire, but if you no longer want to receive marketing communications, you can conveniently exit from the mailing list by using the link (“remove from the list” or “unsubscribe”) found at the end of the message. You are also entitled at any time to object the processing of your personal data for direct marketing purposes. This means that the legal basis for such processing of personal data is that the data subject has given consent to the processing of his or her personal data for one or more specific purposes (GDPR, Sec. 6(1)(a)).

When Bombay sends you an e-mail, Bombay can collect statistics about your activities on the message, for example, did you open the message and which links did you click. Sometimes, before sending a newsletter, we evaluate the behaviour of our contacts (opening of previous newsletters, attending Bombay’ events, etc.). This is necessary for sending more personalized e-mail communications to you. Bombay has a legitimate interest (GDPR, Sec. 6(1)(f)) to understand the needs and preferences of its contacts in order to provide more relevant information to them.

For the purpose of processing personal data listed in this section, Bombay’s employees can access the data. The personal data can also be accessed by the partner providing IT services for us. We implement appropriate technical and organizational measures to ensure safety of the personal data.

What are your rights and how you can exercise them?

By contacting Bombay by e-mail at , you can exercise the following rights, taking into account restrictions stipulated in relevant and applicable data protection related legal acts:

  • The right to access your personal data;
  • The right to correct your personal data;
  • The right to delete your personal data;
  • The right to exercise your right to data portability your personal data;
  • The right that no decisions will be made about you solely on the basis of automated decisions;
  • The right to withdraw your consent in cases where your personal data is being processed based on consent.

In certain cases, you have the right to demand restriction for processing of your personal data and the right to object processing of your personal data.

You can exercise your rights in accordance with the terms and conditions based on GDPR and other local regulations.

If you believe that your privacy has been compromised, please contact us by the email address below. You also have the right to file a complaint to the data protection supervisory authority of the country of your residence. In Estonia, this is the Estonian Data Protection Inspectorate.

With any questions, please feel free to contact us at .

This privacy policy is effective from 03.07.2024.