burger icon
Lukki Casino Australia
Log In

Privacy Policy

This Privacy Policy explains how Lukki Casino, as offered to Australian players via https://lukkibet-au.com and related mirror domains (together, "the Website"), collects, uses, discloses and protects your personal information. It applies to all players, account holders and visitors who access or use the Website, whether or not they register an account. By using the Website, you acknowledge that your data will be processed as described in this Privacy Policy. This Privacy Policy is effective from 1 January 2026 and supersedes any earlier versions published on the Website.

Who We Are

OBSERVE: Lukki Casino is provided to Australian users as a grey-market offshore online casino. EXPAND: Your contract is with the operator in Curaçao, not with any Australian entity. REFLECT: We clearly identify the controller of your personal data and how to contact us.

Operator and Legal Entity

  • Legal name: Dama N.V.
  • Trading name (brand): Lukki Casino (including the Australian-facing version available at lukkibet-au.com, referred to here as "Lukki Casino").
  • Registered address: Scharlooweg 39, Willemstad, Curaçao.
  • Company registration number: 152125, registered with the Curaçao Chamber of Commerce & Industry.
  • Gaming licence: E-gaming sub-licence No. 8048/JAZ2020-013, issued by Antillephone N.V. under the authority of the Government of Curaçao.

Contact Details and Data Protection Contact

  • Website (AU-facing mirror): https://lukkibet-au.com
  • Primary global domain: https://lukki.com
  • Data Protection Officer / Privacy Team: [email protected]
  • Postal contact for privacy matters: Data Protection Officer, Dama N.V., Scharlooweg 39, Willemstad, Curaçao.

If you have any questions about this Privacy Policy or how we handle your data, you can contact our Data Protection Officer (DPO) using the details above.

What Personal Data We Collect

OBSERVE: Operating an online casino requires identification, payments, and technical security. EXPAND: We collect both information you provide and information generated by your use of the Website. REFLECT: Below we categorise these data types for transparency.

Identification and Contact Data

  • Full name, date of birth, gender (where provided).
  • Residential address, country of residence, billing address.
  • Email address and telephone number.
  • Identity verification data (e.g., copies or details of passports, ID cards, driver licences, utility bills, bank statements, or other KYC documents).

Account and Gameplay Data

  • Username, password (stored using secure hashing), security questions and answers.
  • Account settings, language and currency preferences (including AUD where available).
  • Game activity and behavioural data: bets placed, game rounds, wins and losses, bonus usage, session duration, in-game decisions, and interaction history.
  • Responsible gambling settings: deposit limits, loss limits, session reminders, self-exclusion status and related notes.

Payment and Financial Data

  • Payment method details (e.g., partially masked card numbers, e-wallet identifiers, bank account details, cryptocurrency wallet identifiers where applicable).
  • Transaction history: deposits, withdrawals, chargebacks, refunds, bonus credits and wagering status.
  • Fraud and risk data: internal risk scores, flags, notes relating to AML/KYC checks and transaction monitoring.

Technical and Usage Data

  • IP address, approximate geolocation inferred from IP, device identifiers, browser type, operating system, language and time zone settings.
  • Log data: access dates and times, pages viewed, clicks, referral URLs, crash reports and performance data.
  • Information about how you interact with emails and notifications (e.g., opens, clicks, unsubscribes).

Cookies and Similar Technologies

  • Cookies: Small files stored on your device to remember your preferences, authenticate sessions and analyse site usage.
  • Web beacons / pixels: Small code snippets in pages or emails to measure interactions and campaign performance.
  • Local storage and similar: Browser or app-based storage used for preferences and security features.

Special Categories and Sensitive Data

  • We generally do not intentionally collect special category data (e.g., health, religion). However, responsible gambling interactions may incidentally reveal sensitive information (for example, if you disclose health-related issues to customer support), which we treat with enhanced confidentiality.

Legal Basis for Processing

OBSERVE: Our players may be located in the EU, Mexico, Australia and other regions. EXPAND: We therefore explain our processing under the GDPR concepts of "legal basis" while also aligning with Mexican law and Australian privacy principles. REFLECT: The main legal bases are contract, consent, legal obligation and legitimate interests.

Performance of a Contract

  • Creating, maintaining and managing your player account.
  • Processing deposits and withdrawals and providing casino games and related services.
  • Verifying your identity where necessary to provide services and pay out winnings.
  • Providing customer support and resolving operational issues.

Compliance with Legal Obligations

  • Carrying out "know your customer" (KYC) and anti-money laundering (AML) checks as required by Curaçao laws, our licence conditions and applicable international standards.
  • Preventing, detecting and reporting suspected fraud, money laundering, terrorism financing or other unlawful activities.
  • Keeping records for accounting, taxation, regulatory reporting and audit purposes.

Legitimate Interests

  • Maintaining and improving the security and integrity of our systems and games.
  • Monitoring gameplay to detect collusion, bonus abuse, bots and other violations of our Terms and Conditions.
  • Analysing usage statistics to improve our services, game offering, website design and performance.
  • Defending our legal rights, handling disputes and responding to complaints.

Consent

  • Sending marketing communications (email, SMS, push notifications) where required by law or where you have opted in.
  • Using non-essential cookies and similar technologies for analytics and advertising, depending on your consent and browser settings.
  • Processing certain special or sensitive information you choose to provide (for example, in responsible gambling communications), to the extent permitted by law.

Where we rely on consent, you may withdraw it at any time, without affecting the lawfulness of processing before withdrawal.

Purpose of Processing

OBSERVE: Players need clarity on why their data is used. EXPAND: We group purposes by function. REFLECT: Each purpose is tied to one or more legal bases described above.

Provision and Management of Casino Services

  • Registering and managing your account, including verification and authentication.
  • Providing access to games, tournaments, bonuses and loyalty programs.
  • Processing deposits, wagers, winnings and withdrawals.
  • Providing customer support via chat, email or other channels.

Improvement, Analytics and Personalisation

  • Analysing gameplay and website usage to optimise game selection, site layout and user experience.
  • Personalising content and offers (for example, recommending games you may like based on your playing history).
  • Aggregating and anonymising data for long-term business analytics and statistics.

Marketing and Promotions

  • Sending promotional communications about bonuses, tournaments, new games and other offers, subject to your preferences and applicable laws.
  • Running loyalty programs, VIP schemes and targeted promotions.
  • Measuring the effectiveness of marketing campaigns and affiliate relationships.

Security, Fraud Prevention and Compliance

  • Monitoring transactions and gameplay to detect and prevent fraud, chargebacks, collusion, money laundering and other abuse.
  • Enforcing our Terms and Conditions and Bonus Terms.
  • Complying with regulatory and licensing requirements in Curaçao and responding to lawful requests from competent authorities.

Disclosure & Sharing

OBSERVE: Operating an online casino requires a network of third-party providers and regulators. EXPAND: We share only what is necessary and subject to appropriate safeguards. REFLECT: Below we list typical categories of recipients.

Service Providers and Business Partners

  • Payment processors and banks: To process deposits, withdrawals and other financial transactions (including card processors, e-wallets, crypto payment gateways and banking partners).
  • Game providers: Software studios and platform providers that supply games or run game servers and may need limited player identifiers and gameplay data to operate those games and resolve technical issues.
  • IT and security providers: Providers of hosting, DDoS protection, content delivery networks, analytics, security monitoring and technical support.
  • Marketing and affiliate partners: Email service providers, advertising networks and affiliate platforms, but only where permitted by law and subject to your marketing preferences.

Corporate Group and Affiliates

  • Other companies within the Dama group and related entities acting as payment agents, support entities or back-office processors, where necessary to provide services or for internal administration.

Regulators, Authorities and Dispute Resolution Bodies

  • Licensing and regulatory bodies in Curaçao (such as Antillephone N.V.) when required by our licence or applicable law.
  • Law enforcement and other competent public authorities where we are legally required to disclose information or where disclosure is necessary to protect our rights or the rights of others.
  • Independent dispute resolution or Alternative Dispute Resolution (ADR) bodies (for example, sector-recognised mediation services) when you escalate a complaint and consent to our sharing relevant data.

Advertising Networks and Social Media

  • Where you have consented or where allowed by law, we may share limited pseudonymised identifiers (such as cookie IDs or hashed email addresses) with advertising networks, analytics providers or social media platforms to measure campaign performance and avoid showing you irrelevant adverts.

Business Transfers

  • In the event of a merger, acquisition, sale of assets, restructuring or insolvency, your data may be transferred to a new entity as part of the transaction, subject to confidentiality obligations and continuity of protection.

International Transfers

OBSERVE: Lukki Casino is operated from Curaçao and uses global infrastructure. EXPAND: Your data may therefore be processed and stored outside your country, including outside the EU and Australia. REFLECT: We apply contractual and technical safeguards to mitigate these risks where required.

Locations of Processing

  • Curaçao, where Dama N.V. is registered and licensed.
  • European Economic Area (EEA) countries, where some of our service providers or corporate affiliates may be located.
  • Other countries (for example, cloud hosting locations or support centres) where our carefully selected processors operate.

Safeguards for International Transfers

  • Where required by the GDPR, we use appropriate transfer mechanisms such as:
    • Standard Contractual Clauses (SCCs) approved by the European Commission; and/or
    • Other legally recognised safeguards or derogations under Articles 46 - 49 GDPR.
  • We seek to ensure that non-EEA providers offer a level of data protection substantially equivalent to that required in the EU, through contractual obligations, technical measures and due-diligence assessments.
  • For Mexican users, we handle cross-border transfers consistently with the principles of the Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), including informing you of transfers and limiting them to the stated purposes.

Regional Compliance Note: As an offshore operator, we are not licensed in Australia and Australian consumer protections may not directly apply. However, we endeavour to handle personal information in a manner consistent with key principles found in the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), to the extent reasonably practicable.

Data Retention

OBSERVE: Gaming and AML regulations require us to keep some data for minimum periods. EXPAND: We also avoid keeping data longer than necessary. REFLECT: Retention periods vary by category and purpose.

General Retention Principles

  • We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting and reporting requirements.
  • Where laws or regulators specify minimum retention periods (for example, AML/KYC data), we retain data for at least those periods.
  • When data is no longer needed, we delete it or irreversibly anonymise it according to our data retention and deletion procedures.

Indicative Retention Periods

  • Account and identification data: Typically kept for the duration of your account and up to 5 - 7 years after account closure, to comply with AML, licensing and record-keeping obligations.
  • Transaction and gameplay records: Retained for up to 7 years from the date of the relevant transaction or event, for regulatory, tax and dispute-resolution purposes.
  • Marketing data: Retained while you remain subscribed to marketing communications and for a short period after opt-out (generally not more than 2 years) to document your preferences and demonstrate compliance.
  • Customer support communications: Retained for up to 5 years after the interaction, depending on the nature of the request and any ongoing disputes.
  • Technical logs and security data: Retained for shorter periods, usually between 6 months and 3 years, unless required longer for security investigations or legal proceedings.

Deletion Criteria

  • Expiry of the applicable retention period.
  • Fulfilment of the purpose for which the data was collected and no other lawful basis requires continued retention.
  • Successful completion of a verified erasure request, where applicable and not overridden by legal obligations.

Your Rights

OBSERVE: Users located in different jurisdictions may have different rights. EXPAND: We structure our approach primarily in line with GDPR standards, while aligning with Mexican LFPDPPP rights and, where relevant, Australian privacy expectations. REFLECT: We strive to honour these rights wherever it is technically and legally feasible.

GDPR-Style Rights (EU/EEA and, where feasible, Globally)

  • Right of access: You can request confirmation of whether we process your personal data and receive a copy of that data together with information about how it is used.
  • Right to rectification: You can ask us to correct inaccurate or incomplete personal data. For many fields, you may update information directly in your account.
  • Right to erasure: You can request deletion of your personal data where there is no compelling reason for us to keep it (for example, where it is no longer necessary, or you withdraw consent and no other legal basis applies). We may retain data required for legal or regulatory purposes.
  • Right to restriction of processing: You can ask us to restrict processing of your data in certain circumstances, such as when you contest its accuracy or object to our use of it.
  • Right to object: You can object to processing based on our legitimate interests, including profiling for security or marketing, and we will stop unless we have overriding legitimate grounds or need the data for legal claims.
  • Right to data portability: Where processing is based on consent or contract and carried out by automated means, you can request to receive your data in a structured, commonly used and machine-readable format or ask us to transfer it to another controller where technically feasible.
  • Right to withdraw consent: Where processing is based on your consent (e.g., marketing), you may withdraw consent at any time by adjusting your account settings, using unsubscribe links, or contacting us.

Mexican Privacy Law Alignment (LFPDPPP)

  • Under the Mexican Federal Law on Protection of Personal Data Held by Private Parties and its regulations, individuals have the so-called ARCO rights:
    • Access: To know what data we have and how we use it.
    • Rectification: To correct inaccurate or incomplete data.
    • Cancellation: To request that we stop processing and delete data when appropriate.
    • Opposition: To oppose certain processing in legitimate cases.
  • We aim to handle requests from Mexican users in line with ARCO principles, subject to our regulatory obligations in Curaçao and other applicable laws.

Procedures, Timeframes and Cost

  1. Submitting a request: You can exercise your rights by:
    • Contacting us at [email protected], or
    • Using any dedicated privacy or contact form available on the Website.
  2. Verification: To protect your account and personal data, we may request additional information to verify your identity before responding (for example, confirming account details or asking for ID).
  3. Response time: We aim to respond to all valid requests within 30 days of receipt. In complex cases, this may be extended by a further 30 days, in which case we will inform you of the extension and reasons.
  4. Fees: We generally handle requests free of charge. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, particularly if they are repetitive.

Cookies & Tracking Technologies

OBSERVE: Cookies help us run the site securely and efficiently. EXPAND: Different cookies serve different purposes, from login stability to analytics and marketing. REFLECT: You have options to manage or disable cookies.

Types of Cookies We Use

  • Strictly necessary (functional) cookies: Essential for the Website to function (for example, to log in, maintain sessions, process payments and remember your cookie preferences). These cannot be switched off via our systems.
  • Preference cookies: Remember your choices such as language, currency and interface settings, improving your experience.
  • Analytics and performance cookies: Help us understand how visitors use the Website (e.g., which pages are most popular, error messages encountered) so we can improve functionality and content.
  • Advertising and targeting cookies: Used to deliver more relevant adverts to you, limit how often you see an advert and measure the effectiveness of campaigns, often set by third-party partners.

Third-Party Cookies

  • Some cookies are placed by third parties such as analytics providers, fraud-prevention tools and advertising networks. These parties may collect information about your online activities over time and across different websites, in accordance with their own privacy policies.

Managing Cookies

  • You can manage cookie preferences through:
    • Your browser settings (e.g., blocking or deleting cookies); and
    • Any cookie banners or preference tools provided on the Website.
  • Blocking or deleting cookies may affect your ability to use certain features of the Website, including secure login and gameplay.

Data Security

OBSERVE: Online gambling platforms are attractive targets for fraud and cyber-attacks. EXPAND: We combine technical, organisational and procedural controls to mitigate these risks. REFLECT: While no system is completely secure, we aim to maintain a level of security appropriate to the risks.

Technical Measures

  • Encryption in transit: We use modern cryptographic protocols (such as TLS 1.2 or higher) to protect data transmitted between your browser and our servers.
  • Encryption at rest: Sensitive data, including authentication credentials and certain financial information, is stored using industry-standard encryption or hashing algorithms.
  • Access controls: Access to personal data is restricted to authorised personnel and service providers who need it to perform their duties, and is governed by role-based access controls.
  • Network and application security: We implement firewalls, intrusion detection or prevention systems and other security technologies to protect our infrastructure.

Organisational and Procedural Measures

  • Security policies and training: Staff with access to personal data are subject to confidentiality obligations and receive training on information security and data protection.
  • Vendor management: We assess the security posture of key third-party processors and include data protection clauses in our contracts.
  • Incident response: We maintain processes to detect, investigate and respond to suspected security incidents. Where required by law, we will notify relevant authorities and affected individuals of data breaches within applicable timeframes.
  • Standards alignment: We aim to align our security controls with recognised best practices and international standards such as ISO 27001 and SOC 2, where appropriate for our size and risk profile, even if we may not hold formal certifications.

Complaints & Contacts

OBSERVE: Players must have clear channels to raise concerns about privacy. EXPAND: We outline internal handling and external escalation options. REFLECT: This supports accountability and transparency for multiple jurisdictions.

Internal Complaint Procedure

  1. Step 1 - Contact our DPO/Privacy Team: If you have concerns or complaints about how we process your personal data, contact us at [email protected] or write to Data Protection Officer, Dama N.V., Scharlooweg 39, Willemstad, Curaçao, describing your issue in as much detail as possible (including your username and relevant dates).
  2. Step 2 - Acknowledgement: We aim to acknowledge receipt of your complaint within 5 business days.
  3. Step 3 - Investigation: We investigate your complaint, which may involve contacting you for further information. We typically provide a substantive response within 30 days of receipt.
  4. Step 4 - Outcome: We will inform you in writing of the outcome and any steps taken to address your complaint. If we cannot resolve the matter to your satisfaction, you may escalate to external authorities, as described below.

Escalation to Supervisory Authorities

  • EU/EEA users: If you are located in the EU/EEA, you have the right to lodge a complaint with your local data protection authority or with the authority of the EU Member State of your habitual residence, place of work or place of the alleged infringement.
  • Mexican users: You may submit a complaint to the Mexican data protection authority:
    • Authority: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).
    • Website: https://www.inai.org.mx
    • INAI provides guidance on how to exercise ARCO rights and how to file complaints concerning private-sector data controllers.
  • Other jurisdictions (including Australia): Depending on your location and local laws, you may have the right to complain to your national privacy or data protection regulator. As Lukki Casino is operated offshore by Dama N.V. in Curaçao, some local regulators may have limited jurisdiction, but you can still seek guidance from them.

Updates

OBSERVE: Privacy laws and our operations evolve over time. EXPAND: We may update this Privacy Policy to reflect changes in law, technology or our services. REFLECT: We commit to transparent change management and reasonable notice for significant changes.

How We Will Inform You

  • Policy updates on the Website: We will publish the updated Privacy Policy at https://lukkibet-au.com with a revised "Last updated" date.
  • Email notifications: For material changes that significantly affect your rights or how we process your data, we will, where feasible, notify you by email to the address linked to your account.
  • On-site notices: We may display banners, pop-ups or account dashboard alerts to highlight important changes.

Advance Notice and Your Options

  • Where we make significant changes that require your consent or that materially affect your rights, we will endeavour to provide at least 30 days' advance notice before the changes take effect, unless immediate implementation is required by law or to protect the security of the service.
  • If you do not agree with the updated Privacy Policy, you may choose to stop using the Website and request account closure and, where applicable, deletion of your personal data (subject to our legal retention obligations).

Version control: Last updated: January 2026. Material changes from prior versions may include clarifications on international data transfers, expanded information on user rights under GDPR and Mexican law, and updates to security and retention practices to reflect current industry standards.