This Data Processing Agreement ("DPA") forms part of the Terms of Service and applies where CasinoComm processes personal data on your behalf. It reflects Article 28 of the UK/EU GDPR. Where you are an EU/UK casino, this DPA governs that processing.
1. Roles
For player personal data you upload or generate (e.g. names, phone numbers, segments, message history), you are the controller and CasinoComm is the processor. For our own account, billing, and security data, CasinoComm is the controller (see the Privacy Policy).
2. Scope and instructions
- Subject matter: provision of the messaging Service. Duration: the term of your subscription.
- Nature/purpose: storing contacts, sending messages you initiate, tracking delivery and redemptions, and providing support.
- Data types: player names, phone numbers, opt-in/opt-out status, tags, message and redemption records.
- Data subjects: your players/contacts.
- We process this personal data only on your documented instructions (these Terms and your use of the Service), unless required by law.
- We will not use your players' personal data for our own purposes, sell it, or repurpose it.
3. Confidentiality
We ensure that personnel authorised to process the data are bound by confidentiality.
4. Security
We implement appropriate technical and organisational measures, including encryption of sensitive credentials, access controls and least-privilege access, network isolation, and logging. Measures are reviewed periodically.
5. Subprocessors
You authorise us to engage the subprocessors below to provide the Service. We impose data-protection obligations on each and remain responsible for their performance. We will give notice of intended changes so you can object.
- Neon — managed PostgreSQL database hosting.
- Railway — application hosting.
- Clerk — authentication.
- Stripe — payment processing (billing data).
- Resend — transactional and alert email.
- Meta Platforms / WhatsApp — message delivery to recipients you choose.
6. Data-subject requests
Where a player exercises their rights (access, erasure, objection, etc.), requests should be directed to you as controller; we will provide reasonable assistance and the tools to fulfil them, taking into account the nature of the processing.
7. Personal-data breaches
We will notify you without undue delay after becoming aware of a personal-data breach affecting your data, and provide information reasonably required for you to meet your own notification obligations.
8. Audits
We will make available information necessary to demonstrate compliance with this DPA and allow for reasonable audits, on reasonable notice and subject to confidentiality.
9. International transfers
Where data is transferred outside the EEA/UK, we rely on an appropriate transfer mechanism, such as the Standard Contractual Clauses, together with any required supplementary measures.
10. Deletion and return
On termination, we will delete or return your players' personal data within 30 days, except where retention is required by law.