Privacy Policy

This Privacy Policy explains how sesame collects, uses, discloses, and safeguards personal information for visitors and players who access or use sesame-ca.com. It applies to website visitors, registered account holders, and recipients of our communications. By using our services, you acknowledge this Policy. Effective date: October 31, 2025.

Who We Are

  • Operator: Sesame Online EOOD, a single-owner limited liability company registered in Bulgaria (EIK/UIC: 205723651).
  • Licensing: Licensed for online gambling operations by the National Revenue Agency (NRA) of Bulgaria (see public NRA registers).
  • Registered office/legal address: The company is registered in Bulgaria. The full registered address will be provided upon verified request for privacy or legal purposes.
  • Websites: Official: https://sesame-ca.com. Legacy (reference): https://sesame.bg.
  • Privacy contact (Data Protection Team): [email protected]; Tel: +359 2 493 0008 (BG). Please write "Privacy request" in the subject line.

What Personal Data We Collect

  • Identity and contact: full name, date of birth, address, nationality, e-mail, phone, document identifiers collected for KYC/AML (e.g., ID/passport details, proof of address), and account credentials.
  • Account and behavioral data: registration details, session history, game/betting history, deposits/withdrawals, responsible gambling settings, interactions (clickstream, features used), preferences.
  • Payment and financial: payment method details (tokenized where possible), transaction records, payout details, chargeback information.
  • Technical data: IP address, device and browser data, OS/version, language, screen resolution, time zone, cookie IDs, advertising IDs, log files, security event logs.
  • Communications: customer support chats, e-mails, calls (where applicable), marketing preferences and consents.
  • Cookies and similar tech: session and persistent cookies, SDKs, pixels, and local storage for functionality, analytics, personalization, and advertising (see "Cookies & Tracking Technologies").

Legal Basis for Processing

  • Consent: We obtain express or implied consent under PIPEDA for collection, use, and disclosure where required, and express opt-in consent under Canada's Anti-Spam Legislation (CASL) for commercial electronic messages.
  • Contract necessity: Processing needed to create and operate your account, verify identity, process payments and payouts, provide customer support, and deliver games and features you request.
  • Legitimate interests / appropriate purposes: Fraud prevention, security, service analytics, service improvement, and personalization, implemented with safeguards and proportionality. For individuals in the EEA/UK, we rely on legitimate interests under GDPR where appropriate.
  • Legal obligations: Compliance with KYC/AML/CTF requirements, sanctions screening, recordkeeping, tax and regulatory reporting, dispute management, and requests from competent authorities.

Purpose of Processing

  • Service delivery: Account registration and management, identity verification, enabling gameplay and transactions, customer support, responsible gambling tools.
  • Compliance and risk: AML/KYC checks, sanctions screening, transaction monitoring, auditing, and regulatory reporting.
  • Security: Detecting and preventing fraud, abuse, cheating, multi-accounting, and cyber threats; ensuring platform integrity.
  • Analytics and improvement: Usage measurement, performance monitoring, A/B testing, product development.
  • Personalization and marketing: Tailoring content, recommendations, and offers; sending marketing communications where we have your consent (you may withdraw at any time).

Disclosure & Sharing

  • Payment and banking partners: card processors, payment gateways, banks, payout providers (to process deposits/withdrawals and verify transactions).
  • Verification and risk vendors: identity/KYC providers, sanctions/PEP screening, fraud detection, cybersecurity services.
  • Technology and operations: hosting/cloud, content delivery networks, analytics platforms, CRM/helpdesk tools, communication service providers.
  • Affiliates and group entities: For centralized operations, anti-fraud, compliance, and customer support, only as necessary and under contractual safeguards.
  • Marketing and advertising partners: only where permitted by law and your consent; includes ad networks and measurement partners.
  • Regulators and authorities: courts, law enforcement, tax bodies, gambling regulators and financial intelligence units, when legally required or to protect rights, users, or the platform.
  • Business transactions: In a merger, acquisition, financing, or asset sale, subject to confidentiality and continued protection of personal information.

International Transfers

  • Destinations: Your data may be transferred to Bulgaria and other EEA countries (for operations and compliance), and to the United States or other jurisdictions (for cloud/CDN, analytics, communications, or support tools).
  • Safeguards: We use contractual and organizational measures to ensure comparable protection, including data processing agreements, confidentiality controls, access restrictions, and security standards.
  • EEA safeguards: Where GDPR applies, we implement the European Commission's Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms with risk assessments and supplementary measures.
  • Quebec (Law 25): Before communicating personal information outside Quebec, we assess the privacy risks, consider the legal framework of the destination, and apply appropriate contractual measures.
  • U.S. vendors: Where applicable, we prefer providers certified under the EU-U.S. Data Privacy Framework or bound by SCCs and additional safeguards.

Data Retention

  • Account and identity data: Kept for the life of the account and generally up to 5 years after closure to address legal, regulatory, and anti-fraud obligations.
  • KYC/AML records: Typically retained for 5 years from the date of last transaction or account closure, subject to applicable law.
  • Payment and transaction records: 5-7 years for auditing, tax, accounting, and AML purposes.
  • Technical logs and security events: 12-24 months, unless needed longer for investigations or legal purposes.
  • Marketing data: Until consent is withdrawn or after 24 months of inactivity, whichever occurs first.
  • Cookies: Session cookies expire on logout/close; persistent cookies typically 3-24 months (see Cookie settings).
  • Deletion criteria: Expiry of retention period, withdrawal of consent where applicable, successful objection, or when purposes end and no legal obligation requires further retention.

Your Rights

  • Canada (PIPEDA and provincial laws): Access your personal information; request corrections; withdraw consent (subject to legal/contractual limits); request information about our policies and practices; challenge compliance. Quebec Law 25 adds rights related to automated decision-making explanations and data portability in certain cases.
  • GDPR alignment (EEA/UK residents): Rights to access, rectification, erasure, restriction, portability, objection (including to profiling/marketing), and to not be subject to solely automated decisions producing legal effects, subject to exceptions.
  • Mexico (LFPDPPP): ARCO rights (Access, Rectification, Cancellation, and Opposition), plus withdrawal of consent and limitation of use/disclosure, subject to legal exceptions.
  • How to exercise: Submit a request to [email protected] or via your account. We may require identity verification. Indicate the right(s) you wish to exercise and relevant details to locate your data.
  • Timelines and fees: We aim to respond within 30 days. Requests are free of charge unless manifestly unfounded or excessive, in which case a reasonable fee or refusal (with reasons) may apply.
  • Marketing withdrawals: Use the "unsubscribe" link in emails or adjust preferences in your account. Withdrawing marketing consent does not affect service messages.

Cookies & Tracking Technologies

  • Types:
    • Session cookies: essential, expire when you close your browser.
    • Persistent cookies: remain for a set period for preferences, analytics, or advertising.
    • Third-party cookies/SDKs/pixels: analytics, anti-fraud, and advertising partners.
  • Purposes:
    • Functional: login, security, load balancing, preferences.
    • Analytics: usage metrics, performance, diagnostics.
    • Advertising/personalization: tailored offers and measurement (with consent where required).
  • Controls: Manage via your browser settings and the "Cookie Settings" link in our site footer (where available). Blocking certain cookies may impact functionality.

Data Security

  • Encryption: TLS 1.2+ for data in transit; industry-standard encryption (e.g., AES-256) for data at rest where applicable.
  • Access controls: Role-based access, least-privilege, MFA for administrative access, network segmentation, key management.
  • Secure development: SDLC with code reviews, dependency scanning, and vulnerability management; change control and segregation of environments.
  • Monitoring and testing: Logging and alerting, periodic penetration tests, regular security assessments and audits.
  • Staff and process: Background checks where lawful, confidentiality agreements, and recurring security/privacy training.
  • Standards: Controls aligned with recognized frameworks (e.g., ISO/IEC 27001). We require key vendors to maintain appropriate certifications such as SOC 2 or ISO 27001 where relevant.
  • Incidents: We maintain incident response procedures and will notify affected individuals and regulators as required by applicable law.

Complaints & Contacts

Contact sesame

  • Data Protection Team (primary): [email protected]; Tel: +359 2 493 0008.
  • Online: Use on-site support/live chat when available at sesame-ca.com.
  • Postal: If you require postal submission, contact us by email to obtain the current address and reference "Privacy request."

Complaint procedure

  1. Submit your concern to us with details and any supporting information.
  2. We acknowledge receipt and investigate. We strive to respond within 30 days.
  3. If unresolved, you may escalate to a supervisory authority (see below).

Supervisory authorities

  • Canada (OPC): Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, QC K1A 1H3; Tel: 1-800-282-1376; priv.gc.ca.
  • EU (if GDPR applies): You may contact your local authority or our EU regulator. Bulgaria: Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria; Tel: +359 2 915 3580; cpdp.bg. EU authority list: edpb.europa.eu.
  • Mexico (LFPDPPP): Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI); inai.org.mx.

Updates

  • Notification methods: We will post updates on this page and, for material changes, provide additional notice via e-mail, account notifications, and/or a prominent site banner.
  • Advance notice: For material changes that reduce your rights or expand processing purposes, we will provide at least 30 days' advance notice where legally required.
  • User options: You may review changes, adjust preferences, withdraw marketing consent, or close your account if you do not agree with the updated terms.
  • Version control: Last updated: October 2025. Material changes since the prior version: clarified international transfer safeguards; added Quebec Law 25 references; expanded ARCO rights alignment.