Privacy Policy

This Privacy Policy explains how Royal Panda Casino, operated via the website royalpanda-ca.com, collects, uses, discloses, and protects your personal data when you visit our website, register an account, or use our online casino services. It applies to all players, prospective players, and other visitors from Canada (including Ontario and the rest of Canada) who interact with our services online, whether or not they complete registration. By using our services, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy is effective as of 01 January 2026 and remains in force until replaced or updated as described below.

Who We Are

For players in Canada, Royal Panda Casino is provided through the brand "Royal Panda Casino" accessible at royalpanda-ca.com. The brand is operated within the LeoVegas Group, ultimately owned by MGM Resorts International. Operations for Canadian players are carried out under the following regulatory frameworks:

• Rest of Canada (outside Ontario): The services are operated under the Malta Gaming Authority (MGA) licence number MGA/CRP/237/2013, held by LeoVegas Gaming plc, a company incorporated and regulated in Malta.
• Ontario: The services are provided under Alcohol and Gaming Commission of Ontario (AGCO) licence number OPIG1233813, with gaming conducted in partnership with iGaming Ontario.

Although certain corporate registration details are not specified in this document, LeoVegas Gaming plc is the primary operating entity for the Royal Panda Casino brand in Canada under the identified licences.

Contact for privacy matters (Data Protection):

• Email (primary): [email protected] (please include "Privacy request" in the subject line)
• Email (support-related privacy questions): [email protected]
• Press and public queries: [email protected] (not for rights requests, but may be used for clarifications)

You may use any of the above contact details to reach our data protection function. Your request will be handled by our internal data protection team or the person responsible for data protection within the group.

What Personal Data We Collect

We observe and process various categories of personal data in order to provide secure, compliant, and responsible iGaming services to Canadian players. The data we collect depends on how you interact with Royal Panda Casino.

Identity and Contact Data

• Full name, date of birth, and gender (where required for KYC).
• Residential address, billing address, country and province/territory of residence (including confirmation of Ontario residency where applicable).
• Contact details such as email address, mobile number, and other communication identifiers you provide.
• Copies or details of identification documents (e.g., passport, national ID, driving licence) and proof of address documents (e.g., utility bill, bank statement) used for verification.

Account and Behavioural Data

• Username, encrypted password, security questions and answers, and account preferences.
• Gaming history, including games played, session durations, stakes, wins and losses, bonuses claimed, and wagering patterns.
• Responsible gambling data such as deposit limits, loss limits, cool-off periods, self-exclusion history, and interactions with responsible gaming tools (including via leosafeplay.com where relevant).
• Communication history with customer support (e.g., emails, live chat logs, complaint records).
• Clickstream data, page views, interaction logs, and other usage statistics within the website or app.

Technical and Device Data

• IP address, approximate geolocation derived from IP (country, province, city-level where available), and related session identifiers.
• Device information such as device type, operating system, browser type and version, preferred language, and screen resolution.
• Log files, error logs, and diagnostic information to ensure technical performance and security.

Payment and Financial Data

• Details relating to your deposits and withdrawals, including transaction amounts, currencies (CAD), timestamps, and methods used (e.g., Interac e-Transfer, iDebit/Instadebit, Visa, Mastercard, bank wire).
• Partial payment card details (masked), payment account identifiers, and bank account IBAN or transit numbers as required for withdrawals and compliance checks.
• Records relating to our closed-loop withdrawal policy and monthly withdrawal limits (for example, the currently applicable CAD 50,000 standard monthly withdrawal limit, unless special arrangements apply).
• Records of chargebacks, payment disputes, and AML/CTF-related payment monitoring.

Compliance, Risk and Fraud Data

• Results of Know Your Customer (KYC), Anti-Money Laundering (AML), counter-terrorist financing (CTF), and affordability checks.
• Information from publicly accessible sources, sanctions lists, politically exposed person (PEP) lists, and credit or identity verification providers, where legally permitted.
• Internal risk scores, device fingerprinting identifiers, and fraud-prevention indicators.

Marketing and Preference Data

• Preferences regarding email, SMS, push notifications, and other marketing channels.
• Responses to surveys, feedback forms, and participation in promotions.
• Data relating to your interaction with our marketing communications (e.g., email open and click rates).

Cookies and Similar Technologies

• Unique identifiers stored in cookies or similar technologies (e.g., local storage, pixels, device IDs) to recognise you between sessions and provide consistent service.
• Information related to third-party analytics and advertising cookies used, where consented, to understand how users interact with royalpanda-ca.com and to tailor marketing.

We only collect data that is necessary for the purposes set out in this Privacy Policy, and we strive to minimise data collection wherever possible in line with applicable Canadian privacy standards and recognised international best practices.

Legal Basis for Processing

We process personal data of users of Royal Panda Casino under several legal grounds recognised by applicable privacy and gambling laws. Although Canadian law does not always refer to "legal bases" in the same way as the EU GDPR, we align our practices with those principles as a matter of best practice.

• Performance of a contract: We process your personal data where it is necessary to enter into or perform our agreement with you, including:
  • Creating and managing your player account and verifying your eligibility to use our services.
  • Processing deposits, bets, and withdrawals using your chosen payment methods.
  • Providing customer support and resolving operational issues related to your account.
• Compliance with legal and regulatory obligations: We are legally required under MGA, AGCO, iGaming Ontario, and applicable Canadian law to:
  • Verify your identity and age and ensure you are located in a permitted jurisdiction.
  • Comply with KYC/AML/CTF obligations, including transaction monitoring and reporting of suspicious activities to relevant authorities.
  • Retain records for specified statutory periods for audit, tax, licensing, and regulatory reporting purposes.
  • Ensure responsible gambling measures, such as self-exclusion and limits, are effectively applied and recorded.
• Legitimate interests: Where permitted by applicable law, we process data because we have a legitimate business interest that is not overridden by your privacy rights, including:
  • Protecting the integrity and security of our platform, preventing fraud, abuse, and cheating.
  • Improving our services, user experience, and website performance through analytics and A/B testing.
  • Defending and exercising legal claims, including in relation to disputes, chargebacks, and regulatory investigations.
• Consent: In certain cases, we rely on your consent, which you may withdraw at any time:
  • Sending direct marketing communications (e.g., promotional emails or SMS) where required by law.
  • Using non-essential cookies and similar technologies for analytics and advertising.
  • Sharing data with certain advertising partners or affiliates for targeted marketing, where legally required.

Where we rely on consent and you choose not to provide or later withdraw it, this will not affect the lawfulness of prior processing but may limit certain optional features, such as personalised offers.

Purpose of Processing

We observe your interactions with Royal Panda Casino and process personal data strictly for defined purposes. These purposes are interrelated but distinct and are designed to ensure lawful, secure, and responsible provision of our services.

• Provision and operation of casino services:
  • To register and maintain your player account, including authentication and security controls.
  • To process deposits, bets, game outcomes, and withdrawals in CAD, following our closed-loop payment policies.
  • To manage bonuses, promotions, loyalty rewards, and any associated wagering or eligibility conditions.
• Regulatory compliance and responsible gambling:
  • To meet KYC/AML/CTF obligations required by MGA, AGCO, and iGaming Ontario, including monitoring transactions and reporting where required.
  • To implement responsible gambling tools, such as deposit limits, cool-offs, and self-exclusions, and to monitor play patterns for signs of gambling-related harm.
  • To respond to regulatory audits, licence conditions, and formal information requests from competent authorities.
• Security, fraud prevention, and risk management:
  • To detect and prevent fraudulent activities, misuse of bonuses, account takeovers, money laundering, and other illegal activities.
  • To protect the integrity of games and ensure fairness, including through monitoring of gameplay and technical logs.
  • To investigate and resolve security incidents and enforce our Terms & Conditions.
• Service improvement and analytics:
  • To analyse usage and performance metrics so that we can optimise website design, load times, and navigation.
  • To develop new features, games, and promotions based on aggregated player behaviour and preferences.
  • To compile statistics for internal reporting, forecasting, and business planning.
• Marketing and personalisation (where permitted):
  • To send you offers, promotions, and news about Royal Panda Casino, subject to your marketing preferences and applicable law.
  • To tailor content and promotions displayed on royalpanda-ca.com to your profile and previous interactions.
  • To measure the effectiveness of our campaigns and improve future marketing activities.
• Customer support and dispute resolution:
  • To respond to inquiries, complaints, and feedback submitted via email or our support channels.
  • To document and manage dispute resolution processes, including referrals to ADR bodies such as eCOGRA for MGA markets or iGaming Ontario dispute channels for Ontario.
  • To maintain records of communications for training, quality assurance, and legal purposes.

Disclosure & Sharing

We do not sell your personal data. We may, however, share your personal data with carefully selected third parties where this is necessary for the purposes described above, or where we are legally required to do so. We ensure that such parties are bound by appropriate confidentiality and data protection obligations.

Service Providers and Business Partners

• Payment processors and banking partners: Including providers of Interac e-Transfer, iDebit/Instadebit, Visa, Mastercard, and bank wire processing, for the purpose of handling deposits, withdrawals, and fraud prevention.
• Technology and hosting providers: Companies that host our servers, provide cloud infrastructure, content delivery networks, communications tools, and security services.
• Game providers: Third-party game studios and platform providers supplying casino content, where limited data is needed to enable gameplay, betting, and risk management.
• Verification and compliance providers: Identity verification, AML/CTF screening, geolocation, and responsible gambling service providers that support our regulatory obligations.

Group Companies and Affiliates

• Other entities within the LeoVegas Group and, where relevant, corporate functions within MGM Resorts International, for centralised risk management, compliance, internal audit, and reporting.
• Affiliate partners and marketing networks, solely where you have consented (if required by law) and where necessary to attribute traffic, measure campaigns, or manage affiliate relationships.

Regulators, Authorities, and ADR Bodies

• Regulatory bodies such as the Malta Gaming Authority (MGA), the Alcohol and Gaming Commission of Ontario (AGCO), iGaming Ontario, and other competent Canadian or international authorities, where required by law or licence conditions.
• Alternative dispute resolution (ADR) providers, including eCOGRA for MGA markets and iGaming Ontario dispute channels for Ontario players, when you raise a formal dispute that is escalated.
• Law enforcement agencies, courts, and legal advisers where disclosure is necessary for the prevention, detection, or prosecution of crimes, or for the establishment, exercise, or defence of legal claims.

Advertising and Analytics Partners

• Certain analytics and advertising partners may receive limited pseudonymous data via cookies and tracking technologies for measurement and, where you consent, targeted advertising.
• Such sharing will only occur in accordance with applicable laws and your selected cookie and marketing preferences.

Whenever we share personal data, we apply the principle of data minimisation and only provide what is necessary for the recipient to perform their function. We also employ contractual protections such as data processing agreements and, where required, appropriate transfer safeguards.

International Transfers

Royal Panda Casino serves players in Canada, but many of our systems, group entities, and service providers operate across borders. As a result, your personal data may be transferred to and processed in countries outside your province, territory, or Canada, including within the European Economic Area (EEA) and other jurisdictions.

• EU/EEA and Malta: A substantial portion of our gaming operations, including compliance, risk, and support functions, is conducted from or through entities in Malta and other EEA countries under MGA licence number MGA/CRP/237/2013.
• Other jurisdictions: Certain cloud hosting, analytics, and technical service providers may be located or may process data in non-EEA countries. These locations can change over time as we optimise our infrastructure.

When personal data is transferred internationally, we apply robust safeguards to ensure a level of protection that is consistent with applicable Canadian and international data protection standards:

• Use of standard contractual clauses (SCCs) or equivalent contractual mechanisms approved by relevant authorities where required.
• Implementation of technical and organisational measures, such as strong encryption, strict access controls, and data minimisation, to reduce risks associated with cross-border transfers.
• Regular assessment of the legal environment in destination countries and additional protective steps where necessary.

By using our services, you understand that your data may be processed in these jurisdictions. However, such processing will always be carried out in line with this Privacy Policy and our regulatory obligations.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal and regulatory requirements, and to protect our legitimate interests. Retention periods may vary depending on your province, regulatory regime, and the nature of the data.

• Player account and identity data: Typically retained for at least 5 years after account closure or after your last transaction or interaction, whichever is later, in line with AML/CTF and gaming regulations. In some cases, this period may be extended where required by applicable law or where legal claims are anticipated.
• Transaction and financial records: Retained for a minimum of 5 - 7 years from the date of the relevant transaction, depending on tax, AML, and accounting obligations.
• Responsible gambling and self-exclusion data: Retained for the duration of any active limits, cool-off, or self-exclusion period and for an additional period required by regulation to ensure effective enforcement and to demonstrate compliance.
• Technical logs and security data: Retained for security, diagnostics, and fraud-prevention purposes for periods usually ranging from 6 months to 5 years, depending on the log type and regulatory requirements.
• Marketing and preference data: Retained until you withdraw consent or object to such processing, and for a reasonable period thereafter to document your request and ensure it is respected.
• Complaints and dispute records: Retained for the duration of the complaint or dispute and for as long as necessary thereafter to comply with legal obligations or limitation periods.

When personal data is no longer required for the purposes for which it was collected and we are not legally obliged to retain it, we will take reasonable steps to securely delete, anonymise, or irreversibly de-identify it. If we are unable to fully delete or anonymise certain data (for example, because it is stored in backup archives), we will isolate it and restrict access so that it is only used for essential legal or security purposes.

Your Rights

We align our privacy practices with principles comparable to the EU General Data Protection Regulation (GDPR) and relevant Canadian privacy standards. Although GDPR and Mexican law do not directly govern all Canadian processing, we adopt many of their concepts as best practice. Accordingly, you have the following rights in relation to your personal data, subject to applicable law and certain limitations:

• Right of access: You can request confirmation of whether we process your personal data and receive a copy of such data, along with an explanation of how it is used.
• Right to rectification: You can ask us to correct inaccurate personal data and to complete incomplete data. We may request supporting documentation where appropriate (e.g., updated proof of address).
• Right to erasure (right to be forgotten): You can request deletion of your personal data where:
  • It is no longer necessary for the purposes for which it was collected; or
  • You withdraw consent (where processing was based on consent); or
  • You successfully object to processing and there are no overriding legitimate grounds.
  We may not always be able to delete data immediately due to legal retention obligations (e.g., AML or gaming regulations) but will restrict its use where deletion is not legally permissible.
• Right to restriction of processing: You can request that we temporarily limit the processing of your data, for example while we assess a rectification or objection request or where processing is unlawful and you oppose erasure.
• Right to object: You may object at any time to:
  • Processing based on our legitimate interests, on grounds relating to your particular situation; and
  • Processing for direct marketing purposes (including profiling related to such marketing). If you object to direct marketing, we will stop using your data for that purpose.
• Right to data portability: Where technically feasible and required by law, you may request a copy of certain data you have provided to us in a structured, commonly used, machine-readable format and ask that we transmit it to another service provider, where processing is based on consent or contract.
• Right to withdraw consent: Wherever we rely on your consent (for example, for marketing or non-essential cookies), you may withdraw that consent at any time. This will not affect the lawfulness of prior processing but may affect your experience (for instance, you may stop receiving promotional offers).

How to Exercise Your Rights

1. Submit your request: Contact us via [email protected] or [email protected] with a clear description of your request and sufficient information to identify your account.
2. Verification: For your security, we may ask you to confirm certain account details, provide identification, or respond from your registered email address so we can verify your identity.
3. Response time: We aim to respond to all valid requests within 30 days of receipt. If your request is complex or numerous, we may extend this period, but we will inform you of any such extension and explain the reasons.
4. Cost: We will process your request free of charge. However, where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act, as permitted by law.

Certain rights may be limited by our need to comply with gaming, AML, tax, and other regulatory requirements, or by the rights and freedoms of other individuals. Where we cannot fully comply with your request, we will explain the reasons, unless prohibited by law.

Cookies & Tracking Technologies

Royal Panda Casino uses cookies and similar technologies to ensure the proper functioning of our website, improve performance, and, where allowed, provide personalised experiences and marketing. Cookies are small text files stored on your device when you visit our site.

Types of Cookies We Use

• Strictly necessary (functional) cookies: These are essential for the operation of royalpanda-ca.com, such as enabling basic navigation, secure login, session management, and payment completion. Without these cookies, the website and games cannot function correctly.
• Preference cookies: These remember your choices (such as language, region, or layout preferences) to provide a more personalised experience.
• Analytics and performance cookies: These help us understand how visitors use the site (e.g., which pages are visited most often, whether users encounter errors) so we can improve performance and usability.
• Advertising and targeting cookies: Where permitted, these cookies track your browsing habits on royalpanda-ca.com and, in some cases, on third-party sites, to show you more relevant advertisements and to measure campaign effectiveness.
• Third-party cookies: Some cookies are set by third-party services integrated into our site (for example, analytics providers or embedded content). These third parties may process data in accordance with their own privacy policies.

Managing Cookies

• You can manage or disable cookies through your browser settings. Most browsers allow you to:
  • View which cookies are stored on your device.
  • Delete all or selected cookies.
  • Block cookies from all sites or specific domains.
• Some features of royalpanda-ca.com may not function properly if you disable certain cookies, particularly strictly necessary cookies required for login and gameplay.
• Where we provide an internal cookie or privacy settings panel, you can use it to adjust your preferences for non-essential cookies (such as analytics and advertising) at any time.

For more detailed instructions on controlling cookies, please consult your browser's help documentation. Your choices regarding cookies may affect the personalisation of our services and the relevance of marketing you receive.

Data Security

We take the security of your personal data extremely seriously. Royal Panda Casino employs a combination of technical, organisational, and administrative measures to protect information against unauthorised access, loss, misuse, alteration, or disclosure.

• Encryption in transit and at rest: Data transmitted between your device and royalpanda-ca.com is protected using industry-standard TLS (Transport Layer Security) protocols, version 1.2 or higher. We also apply strong encryption for sensitive data stored at rest.
• Access controls and authentication: We limit access to personal data to authorised personnel who need the information for their job functions. Multi-factor authentication, role-based access controls, and strict user management policies are applied where appropriate.
• Secure infrastructure: Our servers and systems are hosted in secure data centres with physical access controls, environmental protections, and robust network security measures, including firewalls, intrusion detection and prevention systems, and continuous monitoring.
• Security audits and testing: We regularly conduct internal and external security assessments, including vulnerability scans and penetration tests, to identify and address potential weaknesses. Our security practices are aligned with internationally recognised standards such as ISO 27001 and SOC 2, where applicable within the group.
• Staff training and confidentiality: Employees and contractors who handle personal data receive ongoing training on privacy, data protection, and information security. They are bound by confidentiality obligations and are subject to disciplinary measures for non-compliance.
• Incident response: We maintain incident response procedures to address potential data breaches or security incidents. In the event of a breach that may pose a significant risk to your rights and freedoms, we will notify you and relevant authorities as required by law and take steps to mitigate potential harm.

While we strive to use strong and appropriate safeguards, no system can be guaranteed to be 100% secure. You also play an important role in protecting your account: choose a unique, strong password, keep your login details confidential, and immediately inform us if you suspect unauthorised access to your account.

Complaints & Contacts

If you have questions, concerns, or complaints about how Royal Panda Casino handles your personal data, or if you wish to exercise your rights, you can contact us using the details below.

How to Contact Us

• Primary privacy contact: [email protected]
• Customer support for account-related privacy questions: [email protected]
• Press and general corporate queries (not for formal rights requests): [email protected]

Internal Complaint Procedure

1. Submit your complaint: Email us at [email protected] or [email protected] with a detailed description of your concern, any relevant account identifiers, and supporting documentation.
2. Acknowledgement: We will acknowledge receipt of your complaint as soon as reasonably possible, generally within a few business days.
3. Investigation: Your complaint will be reviewed by the appropriate team (e.g., data protection, compliance, customer support). We may contact you for additional information if required.
4. Response time: Our goal is to provide a substantive response within 30 days of receiving your complaint. If we need more time due to complexity, we will notify you and keep you informed of progress.

Escalation to Authorities and ADR Bodies

If you are not satisfied with our response or believe that we have not handled your personal data in accordance with applicable laws, you may have the right to escalate your complaint:

• Ontario players: For issues related to your gaming account and dispute handling (including privacy aspects tied to gaming disputes), you may contact iGaming Ontario via its player dispute resolution page: https://igamingontario.ca/en/player/player-disputes.
• Rest of Canada (MGA-licensed markets): You may escalate certain disputes to eCOGRA as an Approved Alternative Dispute Resolution (ADR) provider via: https://ecogra.org/forms/adr-dispute-step-1.
• Other privacy regulatory authorities: Depending on your location in Canada, you may be able to file a complaint with the Office of the Privacy Commissioner of Canada or your provincial/territorial privacy commissioner. Their contact details are publicly available on respective official websites.

We encourage you to contact us first so that we can attempt to resolve your concern directly and efficiently. However, you are free to contact a supervisory authority at any time where this right exists under applicable law.

Updates

We may update this Privacy Policy from time to time to reflect changes in our services, legal or regulatory developments, or best practices. When we make changes, we will take appropriate steps to inform you.

• Notification methods: We may notify you of material changes via:
  • Email sent to the address registered in your player account;
  • Prominent notices or banners on royalpanda-ca.com;
  • Messages or alerts within your account dashboard.
• Advance notice: For significant changes that materially affect your rights or the way we process your data, we will endeavour to provide at least 30 days' advance notice before the changes take effect, unless an earlier implementation is required by law or regulatory directive.
• Changelog: We may summarise key material changes (such as new categories of data collected, new purposes of processing, or updated sharing practices) in a dedicated section or notice.
• Your options: If you do not agree with an updated Privacy Policy, you may choose to close your account and stop using Royal Panda Casino. Continued use of our services after the effective date of an update will be deemed acceptance of the revised Privacy Policy, to the extent permitted by law.

Last updated: January 2026