Privacy Policy
This Privacy Policy explains how north-star-bets at https://north-star-bets-ca.com collects, uses, discloses, and protects personal information of players and site visitors in Canada.
It applies to account holders, prospective users, and visitors who interact with our website, apps, customer support, or marketing communications.
We publish this policy to meet Canadian privacy and gaming regulations and to help you make informed choices about your data. Effective date: October 1, 2025.
Who We Are
Operator: NorthStar Gaming Holdings Inc. (publicly listed on the TSX Venture Exchange, ticker "BET"). Headquarters: 220 King Street West, Toronto, Ontario, Canada.
Licences: (i) Ontario: Alcohol and Gaming Commission of Ontario (AGCO) / iGaming Ontario (iGO), licence no. OPIG1226485 (active, as of October 2025); (ii) Canada (outside Ontario): Kahnawake Gaming Commission, licence no. 00930, held under Conseil des Abénakis de Wôlinak (active, as of October 2025).
Contact: +1-855-218-7827; support@north-star-bets-ca.com; vipsupport@north-star-bets-ca.com. Privacy inquiries: please write "Privacy" in the subject line to support@north-star-bets-ca.com or mail to the address above, Attn: Privacy Office (Data Protection).
What Personal Data We Collect
We collect only what is necessary for lawful gaming operations, regulatory compliance, and service delivery.
- Identity and contact: full name, date of birth, address, email, phone, government ID/KYC data.
- Account and usage: username, preferences, communication history, responsible gaming settings.
- Technical: IP address, device and browser data, OS, language, referral URLs, session logs, crash diagnostics.
- Payment and verification: payment instrument details (tokenized where possible), deposits/withdrawals, verification snapshots, chargeback records.
- Behavioral and transactional: betting and gameplay history, stakes, outcomes, bonuses, clickstream and interaction metadata.
- Risk and compliance: sanctions/PEP screening results, fraud signals, AML monitoring outputs.
- Cookies and similar tech: session and persistent cookies, SDKs, pixels, local storage, as detailed in Cookies & Tracking.
Some data is provided by you; some is generated by systems (logs, analytics); some may be obtained from service providers for KYC/AML and fraud prevention.
We do not knowingly collect data from individuals under the legal gambling age (19 in Ontario; 18/19 elsewhere as applicable). Accounts for underage persons are closed and data is deleted or retained only as legally required.
Legal Basis for Processing
In Canada, we follow PIPEDA's fair information principles and applicable provincial and gaming/AML laws.
- Consent: for activities such as marketing communications, non-essential cookies, and optional features. You may withdraw consent at any time.
- Contractual necessity: to create and operate your account, provide games and sportsbook services, process payments, and deliver support.
- Legal obligations: to meet KYC/AML duties under the PCMLTFA/FINTRAC rules, AGCO/iGO and KGC requirements, tax and recordkeeping laws, and sanctions screening.
- Legitimate interests (reasonableness test under PIPEDA): fraud detection, platform security, service analytics and improvement, and safeguarding our users, where such interests are proportionate and privacy-protective.
We may use automated tools to detect fraud, bonus abuse, self-exclusion conflicts, or AML risks; human review is applied for material effects.
Where consent is required, we seek it in clear language and provide manageable choices; where required by law or contract, processing may proceed without consent.
Purpose of Processing
We use personal information to run a compliant, secure, and user-centered gaming service.
- Service delivery: account setup, geolocation, age/identity verification, game access, payments, customer support.
- Regulatory compliance: KYC/AML screening, reporting to regulators/FINTRAC, responsible gaming tools and monitoring.
- Security and fraud prevention: authentication, access controls, risk scoring, incident detection.
- Analytics and improvement: performance measurement, A/B testing, error diagnostics, product development.
- Marketing (with consent): offers, promotions, and service updates via email/SMS/push, with opt-out options.
We minimize data use and apply purpose limitation; secondary use occurs only if compatible, consented, or required by law.
We document purposes before or at collection and update notices when purposes change materially.
Disclosure & Sharing
We share data strictly on a need-to-know basis under contracts imposing confidentiality, security, and lawful-use limits.
- Payment and KYC/AML partners: processors, banks, identity and sanctions-screening vendors.
- Technology providers: platform and content vendors (including Playtech PLC as platform provider and Kambi as sportsbook technology provider), hosting/CDN, analytics, customer support tools.
- Marketing partners (with consent): email/SMS providers, affiliated marketing partners, and Torstar Corporation for permitted marketing services.
- Regulators and authorities: AGCO/iGO, KGC, FINTRAC, tax authorities, law enforcement or courts when required or permitted by law.
- Corporate transactions: in a merger, acquisition, financing, or sale of assets, subject to statutory safeguards.
We do not sell personal information. We may disclose aggregated or de-identified data that cannot reasonably identify you.
All disclosures are recorded and reviewed for compliance with PIPEDA and gaming/AML rules.
International Transfers
Some service providers process data in Canada and other countries (e.g., EEA, UK, US).
- Safeguards: data processing agreements; EU Standard Contractual Clauses (and UK IDTA/Addendum) for EEA/UK transfers; technical and organizational measures; transfer impact assessments where appropriate.
- Canada adequacy: Organizations subject to PIPEDA benefit from the EU's adequacy decision (limited scope) for certain commercial processing.
- US transfers: where applicable, vendors may participate in the EU-U.S. Data Privacy Framework or we rely on SCCs plus supplementary measures.
Cross-border processing may expose data to foreign laws and lawful access requests; we assess and mitigate these risks.
You may contact us for a copy of relevant transfer safeguards (subject to confidentiality).
Data Retention
We keep personal information only as long as necessary for stated purposes or as required by law.
- Account and identity (KYC) records: typically 5 years after account closure (PCMLTFA/FINTRAC), unless longer required for legal claims.
- Transactions, bets, payouts: typically 6 years from the end of the relevant tax year (tax/accounting laws).
- Compliance reports (e.g., AML): at least 5 years or as prescribed by law.
- Customer support communications: 2-3 years after resolution, or longer if needed for disputes.
- Marketing data: until consent is withdrawn or after defined inactivity thresholds.
- Cookies/analytics: per cookie type and browser settings (see Cookies & Tracking).
Deletion or anonymization occurs on schedule or upon valid request, subject to legal holds.
When deletion is not immediately feasible, we securely archive and restrict access until destruction.
Your Rights
We comply with PIPEDA and align with international standards to facilitate user rights.
- Access and explanation: obtain a copy of your personal information and how it is used/disclosed.
- Correction/rectification: request updates to inaccurate or incomplete data.
- Deletion/cancellation: request deletion where permitted; certain records must be retained by law (e.g., AML, transactional).
- Restriction/objection: object to certain processing (e.g., marketing) or request limits where appropriate.
- Portability: where technically feasible, receive data in a commonly used format.
- Withdraw consent: opt out of marketing or non-essential cookies at any time without affecting core services.
- Automated decisions: request human review for decisions with significant effects (e.g., fraud flags).
GDPR rights for users in the EEA/UK and ARCO rights in Mexico (LFPDPPP: Access, Rectification, Cancellation, Opposition) will be respected where applicable, subject to legal limitations and service availability. Our primary legal framework is Canadian law.
To exercise rights, email support@north-star-bets-ca.com with "Privacy Request" and your registered email/phone. We verify identity and respond within 30 days (free of charge for standard requests; reasonable fees may apply for excessive or manifestly unfounded requests).
Cookies & Tracking Technologies
We use cookies and similar tech to operate and improve our services.
- Session cookies: essential authentication and security; expire on browser close.
- Persistent cookies: preferences, remembering settings, and performance; fixed lifetimes (e.g., 30-365 days).
- Third-party cookies/SDKs: analytics, fraud prevention, and, with consent, advertising/attribution.
Purposes include functionality, analytics (traffic, performance), security/abuse prevention, and consent-based marketing.
Manage cookies via browser settings and our on-site cookie controls (where available). Disabling essential cookies may impair site functionality.
Data Security
We implement layered security controls to protect confidentiality, integrity, and availability.
- Encryption: TLS 1.2+ in transit; strong encryption for sensitive data at rest; modern cipher suites.
- Access controls: MFA for privileged access, role-based access, least privilege, session timeouts, secure key management.
- Monitoring and testing: logging, SIEM, vulnerability scanning, regular penetration tests, vendor risk assessments.
- Governance: policies aligned with ISO/IEC 27001 and SOC 2 controls where applicable; secure SDLC; change management.
- Workforce: background checks as permitted, security and privacy training, confidentiality obligations.
- Incident response: triage, containment, notification consistent with Canadian breach reporting obligations (PIPEDA), post-incident review.
We evaluate suppliers' security posture and bind them by contract to adequate safeguards.
No system is perfectly secure; we continuously improve controls and promptly address identified risks.
Complaints & Contacts
We aim to resolve privacy concerns quickly and transparently.
- Contact us: support@north-star-bets-ca.com (subject line "Privacy Complaint"), +1-855-218-7827, or mail: Privacy Office, NorthStar Gaming Holdings Inc., 220 King Street West, Toronto, Ontario, Canada.
- Our process: we acknowledge within 5 business days, investigate, and respond with findings and actions within 30 days.
- Escalation in Canada: If unresolved, you may contact the Office of the Privacy Commissioner of Canada (OPC): https://www.priv.gc.ca, 1-800-282-1376, 30 Victoria Street, Gatineau, QC K1A 1H3.
EEA/UK users may contact their local data protection authority: see the EDPB list at https://edpb.europa.eu/about-edpb/board/members_en. Mexico users may contact the INAI via https://www.inai.org.mx.
For gaming-specific concerns, Ontario users may also consult AGCO/iGO guidance; however, privacy oversight remains with the OPC (and provincial authorities where applicable).
Updates
We may update this policy to reflect legal, technical, or business changes.
- Notification: material changes notified at least 30 days in advance via email (where possible), account dashboard alerts, or a site banner.
- Version control: the top of this page shows the effective date. Last updated: October 2025.
- Your options: if you object to material changes, you may adjust preferences or close your account before the changes take effect; we will honor accrued legal obligations.
- Changelog (summary): clarified licences and regulators; expanded international transfer safeguards; refined retention timelines; added rights alignment for EEA/UK and Mexico.
We maintain internal records of prior versions for accountability.
Continued use after the effective date means you accept the updated terms to the extent permitted by law.