1. Who we are
The controller of personal data processed through GamClaim.org is Association GAMSOL, a Swiss association. GamClaim.org, GamClaim, we, us and our refer to Association GAMSOL operating the GamClaim.org website.
Postal address: Postfach 8008 Zurich, Switzerland. The designated electronic contact route for privacy requests, support requests, legal notices and complaints is the Contact us page. Telephone support is not provided unless expressly offered for a specific service.
The operator has not published a named data protection officer, UK representative or EU/EEA representative. Privacy requests are handled by the operator through the designated contact route. If a formal representative or data protection officer is appointed or becomes legally required, the details will be published in this policy or the legal notice.
You do not need to use any specific form of words to make a privacy request. We may ask for proportionate information needed to verify identity, especially where uploaded files, financial records, sensitive data or complaint files are involved.
2. Laws this policy is designed to cover
GamClaim.org is operated from Switzerland. This policy is designed to support transparency and information duties under the Swiss Federal Act on Data Protection and its implementing rules.
Where we offer services to, monitor behaviour of, or otherwise process personal data of individuals in the United Kingdom, this policy is also designed to support compliance with the UK GDPR, Data Protection Act 2018, Privacy and Electronic Communications Regulations, and applicable amendments.
Where we offer services to, monitor behaviour of, or otherwise process personal data of individuals in the EU/EEA, this policy is also designed to support compliance with the EU GDPR where applicable.
If more than one law applies, we will apply the mandatory protection required by applicable law.
3. What GamClaim.org does
GamClaim.org provides practical information, document organisation, account tools, paid personalised reports, report-preparation support, report explanation sessions, support workflows and related digital services concerning gambling-related issues.
We do not provide legal advice, claims-management services, litigation representation, financial advice, debt advice, medical advice, therapy, crisis support, gambling treatment or emergency assistance unless expressly agreed in writing and lawfully provided.
Because of the nature of the services, users may choose to upload sensitive material such as gambling records, self-exclusion records, complaint files, SAR/export files, operator correspondence, bank records, payment records, vulnerability information, debt information and health or addiction-related information.
4. Personal data we collect
- Account and identity data: email address, name, telephone number where supplied, account status, login-token metadata, account activity, communication preferences, user ID, role, settings and authentication records.
- Order, checkout and payment data: selected service, price, currency, checkout status, Stripe or payment-provider identifiers, payment status, refund status, chargeback status, invoice records, tax records, coupon codes, affiliate or campaign attribution, order timestamps and payment-related communications. We do not store full payment-card numbers.
- Uploaded files and case data: files, screenshots, SAR/export records, gambling history, deposits, withdrawals, losses, account restrictions, operator names, operator websites, jurisdictions, complaint history, chat transcripts, emails, letters, self-exclusion records, affordability records, responsible-gambling interactions, dispute chronology, user statements, extracted data, summaries, report drafts, final reports and internal review notes.
- Consultation data: purchased time blocks, booking records, selected report sections, user questions, preferred slots, scheduled time, attendance status, rescheduling history, follow-up notes and consultation-related messages.
- Support and complaints data: support messages, attachments, refund requests, privacy requests, complaints, admin replies, AI-assisted drafts, internal notes, delivery records, audit history and status updates.
- Technical, device and security data: IP address, user agent, browser, device type, operating system, session identifiers, cookies, CSRF tokens, login attempts, hCaptcha or anti-abuse signals, rate-limit records, error logs, audit logs, security logs and fraud-prevention signals.
- Marketing and preference data: marketing consent, newsletter preferences, opt-in and withdrawal records, suppression records, referral source, campaign parameters, affiliate identifiers, page interactions and marketing communications history.
- Analytics and usage data: page visits, guide downloads, service-page views, click paths, consent status, product-funnel events, error events, approximate location derived from IP address, device/browser information and aggregated service-performance metrics.
- Vulnerability and safeguarding data: information you choose to provide, or that is reasonably inferred from your communications, about gambling harm, addiction, financial distress, debt, mental-health difficulty, disability, coercion, crisis risk, support needs, communication needs or reasonable adjustments.
- Third-party data contained in files: uploaded material may include personal data about gambling-operator employees, bank staff, family members, advisers, support workers, payment recipients, referees, counterparties or other people. You should redact unnecessary third-party data before uploading files where reasonably possible.
5. Sensitive personal data
We may process sensitive personal data because users may provide gambling-harm, addiction, health, vulnerability, financial, debt, self-exclusion, complaint and dispute material.
Under Swiss law, sensitive personal data may include data concerning health, intimate matters, social assistance measures, and administrative or criminal proceedings and sanctions. Under UK/EU data-protection law, special-category data may include health data and information from which health, addiction, disability or mental-health status may be inferred.
We process sensitive data only where necessary and proportionate for the purposes described in this policy, and where an appropriate legal basis, condition, consent or other justification applies.
For UK/EU users, possible Article 9 conditions for special-category data may include explicit consent where requested, establishment, exercise or defence of legal claims, vital interests, substantial public interest where permitted by law and supported by required safeguards, archiving/research/statistical purposes where lawful and safeguarded, or another lawful condition where clearly explained before use.
Where UK law requires an appropriate policy document for special-category or criminal-offence data, we will maintain one and keep it under review. You should not upload sensitive personal data that is irrelevant to the requested service.
6. Criminal-offence, allegation and regulatory data
Some User Material may contain allegations of fraud, unlawful gambling conduct, money laundering, regulatory breach, identity misuse, theft, deception, criminal complaint, investigation, enforcement action or sanctions.
We do not ask you to upload criminal-offence data unless it is reasonably necessary for the requested service.
Where criminal-offence or equivalent allegation data is processed, we process it only where lawful, necessary and proportionate, including where needed to provide the requested service, prevent fraud, maintain security, comply with law, or establish, exercise or defend legal rights.
7. Where we get personal data from
- You, when you use the website, create an account, upload files, buy a service, book a consultation, contact support or make a privacy request.
- Your authorised representative, such as a solicitor, adviser, support worker or family member, where you authorise them.
- Payment providers, such as Stripe, which provide payment identifiers, status and transaction information.
- Technical systems, such as hosting, security, analytics, logging, consent-management and anti-abuse tools.
- Affiliates or referral sources, where a referral link or campaign parameter is used.
- Public sources, where you direct us to them or where they are necessary for the requested service.
- Third parties whose information is contained in documents you upload.
8. Purposes and lawful bases
For Swiss users, we process personal data transparently, proportionately and for the purposes described in this policy. Where UK/EU GDPR applies, we rely on the lawful bases described below.
Account creation and login: email, login tokens, account status and security logs are processed for contract performance and legitimate interests.
Checkout and payment: order, price, currency, payment identifiers and invoice records are processed for contract performance, legal obligations and legitimate interests.
Paid reports, consultations, support, complaints, corrections, refunds, chargebacks and legal-rights defence: uploaded files, case data, extracted data, report drafts, final reports, booking records, messages, internal notes, audit trail and delivery evidence are processed for contract performance, legitimate interests, legal obligations and legal claims. Sensitive-data processing may rely on explicit consent, legal claims or another lawful condition where applicable.
Security and fraud prevention: IP addresses, device data, rate limits, audit logs, hCaptcha signals and suspicious activity are processed for legitimate interests, recognised legitimate interests where applicable, legal obligations, substantial public interest or legal claims where relevant.
Service improvement, quality control, research and benchmarking: workflow data, error logs, support records and anonymised or aggregated learnings are processed for legitimate interests, consent where required, research bases where applicable, and safeguards for sensitive or identifiable data.
AI-assisted extraction and drafting: uploaded readable text, report context, support context, prompts and outputs are processed for contract performance, legitimate interests and consent where required. Sensitive data may rely on explicit consent, legal claims or another lawful condition where applicable.
Analytics, marketing, affiliate attribution and harm-reduction referral: analytics uses consent where required or legitimate interests for low-risk permitted analytics where lawful; marketing uses consent, soft opt-in or legitimate interests where lawful; affiliate attribution uses limited referral/order data; harm-reduction referral uses consent, vital interests or another lawful basis where applicable.
We do not use sensitive gambling, health, addiction, debt or vulnerability data for marketing without explicit consent.
9. Where data is required
Some personal data is required to create an account, provide a service, process a payment, deliver a report, secure the website, respond to requests or comply with law.
If you do not provide required data, we may be unable to provide the relevant service, verify your identity, process payment, prepare a report, deliver an output, respond to a request or comply with legal duties.
Optional data, such as additional background detail, vulnerability information, marketing consent or referral preferences, is not required unless clearly stated.
You may use the service without consenting to non-essential analytics or direct marketing.
10. AI and automated tools
We may use AI Tools and software tools to assist with text extraction, file classification, document organisation, summarisation, translation, issue spotting, draft report sections, internal quality control, support triage, security and abuse detection, and service improvement.
AI Tools may process uploaded readable text, account context, support context, report context, prompts, outputs and review notes where necessary for the requested service or another purpose described in this policy.
We will not knowingly use identifiable User Material to train third-party general AI models unless you have expressly opted in, the use is clearly explained before the processing, and applicable law permits the processing.
We use reasonable contractual, technical and organisational measures to restrict AI providers from using identifiable User Material for their own model-training purposes unless this has been expressly permitted.
We may retain prompts, outputs and review notes where needed for service delivery, audit, quality control, safety, correction, dispute handling, legal protection or evidence of service delivery.
AI outputs can be incomplete, inaccurate or misleading. We use AI as a support tool and do not treat AI output as final legal, financial, medical or therapeutic advice.
We do not make final legally binding, financial, medical, therapeutic or similarly significant decisions about users solely by automated processing.
If we introduce solely automated decisions that have legal or similarly significant effects, we will update this policy and provide information about the logic involved, significance, consequences and available safeguards, including human review.
We will assess AI-supported processing for data-protection risk and carry out a data protection impact assessment where required.
11. Anonymised, aggregated and de-identified data
We may create anonymised, aggregated or de-identified learnings from uploaded files, outcomes, settlement patterns, operator behaviour, user updates, service use, support history and report workflows.
We may use this non-identifying information for internal analysis, service improvement, product development, operator-behaviour intelligence, research, benchmarking, risk management and commercial planning.
We will not knowingly attempt to re-identify anonymised data except to test anonymisation controls, investigate misuse, comply with law or protect legal rights.
Where a dataset is small or unusual, we will apply additional controls before using or sharing aggregated insights.
Pseudonymised data is still personal data. Where data can still be linked to an individual, this policy applies.
12. Cookies and similar technologies
We use cookies, scripts, pixels, local storage, session identifiers and similar technologies.
Essential technologies are necessary for login, session management, CSRF protection, checkout, consent state, security, fraud prevention, account access and core website functions.
Security technologies help us detect bots, abuse, rate-limit breaches, suspicious access, malicious uploads and unauthorised activity.
Analytics technologies may be used to understand how users use the website, improve service pages, detect errors and measure performance. We will obtain consent where required. Where law permits low-risk statistical cookies or similar technologies without consent, we will provide clear information and a simple objection route.
We will not use non-essential marketing pixels, behavioural advertising cookies or cross-site tracking technologies unless we have consent or another lawful basis clearly explained to you.
If you arrive through a referral link, affiliate link or campaign link, we may record referral parameters to calculate attribution, prevent fraud and manage partner payments. We will not share sensitive case details with affiliates unless you have consented or another lawful basis applies.
You can manage non-essential cookies through available cookie controls and through your browser settings.
13. Direct marketing
We may send transactional emails about accounts, login links, purchases, service delivery, consultations, support, privacy requests, legal notices, security and refunds. These are not marketing emails.
We will send newsletters, promotions, service updates or marketing emails only where we have consent or another lawful basis.
You may withdraw marketing consent or unsubscribe at any time using the unsubscribe link, account settings where available, or the designated contact route.
We may keep a suppression record to ensure that we do not send marketing to people who have opted out.
We do not use sensitive gambling, health, addiction, debt or vulnerability data for marketing profiling without explicit consent.
14. Who we share personal data with
- Payment providers, including Stripe or another provider shown at checkout, for payment, refund, fraud-prevention, dispute and chargeback processing. Payment providers may act as independent controllers for some payment processing.
- Hosting, cloud, database, storage, backup, content-delivery, monitoring and infrastructure providers needed to operate the website and services.
- Email, transactional-message, support-ticket and notification providers that process contact details, messages and delivery metadata.
- Operational software providers such as database, spreadsheet, CRM, project-management, scheduling, support and workflow systems that may process working copies or operational data.
- AI and automation providers that may process prompts, outputs, uploaded readable text or contextual information where configured and necessary for the service.
- Security, logging, bot-detection, hCaptcha, fraud-prevention, rate-limiting, malware-scanning and audit providers that process technical and security data.
- Analytics providers that may process usage data, device/browser data, approximate location and event data where configured and lawful.
- Professional advisers, including lawyers, accountants, auditors, insurers, tax advisers, security advisers and other professional advisers, where needed for advice, compliance, audit, insurance, disputes or legal rights.
- Courts, regulators, tax authorities, law-enforcement authorities, public bodies or dispute bodies where required or permitted by law.
- User-authorised recipients, including solicitors, advisers, support workers, family members, representatives or other people where you authorise us to do so.
- Gambling-blocking, harm-reduction, debt, mental-health or emergency-support providers only where you consent, where necessary to protect vital interests, where required by law, or where another lawful basis applies.
- Affiliates and referral partners only for limited attribution data unless you consent or another lawful basis applies. We will not share report content, uploaded files, sensitive case details or vulnerability information with affiliates without an appropriate basis.
- A successor or replacement operator if GamClaim.org or Association GAMSOL is reorganised, merged, transferred or replaced, subject to confidentiality, security and applicable data-protection safeguards.
15. International transfers
We may process or make personal data accessible in Switzerland, the United Kingdom, the EEA, the United States and other countries where our providers, support systems, infrastructure, payment systems, AI tools or security tools operate.
Where Swiss law applies, we transfer personal data abroad only where the destination country provides adequate protection, suitable safeguards apply, a recognised exception applies, or another legally recognised transfer mechanism is available.
Where UK GDPR applies, restricted transfers are covered by UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU SCCs, other appropriate safeguards, or a lawful exception.
Where EU GDPR applies, restricted transfers are covered by an adequacy decision, EU standard contractual clauses, other appropriate safeguards, or a lawful derogation.
Where data is transferred to or accessed from a country without adequate protection, we will assess whether supplementary technical, contractual or organisational measures are required.
You may request information about transfer safeguards relevant to your personal data through the designated contact route. We may redact commercially sensitive or security-sensitive information.
16. Retention
We keep personal data only for as long as reasonably necessary for the purposes described in this policy, including service delivery, account management, security, accounting, tax, complaints, refunds, chargebacks, legal defence, audit and compliance.
The default retention periods below apply unless a shorter or longer period is required by law, security, dispute, fraud, tax, accounting, limitation, investigation or user-request reasons.
We may retain data longer where necessary for legal claims, fraud prevention, regulatory enquiries, tax/accounting obligations, unresolved disputes, chargebacks, security incidents or preservation obligations. Swiss accounting records may need to be retained for 10 years.
When data is no longer required, we will delete, anonymise, aggregate or securely archive it. Deletion from active systems may not immediately remove data from backups. Backup copies are protected and overwritten according to backup schedules.
- Account data: while the account exists, then normally 2 years after closure or last activity.
- Login-token and session metadata: normally 90 days to 12 months, unless needed for security investigation.
- Security, rate-limit and access logs: normally 12 to 24 months; longer for incidents or abuse investigations.
- Order, invoice, payment and tax records: normally 10 years where required for Swiss accounting or tax purposes.
- Stripe/payment identifiers and refund records: normally 6 to 10 years, depending on accounting, chargeback and legal requirements.
- Raw uploaded files: normally until service completion plus 18 months, unless longer retention is needed for updates, dispute handling, legal defence or compliance.
- Extracted report data and working notes: normally 6 years after final delivery or last substantive contact.
- Final reports and delivery records: normally 6 years after delivery; longer where required for legal defence or compliance.
- Consultation records: normally 3 years after the consultation; longer if linked to a complaint, dispute or legal record.
- Support tickets and complaint records: normally 3 to 6 years after closure.
- Privacy requests and responses: normally 6 years after closure.
- Consent and withdrawal records: for as long as needed to evidence consent and normally 6 years after the relevant processing ends.
- Marketing data: until withdrawal, then suppression data retained as needed to respect opt-out.
- Affiliate attribution records: normally 2 to 6 years, depending on payment, fraud and accounting needs.
- Analytics data: normally 14 to 26 months unless aggregated or anonymised earlier.
- Backups: normally overwritten or deleted within 30 to 180 days.
- Anonymised data: may be retained indefinitely if it no longer identifies an individual.
17. Data subject rights
Depending on applicable law and the circumstances, you may have rights to be informed about how your data is used, request access, request correction, request deletion, request restriction, object to processing, withdraw consent, request data portability, complain to a supervisory authority, receive information about automated decision-making, and request human review where a relevant automated decision exists.
Where we rely on legitimate interests or carry out direct marketing, you may object to processing. Direct marketing objections will be honoured unless we are legally entitled to continue a limited suppression record.
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect processing already carried out before withdrawal.
You may make a request through the designated contact route, by post to Postfach 8008 Zurich, Switzerland, or from your account if you have one. You do not need to use any specific wording. If your request is unclear, we may ask you to clarify it.
We may ask for information needed to verify your identity, especially where uploaded files, financial records, sensitive data or complaint files are involved.
We will respond within the legal deadline. For UK/EU requests, this is usually one month, subject to permitted extensions or stop-the-clock rules where clarification or identity verification is required.
We may refuse, limit or defer a request where permitted by law, including where necessary to protect another person, preserve evidence, prevent fraud, protect security, maintain legal privilege, comply with law, or establish, exercise or defend legal claims. If we refuse or limit a request, we will explain why unless legally prevented from doing so.
18. Privacy complaints
You may complain about how we use personal data through the designated contact route or by post to Postfach 8008 Zurich, Switzerland.
We will acknowledge data-protection complaints within 30 days where UK data-protection complaint rules apply, and otherwise within a reasonable period.
We will take appropriate steps to investigate privacy complaints without undue delay, keep you informed where the complaint cannot be resolved promptly, and tell you the outcome without undue delay.
Privacy complaints are separate from service complaints, refund requests and legal disputes, although the same facts may be relevant to more than one process.
19. Supervisory authorities
If Swiss data-protection law applies, you may contact the Federal Data Protection and Information Commissioner.
If UK data-protection law applies, you may contact the Information Commissioner's Office.
If EU/EEA data-protection law applies, you may contact the supervisory authority in the EU/EEA country where you live, work, or where you believe an infringement occurred.
We encourage you to contact us first so we can assess and respond to your concern, but you are not required to do so before contacting a supervisory authority.
20. Security
We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, disclosure or destruction.
These measures may include HTTPS and encryption in transit, encryption at rest where appropriate, access controls, role-based permissions, administrator authentication controls, session protection, CSRF protection, hCaptcha or bot controls on selected forms, upload validation and malware-risk controls, hashed tokens, restricted admin routes, security headers, audit logs, rate limits, least-privilege access, processor due diligence, confidentiality obligations, backup controls, incident-response procedures and periodic review of access rights.
No internet service is risk-free. You must protect your email account, devices, passwords, login links and uploaded files.
You should contact us promptly if you suspect unauthorised access, account compromise, accidental disclosure or misuse.
21. Personal data breaches
We maintain procedures to assess and respond to personal data breaches.
Where Swiss law requires notification to the FDPIC, we will notify the FDPIC as soon as possible.
Where UK GDPR requires notification to the ICO, we will notify the ICO without undue delay and, where feasible, within 72 hours after becoming aware of the breach.
Where EU GDPR requires notification to an EU supervisory authority, we will notify the relevant authority in accordance with applicable law.
We will inform affected individuals where required by law, where necessary to protect them, or where a supervisory authority requires us to do so.
We keep internal records of data-security incidents and breach assessments.
22. Children
GamClaim.org is not intended for children. Users must be at least 18 years old.
We do not knowingly provide paid services to children. If we discover that we have collected personal data from a child without appropriate legal basis, we will delete it or take other appropriate steps.
23. Vulnerable users and urgent risk
GamClaim.org users may be affected by gambling harm, addiction, mental-health difficulties, debt, distress or other vulnerability.
You may tell us if you need reasonable adjustments, a slower process, accessible communication, support-person involvement or a pause in communications.
We may process limited vulnerability information to provide reasonable adjustments, avoid harm, manage communication, protect vital interests, prevent misuse, or provide appropriate signposting.
We are not an emergency, medical, mental-health, debt or crisis service. If you are in immediate danger, at risk of self-harm, or experiencing a medical or mental-health emergency, you should contact emergency services or an appropriate crisis-support organisation in your country.
24. Third-party websites and services
The website may link to third-party websites, tools, payment pages, support services, gambling-blocking providers, harm-reduction resources, regulators, ombudsmen or professional advisers.
Third-party services have their own privacy policies and terms. We are not responsible for third-party privacy practices unless we are legally responsible for the relevant processing.
25. Operational privacy safeguards
- We maintain documented purposes for sensitive-data processing and review lawful bases and special-category conditions where UK/EU GDPR applies.
- We use explicit consent wording for optional sensitive uploads where appropriate and assess legal-claims bases where complaint or dispute material is processed.
- We restrict sensitive-data access to personnel or contractors who need access and apply confidentiality obligations, audit logs, retention controls and secure deletion controls.
- We maintain controls against using sensitive data for marketing without explicit consent and against identifiable AI model training without express opt-in.
- We apply small-sample re-identification controls before using or sharing aggregated data.
- We maintain privacy request, identity-verification, deadline-tracking, secure-delivery, third-party-authority, refusal/exemption and breach-escalation workflows.
26. Changes to this policy
We may update this policy to reflect legal, operational, security, AI, vendor, service or technical changes.
The latest version published on GamClaim.org applies from the stated update date unless mandatory law requires otherwise.
Where changes are material and affect registered users or paid services, we will take reasonable steps to notify affected users.
We will keep previous versions where reasonably necessary for audit and legal purposes.