burger icon
Pinnacle Casino Canada
Log In

Privacy Policy

OBSERVE: This Privacy Policy explains how pinnacle-casino-canada, available at https://pinnacle-ca-play.com, collects, uses, discloses, stores, and protects personal information of players and site visitors in Canada.

EXPAND: It applies to account holders, prospective players, and any visitor interacting with our services, including cookies and support channels. If you access the Ontario-regulated site (pinnacle.ca), a different policy governed by AGCO/iGaming Ontario applies.

REFLECT: Effective date: 01 November 2025. By using our services, you acknowledge this Policy and, where required, provide consent consistent with Canadian law (including PIPEDA and provincial requirements such as Quebec Law 25).

Who We Are

OBSERVE: Operator identity and contacts are needed for accountability and rights exercise.

EXPAND: The online brand pinnacle-casino-canada (pinnacle-ca-play.com) is operated for Canadian players (outside Ontario) by the following corporate entities for gaming and payment processing.

REFLECT: Details and contacts are provided to meet PIPEDA and provincial obligations (including identifying the person in charge in Quebec).

  • Operator: Ragnarok Corporation N.V., Registration No. 79358, Curaçao. Online gaming licence: OGL/2023/105/0084 (Gaming Control Board of Curaçao).
  • Payment services (as applicable): Impyrial Holdings Ltd (Gibraltar) acting as a payments facilitator for Ragnarok Corporation N.V.
  • Ontario note: Ontario players must use pinnacle.ca (AGCO/iGO regulated) under a separate privacy framework.
  • Data Protection Officer (DPO) / Person in charge of personal information (Quebec): Data Protection Officer, Ragnarok Corporation N.V. Email: [email protected]. Postal: Data Protection Officer, c/o Ragnarok Corporation N.V., Curaçao (Registration No. 79358). We provide phone support upon request via email.

What Personal Data We Collect

OBSERVE: We minimize collection to what is necessary for lawful gaming, compliance, security, and support.

EXPAND: Categories reflect PIPEDA necessity, FINTRAC AML/KYC rules, and operational needs.

REFLECT: We clearly outline sources, types, and examples below.

  • Identity and contact data: Full name, date of birth, address, email, phone, nationality, government ID/KYC documents, selfies/biometrics for liveness/verification (where permitted by law).
  • Account and behavioral data: Username, preferences, responsible gaming settings, self-exclusion, session durations, game interactions, betting history, wins/losses, bonus usage, clicks/navigation paths.
  • Technical and usage data: IP address, device identifiers, OS/browser, language, time zone, referrers, log files, fraud/abuse indicators.
  • Financial and transactional data: Deposits, withdrawals, payment instrument type (last four digits where applicable), billing address, transaction IDs, currency, chargebacks, AML flags. We do not store full card PANs; processing follows PCI DSS through vetted providers.
  • Communications: Support tickets, live chat, email correspondence, call notes, complaints, surveys.
  • Cookies and similar technologies: Session and persistent cookies, local storage, pixels, SDKs for functionality, analytics, and (with consent) advertising.
  • Inferences/automated signals: Risk scores, fraud probabilities, bonus abuse indicators, and AML profiles generated by our systems and vendors.

Legal Basis for Processing

OBSERVE: Canadian privacy law (PIPEDA) requires appropriate purposes and consent; AML/KYC have statutory bases.

EXPAND: We align with PIPEDA principles, FINTRAC obligations, and provincial rules (e.g., Quebec Law 25 - transparency and governance).

REFLECT: Our primary legal grounds are:

  • Consent: Marketing emails/SMS/push; non-essential cookies/ads; certain optional profiling; identity verification methods where consent is required by law. Consent may be withdrawn at any time (CASL-compliant).
  • Contractual necessity: To create and manage your account, verify eligibility, provide games, process payments, pay winnings, and deliver support.
  • Legitimate interests: Fraud prevention, platform security, service analytics, service improvements, and enforcement of terms-balanced against your reasonable expectations and privacy.
  • Legal obligations: KYC/AML under the PCMLTFA and FINTRAC guidance (e.g., identity verification, transaction monitoring, record-keeping, reporting), responsible gambling duties, tax and regulatory reporting, and responding to lawful requests.

Purpose of Processing

OBSERVE: We state clear, limited purposes.

EXPAND: Purposes map to service delivery, compliance, security, and user choice.

REFLECT: We use your data to:

  • Operate accounts, verify age/identity, enable gameplay, process deposits/withdrawals, pay winnings.
  • Provide support, resolve complaints and disputes, and manage responsible gaming tools and self-exclusion.
  • Prevent, detect, and investigate fraud, chargebacks, money laundering, bonus abuse, and security incidents.
  • Improve performance and usability, conduct analytics and A/B testing using aggregated/ pseudonymized data where possible.
  • Send service notifications and (with consent) marketing communications; personalize content and offers.
  • Comply with audits, regulatory reporting, and record-keeping requirements.

Disclosure & Sharing

OBSERVE: Sharing is limited, proportionate, and governed by contracts.

EXPAND: We perform vendor due diligence and require confidentiality, security, and use-limitations.

REFLECT: We may disclose data to:

  • Payment and banking partners: Card processors, e-wallets, banks for deposits/withdrawals and fraud/chargeback handling.
  • KYC/AML and risk vendors: Identity verification, sanctions/PEP screening, fraud/risk scoring, device fingerprinting.
  • Technology and security providers: Hosting, DDoS/CDN, analytics, logging/monitoring, SIEM, customer support platforms.
  • Marketing and affiliates: Email/SMS providers, affiliate tracking, and ad networks only with applicable consents and opt-out controls.
  • Regulators and authorities: FINTRAC, law enforcement, courts, gaming regulators (e.g., AGCO/iGO for Ontario-related inquiries if applicable), tax authorities, as required by law.
  • Corporate transactions: In connection with merger, acquisition, financing, or sale, subject to confidentiality and notice as required.
  • Aggregated/anonymized data: Non-identifiable insights for reporting and product improvement.

International Transfers

OBSERVE: Cross-border transfers require adequate safeguards and transparency.

EXPAND: Data may be processed in Canada, Curaçao, Gibraltar, the EEA/UK, and the United States (cloud/services). Quebec and other provinces may require transfer assessments and contractual protections.

REFLECT: We implement:

  • Contractual safeguards: Standard Contractual Clauses (EU), UK IDTA/Addendum, and PIPEDA-compliant agreements ensuring comparable protection and limited use.
  • Transfer impact assessments: For high-risk transfers (including Quebec Law 25), assessing legal environment and vendor practices.
  • Technical measures: Encryption in transit and at rest, access controls, and minimization/pseudonymization where feasible.
  • Transparency: You can request a summary of applicable safeguards for your data.

Data Retention

OBSERVE: Retention must be no longer than necessary, subject to legal requirements.

EXPAND: AML and audit laws often require multi-year retention after account closure.

REFLECT: Typical periods (unless longer required by law or for disputes):

  • Account and identity/KYC records: 7 years after the later of account closure or last transaction.
  • Transaction and AML records: 7 years from record creation.
  • Support communications and complaints: 3 years after resolution.
  • Responsible gambling/self-exclusion: Duration of exclusion plus 5 years (or regulator-required period).
  • Technical logs and device data: 24 months (shorter where feasible).
  • Marketing preferences and consent logs: For as long as marketing is active, and for 24 months after last activity or until consent is withdrawn (whichever is sooner).
  • Cookies: Session cookies: during session; persistent cookies: typically 3-24 months (see cookie settings panel).

Upon expiry, we delete or irreversibly anonymize data unless retention is needed for legal claims, investigations, or regulatory duties.

Your Rights

OBSERVE: We respect rights under Canadian law and, where relevant, comparable rights under other regimes.

EXPAND: Under PIPEDA and provincial laws (including Quebec Law 25), you have robust access, correction, and consent controls. CASL governs marketing consent. For EEA/UK users, GDPR-equivalent rights are honored if applicable; for Mexico, ARCO rights apply.

REFLECT: You can exercise the following:

  • Access: Obtain confirmation and a copy of your personal information and a list of disclosures.
  • Correction: Update inaccurate or incomplete data.
  • Deletion: Request deletion where no longer necessary, where consent is withdrawn and no other legal basis exists, or where required by law (subject to AML/legal holds).
  • Restriction/Objection: Restrict or object to processing for legitimate interests or marketing. You can opt out of marketing at any time.
  • Portability: Where technically feasible and applicable (e.g., Quebec Law 25, GDPR contexts), receive data you provided in a structured, commonly used, machine-readable format.
  • Automated decisions: Request meaningful information about automated decisions that significantly affect you (e.g., fraud/AML), and contest decisions where permitted by law.
  • Marketing consent withdrawal (CASL): Use unsubscribe links, in-account settings, or contact us to stop marketing without affecting service messages.
  • Mexico (LFPDPPP) ARCO rights: Access, Rectification, Cancellation, and Opposition-available to data subjects interacting with our services from Mexico. We will verify identity and respond per statutory timelines.

How to exercise: Email [email protected] with your request and sufficient identity details. Response time: within 30 days; we may extend once with notice where permitted. Requests are free of charge unless manifestly unfounded or excessive. Certain requests may be denied or partially fulfilled due to legal/AML obligations, security, or third-party rights.

Cookies & Tracking Technologies

OBSERVE: Cookies support core functionality and optional analytics/ads.

EXPAND: We separate necessary from non-essential cookies and provide controls aligned with Canadian guidance and Quebec Law 25.

REFLECT: Types and controls:

  • Session cookies: Essential for login, security, and transactions; expire when you close your browser.
  • Persistent cookies: Remember preferences, maintain sessions, and support performance; typical lifespan 3-24 months.
  • Third-party cookies/SDKs: Analytics (e.g., performance metrics) and, with consent, advertising/retargeting.
  • Purposes: Functional (site operation), analytics (service improvement), advertising (personalized offers with consent).
  • Controls: Manage via our cookie banner/preferences panel and your browser settings (blocking, deleting, or limiting cookies). Blocking essential cookies may impact service functionality.

Data Security

OBSERVE: Security safeguards must be commensurate with sensitivity and risk.

EXPAND: We apply layered, defense-in-depth controls, vetted vendors, and ongoing assurance.

REFLECT: Key measures include:

  • Encryption: TLS 1.2+ in transit; strong encryption (e.g., AES-256) at rest for key stores and sensitive datasets.
  • Access controls: Role-based access, least privilege, MFA for administrators, privileged access monitoring, and periodic access reviews.
  • Secure development and testing: SDLC with code reviews, SAST/DAST, dependency scanning, and regular penetration testing.
  • Operational security: Firewalls/WAF, DDoS protection, IDS/IPS, SIEM with alerting, backup/restore testing, and change management.
  • Vendor management: Security and privacy due diligence, contractual safeguards, and ongoing monitoring.
  • Training and awareness: Staff privacy/security training, phishing simulations, and confidentiality obligations.
  • Standards alignment: Controls aligned with ISO/IEC 27001 and SOC 2 principles; PCI DSS maintained by payment partners.
  • Incident response and breach notification: 24/7 monitoring and defined playbooks. Where a breach creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada (and relevant provincial authorities, e.g., Quebec CAI) as soon as feasible and in accordance with applicable law.

Complaints & Contacts

OBSERVE: Clear complaint channels support accountability and dispute resolution.

EXPAND: We provide staged escalation, timelines, and supervisory authority contacts.

REFLECT: How to complain:

  1. Contact us first: Email [email protected] with details and supporting evidence. We acknowledge within 5 business days and aim to resolve within 30 days.
  2. Escalation: If unresolved, request escalation to the DPO. We will conduct a further review and respond within 30 days.
  3. Supervisory authorities (Canada): Office of the Privacy Commissioner of Canada (OPC) - https://www.priv.gc.ca; Quebec: Commission d'accès à l'information - https://www.cai.gouv.qc.ca; British Columbia: OIPC - https://www.oipc.bc.ca; Alberta: OIPC - https://www.oipc.ab.ca.
  4. EEA/UK (if applicable): You may lodge a complaint with your local supervisory authority.
  5. Mexico (if applicable): Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) - https://home.inai.org.mx.

Additional contact options: You may also use in-account messaging (Help/Contact) where available. Postal: Data Protection Officer, c/o Ragnarok Corporation N.V., Curaçao (Registration No. 79358). We can arrange a telephone call upon request.

Updates

OBSERVE: Policies evolve with services and law.

EXPAND: We commit to transparent versioning and notice periods for significant changes.

REFLECT: Update process and notice:

  • Notification methods: Email notices (where we have your email), in-account alerts, and website banner on https://pinnacle-ca-play.com.
  • Advance notice: For material changes (e.g., new processing purposes, new categories of data, new international transfers), we provide at least 30 days' advance notice where feasible.
  • Your options: You may object to changes that materially affect your rights or close your account. Continued use after the effective date constitutes acceptance of the updated Policy.
  • Version control: Last updated: November 2025. We maintain a changelog summarizing material changes upon request.

If any part of this Policy conflicts with mandatory law or regulator-imposed terms, the latter will prevail to the extent of the conflict.