1. Introduction
BetFlow Payments Ltd ("BetFlow", "we", "us", or "our") is a payment gateway service provider specialising in the sports betting and iGaming industry. We are incorporated and registered in Malta under company registration number C 98412, with our registered office at Level 3, Quantum House, 75 Abate Rigord Street, Ta' Xbiex XBX 1120, Malta.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you interact with our payment processing services, visit our website, or otherwise engage with BetFlow. This policy applies to all individuals whose data we process, including sportsbook operators, their players and end users, business contacts, and website visitors.
We are committed to processing personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Malta Data Protection Act (Cap. 586), and all other applicable data protection legislation. By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of our services immediately.
2. Information We Collect
We collect and process several categories of personal data depending on your relationship with BetFlow and the services you use. The types of information we collect include personal identification data, financial and transaction data, technical and device data, and communications data.
Personal identification data includes your full name, date of birth, nationality, government-issued identification numbers, email address, phone number, and residential or business address. For sportsbook operators, we also collect company registration details, beneficial ownership information, and details of key management personnel. This information is necessary for regulatory compliance, including Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations.
Financial and transaction data encompasses bank account details, payment card information (processed in PCI DSS-compliant environments), transaction histories, deposit and withdrawal records, betting account balances, and settlement information. We process this data to facilitate payment transactions between players and sportsbook operators, and to fulfil our obligations as a licensed payment service provider.
Technical and device data includes IP addresses, browser type and version, operating system, device identifiers, geolocation data, referring URLs, and session information. We collect this data automatically through cookies and similar tracking technologies when you visit our website or interact with our payment pages. This data is used for fraud prevention, security monitoring, and service optimisation.
Communications data covers records of correspondence between you and BetFlow, including emails, support tickets, chat transcripts, telephone call recordings (where notified), and any feedback or survey responses you provide.
3. How We Use Your Information
We use your personal data for a variety of purposes, all of which are grounded in a lawful basis for processing under the GDPR. Our primary use of your data is to facilitate payment processing for sports betting transactions, including deposits, withdrawals, refunds, and chargebacks between players and licensed sportsbook operators.
We also use your information for regulatory compliance and legal obligations, including identity verification (KYC), anti-money laundering (AML) screening, sanctions list checking, politically exposed persons (PEP) screening, and reporting to regulatory authorities such as the Malta Gaming Authority (MGA) and the Financial Intelligence Analysis Unit (FIAU). These obligations are non-negotiable and form a core part of our operations as a regulated payment service provider in the iGaming sector.
Your data is further used for fraud prevention and security purposes, including transaction monitoring, pattern analysis, velocity checks, device fingerprinting, and behavioural analytics. We employ sophisticated fraud detection systems that analyse transactions in real time to identify potentially fraudulent or suspicious activity, protecting both operators and their players.
Additionally, we process personal data for service improvement and analytics, including analysing transaction success rates, optimising payment routing, improving user experience on our hosted payment pages, and generating anonymised and aggregated statistical reports for our operator clients. We may also use your contact information to communicate with you about service updates, security notices, policy changes, and, where you have opted in, marketing communications about new features and products.
4. Legal Basis for Processing
Under the GDPR, we must have a valid legal basis for processing your personal data. Depending on the specific processing activity, we rely on one or more of the following lawful bases:
Performance of a contract (Article 6(1)(b) GDPR): We process personal data where it is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This applies to the processing of operator account data, transaction data, and settlement information necessary to provide our payment gateway services under our merchant services agreements.
Legal obligation (Article 6(1)(c) GDPR): We process certain personal data where it is necessary for compliance with a legal obligation to which we are subject. This includes KYC and AML obligations under the Prevention of Money Laundering Act (Cap. 373 of the Laws of Malta), the 4th and 5th Anti-Money Laundering Directives (EU 2015/849 and EU 2018/843), PCI DSS compliance requirements, and tax reporting obligations.
Legitimate interests (Article 6(1)(f) GDPR): We process personal data where it is necessary for our legitimate interests or the legitimate interests of a third party, provided that such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include fraud prevention and detection, network and information security, service optimisation, and business analytics. We conduct legitimate interest assessments (LIAs) for all processing activities that rely on this basis.
Consent (Article 6(1)(a) GDPR): In limited circumstances, we may process your personal data based on your freely given, specific, informed, and unambiguous consent. This applies primarily to marketing communications and the use of non-essential cookies. Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.
5. Data Sharing & Third Parties
We share your personal data with third parties only where necessary for the purposes described in this policy, and subject to appropriate contractual and security safeguards. We do not sell your personal data to any third party.
We share data with acquiring banks and payment processors who process card transactions and bank transfers on our behalf. These entities act as independent data controllers in respect of certain processing activities and are subject to their own regulatory obligations, including PCI DSS compliance. Our acquiring partners include licensed financial institutions within the European Economic Area (EEA) and, where necessary for multi-currency processing, in other regulated jurisdictions.
We share data with regulatory and law enforcement authorities as required by law, including the Malta Gaming Authority (MGA), the Financial Intelligence Analysis Unit (FIAU), card scheme networks (Visa, Mastercard), and other competent authorities. Such disclosures may include transaction records, KYC documentation, and suspicious activity reports (SARs). We cannot notify you of such disclosures where doing so would constitute tipping off under applicable anti-money laundering legislation.
We engage third-party service providers who process data on our behalf as data processors under Article 28 GDPR. These include cloud hosting providers, identity verification services, fraud detection platforms, customer support tools, and analytics providers. All data processors are bound by data processing agreements (DPAs) that require them to process personal data only on our documented instructions and to implement appropriate technical and organisational security measures.
We may also share data with sportsbook operators who are our clients, to the extent necessary for them to manage their player relationships, settle transactions, handle disputes, and meet their own regulatory obligations. Operators receive transaction data, settlement reports, and fraud alerts relevant to their players through our merchant portal and API.
6. International Data Transfers
As a Malta-based company operating within the European Economic Area (EEA), we primarily store and process personal data within the EEA. However, certain processing activities may involve the transfer of personal data to countries outside the EEA that may not provide an equivalent level of data protection.
Where we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards include transfers to countries that have been granted an adequacy decision by the European Commission under Article 45 GDPR, meaning the Commission has determined that the country ensures an adequate level of data protection. For transfers to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) GDPR, supplemented by transfer impact assessments (TIAs) where required.
In specific cases, we may rely on derogations under Article 49 GDPR, including where the transfer is necessary for the performance of a contract between you and BetFlow, or where the transfer is necessary for the establishment, exercise, or defence of legal claims. We regularly review our international data transfer mechanisms to ensure ongoing compliance with evolving regulatory requirements, including the guidance issued by the European Data Protection Board (EDPB).
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law and regulation. Our retention periods vary depending on the category of data and the legal basis for processing.
Transaction records and financial data are retained for a minimum of five (5) years from the date of the transaction, in accordance with the Prevention of Money Laundering Act (Cap. 373) and applicable anti-money laundering regulations. This retention period may be extended to ten (10) years where required by specific regulatory directives or ongoing investigations. Card payment data subject to PCI DSS requirements is retained in accordance with PCI DSS standards, with full card numbers never stored post-authorisation.
KYC and identity verification records are retained for a minimum of five (5) years following the termination of the business relationship with the relevant operator or the last transaction involving the relevant player, whichever is later. This is in line with the requirements of the 4th and 5th Anti-Money Laundering Directives and the FIAU Implementing Procedures.
Technical and device data, including server logs and access records, are generally retained for twelve (12) months unless a longer retention period is required for fraud investigation or legal proceedings. Marketing and communications data is retained for the duration of the business relationship plus two (2) years, or until consent is withdrawn, whichever occurs first. Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised.
8. Your Rights
Under the GDPR, you have a number of rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exceptions as provided by law.
Right of access (Article 15 GDPR): You have the right to obtain confirmation as to whether we are processing your personal data and, where that is the case, to request access to your personal data together with supplementary information about the processing. We will provide a copy of your personal data free of charge, although we may charge a reasonable administrative fee for additional copies or manifestly unfounded or excessive requests.
Right to rectification (Article 16 GDPR): You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.
Right to erasure (Article 17 GDPR): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (and there is no other legal basis), or where the data has been unlawfully processed. Please note that this right does not apply where processing is necessary for compliance with a legal obligation, such as AML record-keeping requirements.
Right to restriction of processing (Article 18 GDPR): You have the right to request the restriction of processing in certain circumstances, including where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate interests.
Right to data portability (Article 20 GDPR): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
Right to object (Article 21 GDPR): You have the right to object to processing based on legitimate interests, including profiling, and to processing for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing without exception.
To exercise any of these rights, please contact our Data Protection Officer using the details provided in Section 11 below. We will respond to your request within one (1) month of receipt, and this period may be extended by a further two months where necessary, taking into account the complexity and number of requests.
9. Cookies & Tracking
Our website and hosted payment pages use cookies and similar tracking technologies to enhance your experience, ensure security, and analyse usage patterns. A cookie is a small text file placed on your device that allows us to recognise your device and store certain information about your preferences and interactions.
We use strictly necessary cookies that are essential for the operation of our website and payment pages, including session management, security tokens, and load balancing. These cookies cannot be disabled as they are required for our services to function correctly. We also use analytics and performance cookies to collect anonymised data about how visitors use our website, enabling us to improve site performance and user experience.
For comprehensive details about the specific cookies we use, their purposes, and how to manage your cookie preferences, please refer to our dedicated Cookie Policy available at betflow.io/legal/cookies. You can manage your cookie preferences at any time through your browser settings or through the cookie consent mechanism displayed on our website.
10. Children's Privacy
Our services are not directed at, and we do not knowingly collect personal data from, individuals under the age of eighteen (18). Sports betting is an age-restricted activity, and our payment processing services are designed exclusively for use by adults of legal gambling age in their respective jurisdictions.
The sportsbook operators who use our payment gateway are contractually required to implement robust age verification measures and to ensure that their services are not accessible to minors. If we become aware that we have inadvertently collected personal data from a person under 18, we will take immediate steps to delete such data from our systems and notify the relevant operator.
If you are a parent or guardian and believe that your child has provided personal data to us through a sportsbook operator's platform, please contact us immediately using the details in Section 11 below, and we will take prompt action to investigate and delete the data.
11. Contact & DPO Information
BetFlow Payments Ltd has appointed a Data Protection Officer (DPO) in accordance with Article 37 of the GDPR. Our DPO is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection laws.
You may contact our Data Protection Officer for any questions, concerns, or requests relating to this Privacy Policy or our processing of your personal data using the following details:
Data Protection Officer
BetFlow Payments Ltd
Level 3, Quantum House
75 Abate Rigord Street
Ta' Xbiex XBX 1120, Malta
Email: dpo@betflow.io
If you are unsatisfied with our response to a data protection concern, you have the right to lodge a complaint with the Office of the Information and Data Protection Commissioner (IDPC) in Malta, which is the supervisory authority responsible for data protection in Malta. The IDPC can be contacted at idpc.org.mt. You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
This Privacy Policy was last updated on January 15, 2026 and will be reviewed at least annually to ensure it remains accurate and up to date. We will notify you of any material changes to this policy by posting the updated version on our website and, where appropriate, by email.