Privacy Policy
Effective date: 6 November 2025.
This Privacy Policy explains how Sesame on https://sesamerz.com collects, uses, stores, and shares personal data. It applies to (i) website visitors and (ii) individuals who attempt to register for or use our gambling-related content and services. It provides transparency about our processing, explains your rights, and is intended to meet applicable data protection laws and industry standards.
We provide content for a UK audience, while the operator identified in our source information, Sesame Online EOOD, is based in Bulgaria and is not licensed by the UK Gambling Commission. Because of this, we state clearly who the controller is, how international transfers are safeguarded, and where complaints can be directed. This document separates (a) our data protection obligations from (b) the gambling-regulatory limitations that affect UK users.
Who We Are
The available profile data identifies the operator as Sesame Online EOOD, headquartered in Sofia, Bulgaria, but does not include a full street address, postal code, company registration number, tax number, or direct email/phone contacts. UK GDPR requires the controller's identity and contact details (and DPO contact details where applicable) to be provided. We do not state unverified information; instead we list what is verified, provide a functional contact route via the website, direct users to authoritative references, and will supply any missing statutory details upon verified request.
- Data Controller (operator): Sesame Online EOOD (legal entity type: EOOD).
- Headquarters: Sofia, Bulgaria (street address and postal code not specified in the provided source data).
- Registration details: Company registration number and tax identification number are not specified in the provided source data.
- Licensing (for context): Licensed in Bulgaria by the National Revenue Agency (NRA) for:
  - Online Betting (licence no. 000030-5837, active as last verified Feb 2025);
  - Casino Games (licence no. 000030-8233, active as last verified Feb 2025).
How to contact our Data Protection function
No DPO or data protection email/phone is included in the source data. Until a dedicated DPO address is published, privacy requests can be submitted through the website and routed by post via the headquarters city.
- Privacy requests (web): Submit a request via https://sesamerz.com (use the site's support/contact route available at the time of submission).
- Postal routing (controller): Sesame Online EOOD, Sofia, Bulgaria (full address to be provided on request once verified internally).
- Regulator reference (Bulgaria): National Revenue Agency (NRA) contacts: https://nra.bg/wps/portal/nra/contacts.
What Personal Data We Collect
We process data from visitors to sesamerz.com and, where account creation or service access is attempted, the data needed to provide services and comply with the KYC/AML requirements typical of gambling operations. The categories below include verification documents and the behavioural data used for responsible-gambling and fraud-detection purposes.
- Identity & contact data: full name, date of birth (where required), username, email address, telephone number, and correspondence with support.
- Verification (KYC) data: copies/records of identity documents, proof of address, age verification results, source-of-funds/source-of-wealth information where required by AML controls.
- Financial & payment data: deposit/withdrawal amounts, transaction references, payment method tokens/identifiers, and bank/payment provider metadata. We do not store full card numbers in plain form; card details are handled by regulated payment processors.
- Technical data: IP address, device identifiers, browser type/version, operating system, time zone, language, referral URLs, crash logs, and server logs.
- Usage & behavioural data: pages viewed, clicks, session duration, feature usage, betting/game history, timestamps, bonus usage, and interaction patterns that may indicate fraud, collusion, or harmful gambling.
- Location data: approximate location derived from IP and/or device signals to enforce geo-restrictions and prevent prohibited-jurisdiction access.
- Cookie and similar technology data: identifiers set by first-party and third-party cookies, SDKs, pixels, and local storage (see "Cookies & Tracking Technologies").
Legal Basis for Processing
UK GDPR requires a lawful basis for each processing purpose. Some processing is necessary to provide services or to comply with law (KYC/AML, fraud prevention, safer gambling); other processing, notably marketing and advertising cookies, requires your consent. The bases below are mapped to the corresponding gambling operations.
- Contract (UK GDPR Art. 6(1)(b)): to create and manage accounts, provide access to services, process deposits/withdrawals, apply bonuses under applicable terms, provide customer support, and enforce site rules.
- Legal obligation (Art. 6(1)(c)): to comply with applicable gambling, accounting, and anti-money laundering/counter-terrorist financing obligations (e.g., KYC checks, record keeping, regulatory reporting where applicable).
- Legitimate interests (Art. 6(1)(f)): to prevent fraud and abuse, protect the security of systems, maintain service integrity, perform limited analytics to improve performance, and defend/bring legal claims. Where we rely on legitimate interests, we balance these against your rights and expectations.
- Consent (Art. 6(1)(a)): for optional marketing communications and non-essential cookies/advertising technologies. You may withdraw consent at any time (see "Your Rights").
Purpose of Processing
Each purpose below is specific and aligned with the data categories listed above. Gambling operations require additional purposes such as age/KYC checks, geo-blocking, risk management, and dispute handling. Essential processing is listed separately from optional processing.
- Provide and operate services: account creation, identity checks, customer support, gameplay access, deposits/withdrawals, bonus administration, and service communications.
- Compliance and risk management: KYC/AML controls, safer-gambling risk controls (where applicable), geo-restriction enforcement, and audit logging.
- Security and fraud prevention: detecting suspicious activity, preventing account takeover, collusion, bonus abuse, and payment fraud.
- Service improvement and analytics: understanding usage, fixing bugs, performance monitoring, and improving user experience.
- Marketing (where permitted and with consent when required): promotional emails/SMS/push notifications, personalised offers, and advertising measurement.
- Legal and dispute handling: responding to complaints, managing disputes, and establishing/exercising/defending legal claims.
Disclosure & Sharing
Data sharing is common in gambling ecosystems (payment providers, KYC vendors, hosting, analytics and, where consent applies, advertising partners). Because the operator is not UK-licensed, nothing in this section implies UK Gambling Commission protections; disclosures to regulators take place in the operator's licensing jurisdiction (Bulgaria). The recipient categories, the reasons for sharing, and the controls applied are listed below.
- Payment partners and financial service providers: to process deposits/withdrawals, handle chargebacks, and conduct fraud screening.
- Identity verification and AML/KYC providers: to verify identity/age/address, screen sanctions/PEP lists, and meet compliance obligations.
- IT and infrastructure providers: hosting, content delivery networks, customer support platforms, email delivery services, security tooling, and log management.
- Analytics providers: to measure performance and improve services. Where analytics involve non-essential cookies or similar tech, we ask for consent.
- Advertising networks and affiliates (consent-based where required): to attribute referrals and measure campaigns. We will not place non-essential advertising cookies without an appropriate consent signal.
- Regulators and public authorities: where required by law, court order, or regulatory request. For the operator's primary licensing jurisdiction, the relevant authority is the Bulgarian NRA (see: https://nra.bg).
- Corporate transactions: if a merger, acquisition, reorganisation, or asset sale occurs, data may be shared under confidentiality and minimisation controls.
International Transfers
The operator is based in Bulgaria (EEA), users may be in the UK, and service providers may be located anywhere in the world. UK GDPR requires safeguards for transfers of personal data outside the UK. Depending on the destination, UK adequacy regulations (which cover the EEA) or contractual safeguards (the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses) apply. The former EU-US Privacy Shield is not a valid transfer mechanism under the UK or EU regimes and we do not rely on it. The regions where data may be processed and the safeguards we apply are described below.
- Where data may be processed: United Kingdom; European Economic Area (including Bulgaria); and, where vendors are located, other jurisdictions such as the United States or other countries where our service providers operate.
- Safeguards for restricted transfers:
  - Adequacy arrangements: where the destination is recognised by the UK as providing an adequate level of protection (e.g., EEA).
  - Contractual measures: the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses, as appropriate.
  - Risk-based supplementary measures: encryption in transit and at rest, access controls, and vendor security due diligence.
- Access limitations for UK users: The official operator site https://sesame.bg is reported to use strict geo-blocking for UK IPs (checked Jan 2025). Attempting to circumvent geo-restrictions may result in account action under operator rules; this may involve processing location and security data to enforce restrictions.
Data Retention
Retention is limited to what is necessary, subject to the mandatory recordkeeping gambling operators have for AML, payments, and disputes. Exact statutory periods vary by jurisdiction, so the periods below are baselines that may be extended (for example, for ongoing investigations or legal claims). Deletion triggers are stated after the list.
- Account and core profile data: kept for the life of the account and typically up to 5 years after account closure, unless a longer period is required to comply with legal obligations or to establish/defend legal claims.
- KYC/AML and verification records: typically retained for 5 years after the end of the customer relationship (or longer where legally required or where an investigation is ongoing).
- Payment and transaction records: typically retained for 5 - 7 years (to meet accounting, audit, chargeback, and fraud-prevention needs).
- Technical logs and security records: typically retained from 90 days to 12 months, extended where needed for security investigations or incident response.
- Marketing preferences and consent records: retained while marketing is active and for up to 5 years to evidence consent/withdrawal and compliance.
Deletion criteria: We delete or anonymise data when (i) the purpose expires, (ii) the retention period ends, (iii) you validly request erasure and no exemption applies, or (iv) the processing is unlawful. Some data cannot be erased immediately because of legal obligations (for example, AML record keeping).
Your Rights
UK users are protected by UK GDPR and the Data Protection Act 2018, and those rights are set out first below. Mexican law (the Ley Federal de Protección de Datos Personales en Posesión de los Particulares, LFPDPPP) generally applies only where a service is established in Mexico or targets individuals in Mexico. A clearly labelled Mexico note is included as supplementary information on ARCO rights for readers located there; it does not mean that Mexican law governs this service.
Your UK GDPR rights
- Right of access: obtain confirmation of processing and a copy of your personal data.
- Right to rectification: correct inaccurate or incomplete personal data.
- Right to erasure: request deletion of your data where processing is no longer necessary or otherwise unlawful (subject to legal/AML recordkeeping and other exemptions).
- Right to restrict processing: ask us to suspend processing in certain circumstances (e.g., contested accuracy).
- Right to object: object to processing based on legitimate interests; object at any time to direct marketing.
- Right to data portability: receive certain data you provided in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible.
- Right to withdraw consent: where we rely on consent (e.g., optional marketing and non-essential cookies), you can withdraw it at any time without affecting prior lawful processing.
How to exercise your rights (procedure and timeframes)
- Submit a request: use the privacy contact route on https://sesamerz.com. Clearly state the right you want to exercise and provide enough information for us to locate your account/records.
- Identity verification: we may request additional information to verify your identity (to prevent unauthorised disclosure). We will only request what is proportionate for verification.
- Response timeframe: we will respond within one month of receipt (the UK GDPR statutory period). Where a request is complex or we receive a number of requests from you, we may extend this by up to two further months, and we will tell you within the first month if an extension is needed and why.
- Fees: requests are generally handled free of charge. We may charge a reasonable fee or refuse requests only where permitted by law (e.g., manifestly unfounded or excessive requests), and we will explain our decision.
Mexico (informational alignment only, where relevant)
If you reside in Mexico, Mexico's private-sector regime (LFPDPPP) recognises ARCO rights (Acceso, Rectificación, Cancelación, Oposición) and consent principles. If you believe the LFPDPPP applies to your situation, you may request ARCO-style rights through the contact procedure above; we will evaluate applicability and respond accordingly.
Cookies & Tracking Technologies
For UK users, cookies and similar technologies are governed by the Privacy and Electronic Communications Regulations (PECR) and UK GDPR. Non-essential cookies (analytics/advertising) require consent; strictly necessary cookies can be set without consent but must be explained. Cookies are categorised by purpose below, followed by the control options available to you.
- Strictly necessary (functional) cookies: enable core site functions such as security, load balancing, session management, and preference storage. These are required for the site to operate properly.
- Analytics cookies: help us understand how visitors use the site (e.g., pages viewed, errors, performance). These are used to improve services and are set only where the required consent is obtained.
- Advertising/targeting cookies: used to measure campaigns, limit repeated ads, and - where enabled - support personalised marketing. These require consent.
- Session cookies: temporary cookies that expire when you close your browser.
- Persistent cookies: remain on your device for a defined period or until deleted.
- Third-party cookies/trackers: set by service providers (e.g., analytics or advertising partners) acting as separate controllers or processors depending on the tool.
Managing cookies
- Cookie banner/settings: use the cookie consent controls presented on sesamerz.com to accept, reject, or customise non-essential cookies.
- Browser controls: you can delete or block cookies via your browser settings; note that blocking strictly necessary cookies may impair site functionality.
- Device controls: on some devices, you can reset advertising identifiers or limit ad tracking in system settings.
Data Security
Identity, financial, and behavioural data held by a gambling operator carry elevated risk, and UK GDPR requires appropriate technical and organisational measures. The controls below cover encryption, access governance, auditing, incident response, and staff training. Where a standard or certification is not confirmed in the source data, it is qualified with "where applicable".
- Encryption in transit: TLS 1.2 or later protects data transmitted between your device and our servers.
- Encryption at rest: sensitive data is protected using encryption and key-management controls appropriate to risk.
- Access controls: role-based access, least-privilege principles, logging/monitoring of administrative access, and periodic access reviews.
- Authentication protections: multi-factor authentication (MFA) for privileged accounts and security hardening against credential stuffing and account takeover.
- Secure development & testing: vulnerability management, patching routines, and change control to reduce introduction of security flaws.
- Security audits: regular internal reviews and, where applicable, third-party assessments. Where adopted, controls may align with frameworks such as ISO/IEC 27001 or SOC 2; specific certification status is not provided in the source data.
- Staff training: privacy and security awareness training, including handling of identity/financial data and phishing resistance.
- Incident response: documented procedures to detect, respond to, and recover from security incidents, including assessment of whether notification to individuals and/or regulators is required within legal timeframes.
Complaints & Contacts
UK GDPR requires that you be informed of your right to complain to a supervisory authority. For UK users this is the Information Commissioner's Office (ICO); the Bulgarian Commission for Personal Data Protection is relevant to the controller's EEA establishment; and Mexico's INAI is relevant only where Mexican law applies to your situation. Gambling disputes are not privacy complaints and follow a separate route via the Bulgarian NRA, listed at the end of this section. The privacy complaint process and escalation options follow.
Contact us first (privacy)
- Submit your complaint/request: use the privacy contact route available on https://sesamerz.com and include: your username (if any), the issue, relevant dates, and what outcome you seek.
- Verification (if needed): we may request proportionate information to confirm identity.
- Acknowledgement: we aim to acknowledge within 7 days.
- Substantive response: we aim to respond within one month, and will notify you if a lawful extension (of up to two further months for complex or numerous requests) is required.
Escalation to data protection authorities
- United Kingdom (ICO): Information Commissioner's Office - https://ico.org.uk (complaints: https://ico.org.uk/make-a-complaint).
- Bulgaria (CPDP): Commission for Personal Data Protection - https://www.cpdp.bg (authority relevant to the controller's jurisdiction).
- Mexico (INAI): Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales - https://home.inai.org.mx (where Mexican law applies to your situation).
- EU/EEA authorities (where applicable): You may also contact your local EEA supervisory authority; directory: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Gambling/regulatory dispute route (not a privacy authority)
The Bulgarian NRA is the dispute resolution body for players under the operator's licensing regime. UKGC and IBAS routes do not apply because the operator is not UKGC-licensed. For non-privacy disputes involving the operator's licensed activities, the contact route is:
- Bulgarian NRA contact page: https://nra.bg/wps/portal/nra/contacts (authority site: https://nra.bg).
Updates
We keep this policy current and notify users of material changes. The policy carries a "Last updated" date and a changelog, and significant changes receive at least 30 days' advance notice so that you can stop using the services if you disagree with them.
Last updated: November 2025.
How we will notify you
- Email notice: where we have your email and the change is material.
- Website banner: prominent notice on sesamerz.com for material changes.
- Account/dashboard alert: where an account area exists and you are logged in.
Advance notice for significant changes
For significant changes (for example, new purposes of processing, new categories of recipients, or material changes to international transfer safeguards), we will provide at least 30 days' advance notice where reasonably possible. If you object to the updated terms, you should stop using Sesame on sesamerz.com and may request account closure (subject to retention obligations described above).
Changelog (material changes)
- November 2025: Initial publication for Sesame on sesamerz.com; added UK-facing disclosures on geo-restrictions, international transfers safeguards (UK IDTA/Addendum), and clarified complaint escalation routes (ICO/CPDP/INAI) based on user location and applicability.