Privacy Notice for Online Sports Betting of ODDSET Sportwetten GmbH

V 1.0 valid from 01 March 2023

1. General information

1.1 Introduction

ODDSET Sportwetten GmbH attaches particular importance to the protection of your personal data. In this Privacy Policy, we wish to inform you of whether and how the information and data you entrust us with is collected, processed, stored and protected. Compliance with applicable law, especially the General Data Protection Regulation (GDPR), is our top priority.

1.2 Terminology

Personal data means any information relating to the personal and factual circumstances of an identified or identifiable natural person. This includes information such as first and last name, address, telephone number and dates of birth. It may also include a copy of your identity card or financial information.

1.3 Data controller

As the operator of the website https://sports.oddset.de in relation to ODDSET sports betting, ODDSET Sportwetten GmbH (ODDSET GmbH), registered offices at Konrad-Zuse-Platz 12, D-81829 Munich, is the data controller within the meaning of the GDPR.

1.4 Service providers

We engage Entain Operations Limited ("Entain") to operate this website and customer service. Entain acts as one of our sub-processors. We have carefully selected and regularly monitor our service providers, in particular the careful handling and safeguarding of data stored by any these providers. Our service providers have been obligated to us to maintain confidentiality and to comply with legal requirements. If ODDSET GmbH forwards your personal data to other third parties, it is ensured that these third parties comply with the applicable data protection standards.

1.5 Compliance with legal regulations

The collection, processing and storage of your personal data is carried out in accordance with the provisions of the European GDPR and any other national laws that may apply.

1.6 Use of the services provided on the website

Continued use of the ODDSET GmbH services after the publication of this Privacy Policy shall be deemed to be a confirmation that you are aware of and have understood this Privacy Policy.

1.7 Changes to the Privacy Policy

The provisions in this Privacy Policy may be subject to change from time to time, in particular due to changes in case law, the adoption of new laws or changes in the offers, of which you will be informed by us making the updated Privacy Policy available at sports.oddset.de In addition, it is recommended to regularly read the Privacy Policy.

1.8 Obligation to provide personal data

You must provide all personal data required for the establishment and implementation of a business relationship and for the performance of the associated contractual obligations, or which ODDSET GmbH is legally obliged to process. In the various forms and functions, such personal data are marked with an *. Please note that if you do not provide such personal data, ODDSET GmbH will not be able to enter into or perform a contract with you. In this case, the online offers (see section 2 “How, for what purposes and with whom does ODDSET GmbH collect your data, incl. information on the legal basis") cannot be used.

2. How, for what purposes and with whom does ODDSET GmbH collect your data, incl. information on the legal basis

When you use the website and the services provided via the website, ODDSET GmbH collects the following data about you:

2.1 Technical access data (log files)

Each time you access the website, certain information is automatically transmitted by your internet browser and stored by ODDSET GmbH in so-called log files. The log files are stored to identify malfunctions and for security reasons (e.g. to clarify attempted attacks) and will be deleted as once they are no longer required for this purpose. Log files may in individual cases  be forwarded to investigating authorities for evidentiary purposes.

Log files may contain the following data in particular:

• Origin of the IP address
• Access time and date
• Device type
• Websites visited
• Languages used
• Customer’s location
• Roaming tracking
• Software crash reports
• Browser used

The processing of this access data is necessary to enable you to use our online services and to ensure the permanent functionality and security of the systems. Access data will also be stored temporarily in internal log files for the purposes described above, in order to compile statistical information on the use of the services, to further develop the services with regard to the visitors’ usage habits and for the purpose of general administrative maintenance. The legal basis is Art. 6 (1) 1b) GDPR.

The information stored in the log files does not allow any direct conclusions about you – in particular, IP addresses are only stored in an abbreviated, anonymised form.

2.2 How to contact us

You have various options for contacting ODDSET GmbH. This includes contacting customer service via email, telephone or the live chat function on the website.

The following personal data is collected in this context: Last name, first name, customer number, email address, telephone number (if applicable), the reason for you contacting us, your message and, if applicable, documents that you send to customer service. The legal basis is Art. 6 (1) 1b) and c) GDPR.

When you contact us, your request will be identified and all necessary data will be logged for subsequent forwarding to the responsible contact person at ODDSET GmbH, if necessary.

2.3 Consent to direct marketing measures

As part of the registration process, you have the option of signing up for some or all of the marketing channels mentioned there for receiving offers, freebets or bonus bets. Once settings have been made, they can be changed, or consent to direct advertising once given can be revoked, both at any time and without giving reasons. These changes or a revocation of consent have no effect on the provision of our online sports betting offers otherwise.

Through direct advertising, you will receive sports betting offers such as FreeBets or bonus bets from ODDSET GmbH at regular intervals and to the extent permitted by gambling law.

2.4 Subscription to the email newsletter

You have the option of ordering the ODDSET GmbH email newsletter, in which you will be regularly informed about the betting programmes, online and offline product innovations as well as promotions, bonus campaigns and participation in sweepstakes. The data collected is only used to send the newsletter and to document your consent, and is stored for this purpose exclusively.

ODDSET GmbH uses the so-called double opt-in procedure for ordering the email newsletter, i.e. you will only be sent the newsletter by email if you have given your consent to this, e.g. during registration. The storage of this data only serves the purpose of sending you the newsletter and of being able to prove that you have opted in. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. A message to the contact details given above or in the newsletter (e.g. by email or letter) naturally also is sufficient for this purpose. The legal basis for this processing is your consent in accordance with Art. 6 (1) a) GDPR.

In order to send newsletters, ODDSET GmbH processes your email address, your first name and, if applicable, your last name as well as other data that you have optionally provided. This data is required for sending the newsletter and is used for this purpose exclusively.

 2.5 Participation in sweepstakes

You have the option of participating in sweepstakes via the ODDSET GmbH services. For this purpose, ODDSET GmbH collects and processes your name, address and contact data as well as content data such as text entries, photographs, videos and analysed results of tests and surveys that are relevant for determining the winners, for the purpose of conducting the sweepstakes and, if applicable, for the purpose of sending the prizes.

If the sweepstakes take place within an online platform or a social network (e.g. Facebook), the terms of use and privacy provisions of the respective platform or social network shall also apply. Please note that in such cases ODDSET GmbH is responsible for the participants’ personal data disclosed in the context of the participation in the sweepstakes. Therefore, please direct any enquiries regarding the sweepstakes directly to ODDSET GmbH.

The legal basis is Art. 6 (1) 1b) GDPR. The participant data collected will be deleted as soon as the sweepstakes have ended and the data is no longer required to notify the winners or to answer inquiries about the sweepstakes.

2.6 Registration and login; resending username and password

Participation in the online sports betting offers requires prior registration in the system. You can register for this in a separate user area on the sports.oddset.de website. The information you provide as part of the registration process is required to create and manage your customer account and to fulfil legal identification obligations. In addition, ODDSET GmbH processes the data provided for fraud prevention and for the functionality of the login area.

You must provide all personal data required to set up a player account, to place ODDSET sports bets and for the performance of the associated contractual obligations, or which ODDSET GmbH is legally obliged to process. In the various forms and functions, such personal data are marked with an *. Please note that if you do not provide such personal data, ODDSET GmbH will not be able to enter into or perform a contract with you. In this case, the online offers or the other services (see “Purposes of processing and legal bases”) cannot be used.

If you wish to participate (again) in ODDSET GmbH online sports betting offers after having registered and set up your player account, this is done via the log-in button.

The following data is collected and processed during registration and login:

• IP address of the device from which the website is accessed;
• Internet address of the website from which the ODDSET GmbH website was accessed (so-called URL of origin or referrer URL);
• Name of the service provider through whom the website is accessed;
• Name of the retrieved files or information;
• Date and time as well as duration of the retrieval;
• Volume of data transferred;
• Operating system and information on the internet browser used, including installed add-ons (e.g. for Flash Player);
• http status code (e.g. "request successful" or "requested file not found").
• Data required to set up the player account, fulfil customer identification obligations, combat fraud, troubleshoot or maintain the functions of the online service, such as last name, first name, name at birth, date of birth, place of birth, address, federal state, email address, mobile-phone-number, gender, nationality, risk classification under money laundering legislation, betslips/betting history and, where applicable, other data on a voluntary basis. Mandatory information is marked with an *.

If you have forgotten your password, you can click the "Forgot password" link in the login window. You will then receive an e-mail to your registered e-mail address. If you click the "Create new password" button in the e-mail, you can enter a new password. You will immediately receive an e-mail confirming the password change. In addition, ODDSET GmbH offers the possibility to change your password after login to your player account. To do so, click on "Change password" under "Settings" and enter both your old and your new password in the window that then opens. You will immediately receive an e-mail confirming the password change. Within the scope of this password change, your email address, your new password, your old password, if applicable, and your IP address are collected. This data will only be used to resend the forgotten password. 

The legal basis for this processing is Art. 6 (1) 1a), b), c), f) GDPR.

2.7 Payment service providers

ODDSET GmbH uses various payment service providers for the deposit of funds to or withdrawal of funds from your player account. The transaction data, which may contain verification data about your identity, is stored in the systems of both ODDSET GmbH and the payment service providers. In relation to the transaction data processed, each party acts as an independent data controller pursuant to Art. 4 no. 7 GDPR.

The personal data collected in connection with the respective deposit or withdrawal of funds is generally the following data, which is necessary for the processing of payments:

• Deposit/withdrawal amount
• Description of purpose of payment
• First name
• Last name
• Address
• Transaction number
• IP address
• Email address, if applicable
• Telephone number/mobile phone number, if applicable

Payment service providers as separate data controllers are responsible for the acceptance and settlement of payment transactions, including the secure forwarding and settlement of credit card transactions with international credit card companies. They process your personal data and transmit it to other data controllers in order to effect payment or to comply with legal requirements.

When making a deposit or withdrawal, you will be redirected to a website of the selected payment service provider. The processing of data then takes place through the payment service provider. Please check with the respective payment service provider for their applicable privacy policies. If you have questions about the payment service providers’ privacy policies, please contact them directly.

The legal basis for data processing in connection with payment processing is Art. 6 (1) 1b) GDPR.

Payment service providers and their privacy policies:

1. PayPal (Europe) S.a.r.l. et Cie S.C.A. ("PayPal"), 22-24 Boulevard Royal L-2449, Luxembourg. For more information on how PayPal processes your personal data, please go to: https://www.paypal.com/myaccount/privacy/privacyhub.

2. Sofort GmbH (Klarna), Theresienhöhe 12, 80339 Munich, Germany ("Klarna"). Klarna offers SOFORT-Überweisung, an online direct transfer procedure. For more information on how Sofort GmbH (Klarna) processes your personal data, please go to: https://www.sofort.com/datenschutz.html.

3. Paysafe Prepaid Services Limited, Grand Canal House, Upper Grand Canal Street, Dublin 4, Ireland ("Paysafecard"). For more information on how Paysafecard processes your personal data, please go to: https://www.paysafe.com/de-de/paysafegroup/comprehensive-privacy-notice/.

4. Trustly Malta Limited, Tagliaferro Business Center, High Street c/w Gaeity Lane, Sliema, Malta ("Trustly"). For more information on how Trustly processes your personal data, please go to: https://www.trustly.net/de-DE/uber-uns/privacy-policy.

5. Worldpay B.V., De Entrée 248, 1101 EE, Amsterdam, The Netherlands ("Worldpay"). For more information on how Worldpay processes your personal data, please go to: https://online.worldpay.com/terms/privacy.
6. Nuvei Limited, 9 Kafkasou Street, Treppides Tower, Aglantzia, 2112 Nicosia, Cyprus ("Nuvei"). For more information on how Nuvei processes your personal data, please go to: https://nuvei.com/privacy-notice/.

7. AiB Merchant Services, Block 6, Belfield Office Park, Clonskeagh, Co. Dublin, Ireland ("AIBMS"). For more information on how AIBMS processes your personal data, please go to: https://www.aibms.com/wp-content/uploads/2021/08/AIBMS-Privacy-Notice-16.06.2021.pdf.

2.8 Service providers for the processing of credit card payments

If you pay with your credit card and enter your bank, card and/or authorisation data, ODDSET GmbH commissions external service providers, so-called “gateway payment providers” as well as payment service providers with the processing of your credit card-based payment. Gateway payment providers act as data processors and ensure the technical processing of card-based payments via a technical infrastructure. ODDSET GmbH uses the following gateway payment providers:

1. PXP Accept GmbH, Jakov-Lind-Straße 15G/Top 2, 1020 Vienna, Austria ("PXP Accept"). For more information on how PXP Accept processes your personal data, please go to: https://www.pxpfinancial.com/privacy-policy.

2. Worldpay B.V., De Entrée 248, 1101 EE, Amsterdam, The Netherlands ("Worldpay"). For more information on how Worldpay processes your personal data, please go to: https://online.worldpay.com/terms/privacy.

3. Nuvei Limited, 9 Kafkasou Street, Treppides Tower, Aglantzia, 2112 Nicosia, Cyprus (“Nuvei”). For more information on how Nuvei processes your personal data, please go to: https://nuvei.com/privacy-notice/.

If you wish to use your credit card for payment, the card payment must first be authorised. Authorisation takes place automatically using the following data:

• Payment amount
• Place of payment
• Payment history
• Merchant
• Purpose of payment.

Card payment is not possible without authorisation.

The legal basis for this processing is Art. 6 (1) 1b) GDPR.

2.9 Identification and verification services

Within the framework of the contractual relationship, ODDSET GmbH is legally obligated to clearly identify the customers. Thereto, the data you provide (last name, first name, place of birth, date of birth, address, nationality) will be submitted to the companies listed below for the purposes of identification and verification. The data processed as part of the identification and verification process is also used to determine false information, for age checks and age verification, to comply with legal requirements relating, for example, to gambling law, money laundering law, tax law, protection of minors and other regulatory obligations to supervisory authorities, as well as for fraud prevention and the identification of legal violations or breaches of the ODDSET GmbH Terms and Conditions.

The legal bases for this processing are Art. 6 (1) 1b and c) GDPR.

In addition, ODDSET GmbH reserves the right to have your creditworthiness verified by the companies listed below in order to protect its legitimate interests. As part of the verification of the player’s identity and creditworthiness, the customer’s first name, last name, name at birth, date and place of birth, address, IP address, email address, nationality and gender are processed.

The legal basis for this processing is Art. 6 (1) 1f) GDPR.

Personal data may only be transferred on this basis if this is necessary to protect the legitimate interests of ODDSET GmbH or third parties and only if such interests do not overweigh the interests or fundamental rights and freedoms of the data subject requiring protection of personal data. The exchange of data within the scope of the credit report serves to verify the customer’s economic capacity for sports betting (e.g. within the scope of an intended limit increase).

ODDSET GmbH uses the following providers to carry out the verification of identity and creditworthiness:

1. SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany ("SCHUFA"). The exchange of data with SCHUFA serves, in particular, to initiate and execute the contractual relationship with you, to fulfil legal obligations for player protection and to verify the customer’s economic capacity for sports betting.
   
    SCHUFA shall process the data it receives and also use this for profiling purposes, in order to provide its contractual partners in the European Economic Area, in Switzerland and any other third countries ( provided the European Commission has declared such countries as appropriate or standard contractual clauses have been agreed, which can be viewed at schufa.de) with information used for credit rating checks on natural persons and other purposes. More detailed information on SCHUFA’s activities can be found in the SCHUFAInformation and online at www.schufa.de/datenschutz.

2. IDnow GmbH, Auenstraße 100, 80469 Munich, Germany ("IDnow"). IDnow offers services for identification verification. All personal data (first name, last name, date and place of birth, nationality, identity card or passport ID number, issuing authority and address) collected by IDnow or forwarded to IDnow by us or our service provider Entain will only be used to verify ID documents and/or an user´s age and/or to identify the user. This can be done via the following procedures: (1) via an app ("Idnow AutoIdent") by matching your personal data with a photo of your identification document; or (2) via video chat ("IDnow VideoIdent"), in which an agent of IDnow verifies your identity and/or age against your identification documents. You can find more information about IDnow's procedures online at https://go.idnow.de/privacy/.

3. Sofort GmbH (Klarna), Theresienhöhe 12, 80339 Munich, Germany ("Klarna"). Klarna offers the SOFORT-Ident procedure, an online system for age and identity verification. SOFORT Ident allows fast activation of age-protected content on the internet. This will be matched using the names stored in your bank account with the name you provided to ODDSET GmbH. Subsequently, the name, address and date of birth are verified via a SCHUFA query. Further information is available online at https://www.sofort.com/datenschutz.html.

In addition, ODDSET GmbH uses the following provider to carry out necessary origin checks on assets and financial resources:

• Jumio Corporation, 395 Mill Road, Suite 150, Palo Alto, CA 94306, USA ("Jumio"). Jumio verifies the credit and debit cards used for deposits to the player account to ensure that the holder of the credit or debit card is also the holder of the player account as required by law. More information about Jumio is available online at jumio.com.

In order to carry out the verification of identity, creditworthiness and origin, ODDSET GmbH transmits the personal data entered by you to the companies designated above (“Verification Service Providers"). The Verification Service Providers then carry out the appropriate checks and verification procedures. The information obtained in this way forms the basis for ODDSET GmbH’s decision on the establishment, performance, or termination of the contractual relationship. Furthermore, it is in the legitimate interest of ODDSET GmbH to further process the data received from the Verification Service Providers for investigative purposes, fraud prevention and to fulfil requests from or to make submissions to regulatory authorities.

ODDSET GmbH also reserves the right to have security checks carried out by the Verification Service Providers at any time to confirm the correctness of the customer´s identity, age and registration details and to verify whether the use of the ODDSET GmbH services and the financial transactions may be in breach of the General Terms and Conditions and/or applicable law. Security checks may include, but are not limited to, information on potentially fraudulent activities or other validations of customer information by using third-party databases.

Requests to Verification Service Providers as part of the security checks or identity checks may be stored by the Verification Service Providers. For this storage, the respective Verification Service Provider is a (separate) data controller within the meaning of Art. 4 no.7 GDPR. Regarding questions about data protection at the Verification Service Providers, please directly contact the relevant Verification Service Provider.

The processing of personal data in connection with the security checks or the identity verification is carried out on the basis of Art. 6 (1) 1b), c) and/or f) GDPR.

2.10 Prevention of betting manipulation

ODDSET GmbH works with early detection systems to prevent betting manipulation attempts and to stop betting manipulation. In the event of suspected manipulation or fraud, ODDSET GmbH is entitled to forward the necessary data to Sportradar AG, Feldlistrasse 2, 9000 St. Gallen, Switzerland.

The legal basis for this processing is Art. 6 (1) 1c) GDPR.

2.11. Player protection

2.11.1. OASIS player blocking system

Within the scope of its sports betting licence, ODDSET GmbH is legally obligated to carry out a cross-check with the OASIS player blocking system of the responsible gambling supervisory authority for player protection purposes when a customer registers and logs into the player account. In addition, before advertising material is sent out and before bonuses and discounts are awarded, a legally required cross-check is made against the OASIS player blocking system ("OASIS"). As part of this cross-check, your first name, last name, date of birth, place of birth and current address are processed and transmitted to the operator of the OASIS system. As part of the transmission, a check is made to see whether you are listed in OASIS as a blocked player.

Pursuant to section 23 (1) 1 in conjunction with section 8 (1) of the German Inter-State Treaty on Gambling (GlüStV), the operator of the nationwide OASIS player blocking system is the Darmstadt Regional Council (Regierungspräsidium Darmstadt), Wilheminenstraße 1-3, 64283 Darmstadt, Germany. All queries and the information disclosed are logged by the Darmstadt Regional Council. For more information on OASIS, please go to https://rp-darmstadt.hessen.de/sicherheit-und-kommunales/gluecksspiel/spielersperrsystem-oasis.

The legal basis for this processing is Art. 6 (1) 1a), b) and c) GDPR. The data transfer is necessary for the fulfilment of statutory player protection obligations (section 8 (1), (2) GlüStV) and for the conclusion of a sports betting contract. For the sending of advertising material, the data transfer takes place on the basis of your consent given when subscribing to the newsletter. If data is transmitted from and to OASIS which contains customer health data or from which customer health data can be derived, such data may be processed by us in accordance with Art. 9 (2) g) or h).

If you are listed as a blocked player in OASIS, this status will be taken over into your player account. As a consequence, participation in ODDSET GmbH sports betting is no longer possible. Deposits to your player account are no longer possible either. However, you can have any remaining funds paid to your bank account. Should you apply for an indefinite gambling ban on the website or via ODDSET customer service, this ban will automatically be entered in OASIS. For information on help services, please visit the player protection page.

If you are a registered ODDSET customer and not listed in OASIS, your email address may be used to send you newsletters with information about services and other promotional messages if you have consented to this or if a legitimate interest justifies the transmission without affecting your right to privacy. You can unsubscribe from such newsletters or advertising messages at any time; for details, please refer to clause 2.4.

2.11.2. Connection to the LUGAS files of the competent gambling supervisory authority

According to the requirements of the GlüStV 2021, ODDSET GmbH is legally obligated to transmit information (so-called “central files”) about you and your gambling activities to the nationwide gambling analysis system (LUGAS). LUGAS is operated by the “Gemeinsame Glücksspielbehörde der Länder”, Hansering 15, 06108 Halle (Saale), Germany, acting on its own responsibility under data protection law. The central files consist of one file for monitoring the cross-provider deposit limit (“limit file”) and one file for preventing parallel play with several gambling providers (“activity file”).

The objective of the limit file is to enable compliance across providers with a monthly deposit limit set by the customer himself/herself. This amount may not exceed EUR 1,000 per month and applies to all gambling providers in Germany. ODDSET GmbH must transmit to the limit file the deposit limit set by you, together with the amounts deposited by you via the website during a calendar month, as well as the following personal data:

• Last name, first name, name at birth
• Date of birth
• Place of birth
• Address
• Customer identifier (Player ID)
• Email address
• Amount of the cross-provider deposit limit set by the customer
• Date when the limit was set
• Amount of the individual deposits
• Date of the individual deposits
• Total amount of all deposits made

The legal basis for the date transfer to and the collection of information from the limit file is Art. 6 (1) c) GDPR in conjunction with section 6c GlüStV 2021. Furthermore, since a gambling contract with you may only be performed if the transmissions have taken place, the processing is justified under Art. 6 (1) 1b) GDPR.

With the activity file, parallel gambling with several gambling providers is prevented. As soon as a customer wants to play an ODDSET sports bet, he/she must be marked by ODDSET GmbH as "active" in the central files. If the central file reports to ODDSET GmbH that the customer has already been marked as “active” by another gambling provider, ODDSET GmbH must not allow this customer to carry out the desired gambling activity as long as the existing “active” setting continues. If you are not yet marked as an "active" customer, this will also be reported to ODDSET GmbH, and you can play an ODDSET sports bet. The following personal data must be transmitted by ODDSET GmbH to the activity file:

• Last name, first name, name at birth
• Date of birth
• Place of birth
• Address
• Customer identifier (Player ID)
• Information as to whether you are an “active” customer in the ODDSET GmbH betting system.

The information that you are set as an "active" customer is removed five minutes after you have finished playing. This happens either when you end your active time yourself, or automatically after expiry of 30 minutes after you have logged out of your player account (log-out) or have been inactive for more than 30 minutes (session timeout).

The legal basis for the data transfer to and the collection of information from the activity file is Art. 6 (1) 1c) GDPR in conjunction with section 6h GlüStV as well as Art. 6 (1) 1b) GDPR, as a gambling contract with you may only be performed if the data transfer has taken place beforehand.

If data is transmitted from and to LUGAS which contains customer health data or from which customer health data can be derived, such data may be processed by us in accordance with Art. 9 (2) g) or (h).

 2.11.3. Early detection systems

ODDSET GmbH is legally obligated to work with early detection systems to ensure player protection and to prevent addiction.

The legal basis for this processing is Art. 6 (1) 1c) GDPR and – insofar as customer health data are affected – Art. 9 (2) h) GDPR, insofar as data is transmitted by and from the LUGAS system to the competent gambling supervisory authority which contains information on the customer’s racial and ethnic origin or customer health data or from which the customer’s racial and ethnic origin or customer health data can be derived.

2.12 Legal obligations

ODDSET GmbH may be obligated to share your personal data with authorities or other competent bodies. This is based on a legal obligation to which ODDSET GmbH is subject, e.g. in the case of criminal investigations or regulatory proceedings, in order to investigate or prevent fraud, or to protect the interests of the ODDSET GmbH employees.

3. Use of cookies, marketing- and web analytics services

ODDSET GmbH uses so-called cookies to make navigation and use of the services offered on this website as user-friendly as possible, to enable certain functionalities and to show you interest-related offers based on an analysis of your usage behaviour. Cookies are small files with text information that are stored on your device when you access the website. Some of the cookies we use will be deleted at the end of the browser session, i.e. when your browser is closed (so-called session cookies). Other cookies remain on your device and enable us to recognise your browser when you visit the website again (so-called persistent cookies).

The following categories of cookies are used:

3.1 Cookies that are technically necessary for the operation of the website:

These cookies are technically necessary for the operation and functionality of the website and cannot be switched off in the ODDSET GmbH systems. They make the website technically accessible, secure and usable, and provide essential and basic functionalities, such as navigation on the website, correct display of the website in the internet browser or consent management. You can set your browser to notify you about these cookies or to block them; however, in this case some parts of the site will not work. These cookies do not store any personal data that could be used to identify you.

3.2 Functional cookies:

These cookies enable the website to provide better functionality and personalisation options. They may be stored by ODDSET GmbH or by third-party providers whose services ODDSET GmbH has added to its pages. If you do not allow these cookies, some or all of these services may not function properly.

3.3 Performance cookies:

ODDSET GmbH uses these cookies to count visits and traffic sources to improve site performance. Performance cookies help to identify which pages are the most and least popular and how visitors move around the ODDSET GmbH site. The data collected via these cookies is aggregate information and therefore anonymous. If you do not allow these cookies, ODDSET GmbH will not be able to know when you visited the site and accordingly will not be able to measure site performance.

3.4 Advertising cookies

These cookies may be stored on the ODDSET GmbH website by advertising partners. They help advertising partners profile your interests and display suitable advertisements on other sites. Personal data is not stored directly, but is based only on the identification of your browser and internet device. If you do not allow these cookies, the advertisements displayed to you will be less targeted.

3.5 Legal Bases

The legal basis for the use of technically necessary cookies is section 25 (2) no. 2 of the Telecommunications Telemedia Data Protection Act (TTDSG) or Art. 6 (1) f) GDPR for the purpose of protecting the legitimate interests of ODDSET GmbH. The legitimate interests of ODDSET GmbH lie in particular in being able to provide you with a technically optimised website that is user-friendly and tailored to your needs, as well as to ensure the security of the ODDSET GmbH systems.

The legal basis for the use of functional, performance and advertising cookies is section 25 (1) TTDSG with regard to the storage and reading of data, and Art. 6 (1) a) GDPR with regard to the processing of personal data.

Your consent includes all cookies selected by you and the associated storage of information on your device as well as the subsequent reading of such information and the ensuing processing of personal data.

If ODDSET GmbH uses cookies on the basis of your consent, you can revoke your consent at any time with effect for the future, e.g. by adjusting your cookie settings here.

Your revocation does not affect the lawfulness of any processing of data carried out prior to the revocation. 

3.6. Marketing and web analytics services

The use of marketing cookies and tracking mechanisms enables ODDSET GmbH and its partners to show you interest-related offers based on an analysis of your usage behaviour.

The following mechanisms and providers are used on this website:

• Web analytics: When using the services of ODDSET GmbH, data is collected and stored using technologies of web analytics service providers, and usage profiles are created from this data using pseudonyms. These usage profiles serve to analyse visitor behaviour and are evaluated in order to improve and design our offers in line with requirements. Cookies may be used for this purpose and log files may be analysed. The pseudonymised usage profiles are only merged with personal data about the bearer of the pseudonym if a separate expressed declaration of consent has been given.

• Conversion tracking: Our conversion tracking partners place a cookie on your computer (“conversion cookie”) if you have accessed the ODDSET GmbH website via an advertisement of the relevant partner. If you visit certain pages of ODDSET GmbH, ODDSET GmbH and the respective conversion tracking provider can recognise that a certain user has clicked on the advertisement and thus been redirected to the ODDSET GmbH website. This can also be done across devices. The information obtained using the conversion cookie is used to compile conversion statistics and to record the total number of users who clicked on the relevant advertisement and were redirected to a page furnished with a conversion tracking tag.

• Retargeting: Retargeting tools use advertising cookies or third-party advertising cookies, so-called web beacons (invisible graphics also called pixels or tracking pixels) or similar technologies to create usage profiles. These are used for interest-based advertising and to control the frequency with which the user sees certain advertisements.

3.7 Third-party cookies and web analytics services.

Third-party providers may set cookies on your computer in order to provide you with their services. The cookie policy of the respective third-party provider is relevant for the settings of these cookies. We use the following plugins and active script content from third-party providers:

3.7.1 Google (Universal) Analytics web analytics service

The services of ODDSET GmbH use Google (Universal) Analytics, a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”)  (www.google.de). Google (Universal) Analytics uses methods that enable an analysis of your use of the ODDSET GmbH services. The information generated regarding your use of the services is normally transferred to a Google server in the USA, and is stored there.

By activating IP masking in the ODDSET GmbH services, the IP address is shortened before transmission within the Member States of the European Union or to other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA, and will be abbreviated there. The masked IP address transmitted by your browser within the framework of Google (Universal) Analytics will not be combined with other Google data.

You can prevent the collection of the data generated by the cookie and related to your use of the website (incl. your IP address) via this opt-out link.

Alternatively, you can prevent the use of data on the websites by installing a browser plugin. The browser plug-in can be downloaded here: https://tools.google.com/dlpage/gaoptout.

The storage of Google Analytics cookies is based on your consent in accordance with Art. 6 (1) a) GDPR. You can revoke your consent at any time with effect for the future, e.g. by adjusting your cookie settings here.

Your revocation does not affect the lawfulness of any processing of data carried out prior to the revocation.

3.7.2 Sportradar / Betradar

When you use the website, a JavaScript code provided by SPORTRADAR AG, Feldlistrasse 2, 9000 St. Gallen, Switzerland (hereinafter: Betradar) is reloaded. Betradar provides the website with live scores and statistics. If you have activated JavaScript in your browser and have not installed a JavaScript blocker, your browser may transmit the IP address as well as information about the browser and the operating system to Betradar to be able to deliver the content (live scores, statistics). In order to prevent the execution of the Betradar JavaScript code altogether, you can install a JavaScript blocker (e.g., www.noscript.net or www.ghostery.com). Storage of the above-mentioned data by Betradar is based on Art. 6 (1) f) GDPR. ODDSET GmbH has a legitimate interest in providing its users with up-to-date live scores and statistics for an optimised sports information service.

Furthermore, Betradar uses Google Analytics within the framework of the presentation of the content in order to analyse access to and use of the content. For further details regarding Google Analytics, please refer to clause 4.2 of this Privacy Policy.

3.8 Management of cookies and web analytics services

We use the cookie consent management tool of OneTrust Technology Limited, 82 St John Street, London, England, EC1M 4JN, in the context of which your consent to the use of cookies, or to the processing and providers named in the cookie consent management procedure, can be obtained, managed and revoked by you. Here, the declaration of consent is stored in order not to have to repeat its query and to be able to prove the consent in accordance with the legal obligation. The storing can be done on the server side and/or in a cookie in order to be able to assign the consent to you or your device.

You can manage your cookie and tracking mechanism settings as follows:

If you wish to disable and/or manage cookies, please go to either your cookie consent management tool or to your browser settings and disable the setting of cookies which you want to disable, or give your consent to the use of functional, performance and/or advertising cookies or tracking mechanisms. Please note that disabling technically necessary cookies may affect the functionality of the website.

In the privacy settings, you can revoke your consent already given with effect for the future, or can give your consent at a later date.

Please note: If you make settings in the browser, the settings you make only apply to the browser you are using.

The duration of storing your consent can be up to two years. In this case, a pseudonymous user identifier is formed and stored with the time of consent, information on the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and end device used.

4. Automated decisions in individual cases

Through the processing of your data, you may be subject to an automated decision in individual cases, including profiling in accordance with Art 22 GDPR. This may be done in order to admit you as a customer or to decide on your continued eligibility to play, applying legal and regulatory requirements of player protection, anti-money laundering, anti-terrorism and/or fraud prevention. In this context, your deposit and gambling behaviour (also in the past) and score values which ODDSET GmbH receives from credit agencies may be taken into account. This may result in a restriction of services, the complete or partial blocking of your player account, the non-acceptance of an offer to conclude a sports betting contract or the refusal to open a player account, depending on the achievement or non-achievement of certain values. As this automated decision-making may have a legal effect on you or may significantly affect you in a similar manner, you may contest it, request its manual review and submit your own opinion.

5. Data security

5.1 Technical and organisational measures

ODDSET GmbH maintains technical and organisational measures to ensure data security, in particular to protect your personal data against risks during data transmission and against third parties gaining knowledge of, changing, destroying or losing it. They are continuously adapted according to the current state of the art.

5.2 Information on electronic mail

Information that you send to us unencrypted by electronic mail (email), e.g. as part of a data protection inquiry, may be read by third parties during transmission. As a rule, ODDSET GmbH furthermore is unable to verify your identity and does not know who is behind an email address. Legally secure communication by ordinary email is therefore not guaranteed. ODDSET GmbH – like many email providers – uses filters against unsolicited advertising ("spam filters"), which in rare cases also erroneously automatically classify normal emails as unsolicited advertising and delete them. Emails containing harmful programmes ("viruses") will be deleted automatically by ODDSET GmbH in any case.

If you wish to send messages to ODDSET GmbH that need to be protected, it is recommended that you encrypt and sign them in order to prevent unauthorised access and falsification during transmission or send the message to ODDSET GmbH by conventional post.

6. Storage period and deletion of your data

ODDSET GmbH stores and processes your personal data as long as this is necessary to achieve the purpose for which it was collected. After the end of your use of the website, your data will be used exclusively for the complete processing of the contract and will be blocked for any further use and deleted after the expiry of the retention periods under tax and commercial law, unless you have expressly consented to a further use of your data or ODDSET GmbH reserves the right to a further use of data which is permitted by law and about which information is provided in this Privacy Policy. The deletion of your data is possible at any time, except if legal storage obligations apply, and can be initiated by sending an informal message to the contact option described above.

7. What data protection rights do you have?

You have the following rights vis-à-vis ODDSET GmbH under the respective legal conditions:

• Right of access (Art. 15 GDPR):

You can request information about whether ODDSET GmbH processes personal data concerning you and what this data is.

• Right to rectification (Art. 16 GDPR):

If your data is incorrect or has changed, you can request rectification. If the data is incomplete, you can ask for it to be completed.

• Right to erasure (Art. 17 GDPR):

You have the right to obtain the erasure of your personal data if the conditions for this are met.

• Right to restriction of processing (Art. 18 GDPR):

You have the right to apply for the restriction of the processing of your personal data.

• Right to data portability (Art. 20 GDPR):

You have the right to receive your personal data in a structured, commonly used and machine-readable format or to have it transmitted to a recipient to be designated by you.

• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR):

You have the right to lodge a complaint with the supervisory authorities of the member states of the European Union, in particular with the following supervisory authority: the Bavarian State Office for Data Protection Supervision (Bayrisches Landesamt für Datenschutzaufsicht, BayLDA).

• Revocation of your consent (Art. 7 (3) GDPR):

You have the right to withdraw any consent you may have given for the processing of personal data at any time. The withdrawal of consent will result in ODDSET GmbH no longer continuing the data processing based on this consent in the future. The withdrawal of consent will not affect the lawfulness of any processing carried out on the basis of the consent before its withdrawal.

8. How can you exercise your data protection rights?

If you wish to exercise any of your data protection rights, such as the right to access your personal data or to have data erased, either yourself or by a third party on your behalf, please contact privacy(at)online.oddset.de*.

If you have any questions about this Privacy Policy or require further information about your rights, please contact the ODDSET GmbH data protection officer by email: datenschutz(at)oddset-gmbh.de*. Alternatively, you can also send your request by post to ODDSET Sportwetten GmbH, Datenschutzbeauftragter, Konrad-Zuse-Platz 12, 81829 Munich, Germany.

*Please note that these channels are not used for customer service requests.

Insofar as ODDSET GmbH processes your data on the basis of legitimate interests pursuant to Art. 6 (1) 1f) GDPR, you have the right to object to the processing of your data pursuant to Art. 21 GDPR, insofar as there are grounds for doing so that arise from your particular situation, or the objection is directed against direct marketing purposes. In the latter case, you have a general right to object, which will also be implemented by ODDSET GmbH without you giving reasons.

If you wish to exercise your right of withdrawal or the right to object, it is sufficient to send an informal message to the above contact details.

SCHUFA-Information based on Art. 14 of the GDPR

1. Name and contact details of the responsible body and its Data Protection Officer:

SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany, phone: +49 (0) 6 11-92 78 0

SCHUFA’s Data Protection Officer can be reached by contacting the Data Protection Department at the above address or via email at datenschutz@schufa.de.

2. Data processing by SCHUFA

2.1 Purpose of data processing and legitimate interests pursued by SCHUFA or a third party

SCHUFA processes personal data in order to provide authorised recipients with information for assessing the creditworthiness of natural persons and legal entities. For this purpose, score values are also determined and transmitted. SCHUFA only makes the information available if a legitimate interest in this has been credibly demonstrated in the individual case and processing is permissible after weighing up all interests. The legitimate interest is given in particular before entering into transactions with a financial default risk. The creditworthiness check serves to protect recipients from losses in the credit business and at the same time opens up the possibility of protecting borrowers from excessive indebtedness through consulting. The data is also processed for fraud prevention, creditworthiness checks, money laundering prevention, identity and age checks, address determination, customer services or risk management as well as pricing or conditioning. In addition to the aforementioned purposes, SCHUFA also processes personal data for internal purposes (e.g. assertion of legal claims and defence in legal disputes, further development of services and products, research and development, in particular for the implementation of internal research projects (e.g. SCHUFA Credit Compass) or for participation in national and international external research projects in the area of the aforementioned processing purposes as well as ensuring IT security and safe IT operations). The legitimate interest in this arises from the respective purposes and is otherwise of an economic nature (efficient fulfilment of tasks, avoidance of legal risks). Anonymised data may also be processed. SCHUFA will inform you of any changes to the purposes of data processing in accordance with Article 14 (4) of the GDPR.

2.2 Legal grounds for data processing

SCHUFA processes personal data on the basis of the provisions of the General Data Protection Regulation and the Federal Data Protection Act. Processing is carried out on the basis of consent (Art. 6 (1) (a) GDPR) as well as on the basis of Art. 6 (1) (f) GDPR, insofar as the processing is necessary to protect the legitimate interests of the controller or a third party and the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, are not overridden.

Consent can be revoked at any time vis-à-vis the contractual partner concerned. This also applies to grants of consent already made before the entry into force of the GDPR. The revocation of consent does not affect the lawfulness of the personal data processed until the revocation.

2.3 Source of data

On the one hand, SCHUFA receives its data from its contractual partners. These are institutions, financial companies and payment service providers located in the European Economic Area and in Switzerland as well as, if applicable, in other third countries (insofar as a corresponding appropriateness decision of the European Commission exists for these), which bear a financial default risk (e.g. banks, savings banks, cooperative banks, credit card, factoring and leasing companies) as well as other contractual partners who use SCHUFA products for the purposes stated in section 2.1, in particular from the regular or mail-order trade, e-commerce, service, rental, energy supply, telecommunications, insurance or collection sectors. In addition, SCHUFA processes information from generally accessible sources such as public directories and official announcements (e.g. debtor directories, insolvency announcements) or compliance lists (e.g. lists of politically exposed persons and sanctions lists) as well as from data suppliers. SCHUFA may also store personal data of data subjects after appropriate notification and verification.

2.4 Categories of personal data processed

Personal data, e.g. surname (if applicable, also previous names that are reported on a separate application), first name, date of birth, place of birth, address, previous addresses | Information on the commencement and contractual performance of a transaction (e.g. current accounts, instalment loans, credit cards, garnishment protection accounts, basic accounts) | Information on unfulfilled payment obligations, such as e.g. undisputed, due and repeatedly reminded or titled claims as well as their settlement | Information on abusive or other fraudulent behaviour such as e.g. deception of identity or creditworthiness | Information from generally accessible sources (e.g. debtor directories, insolvency notices) | Data from compliance lists | Information whether and in which function an entry exists in generally accessible sources for a public figure with matching personal data | Address data | Score values.

2.5 Categories of personal data recipients

Recipients are contracting partners domiciled in the European Economic Area, Switzerland and, if applicable, other third countries (insofar as a corresponding appropriateness decision of the European Commission exists for these or standard contractual clauses have been agreed, which can be viewed at www.schufa.de) in accordance with section 2.3. Further recipients may be external contractors of SCHUFA in accordance with Art. 28 of the GDPR as well as external and internal SCHUFA offices. SCHUFA is also subject to government agencies’ statutory powers of intervention.

2.6 Duration of data retention

SCHUFA only stores information about individuals for a certain period of time. The decisive criterion for determining this period is the necessity of the processing for the above-mentioned purposes. The storage periods are specified in detail in a Code of Conduct of the association „DieW irtschaftsauskunfteien e. V.“ (available at www.schufa.de/loeschfristen). Information on enquiries is deleted after twelve months on a daily basis.

3. Rights of data subjects

Every data subject has the right to information from SCHUFA pursuant to Article 15 of the GDPR, the right to rectification pursuant to Article 16 of the GDPR, the right to deletion pursuant to Article 17 of the GDPR and the right to restriction of processing pursuant to Article 18 of the GDPR. SCHUFA has set up a Private Client ServiceCenter for concerns of data subjects, which can be contacted in writing at SCHUFA Holding AG, Private Client ServiceCenter, Postfach [PO box] 10 34 41, 50474 Cologne, Germany, by telephone at +49 (0) 6 11-92 78 0 and via a query form at www.schufa.de/rueckfrageformular. In addition, there is the possibility of contacting the supervisory authority responsible for SCHUFA, the Hessian Commissioner for Data Protection and Freedom of Information. Consent can be revoked at any time vis-à-vis the contractual partner concerned.

Art. 21 Par. 1 of the GDPR states that consent for data processing may be revoked for reasons relatedto the specific circumstances of an affected party.

Such revocations may be lodged informally and should be addressed to: SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach [PO box] 10 34 41, 50474 Cologne, Germany.

4. Profiling (Scoring)

In addition to providing details about the information stored on a person, SCHUFA supports its contractual partners in their decision-making by profiling them, in particular by means of so-called score values. This helps, for example, by making it possible to process everyday credit transactions quickly.

The generic term profiling refers to the processing of personal data by analysing certain aspects of a person. Particular importance is attached to so-called scoring in the context of credit assessment and fraud prevention. However, scoring can also serve the fulfilment of other purposes mentioned in section 2.1 of this SCHUFA information.

Scoring involves using information and experience gathered in the past to make a forecast about future events or behaviour. On the basis of the information stored on a person at SCHUFA, an allocation is made to statistical groups of persons who had a similar data basis in the past.

In addition to the logistic regression method, which has been established for many years in the area of credit scoring, SCHUFA can also use scoring methods from the areas of so-called complex non-linear methods or expert-based methods. It is always of particular importance to SCHUFA that the methods used are mathematically and statistically recognised and scientifically sound. Independent external experts confirm the scientific nature of these procedures. In addition, the procedures used are disclosed to the responsible supervisory authority. For SCHUFA, it is a matter of course to regularly check the quality and up-to-dateness of the procedures used and to make appropriate updates.

SCHUFA calculates creditworthiness scores on the basis of the data it has stored on a person, which is also shown in the data copy in accordance with Art. 15 GDPR. On the basis of this information stored at SCHUFA, an assignment is then made to statistical groups of persons who had a similar data basis in the past. For the determination of score values on creditworthiness, the stored data is summarised in so-called data types which can be viewed at www.schufa.de/scoring-faq. When determining score values for other purposes, other data or data types may also be included. Information on nationality or particularly sensitive data according to Art. 9 GDPR (e.g. ethnic origin or information on political or religious attitudes) is not stored at SCHUFA and is therefore not available for profiling. The assertion of the data subject‘s rights under the GDPR, such as the right to inspect personal data stored by SCHUFA in accordance with Art. 15 of the GDPR, has no influence on profiling. In addition, when scoring SCHUFA takes into account the provisions of Section 31 BDSG.

The probability with which a person will repay a mortgage loan, for example, does not have to correspond to the probability with which he or she will pay a mail-order invoice on time. For this reason, SCHUFA offers its contractual partners different sector-specific or even customer-specific score models. Score values are constantly changing because the data stored at SCHUFA is also constantly changing. New data is added, while other data is deleted due to prescribed storage periods. In addition, the data itself also changes over time (e.g. the duration of the existence of a business relationship), so that changes can occur even without new data.

It is important here to know that SCHUFA itself does not make any decisions. It merely supports the affiliated contractual partners with its information and profiling in the decision-making process. The decision for or against a transaction, on the other hand, is made solely by the direct business partner. This applies even if the latter relies solely on the information provided by SCHUFA. Further information on profiling and scoring at SCHUFA (e.g. on the procedures currently in use can be viewed at www.schufa.de/scoring-faq.