burger icon
Luna Casino
Log In

Privacy Policy

This Privacy Policy explains how luna-casino collects, uses, discloses, and protects personal information of players and website visitors of luna-ca.com. It applies to individuals in Canada (excluding Ontario) who access our services and to visitors of our site. By using our services, you acknowledge this Policy. Effective date: October 1, 2025.

Who We Are

luna-casino is operated for Canada (excluding Ontario) via the website luna-ca.com by the following data controller:

  • Legal entity: SkillOnNet Ltd
  • Legal address: Office 1/5297 Level G, Quantum House, 75, Abate Rigord Street, Ta' Xbiex, XBX 1120, Malta
  • Gaming licences:
    • Malta Gaming Authority (MGA) Licence No. MGA/CRP/171/2009/01 (online gaming operations)
    • UK Gambling Commission Licence No. 39326 (UK operations only)
  • Website: https://luna-ca.com

Data Protection Office: You may contact our Data Protection Office by writing to the above postal address (Attn: Data Protection Office) or via the contact options published on https://luna-ca.com. Where an in-site privacy request form is available in your account, please use it for the fastest handling.

What Personal Data We Collect

  • Identification and contact data: full name, date of birth, residential address, email, phone number, government-issued ID details (for KYC), selfies/photographs for verification, nationality, and proof-of-address documents.
  • Account and service data: username, account IDs, preferences, responsible gambling settings (deposit/loss/time limits, self-exclusion status), support communications, complaint records.
  • Payment and financial data: payment instrument details (masked where possible), transaction/balance history, withdrawal and payout records, billing and tax information, chargeback and fraud flags.
  • Gaming and behavioral data: game session data, betting history, wins/losses, game interactions, clicks, referral source, promotions/bonus usage and compliance checks.
  • Technical and device data: IP address, device identifiers, browser type/version, operating system, language, time zone, app version (if applicable), log files, crash diagnostics, performance metrics.
  • Location data: approximate geo-location inferred from IP and device settings for eligibility, fraud and compliance checks (we do not collect precise GPS unless explicitly enabled and necessary).
  • Cookies and similar technologies: cookies, SDKs, pixels, beacons for functionality, analytics, fraud prevention and (with consent) advertising measurement.
  • Regulatory screening data: results of sanctions/PEP/Adverse Media checks, affordability and AML risk assessments, and information received from verification service providers and regulators as required.

We do not knowingly collect data from individuals under the legal gambling age in their province/territory (18 or 19). If we learn we have inadvertently collected such data, we will delete it.

Legal Basis for Processing

  • Consent: We rely on your consent for activities such as sending marketing communications, placing non-essential cookies, and certain optional data uses. You can withdraw consent at any time.
  • Contractual necessity: Processing necessary to create and manage your account, verify identity, provide games, process deposits/withdrawals, apply bonuses, provide support, and enforce the Terms.
  • Legitimate interests: Fraud prevention, network and information security, service analytics, service improvement, ensuring game integrity, and establishing/defending legal claims. We balance these interests against your privacy rights.
  • Legal and regulatory obligations: KYC/AML checks, record retention, self-exclusion enforcement, responsible gambling measures, tax and accounting, and responses to lawful requests by competent authorities (e.g., gaming regulators, law enforcement).
  • Jurisdictional alignment: For Canadian users, we comply with PIPEDA and applicable provincial privacy laws (e.g., Quebec's Law 25, Alberta/BC PIPA) principles of consent, purpose limitation, and safeguards. Where EU/UK data protection laws apply (e.g., if interacting from the EEA/UK), the GDPR/UK GDPR legal bases above also apply.

Purpose of Processing

  • Provide and operate services: account setup and authentication, identity and age verification, game access, payment processing, customer support, responsible gambling tools.
  • Compliance and risk management: AML/KYC screening, transaction monitoring, sanctions/PEP screening, fraud detection and prevention, dispute handling, regulatory reporting.
  • Service improvement and analytics: performance monitoring, troubleshooting, product development, A/B testing, usability analysis, and quality assurance.
  • Marketing and communications: service announcements, promotional offers, bonuses and surveys, subject to consent and CASL requirements. You can manage preferences or unsubscribe at any time.
  • Security and integrity: protecting accounts, systems and data; detecting bots or abuse; ensuring fair play; enforcing our Terms.

Disclosure & Sharing

  • Service providers (processors): identity verification/KYC vendors, payment processors, anti-fraud tools, analytics providers, cloud hosting, customer support platforms. They act under contractual confidentiality and data protection terms.
  • Payment partners and banks: to process deposits, payouts and chargebacks, and to perform AML/CTF controls.
  • Regulators and authorities: gaming regulators (e.g., Malta Gaming Authority) and competent law enforcement or tax authorities where disclosure is required by law or to protect our rights or users.
  • Affiliates and marketing partners: limited data for attribution/measurement where you arrived via an affiliate link; advertising networks or social platforms only with your consent and subject to applicable laws.
  • Corporate transactions: in connection with mergers, acquisitions, restructuring, financing, or asset transfers, under appropriate safeguards.
  • Independent auditors/certifiers: e.g., iTech Labs for RNG/game fairness audits (not for marketing), under confidentiality.

International Transfers

Your data may be processed in, or transferred to, countries outside your province/territory and outside Canada, including Malta (EU/EEA), the United Kingdom, the United States and other jurisdictions where our providers operate.

  • Contractual safeguards: For transfers from the EEA, we use EU Standard Contractual Clauses and conduct transfer risk assessments; for UK transfers, we use the UK IDTA/Addendum; for Canada, we use contractual protections and require comparable safeguards consistent with PIPEDA and, where applicable, Quebec Law 25 assessments.
  • Technical/organizational measures: encryption, access controls, and strict vendor due diligence to mitigate international transfer risks.

Data Retention

  • Account, KYC and due diligence records: retained for 5 years after account closure (or longer if required by AML, regulatory, or legal obligations).
  • Transaction and payment records: retained for up to 7 years for accounting, tax, AML and audit purposes.
  • Gaming and log data: session logs, device/IP logs and security logs retained for 12-24 months, extendable in case of investigations, disputes or fraud prevention.
  • Marketing data: retained while you remain subscribed and for up to 24 months after last activity to comply with CASL record-keeping, unless you unsubscribe sooner.
  • Complaints and customer support: 3-5 years after resolution, depending on limitation periods.

We delete or anonymize data when retention periods expire, when purposes are achieved, or upon valid request unless retention is legally required or necessary to establish, exercise, or defend legal claims.

Your Rights

Consistent with Canadian privacy laws (PIPEDA and applicable provincial laws), and where relevant with GDPR/UK GDPR, you have the following rights:

  • Access: obtain confirmation and a copy of personal information we hold about you.
  • Correction: request correction of inaccurate or incomplete data.
  • Deletion: request deletion where no longer necessary, where consent is withdrawn, or where processing is unlawful (subject to legal retention requirements, e.g., AML).
  • Restriction/objection: request we limit processing or object to certain processing based on legitimate interests or direct marketing.
  • Portability: where applicable (e.g., GDPR/UK GDPR), receive data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Withdraw consent: at any time for activities based on consent (e.g., marketing; non-essential cookies).
  • Marketing choices: unsubscribe via email links or manage preferences in your account.

How to exercise: Submit a request via the privacy/contact options on https://luna-ca.com or by postal mail to the address in "Who We Are." We may need to verify your identity. We will respond within 30 days; where permitted, we may extend once by up to 30 additional days due to complexity or volume and will inform you of any extension. Requests are free of charge unless manifestly unfounded or excessive.

Note on other jurisdictions: If you are in the EEA/UK, GDPR/UK GDPR rights apply in full. If Mexican law becomes relevant to your interaction, we will endeavor to honor ARCO rights (access, rectification, cancellation, opposition) under Mexico's LFPDPPP to the extent applicable.

Cookies & Tracking Technologies

  • Types:
    • Session cookies (expire when you close your browser)
    • Persistent cookies (remain for a defined period)
    • Third-party cookies/SDKs (e.g., analytics, payments, fraud prevention; advertising only with consent)
  • Purposes:
    • Functional: sign-in, security, load balancing, remembering preferences
    • Analytics: usage statistics, performance, error diagnostics
    • Advertising: measuring campaigns and personalization (only if you consent)
  • Controls: manage cookies in your browser/device settings; use our on-site consent tools where available to accept/decline non-essential cookies; you may withdraw consent at any time. Blocking some cookies may impact functionality.

Data Security

  • Encryption: TLS 1.2+ for data in transit; strong encryption (e.g., AES-256) for sensitive data at rest where feasible.
  • Access controls: least-privilege, role-based access, MFA for administrative access, secure key management, and session controls.
  • Secure development and testing: code reviews, vulnerability scanning, penetration testing, change management, and segregated environments.
  • Monitoring and incident response: continuous logging and monitoring, defined incident response runbooks, user notification as required by law in case of a breach.
  • Vendor security: due diligence, contractual security obligations, ongoing oversight of processors.
  • Training and governance: staff privacy/security training, background checks where appropriate, policies aligned with recognized frameworks (e.g., ISO/IEC 27001, SOC 2 principles) where applicable.

Complaints & Contacts

Contact luna-casino: For questions, requests, or complaints, contact our Data Protection Office via the privacy/contact options on https://luna-ca.com or by mail to SkillOnNet Ltd, Office 1/5297 Level G, Quantum House, 75, Abate Rigord Street, Ta' Xbiex, XBX 1120, Malta (Attn: Data Protection Office). We aim to acknowledge within 7 days and provide a substantive response within 30 days.

  1. Step 1 - Submit to us: Use the website contact options or write to the postal address. Include your account ID, province/territory, and request details.
  2. Step 2 - Review and resolution: We may request identity verification. Complex cases may require up to one additional 30-day extension (we will notify you).
  3. Step 3 - Escalation: If unresolved, you may complain to a relevant privacy authority:
    • Canada (federal): Office of the Privacy Commissioner of Canada (OPC) - https://www.priv.gc.ca/; Toll-free: 1-800-282-1376; Mail: 30 Victoria Street, Gatineau, QC K1A 1H3.
    • Quebec: Commission d'accès à l'information (CAI) - https://www.cai.gouv.qc.ca/.
    • British Columbia: OIPC BC - https://www.oipc.bc.ca/.
    • Alberta: OIPC Alberta - https://oipc.ab.ca/.
    • EEA (if applicable): Office of the Information and Data Protection Commissioner (Malta) - https://idpc.org.mt/.
    • UK (if applicable): Information Commissioner's Office - https://ico.org.uk/.
    • Mexico (if applicable): INAI - https://home.inai.org.mx/.

Updates

We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

  • Notice methods: email notifications (where appropriate), website banners, and in-account alerts on luna-ca.com.
  • Advance notice: For material changes (e.g., new data uses or new categories of recipients), we will provide at least 30 days' advance notice and, where required, seek renewed consent.
  • User options: If you do not agree with changes, you may object to non-essential processing, adjust your preferences, or close your account (subject to settlement of balances and legal retention obligations).
  • Version control: Last updated: October 2025. We will keep a changelog of material updates on the website or make prior versions available upon request.

Your continued use of luna-ca.com after the effective date of changes signifies acceptance of the updated Policy.