Privacy policy

Last updated: 14/04/2025

1. Introduction

About

This Privacy Policy provides information about how we collect and use Personal Data. For the purpose of this Privacy Policy, Personal Data means any information which relates to an identifiable living person, and is set out in more detail below.

We are committed to the protection of the Personal Data and to maintaining the highest possible standards of privacy. We seek to implement practices, procedures, and systems that comply with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).

Controller

The Jumbo Interactive UK group of companies (“UK Group”) is made up of different legal entities, including:

Jumbo Interactive UK Limited;
Starvale Technical Systems Limited;
Starvale Management and Technologies Limited;
DDPay Limited; and
Gatherwell Limited.

This Privacy Policy is issued on behalf of the UK Group. As such, when we mention Jumbo UK, or we, us or our in this Privacy Policy, we are referring to the relevant legal entity in the UK Group responsible for processing your Personal Data.

Scope

This Privacy Policy applies to Personal Data which a relevant legal entity in the UK Group processes as a data controller.

We may act as a data processor when we provide our services to our clients, such as when we provide lottery programs under a client’s brand. This Privacy Policy does not apply to such lottery programs, because each lottery program has its own privacy policy, which explains who the data controller is and how and why Personal Data is collected and used for the purpose of that lottery programme.

2. What Personal Data do we collect and hold?

We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:

Identity Data includes first name, last name, title and date of birth.
Contact Data includes home or business address, email address and telephone number(s).
Financial Data includes bank account details.
Audio Data includes voice recordings collected during inbound and/or outbound calls.
Marketing and Communications Data includes your preferences in receiving marketing from us and third parties and your communication preferences.
Usage Data includes information about how you use our websites, products and services.
Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our websites.

We also collect, use and share Aggregated Data, such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Policy.

We do not generally collect Special Categories of Personal Data (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). The only exception to this is if you are a job applicant, and we need to collect Special Categories of Personal Data about you in order to verify your right to work, or to comply with employment laws. We also carry out criminal background checks on job applicants when an offer of employment is made.

3. How we collect your Personal Data

We use different methods to collect Personal Data from and about you, including through:

Interacting with us about a potential or existing business relationship. You may give us your Personal Data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes Personal Data you provide when you:
- interact with our websites;
- contact us about receiving our products or services, including requesting a quote or for marketing material to be sent to you;
- contact us about providing your products or services to us;
- subscribe to any of our newsletters or publications; or
- enter a survey or give us feedback.
Applying for a job posted on our website. If you wish to apply for a job posting on our website, you will be required to provide Personal Data so that we may process your application.
Automated technologies or interactions. As you interact with our websites, we may automatically collect Technical Data about your equipment, browsing actions and patterns. On certain websites, such as lottery websites that we host on behalf of our clients, we collect Personal Data by using cookies and other similar technologies. Details of cookies that we use are set out in the relevant Cookie Policy.
Identity and Contact Data is collected from:
- publicly available sources, such as Companies House, the Gambling Commission, the Charities Register and the Scottish Charities Register; and
- third party data brokers or aggregators.
Financial Data is collected directly from clients and suppliers as required for us to make payments in accordance with our contractual obligations.
Technical Data is collected from analytics providers, such as Google based outside the UK.

4. How we use your Personal Data

Legal basis

We will only use your Personal Data when the law allows us to. Most commonly, we will use your Personal Data in the following circumstances:

Performance of a contract with you. Where we need to perform the contract we are about to enter into or have entered into with you or the organisation which you represent.
Legitimate interests. We may use your Personal Data where it is necessary to conduct our business and pursue our legitimate interests, for example our interests in:
- the research and development of our services and infrastructure, including testing and upgrading these systems;
- the analysis of and corporate strategy/resource allocation considerations related to business-to-business functions across the UK Group and/or our wider corporate group;
- the marketing and promotion of our products and services on a business-to-business basis;
- quality assurance and training of our staff; and
- for unrelated third parties to enable outsourcing of relevant functions relating to the provision of our services, and marketing products and services, and only for the primary purpose of providing those functions;
Consent. We rely on consent where we have obtained your active agreement to use your Personal Data for a specified purpose, for example:
- you subscribe to a newsletter or publication; or
- you are an individual or unincorporated organisation who wishes to consent to receiving marketing communications from us.
Legal obligation. We may use your Personal Data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.

Purposes for which we will use your Personal Data

We have set out below a description of all the ways we use various categories of Personal Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose/Use	Type of Data	Legal Basis
Business development activities, such as providing quotes, marketing materials or participating in tenders that we are invited to by potential clients	(a) Identity Data(b) Contact Data	(a) Performance of a contract with you; and(b) Legitimate interests – marketing and promotion of our products and services.
Relationship and contract management activities in relation to our existing clients	(a) Identity Data(b) Contact Data	Performance of a contract with you.
Procurement activities, such as our communications with potential or existing suppliers	(a) Identity Data(b) Contact Data	(a) Performance of a contract with you; and(b) Legitimate interests – procuring goods or services that we need to operate our business.
Invoicing and payment related matters in relation to:our service fees that we charge to our clients; andfees that we owe to our suppliers.	(a) Identity Data(b) Contact Data(c) Financial Data	(a) Performance of a contract with you; and(b) Legitimate interests – to recover debts owed to us.
Audio recording of inbound and/or outbound calls for training and monitoring purposes	(a) Identity Data(b) Contact Data(c) Audio Data	Legitimate interests – to assess quality of service and facilitate staff training.
To enable participation in surveys and our carrying out of market research	(a) Identity Data(b) Contact Data(c) Usage Data(d) Marketing and Communications Data	Legitimate interests – to assess our clients’ opinion of the products and services that we provide, and how we can make improvements.
To administer and protect our business and websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	(a) Identity Data(b) Contact Data(c) Technical Data	(a) Legitimate interests – for the operation of our business, provision of administration and IT services, network security and to prevent fraud; and(b) Legal obligation – to comply with the UK GDPR and DPA 2018.
To deliver relevant online advertisements to you and measure or understand the effectiveness of the advertising we serve to you	(a) Identity Data(b) Contact Data(c) Technical Data(d) Usage Data(e) Marketing and Communications Data	(a) Legitimate interests – marketing and promotion of our products and services; OR(b) Consent – having obtained your prior consent to delivering relevant online advertisements.
To use data analytics to improve our websites, products/services, client relationships and experiences and to measure the effectiveness of our communications and marketing	(a) Technical Data(b) Usage Data	Legitimate interests – to define types of clients for our products and services, to keep our website updated and relevant, to develop our business and inform our marketing strategy.
To send relevant marketing communications and make personalised suggestions and recommendations about products or services that may be of interest	(a) Identity Data(b) Contact Data(c) Technical Data(d) Usage Data(e) Marketing and Communications Data	(a) Legitimate interests – to carry out direct marketing, develop of products/services and grow our business; OR(b) Consent – having obtained your prior consent to receiving direct marketing communications.
To receive and assess job applications submitted through our websites in order to carry out our recruitment and talent acquisition activities	(a) Identity Data(b) Contact Data	Legitimate interests – to carry out our recruitment to source the best possible candidates for open job vacancies.

Direct marketing

You will receive marketing communications from us if you have requested information from us about the products and services we provide, if you are an existing client, or if you have otherwise opted in to receiving marketing materials. An unsubscribe option will be provided with all electronic marketing communications that we send.

We do not share your Personal Data with third parties to be used for direct marketing purposes, unless you have given your explicit consent.

Cookies

Our websites may use ‘cookies’. ‘Cookies’ are alphanumeric identifiers that are placed on your computer’s storage drive through your web browser. ‘Cookies’ enable our system to recognise your browser and maintain your purchasing details in your shopping basket. They also allow us to track the user across multiple sessions for analytical purposes.

By disabling ‘cookies’, you will not be able to participate in some of the features offered by us. Most Internet browsers are pre-set to accept cookies. If you prefer not to receive ‘cookies’, you may adjust your Internet browser to disable or to warn you when ‘cookies’ are used. As there are many browsers in the marketplace, the easiest way to change your settings is by searching for ‘cookies’ in your Help/Contents and Index options on your browser. We recommend that you leave your ‘cookies’ enabled; otherwise you may not be able to use some portions of our Service. Our ‘cookies’ don’t send us back any information about your computer (except your IP address) or any other information on your computer’s storage drive.

If you are visiting one of our websites that uses cookies, you can find more information about the cookies we use in the relevant Cookie Policy.

5. Disclosure of your Personal Data

We may share your Personal Data with the third parties set out below for the purposes set out in the section ‘How we use your Personal Data’ above.

Our group companies: Other companies in our corporate group who are based in Australia, the UK and elsewhere, and provide services and undertake reporting, or the furtherance of our legitimate interests.
External third parties: Third party technology services, such as website hosting and data analytics; Service providers acting as contractors, such as marketing agencies and professional advisors; the Courts, governmental and regulatory authorities as required by law.
Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Privacy Policy.

We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

6. International transfers

We share your Personal Data within the Jumbo Interactive Group, of which the ultimate parent company is Jumbo Interactive Ltd, an Australian company (ABN 66 009 189 128). This will involve transferring your data outside the UK. We ensure your Personal Data is protected by requiring all our group companies to maintain appropriate safeguards and adhere to the same data protection obligations as us in the handling and processing of our personal data.

Whenever we transfer your Personal Data for processing outside of the UK, whether within our corporate group or to an external third party, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data;
Where we use service providers or related group companies who are located in a country that is not subject to an adequacy decision, we use specific contracts that ensure your Personal Data is subject to the same protections that exist against us in the UK.

Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Data out of the UK to a specific third party.

7. Data security

We use a range of security mechanisms and procedures to protect the Personal Data we hold. We make all reasonable efforts to ensure your Personal Data is stored securely both in electronic and physical forms and these comply with the UK GDPR and the DPA 2018. However, there may be risks associated when transferring your Personal Data to us from other internet facilities or by email.

We will take all reasonable steps to ensure that any third party organisations we deal with are bound by confidentiality and privacy obligations in relation to the protection of our customers’ Personal Data. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.

8. Data retention

We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Personal Data that is no longer required will be destroyed in accordance with the UK GDPR and the DPA 2018.

In some circumstances you can ask us to delete your data: see the section ‘Your rights in relation to your Personal Data’ below for further information.

In some circumstances we will anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. Your rights in relation to your Personal Data

You have rights under the UK GDPR and DPA 2018 in relation to your Personal Data. This includes a right to:

Request access to your Personal Data;
Request correction of your Personal Data;
Request erasure of your Personal Data (also known as the ‘right to be forgotten’);
Request restriction of processing your Personal Data;
Withdraw consent;
Data portability.

If you wish to exercise any of the rights set out above, please contact our Data Protection Officer. All requests must be made in writing or by email and addressed to the Data Protection Officer at the address listed at the end of this Privacy Policy.

It is our policy to respond to any such request within one (1) month of receipt. Occasionally, it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated as consideration of your request progresses. We will not typically charge you for making requests to access any information held about you, however, we reserve the right to undertake cost recovery for the provision of such information where it is justified.

If there is a reason for not granting you access to your information, we will provide you with a written explanation of the reasons for the refusal (unless unreasonable to do so) and inform you of the mechanisms to complain about the refusal.

10. Enquiries and complaints

Information about the UK GDPR, the DPA 2018, and your legal rights can be found on the Information Commissioner’s website (details below).

If you have a complaint regarding our management of your Personal Data, wish to correct information held by us or require further information, please contact our Data Protection Officer. Our policy is to respond to your complaint, correction request or query within a reasonable period of time after the complaint is received.

If you are not satisfied with the outcome of your complaint, you may refer your complaint to the Information Commissioner by contacting their helpline on 0303 123 1113 or by visiting the website www.ico.org.uk.

11. Updates to this Privacy Policy

We reserve the right to make changes to this Privacy Policy. Any changes made to the Privacy Policy in the future will be posted on this page and such changes will become effective upon posting of the revised Privacy Policy. If we make any material or substantial changes to this Privacy Policy we will use reasonable endeavours to inform you by email, notice on our website or our other communication channels.