Privacy Policy

This Privacy Policy explains how Stake, operated via the website stakebet-au.com (the "Website"), collects, uses, discloses and protects your personal information when you visit the Website or use our services. It applies to players, prospective players, and other visitors to the Website, whether browsing or registering an account. By using the Website, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy is effective from 1 February 2026 and supersedes all previous versions applicable to stakebet-au.com.

Who We Are

The Website and related online gambling services provided under the name Stake on stakebet-au.com (collectively, the "Services") are operated by:

Operator / Data Controller: Medium Rare N.V.
Legal form: Public limited liability company (N.V.) incorporated under the laws of Curaçao
Registration number: 145353 (Curaçao Chamber of Commerce)
Registered office / legal address: Korporaalweg 10, Willemstad, Curaçao
Gaming licence: Curaçao eGaming / Antillephone sub-licence no. 8048/JAZ (issued in Curaçao; this is not an Australian gambling licence)

For certain payment methods and financial operations, processing may also be carried out by our group subsidiary:

Payment processing entity: Medium Rare Limited
Jurisdiction: Gibraltar (subsidiary responsible for payment processing support)

For the purposes of applicable privacy laws (including the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs") for users in Australia, the EU General Data Protection Regulation ("GDPR") for users in the EEA/UK, and relevant Mexican regulations where applicable), Medium Rare N.V. is the primary controller of your personal information collected through stakebet-au.com.

Data Protection Contact / DPO:

E-mail: [email protected] (Data Protection Officer / privacy team)
Postal address for privacy matters: Data Protection Officer, Medium Rare N.V., Korporaalweg 10, Willemstad, Curaçao
Online contact: via the support or "Contact Us" channels available on stakebet-au.com

What Personal Data We Collect

We collect only the information that is reasonably necessary for, or directly related to, the operation of our Services and compliance with legal obligations (including KYC/AML requirements). The categories of personal data we may collect include:

Identification and Contact Data

Full name, date of birth, and gender (where provided)
Residential address, billing address, and country of residence
E-mail address, telephone number, and preferred language
Government-issued identification data for verification (e.g., ID card, passport, driver's licence number, tax ID where required)

Account and Service Data

Username, account ID, and password (stored in hashed form)
Account settings, preferences, communication choices and consent records
Customer support interactions (chat logs, emails, tickets, call notes)

Financial and Payment Data

Payment instrument details (e.g., partial card details, masked account numbers, IBAN or wallet identifiers as required for deposits/withdrawals)
Deposit and withdrawal history, balances, bonuses, and chargeback information
Billing details and transaction identifiers provided by our payment partners

Behavioural and Usage Data

Betting history and game activity (games played, stakes, wins/losses, session duration)
Log-in and log-out times, pages visited, clicks, referral/affiliate information
Responsible gambling interactions (self-exclusion, limits, cooling-off periods)

Technical and Device Data

IP address, approximate geolocation derived from IP, and time zone
Device identifiers, device type, operating system, browser type and settings
Log files and technical events (crash logs, error reports, performance metrics)

Cookies and Similar Technologies

Session identifiers and authentication tokens
Preferences cookies (language, region, display settings)
Analytics cookies and similar tracking technologies (for traffic statistics and service optimisation)
Advertising and affiliate cookies, pixels or tags (only where permitted by law and, where required, with your consent)

Special Categories and Sensitive Information

We do not intentionally collect sensitive information (e.g., health, religious beliefs) unless required for a clear legal purpose (such as verifying age or investigating fraud) and handled in accordance with applicable law.

Legal Basis for Processing

We process your personal data only where we have a lawful basis to do so. Depending on your location (including Australia, the EEA/UK, and Mexico) and the specific processing activity, the legal bases may include:

Performance of a Contract

To create, administer and maintain your Stake account on stakebet-au.com
To process deposits, bets, withdrawals and bonus allocations
To provide customer support and communicate about your account and transactions

Compliance with Legal Obligations

To comply with anti-money laundering ("AML"), counter-terrorism financing, fraud-prevention and "Know Your Customer" ("KYC") obligations under applicable laws and licence conditions
To comply with tax, accounting, reporting and record-keeping requirements
To respond to lawful requests from courts, law enforcement, regulators, and relevant authorities (including, where applicable, bodies such as the Australian Communications and Media Authority (ACMA), Curaçao Gaming Control Board, or data protection regulators)

Legitimate Interests

To operate, secure and improve the Website and Services
To detect, investigate and prevent fraud, abuse, security incidents or other prohibited activities
To conduct analytics, statistics and service optimisation to better understand usage and enhance user experience
To protect our legal rights, interests and the integrity of our Services

Consent

To send you direct marketing communications (e-mail, SMS, push notifications) where your consent is required by law
To place or access non-essential cookies and similar technologies on your device in jurisdictions where explicit consent is required (e.g., certain EEA/UK jurisdictions)
To share data with third-party advertising networks and affiliates for personalised marketing, where applicable

Where we rely on consent, you may withdraw your consent at any time using the mechanisms provided (for example, in your account settings, through unsubscribe links, or by contacting us). Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Purpose of Processing

We use your personal data for the following purposes, which are closely aligned with the operation of Stake on stakebet-au.com and our legal obligations:

Provision and Management of the Services

Creating and managing your player account
Enabling gameplay, processing bets, and settling wagers
Processing deposits and withdrawals, including verification of payment methods
Managing promotions, bonuses, loyalty and VIP programmes

Compliance, Risk Management and Responsible Gambling

Carrying out identity verification, age checks, and due diligence (KYC)
Monitoring transactions and behaviour for AML, fraud and integrity risks
Implementing responsible gambling tools and interventions (limits, self-exclusion, monitoring potentially harmful behaviour)

Communication and Customer Support

Sending service-related messages (security alerts, account notices, transactional emails)
Responding to your requests, complaints and support queries
Providing updates about changes to our terms, policies or technical issues

Analytics and Service Improvement

Analysing traffic, usage patterns and performance of the Website
Testing, troubleshooting and enhancing site functionality and user experience
Developing new features and products based on aggregated and de-identified information

Marketing and Personalisation

Providing offers, promotions and news about Stake tailored to your profile, where permitted by law
Measuring the effectiveness of our marketing campaigns and affiliate programmes
Displaying relevant content and recommended games based on your preferences and activity

Disclosure & Sharing

We do not sell your personal information. We may, however, share your data with carefully selected third parties where necessary for the purposes described above, in accordance with applicable law and subject to appropriate safeguards.

Service Providers and Group Companies

Payment and banking partners: Financial institutions, payment processors, and wallet providers that facilitate deposits, withdrawals and fraud checks (including Medium Rare Limited in Gibraltar).
IT and infrastructure providers: Hosting, cloud storage, security, content delivery networks, and technical support providers.
Verification and AML providers: Identity verification, KYC/AML and risk-scoring service providers.
Professional advisors: Lawyers, auditors, consultants, and accountants, where necessary for our business operations and legal obligations.

Regulators, Authorities and Dispute Bodies

Gaming regulatory bodies and authorities responsible for overseeing gambling operations in relevant jurisdictions, including the Curaçao Gaming Control Board (consumer complaint portal at gamingcontrolcuracao.org/consumer-complaints).
Data protection and privacy regulators (such as the Office of the Australian Information Commissioner (OAIC), EU/EEA supervisory authorities, and relevant Mexican authorities) where they request information lawfully or we submit information in relation to a complaint.
Law enforcement agencies, courts and other government bodies (including, where applicable, the Australian Communications and Media Authority (ACMA) or other enforcement agencies) where disclosure is required by law or reasonably necessary to protect our rights or those of others.

Marketing, Affiliates and Advertising Networks

Affiliate partners who refer players to Stake and require limited information (e.g., attribution and conversion data) to validate referral and commission arrangements.
Marketing and advertising service providers, including email distribution tools, analytics platforms, and, where permitted by law and with your consent where required, advertising networks and social media platforms for targeted or look-alike campaigns.

Corporate Transactions

In the event of a merger, acquisition, restructuring, sale of assets or similar corporate transaction involving Medium Rare N.V., your personal data may be disclosed to prospective or actual purchasers and their advisors, subject to confidentiality obligations and applicable law.

Whenever we share your personal data with third parties, we require them to use it only for the purposes for which it was provided, to protect it appropriately, and to process it in accordance with this Privacy Policy and applicable legal requirements.

International Transfers

Stake is operated on an international basis, and your personal data may be transferred to, stored in, or accessed from countries outside your country of residence, including:

Curaçao (headquarters and main operational centre of Medium Rare N.V.)
Gibraltar (Medium Rare Limited as payment processing subsidiary)
Countries in the European Economic Area (EEA) and the United Kingdom
Other countries where our hosting providers, technical suppliers or professional advisors are located (which may include the United States and other jurisdictions)

Different countries may have different data protection laws. Where we transfer personal data internationally, we implement appropriate safeguards, such as:

Contractual protections, including Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms for personal data originating from the EEA/UK.
Use of providers participating in recognised international transfer frameworks (e.g., the EU - US Data Privacy Framework, where applicable and up to date).
Technical and organisational security measures to protect data during transfer and at the destination (encryption in transit and at rest, strict access controls).
Internal policies and procedures limiting access and use of personal data to what is necessary for the purposes described in this Policy.

By using the Services, you understand that your data may be processed in these locations. Where required by law, we will seek your explicit consent to such transfers or provide you with additional information about the safeguards in place.

Data Retention

We retain your personal data only for as long as reasonably necessary to fulfil the purposes for which it was collected, to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements. Retention periods may vary depending on the type of data and local legal requirements, but typically include:

Account and identification data (KYC records): Generally retained for the lifetime of your account and for 5 - 7 years after account closure, in order to comply with AML/CTF, gaming, tax and record-keeping obligations.
Transaction and betting history: Typically retained for 5 - 7 years from the date of the relevant transaction or account closure, whichever is later, for legal, regulatory and accounting purposes.
Customer support and communications: Retained for up to 5 years from the last contact, unless a longer retention period is required in connection with a dispute, investigation or legal claim.
Technical logs and security data: Retained for approximately 12 - 24 months from the date of collection, unless longer retention is necessary for security incident investigations or legal proceedings.
Marketing data: Retained until you withdraw your consent, opt out of marketing, or your account is closed, and for a limited period thereafter to document your preferences.

When data is no longer required for any permitted purpose, we will either irreversibly anonymise it (so it can no longer be associated with you) or securely delete or destroy it. Where you exercise your right to erasure, we will also retain only the minimum information necessary to demonstrate compliance with your request and our legal obligations.

Your Rights

Depending on your location and subject to applicable law (including the Australian Privacy Principles, the GDPR, and Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)), you may have the following rights in relation to your personal data:

Access and Rectification

The right to request confirmation of whether we process your personal data and to access a copy of such data.
The right to request that we correct or update inaccurate, incomplete or outdated personal information.

Erasure and Restriction

The right to request deletion of your personal data where it is no longer needed for the purposes for which it was collected, where you withdraw consent (where applicable), where you have successfully objected to processing, or where we are required to erase it to comply with law.
The right to request that we restrict the processing of your personal data (for example, while we verify its accuracy or our legitimate interest in processing it).

Objection and Direct Marketing

The right to object, on grounds relating to your particular situation, to processing based on our legitimate interests (including certain profiling).
The right to object at any time to the use of your personal data for direct marketing purposes. If you object, we will stop using your data for marketing. You can exercise this right by using unsubscribe links in emails, adjusting your account settings, or contacting us.

Data Portability (where applicable)

For users subject to the GDPR or similar frameworks, the right to receive certain personal data you have provided to us in a structured, commonly used and machine-readable format, and to request that we transmit it to another controller where technically feasible.

Consent Management

Where processing is based on your consent (e.g., certain marketing, cookies), you have the right to withdraw that consent at any time. Withdrawal does not affect prior lawful processing.

Rights under Mexican Law (ARCO Rights)

Under Mexican law (LFPDPPP), you may have specific rights of Access, Rectification, Cancellation and Opposition ("ARCO rights"). These correspond broadly to the rights described above and can be exercised using the contact channels in this Policy. We will process ARCO requests in accordance with applicable Mexican regulations.

How to Exercise Your Rights

Submit a request: Contact us via [email protected] or through the dedicated privacy or support channels on stakebet-au.com, clearly indicating your identity, the right you wish to exercise, and any relevant details.
Verification: To protect your privacy and security, we may need to verify your identity (for example, by requesting additional information or confirmation from your registered email address).
Response timeframe: We aim to respond to all valid requests within 30 days of receipt, or within any shorter period required by applicable law. If your request is complex or we receive multiple requests, we may extend this period by a reasonable additional time, and we will inform you of any such extension.
Fees: Requests are generally handled free of charge. However, where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request, as permitted by law.

Cookies & Tracking Technologies

We use cookies and similar tracking technologies on stakebet-au.com to provide and enhance the Services, understand usage and tailor content. Cookies are small text files placed on your device when you visit the Website.

Types of Cookies We Use

Session cookies: Temporary cookies that exist only during your browsing session and are deleted when you close your browser. They are used, for example, to keep you logged in as you navigate the Website.
Persistent cookies: Cookies that remain on your device for a defined period or until you delete them. They help us remember your preferences (such as language and region) and recognise you when you return.
First-party cookies: Cookies set by stakebet-au.com directly.
Third-party cookies: Cookies set by third parties, such as analytics providers, advertising networks, or affiliate tracking systems.

Purposes of Cookies

Strictly necessary / functional: Required for the Website to function correctly, enable navigation, basic features and secure areas (e.g., log-in, session management).
Preferences: To remember your choices (such as language, currency, layout) and provide a more personalised experience.
Analytics and performance: To gather aggregated information about how visitors use the Website, enabling us to improve performance, usability and content (e.g., page views, device types, navigation paths).
Advertising and affiliate tracking: To measure the effectiveness of campaigns, ensure affiliates are fairly rewarded, and, where permitted, tailor marketing messages to your interests.

Managing Cookies

You can manage or disable cookies through your browser settings. Most browsers allow you to refuse all or some cookies, or to alert you when websites set or access cookies.
Some features of stakebet-au.com may not function properly if you disable certain cookies, particularly those that are strictly necessary for operation and security.
In certain regions, you may also be presented with a cookie banner or settings panel that allows you to accept or reject non-essential cookies. You can change your preferences at any time using this panel, where available.

Data Security

We take the security of your personal data seriously and implement a combination of technical, organisational and physical measures designed to protect it against unauthorised access, loss, misuse, alteration or destruction.

Technical Measures

Encryption in transit and at rest: Data transmitted between your browser and stakebet-au.com is protected using Transport Layer Security (TLS) protocols (TLS 1.2 or higher). Sensitive data is also protected by appropriate encryption or pseudonymisation at rest where feasible.
Access controls: Access to personal data is restricted to authorised personnel and service providers strictly on a need-to-know basis, using authentication and authorisation mechanisms.
Network and infrastructure security: Firewalls, intrusion detection/prevention systems, secure configuration management and regular updates are used to reduce vulnerabilities.

Organisational and Procedural Measures

Policies and training: Staff members who handle personal data receive training on privacy, data protection, confidential information and security best practices, and are bound by confidentiality obligations.
Risk management and audits: We regularly review our security controls and may conduct internal and external assessments, vulnerability scans or audits. We seek to align our practices with recognised industry standards such as ISO 27001 and SOC 2 principles, where appropriate.
Incident response: We maintain procedures to detect, assess and respond to actual or suspected data breaches. In the event of a breach affecting your personal data, we will take steps to mitigate the impact and, where required by law, notify you and relevant authorities without undue delay.

While no system can guarantee absolute security, we continuously work to enhance our safeguards. You are also responsible for maintaining the confidentiality of your account credentials and for using appropriate security measures (such as strong, unique passwords and enabling multi-factor authentication where offered).

Complaints & Contacts

If you have questions, concerns or complaints about how we handle your personal data, or if you wish to exercise your privacy rights, you can contact us using the following channels:

Contacting Us

E-mail (primary contact): [email protected]
Postal: Data Protection Officer, Medium Rare N.V., Korporaalweg 10, Willemstad, Curaçao
Online: via support or "Contact Us" forms and live chat (where available) on stakebet-au.com

Internal Complaint Procedure

Submit your complaint: Provide as much detail as possible about your concern (including relevant dates, account details and supporting documentation).
Acknowledgement: We will acknowledge receipt of your complaint within a reasonable time (typically within 7 days).
Investigation: We will investigate your complaint, which may involve contacting you for further information and reviewing relevant records and systems.
Response: We aim to provide a substantive response within 30 days of receiving your complaint, or within any shorter period required under applicable law. If we are unable to respond within this time, we will inform you of the reasons and the expected timeframe.
Further steps: If you are not satisfied with our response, you may request that the matter be escalated internally or pursue external remedies as described below.

External Complaint and Supervisory Authorities

Depending on your location, you may have the right to lodge a complaint with a data protection or privacy regulator:

Australia: Office of the Australian Information Commissioner (OAIC)
Website: https://www.oaic.gov.au/privacy/privacy-complaints
European Economic Area / UK: Your local data protection authority or the Information Commissioner's Office (ICO) in the UK. Contact details for EU/EEA authorities are available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
Mexico: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI)
Website: https://www.inai.org.mx

For consumer complaints relating specifically to gaming regulation and our licence in Curaçao, you may also contact the relevant Curaçao authority, including via the consumer complaints portal at https://gamingcontrolcuracao.org/consumer-complaints. Please note that such bodies generally handle gambling-related issues rather than data protection complaints, which are typically addressed by privacy regulators as outlined above.

Updates

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, regulatory guidance or technical developments. When we make material changes, we will take appropriate steps to inform you in advance.

How We Notify You

Posting the updated Privacy Policy on stakebet-au.com, with a revised "Last updated" date.
Displaying prominent notices on the Website (e.g., banners, pop-ups, or dashboard alerts within your account).
Sending you an e-mail or in-account message where the changes are significant or where required by law.

Effective Date and Advance Notice

Material changes will generally take effect no earlier than 30 days after we notify you, unless a shorter period is required to comply with legal or regulatory obligations or to address urgent security or compliance issues.
Non-material changes (such as clarifications, formatting updates or corrections) may take effect immediately upon posting.

Your Options

If you continue to use the Services after the updated Privacy Policy becomes effective, you will be deemed to have accepted the changes.
If you do not agree with the updated Policy, you may choose to stop using the Services and request account closure at any time through your account settings or by contacting support. We will continue to handle your personal data in accordance with this Policy and applicable law, including our data retention obligations.

Last updated: February 2026