burger icon
Calupoh United Kingdom
Log In

Privacy Policy

This Privacy Policy explains how Calupoh (operating via calapoh.com) collects, uses, shares, and protects personal data. A privacy policy is required to meet transparency obligations under the UK GDPR and the Data Protection Act 2018, and to help website visitors and players understand how their information is handled when using our services. It applies to (i) visitors to our website and (ii) registered players using our gambling services. Effective date: 6 November 2025.

Who We Are

OBSERVE: Calupoh is the Calupoh-branded online gambling service made available at calapoh.com. The operator information provided for this brand identifies an offshore corporate and licensing setup, with operational contacts limited to a single support email address.

EXPAND: Under UK GDPR, we must tell you who the controller is, how to contact the controller and (where applicable) the Data Protection Officer (DPO) or privacy function. Where the operator's public registration details are incomplete, we must still provide the best available identifiers and a clear channel for privacy requests.

REFLECT: For privacy matters, you may contact our data protection function using the details below. If you need additional corporate registration identifiers that are not listed here (e.g., company number, tax ID), you may request them via the same channel and we will respond in line with "Your Rights" timeframes.

  • Data controller / operator (legal name): Lupine Gaming N.V.
  • Registered address (as provided): Willemstad, Curaçao (street address and postal code not specified in source data).
  • Corporate details: Legal entity type: N.V. Company registration number and tax identification number: not specified in source data.
  • Gambling licence (as provided): Curaçao Gaming Control Board (GCB) - Licence No. OGL/2025/882/012 (B2C online gambling operator; validity not specified).
  • Important UK note: The brand is not licensed by the UK Gambling Commission (UKGC). Use by people in the UK may not benefit from UKGC protections and UK ADR frameworks may not apply.
  • Data Protection contact (DPO / privacy function): support@calapoh.com (marked in our records as support / self-exclusion contact; used as the primary operational contact for privacy requests where no separate DPO email is provided).
  • Website: https://calapoh.com
  • Payments-related entity (as provided): Lupine Pay Ltd (Cyprus) - address not specified in source data; described as handling payment processing.

What Personal Data We Collect

OBSERVE: To operate Calupoh at calapoh.com, we must identify users, deliver the service, process payments, secure the platform, and meet licensing/AML expectations. This necessarily involves collecting identity, technical, transactional, and usage information.

EXPAND: UK GDPR requires that we describe categories of data collected, including where data comes from (you, your device, payment providers, verification providers, affiliates) and the use of cookies and similar technologies. Gambling sector expectations also require clear references to KYC/age/identity checks and fraud monitoring.

REFLECT: We collect the following categories (not all categories apply to every user, and some are collected only where required by law or risk controls):

  • Identity & contact data: full name, date of birth, username, email address, telephone number (if provided), residential address and country of residence, and account identifiers.
  • Verification (KYC/AML) data: copies of identity documents, proof of address, age verification results, liveness/selfie checks where used, and screening results (e.g., sanctions/PEP/adverse media indicators where required by our compliance controls).
  • Payment & transaction data: deposit/withdrawal amounts, payment method details (e.g., masked card details, bank or e-wallet identifiers), payment processor reference IDs, chargeback/dispute data, and payout history. We do not intentionally store full card PAN/CVV where a regulated payment processor handles it.
  • Gameplay & behavioural data: betting/wagering history, game session activity, bonuses and promotions used, clicks and navigation events, responsible gambling interactions (e.g., self-exclusion requests sent to support@calapoh.com), and customer support communications.
  • Technical data: IP address, device identifiers, browser type, operating system, language settings, referring URLs, login timestamps, cookie identifiers, and server/application logs.
  • Marketing preference data: subscription status, consent records, campaign interactions, and opt-out records.
  • Cookies and similar technologies: first- and third-party cookies, SDKs/pixels, and comparable tracking technologies as described in "Cookies & Tracking Technologies".

Legal Basis for Processing

OBSERVE: Calupoh processes personal data to provide gambling services via calapoh.com, to secure accounts, to process payments, and to meet regulatory expectations linked to its Curaçao licence.

EXPAND: Under UK GDPR, processing must have a lawful basis. In an online gambling context, the most common bases are: (i) contract, (ii) legal obligation, (iii) legitimate interests, and (iv) consent (especially for optional marketing and non-essential cookies). Some processing (e.g., ID verification) may be required to perform the contract safely and to comply with AML-type obligations.

REFLECT: We rely on the following lawful bases, depending on the activity:

  • Contract (UK GDPR Art. 6(1)(b)): to create and administer your account, provide gameplay and related features, process withdrawals, and provide customer support.
  • Legal obligation (Art. 6(1)(c)): to meet compliance duties linked to anti-money laundering / counter-terrorist financing expectations, record keeping, responding to lawful requests from competent authorities, and licensing-related reporting requirements under the Curaçao framework applicable to our operator.
  • Legitimate interests (Art. 6(1)(f)): to prevent fraud, secure our systems, detect abusive behaviour, maintain platform integrity, measure performance, and improve services (balanced against your rights and expectations).
  • Consent (Art. 6(1)(a)): for direct marketing where required, and for non-essential cookies/advertising technologies (where deployed). You may withdraw consent at any time (see "Your Rights").

Regional compliance note (UK): Even though the operator is not UKGC-licensed, we aim to apply UK GDPR transparency standards for users in the UK accessing calapoh.com. Where UK ePrivacy rules apply to cookies, we use consent/controls for non-essential cookies.

Purpose of Processing

OBSERVE: The operational model described for Calupoh includes offshore licensing (Curaçao), UK-targeted access, affiliate-led acquisition, and a Cyprus-linked payments function. These features require data use for account delivery, payment processing, marketing attribution (where permitted), and heightened fraud controls.

EXPAND: Purposes must be specific, explicit, and legitimate. In gambling, it is important to separate service delivery from marketing, and to explain integrity measures (anti-fraud, AML, KYC) and analytics.

REFLECT: We use personal data for the following purposes:

  • Providing services: account registration, identity checks, access to games, processing deposits/withdrawals, bonus administration, and customer support.
  • Security and platform integrity: account protection, authentication, preventing unauthorised access, detecting suspicious activity, enforcing terms, and reducing payment risk (e.g., chargebacks).
  • Compliance and governance: KYC/AML screening and verification, record keeping, responding to lawful requests, and internal audits consistent with licensing expectations.
  • Service improvement and analytics: performance measurement, troubleshooting, user experience optimisation, and product development (typically using aggregated or pseudonymised data where feasible).
  • Marketing and communications: sending service messages (non-marketing), and - where permitted - marketing emails/SMS and affiliate attribution (subject to your preferences and cookie/marketing consent where required).

Disclosure & Sharing

OBSERVE: The provided profile indicates (i) an operator entity in Curaçao (Lupine Gaming N.V.), (ii) a payments-related subsidiary/entity in Cyprus (Lupine Pay Ltd), and (iii) affiliate marketing and potential advertising network activity. It also notes a "Regulator Complaint Form" exists but no URL is provided, implying potential regulatory interfacing.

EXPAND: UK GDPR requires that recipients/categories of recipients be described, including processors (hosting, KYC vendors, payment processors) and disclosures to authorities. Gambling environments also require clarity on fraud-prevention sharing and legal requests.

REFLECT: We may disclose personal data to the following recipients, only where necessary and subject to contractual and security controls:

  • Payment partners and processors: including entities involved in processing deposits/withdrawals and managing payment risk. This may include Lupine Pay Ltd (Cyprus) as described in our corporate information, and additional payment service providers used for transactions.
  • Identity verification and compliance service providers: KYC/age verification vendors, screening providers, and fraud-prevention services to protect users and meet compliance expectations.
  • IT and hosting providers: cloud hosting, content delivery networks, email delivery, customer support tooling, security monitoring, and analytics providers acting as processors.
  • Affiliates and advertising/analytics networks: where you have provided consent for advertising cookies/trackers, we may share or receive online identifiers and campaign data to measure marketing performance and attribute referrals.
  • Regulators and authorities: the Curaçao Gaming Control Board (GCB) and other competent authorities where we are required to comply with lawful requests or reporting obligations.
  • Corporate transactions: if the business is restructured, merged, or sold, data may be shared with professional advisers and counterparties subject to confidentiality and lawful transfer mechanisms.

Regional compliance note (UK): Because Calupoh is not UKGC-licensed, UK-specific ADR bodies may not have authority over the operator. Data disclosures will follow applicable data protection law and lawful request standards, regardless of user location.

International Transfers

OBSERVE: Calupoh operates at calapoh.com with an operator in Curaçao and a payments-related entity in Cyprus. Technical providers may also process data in other regions depending on hosting and vendor locations.

EXPAND: UK GDPR restricts transfers of personal data outside the UK unless appropriate safeguards apply (e.g., UK International Data Transfer Agreement (IDTA), UK Addendum to EU SCCs, adequacy regulations, or other permitted derogations). Cyprus is within the EEA and benefits from UK adequacy recognition in most practical contexts; Curaçao generally requires safeguards.

REFLECT: Your data may be transferred to and processed in:

  • Curaçao: where the operator (Lupine Gaming N.V.) is registered and licensed.
  • Cyprus (EEA): where payment processing functions may be supported via Lupine Pay Ltd (as described in our corporate information).
  • Other countries/regions: where our hosting, security, analytics, marketing, verification, or support providers operate (depending on vendor selection and service routing).

Where we transfer personal data internationally, we apply appropriate safeguards, which may include:

  • UK transfer mechanisms: the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses, as appropriate for the recipient and transfer route.
  • Risk assessment measures: transfer risk assessments, minimisation, encryption in transit (e.g., TLS 1.2+), and access controls.
  • Vendor due diligence: contractual security requirements and audit rights (where commercially and legally feasible).

Note on "Privacy Shield": We do not rely on the EU - US Privacy Shield (invalidated) as a standalone transfer mechanism. If US-based vendors are used, we implement UK-compatible contractual safeguards and additional protections as needed.

Data Retention

OBSERVE: Gambling operations involve financial transactions, KYC checks, and dispute/chargeback risks. The profile indicates offshore licensing and payment processing structures, implying retention for compliance and auditability. Exact statutory periods may vary by applicable regulator and risk profile.

EXPAND: UK GDPR requires retention to be no longer than necessary, with criteria disclosed. Gambling operators commonly retain KYC and transaction records for multiple years to meet AML and auditing expectations, and to address disputes. The prompt requires example periods (e.g., no more than 5 years after closure) and clear deletion criteria, with timeframes aligned to 2025+.

REFLECT: Unless a longer period is required/justified (e.g., legal claims, regulatory requests), we apply these retention guidelines:

  • Account profile data (identity/contact, account settings): retained while your account is active and for up to 5 years after account closure to handle compliance checks, disputes, and legal claims.
  • KYC/verification data: retained for up to 5 years after account closure (or longer where required to comply with legal obligations or regulator expectations linked to the operator's licensing framework).
  • Transaction and payment records: retained for up to 7 years from the date of the transaction (typical accounting/anti-fraud rationale), unless law requires otherwise.
  • Gameplay and behavioural logs: retained for up to 5 years after account closure for integrity, dispute resolution, and responsible gambling-related record keeping.
  • Customer support communications: retained for up to 3 years after resolution, unless needed longer for complaint handling or legal claims.
  • Technical logs and security events: typically retained for 6 - 24 months depending on security needs and storage constraints (longer if needed to investigate incidents or fraud patterns).
  • Marketing consents and suppression lists: retained as long as needed to evidence consent and ensure you are not contacted after opting out (suppression records may be retained longer to comply with opt-out obligations).

Deletion and anonymisation criteria:

  • Upon valid request: we will delete or anonymise data where the right applies and no overriding legal basis requires retention.
  • End of purpose: when data is no longer necessary for the purposes described and there is no legal obligation to retain it, we will securely delete or anonymise it.
  • Legal holds: we may restrict deletion where data is required to establish, exercise, or defend legal claims, or to comply with lawful authority requests.

Your Rights

OBSERVE: Users accessing Calupoh at calapoh.com are in the UK target market, so UK GDPR rights must be explained clearly with procedures, timelines (30 days), and fee rules. The prompt also requires alignment with Mexican privacy law, while the operator's origin domain references Mexico (calupoh.mx) but the UK-facing domain is calapoh.com; therefore, we should provide an "alignment" explanation without misrepresenting jurisdictional applicability.

EXPAND: UK GDPR grants: access, rectification, erasure, restriction, objection, portability, and rights related to automated decision-making. Additionally, users can withdraw consent for marketing. Mexican law (LFPDPPP) provides ARCO rights (Access, Rectification, Cancellation, Opposition) and mechanisms via INAI. We must avoid claiming Mexican law applies to UK users as a matter of course; instead, describe that we can process requests in a manner consistent with those principles where relevant (e.g., if data is processed in Mexico or through Mexican-affiliated systems - which is not evidenced here), or as a voluntary standard.

REFLECT: Subject to legal limits and identity verification, you have the following rights:

  • Right of access: request confirmation of whether we process your data and receive a copy.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): request deletion where processing is no longer necessary, consent is withdrawn (and no other lawful basis applies), or processing is unlawful. This right may be limited by record-keeping and compliance duties (e.g., AML/anti-fraud).
  • Right to restriction: ask us to suspend processing in certain cases (e.g., contested accuracy or unlawful processing where you prefer restriction over deletion).
  • Right to object: object to processing based on legitimate interests (including certain profiling). We will stop unless we demonstrate compelling legitimate grounds or the processing is needed for legal claims.
  • Right to data portability: receive certain data you provided to us in a structured, commonly used, machine-readable format and/or have it transferred to another provider where technically feasible.
  • Right to withdraw consent: withdraw consent at any time for consent-based processing (e.g., marketing or non-essential cookies). Withdrawal does not affect prior lawful processing.
  • Rights related to automated decision-making: where applicable, you may request human review and contest a decision that produces legal or similarly significant effects.

How to exercise your rights (procedure)

  1. Submit a request: email support@calapoh.com with the subject line "Privacy Request - Calupoh". Include the email/username on your account and the right you want to exercise.
  2. Verify identity: we may request additional information to confirm identity and protect your account (especially for access/erasure/portability requests).
  3. Response timeframe: we aim to respond within 30 days of verification. If requests are complex or numerous, we may extend the deadline as permitted by law and will inform you of the reason and expected timing.
  4. Fees: requests are generally handled free of charge. We may charge a reasonable fee or refuse a request if it is manifestly unfounded or excessive, as permitted by law.

Mexican privacy law alignment (ARCO rights) - transparency note

Although Calupoh is presented to UK users through calapoh.com and the operator is identified as Lupine Gaming N.V. (Curaçao), Calupoh's historical branding includes a Mexico-associated domain (calupoh.mx). Where relevant to a request (for example, if particular processing is carried out by service providers subject to Mexican law), we will handle requests in a manner consistent with the principles of Mexico's Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), including ARCO rights (Access, Rectification, Cancellation, Opposition), without reducing your UK GDPR protections.

Cookies & Tracking Technologies

OBSERVE: The profile indicates strong affiliate marketing reliance and UK traffic acquisition, which commonly involves third-party tracking (pixels, tags) and analytics. Cookies can also support essential account functions and security controls.

EXPAND: Under UK GDPR and UK ePrivacy requirements, non-essential cookies typically require consent. Users must be told what types exist, their purposes, and how to manage them via browser settings and any internal preference panel.

REFLECT: We use cookies and similar technologies on calapoh.com to operate Calupoh, improve performance, and (where you choose) personalise marketing.

  • Strictly necessary (functional) cookies: enable core site features such as login sessions, account security, fraud prevention, and load balancing. These cookies are generally required for the service to function.
  • Performance/analytics cookies: help us understand how visitors use the site (e.g., page views, navigation paths, error events) to improve speed and usability.
  • Preference cookies: remember choices such as language, region, and cookie preferences.
  • Advertising/affiliate cookies (third-party): used (where enabled by you) to measure campaign performance, attribute referrals, and tailor advertising across sites/apps.

Cookie duration types

  • Session cookies: expire when you close your browser.
  • Persistent cookies: remain for a set period or until you delete them.
  • Third-party cookies: set by external services (e.g., analytics/advertising partners) and governed by their policies as well.

How to manage cookies

  • Browser controls: you can block or delete cookies using your browser settings (this may affect site functionality, including login and payments).
  • On-site preferences: where available, use the cookie banner or preference controls to accept/reject non-essential cookies.
  • Advertising controls: you can limit interest-based ads through device and browser privacy settings, where supported.

Data Security

OBSERVE: Calupoh involves high-risk processing (financial transactions, identity verification, account access) and is marketed into the UK while operating offshore, increasing the need for clear security controls and incident handling. The profile also notes that UK ISPs sometimes block access, which can lead users to try mirrors/DNS changes; this raises phishing risk and makes brand-domain clarity essential.

EXPAND: UK GDPR requires appropriate technical and organisational measures, and breach response readiness. The prompt requires specific measures: TLS 1.2+, encryption at rest and in transit, MFA, access controls, audits, staff training, incident response, and reference to standards (ISO 27001, SOC 2) "where applicable" without falsely claiming certification.

REFLECT: We implement risk-based safeguards designed to protect confidentiality, integrity, and availability of personal data:

  • Encryption in transit: TLS 1.2+ for data transmitted between your device and our servers.
  • Encryption at rest: sensitive datasets are encrypted at rest where feasible and appropriate, with key management controls.
  • Access controls: role-based access, least-privilege principles, and logging/monitoring of administrative access.
  • Account security: support for multi-factor authentication (MFA) where available; strong password requirements; detection of unusual login behaviour.
  • Secure development and change management: controlled deployment processes, vulnerability management, and patching practices.
  • Security monitoring and audits: periodic security reviews and testing; supplier security due diligence. Where service providers maintain recognised assurance reports (e.g., ISO 27001 certification or SOC 2 reports), we may rely on them as part of vendor assessment where applicable.
  • Staff training and confidentiality: training on data protection, phishing awareness, and incident escalation; confidentiality obligations for relevant staff and contractors.
  • Incident response: documented incident handling procedures, including containment, investigation, remediation, and notifications where legally required.

Anti-phishing notice (UK users): If access issues occur, only use the official domain calapoh.com. Be cautious of "mirror" links distributed via third parties; they may be fraudulent and could compromise your personal data.

Complaints & Contacts

OBSERVE: The provided contact dataset includes one critical email (support@calapoh.com) and mentions a "Regulator Complaint Form" without a URL. The operator is licensed in Curaçao (GCB) and targets UK players, but is not UKGC-licensed. The prompt requires escalation paths including Mexican authority (INAI) and EU authorities where applicable; additionally, UK users should be told about the UK ICO.

EXPAND: UK GDPR requires an accessible complaint route and the right to complain to a supervisory authority. For cross-border contexts, users may complain to the authority of their habitual residence (UK ICO for UK residents). Mexico's INAI is relevant for processing subject to Mexican law; we should include it as requested while clarifying applicability.

REFLECT: If you have questions, concerns, or complaints about privacy at Calupoh (calapoh.com), contact us and we will investigate.

How to contact us

  • Email (privacy/DPO function): support@calapoh.com
  • Website: https://calapoh.com
  • Postal (operator registered location as provided): Lupine Gaming N.V., Willemstad, Curaçao (full street address not specified).
  • Phone: not specified in source data.
  • Online forms: a "Regulator Complaint Form" is referenced in source data, but no URL is available; you may request the current link by emailing support@calapoh.com.

Complaint procedure (step-by-step)

  1. Step 1 - Submit: email your complaint to support@calapoh.com with "Privacy Complaint - Calupoh" in the subject line. Include your account identifier and a description of the issue.
  2. Step 2 - Acknowledgement: we aim to acknowledge within 7 days.
  3. Step 3 - Investigation: we review relevant logs, support history, and vendor interactions as needed, applying access controls and confidentiality safeguards.
  4. Step 4 - Outcome: we aim to provide a substantive response within 30 days of verifying your identity and understanding the complaint, or explain any lawful extension.
  5. Step 5 - Remediation: where appropriate, we correct records, adjust processing, or implement mitigation (e.g., security controls, vendor escalation).

Escalation to supervisory authorities

  • United Kingdom (ICO): Information Commissioner's Office - Website: https://ico.org.uk/ | Phone: +44 303 123 1113 | Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom.
  • European Union/EEA (where applicable): you may contact your local Data Protection Authority (DPA) in your EU/EEA country of residence. A directory is available via the European Data Protection Board: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
  • Mexico (INAI) - where applicable: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) - Website: https://home.inai.org.mx/ | General contact: atencion@inai.org.mx (public contact channel). This route is generally relevant where processing is subject to Mexican data protection law; it does not replace your UK right to complain to the ICO.

Updates

OBSERVE: The policy must show versioning, last-updated timestamp, and clear notice methods. The provided context includes last_updated: 2025-11-06, and the prompt requires a minimum 30-day advance notice for significant changes and user options to object or close accounts.

EXPAND: UK GDPR expects transparency: users should know when terms change and what changed. "Material changes" should be defined, and notification channels should be specified (email, banners, dashboard). Version control and a brief changelog improve accountability.

REFLECT: We may update this Privacy Policy to reflect legal, technical, or operational changes affecting Calupoh at calapoh.com.

  • Notification channels: we may notify you via (i) email to your registered address, (ii) prominent website banners on calapoh.com, and/or (iii) notices within your account dashboard (where available).
  • Advance notice: for significant/material changes (e.g., new sharing categories, new international transfer destinations, new processing purposes, or changes affecting your rights), we will aim to provide at least 30 days' notice before the change takes effect, unless a shorter period is required for security or legal compliance reasons.
  • Your options: if you object to a material change, you may (i) contact us to discuss your concerns, (ii) adjust your consent settings (e.g., marketing/cookies), and/or (iii) close your account and request deletion subject to legal retention limits.

Last updated: November 2025

Changelog of material changes

  • November 2025: Initial publication for Calupoh on calapoh.com, including UK GDPR disclosures, international transfer safeguards (UK IDTA/UK Addendum), updated complaints escalation (ICO/EDPB/INAI), and security measures baseline (TLS 1.2+, encryption, incident response).