pk399 Privacy Policy — How We Protect Your Personal Data

1 Introduction & Scope

1.1 This Privacy Policy describes how pk399 ("the Company", "we", "us", "our") collects, uses, stores, protects, and shares personal data relating to individuals who access or use the pk399 platform, including the website at pk399.org, any associated mobile-optimised interfaces, the pk399 login portal, casino games, sports betting services, live dealer tables, and customer support channels.

1.2 This policy applies to all registered players of pk399, prospective players who browse the platform without registering, and individuals who contact pk399 customer support. It applies to Pakistani players and any other individuals who access pk399 regardless of their geographic location.

1.3 "Personal data" in this policy refers to any information that identifies or could reasonably be used to identify a specific individual — including name, CNIC number, Pakistani mobile number, email address, IP address, device identifiers, and financial transaction records.

1.4 pk399 is committed to handling personal data in a manner that respects individual privacy and complies with applicable data protection legislation, including the requirements imposed by pk399's international gaming licence authority.

2 Who We Are — Data Controller

2.1 For the purposes of applicable data protection law, pk399 acts as the data controller in respect of personal data collected through the pk399 platform. As data controller, pk399 determines the purposes and means of processing your personal data.

2.2 pk399 operates under an international gaming licence that imposes data protection and privacy obligations on the Company as a condition of licence. The Company's data processing practices are subject to review by the relevant licensing authority.

2.3 For all data protection enquiries and requests to exercise your rights under this policy, contact pk399 at:

3 Personal Data We Collect

3.1 pk399 collects personal data through multiple channels: directly from you when you register, make a deposit, contact support, or use platform features; automatically through your interactions with the pk399 website; and from regulated third parties as part of identity and payment verification.

3.2 Data You Provide Directly

• Registration data: Full legal name, date of birth, Pakistani mobile number, email address, chosen username, and password (stored in hashed form — never in plain text);
• KYC documents: CNIC (front and back), and where required, proof of address and source-of-funds documentation;
• Payment data: JazzCash or EasyPaisa account numbers, bank account details for HBL, UBL, or Meezan Bank transfers, Raast ID, and 1LINK identifiers. pk399 does not store full card numbers or payment credentials — payment processing is handled by regulated payment processors;
• Support communications: Content of live chat messages, emails, and any attachments or screenshots you send to pk399 customer support.

3.3 Data Collected Automatically

• Technical data: IP address, device type, operating system, browser type and version, screen resolution, and connection type (4G, Wi-Fi, broadband);
• Usage data: Pages visited on pk399, game sessions played, bet amounts and outcomes, login and logout timestamps, session duration, and navigation patterns;
• Location data: Approximate geographic location derived from IP address — not GPS-level location. This is used for regulatory compliance and fraud prevention, not marketing;
• Cookies and similar technologies: See Section 8 for full details.

3.4 Data from Third Parties

• KYC verification providers: NADRA-linked identity verification services may confirm CNIC authenticity and date of birth;
• Payment processors: JazzCash, EasyPaisa, and linked banking networks confirm transaction status and payment method validity;
• Fraud and AML screening: Regulated third-party screening services may provide risk scores associated with your account based on transaction patterns.

4 How We Use Your Personal Data

4.1 pk399 uses your personal data for the following purposes:

• Account creation and management: To register your pk399 account, maintain your player profile, and manage your PKR wallet balance;
• Identity and age verification: To confirm you are aged 21 or above and to comply with Know Your Customer (KYC) obligations required under our gaming licence;
• Payment processing: To process deposits via JazzCash, EasyPaisa, HBL, UBL, Meezan Bank, Raast, and 1LINK, and to process withdrawal requests back to your verified payment method;
• Regulatory and AML compliance: To monitor transactions for money laundering indicators, comply with Anti-Money Laundering regulations, and report suspicious activity to relevant authorities where legally required;
• Responsible gaming: To identify patterns consistent with problem gambling behaviour and, where appropriate, to contact you proactively or impose protective measures on your account;
• Fraud prevention and platform security: To detect, investigate, and prevent fraudulent activity, multi-accounting, bot usage, and other platform abuse;
• Customer support: To respond to your enquiries, resolve account issues, and maintain records of support communications;
• Platform improvement: Anonymised and aggregated usage data is analysed to improve pk399 platform performance, game selection, and user experience;
• Direct communications: Where you have opted in, to send promotional emails, bonus notifications, and platform updates relevant to Pakistani players. You may opt out at any time.

4.2 pk399 does not use your personal data for automated decision-making that produces legal or similarly significant effects without human review. Fraud flags generated by automated systems are reviewed by a human member of the pk399 compliance team before account action is taken.

5 Legal Basis for Processing

5.1 pk399 processes your personal data only where a valid legal basis exists. The applicable legal bases are:

• Contractual necessity: Processing required to register your account, process your deposits and withdrawals, and provide the pk399 gaming services you have requested. Without this processing, pk399 cannot provide its services;
• Legal obligation: Processing required to comply with KYC and AML regulations, gaming licence conditions, and other applicable laws — including obligations to report suspicious transactions to regulators;
• Legitimate interests: Processing for fraud prevention, platform security, and platform improvement — where our legitimate interests in protecting the platform do not override your privacy rights;
• Consent: Processing for direct marketing communications, where you have provided explicit opt-in consent. You may withdraw consent at any time by contacting support or updating communication preferences in your pk399 account settings.

6 Data Sharing & Third Parties

6.1 pk399 does not sell your personal data. We share personal data with third parties only in the following limited circumstances, and only to the extent strictly necessary:

• KYC and identity verification providers: Regulated services used to verify CNIC authenticity and confirm that you meet the 21+ age requirement. These providers are bound by strict data processing agreements;
• Payment processors: JazzCash, EasyPaisa, and partnered banking networks receive the minimum data required to process your deposit or withdrawal transaction in PKR;
• AML and fraud screening services: Regulated third-party compliance tools that analyse transaction patterns for money laundering and fraud indicators. These services process data under contractual data processing agreements with pk399;
• Game software providers: Certain casino game providers (including those responsible for titles like Mahjong Ways and Wild Bandito) may receive anonymised or pseudonymised session data for game performance and RTP monitoring purposes. Personally identifiable data is not shared with game providers;
• Regulatory authorities: pk399's gaming licence authority, and any financial intelligence or law enforcement authority, may receive data where disclosure is required by law or in response to a valid legal order;
• Customer support tools: Secure, access-controlled customer support platforms used to manage live chat and email communications. Support agents can access only the data necessary to assist your specific query;
• Business successors: In the event of a merger, acquisition, or sale of the pk399 business, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections. Affected players will be notified in advance of any such transfer.

7 Data Retention

7.1 pk399 retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law and gaming licence obligations.

7.2 Upon expiry of the applicable retention period, personal data is either permanently deleted from all pk399 systems or irreversibly anonymised so that it can no longer be associated with any individual. Anonymised, aggregated data (which cannot identify you) may be retained indefinitely for statistical and analytical purposes.

8 Cookies & Tracking Technologies

8.1 pk399 uses cookies — small text files placed on your device — and similar tracking technologies (such as local storage objects and session identifiers) to operate the platform, maintain your pk399 login session, and improve your experience.

8.2 The categories of cookies used by pk399 are:

• Strictly necessary cookies: Required for the pk 399 platform to function. These include session cookies that keep you logged into your account and security tokens that protect against cross-site request forgery. These cookies cannot be disabled without breaking platform functionality;
• Functional cookies: Remember your preferences such as language selection (Urdu or English), preferred payment method (JazzCash, EasyPaisa, etc.), and responsible gaming settings you have configured in your account;
• Analytical cookies: Collect anonymised data about how players navigate and use the pk399 platform — which pages are visited most, where players encounter errors, and how long sessions last. This data is used exclusively to improve pk399 and is never sold or shared for advertising purposes;
• Security and fraud prevention cookies: Assist in identifying suspicious patterns such as multiple accounts from a single device, unusual login behaviour, or automated bot activity.

8.3 pk399 does not use third-party advertising cookies, social media tracking pixels, or cross-site behavioural tracking technologies. The cookies deployed by pk399 are confined to operating and improving the pk399 platform itself.

8.4 You may control cookie behaviour through your browser settings. Disabling strictly necessary cookies will prevent you from logging into your pk399 account. Disabling analytical or functional cookies will not prevent platform access but may reduce the quality of your experience.

9 Data Security

9.1 pk399 implements a layered set of technical and organisational security measures designed to protect your personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure. These measures include:

• 256-bit SSL/TLS encryption on all data transmitted between your device and pk399 servers — the same encryption standard used by major Pakistani financial institutions;
• Password hashing using industry-standard one-way hashing algorithms — your plain-text password is never stored by pk399 in any form;
• Two-factor authentication (2FA) available on all pk399 accounts, strongly recommended for all Pakistani players as an additional layer of account security;
• Access controls restricting internal pk399 staff access to personal data on a strict need-to-know basis, with access logs maintained and audited;
• Encrypted data storage on access-controlled servers located in data centres with physical security controls, fire suppression systems, and redundant power supplies;
• Regular penetration testing and security audits conducted by independent third-party security firms to identify and remediate vulnerabilities;
• Incident response procedures that are tested regularly and designed to contain, assess, and notify relevant parties of any data breach within required regulatory timeframes.

9.2 Notwithstanding the measures above, no data transmission over the internet and no data storage system can be guaranteed to be 100% secure. pk399 cannot absolutely guarantee the security of data transmitted to the platform, particularly where a breach originates from a player's own device or network. Players are encouraged to use strong, unique passwords for their pk399 account and to enable two-factor authentication.

9.3 Data Breach Notification. In the event of a personal data breach that is likely to result in a risk to player rights and freedoms, pk399 will notify affected players without undue delay via their registered email address. The notification will describe the nature of the breach, the data involved, the likely consequences, and the steps pk399 has taken to address it.

10 Your Rights Over Your Personal Data

10.1 As a player on pk399, you hold the following rights with respect to your personal data. These rights may be exercised by contacting pk399 at [email protected] with the subject line "Data Rights Request":

• Right of Access: You may request a copy of all personal data pk399 holds about you. pk399 will respond to verified access requests within 30 days, providing data in a structured, commonly used format;
• Right to Rectification: If any personal data pk399 holds about you is inaccurate or incomplete, you may request that it be corrected. For example, if your registered mobile number has changed, you may update this via Account Settings or by contacting support;
• Right to Erasure ("Right to be Forgotten"): You may request that pk399 delete your personal data. This right is subject to limitations — pk399 is legally required to retain certain data for regulatory purposes (see Section 7). Where erasure is not possible in full, pk399 will explain which data must be retained and why;
• Right to Restrict Processing: In certain circumstances, you may request that pk399 pause processing of your data while a dispute or accuracy query is resolved;
• Right to Data Portability: Where processing is based on your consent or on a contract, you may request that your data be transferred to you in a machine-readable format (CSV or JSON);
• Right to Object: You may object to processing of your data for direct marketing purposes at any time. You may also object to processing based on pk399's legitimate interests, though pk399 may continue processing where it can demonstrate compelling legitimate grounds.

10.2 pk399 will respond to all valid rights requests within 30 calendar days. Where requests are complex or numerous, this period may be extended by a further 60 days — in which case pk399 will notify you of the extension and the reason for it within the initial 30-day window.

10.3 pk399 will not charge a fee for handling rights requests unless a request is manifestly unfounded or excessive — in which case a reasonable administrative fee may be applied, or the request may be refused.

11 Children's Privacy — Strict 21+ Policy

11.1 The pk399 platform is strictly for individuals aged 21 years and above. pk399 does not knowingly collect, store, or process personal data belonging to anyone under the age of 21.

11.2 If pk399 discovers or is notified that personal data has been collected from an individual under 21 years of age, the relevant account will be immediately suspended and all associated personal data will be permanently deleted, with the exception of any data that must be retained for regulatory or legal purposes relating to the underage registration event itself.

11.3 Parents and guardians in Pakistan who believe that a minor in their care has registered on pk399 are encouraged to contact pk399 at [email protected] immediately. pk399 will investigate and act on all such notifications as a priority.

12 International Data Transfers

12.1 pk399 operates under an international gaming licence, and some of the third-party service providers it works with — including KYC verification platforms and certain game software providers — may be located outside Pakistan. This means that your personal data may be transferred to, stored in, or processed in countries outside Pakistan.

12.2 Where personal data is transferred internationally, pk399 ensures that appropriate safeguards are in place to protect your data to at least the same standard as would apply in Pakistan. Safeguards include:

• Data processing agreements incorporating standard contractual clauses that bind the recipient to data protection obligations;
• Transfers only to jurisdictions that provide an adequate level of data protection as determined by recognised international standards;
• Contractual obligations on receiving parties to implement appropriate technical and organisational security measures.

12.3 You may request details of the specific safeguards in place for any international transfer of your data by contacting pk399 at [email protected].

13 Changes to This Privacy Policy

13.1 pk399 may update this Privacy Policy from time to time to reflect changes in data processing practices, regulatory requirements, new services offered on the platform, or improvements in our privacy standards.

13.2 Where changes are material — meaning they significantly affect how your data is used or your rights in relation to it — pk399 will notify registered players via email to their registered address, or through a prominent notification displayed upon pk399 login, at least 14 days before the updated policy takes effect.

13.3 Non-material changes, such as corrections to typographical errors or minor clarifications that do not affect the substance of the policy, may be made without prior notice. The "Last Updated" date at the top of this document will always reflect the most recent revision.

13.4 Continued use of the pk399 platform following the effective date of an updated Privacy Policy constitutes your acceptance of that updated policy. If you do not agree with a change, you should cease using the platform and contact customer support to request account closure and data erasure in accordance with your rights under Section 10.

13.5 The current version of the pk399 Privacy Policy is always available at pk399.org/privacy-policy. Previous versions are archived and available upon request by contacting [email protected].

14 Contact & Complaints

14.1 For all privacy-related enquiries, requests to exercise your data rights, or concerns about how pk399 handles your personal data, please contact us using the details below:

14.2 Complaints. If you are dissatisfied with how pk399 has handled your personal data, you are entitled to raise a complaint with pk399 directly in the first instance by contacting [email protected] with the subject line "Privacy Complaint". pk399 will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.

14.3 If your complaint is not resolved to your satisfaction through pk399's internal process, you may escalate the matter to the data protection supervisory authority in the jurisdiction under which pk399 holds its gaming licence, or to any other competent authority under applicable law.