Legal

Privacy Policy

Last updated: April 9, 2026

Who this policy covers. This Privacy Policy applies to personal data processed by Suppostat in the context of its website (suppostat.com) and its B2B services. Suppostat provides outsourced 24/7 player support to iGaming operators. We do not provide services directly to end players and do not store end-player personal data on our own systems. This policy covers data relating to: website visitors; business contacts and representatives of iGaming operators (prospective and current clients); and Suppostat's own employees and agents.

1. Data Controller

The data controller responsible for personal data collected through this website and in connection with our services is:

Suppostat
Website: suppostat.com
Email: privacy@suppostat.com

For any privacy-related queries or to exercise your rights, contact us at privacy@suppostat.com.

2. Scope: What We Process and What We Don't

2.1 What we process

As a B2B service provider, the personal data we process falls into three categories:

Website visitor data — technical and analytics data collected when you browse suppostat.com (see Section 7 on Cookies).
Business contact data — name, work email address, job title, company name, phone number, and business details provided by representatives of iGaming operators when enquiring about or engaging our services.
Operational service data — data necessary to deliver contracted services, such as helpdesk platform access credentials, escalation contact details, and internal documentation shared by the client under a signed Master Service Agreement (MSA). This data is processed on behalf of and under the instructions of the client operator.

2.2 What we do not process

Suppostat agents work within client-owned helpdesk platforms (such as Zendesk, Intercom, or equivalent systems). We do not extract, copy, or store end-player personal data — including names, payment details, identity documents, or gaming histories — on any Suppostat-controlled system. Any access to such data occurs solely within the client's controlled environment and is governed by the client's own privacy framework and any Data Processing Agreement between us.

3. Personal Data We Collect

3.1 Data you provide directly

Enquiry and contact form data — name, work email, company name, estimated ticket volume, monthly revenue range, and any free-text details you provide when submitting a website form.
Email and message correspondence — content of emails, messages, and other communications sent to us.
Service onboarding data — operational information exchanged during client onboarding, including helpdesk access credentials, product documentation, escalation matrices, and account management contacts.

3.2 Data collected automatically

When you visit suppostat.com, we collect limited technical data via Google Analytics 4 (GA4), subject to your cookie consent:

Anonymised IP address, browser type and version, operating system
Pages viewed, time on page, referring URL
Device type and approximate geographic location (country/city level)
Session and interaction data

Analytics data is only collected if you have accepted analytics cookies via our cookie banner. If you decline, GA4 is disabled for your session and no analytics data is sent to Google.

4. Legal Bases for Processing (GDPR Article 6)

Purpose	Legal basis
Responding to website enquiries and pre-sales communications	Legitimate interests (Art. 6(1)(f)) — we have a legitimate interest in responding to business enquiries about our services
Delivering contracted support services and managing the client relationship	Performance of a contract (Art. 6(1)(b)) — processing is necessary to perform our obligations under the MSA/SOW
Internal lead management and CRM record-keeping	Legitimate interests (Art. 6(1)(f)) — we have a legitimate interest in managing our business pipeline
Website analytics and performance measurement	Consent (Art. 6(1)(a)) — collected only with your explicit consent via the cookie banner
Compliance with legal obligations (e.g. tax records, legal proceedings)	Legal obligation (Art. 6(1)(c))
Protecting our legal rights and preventing fraud	Legitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, you have the right to object to that processing. We will not process your data on this basis where your interests or fundamental rights override ours. Please contact privacy@suppostat.com to raise an objection.

5. How We Use Your Information

To respond to website enquiries and schedule discovery calls or support audits
To assess suitability and scope potential engagements (pre-sales pipeline management)
To deliver, manage, and report on contracted player support services
To send service-related communications (onboarding materials, SLA reports, operational updates)
To manage our internal CRM and lead records
To analyse website traffic and improve the usability of suppostat.com (analytics only, with consent)
To comply with applicable laws and regulatory requirements
To protect our legitimate business interests and legal rights

We do not sell, rent, or trade personal data to any third party. We do not use personal data for automated decision-making that produces legal or similarly significant effects on individuals.

6. Data Sharing and Sub-Processors

We share personal data only as necessary and only with parties that provide appropriate safeguards. The following categories of recipients may receive personal data:

Recipient / Tool	Purpose	Location
Google Analytics 4 (Google LLC)	Website analytics and performance measurement — only with consent	USA (SCCs / adequacy mechanisms in place)
Notion (Notion Labs, Inc.)	Internal CRM and lead management (business contact data only)	USA (SCCs / adequacy mechanisms in place)
Telegram (Telegram Messenger Inc.)	Internal lead notification bot (business contact name and email only)	UAE / distributed (SCCs applied where relevant)
Google Workspace (Google LLC)	Email communication and document storage	USA (SCCs / adequacy mechanisms in place)
Client helpdesk platforms (e.g. Zendesk, Intercom — as directed by clients)	Delivery of contracted player support services — Suppostat acts as a data processor on behalf of the client operator	Varies — governed by client's DPA

All third-party service providers are contractually required to protect personal data and to process it only for the purposes specified. We do not share business contact data with unaffiliated marketing companies or data brokers.

Legal disclosure: We may disclose personal data if required by applicable law, court order, or lawful government authority. Where legally permitted, we will notify the affected individual before disclosure.

Business transfers: In the event of a merger, acquisition, restructuring, or sale of all or substantially all of Suppostat's assets, personal data may be transferred as part of that transaction. We will provide notice of any such transfer and any changes to this policy that result from it.

7. Cookies and Tracking Technologies

We use cookies and similar technologies on suppostat.com. Our Cookie Policy at suppostat.com/cookie.html provides full details of the cookies we use, their purposes, and how to manage your preferences.

Summary

Strictly necessary cookies — required for the website to function. No consent required.
Analytics cookies — Google Analytics 4 (GA4, tag ID: G-PT8QSNP9XW) measures website traffic and user behaviour. These are only set after you accept analytics cookies via our cookie banner.

You can change your cookie preferences at any time by clearing your browser's localStorage and reloading the page to trigger the cookie banner again, or by adjusting your browser settings. Declining analytics cookies does not affect your ability to use or view the website.

8. Data Retention

Data category	Retention period
Website enquiry and contact form data	3 years from last interaction, or until you request deletion
Pre-sales pipeline / CRM records	3 years from last engagement or decision not to proceed
Client service delivery data (under MSA)	Duration of the contract plus 3 years, unless a longer period is required by applicable law or agreed in the MSA
Employee / agent personal data	Duration of employment plus applicable statutory period (minimum 7 years under Estonian accounting law for payroll records)
Analytics data (GA4)	14 months (Google Analytics default retention, configured accordingly)
Email correspondence	3 years, unless the email relates to a contractual engagement (see above)

We review retained data periodically and delete or anonymise data that is no longer needed for the stated purposes.

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights with respect to your personal data:

Right of access (Art. 15) — to receive a copy of the personal data we hold about you and information about how it is processed.
Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected.
Right to erasure (Art. 17) — to request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction of processing (Art. 18) — to request that we limit how we process your data in certain circumstances.
Right to data portability (Art. 20) — to receive your data in a structured, machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
Right to object (Art. 21) — to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent (Art. 7(3)) — where processing is based on consent (e.g. analytics cookies), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, email privacy@suppostat.com with a clear description of your request. We will respond within one calendar month. In complex cases or where we receive a high volume of requests, we may extend this by a further two months and will notify you accordingly.

We may need to verify your identity before fulfilling a request. We will not charge a fee for reasonable requests. If requests are manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse the request.

Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The lead supervisory authority for Suppostat is:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: www.aki.ee
Email: info@aki.ee
Address: Tatari 39, 10134 Tallinn, Estonia

If you are located in another EU/EEA member state, you may also lodge a complaint with your local supervisory authority.

10. International Data Transfers

Some of our service providers (including Google and Notion) are based outside the EEA. Where we transfer personal data to countries not recognised by the European Commission as providing an adequate level of protection, we ensure appropriate safeguards are in place, specifically:

Standard Contractual Clauses (SCCs) — European Commission-approved contractual clauses pursuant to Commission Implementing Decision (EU) 2021/914, incorporated into our agreements with each relevant provider.
Adequacy decisions — where the destination country benefits from a European Commission adequacy decision.

You may request a copy of the applicable safeguards by contacting privacy@suppostat.com.

11. Security

We implement technical and organisational measures appropriate to the risk of processing, including:

Encrypted data transmission using TLS/HTTPS for all web communications
Access controls limiting data access to personnel who need it to perform their role
Mandatory signed non-disclosure agreements (NDAs) for all agents before access to any client environment
No local storage of client helpdesk data — agents operate exclusively within client-controlled platforms
Regular internal security reviews and access audits

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where required by GDPR Article 34.

12. Children's Data

Our website and services are directed at business professionals in the iGaming industry. We do not knowingly collect personal data from individuals under 18 years of age. If you believe we have inadvertently collected such data, please contact privacy@suppostat.com and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will indicate the date of the most recent revision at the top of this page. For material changes, we will take reasonable steps to notify affected individuals (e.g. by email to registered contacts or a prominent notice on the website) prior to the changes taking effect.

Continued engagement with our services after the effective date of a revised policy constitutes acceptance of the changes, to the extent permitted by applicable law.

14. Contact

For all privacy-related questions, requests, or concerns:

Suppostat — Privacy
privacy@suppostat.com

For general enquiries: hello@suppostat.com

See also: Terms of Service · Cookie Policy