Privacy Policy – How gsc33 Handles Your Personal Data

This Privacy Policy ("Policy") is issued by gsc33 ("gsc33", "we", "us", or "our") and applies to all personal data collected, processed, and stored in connection with your use of the gsc33 platform at gsc33.app (the "Platform") and any associated services or communications.

gsc33 is committed to protecting the privacy and security of your personal information. This Policy is intended to inform you — as a registered user or visitor of gsc33 — of the categories of personal data we collect, the purposes for which such data is processed, the legal bases on which we rely, and the rights you hold in relation to your data.

By accessing or using the gsc33 Platform, registering an account, or otherwise interacting with our services, you acknowledge that you have read and understood this Policy and consent to the processing of your personal data as described herein. If you do not agree with this Policy, you must discontinue use of the Platform immediately.

This Policy should be read alongside the gsc33 Terms & Conditions, which are available at gsc33.app/terms-conditions.

gsc33 acts as the data controller in respect of personal data collected from users of the Platform. As data controller, gsc33 determines the purposes and means of processing your personal data in accordance with applicable data protection legislation.

Where gsc33 engages third-party service providers to process personal data on our behalf — such as payment processors, identity verification services, and customer support platforms — such providers act as data processors and are contractually bound to process data solely in accordance with gsc33's documented instructions and applicable data protection law.

For all data protection queries, requests, and complaints, please contact gsc33 at the details set out in Section 14 of this Policy.

gsc33 collects the following categories of personal data from users of the Platform:

Identity Data: Full legal name, date of birth, gender, nationality, and government-issued identification document details (including Identity Card number, passport number, or equivalent) as required for Know Your Customer (KYC) verification.

Contact Data: Email address, Malaysian mobile phone number, and residential address.

Financial Data: Payment instrument details (eWallet identifiers, bank account references, FPX transaction IDs), deposit and withdrawal history, and wallet balance records. Full payment card numbers are not retained by gsc33 and are processed exclusively by PCI-DSS compliant third-party payment processors.

Account & Gaming Data: Username, account creation date, login history (timestamps and IP addresses), game play records, bet history, bonus usage records, and account preference settings.

Device & Technical Data: IP address, browser type and version, operating system, device identifiers, time zone, and referring URL, collected automatically when you access the Platform.

Communications Data: Records of communications between you and gsc33, including live chat transcripts, support ticket content, and email correspondence.

Verification Documents: Copies of identification documents, proof of address, and payment method ownership evidence submitted during KYC.

gsc33 collects personal data through the following means:

(a) Directly from you — when you register an account, complete KYC verification, make a deposit or withdrawal, contact support, participate in promotions, or update your account profile.

(b) Automatically — through server logs, cookies, and similar tracking technologies when you access and interact with the Platform. This includes IP address logging, session tracking, and device fingerprinting used for security and fraud prevention purposes.

(c) From third parties — gsc33 may receive personal data from identity verification providers, payment processors, fraud detection services, and regulatory compliance services engaged to assist in operating the Platform. All such third parties are required to demonstrate adequate data protection practices before any data sharing arrangement is established.

gsc33 processes personal data for the following purposes, relying on the identified legal bases:

Account Management and Service Delivery (Legal basis: Performance of contract) — Processing necessary to create and maintain your gsc33 account, authenticate your identity at login, process deposits and withdrawals, and deliver gaming services.

KYC and Regulatory Compliance (Legal basis: Legal obligation) — Processing necessary to comply with anti-money laundering (AML), counter-terrorist financing (CTF), and know-your-customer (KYC) obligations imposed by applicable law and gsc33's licensing conditions.

Fraud Prevention and Platform Security (Legal basis: Legitimate interests) — Processing of technical and account data to detect, prevent, and investigate fraudulent activity, account misuse, collusion, and security breaches.

Customer Support (Legal basis: Performance of contract / Legitimate interests) — Processing communications data to respond to your queries, resolve disputes, and improve the quality of our support services.

Responsible Gaming (Legal basis: Legal obligation / Legitimate interests) — Monitoring gaming behaviour to identify indicators of problem gambling and to apply responsible gaming tools, including deposit limits, session limits, and self-exclusion measures.

Marketing and Promotions (Legal basis: Consent) — Where you have opted in to receive marketing communications, gsc33 may use your contact details to send information about promotions, new games, and platform updates. You may withdraw this consent at any time through your account settings or by contacting support.

gsc33 does not sell your personal data to third parties. We may share your personal data with the following categories of recipients where necessary and proportionate:

Payment Processors: Malaysian payment service providers including those facilitating Touch 'n Go eWallet, Boost, GrabPay, DuitNow, FPX, Maybank2u, CIMB Clicks, Public Bank Online, and Hong Leong Connect transactions — solely for the purpose of processing your deposit and withdrawal instructions.

Identity Verification Services: Third-party KYC providers who verify the authenticity of identification documents and perform AML screening checks.

Technology Providers: Cloud hosting, database management, customer support, and analytics platforms engaged by gsc33 to support the operation of the Platform, subject to data processing agreements.

Regulatory and Law Enforcement Authorities: gsc33 will disclose personal data to competent regulatory bodies, law enforcement agencies, or courts where required to do so by applicable law, court order, or legal process.

All third-party data processors engaged by gsc33 are contractually required to implement appropriate technical and organisational security measures and to process personal data only on gsc33's documented instructions.

In the course of operating the Platform and engaging third-party service providers, gsc33 may transfer personal data to jurisdictions outside Malaysia. Where such transfers occur, gsc33 ensures that adequate safeguards are in place to protect your personal data, consistent with applicable data protection requirements, including the use of standard contractual clauses or reliance on the adequacy decisions of relevant data protection authorities.

You may request further information regarding the safeguards applicable to specific international transfers by contacting gsc33 at the details in Section 14.

gsc33 retains personal data for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by applicable law. In particular:

Account and Gaming Records: Retained for a minimum of five (5) years following account closure, in compliance with AML and record-keeping obligations applicable to online gaming operators.

KYC and Identity Documents: Retained for a minimum of five (5) years following the conclusion of the business relationship, as required by applicable AML regulations.

Financial Transaction Records: Retained for seven (7) years for accounting and regulatory compliance purposes.

Marketing Data: Retained until you withdraw consent or object to processing, after which it will be deleted or anonymised within a reasonable timeframe.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with gsc33's internal data destruction procedures.

gsc33 uses cookies and similar tracking technologies (including pixel tags and local storage) on the Platform to facilitate its operation and improve user experience. The categories of cookies deployed include:

Strictly Necessary Cookies: Essential for the operation of the Platform — these include session authentication cookies, security tokens, and load-balancing cookies. These cannot be disabled without impairing your ability to use the Platform.

Functional Cookies: Used to remember your preferences, such as language settings and display preferences, to personalise your experience on gsc33.

Analytics Cookies: Used to collect aggregated, anonymised data about how users interact with the Platform — page visit frequency, session duration, and navigation paths — to help gsc33 improve the Platform.

Security Cookies: Used for fraud detection and prevention, including identifying unusual access patterns and bot detection.

You may manage non-essential cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of the Platform.

Subject to applicable data protection law, you have the following rights in relation to your personal data held by gsc33:

Right of Access: You have the right to request a copy of the personal data gsc33 holds about you, together with information about how it is processed.

Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data held by gsc33.

Right to Erasure: You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to gsc33's legal retention obligations.

Right to Restrict Processing: You may request that gsc33 restrict the processing of your personal data in certain circumstances, for example while an accuracy dispute is being resolved.

Right to Data Portability: Where processing is based on consent or contract and carried out by automated means, you may request that gsc33 provide your personal data in a structured, commonly used, and machine-readable format.

Right to Object: You have the right to object to processing of your personal data based on gsc33's legitimate interests, including for direct marketing purposes.

Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of the above rights, please submit a written request to gsc33 using the contact details in Section 14. gsc33 will respond to all verified requests within thirty (30) days, or notify you of any extension where the complexity of the request warrants additional time.

gsc33 implements a range of technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include SSL/TLS encryption for all data in transit, encrypted storage for sensitive data at rest, access controls limiting internal data access to authorised personnel with a legitimate operational need, regular security audits and penetration testing, and multi-factor authentication for administrative systems.

In the event of a personal data breach that poses a risk to user rights and freedoms, gsc33 will notify affected users and relevant regulatory authorities in accordance with applicable data protection legislation and within the prescribed notification timeframes.

You are responsible for maintaining the confidentiality of your gsc33 account credentials. gsc33 recommends enabling two-factor authentication (2FA) on your account as an additional security layer.

The gsc33 Platform is strictly intended for users aged twenty-one (21) years and above. gsc33 does not knowingly collect personal data from individuals under the age of 21. Where gsc33 becomes aware that personal data has been collected from an individual under the age of 21, such data will be deleted promptly and the associated account will be closed.

If you have reason to believe that a minor has registered on gsc33, please notify us immediately through the support channels in Section 14 so that appropriate action can be taken.

gsc33 reserves the right to update this Privacy Policy at any time. All amendments take effect upon publication on the Platform. The date at the top of this Policy reflects when it was last revised. We encourage you to review this Policy periodically to remain informed of how gsc33 protects your personal data.

Where a change materially affects the way in which we process your personal data, gsc33 will use reasonable efforts to notify registered users via the email address associated with their account prior to the amendment taking effect. However, such advance notice is provided as a courtesy and does not delay the effective date of the change.

For all data protection queries, rights requests, or complaints, please contact the gsc33 data protection team via the live chat facility on the Platform or by email at [email protected]. Please mark the subject of your communication as "Privacy Request" to ensure it is directed to the appropriate team.

gsc33 aims to resolve all privacy-related requests and complaints within thirty (30) days of receipt. Where a complaint cannot be resolved directly with gsc33, you may have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.

All formal written notices under this Policy should be addressed to gsc33 through the official communication channels noted above, referencing the specific provision of this Policy to which your communication relates.