grmbet Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how grmbet ("grmbet", "we", "us", "our") collects, uses, discloses, and safeguards the personal data of users ("you", "your") who access or use the grmbet website at grmbet.app and any related services, features, or content offered by grmbet (collectively, the "Platform").

By registering for or using the grmbet Platform, you acknowledge that you have read and understood this Policy and consent to the collection and processing of your personal data as described herein. If you do not agree with any part of this Policy, you should discontinue use of the Platform immediately.

This Policy should be read together with grmbet's Terms & Conditions, which are available at grmbet.app/terms-conditions.

2. Data Controller

For the purposes of applicable data protection law, grmbet acts as the data controller in respect of personal data collected through the Platform. As data controller, grmbet determines the purposes and means by which your personal data is processed. Contact details for data protection enquiries are provided in Section 15 of this Policy.

3. Categories of Personal Data We Collect

grmbet collects the following categories of personal data from users of the Platform:

Category	Examples	Mandatory / Optional
Identity Data	Full legal name, date of birth, gender, nationality	Mandatory (KYC)
Contact Data	Email address, mobile phone number, residential address	Mandatory
Verification Data	Government-issued ID (e.g., MyKad number, passport), selfie for identity verification	Mandatory (withdrawal)
Financial Data	Payment method details, transaction history, deposit and withdrawal records	Mandatory
Account Data	Username, password (hashed), account preferences, VIP tier	Mandatory
Usage Data	Games played, bet history, session duration, feature interactions	Automatic
Technical Data	IP address, device type, browser type, operating system, login timestamps	Automatic
Communications Data	Support chat transcripts, email correspondence, feedback	Where applicable

4. How We Collect Your Personal Data

4.1 Directly from you — when you register an account with grmbet, complete identity verification, make deposits or withdrawals, contact our support team, participate in promotions, or respond to surveys.

4.2 Automatically — when you access and use the Platform, grmbet automatically collects technical and usage data through server logs, cookies, and similar tracking technologies. See Section 11 (Cookies) for further detail.

4.3 From third parties — grmbet may receive personal data about you from identity verification service providers, payment processors (including Touch n Go eWallet, Boost, and banking partners such as Maybank and CIMB), fraud detection agencies, and publicly available sources, where this is necessary to fulfil our legal compliance obligations or to provide the Platform.

5. How We Use Your Personal Data

grmbet uses your personal data for the following purposes:

• Account management: Creating, maintaining, and securing your grmbet account; processing your grmbet login; enabling account recovery;
• Service delivery: Processing deposits and withdrawals via Touch n Go eWallet and other supported payment channels; crediting bonuses; providing access to games and sportsbook features;
• Identity and age verification: Confirming that you are aged 21 or above and are the legitimate owner of the payment methods linked to your account;
• Legal compliance: Meeting our obligations under applicable anti-money laundering ("AML"), counter-terrorist financing ("CTF"), and know-your-customer ("KYC") regulations;
• Fraud prevention and platform security: Detecting and preventing fraudulent activity, account takeover, bonus abuse, and other prohibited conduct;
• Responsible gaming: Monitoring usage patterns to identify potential signs of problem gambling behaviour and applying responsible gaming measures requested by users;
• Communications: Sending transaction confirmations, account notifications, promotional communications (where you have opted in), and responses to support queries;
• Platform improvement: Analysing aggregate usage data to improve the grmbet Platform, game library curation, and user experience;
• Legal proceedings: Establishing, exercising, or defending legal claims involving grmbet.

6. Legal Basis for Processing

grmbet processes your personal data on the following legal bases under applicable data protection legislation:

• Contractual necessity: Processing required to fulfil our agreement with you, including account operation, payment processing, and service delivery;
• Legal obligation: Processing required to comply with AML, KYC, CTF, and other regulatory requirements applicable to grmbet's operations;
• Legitimate interests: Processing for fraud prevention, platform security, responsible gaming monitoring, and Platform improvement, where our interests are not overridden by your fundamental rights;
• Consent: Processing for marketing communications, where you have provided explicit opt-in consent. You may withdraw consent at any time by contacting grmbet support.

7. Disclosure of Your Personal Data

7.1 grmbet does not sell your personal data to third parties. We may disclose your personal data to the following categories of recipients only to the extent strictly necessary for the purposes described in this Policy:

• Payment processors and e-wallet providers (e.g., Touch n Go eWallet, Boost, Maybank, CIMB, Public Bank) — for deposit and withdrawal processing;
• Identity verification and KYC service providers — for age and identity verification;
• Fraud detection and AML compliance partners — for legal compliance and platform security;
• Game content providers — limited technical data may be shared with certified game studios for the purpose of RNG integrity and fair play auditing;
• IT and infrastructure service providers — cloud hosting, data storage, and cybersecurity service providers engaged under contractual data processing agreements;
• Regulatory and law enforcement authorities — where required by law, court order, or regulatory directive, including mandatory suspicious transaction reporting obligations under AML law.

7.2 All third-party service providers engaged by grmbet are subject to contractual data protection obligations consistent with this Policy.

8. International Data Transfers

The operation of the grmbet Platform may involve the transfer of your personal data to servers or service providers located outside of Malaysia. Where such transfers occur, grmbet ensures that appropriate safeguards are in place, including contractual clauses equivalent to internationally recognised data transfer mechanisms, to ensure your personal data receives an equivalent level of protection to that provided under Malaysian data protection law.

9. Data Retention

9.1 grmbet retains your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the duration of your account relationship with grmbet and for such further period as may be required to meet legal, regulatory, audit, or dispute resolution obligations.

9.2 In practice, grmbet retains account and transaction records for a minimum of five (5) years following account closure to satisfy AML and regulatory record-keeping requirements. Communications data is retained for a shorter period commensurate with its purpose. Technical and usage data in anonymised or aggregated form may be retained indefinitely for analytical purposes.

9.3 Upon the expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with grmbet's data lifecycle management procedures.

10. Security Measures

grmbet implements technical and organisational measures designed to protect your personal data against unauthorised access, disclosure, alteration, and destruction. These measures include:

• 256-bit SSL/TLS encryption for all data in transit between your device and grmbet's servers;
• Encryption of sensitive data at rest, including password hashing using industry-standard algorithms;
• Multi-factor authentication for account access, including device recognition and OTP verification;
• Access controls limiting internal access to personal data to authorised personnel on a need-to-know basis;
• Regular security assessments and penetration testing of Platform infrastructure;
• 24/7 monitoring of Platform systems for anomalous activity and potential security incidents.

11. Cookies and Tracking Technologies

11.1 grmbet uses cookies and similar tracking technologies (including session tokens and local storage) to operate the Platform, remember your preferences, maintain your login session, and collect usage data for analytics and security purposes.

11.2 The following categories of cookies are used on grmbet.app:

• Strictly necessary cookies: Required for the Platform to function. These cannot be disabled without preventing core functionality including the grmbet login session;
• Analytical cookies: Used to understand how users navigate the Platform in aggregate, enabling us to improve the user experience;
• Security cookies: Used to detect and prevent fraudulent activity, including bot detection and session integrity verification;
• Preference cookies: Used to remember your settings and preferences across sessions.

11.3 You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies will impair the functionality of the Platform, including your ability to log in to your grmbet account.

12. Your Data Protection Rights

Subject to applicable data protection legislation and to certain exceptions and conditions, you have the following rights in relation to your personal data held by grmbet:

• Right of access: You may request a copy of the personal data grmbet holds about you;
• Right to rectification: You may request correction of inaccurate or incomplete personal data;
• Right to erasure: You may request deletion of your personal data in certain circumstances, subject to our legal retention obligations;
• Right to restriction of processing: You may request that we limit how we use your personal data in certain circumstances;
• Right to data portability: You may request a copy of personal data you have provided to grmbet in a structured, machine-readable format;
• Right to object: You may object to processing of your personal data based on legitimate interests;
• Right to withdraw consent: Where processing is based on consent (e.g., marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of the above rights, please contact grmbet's support team via live chat or by email. grmbet will respond to verified requests within a reasonable period, and no later than as required by applicable law.

13. Children's Privacy and Age Restriction

The grmbet Platform is strictly for users aged 21 and above. grmbet does not knowingly collect personal data from individuals under the age of 21. If grmbet becomes aware that personal data has been collected from a user under 21, that account will be immediately terminated and the personal data deleted or anonymised in accordance with our data lifecycle procedures. If you believe that a person under 21 has provided personal data to grmbet, please contact our support team immediately.

14. Changes to This Privacy Policy

grmbet reserves the right to update or amend this Privacy Policy at any time. Material changes to the Policy will be communicated to registered users by email and/or by a prominent notice on the Platform prior to the effective date of the change. Your continued use of the Platform following the effective date of any revised Policy constitutes your acceptance of those changes. The date at the top of this Policy indicates when it was last updated.

15. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or grmbet's handling of your personal data, please contact us through the following channels:

• Live chat: Available 24/7 directly on the grmbet Platform;
• Email: support@grmbet.app (plain text — not a clickable link).

grmbet will acknowledge your enquiry and aim to provide a substantive response within a reasonable timeframe.