bolabosku Privacy Policy - Data Protection & Care

This page describes what we collect when you use bolabosku and how we keep that data protected. We collect personal information only to operate our platform, process payments, verify account identity, and respond to support requests. We do not sell your data to third parties and do not use it for marketing beyond account communications.

We run bolabosku live-dealer tables, sportsbook markets, and slot games across supported jurisdictions. Services are available only where local law permits. Account holders access our platform from Jakarta, Surabaya, Bandung, Medan, Semarang, and other regions; our data practices apply uniformly across all users regardless of location.

Our privacy commitments centre on transparency, security, and your control. We explain what we collect, who processes it, how long we keep it, and how you can request access or deletion. We use encryption for data in transit and at rest. We limit staff access to personal data to those who need it for operational reasons. This policy reflects our actual practices, not theoretical minimums.

What We Collect and How We Use It

We collect your email address, phone number, full legal name, and date of birth when you create a bolabosku account. We also collect government ID details (ID type and expiration date—we do not store the full document indefinitely), proof-of-residence document metadata, and your IP address and device details when you log in.

We collect your game activity—which tables you access, bets placed, outcomes, settlement amounts—to calculate winnings, process withdrawals, and generate account statements. We record support interactions (emails, in-app chat transcripts) to resolve disputes and improve our response quality.

We use this data to:

• Verify your identity and comply with anti-money-laundering regulations
• Process deposits and withdrawals to and from your account
• Settle live-dealer bets and track account balance in real time
• Respond to your support requests within agreed timelines
• Detect and prevent fraud or account compromise
• Comply with legal requests from law enforcement or regulators

Data Storage and Third-Party Processors

We store account data, payment records, and game activity on encrypted servers. Our primary servers are located outside Indonesia; this means your data may be processed in jurisdictions with different legal frameworks than Indonesia. We use encryption and access controls to protect data regardless of server location.

We use third-party processors for specific functions. Payment processors (Adyen, Stripe, and local payment gateways supporting mobile banking, local payment, online payment) handle transaction encryption and settlement. We do not control their data practices but require written agreements specifying data protection standards. Email providers (AWS SES) handle our transactional emails (account confirmation, password reset, withdrawal notification). Analytics providers (Mixpanel, Segment) track aggregate user behaviour to identify technical issues; personal identifiers are stripped from analytics data.

We retain account data while your account is active plus 5 years after closure (required by anti-money-laundering law). Payment records are kept for 7 years. Support chat transcripts are deleted after 2 years unless a dispute is under investigation. Game activity logs are retained for 3 years to support settlement disputes and audits.

Cookies and Tracking

We use cookies to keep you logged in, remember your language preference, and track which games you viewed (for technical debugging and feature improvements). Session cookies expire when you close your browser. Persistent cookies (login token, timezone setting) last up to 30 days. You can delete cookies in your browser settings at any time; you will be logged out and asked to log in again.

We do not use cookies for advertising or cross-site tracking. We do not partner with ad networks or data brokers. Our analytics tracking (Mixpanel) is for internal use only—to identify page load errors, table streaming issues, or payment gateway timeouts—and does not tie personal identity to analytics data.

Your Rights and Data Access

You have the right to request a copy of the data we hold about you. Log into your bolabosku account, navigate to Account Settings → Data Request, and click "Download my data". We will compile your account details, transaction history, and game logs into a file and email it to your registered address within 10 business days.

You have the right to request deletion of your account and associated data. Submit an account deletion request via in-app support or email [email protected]. We will delete your account immediately, though we retain payment records and game logs for regulatory and audit purposes (as described above) and cannot delete data already shared with legal authorities.

You can update your personal information (email, phone, address) directly in Account Settings. If you notice a data error or inaccuracy, contact support with specific details; we will correct it and confirm the change within 5 business days.

Account Security Practices

We use SSL 1.3 encryption for all data transmitted between your device and bolabosku servers. Passwords are hashed with bcrypt; we never store plain-text passwords. We offer optional two-factor authentication (SMS OTP) to add a second layer of security. Account lockouts trigger after five failed login attempts; the account unlocks automatically after subject to verification or immediately if you request support.

Our staff can view your account details only for specific purposes: support staff access your account to resolve payment or withdrawal disputes; compliance staff access identity documents to verify KYC compliance; technical staff access server logs to debug streaming or settlement issues. Staff access is logged and monitored.

If you suspect your account is compromised, contact support immediately with your account email. We can freeze your account, reset your password, and review recent login activity within 2 hours of your request.

Data Breaches and Incident Response

If we detect a data breach affecting personal information, we notify affected account holders within 48 hours of confirmation. Notification includes what data was compromised, what steps we took, and what you can do (e.g., change your password). We also notify relevant regulators as required by law.

We conduct annual security audits by third-party penetration testers. We patch known vulnerabilities in our software within 72 hours of disclosure. We maintain offline backups of critical data to ensure we can recover from ransomware attacks.

Contact and Updates

Questions about your data or this policy? Contact our privacy team at [email protected]. We respond to data requests and privacy inquiries within 10 business days. For urgent issues related to account security or potential breaches, email [email protected] or use in-app chat for immediate escalation.

We may update this privacy policy to reflect changes in our practices, new regulations, or technical improvements. Updates are published on this page with a revision date. Material changes (e.g., new data collection practices) are communicated to account holders via email at least 30 days before taking effect. Continued use of bolabosku after a policy update constitutes acceptance of the new terms.

We at bolabosku build data protection into our platform from the ground up. We collect only what is necessary, we secure it with current encryption standards, and we give you clear control over your information. Our privacy practices are not negotiable compliance theatre—they reflect our commitment to account holder trust across all supported regions.