Attention! Gambling can be addictive and does not solve financial problems. Please read the Terms and Conditions and play responsibly. You can find help in case of addiction or problems here.
Hylas Limited (“Hylas”, the “Company”, “We”, “Us” or “Our”) is committed to safeguarding Your (“Registered User”, “Player”, “User”, “You”, or “Yours”) privacy and maintaining Your confidence and trust in Us.
We process personal data (“Personal Data” or “Data”) in line with Our Data Protection Policy and all applicable laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The key provisions of Our Data Protection Policy that are relevant for You as an User of Our services, are summarised in this Privacy Policy.
For the purposes of this Policy, “Personal Data” or “Data” means any information that directly or indirectly identifies, contacts, or locates You as a private individual (such as Your name and contact details), while “Services” means the provisioning of the Website and the Games of Chance offered on it.
This Privacy Policy explains how and why We collect and use Your Personal Data when You access and use Our Website onerush.com, and how We keep Your Personal Data secure.
This Privacy Policy applies to every User who registers with the Company and subsequently accesses the Website as a Registered User.
Hylas and Buccone Trading Limited (“Buccone”), Company Number C 81966, with registered address at Ewropa Business Centre, Level 3-701, Triq Dun Karm Street, Birkirkara, BKR 9034, Malta, jointly determine certain key purposes relating to the offering of the Website and the associated brand, and therefore act as joint controllers within the meaning of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Hylas and Buccone form part of the same corporate group (“Group”), under which shared commercial, brand, and strategic decision-making is carried out. This shared decision-making results in joint determination of certain purposes relating to the offering of the Website and associated brand.
Hylas is responsible for the operation of the Website and the provision of the Services, including the day-to-day processing of Personal Data.
Buccone contributes to the definition and management of the commercial framework and brand under which the Services are offered. This involvement influences the purposes for which Personal Data is processed, but Buccone does not itself access or process Personal Data in the course of these activities.
The essence of the joint controller arrangement can be made available to You upon request by contacting our Data Protection Officer (DPO) at DPO@onerush.com. When You access and use Our Services, the collection, use and sharing of Your Personal Data are governed by this Policy and the overarching Data Protection Policy, together with Our Cookie Policy, as each may be updated from time to time.
When You access and use Our Services, the collection, use and sharing of Your Personal Data are governed by this Policy and the overarching Data Protection Policy, together with Our Cookie Policy, as each may be updated from time to time.
The Company may update or amend this Privacy Policy (and, where applicable, the overarching Data Protection Policy) from time to time. In the event of material changes, We will provide notice through Our services or other appropriate channels, giving You the opportunity to review the revised terms before they take effect.
If You do not agree with the updated Privacy Policy, You may terminate Your contractual relationship with Us by contacting support@onerush.com. By continuing to use Our Services after such changes have been communicated, You acknowledge and agree that Your Personal Data will be collected, used and processed in accordance with the updated Privacy Policy. CONTACTING THE COMPANY
As a data subject, You have certain rights under the General Data Protection Regulation, such as the right to access, correct, erase, restrict, and object to the processing of Your Personal Data. You may also object to processing carried out on the basis of Our legitimate interests, including the use of Your Personal Data for direct marketing. Where technically feasible, You are entitled to request the transfer of Your Personal Data to another controller (“data portability”). To exercise these rights, please contact Our Data Protection Officer (DPO) at dpo@onerush.com.
Notwithstanding the foregoing, please note that these rights apply solely in relation to the processing of Personal Data as defined in the GDPR. Furthermore, the Company may also be legally obliged to retain certain data (including Personal Data) under applicable gambling, anti-money laundering, accounting, or other regulatory requirements, even after the termination of the contractual relationship or Your request for erasure. Such data will, however, be retained strictly for the period required by law.
For general queries, please reach out to Our Customer Care team via live chat, email or telephone, as set out on Our Website.
We collect and process Personal Data at different points throughout Our relationship with You and through various channels. The primary legal basis for this processing is contractual, meaning that certain information must be provided in order for You to enter into a contractual relationship with Us, access the Website, and maintain a Gambling Account. 5.1. Delivery of Service The Company processes Your Personal Data to enable You to use the Website and Games of Chance for activities such as wagering, receiving results, having winnings paid out, and viewing Your activity on Your Gambling Account. In addition, We process certain Personal Data to comply with responsible gambling obligations and other regulatory requirements under applicable law. 5.2. Personalised Services To ensure effective and relevant support when You contact Our Customer Care team, We process Your Personal Data by recording and managing Our interactions with You.
The Company also recognises that You may expect a more tailored gaming experience when using Our Website. Such personalisation is based on the use of Your Personal Data to adapt features, content, and services to Your preferences.
5.3. Personalised Content and Marketing
The Company may process Personal Data to ensure compliance with regulatory requirements on marketing set out in applicable law.
When the Company advertises digitally on other websites, various tracking technologies (e.g., cookies) may be used to recognise You after You have left onerush.com, provided that You have consented to this. This enables Us to deliver advertising that We believe is more relevant to You when You visit a website where We advertise.
If You do not want Us to carry out this tracking, You can disable it by following the instructions in Our Cookie Policy. However, You may still see Our advertisements on other websites; the difference is that they may not be tailored to Your interests.
The Company is also keen to inform You about new games, jackpots, features, offers, and other updates that We believe may be of interest to You. We do this primarily by contacting You through different channels. You can choose whether to receive such marketing and information in Your Account Settings. 5.4. Business Analysis and Statistics To analyze how Our Services are used and to monitor Our financial performance, We compile large volumes of data. Such data may, for example, originate from participation in games and wagering, but, in this context, it is anonymised and typically aggregated. 5.5. Legal Requirements and Case Handling The Company is subject to the Estonian Money Laundering and Terrorist Financing Prevention Act (MLTFPA). We therefore process Your Personal Data to manage and mitigate the risks of money laundering and terrorist financing. Among other things, We are required to request and collect Know Your Customer (KYC) information, which You may recognise from interactions with banks that are subject to the same law.
The Company also actively works to prevent fraud in relation to Our services to ensure that You and Our other customers can enjoy Our Services in a safe environment. This means that We may process Your Personal Data in cases of suspected irregularities or breaches of Our Rules. In some circumstances, We may also be required to disclose certain Personal Data to authorities that are legally entitled to access such information.
5.6. System Management and Security
To ensure the proper maintenance, development, and testing of Our IT systems, We may use only anonymised or otherwise non-identifiable data in test environments. Identifiable Personal Data is never processed for testing purposes.
For internal testing purposes, We may use test Gambling Accounts registered by employees or other non-customer datasets, provided that such data is supplied on a voluntary basis and in accordance with applicable rules and regulations.
Please be advised that Our systems are continuously monitored to protect against unauthorised access, misuse, and other security threats. For this purpose, We may process Information such as IP addresses, login attempts, and other technical identifiers. This processing is limited to what is necessary to sageguard our systems and is carried out on the basis of Our legitimate interest in ensuring information security.
The Company will retain Your Personal Data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal, contractual, and regulatory obligations.
While You actively engage with Us, We must retain Your Personal Data to comply with applicable laws (including but not limited to the MLTFPA and the Estonian Gambling Act) and to perform Our contractual obligations. Following the discontinuation of Our services or the closure of Your Gambling Account, certain Personal Data may still be retained for specific purposes, including but not limited to: 6.1. Contractual Obligations To honour rights and obligations connected with Our delivery of the Services. 6.2. Legal Compliance To meet obligations under EU and local laws. 6.3. Legitimate Interests To safeguard Our legitimate business interests (such as fraud prevention, responsible gambling measures, and internal risk management). 6.4. Regulatory Requirements To comply with binding instructions or guidelines from competent authorities.
Your Personal Data will generally be retained for a period of five to ten years, depending on the nature of the Personal Data and applicable legal requirements, including obligations under the MLTFPA. Personal Data will not be retained beyond what is strictly necessary for these purposes.
The Company forms part of the Nordplay Group (“Group”). We may share Your personal Data with other Nordplay companies within the Group, trusted service providers acting on Our behalf, and competent regulatory or law enforcement authorities where required by law. In the event of a merger, acquisition, or business transfer, Your Personal Data may also be disclosed, in which case You will be notified in advance. All such disclosures will be strictly limited to the purposes described in this Privacy Policy.
7.1. Intragroup disclosures Personal Data may be shared with other companies within the Group for purposes including:
Delivering Services and notifying You of material updates or changes; Handling enquiries, complaints, and customer services; Administering offers, promotions, and competitions; Ensure secure access to the Website and the Games of Chance offered; Updating, consolidating and improving the accuracy of records; Analysing payment transactions, wagering, and use of Our Services; Detecting, preventing, and prosecuting fraud or other unlawful activity, in compliance with regulatory obligations. Supporting responsible gambling measures, including the sharing of self-exclusion and related information with the competent authorities, as required by law. 7.2. Third-party disclosures The Company may disclose Personal Data to third parties in the following circumstances:
Where disclosure is required under applicable laws or licensing obligations, or upon the lawful request of competent supervisory or law enforcement authorities; For fraud prevention and risk management purposes, which may involve sharing Personal Data with payment service providers, financial institutions, address verification services, and fraud prevention systems; When engaging carefully selected service providers acting as data processors under Our instructions and contractual safeguards, including providers of gambling platforms, game service providers, data hosting and analytics tools, payment service providers, AML/CFT tools, Customer Care software, and advertising services; In connection with audits and certifications, where independent auditors require access to ensure compliance with regulatory, supervisory or accreditation requirements; As part of business transfers, where Our business, assets, or rights are acquired by another organisation, provided that equivalent safeguards are applied. To ensure information security, by sharing information (which may include Personal Data) with relevant service providers to safeguard and strengthen the resilience of Our systems; To support responsible gambling measures, by sharing Personal Data with competent authorities where mandated by applicable law or regulatory requirements.
Please note that the Company does not disclose Your Personal Data to external parties for their own marketing purposes. Any use of Your Personal Data for marketing is strictly limited to the Company and other companies within the Group, and always in line with this Privacy Policy.
The Personal Data We collect from You may be transferred to, and stored in, jurisdictions outside the European Economic Area (“EEA”). It may also be processed by entities located outside the EEA that act on Our behalf or on behalf of Our service providers. For example, certain technical systems or software used to ultimately provide Our Services, such as those operated by game service providers, may be hosted or managed from outside the EEA. Such jurisdictions may not provide the same level of data protection as within the EEA. All entities within Nordplay Group are located within the EEA.
To ensure that Your Personal Data remains protected, any transfer outside the EEA will only take place in compliance with applicable data protection laws and subject to appropriate safeguards. These may include:
Reliance on Standard Contractual Clauses adopted by the European Commission (or other recognised contractual safeguards). Transfers to jurisdictions covered by an adequacy decision of the European Commission, confirming an adequate level of protection. Reliance on derogations under Article 49 GDPR, such as where the transfer is necessary for the performance of Our contractual obligations with You or where You have provided Your explicit consent. Assessments of the legal framework of the destination jurisdiction and, where necessary, supplementary measures to ensure an adequate level of protection.
Where such transfers occur, access to Your Personal data is appropriately restricted and limited to the purposes described in this Privacy Policy.
The Company implements appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of Your Personal Data, taking into account the risks associated with processing and the sensitivity of the information. These measures are designed to protect against unauthorised access, alteration, disclosure, or destruction of Personal Data.
A significant portion of the processing of Your Personal Data takes place through Our gambling platform, which is the core software system supporting Our Games of Chance offering, payment services integration, Gambling Account management and responsible gambling features such as self-exclusion and loss limit settings. To ensure that such processing is carried out securely, the gambling platform and its operations are certified against the ISO/IEC 27001 standard. In addition, the Nordplay Group’s overall Information Security Management System (ISMS) is independently audited and certified by an accredited body.
Access to Personal Data is restricted to authorised personnel only and governed by role-based access controls. Employees receive ongoing training and guidance from senior management and are required to act in accordance with internal policies and instructions designed to ensure the secure processing of Personal Data. To further protect Personal Data, Our gambling platform and auxiliary software are subject to regular monitoring and testing, including vulnerability assessments and penetration testing. We also apply recognised security techniques, including encryption and pseudonymisation, where appropriate.
While We apply industry-standard safeguards, no method of transmission or storage can be guaranteed to be fully secure. We therefore cannot ensure absolute security of Personal Data, but We regularly review and update Our security practices to address evolving threats and industry standards. In the unlikely event of a Personal Data breach, We have procedures in place to detect, respond to, and notify the relevant authorities and affected individuals, where required by law.