Leon Privacy Policy: Your Personal Data Rights & Protection Explained for Greek Players

Understanding how an online betting and casino operator handles your personal data is not just a legal formality — it’s your right as a user. At Leon, data protection is taken seriously, and this guide breaks down exactly what information is collected, why it’s used, who it’s shared with, and how you can exercise your rights under Greek and EU law. Whether you’re signing up for the first time or you’ve been a member for years, knowing the details of Leon’s privacy practices gives you full control over your digital footprint.

1. What Personal Data Leon Collects

Registration & Identity Data

When you create an account at Leon, you provide a set of standard identity details. This includes your full legal name, date of birth, residential address, email address, and phone number. These are essential for account creation, age verification, and ensuring you’re a real person — not a bot or a fraudster trying to exploit welcome bonuses. For Greek players, this also means confirming you’re of legal gambling age (21+ in Greece under the HGC framework).

Financial & Payment Data

To process your deposits and withdrawals, Leon collects payment-related information. This covers card numbers (typically masked after entry), e-wallet account IDs (Skrill, Neteller, ecoPayz), bank account details for wire transfers, and transaction records. Importantly, full card numbers are never stored in plain text — they’re tokenised using PCI DSS-compliant systems. USDT and crypto wallet addresses are also logged for crypto users transacting through platforms like Binance or Kraken.

Behavioural & Usage Data

Beyond your identity, Leon also tracks how you interact with the platform. This includes your betting history on sports markets (Super League Greece matches, Champions League, etc.), casino game sessions at the online casino, login timestamps, device type and operating system, IP address, browser type, and session duration. This data helps personalise your experience, detect unusual activity, and improve the platform overall.

Data Category | Examples | Purpose
Identity | Name, DOB, address, email | Account creation, age verification
Financial | Card/wallet info, transaction history | Payment processing, fraud prevention
Behavioural | Betting history, game sessions, login times | Personalisation, responsible gambling monitoring
Technical | IP address, device, browser | Security, geo-compliance, analytics
KYC Documents | Passport, utility bill, selfie | Identity verification, AML compliance

2. Why Your Data Is Collected & Legal Basis

Contractual Necessity

The primary legal basis for most data processing at Leon is contractual necessity — in other words, Leon needs this data to provide you with the service you signed up for. Without your name and payment details, there’s no way to run your account, process a deposit via Visa/Mastercard, or pay out a withdrawal to your Skrill wallet. This is the most straightforward and non-negotiable basis for data collection.

Legal Obligation

Online gambling operators licensed through jurisdictions recognised across the EU — including operators accessing the Greek market — are legally required to verify user identities under Anti-Money Laundering (AML) directives. The 4th and 5th EU AML Directives impose strict Know Your Customer (KYC) requirements. Failure to collect and process identity data would put Leon in breach of these obligations. Greek regulators (ΕΕΕΠ / HGC) also require operators to maintain detailed records for auditing purposes.

Legitimate Interests & Consent

Some data processing — particularly for marketing communications and analytics — is based on either your consent or Leon’s legitimate business interests. For example, if you’ve opted in to promotional emails, Leon will use your email and preference data to send you relevant bonus offers. You can withdraw this consent at any time through your account settings or by contacting support. Behavioural analytics for platform improvement also fall under legitimate interests, provided they don’t override your fundamental privacy rights.

3. Data Sharing with Third Parties

Payment Processors & Financial Institutions

To handle your transactions, Leon shares relevant financial data with payment processors. When you deposit via Skrill or Neteller, those platforms receive transaction data from Leon’s end to authorise the payment. Similarly, card issuers and acquiring banks receive masked card data for Visa and Mastercard transactions. These partners operate under their own privacy policies and are typically GDPR-compliant entities operating within the EEA or under adequacy decisions.

Regulatory & Law Enforcement Bodies

Leon is obligated to share certain data with regulatory authorities upon request. In Greece, this means potential disclosures to ΕΕΕΠ (HGC), financial intelligence units, and law enforcement agencies if there’s a suspicion of money laundering, fraud, or other illegal activity. This is non-negotiable and does not require your consent — it’s a legal obligation that overrides the standard privacy protections in specific circumstances.

Technology & Service Providers

Leon works with a range of third-party technology providers — game studios (Pragmatic Play, Evolution Gaming, etc.), fraud detection systems, cloud hosting providers, and analytics tools. These vendors act as data processors under GDPR, meaning they can only use your data in ways Leon instructs. Data processing agreements (DPAs) are in place with all key vendors. Leon does not sell your personal data to third-party advertisers or data brokers — full stop.

Did you know? Under GDPR Article 28, any company that processes personal data on behalf of another organisation must sign a Data Processing Agreement (DPA). This means Leon’s game providers and payment partners are contractually bound to protect your data to the same standard.

4. Cookies & Tracking Technologies

Types of Cookies Used

Leon uses several categories of cookies across its website and mobile app. Strictly necessary cookies keep your session alive and ensure security features function correctly — these cannot be disabled. Performance cookies collect anonymous statistics on how users navigate the site (page views, bounce rates, load times). Functional cookies remember your preferences like language and display settings. Marketing cookies (only active with your consent) track whether you arrived via a specific promotional link and enable retargeted advertising.

Cookie Type | Requires Consent? | Can Be Disabled? | Examples
Strictly Necessary | No | No | Session tokens, CSRF protection
Performance / Analytics | Yes | Yes | Google Analytics, Hotjar
Functional | Yes | Yes | Language preferences, UI settings
Marketing / Targeting | Yes | Yes | Affiliate tracking, retargeting pixels

Managing Your Cookie Preferences

When you first visit leonbet-gr.com, a cookie consent banner appears. You can accept all categories, reject non-essential cookies, or customise your preferences category by category. You can revisit these preferences at any time via the privacy settings link in the site footer. Browser-level controls (Chrome, Firefox, Safari) also let you block or delete cookies, though disabling strictly necessary cookies will impair your ability to log in and use the site properly.

Tracking in the Mobile App

The Leon mobile app for Android and iOS uses similar tracking technologies, including device identifiers (advertising IDs) and in-app analytics SDKs. iOS users can opt out of tracking via Apple’s App Tracking Transparency (ATT) framework — when the app requests permission to track, you can simply decline. Android users can reset or opt out of their advertising ID via Google settings. These controls are independent of Leon’s own cookie settings.

5. Data Retention Periods

Account & Identity Records

Leon retains your account data for the duration of your active membership plus an additional period following account closure. Under EU AML regulations, gambling operators are required to keep customer identity records and transaction logs for a minimum of five years after the end of a business relationship. In practice, this means even if you close your Leon account today, your KYC documents and betting history will remain on file until that five-year window expires.

Marketing & Communication Data

If you’ve opted in to marketing emails or SMS notifications, that preference data is retained for as long as you remain subscribed. Once you unsubscribe, your marketing preferences are updated immediately, but a suppression record (essentially a note that says “don’t contact this person”) is kept indefinitely to ensure you don’t accidentally get re-subscribed. This is standard practice across the industry and actually protects you from receiving unwanted communications.

Data Type | Retention Period | Legal Basis
Identity & KYC documents | 5 years post-account closure | AML Directive, legal obligation
Transaction records | 5 years post-transaction | AML Directive, legal obligation
Active account data | Duration of account + 5 years | Contract, legal obligation
Marketing preferences | Until opt-out + suppression record | Consent
Analytics / cookies | Up to 24 months | Legitimate interests / consent
Support communications | 3 years post-resolution | Legitimate interests

6. Your Rights Under GDPR & Greek Law

The Eight Core GDPR Rights

As a resident of Greece, you benefit from the full suite of rights under the EU General Data Protection Regulation (GDPR), which has been directly incorporated into Greek law. These rights are not just theoretical — you can actively exercise each one by contacting Leon’s Data Protection Officer. Here’s the complete list of what you’re entitled to:

  • Right of Access (Article 15): Request a copy of all personal data Leon holds about you.
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data in your profile.
  • Right to Erasure (Article 17): Request deletion of your data — the “right to be forgotten” — where no legal obligation requires it to be kept.
  • Right to Restriction (Article 18): Temporarily limit how your data is processed while a dispute is resolved.
  • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format (CSV, JSON) and transfer it to another service.
  • Right to Object (Article 21): Object to processing based on legitimate interests, including direct marketing.
  • Right Not to Be Subject to Automated Decisions (Article 22): Request human review of any automated decision that significantly affects you.
  • Right to Withdraw Consent: Pull back any consent-based permissions at any time without penalty.

How to Submit a Data Request

To exercise any of the above rights, contact Leon’s Data Protection Officer via the details listed in the contact page. Requests are typically acknowledged within 72 hours and fully responded to within 30 days — the GDPR standard. For complex requests or those involving large volumes of data, the deadline can be extended by up to two additional months, but you’ll be notified in advance. Always submit your request from the email address linked to your Leon account to speed up the identification process.

Complaints & the Hellenic DPA

If you believe Leon has mishandled your personal data and internal resolution hasn’t satisfied your concern, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα). The HDPA is the independent Greek supervisory authority responsible for enforcing GDPR at the national level. Their website (dpa.gr) provides a formal complaint submission process. This is a free process and is completely independent of any action you take directly with Leon.

7. Data Security Measures

Technical Safeguards

Leon employs multiple layers of technical security to protect your personal data from unauthorised access, disclosure, or loss. All data transmitted between your browser/app and Leon’s servers is encrypted using TLS 1.2 or TLS 1.3 — the modern standard for secure communications. Data at rest (stored on servers) is encrypted using AES-256, which is the same standard used by financial institutions. Payment card data is handled in a PCI DSS Level 1 compliant environment, the highest certification in the card industry.

Organisational Security Controls

Beyond technical measures, Leon maintains strict internal policies around who can access your data. Staff access is governed by role-based permissions — meaning a customer support agent can see your account details but not your full KYC documents unless specifically required. Access to sensitive systems is logged and audited. Regular penetration testing is carried out by external security firms, and all staff who handle personal data receive mandatory privacy training annually.

Data Breach Response

In the event of a data breach that poses a risk to individuals’ rights, Leon is obligated under GDPR Article 33 to notify the supervisory authority within 72 hours of becoming aware. If the breach is likely to result in high risk to affected individuals, you will also be personally notified without undue delay. The notification will describe the nature of the breach, the data categories involved, approximate numbers of affected individuals, and the measures taken to address it. This is a legal requirement, not a courtesy.

Did you know? Under GDPR, a company that fails to report a data breach to the supervisory authority within 72 hours can be fined up to €10 million or 2% of global annual turnover — whichever is higher. This creates a strong incentive for operators like Leon to act fast and transparently when incidents occur.

8. KYC, AML & Regulatory Compliance

What KYC Involves at Leon

Know Your Customer (KYC) verification is a regulatory requirement, not a choice. When you register at Leon, you’ll eventually need to verify your identity before making significant withdrawals or after reaching certain deposit thresholds. The standard KYC process requires a government-issued photo ID (passport or Greek national ID card), proof of address (utility bill or bank statement dated within the last three months), and sometimes a payment method verification (photo of card or e-wallet screenshot). The whole process typically takes 10–30 minutes once documents are submitted, assuming they’re clear and legible.

Enhanced Due Diligence (EDD)

For high-value players or those whose transaction patterns trigger AML monitoring systems, Leon may apply Enhanced Due Diligence. This can involve requests for source of funds documentation (payslips, tax returns, bank statements), source of wealth information (investment records, business ownership documentation), or more frequent re-verification of identity documents. EDD is triggered automatically by AML risk scoring systems and is not a personal accusation — it’s a standard regulatory control applied across the industry.

Responsible Gambling Data Use

Leon uses your behavioural data specifically to monitor for signs of problem gambling as part of its responsible gambling framework. Patterns like extended session times, rapid deposit sequences, or sudden increases in bet size can trigger interventions — automated alerts, cooling-off period suggestions, or direct outreach from the responsible gambling team. This data is not shared externally for this purpose; it’s purely an internal safeguard to protect players. You can also view your own deposit and play history at any time through your account dashboard.

9. International Data Transfers

Transfers Within the EEA

Most of Leon’s data processing infrastructure is based within the European Economic Area (EEA), where GDPR applies uniformly. Transfers of your personal data between EEA member states — say, from a server in Malta (where many online gambling operators hold MGA licences) to a service provider in Germany — do not require special safeguards beyond GDPR compliance. Greece is an EEA member, so your data as a Greek player stays within this protective framework by default wherever EEA-based processing is used.

Transfers Outside the EEA

When data must be transferred outside the EEA — for example, to a cloud provider with servers in the United States or a fraud detection system based in Canada — GDPR requires that adequate protections are in place. The primary mechanisms used are Standard Contractual Clauses (SCCs), which are pre-approved GDPR-compliant contract templates that bind the recipient to EU data protection standards. For countries with an EU adequacy decision (such as the UK, Japan, or Canada for certain data), transfers can proceed without SCCs.

Your Transparency Rights on Transfers

You have the right to be informed about any international transfers of your data, the safeguards in place, and the countries involved. If you submit a Subject Access Request (SAR), the response will include details of any third countries involved in processing your data and the legal mechanism used to authorise that transfer. This level of transparency is a core GDPR requirement and is not something Leon can opt out of providing when asked.

10. Contact & Data Protection Officer

Who Is the Data Protection Officer?

Under GDPR Article 37, organisations that process personal data at scale — which online gambling operators certainly do — are required to appoint a Data Protection Officer (DPO). The DPO at Leon is an independent internal or external appointee responsible for overseeing GDPR compliance, training staff, conducting Data Protection Impact Assessments (DPIAs), and acting as the primary contact for data subjects (i.e., you) and the supervisory authority. The DPO operates independently of commercial pressures and reports directly to senior management.

How to Contact the DPO

You can reach Leon’s Data Protection Officer by using the contact information available on the contact page — specifically through the privacy/data protection enquiry channel. When contacting the DPO, clearly state that your enquiry is a data protection matter and include your registered email address and account username so your identity can be verified efficiently. For formal Subject Access Requests or erasure requests, it helps to put “GDPR Request — [Your Request Type]” in the subject line. The DPO is obligated to respond within 30 days.

Updates to This Privacy Policy

Privacy policies evolve as regulations change and as services develop. Leon will notify you of any material changes to this privacy policy via email (to the address registered on your account) and/or through a prominent notice on the website. Minor updates — such as adding a new third-party processor or updating contact details — may be made without individual notification, though the revised policy will always reflect the update date at the top. For the full terms and conditions governing your account, see the dedicated terms page. For questions about the licensing framework, visit the licence page.

Did you know? The Hellenic Data Protection Authority (HDPA) can impose fines of up to €20 million or 4% of global annual turnover for serious GDPR violations — including failure to honour data subject rights within the required timeframes. This is why operators like Leon treat privacy compliance as a business-critical function, not just a legal checkbox.

Frequently Asked Questions — Leon Privacy Policy

No. Leon does not sell, rent, or trade your personal data to third-party advertisers, data brokers, or any commercial entity for their own marketing purposes. Data is shared only with service providers who process it strictly on Leon’s instructions, and with regulatory authorities when legally required. This is a firm policy commitment, not just a legal formality.
Under EU AML regulations, Leon must retain your identity records and transaction history for a minimum of five years following the closure of your account. After this retention period expires, your data is securely deleted or anonymised. Some data, like marketing suppression records, may be kept indefinitely in a minimal form to prevent accidental re-subscription to communications you’ve opted out of.
Yes — this is your Right of Access under GDPR Article 15. Submit a Subject Access Request (SAR) via the privacy contact channel on the contact page, using the email address linked to your Leon account. You’ll receive a full copy of your personal data within 30 days, including account details, transaction history, KYC records, and communication logs. There is no charge for a standard SAR.
You can unsubscribe from marketing emails via the unsubscribe link at the bottom of any promotional email. For SMS and push notification preferences, go to your account settings and update your communication preferences. Alternatively, email the privacy team directly with your opt-out request. Once processed, your marketing preference is updated immediately — though you may still receive one or two messages already scheduled in the delivery queue.
Yes. Leon processes card payments in a PCI DSS-compliant environment, meaning full card numbers are never stored in plain text on Leon’s systems — they are tokenised immediately upon entry. All data in transit is protected with TLS 1.3 encryption, and data at rest uses AES-256 encryption. E-wallet data (Skrill, Neteller) is handled through their own secure APIs and is not retained on Leon’s servers beyond what’s needed for transaction records.
If you self-exclude via Leon’s responsible gambling tools, your account data is flagged to prevent re-registration during the exclusion period. Your identity details are added to Leon’s internal exclusion list and, where applicable, shared with national self-exclusion registers. Your data is still retained in line with standard AML retention requirements — self-exclusion does not trigger immediate erasure of your records. You can find more about these tools on the responsible gambling page.
Start by contacting Leon’s Data Protection Officer directly — most issues can be resolved internally within 30 days. If you’re not satisfied with the response, you have the right to escalate your complaint to the Hellenic Data Protection Authority (HDPA / dpa.gr), which is Greece’s independent GDPR supervisory authority. Filing a complaint with the HDPA is free, and they have the power to investigate and issue binding decisions against operators found to be in breach of GDPR.
Yes. The same privacy policy governs data collected through the Leon mobile app on both Android and iOS. The app uses device-level tracking technologies (advertising IDs, in-app SDKs), but you can manage these through your device’s privacy settings — iOS’s App Tracking Transparency prompt and Android’s advertising ID controls. The data collected via the app is subject to the same retention periods, security standards, and user rights as data collected through the website.

Leon is committed to transparent, lawful, and fair handling of your personal data — not just because GDPR requires it, but because trust is the foundation of any long-term relationship between a player and an operator. For any privacy-related queries, use the contact page. For the full account terms, check the terms and conditions. If you’re new and want to see what Leon offers before diving into the small print, the main overview page is a good starting point.