Request a presentation and discover the full potential of our ecosystem.
Cactus Ecosystem
Schedule a live demo
Schedule Now

Privacy Policy and Protection of Personal Data

Publication DateUpdate DateVersion
31/03/202519/02/20262.0

1 – Introduction

Cactus Gaming (“Cactus” or “Company”) is a technology provider specializing in the development of solutions for the gaming and betting industry, which values transparency, integrity, and security in the handling of personal data. In carrying out its activities, Cactus is committed to ensuring the protection of the information to which it has access, including data from customers, end users, employees, partners, and other third parties, in accordance with applicable legislation, especially the General Data Protection Law (LGPD – Law No. 13.709/2018).

This Privacy and Personal Data Protection Policy describes how personal data is collected, used, stored, shared, and protected, as well as defining the roles and responsibilities involved in these operations.

With regard to the personal data of its employees, Cactus Gaming acts in the capacity of Data Controller, being responsible for decisions related to the processing of this information, in accordance with the General Data Protection Law (LGPD – Law No. 13.709/2018).

In other activities related to the technological solutions it develops and operates, the Company may act as Data Operator or under a joint responsibility agreement., in accordance with the purpose of the processing, the instructions received and the contracts signed with third parties, as per Articles 5, VI and 39 of the LGPD (Brazilian General Data Protection Law).

Cactus maintains an appropriate governance structure to ensure the correct definition of responsibilities, the adoption of controls proportionate to the risks involved, and the continuous improvement of its personal data processing practices.

2 – Objective

This Policy aims to establish the guidelines, responsibilities, and essential information for the Personal Data Subject regarding how Cactus processes their information, what their rights are and how they can be exercised, as well as the security measures adopted to guarantee the protection of Personal Data during its processing, following the guidelines of the LGPD (Brazilian General Data Protection Law) and best practices in governance, risk management, and information security.

3 – Application and Scope

This Privacy and Personal Data Protection Policy applies to data subjects whose personal data is processed by Cactus, through physical or digital means, within the scope of its activities and operations.

The application of this Policy covers the processing of data carried out by reason of contractual, legal, regulatory, commercial, institutional and labor relationships, observing, in each case, the role played by Cactus Gaming as Controller or Operator Data, in accordance with the General Data Protection Law (LGPD – Law No. 13.709/2018).

4 – Definitions and Abbreviations

For a proper interpretation of this Policy, the following are some essential definitions:

Personal Data: Any information relating to an identified or identifiable natural person.

Sensitive Data: Data relating to racial or ethnic origin, religious beliefs, political opinions, trade union membership, health, sex life, genetic or biometric data.

Personal Data Processing: Any operation performed with personal data, such as those relating to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.

Data Subject: The individual to whom the processed personal data refers.

Controller: A natural or legal person responsible for making decisions regarding data processing.

Operator: Person who processes data on behalf of the controller.

Data Protection Officer (DPO): A professional designated to act as a communication channel between the company, data subjects, and data protection authorities.

General Data Protection Law (LGPD): Federal Law No. 13.709, of August 14, 2018, which provides for the Processing of Personal Data, including in digital media, by natural persons or legal entities under public or private law, with the objective of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.

National Data Protection Authority (ANPD): A special type of autonomous agency, linked to the Presidency of the Republic, which has responsibilities related to the protection of personal data and privacy and oversees compliance with Law No. 13.709/2018 (LGPD).

Privacy Incident: According to Article 46 of the LGPD (General Data Protection Law or Law No. 13.709/2018), it can be understood as any accidental or unlawful situations that result in the destruction, loss, alteration, unauthorized access, unlawful or inappropriate processing of personal data.

Elimination: This refers to the deletion of personal data or sets of personal data stored in databases, regardless of the method used.

AML (Anti-Money Laundering): A set of procedures and controls adopted to prevent the use of a company's structure or services to conceal or disguise the illicit origin of financial resources, so that they can be integrated into the formal economy with a legal appearance.

CFT (Combating the Financing of Terrorism): Measures and practices adopted to prevent and detect the use of financial resources in carrying out or supporting terrorist acts.

PEP (Politically Exposed Person): Any individual who currently holds or has held, within the last five years, a relevant public function, as well as their representatives, family members, and other individuals with whom they have a close relationship.

SPA/MF (Secretariat of Prizes and Betting – Ministry of Finance): The body within the Ministry of Finance responsible for the areas of fixed-odds betting, commercial promotions, philanthropic raffles, lotteries, and advance collection of popular savings. Its function is to authorize, grant, regulate, standardize, monitor, supervise, inspect, and sanction companies in the sector, in accordance with current legislation.

International data transfer: Transfer of personal data to a foreign country or international organization of which the country is a member.

 5 – Data Processing in the Role of Controller

To establish and maintain its direct relationship with data subjects, Cactus may act in the capacity of Personal Data Controller, being responsible for decisions regarding the purposes and means of processing, in accordance with Article 5, VI, of the General Data Protection Law (LGPD).

Under these conditions, the Company may process personal data provided directly by the data subject, by legitimately authorized third parties, or collected automatically through technologies, proprietary systems, data bureaus, and similar tools.

The processing of personal data, when carried out under your responsibility as the Controller, includes all operations involving personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, storage, sharing, processing, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.

These operations are carried out based on the legal hypotheses foreseen in the LGPD (Brazilian General Data Protection Law), observing legitimate, specific, explicit purposes informed to the data subject, as well as the principles of necessity, adequacy, and transparency.

Whenever acting as a Data Controller, Cactus may process different categories of personal data, according to the nature of the relationship established with the data subject, as described below, but not limited to the examples given in this Policy.

ActivityData TypesTreatment Hypothesis
Meeting requests via web, WhatsApp, and email.Full name, email address, phone number, and any other personal information provided by the data subject.Consent (Art. 7, I, LGPD)
Talk to us via Web, Whatsapp and E-mail.  Full name, email address, phone number, and any other personal information provided by the data subject.Consent (Art. 7, V, LGPD)
Data for hiring new employees.Full name, email address, phone number, CPF (Brazilian tax identification number), LinkedIn profile, country, city, salary expectations, and any other personal data provided by the applicant (resume).Execution of a contract or preliminary procedures (Art. 7, I, LGPD)  
Data from Cactus Gaming employees during their contractual period.Identification data: Full name, social name, General Registry (RG), Individual Taxpayer Registry (CPF), National Driver's License (CNH), professional registration (when applicable), military service certificate (when applicable), voter registration card, gender, color/race, and whether the person has a disability.Contact information: Email address and phone number.Emergency information: Relationship to the employee, name of the emergency contact, phone number of the emergency contact, and email address of the emergency contact.Professional and educational information: Work and Social Security Card (CTPS) and proof of academic qualifications.Address details: Proof of residence.Marital status information: Marriage certificate (when applicable).Dependents: Name, type of relationship with the employee, CPF (Brazilian tax identification number), date of birth, education level, email address, information about work incapacity, mother's full name, SUS (Brazilian National Health System) card number (CNS), and children's birth certificates (when applicable).  Execution of a contract or preliminary procedures (Art. 7, I, LGPD)
Cookies.We only collect cookies that are necessary for your browsing experience on the website.Consent (Art. 7, I, LGPD)
Report to the Authorities.Registration Data; Contact Data.Compliance with legal or regulatory obligation (Art. 7, II, LGPD)  
Measures to Prevent Fraud, Financial Crimes and Illicit Activities.Registration Data; Contact Data; Financial Information; Location Information.Compliance with legal or regulatory obligation (Art. 7, II, LGPD)

6 – Data Processing in the Role of Operator (White Label Model)

In the context of providing technological infrastructure, digital platforms, system integrations, and API connections for operators authorized to operate fixed-odds betting lotteries, Cactus acts predominantly in the capacity of: Personal Data Operator, pursuant to Article 5, VII, of the General Data Protection Law (LGPD).

In this capacity, the Company processes personal data. exclusively on behalf of and in accordance with the documented instructions of the respective Controller., which corresponds to the licensed operator responsible for directly offering services to end users (bettors).

When acting as Operator:

  • A Cactus does not define the purposes of the treatment of end users' personal data;
  • It does not independently determine the legal bases applicable to the processing;
  • We do not use personal data for our own purposes, commercial purposes, or purposes other than those established contractually;
  • Data processing is performed only to the extent necessary to enable the technical operation of the platform, including hosting, data processing, transaction records, fraud monitoring, integration with payment providers, and compliance with technical and regulatory obligations imposed on the Controller.

The processing may involve, according to instructions received from the Controller, registration data, contact data, financial data, transactional data, betting records, location information, access logs, data related to fraud prevention, AML/CFT and other categories necessary for the operation of the gaming platform.

Cactus may also use sub-operators to provide infrastructure services, cloud storage, information security, monitoring, and technical support, always through contractual instruments that ensure compliance with the obligations set forth in the LGPD (Brazilian General Data Protection Law) and in accordance with the guidelines established by the Controller.

The relationship between the Company and the respective Controller is formalized through specific contractual instruments, including Data Processing Agreements (DPAs), which establish the parties' obligations regarding confidentiality, information security, subcontracting, international data transfer, cooperation in addressing the rights of data subjects, and response to security incidents, in accordance with the General Data Protection Law (LGPD).

Any requests to exercise rights by data subjects should be directed to the respective Controller responsible for the direct relationship with the end user, with Cactus being responsible for providing the necessary technical support to meet these demands, as contractually stipulated.

ActivityData TypesTreatment Hypothesis (described by the Controller)
Receipt of the bettor's registration data (Art. 31, SPA/MF Ordinance No. 1,231/24 and SPA/MF Ordinance No. 2,579/25).Full name; Nationality; Individual Taxpayer Registry Number – CPF; Date of birth; Gender identification; Full address, which cannot be a post office box; Country of residence; Telephone number; Email address; Details of registered deposit or prepaid payment accounts; Prudential betting limit per elapsed time, linked to daily, weekly, monthly or other periods; Prudential betting limit per financial loss, linked to daily, weekly, monthly or other periods; IP address registered at the time of registration; Geolocation; and Scanned copy of a valid photo identification document (National Identity Card, General Registry – RG, National Driver's License – CNH or Passport).Execution of a contract or preliminary procedures (Art. 7, I, LGPD)
Authentication of Ownership (Art. 31, § 3°, I, SPA/NF Ordinance No. 1,231).Facial Biometrics; Personal Identification Data; Contact Information; Financial Data.Compliance with a legal or regulatory obligation (Art. 11, II, LGPD)
Monitoring of Behavior and Integrity Assessment of Betting (Ordinance SPA/MF No. 1,231/2024. Article 4, Item VI:)Registration Data; Financial Data; Game and Betting Information; Data on the implementation of tools for bettor protection; Betting History; Connection Information; Location Information.Compliance with legal or regulatory obligation (Art. 7, II, LGPD)
Handling requests (Ordinance SPA/MF No. 827/2024, Article 12, Item III)Registration Data; Financial Data; Game and Betting Information; Connection Information.Compliance with legal or regulatory obligation (Art. 7, II, LGPD)
Report to the Authorities (Ordinance SPA/MF No. 722/2024, Art. 42)Registration Data; Contact Data; Game and Betting Information; Financial Information; Connection Information.  Compliance with legal or regulatory obligation (Art. 7, II, LGPD)
Measures for the Prevention of Fraud, Financial Crimes and Illicit Activities (Ordinance SPA/MF No. 1,231/2024, Art. 30)Registration Data; Contact Data; Games and Betting Information; Financial Information; Location Information; Connection Information  Compliance with legal or regulatory obligation (Art. 7, II, LGPD)
Integration with payment gateways (Normative Ordinance SPA/MF No. 615/2024, Art. 3º)Registration Data/Financial Information.  Execution of a contract or preliminary procedures (Art. 7, I, LGPD)

7. Purposes of Processing Personal Data as a Data Controller

Cactus may process personal data for the following purposes:

Scheduling meetings and institutional contact.
Receive and respond to requests for meetings, business or institutional contacts made through the website, email, or messaging applications.

Customer service requests (“Contact Us”)
To process and respond to questions, communications, and requests submitted by data subjects through the company's official channels.

Recruitment and selection
Analyze candidate data for participation in selection processes and potential formalization of a contractual relationship.

Managing the relationship with employees
To manage the contractual relationship, including compliance with legal, labor, and administrative obligations, during the hiring period.

Website functionality (necessary cookies)
We use essential cookies to ensure proper browsing and correct website functionality.

Compliance with legal and regulatory obligations
To communicate and provide information to the relevant authorities when required.

Fraud and illegal activity prevention
Adopt control and monitoring measures aimed at preventing fraud, financial crimes, and other illegal practices.

7.1Purposes of Processing Personal Data as a Data Processor

Personal data may be processed, according to the Controller's instructions and in compliance with SPA/MF regulations applicable to the betting sector, for the following purposes:

Registration and qualification of the bettor
Receipt, validation, and registration of registration data for the creation and maintenance of the bettor's account, as per article 31 of SPA/MF Ordinance No. 1,231/2024.

Authentication and identity verification
Confirmation of account ownership, including through facial recognition, in accordance with applicable regulations.

Monitoring and integrity of bets
Analysis of registration, financial, transnational, and connection data to ensure the integrity of the betting environment and meet regulatory requirements.

Customer service and regulatory obligations
Data processing for handling requests, communications, and reports to the competent authorities, in accordance with SPA/MF regulations.

Prevention of fraud and financial crimes
Implementation of controls to mitigate illegal practices foreseen in the sector's regulations.

Payment processing
Integration with gateways and financial institutions to enable deposits and withdrawals linked to the bettor's account.

8- Storage and Retention of Personal Data

To ensure the confidentiality, integrity, and availability of the personal data we process, Cactus adopts technical and organizational measures aimed at guaranteeing that the information collected is securely stored on internal servers and systems or contracted cloud services. 

Furthermore, our internal and external systems have security features, defense mechanisms, and continuous monitoring in order to prevent unauthorized access and security incidents.

Furthermore, personal data is stored for the time necessary to fulfill the purposes for which it was collected. After the processing ends, the data will only be retained in the permitted cases, as provided for in Article 16 of the LGPD (Brazilian General Data Protection Law):

● Compliance with a legal or regulatory obligation by the controller;

● Study by a research body, ensuring, whenever possible, the anonymization of personal data;

● Transfer to a third party, provided that the data processing requirements set forth in the LGPD are respected;

● Exclusive use by the controller, access by third parties is prohibited, and the data is anonymized.

8.1 – Sharing of Personal Data

Cactus shares personal data with third parties, always limited to what is necessary and in accordance with applicable legislation, especially the LGPD (Brazilian General Data Protection Law). This sharing occurs in the following situations:

● Third-party service providers, business partners, and subcontractors for the execution of services and technical support;

● Regulatory bodies, government authorities, oversight entities, or judicial authorities, whenever there is a legal or regulatory obligation, or by express determination of these authorities.

  • When Cactus acts as a Data Processor, any sharing of personal data with third parties will occur exclusively upon documented instruction from the respective Controller and within the limits necessary for the execution of the contracted services. In these cases, Cactus will not share data on its own initiative or for purposes other than those defined by the Controller, limiting itself to technically enabling integrations, API connections, infrastructure services, processing, storage, or contracting previously authorized sub-operators, always observing the applicable contractual provisions and the requirements of the General Data Protection Law (LGPD).

8.2 – International Data Transfer

Cactus may transfer personal data internationally whenever necessary for the performance of its activities, including for the use of technological infrastructure services, cloud storage, processing systems, security tools, monitoring and communication, which may be located outside of Brazilian territory.

International transfers carried out by Cactus will comply with the authorization requirements set forth in Article 33 of the General Data Protection Law (LGPD), including, where applicable:

  • Transfer to countries or international organizations that provide a level of personal data protection adequate to that stipulated in the LGPD (Brazilian General Data Protection Law);
  • The execution of specific contractual clauses or standard clauses approved by the National Data Protection Authority (ANPD);
  • The adoption of contractual instruments with sub-operators and suppliers that ensure compliance with the provisions of the LGPD (Brazilian General Data Protection Law) and adequate guarantees of security and confidentiality;
  • other valid mechanisms provided for in applicable legislation.

When acting as a Data Processor, Cactus will only carry out international transfers upon instruction from the respective Controller or as contractually stipulated, ensuring the implementation of appropriate technical, administrative and legal safeguards for the protection of personal data.

8.3 – Legal Basis for Treatment

The LGPD (Brazilian General Data Protection Law) establishes that all data processing activities must be supported by a valid legal basis, adequate to the purpose of the processing. Below, we list the legal bases used by Cactus for processing personal data:

● Compliance with a legal or regulatory obligation;

● Execution of a contract or preliminary procedures related to a contract;

● Regular exercise of rights;

● Consent of the data subject;

● Fraud prevention and data subject security; 

● Credit protection;

● Legitimate interest.

9 – Rights of Data Subjects

The data subject has the following rights regarding the processing of their personal data by the Controller, as stipulated by the LGPD (Brazilian General Data Protection Law):

● Confirmation of the existence of treatment;

● Access to data;

● Correction of incomplete, inaccurate, or outdated data;

● Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data;

● Data portability to another service or product provider, upon express request;

● Deletion of personal data processed with the consent of the data subject, except in the cases provided for in Article 16 of this Law;

● Information on the public and private entities with which the controller has shared data;

● Information about the possibility of not providing consent and the consequences of refusal;

● Revocation of consent at any time.

10 – Cookies

Cactus, through its website, uses and collects 'cookies'. These cookies are used to store information, including visitor preferences and the pages of the website that the visitor accessed or visited. The information is used to optimize the user experience, personalizing the content of our page based on the visitor's browser type and/or other information.

11 – Security Measures

To ensure the security of Personal Data processed by Cactus, rigorous security measures are implemented, including technical, administrative, organizational, and physical measures, considered suitable to protect personal data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of or access to the Personal Data we process or use, including:

● Internal information security policies, reviewed periodically and aligned with best market practices;

● Regular employee training on information security and data protection; Access control and user authentication;

● Encryption and protection of stored and transmitted data;

● Continuous monitoring and periodic audits to detect vulnerabilities.

11.1 – Privacy Incidents

In the event of security incidents that may pose a significant risk or harm to data subjects, Cactus will take appropriate action and notify the ANPD (Brazilian National Data Protection Authority) and the affected data subjects, in accordance with the deadlines and procedures (SLA) defined by Resolution CD/ANPD No. 15/2024.

12 – Contact information for the Data Protection Officer (DPO)

Cactus informs that, in accordance with Resolution CD/ANPD No. 18/2024, we provide an email address to contact the Data Protection Officer (DPO): [email protected], responsible for acting as a communication channel between the data subject, Cactus, and the National Data Protection Authority (ANPD).

If you have any questions regarding this Personal Data Privacy Policy, or to exercise your rights, you can contact us via the respective email address.

13 – Record Keeping

All internal documents must be updated every 12 (twelve) months or in a shorter period if necessary.

14 – Assessment of Security and Privacy Violations

The Information Security and Privacy area will be responsible for auditing the controls adopted in this policy, as well as for the appropriate monitoring of these controls.

Any violation of this Policy will be evaluated by the Information Security and Privacy area.