Privacy Policy for Carnival

Last Updated: May 10, 2025

Toast Studios, Inc. ("Toast," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Carnival application ("Carnival" or the "App" ) and related services (collectively, the "Services"). By using the Services, you agree to the terms of this Privacy Policy.

1. Information We Collect

We collect information that identifies, relates to, describes, or is reasonably capable of being associated with you (“Personal Information”). This includes:

• Account Information: When you create an account, we collect your name, email address, username, password, date of birth, and profile picture. This allows us to register you and comply with age restrictions.
• Payment and Financial Information: To facilitate deposits and withdrawals, we (via our payment processors) collect payment details such as credit/debit card numbers, bank account information, billing address, and transaction history. We may also record deposit and withdrawal amounts and dates. Note: Carnival itself does not store full card numbers – these are handled by our PCI-compliant processor – but we retain transaction records. All entry fees and pending prizes are maintained in a segregated, FDIC-insured player-funds account. They are never commingled with operating capital.
• Identity Verification Data: For compliance and security (Know-Your-Customer and Anti-Money Laundering) purposes, we may collect additional data such as government-issued ID numbers (e.g., driver's license or last four of SSN) or verification documents you provide. This information is used strictly to confirm your identity and eligibility (e.g., age and state) and to satisfy legal obligations.
• Usage Data: We gather information about your interactions with Carnival, including your game play history (games played, scores, wins/losses), tournament entries, rankings, in-app preferences, and the amount of time spent on the app. We also log events like deposits, withdrawals, and promotional bonuses for your account. This data helps us operate the competitions, match you with opponents, and improve our Services.
• Device and Technical Information: We collect data about the device and software you use to access the App. This includes IP address, device identifiers (e.g., IDFA/GAID for mobile), operating system version, device type/model, browser type (if applicable), network information, and app version. We use this information for debugging, optimizing performance, and verifying that you're in an eligible location (see Geolocation below).
• Geolocation Data: Because Carnival's real-money contests are only available in certain jurisdictions, we collect your precise geolocation data when you use the App. For example, we may use GPS or IP address lookup to confirm you are located in a permitted state when entering a cash tournament. Location data is only collected during gameplay or cash transactions, and not when you are not actively using Carnival.
• Communications Data: If you contact us for support or feedback, or participate in surveys or promotions, we collect the information you provide. This may include your correspondence, email address, phone number (if used for SMS verification or support), and any attachments/screenshots. We use this to address your inquiries and improve customer service.
• Cookies and Similar Technologies: We (and our analytics providers) use cookies, beacons, and SDKs in the App to automatically collect certain usage data. This may include pages or screens you view, actions you take (like button clicks), and error reports. For more details, see Cookies and Tracking below.

2. How We Use Your Information

We use Personal Information for the following purposes, which align with the operation of a skill-gaming platform and our legal obligations:

• Provide and Improve Services: We use account and device information to create and maintain your account, enable gameplay, track scores and rankings, match you with opponents of similar skill, and operate tournaments. Usage and device data help us debug issues, analyze game fairness, and improve features.
• Facilitate Transactions: Payment and financial data are used to process your deposits and withdrawals, confirm payment authorization, and keep an accurate ledger of your account balance. We also use this info to detect suspicious transactions (see Security/Compliance below).
• Ensure Security and Compliance: We use personal data to verify your identity and eligibility (e.g., age and location) and to prevent fraudulent activities such as multiple accounts or unauthorized payments. Geolocation data ensures you're in a permitted region before allowing cash play. We also use data to enforce our Terms of Use and comply with applicable laws and regulations, including anti-fraud and anti-money laundering requirements. For example, identity documents may be used to fulfill KYC verification mandated by financial regulators, and we may use usage patterns to detect and block cheating or bot use.
• Communicate with You: We use your contact information to send service-related communications. This includes confirmations of transactions (deposit receipts, withdrawal confirmations), notifications of contest outcomes (e.g., "You won!" or "Tournament results"), important account or security alerts, and updates about changes to our Terms or Privacy Policy. We may also respond to your inquiries on support channels and provide troubleshooting assistance via email or in-app chat. (If you consent to receive SMS messages for account security or promotions, we will send texts to the provided number. Standard message/data rates apply. You can opt-out by replying STOP at any time.)
• Marketing and Promotions: With your consent where required, we may use your email or push notification token to send promotional materials. This could include bonus offers, new game announcements, or loyalty rewards. We strive to send you offers that are relevant to you based on your gameplay or preferences. You can opt out of marketing emails at any time by clicking the unsubscribe link, and you can manage push notification preferences in the app settings. Opting out of marketing will not affect transactional communications (which you will still receive).
• Analytics and Personalization: We may use cookies and usage data to analyze how players use Carnival, in order to personalize your experience. For instance, we might recommend tournaments you'd be interested in, or tailor the home screen for you (e.g., showing your favorite game genre first). We also use aggregated data to understand overall user behavior and preferences, which guides our development of new features and games.
• Legal and Administrative: We may use or retain your information as needed to handle disputes or inquiries (e.g., investigating a contested outcome in a tournament), to exercise or defend legal claims, for audits and compliance checks, or as otherwise required by law, court order, or regulatory authorities. For example, we keep records of winnings and payouts to comply with tax reporting obligations (see Section 6 on Data Retention).
• Anti-Money Laundering ("AML") & Fraud Monitoring: We analyse deposits, withdrawals, gameplay telemetry, and device signals to detect unusual or suspicious patterns, comply with the Bank Secrecy Act, and file Suspicious Activity Reports ("SARs") or Currency Transaction Reports ("CTRs") where legally required.

3. Sharing Your Information

We do not sell your personal information to third parties for profit. However, we do share certain categories of information with third parties for legitimate operational purposes, as follows:

• Service Providers: We share necessary personal information with trusted third-party companies that perform services on our behalf. These include:
  • Payment Processors: for processing credit card, debit card, or ACH transactions (e.g., Finix, Stripe, LinkMoney). These processors receive your payment details and billing info to execute deposits/withdrawals. They are authorized to use this data only as needed to process transactions and comply with law.
  • Identity Verification Services: for KYC checks (e.g., services that verify your ID against databases to confirm your age and identity). They might receive info like your name, address, DOB, and last four of SSN or an ID document scan, and return a verification result.
  • Cloud Hosting and Data Storage: (e.g., AWS) that host our application and databases. Personal data is stored on their secure servers but remains under our control and subject to strict protections via contract.
  • Analytics Providers: (e.g., Google Analytics, or in-app analytics tools) that help us understand usage patterns. These providers may set cookies or collect device identifiers and usage info. We use aggregated insights (e.g., app performance metrics, user funnel stats) from them to improve Carnival.
  • Customer Support Platforms: (e.g., Zendesk or Intercom) that manage support tickets or in-app chats. If you contact support, your communications may route through these platforms, which will see things like your email and support issue details.
  Each service provider is contractually obligated to protect your data, use it only for the services they perform for us, and to adhere to applicable privacy laws.
• Legal and Regulatory: We may disclose your information to government authorities, regulators, or law enforcement if required by law or legal process, or if we believe in good faith that such disclosure is necessary to: (i) comply with a legal obligation (subpoena, court order, or similar); (ii) protect our rights, property, and safety or those of our users or the public; or (iii) investigate and address fraud or security issues. For example, if a state gaming authority or financial regulator requests information as part of an inquiry, we may provide it. We will attempt to notify you of such requests when allowed, unless prohibited by law.
• Business Transfers: If we undergo a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred to the successor entity as part of that transaction. In such cases, we will ensure the recipient agrees to handle your data in a manner consistent with this Privacy Policy, and we will notify you (e.g., via email or notice on our site) of any change in data ownership or new privacy policy if applicable.
• Contest Winner Information: For transparency in large tournaments, we may publish winners' usernames and general location (e.g., city, state) on leaderboards or winner announcement pages. We will not publish personal contact info. This is standard to showcase contest outcomes and is often required by contest rules.

4. Third-Party Services and Links

Carnival may contain links to or integrations with third-party websites or services. For example:

• You might click an external link to a community forum or social media group for Carnival players.
• We offer social login options, allowing you to sign in using a Google, Apple, or Facebook account, which are governed by those platforms' privacy policies.
• Our payments are handled by third-party gateways which might present you with their terms or privacy notices when entering payment info.

Please note that these third-party websites and services operate independently of Carnival and have their own privacy policies. We encourage you to review the privacy policy of any third-party service you interact with through our app. We do not control the content or practices of these external services, and thus we cannot be responsible for their handling of your data. However, if you have an issue specifically with a service integrated into Carnival (for instance, a payment processor), you can contact us and we will try to help resolve it or direct you appropriately.

5. Cookies and Tracking Technologies

We and our service providers use cookies and similar tracking technologies to collect information automatically:

• Cookies: These are small data files stored on your device. In our mobile app, we use analogous techniques (since traditional browser cookies aren't used in apps) like local storage or secure cookies in WebViews. These help us remember your preferences and authentication status. For example, a cookie might keep you logged in by remembering your session token, or it might note that you've seen a certain in-app tutorial so we don't show it again.
  
  
• Analytics SDKs: We include third-party Software Development Kits (SDKs) such as Firebase Analytics or Adjust, which automatically collect usage events (like level completions, button clicks) and device data (like OS version, device model). This helps us analyze user engagement and the effectiveness of marketing campaigns.
  
  
• Web Beacons & Pixels: If we send emails, we may use pixel tags to tell if you open the email, which helps us gauge interest in our communications. Similarly, on any web landing pages we have, pixels might track conversions (e.g., clicking a download link).
  
  

Your Choices: When using our website, you can manage cookies through your browser settings – for example, you can refuse or delete cookies. On the mobile app, you can reset your advertising identifier (which affects tracking) or limit ad tracking in your device settings. Note that disabling certain tracking (like analytics) might impact our ability to improve the product, but it's your right. We currently do not respond to "Do Not Track" signals in the context of the app because there is no consistent industry standard for them, but we respect the Global Privacy Control (GPC) signal for California users as an opt-out of sale/sharing (though we don't sell data, we treat GPC as a request to limit data sharing for targeted advertising). More information on opting out is provided in the California section below.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Services. This means:

• Basic account information (like your name, email, age) is kept while you have an account with Carnival.
  
  
• Gameplay records, transaction history, and communications are retained as long as you have an account, and for a reasonable period (in case of dispute) thereafter. For example, if you delete your account, we may still retain records of deposits, withdrawals, and wins for 10 years to satisfy financial and tax regulations.
  
  
• Geolocation verification logs are kept for a shorter period (e.g., 5 years, aligning with some gaming regs) unless tied to a dispute.
  
  

We also retain data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. For instance, we keep records of payouts and tax reporting for at least the period required by the IRS (generally 3-7 years). If you were banned for fraud, we might keep device or account identifiers to block future attempts to re-register, as permitted by law.

When personal data is no longer necessary for the purposes described above, we will securely delete, destroy, or anonymize it. Anonymization means we remove personally identifying components so that the data can no longer be linked to you – we might do this to retain aggregated game statistics (e.g., total games played) without retaining your personal details.

7. Data Security

We implement industry-standard security measures to protect your information from unauthorized access, disclosure, or misuse. These measures include:

• Encryption of sensitive data in transit (TLS 1.2/1.3 HTTPS for all communications between the app and our servers) and encryption at rest for personal and financial data.
• Secure firewalls and network monitoring to protect our servers from intrusions.
• Access controls within our organization: only employees or contractors with a need-to-know (for example, customer support or fraud team) can access personal data, and they use authenticated, logged sessions.
• Training our staff on privacy and security best practices.
• All card transactions are tokenised and processed exclusively by PCI-DSS Level 1 service providers (Stripe or Finix); Carnival's servers never store un-tokenised card numbers.

Despite our efforts, no method of transmission or storage is 100% secure. We thus cannot guarantee absolute security of information. However, we will promptly notify users and relevant authorities of any data breaches as required by law. We also encourage you to help keep your data safe: use a strong, unique password for Carnival, do not share your credentials, and update your software to the latest versions.

If you have reason to believe that your interaction with us is no longer secure (for example, if you feel your account has been compromised), please immediately contact us (see Contact Us section below).

8. Your Rights and Choices

Depending on your location and applicable law, you may have certain rights regarding your personal data. We provide mechanisms to exercise those rights as follows:

• Access and Portability: You have the right to request a copy of the personal information we hold about you, and to obtain it in a portable format (to the extent required by law). For example, California residents can request a report of specific pieces of data we have collected. We will provide this in a commonly used electronic form.
• Correction (Rectification): If any of your information is inaccurate or outdated, you have the right to request we correct it. You can also update much of your profile info directly in-app.
• Deletion: You can request that we delete your personal data. This is also known as the "right to be forgotten." There are exceptions – if we have a legal obligation or compelling legitimate interest to keep certain data, we will inform you. For instance, we cannot immediately delete records of financial transactions due to anti-fraud and accounting requirements, but we can deactivate your account and archive the data until the retention period lapses. When you delete your account via the app or by contacting support, we will remove or anonymize personal info not subject to an exception within a reasonable time.
• Restriction of Processing: You have the right to ask us to limit processing of your data in certain circumstances – e.g., while a requested correction is pending, or if you have objected to processing (see below) and we're evaluating that request.
• Objection to Processing: If we process your data on the basis of legitimate interests, you can object to that and we will consider your request. For instance, EU users can object to certain analytics or personalization processing. If you object to marketing, we will cease marketing (that's an absolute right). If you object to other processing (like location collection), we will either stop or provide a compelling justification allowed by law for continuing (which is unlikely in our context).
• Opt-out of "Sale"/"Sharing": As we clarify, we do not sell personal data. However, California law defines "sharing" for targeted advertising as something you can opt out of. While we currently do not share data for cross-context behavioral advertising, if that changes we will provide a "Do Not Sell or Share" link. In any case, California, Nevada, and certain other state residents can submit a request to opt out of any future sale of their personal info, and we will honor it.
• Automated Decision-Making: Carnival does not make any legally significant decisions about you based solely on automated algorithms. Game matchmaking and outcome determination are automated (since it's skill-based scoring), but these do not produce legal or similarly significant effects on you – they just produce game results based on your performance. Thus, this is not the type of automated decision the law typically allows you to contest. If you believe otherwise, you may contact us for an explanation or to contest any decision.

Exercising Your Rights: To make any request regarding your personal data, please contact us at support@carnivalplay.com. Please specify your request clearly (e.g., "I am requesting a copy of my data" or "Please delete my account and data"). We may need to verify your identity before fulfilling the request – typically by confirming control of your account email or asking for certain account info. Authorized agents: If you are an authorized agent making a request on behalf of someone (as allowed under CCPA), you must provide proof of authorization (e.g., a signed permission), and we will also verify the data subject's identity directly.

We will respond to access or deletion requests within 45 days as mandated by CCPA (or sooner if required by another law). If we need an extension (up to an additional 45 days), we will inform you of the reason.

These rights may be subject to certain exceptions under applicable law. For instance, if fulfilling your deletion request would interfere with another user's rights or with a legal obligation (like if you were involved in a fraud case), we might need to retain some information.

9. Region-Specific Disclosures

California (CCPA/CPRA): If you are a California resident, you have specific privacy rights under the California Consumer Privacy Act (as amended by the CPRA). This Privacy Policy is designed to comply with CCPA. In the past 12 months, we have collected the following categories of personal information (as defined in CCPA) from users:

• Identifiers (like name, email) and similar info
• Personal information categories under Cal. Civ. Code §1798.80 (like payment info, some of which overlaps with Identifiers)
• Characteristics of protected classifications (age/date of birth, which we collect for eligibility and COPPA compliance)
• Commercial information (transaction history on our platform)
• Internet or other electronic network activity (device and usage data)
• Geolocation data
• Inferences drawn from above (to personalize content)

Purposes were as described in Section 2. We do not sell or share (for targeted advertising) personal information. We do not have actual knowledge of selling or sharing data of consumers under 16. California users can exercise the rights listed in Section 8 – access, deletion, correction, etc. – and also the right to limit use of sensitive personal info (however, we only use sensitive info like precise geolocation or SSN for necessary purposes of verification/security, not for secondary purposes requiring an opt-out). California's "Shine the Light" law (Civ Code §1798.83) allows customers to request certain info about our disclosure of personal data to third parties for their direct marketing. We have not disclosed data to third parties for their own direct marketing. You may contact us at support@carnivalplay.com for any further questions about CCPA compliance.

10. Children's Privacy

Carnival is not intended for individuals under the age of 18. We do not knowingly collect or solicit personal information from anyone under 18 years of age. Our Services are designed and marketed for adults (and we often further require 18+ for cash play in all cases, and 21+ for certain games). If you are under 18, please do not attempt to register or send any information about yourself to us. If we learn that we have inadvertently collected personal data from a child under 18, we will delete that information as soon as possible. If you believe we might have any information from or about a minor, please contact us immediately (see Contact Us below).

11. Changes to This Privacy Policy

We may revise this Privacy Policy from time to time. If we make material changes (for example, if we start collecting additional categories of personal data or begin using data for new purposes), we will notify you by updating the "Last Updated" date at the top and, where appropriate, by other means (e.g., an in-app notification or email). We encourage you to review this page periodically to stay informed about our data practices. Your continued use of Carnival after any changes to this Privacy Policy become effective constitutes acceptance of those changes. If you do not agree to the revised policy, you should stop using the Services and may request deletion of your data.

12. Our Lawful Bases for Processing

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

You may also use the above contact information to appeal any decision we have made with respect to your privacy rights (for example, if you requested access or deletion and are unsatisfied with our response, let us know and we will review the matter).

(End of Privacy Policy)