Legal Document

Privacy Policy

Effective Date: March 1, 2026 · Last Updated: March 10, 2026

We respect your privacy and are committed to protecting your personal data. This Privacy Policy complies with the General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 - and Dutch data protection law (Uitvoeringswet AVG).

1. Data Controller

The data controller responsible for your personal data is:

Gustavo Colin
Email: dpo@backendofluck.com
Website: thebackendofluck.com
Country: Netherlands

2. Data We Collect

2.1 Data You Provide Directly

  • Purchase information: Name and email address (collected by our payment processor, Gumroad)
  • Communication data: Email address and message content when you contact support
  • Newsletter subscription: Email address (opt-in only)

2.2 Data Collected Automatically

  • Website usage data: Pages visited, time spent, referral source (via Google Analytics with anonymized IP addresses)
  • Technical data: Browser type, operating system, device type, screen resolution
  • Log data: IP address (anonymized), access timestamps, HTTP status codes

2.3 Data We Do NOT Collect

  • We do NOT process payment card numbers, bank account details, or financial data directly. All payment processing is handled by Gumroad.
  • We do NOT collect special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health data, etc.).

3. Purpose and Legal Basis

Purpose | Legal Basis (GDPR Art.)
Deliver the purchased Book and provide access | Contract performance (Art. 6(1)(b))
Customer support and communication | Contract performance (Art. 6(1)(b))
Send product updates related to your purchase | Legitimate interest (Art. 6(1)(f))
Newsletter and marketing emails | Consent (Art. 6(1)(a))
Website analytics and improvement | Legitimate interest (Art. 6(1)(f))
Fraud prevention and license enforcement | Legitimate interest (Art. 6(1)(f))
Legal and tax obligations | Legal obligation (Art. 6(1)(c))

4. Data Retention

  • Purchase records: Retained for 7 years (Dutch fiscal retention obligation under AWR)
  • Customer support emails: Retained for 2 years after last communication
  • Newsletter subscription data: Retained until you unsubscribe
  • Website analytics: Anonymized data retained for 14 months (Google Analytics default)
  • Server logs: Retained for 90 days, then automatically deleted

5. Third-Party Data Processors

We share personal data with the following third parties, each acting as a data processor under GDPR:

Service | Purpose | Data Shared | Location
Gumroad, Inc. | Payment processing and product delivery | Name, email, payment details | United States*
Google Analytics | Website usage analytics | Anonymized IP, usage data | United States*

*International transfers to the United States are covered by the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs) as applicable. See Section 9 for details.

6. We Do Not Sell Your Data

We do NOT sell, rent, or trade your personal data to third parties. We do not participate in data broker activities. Your data is used solely for the purposes described in this Privacy Policy.

7. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
  • Right to restriction (Art. 18): Request that we limit processing of your data
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interest, including direct marketing
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent

How to Exercise Your Rights

To exercise any of these rights, contact us at dpo@backendofluck.com with the subject line "GDPR Request". We will respond within 30 days as required by GDPR Article 12(3). We may ask you to verify your identity before processing your request.

Right to Lodge a Complaint

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 85 00

7a. Granular Consent

Consent is sought separately for each purpose, as required by GDPR Art. 7(2) and Recital 43 (no "bundled" consent). Subscribing to the newsletter does not grant consent for affiliate marketing; purchasing the Book does not grant consent for the newsletter. Each checkbox is independent and unchecked by default (Planet49, CJEU C-673/17, 1 October 2019).

Messages sent to the DPO vs. marketing

Any email you send to dpo@backendofluck.com to exercise your rights is processed only for that request (GDPR Art. 5(1)(b) purpose limitation). We do not add DPO correspondents to the newsletter or any marketing campaign. If, while we are resolving your request, you also want to subscribe to the newsletter, just say so in the same thread and we will record a separate, specific consent (GDPR Art. 7(2)); your address appears in the list only after that confirmation, never before.

7b. Scope — Gaming and Casino Data

This website is an editorial and educational publication about the engineering behind iGaming platforms. We do not operate a casino, sportsbook, or any real-money game on this domain. We do not collect wallet balances, bet history, game outcomes, KYC documents, source-of-funds evidence, self-exclusion registrations or any other player-side data from visitors.

Where the Book describes data typical of a licensed operator — player wallet, AML/SAR alerts, responsible-gambling limits, RNG audit logs — that material is technical and illustrative, drawn from anonymised real-world architectures. An operator applying the patterns to its own platform is the controller of that data under its own lawful bases (typically GDPR Art. 6(1)(b) contract performance, Art. 6(1)(c) legal obligation for regulatory reporting, and Art. 6(1)(f) legitimate interest for fraud detection with a documented DPIA).

7c. Brazilian Visitors — LGPD Parity

For visitors in Brazil, the same personal data is also treated in compliance with the Lei Geral de Proteção de Dados — LGPD (Lei nº 13.709/2018). You hold the nine rights listed in LGPD Art. 18 (confirmation, access, correction, anonymisation, portability, deletion, information on sharing, information on refusal, and withdrawal of consent). The Brazilian supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD), gov.br/anpd. The Portuguese edition of this notice and the Cookie Policy live at portrasdasorte.com.br/privacy.html.

8. Cookies

Our website uses a minimal cookie approach:

8.1 Essential Cookies

We use only essential cookies that are strictly necessary for the functioning of the website (e.g., session management). These do not require consent under the Dutch Telecommunicatiewet (Article 11.7a) as they are technically necessary.

8.2 Analytics Cookies

If Google Analytics is enabled, it uses cookies to collect anonymized usage data. Google Analytics is configured with:

  • IP anonymization enabled (last octet masked)
  • Data sharing with Google disabled
  • Advertising features disabled

You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

8.3 No Third-Party Tracking Cookies

We do NOT use advertising cookies, social media tracking pixels, or any third-party tracking technologies beyond the analytics described above.

9. International Data Transfers

Some of our third-party processors are based in the United States. We ensure adequate protection for international data transfers through:

  • EU-US Data Privacy Framework: Where processors are certified under the framework
  • Standard Contractual Clauses (SCCs): Approved by the European Commission (Decision 2021/914) where the Data Privacy Framework does not apply

10. Children's Privacy

Our website and the Book are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us immediately and we will delete it.

11. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • TLS 1.2/1.3 encryption for all data in transit
  • Access controls limiting data access to authorized personnel only
  • Regular security updates and server hardening

12. Updates to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to affected individuals. The "Last Updated" date at the top of this page indicates the most recent revision. We encourage you to review this page periodically.

13. Contact

For any questions or concerns about this Privacy Policy or our data practices, contact:

Gustavo Colin
Email: dpo@backendofluck.com
Website: thebackendofluck.com
Country: Netherlands