Privacy Policy - Funhideoutsprout

Last updated: January 2026 | Effective Date: 1 January 2026 | Document Version: 4.2

Neon shield protecting digital data privacy illustration

1. Introduction & Scope

Welcome to Funhideoutsprout ("we", "our", "us"). We are committed to protecting your privacy and personal data. This Privacy Policy explains in detail how we collect, use, store, transfer, and safeguard the information you provide when visiting our website at funhideoutsprout.world or interacting with our social casino entertainment services. By using our platform, you consent to the practices described in this policy.

This Privacy Policy applies to all visitors, registered users, newsletter subscribers, contest participants, and any other individuals whose personal data we process in the course of operating Funhideoutsprout. It covers data processed through our website, mobile-optimized interfaces, email marketing channels, customer support communications, social media interactions, and any future digital touchpoints we may launch.

We have designed this Privacy Policy to be transparent, comprehensive, and accessible. If anything in this document is unclear, we encourage you to contact our Data Protection Officer for clarification before using the Platform.

2. Who We Are (Data Controller Information)

The data controller responsible for the processing of your personal data is:

Funhideoutsprout Oy
Eteläesplanadi 22 B, 4th Floor
00130 Helsinki, Finland
Business ID (Y-tunnus): FI-2917648-3
VAT Number: FI29176483
Phone: +358 9 6815 4720
Email: [email protected]
Data Protection Officer: Mr. Eero Lindström — [email protected]

We are registered with the Finnish Trade Register and supervised by the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu).

GDPR compliance neon shield with EU stars and digital lock

3. Information We Collect

We collect the following categories of information when you interact with our platform:

Email Addresses — voluntarily submitted via our forms (hero section, footer subscription, modal popups, contact, promotions, free spins, and VIP signup).
Submission Metadata — timestamp, source URL, page path, form identifier, and submission ID.
Technical Data — IP address (anonymized to /24 subnet), browser type and version, operating system, device type, screen resolution, language preferences, and referral source.
Usage Data — pages visited, time spent on site, scroll depth, click patterns, hover events, and interaction sequences (collected through analytics cookies with consent).
Optional Communications — messages submitted via our contact form, email correspondence, and any feedback you provide voluntarily.
Marketing Preferences — newsletter subscription status, email open and click engagement, opt-out timestamps.
Game Interaction Data — non-personally-identifiable interaction logs from the KungFu Slot demo for performance optimization (e.g. spin counts per session, average session length).
Cookie & Local Storage Identifiers — anonymized session tokens, consent records, and device fingerprint hashes (where consented).

We do not collect: payment data, banking information, government IDs, biometric data, health information, or sensitive personal data of any kind. We are an entertainment-only platform and have no business need for such information.

4. How We Use Your Information

Your information is used strictly for the following purposes:

Sending VIP rewards, promotional offers, free spin notifications, and platform updates you have subscribed to.
Personalizing your in-platform experience, theme preferences, and language defaults.
Improving our website performance, accessibility, security architecture, and overall user experience.
Detecting and preventing fraud, spam, bot traffic, and abuse via honeypot fields, rate limiting, and behavioural analysis.
Complying with legal obligations under EU and Finnish data protection law, including record-keeping for consent management.
Responding to support inquiries, customer feedback, and legal requests.
Conducting aggregated, anonymized statistical analysis to inform product roadmap decisions.
Communicating service-related notices such as planned maintenance, security advisories, or material policy changes.

We never sell, rent, lease, or trade your personal information to any third party for marketing purposes. We do not engage in cross-context behavioural advertising or audience-sharing arrangements.

5. Legal Basis for Processing (GDPR Article 6)

Under the General Data Protection Regulation (EU 2016/679), we process your data on the following legal grounds:

Consent (Art. 6(1)(a)) — when you submit your email through our forms, accept cookies, or opt in to marketing communications. Consent can be withdrawn at any time.
Legitimate Interest (Art. 6(1)(f)) — analytics, fraud prevention, network security, and platform improvement, balanced against your fundamental rights.
Legal Obligation (Art. 6(1)(c)) — compliance with retention, reporting, tax, and consumer-protection requirements under Finnish and EU law.
Contractual Necessity (Art. 6(1)(b)) — where processing is required to deliver a service you have specifically requested.

6. Data Storage, Security & Retention

All data is stored on encrypted servers located within the European Economic Area (EEA), specifically in our primary data centres in Helsinki, Finland and Frankfurt, Germany, with redundant backup in Stockholm, Sweden. We apply industry-standard and where appropriate, beyond-industry-standard security measures including:

TLS 1.3 encryption for all data in transit.
AES-256 encryption at rest for personal data fields.
Sanitized form input validation and parameterized database queries.
Honeypot anti-bot protection and rate-limited submission endpoints.
Strict role-based access controls with mandatory two-factor authentication for staff.
Quarterly third-party penetration testing and continuous vulnerability scanning.
24/7 SIEM monitoring and incident response capability.
Encrypted, geographically separated daily backups with 90-day rolling retention.

Retention periods: Newsletter and marketing data is retained for up to 24 months from the last engagement. Analytics data is retained for 14 months in identifiable form, then anonymized indefinitely. Contact form messages are retained for 36 months for support continuity. Consent records are retained for 7 years to demonstrate compliance. After retention periods expire, data is securely deleted using cryptographic erasure or DoD 5220.22-M overwrite standards.

7. Cookies & Tracking Technologies

We use cookies and similar technologies to provide functionality, analytics, and personalization. For detailed information about the categories of cookies we use, please review our Cookie Policy. You can manage your preferences through your browser settings or our cookie consent banner. We honour all "Do Not Track" browser signals and Global Privacy Control (GPC) headers.

8. Your Rights Under GDPR

As a data subject, you have the following rights, exercisable free of charge:

Right of Access (Art. 15) — request a copy of your personal data along with details of how it is processed.
Right to Rectification (Art. 16) — correct inaccurate or incomplete data without undue delay.
Right to Erasure (Art. 17) ("right to be forgotten") — request deletion of your data when no longer necessary.
Right to Restrict Processing (Art. 18) — limit how we use your data while disputes are resolved.
Right to Data Portability (Art. 20) — receive your data in a structured, machine-readable format (JSON or CSV).
Right to Object (Art. 21) — opt out of processing based on legitimate interests, including marketing.
Right to Withdraw Consent (Art. 7(3)) — at any time, without affecting prior lawful processing.
Right Not to Be Subject to Automated Decision-Making (Art. 22) — we do not engage in profiling that produces legal effects.
Right to Lodge a Complaint (Art. 77) — with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi.

To exercise any of these rights, contact us at [email protected]. We respond to all verified requests within 30 days, with a possible 60-day extension for complex cases (you will be notified of any extension).

Neon control panel showing user data rights and privacy controls

9. Third-Party Services & Sub-Processors

We use a limited number of trusted third-party processors strictly for operational purposes. Each is bound by a Data Processing Agreement (DPA) compliant with GDPR Article 28. Current sub-processors include:

Hetzner Online GmbH (Germany) — primary cloud hosting and data storage.
Cloudflare Inc. (EU region) — DDoS protection, CDN, and edge security.
Postmark / Wildbit (EU region) — transactional and marketing email delivery.
Plausible Analytics (Estonia) — privacy-respecting, cookieless analytics.
Sentry (EU region) — application error monitoring.

We do not authorize any third party to use your data for their own marketing or to combine it with data from other sources. A current and complete list of sub-processors is available upon request.

10. Children's Privacy

Funhideoutsprout is intended exclusively for users aged 18 and older. We do not knowingly collect personal information from minors. If we discover that a user is under 18, we will immediately delete their data and terminate any associated subscriptions. If you are a parent or guardian and believe a minor has provided us with personal data, please contact us at [email protected] for immediate action.

11. International Data Transfers

Your data is primarily stored within the EU/EEA. In rare cases where data must be transferred outside the EEA (for example, when communicating with users located in third countries), we ensure adequate safeguards are in place, including:

European Commission adequacy decisions for the destination country.
Standard Contractual Clauses (SCCs) approved by the European Commission (2021/914).
Supplementary technical measures including end-to-end encryption.
Transfer Impact Assessments (TIAs) for each non-adequate destination.

12. Data Breach Notification

In the unlikely event of a personal data breach that may pose a risk to your rights and freedoms, we will notify the Finnish Data Protection Authority within 72 hours of becoming aware of the breach (per GDPR Art. 33), and inform affected users without undue delay (per GDPR Art. 34). Our incident response plan includes forensic investigation, containment, remediation, and a post-incident report published within 30 days.

13. Marketing Communications

If you have consented to marketing emails, you may receive newsletters, promotional offers, free spin alerts, and event invitations. Every marketing email includes a one-click unsubscribe link in the footer. You may also unsubscribe by replying with "UNSUBSCRIBE" in the subject line, or by emailing [email protected]. Unsubscribe requests are processed within 48 hours.

14. Profiling & Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or significantly affects you. Email segmentation for marketing campaigns is based on broad, non-sensitive categories (e.g. "subscribed to free spins" vs. "subscribed to VIP newsletter") and never produces consequential decisions about you.

15. California Residents (CCPA / CPRA Notice)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know, delete, correct, and opt out of "sales" or "sharing" of personal information. We do not sell or share personal information as defined under CCPA. To exercise these rights, contact [email protected] with "CCPA Request" in the subject line.

16. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal obligations. Significant changes will be communicated via email (if you have subscribed) or via a prominent notice on our website at least 30 days before taking effect. Continued use of our platform after updates indicates your acceptance. Historic versions are archived and available on request.

17. Contact Information

For privacy-related inquiries, please contact our Data Protection Officer:

Funhideoutsprout Oy — Data Protection Office
Eteläesplanadi 22 B, 4th Floor
00130 Helsinki, Finland
Business ID: FI-2917648-3
Phone: +358 9 6815 4720
Email: [email protected]
DPO Direct: [email protected]

For supervisory authority complaints:
Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman)
PL 800, 00531 Helsinki, Finland
Tel: +358 29 566 6700 — tietosuoja.fi