Privacy Policy

This page sets out what personal data we collect on ovoda.org, why we collect it, how long we keep it, who we share it with, and how you can access, correct, or delete it. It is written in plain English. If anything below is unclear, email us at [email protected] and we will walk you through it.

1. Who we are and how to reach us

Ovoda operates the website ovoda.org (the "Site"). The Site is an independent review platform covering Jackpot Jill Casino for the Australian market. We do not run the casino. We do not hold your casino account. We do not process your deposits, withdrawals, or KYC documents. We are a publisher, and the only personal data we handle is what you give us directly on this website and what your browser sends automatically when you visit.

For any question about your personal data, write to [email protected]. For everything else, [email protected] reaches our general inbox.

We handle personal data under two frameworks at once: the EU General Data Protection Regulation (Regulation (EU) 2016/679) for any visitor physically inside the EEA when they browse the Site, and the Australian Privacy Act 1988 plus the thirteen Australian Privacy Principles (APPs) for Australian readers, who make up the bulk of our audience. Where the two overlap, we apply the stricter standard.

2. What we collect

2.1 Data you give us directly

When you fill in the contact form on /contact or email us, we receive your name, your email address, the subject you picked, and whatever you wrote in the body of the message. That is it. We do not ask for your date of birth, your home address, your phone number, your casino account details, payment information, passwords, or copies of ID documents. If you send any of that to us by accident, we delete it on receipt and ask you to resend without the sensitive detail.

2.2 Data your browser sends automatically

Every time any browser visits any website, it hands over a small bundle of technical information. We log the following, server-side, in the same way Cloudflare and most hosting providers do by default:

2.3 Cookies and similar technologies

We use a small set of cookies and similar mechanisms, described in full on our Cookie Policy. The short version: one session cookie keeps the site running, a Google Analytics cookie pair lets us see aggregate traffic numbers, and an affiliate tracking cookie fires on the outbound "/go" link so the casino can attribute the referral. None of those cookies knows your name, email, or anything personal beyond a random ID.

3. Why we process your data (legal basis under GDPR Art. 6)

Different data is collected for different reasons. Under GDPR Article 6, the specific legal bases we rely on are:

Legitimate interest (Art. 6(1)(f)) covers server logs, spam filtering, bot mitigation, and aggregate analytics. Our legitimate interest is running a working website without it being pounded into the ground by bots, and understanding in broad strokes which reviews readers actually find useful. We have run the balancing test documented internally; your privacy interests here are light because we do not build profiles and we do not retarget advertising to you anywhere.

Consent (Art. 6(1)(a)) covers any non-essential cookie. You see the cookie banner on your first visit. If you reject analytics, the `_ga` family does not fire. If you reject marketing cookies, the affiliate tracking cookie does not fire until you actively click an outbound casino link (at which point clicking the link is the consent signal).

Performance of a contract (Art. 6(1)(b)) covers the contact form exchange — if you email us, we have to process your email to reply to you.

Legal obligation (Art. 6(1)(c)) covers any retention forced on us by Australian or EU law, including records we have to keep for tax or regulatory audit purposes.

Under the Australian Privacy Act 1988, the equivalent authority is APP 3 (collection of solicited personal information) and APP 5 (notification of collection). This page is our APP 5 notice.

4. Who we share data with

We do not sell personal data. We have never sold personal data. We are not going to start selling personal data.

We do share limited technical data with the following processors, because the Site could not function without them. In each case, a written data processing agreement is in place.

Cloudflare, Inc. (USA) — our CDN and DDoS protection layer. Cloudflare sees the IP address and User-Agent of every request, because it is the first server in the chain. Cloudflare's own privacy terms are at cloudflare.com/privacypolicy. International transfers to Cloudflare rely on the EU Standard Contractual Clauses and on Cloudflare's certification under the EU-US Data Privacy Framework.

Hetzner Online GmbH (Germany) — our origin server host. Hetzner sees HTTP requests routed from Cloudflare. Data centre is physically located in Falkenstein, Germany. Hetzner's processing is governed by the German Federal Data Protection Act and GDPR, with no international transfer involved.

Google LLC (USA) — Google Analytics 4 for traffic measurement, and Google Search Console for indexing diagnostics. IP anonymisation is enabled on GA4. GA4 never receives your email or name because we never pass those to it. Google's privacy terms: policies.google.com/privacy.

Affiliate network (Income Access or direct Jackpot Jill affiliate system) — when you click the outbound "/go" link, your browser is redirected via the affiliate URL. The affiliate network records the click (timestamp, partner ID, random click ID). It does not receive your name, your email, or any data you entered on our Site. It does receive the IP address and User-Agent that your browser sends to any site you visit, because that is how HTTP works.

Beyond the four processors above, nothing. We do not share data with ad networks. We do not share data with data brokers. We do not hand data to the casino directly — the casino only sees you if you choose to register with them after clicking our link, and at that point you are their customer under their own privacy policy, not ours.

5. International transfers

Cloudflare and Google are US entities. The legal basis for transferring your personal data outside the EEA/Australia to these processors is the EU Standard Contractual Clauses (2021/914) plus, where applicable, the EU-US Data Privacy Framework adequacy decision of 10 July 2023. Hetzner keeps our origin server inside Germany, so origin data never leaves the EU. If you want a copy of the SCCs we rely on, email [email protected] and we will send you the relevant extract.

6. How long we keep data

Retention is not a vague "we keep it as long as needed" statement. We have specific periods for specific data:

After the relevant period, data is deleted or irreversibly anonymised. "Irreversibly anonymised" means we keep aggregate counts but no individual record.

7. Your rights

Under the GDPR (if you are in the EEA) and under the Australian Privacy Principles (if you are in Australia), you have the following rights. They overlap almost completely, so we treat every request under whichever framework gives you the stronger position.

Right of access (GDPR Art. 15 / APP 12): ask for a copy of everything we hold about you. We respond within 30 days for GDPR, 30 days for APP 12. If the request is complex, we may extend to 60 days and tell you why.

Right to rectification (Art. 16 / APP 13): if something is wrong, we correct it.

Right to erasure, also known as the right to be forgotten (Art. 17): we delete your data unless we have a legal obligation to keep it (tax records, for example, we legally cannot delete before the 7-year window).

Right to restrict processing (Art. 18): we freeze your data in place — stop processing it but do not delete — while we work out a disputed issue.

Right to data portability (Art. 20): we send you your data in a machine-readable format (JSON or CSV).

Right to object (Art. 21): you can object to any processing we do on the basis of legitimate interest. In practice, this means you can tell us to stop the analytics cookie from firing, and we will honour that.

Right to withdraw consent: if you said yes to non-essential cookies and now want to say no, you can re-open the cookie banner from the footer and change your settings. Your previous consent stays valid up to the point of withdrawal — we do not pretend retroactively that the analytics data was illegal.

To exercise any of the above, email [email protected] with "Data request" in the subject line. We acknowledge receipt within 72 hours and complete the response within 30 days.

If you are unhappy with our response, you have the right to complain. In Australia, to the Office of the Australian Information Commissioner (oaic.gov.au, 1300 363 992). In the EU, to your local data protection authority — the European Data Protection Board keeps the directory at edpb.europa.eu/about-edpb/about-edpb/members_en.

8. Security

Our security posture is not perfect. Nobody's is. Here is what we actually do:

If we ever detect a breach affecting your personal data, we notify you within 72 hours of becoming aware of it, per GDPR Art. 33–34 and per the Notifiable Data Breaches scheme under the Privacy Act. That notification tells you what happened, what data was affected, what we are doing about it, and what you can do to protect yourself.

9. Children

The Site is for people aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has submitted data through our contact form, email [email protected] and we will delete it immediately. We do not advertise to children. We do not write content designed to appeal to children. All outbound links to Jackpot Jill Casino are subject to the casino's own age verification at registration.

10. Automated decisions and profiling

We do not run automated decision-making or profiling on your personal data within the meaning of GDPR Art. 22. We do not score you, rank you, segment you, or make any decision that affects you based on automated processing. Aggregated analytics on which pages perform well is not profiling in the Art. 22 sense — it does not produce a legal or similarly significant effect on any individual.

11. Changes to this policy

When we update this policy, the "Last updated" date at the top of the page changes, and we publish a short note in the footer of the homepage for at least 30 days. Substantive changes — anything that expands what we collect, who we share with, or how long we keep it — trigger a banner on the homepage and, where feasible, a direct email to anyone who has corresponded with us in the last 12 months. If you keep using the Site after a change has taken effect, you are considered to have accepted it.

12. Related pages

The cookies and similar tracking tech referenced here are documented in depth on our Cookie Policy. The commercial relationships that shape which casino we review are explained on our Affiliate Disclosure. The legal framework for using the Site in general is our Terms & Conditions. General questions go to Contact.

Data matters. If something in this policy does not sit right with you, tell us — we would rather fix a clumsy sentence than ship a privacy policy nobody trusts.