bm8 Privacy Policy

bm8 ("bm8", "we", "us", "our") operates the online casino and sports betting platform accessible at bm8.bio. bm8 is the data controller for personal data collected through the bm8 platform. As data controller, bm8 is responsible for determining the purposes and means by which your personal data is processed.

This Privacy Policy applies to all users of the bm8 platform, including registered Members with an active bm8 account and visitors to bm8.bio who have not registered. For the purposes of this Policy, "personal data" means any information that identifies or is capable of identifying you as an individual, directly or in combination with other information.

bm8 collects personal data in the following categories, depending on your interaction with the platform:

bm8 does not collect sensitive personal data categories (such as health data, religious beliefs, or political opinions) except where strictly required by a specific regulatory obligation applicable to bm8's licensing jurisdiction.

bm8 processes your personal data for the following purposes:

• Account Management: To create, maintain, and administer your bm8 Member account, including processing your login credentials, account settings, and responsible gaming preferences.
• Identity Verification (KYC): To verify your identity, confirm your age (21+ requirement), confirm your Malaysian residency, and satisfy anti-money laundering (AML) obligations required under bm8's international gaming licence.
• Payment Processing: To process deposits from and withdrawals to your designated payment methods, including Touch 'n Go eWallet, Boost, Maybank, CIMB, and Public Bank accounts registered in your name.
• Service Delivery: To provide access to bm8's casino games, live dealer tables, sportsbook markets, and all other platform features; to calculate and credit winnings; to apply and track bonus offers.
• Security & Fraud Prevention: To detect, investigate, and prevent fraudulent activity, money laundering, account sharing, multi-accounting, and other prohibited conduct outlined in bm8's Terms and Conditions.
• Responsible Gaming: To monitor betting patterns that may indicate problem gambling behaviour; to apply self-exclusion, deposit limits, and cooling-off periods at your request; to send session duration reminders where configured.
• Customer Support: To respond to enquiries, process complaints, and maintain records of support interactions for quality assurance and dispute resolution purposes.
• Marketing Communications: To send promotional offers, bonus notifications, and platform updates to Members who have opted in to marketing communications. You may withdraw consent for marketing communications at any time via your account settings.
• Platform Improvement: To analyse aggregated, anonymised usage data to identify platform performance issues, optimise user experience, and develop new features.
• Legal & Regulatory Compliance: To meet obligations imposed by bm8's licensing authority, applicable financial crime legislation, and any lawful requests from regulatory or law enforcement authorities.

bm8 processes your personal data on the following legal bases:

• Contractual Necessity: Processing required to perform the contract between bm8 and you as a registered Member (account creation, payment processing, game delivery, withdrawal processing).
• Legal Obligation: Processing required to comply with regulatory obligations under bm8's gaming licence, AML legislation, and financial crime prevention frameworks.
• Legitimate Interests: Processing carried out for bm8's legitimate business interests, including fraud prevention, security monitoring, platform improvement, and responsible gaming monitoring, where these interests are not overridden by your fundamental rights.
• Consent: Processing of your data for direct marketing communications, where you have provided specific, informed consent. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.

bm8 does not sell, rent, or trade your personal data to third parties for commercial purposes. bm8 shares personal data only in the following limited circumstances:

• Payment Processors: Financial data is shared with payment service providers (including Malaysian e-wallet and bank transfer operators) strictly as necessary to process your deposits and withdrawals. These providers are contractually bound to process your data only for this purpose.
• Identity Verification Providers: Identity and document data is shared with KYC verification service providers to facilitate age and identity checks. These providers operate under strict data processing agreements with bm8.
• Game Providers: Technical data necessary to deliver specific casino games may be shared with certified game studios. Game providers receive only the minimum data necessary to operate the game session and are prohibited from using this data for independent marketing purposes.
• Regulatory & Law Enforcement Authorities: bm8 will disclose personal data to licensing authorities, financial regulators, or law enforcement agencies where required by law or a valid legal order. bm8 will notify you of such disclosures where legally permitted to do so.
• Fraud Prevention Services: bm8 participates in industry fraud prevention schemes and may share limited data with these services to identify and prevent fraudulent account activity across the online gaming sector.

bm8 uses cookies and similar tracking technologies on bm8.bio. Cookies are small text files stored on your device that enable the platform to function correctly, maintain your login session, and collect usage analytics. bm8 uses the following categories of cookies:

• Strictly Necessary Cookies: Required for the bm8 platform to function. These include session authentication cookies that keep you logged in to your bm8 account. These cookies cannot be disabled without preventing you from using core platform features.
• Functional Cookies: Used to remember your preferences, such as language settings, preferred game view, and responsible gaming limit configurations.
• Analytics Cookies: Used to collect aggregated, anonymised data about how Members use bm8.bio, including which pages are most visited and how users navigate the platform. This data is used solely to improve the bm8 platform and is not used to identify individual users.
• Security Cookies: Used to detect and prevent fraudulent logins, including cookies that identify whether a login attempt is originating from a device previously associated with your bm8 account.

You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies will impair your ability to use the bm8 platform. bm8 does not use third-party advertising cookies or serve targeted advertising based on your bm8 activity on external websites.

bm8 retains your personal data for as long as your bm8 account is active and for such additional periods as are required by applicable law or bm8's licensing obligations. The following general retention periods apply:

• Account & Identity Data: Retained for the duration of your active bm8 account and for a minimum of five (5) years following account closure, in compliance with AML record-keeping requirements.
• Transaction Records: Retained for a minimum of five (5) years from the date of the transaction, in accordance with financial crime prevention and gaming licence obligations.
• Customer Support Records: Retained for three (3) years from the date of the support interaction for dispute resolution and quality assurance purposes.
• Marketing Data: Retained until you withdraw consent for marketing communications, at which point your data is removed from all marketing lists within 30 days.
• Technical & Usage Data: Anonymised after 24 months and retained in aggregate form for platform analytics indefinitely.

Upon expiry of the applicable retention period, bm8 will securely delete or anonymise your personal data. Where deletion is not immediately possible due to technical constraints, data is isolated from active processing and deleted at the earliest practicable opportunity.

Subject to applicable law and bm8's legal obligations, you have the following rights in respect of your personal data held by bm8:

• Right of Access: You may request a copy of the personal data bm8 holds about you. bm8 will respond to verified access requests within 30 days.
• Right to Rectification: You may request correction of inaccurate or incomplete personal data. You can update most account information directly in your bm8 account settings. For identity data, a formal rectification request and supporting documentation may be required.
• Right to Erasure: You may request deletion of your personal data in certain circumstances — for example, where the data is no longer necessary for the purposes for which it was collected. This right is subject to bm8's overriding legal obligations to retain certain data under its gaming licence and AML framework.
• Right to Restrict Processing: You may request that bm8 restricts its processing of your data in certain circumstances, such as where you contest the accuracy of the data or where processing is unlawful but you prefer restriction over deletion.
• Right to Object: You have the right to object to processing carried out on the basis of bm8's legitimate interests. bm8 will cease such processing unless it can demonstrate compelling legitimate grounds that override your interests.
• Right to Withdraw Consent: Where processing is based on your consent (e.g., marketing communications), you may withdraw consent at any time via your account settings or by contacting bm8 support. Withdrawal does not affect the lawfulness of prior processing.

To exercise any of the above rights, please contact bm8 customer support via the live chat facility available on the platform or via email at [email protected] (plain text — not a clickable link). bm8 will verify your identity before processing any data rights request to protect against unauthorised access to your personal data.

bm8 implements a range of technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction:

• 256-bit SSL/TLS encryption for all data transmitted between your device and bm8.bio.
• Encryption at rest for sensitive personal data including identity documents and financial details stored in bm8's systems.
• Role-based access controls ensuring that bm8 staff access personal data only to the extent necessary for their specific function.
• Multi-factor authentication required for all bm8 internal systems that access personal data.
• Regular penetration testing and security audits conducted by independent third-party security specialists.
• Incident response procedures with defined timelines for notifying affected Members in the event of a data breach that poses a risk to their rights and freedoms.

Notwithstanding the above measures, no data transmission over the internet is completely secure. bm8 cannot guarantee absolute security but commits to implementing and maintaining security measures that meet or exceed industry standards for the online gaming sector. In the event of a data breach affecting your personal data, bm8 will notify you in accordance with applicable legal obligations.

The bm8 platform is strictly for adults aged 21 and above. bm8 does not knowingly collect personal data from persons under the age of 21. Age verification is a mandatory step in the bm8 registration and KYC process. If bm8 becomes aware that it has inadvertently collected personal data from a person under 21, such data will be deleted immediately and the associated account closed in accordance with bm8's responsible gaming obligations. If you believe your child has registered a bm8 account, please contact bm8 support immediately so the account can be investigated and closed.

bm8 may update this Privacy Policy from time to time to reflect changes in our data processing practices, regulatory requirements, or platform features. Material changes to this Policy will be communicated to registered Members by email to the registered account address or by a prominent notice on bm8.bio. The date of the most recent revision is displayed at the top of this page. Your continued use of the bm8 platform following notification of changes constitutes acceptance of the revised Policy. We recommend reviewing this Policy periodically to remain informed of how bm8 protects your data.

For any questions, concerns, or requests regarding this Privacy Policy or bm8's data processing practices, please contact bm8 through the following channels:

• Email: [email protected] (plain text — not a clickable link)
• Live Chat: Available 24/7 on the bm8 platform post-login
• Response Time: Privacy-related requests acknowledged within 48 hours; substantive responses within 30 days

bm8 will verify your identity before processing data rights requests to ensure we release personal data only to the account holder or their authorised representative.