floki Casino & Sportsbook Data Care

This page describes what data we collect when you use floki and how we keep that information protected. We at floki handle your personal information—email, phone number, government ID, payment details, and account activity—according to clear practices. We explain where your data goes, who accesses it, and what rights you have to review or delete it.

Our platform operates only in jurisdictions where local law permits. When you create a floki account, you provide identifying information so we can verify your identity and comply with anti-money-laundering regulations. We do not share your personal data with third parties for marketing purposes. Payment processors, fraud detection services, and our hosting providers may access your data only to the extent needed to serve your account.

If you have questions about how we handle your data, what rights you have, or how to request deletion, our support team can help through the in-app help center or by email.

What data we collect on floki

We collect your email address, phone number, and password when you register an account on floki. We also collect your full name, date of birth, and government identification (passport or national ID) during the KYC (Know Your Customer) verification process. This verification is required before you can deposit or withdraw.

We collect your proof of address—a utility bill, bank statement, or official correspondence—to confirm your residential location matches your registered address. We collect payment method information when you deposit; for card payments, we do not store full card numbers. Instead, our payment processor stores a token that lets us initiate future transactions without retaining your card details directly on our servers.

We collect transaction data: every deposit, withdrawal, observation (bet), game result, and balance change. We also collect technical data: your device type (Android or iOS), your browser or app version, your IP address, login timestamps, and failed login attempts. This technical data helps us detect fraud and resolve account access issues.

How we use your data on floki

We use your email and phone number to contact you about account security, deposit confirmations, withdrawal status, and important policy changes. We do not send marketing emails unless you explicitly opt in. Your identification data—name, ID, date of birth—is used solely for KYC verification and to comply with anti-money-laundering (AML) regulations. We cross-check your details against sanctions lists and fraud databases to ensure we do not onboard users from restricted jurisdictions or with criminal histories.

We use your transaction data to calculate your account balance, process observations (bets), track gaming activity, and detect suspicious patterns. For example, if we notice a sudden large withdrawal from a newly-created account, our fraud detection system flags it for manual review. We use technical data (IP address, device fingerprint) to identify login attempts from unusual locations and to protect your account from unauthorized access.

We may use your data to comply with legal requests from law enforcement or regulatory authorities in your jurisdiction or in jurisdictions where we operate. We retain transaction records for at least five years to satisfy audit and compliance requirements.

Payment processors and third-party data access

When you deposit via DANA, e-wallet, mobile banking, local payment, online payment, or bank transfer, we send your payment details to our payment processors. These processors include Stripe, our acquiring bank, and the payment rail operators (Fintech companies licensed by Bank Indonesia). These third parties access your name, email, and transaction amount solely to process your deposit. They do not store this data for marketing purposes.

We use fraud detection and KYC verification services provided by third-party vendors. These vendors may temporarily store your ID image and proof of address to verify your identity. Once verification is complete, most vendors delete this data automatically; some retain it encrypted for dispute resolution purposes. We contractually require all vendors to comply with data protection standards and to use your data only for the services we request.

How we protect your data on floki

Your password is hashed using bcrypt, a one-way encryption algorithm. We do not store your plain-text password; even our administrators cannot view it. When you log in, we compare the hash of your entered password to the stored hash. If they match, we grant access. If you forget your password, we send you a reset link via email; you create a new password, which is hashed and stored separately.

We use HTTPS (SSL/TLS encryption) for all communication between your phone or browser and our servers. This means data in transit—your login credentials, payment details, account balance—is encrypted. We store sensitive data (ID images, payment tokens) in encrypted databases. Our servers sit behind firewalls and are accessible only to authorized staff via VPN.

Server location

Our servers may be located outside Indonesia. By using floki, you acknowledge that your data may be processed in jurisdictions with different data protection laws than Indonesia.

Data breach notification

If we discover a security breach affecting your data, we notify you by email within 72 hours and describe what data was compromised and what steps we took to mitigate the risk.

Two-factor authentication

We offer optional 2FA (two-factor authentication) via email or SMS. Enabling 2FA adds a verification step when logging in from a new device, making your account more secure.

Your rights regarding data on floki

You have the right to access your personal data on floki. Log into your account and navigate to Account Settings to view your registered name, email, phone number, and transaction history. For a complete data export (including all technical logs and communication history), submit a request through the in-app help center; we provide a copy within 30 days.

You have the right to correct inaccurate data. If your name or address has changed, update it in Account Settings. If we hold incorrect data that you cannot correct yourself—for example, a KYC document we uploaded incorrectly—contact our support team and we'll correct it.

You have the right to request deletion of your account and associated data. Submit a deletion request through the help center. We delete non-essential data (login logs, technical records) within 30 days. We retain transaction records and KYC documents for five years to comply with financial regulations; these records are archived and not accessible for daily account operations.

Cookies and tracking on floki

When you access floki in a browser, we use cookies to maintain your session and remember your preferences. Session cookies expire when you close the browser; they do not persist long-term. We use functional cookies to store your language preference and any UI settings (e.g., dark mode). These cookies contain no personal data; they are simple identifiers that let us recognize your device on return visits.

We use analytics cookies (via Google Analytics) to understand how users interact with floki—which pages are visited most, which payment methods are popular, where users drop off during registration. These analytics are anonymized; they do not identify individuals. We do not use cookies for advertising or to track you across other websites.

You can disable cookies in your browser settings, though this may impair floki's functionality (your session may not persist, and you may lose your login state).

How long we keep your data on floki

We keep active account data (name, email, phone, current balance) for as long as your account exists. If you close your account, we archive this data for five years to satisfy financial compliance requirements. After five years, we delete archived data unless law requires us to retain it longer.

Transaction records (deposits, withdrawals, observations, game results) are retained for five years. This window covers dispute resolution, audit requirements, and regulatory inquiries. After five years, transactions are deleted from active systems and moved to long-term archive storage, then deleted after an additional two years (seven years total).

Technical data (IP addresses, login logs, device fingerprints) is retained for 90 days. This window lets us investigate security incidents and fraud. Data older than 90 days is automatically deleted unless we identify an active investigation.

Jurisdiction and data transfer

Our services are available only where local law permits. We comply with data protection regulations in jurisdictions where we operate. If we operate in the European Union under GDPR, we comply with GDPR data subject rights. In Indonesia, we comply with Law No. 27 of 2022 (PDP Law) regarding personal data protection. Users are responsible for understanding their own jurisdiction's data protection rights.

Your data may be transferred to, processed in, or stored in jurisdictions outside Indonesia. By using floki, you consent to this international transfer. We ensure that any third parties accessing your data (payment processors, cloud hosting providers) maintain data protection standards equivalent to those we enforce.

Contact us about privacy

If you believe floki has mishandled your personal data or violated this privacy policy, submit a complaint through the in-app help center or contact our privacy team by email. We investigate complaints within 14 business days and notify you of the outcome. If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.

We update this privacy policy occasionally to reflect changes in our practices or law. We notify you of material changes by email and by posting the updated policy on our platform. Your continued use of floki after such notification means you accept the revised policy.