PT EN
Play Now
Privacy Policy | Vegastars Casino

Privacy Policy

Last updated: 21 May 2026.

This Privacy Policy explains how VegaStar Casino — operated by Vegastars (operated by Neptune Projects S.R.L., Costa Rica) under the Tobique Gaming Commission — collects, uses, stores and protects personal data when you visit vegastar.[domain], create an account, deposit, play, or contact our support team. We process personal data in accordance with the Republic Act No. 10173 (Data Privacy Act of 2012), the National Privacy Commission (NPC) implementing rules and circulars, and — where applicable — the EU General Data Protection Regulation (GDPR) for visitors based in the European Economic Area. Read alongside our Cookies Policy and Terms and Conditions.

1. Introduction & Scope

VegaStar Casino brand logo on dark background — official wordmark with spade icon.

This Policy applies to the websites and applications operated under the VegaStar brand at vegastar.[domain] and the official mobile applications distributed from vegastar.[domain]/app/. It applies to Philippine residents and to users from other permitted jurisdictions. By creating an account or using the platform, you confirm that you have read this Policy and understand how your personal data is handled. Where you do not agree with this Policy, do not create an account and do not deposit funds.

2. Data Controller Information

The data controller responsible for your personal data is Vegastars (operated by Neptune Projects S.R.L., Costa Rica), a company registered under registration number 3-102-900308, with registered address at De la POPS de Curridabat, 300 Sur, 75 Este, casa gris con celeste, 11801, San Jose, Granadilla, Curridabat, Costa Rica. The operator is licensed by the Tobique Gaming Commission under licence 0000020. The Data Protection Officer (DPO) can be reached at dpo@vegastar.[domain]; the DPO is the primary contact for any privacy question, data-access request or complaint covered by this Policy.

3. Personal Information We Collect

We collect personal data directly from you, from your device, and from third-party verification partners when we are required to confirm your identity. The categories below cover the full data set across registration, KYC, payments, gameplay and marketing.

Identification Data

Full legal name, date of birth, nationality, place of birth, government-issued PH ID — passport, driver’s licence, UMID, PhilSys (Philippine National ID), voter’s ID, postal ID, PRC ID or OFW iCard — and a selfie taken during the KYC liveness step. KYC is mandatory at registration for PAGCOR-licensed operation and at the first withdrawal request or AML threshold trigger for offshore-licensed operation. Identification data is retained for the periods set out in the retention table below, with AML records retained for 5 years post-account-closure under the Anti-Money Laundering Act of 2001 (RA 9160).

Contact Data

Email address, mobile phone number (including the Globe / Smart / DITO carrier code where relevant), residential address (collected at proof-of-address step for AML-threshold withdrawals), and emergency contact (only if you provide one).

Financial Data

Deposit and withdrawal method — GCash phone number, Maya phone number, PayMaya wallet identifier, bank account number, bank name (BPI, BDO, Metrobank, RCBC, UnionBank, Security Bank or other), transaction reference IDs from the payment gateway, settlement timestamps, and amounts in PHP. Card details (where card payments are enabled) are never stored on VegaStar servers — payment data is handled exclusively by PCI-DSS-certified payment processors. Where you use GCash, Maya or PayMaya, we hold only the e-wallet phone number linked to your account plus the per-transaction reference; we do not access your e-wallet balance or transaction history outside the VegaStar deposit/withdrawal stream.

Gameplay Data

Stakes, wins, losses, game session length, game titles played, provider, bonus claims, wagering progress, sportsbook bet history, loyalty-point accrual, and tier movement. Gameplay data is necessary for delivering the service, calculating bonuses, detecting bonus abuse and complying with AML reporting obligations.

Technical Data

IP address, approximate geolocation derived from IP, device type, operating system version, browser type and version, screen resolution, time-zone, the URL by which you reached the site, session timestamps, and an anonymised device fingerprint used for anti-fraud and anti-multi-account checks. We collect technical data automatically through cookies and similar technologies — see our Cookies Policy.

Marketing & Preferences Data

Communication preferences (email, SMS, Facebook Messenger, push notifications), interest categories declared during onboarding (slots/live/sportsbook), survey responses, and engagement with our promotional emails. Marketing data is processed on the basis of explicit opt-in consent and you can withdraw consent at any time via Account → Notifications.

We rely on the legal bases listed in Section 12 of RA 10173: contract performance (delivering the gambling service you signed up for); legal obligation (KYC under AMLA RA 9160, tax-record obligations, regulator reporting under the Tobique Gaming Commission); legitimate interest (anti-fraud monitoring, security, service improvement); and consent (marketing communications, advertising cookies, behavioural profiling). For EEA users we additionally rely on the equivalent GDPR Article 6 bases.

5. Purposes of Processing

  • Create and manage your VegaStar account, including authentication and password reset.
  • Perform KYC and AML checks under PAGCOR / the Tobique Gaming Commission and AMLA RA 9160 obligations.
  • Process deposits and withdrawals through GCash, Maya, PayMaya and bank transfer rails.
  • Operate gameplay, calculate stakes, settle wins and losses, and credit bonuses including the welcome match up to ₱128, sign-up bonus, App Download Bonus, daily cashback and free spins.
  • Detect and prevent fraud, multi-accounting, bonus abuse, VPN/TOR access and money laundering.
  • Provide customer support via live chat, email, Facebook Messenger and Telegram.
  • Send transactional notifications (login alerts, withdrawal confirmations, KYC outcomes).
  • Send marketing communications and personalised offers, where you have opted in.
  • Comply with court orders, regulator requests, tax authority requests and other legal obligations.

6. Third Parties Who Receive Your Data

  • Game providers. JILI, PG Soft, JDB, KA Gaming, FaChai, Booongo, WM Casino, Evolution Gaming, SA Gaming, Pragmatic Play — receive technical session data and bet records necessary to run their titles and settle outcomes.
  • Payment processors. PCI-DSS-certified gateways for GCash, Maya, PayMaya and bank transfers; card processors where card payments are enabled.
  • KYC and AML partners. Third-party identity-verification providers for document checking, face-match, liveness analysis and AML watchlist screening.
  • Analytics. Google Analytics 4 with IP anonymisation enabled. Aggregated reporting; no individual identifying data shared beyond the standard GA4 pseudonymous client ID.
  • Advertising partners (opt-in). Meta Pixel (Facebook), Google Ads — only when you have consented to advertising cookies via the consent banner.
  • Customer support tooling. Live chat platform, email helpdesk software — for ticket handling and conversation history.
  • Regulators and law enforcement. the Tobique Gaming Commission, the AMLC, the BIR for tax matters, and PH courts on lawful order.

7. Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected, with the periods below as a summary. Where multiple periods apply to the same category, the longest applicable period governs.

  • Account & identification data. Retained for the life of the account plus 5 years post-closure (AMLA RA 9160).
  • KYC documents and selfie. 5 years post-closure (AMLA RA 9160).
  • Financial transaction records. 5 years post-closure (AMLA + tax-record obligations under PH NIRC).
  • Gameplay history and bet records. 5 years post-closure for AML-related events; 12 months otherwise.
  • Technical logs. 12 months from collection.
  • Marketing data. Until you withdraw consent or 24 months of inactivity, whichever is sooner.
  • Customer support transcripts. 24 months from the last interaction.

8. Your Rights Under RA 10173

As a data subject under the Data Privacy Act of 2012 you have eight rights: right to be informed, right to access, right to object, right to erasure or blocking, right to damages, right to rectify, right to data portability, and right to file a complaint with the National Privacy Commission. Exercise any right by emailing dpo@vegastar.[domain] with proof of identity. We respond within 30 days. Some rights are limited by overriding legal obligations — for example, AML record retention overrides erasure for the AMLA 5-year period.

9. International Transfers

Some of our processors (notably analytics, payment gateways and game providers) operate outside the Philippines. Where personal data is transferred outside the Philippines, we apply contractual safeguards (standard data-protection clauses) and select processors with equivalent or stronger data-protection regimes. EEA users’ transfers are subject to GDPR Chapter V safeguards.

10. Security Measures

GEOTRUST 256-bit SSL/TLS encryption secures every connection. Passwords are hashed with bcrypt or Argon2 (industry standard); plain-text passwords are never stored. 2FA (TOTP and SMS-OTP) is available on every account. Access to KYC documents is restricted to trained, background-checked staff under audit logging. Suspicious-activity monitoring flags unusual login patterns for OTP step-up. Under NPC Circular 16-03 we notify the NPC of any personal-data breach affecting Filipino data subjects within 72 hours of awareness.

11. Children & Age Verification

VegaStar is restricted to adults — 21+ for PAGCOR-domestic Philippine operation; 18+ for offshore operation. We do not knowingly collect personal data from anyone under the minimum age. Age is verified at KYC via valid PH government ID. If we discover that we hold data on a minor, we close the account, return any deposited funds (less withdrawals) and erase the data, subject to AML override.

12. NPC Complaint Escalation

If you are not satisfied with our handling of your personal data, you can escalate in three tiers. Tier 1: contact the VegaStar DPO at dpo@vegastar.[domain] — we respond within 30 days. Tier 2: file a complaint with the National Privacy Commission at [email protected] or via the NPC complaints portal at privacy.gov.ph. NPC hotline: (02) 8234 2228. Tier 3: seek redress in the appropriate court of competent jurisdiction. EEA users may additionally complain to their national data-protection authority.

13. Changes to This Policy

We may update this Policy from time to time. Material changes are notified by email to active accounts and via an in-account banner at least 30 days before they take effect, unless a shorter notice is required by law. The "Last updated" date at the top of this page reflects the latest revision.

14. Contact

For any privacy question, data-subject request or complaint: Data Protection Officer, Vegastars (operated by Neptune Projects S.R.L., Costa Rica), De la POPS de Curridabat, 300 Sur, 75 Este, casa gris con celeste, 11801, San Jose, Granadilla, Curridabat, Costa Rica, email dpo@vegastar.[domain]. For general support: support@vegastar.[domain] / 24/7 live chat / Facebook Messenger @VegaStarCasinoPH.