Privacy Policy — Minimum Data, No KYC

LuckyBox treats privacy as a first-class operating constraint. Under the minimum-information principle, LuckyBox collects only the email address strictly required to identify a member; no other personal information is collected.

Last updated: 2026-05-15

Summary

  • Collected: a single email address.
  • Not collected: real name, date of birth, national ID, passport, phone number, residential address, identity documents, bank accounts, card details, identity verification video.
  • Deposit / withdrawal: USDT on the TRON network (TRC-20). Wallet addresses are public on-chain data, not personal information.
  • No KYC: no identity verification is performed; registration and usage require only an email address.

1. Information Collected

  • Email address — used for registration, login, password reset, and account identification.
  • OAuth identifier (optional) — when a member signs in via an external identity provider such as Google, the identifier and email issued by that provider.

2. Information Generated Automatically

The following information is generated and recorded automatically by the system in the course of operating the Services. It does not identify the individual directly, but it is linked to the account.

  • TRC-20 wallet address — a deposit address derived per member from an HD wallet (publicly visible on-chain).
  • Transaction logs — deposit and withdrawal transaction hashes, betting and settlement records, comp accrual and claim history, referral tracking.
  • Access metadata — IP address, access timestamp, User-Agent, cookie identifiers (used for blocking abusive access and debugging).

3. Purpose of Use

  • Member identification and login session continuity.
  • Processing of USDT deposits, withdrawals, betting, and settlements.
  • Operating the comp, VIP, and referral reward programs.
  • Notifying members of material changes (Terms updates, security incidents, etc.).
  • Anti-money-laundering and fraud monitoring.

4. Retention Period

  • Email and account information: until membership withdrawal. Upon withdrawal, the data is deleted or de-identified.
  • Transaction records (deposits, withdrawals, betting, settlements): 5 years for operational and accounting purposes.
  • Access logs and IP addresses: 90 days.
  • Where retention is required by law or by a fraud investigation, the data is stored separately for the corresponding period.

5. Third-Party Disclosure

The Company does not sell or otherwise share member information externally. The following are limited exceptions.

  • Where the member has given prior consent.
  • Where required through due legal process by an investigative or regulatory authority.
  • Where necessary to protect a legitimate interest, such as anti-money-laundering or fraud investigation.

6. Processors

The Company entrusts the following external processors with limited operational tasks.

  • Game content providers — bet and settlement processing. Only internal member identifiers are passed; emails are not disclosed.
  • OAuth providers (Google, etc.) — login authentication. Only information that the member has consented to with the provider directly is received.
  • Infrastructure providers (AWS, Cloudflare, etc.) — server hosting and DDoS mitigation. Only traffic metadata is processed.

7. Member Rights

  • Members may request access to, correction of, deletion of, or suspension of processing of their own information (email and transaction records).
  • Members may withdraw their consent by terminating their membership. (However, items subject to a legal retention obligation are kept for the statutory period.)
  • Rights are exercised via in-site 1:1 support or by email to [email protected].

8. Cookies and Tracking

The Company uses cookies and similar technologies for login session continuity and to block abusive access. They are not used for advertising or marketing tracking. Members may refuse cookies in their browser settings, though some functionality (such as staying logged in) may be limited.

9. Security Measures

  • HTTPS / TLS encryption end-to-end.
  • Encrypted storage of session tokens.
  • Two-factor authentication (TOTP) and IP allowlisting for administrator accounts.
  • Multi-step review and automated fraud monitoring on withdrawal transactions.
  • Isolation and least-privilege access for hot-wallet private keys.
  • Idempotency-key verification for callbacks between the Company and game / payment systems.

10. Notice for Global Members

LuckyBox serves a global membership including Vietnam, Thailand, Korea, and English-speaking markets. Where online gambling is prohibited under the law of the member's country of residence, the Services are not available. The member is responsible for verifying their country's law; the Company relies on the representations and warranties made at registration.

11. Policy Amendments

Material changes to this Policy are announced on the site at least 7 days before the effective date. Members who do not agree to the changes may withdraw their consent by terminating their membership.