Skip to content
Vega

Privacy Policy

Last updated: March 2026

This privacy policy ("Policy") describes how RIPARI YOUNG GROUP S.A.S. DI RIPARI ENRICO, operating under the brand Vega, collects, uses, stores, and protects the personal data of platform users, in accordance with Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.

1. Data Controller

The Data Controller responsible for processing your personal data is:

  • Company name: RIPARI YOUNG GROUP SOCIETA' IN ACCOMANDITA SEMPLICE DI RIPARI ENRICO
  • Registered office: Via Scipio Sighele 13, 00177 Roma (RM)
  • VAT number: IT10964801004
  • Tax code: 10964801004
  • REA: RM - 1268036
  • Certified email (PEC): ripariyounggroupsnc@legalmail.it
  • Support email: support@vegabet.com

2. Types of Data Collected

In the course of providing the Service, the Data Controller processes the following categories of personal data:

  • Registration data: first name, last name, email address, password (stored in hashed, non-reversible format)
  • Financial data: deposit and withdrawal amounts, payment methods used, complete transaction history
  • Usage data: betting history, casino game activity, browsing session information
  • Technical data: IP address, browser type and version, device type, operating system
  • Communication data: content of support requests, feedback, and any other communications with the Service

3. Legal Bases for Processing (Art. 6 GDPR)

The processing of your personal data is based on the following legal grounds:

  • Art. 6(1)(a) – Consent: for sending direct marketing communications and for the use of profiling cookies. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.
  • Art. 6(1)(b) – Contractual performance: for managing user accounts, processing bets, handling deposits and withdrawals, and the overall provision of the Service.
  • Art. 6(1)(c) – Legal obligation: for compliance with anti-money laundering regulations (Italian Legislative Decree 231/2007), provisions of the Customs and Monopolies Agency (ADM), and applicable tax obligations.
  • Art. 6(1)(f) – Legitimate interest: for fraud prevention, platform security, detection of suspicious activities, and protection of the Data Controller's rights.

4. Purposes of Processing

Personal data is processed for the following purposes:

  • Provision, management, and maintenance of the Service
  • Processing of deposits, withdrawals, and bets
  • User identity verification and fraud prevention (KYC/AML procedures)
  • Compliance with applicable legal and regulatory obligations
  • Account-related communications (transactional notifications, security alerts, service updates)
  • Direct marketing, subject to the explicit consent of the data subject
  • Service improvement, statistical analysis, and user experience optimization

5. Processing Methods

Personal data is processed using electronic and automated tools, in compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

The Data Controller implements the following technical and organizational security measures:

  • Encryption of data in transit and at rest
  • Password hashing using the bcrypt algorithm with unique salts
  • HTTPS protocol for all client-server communications
  • Role-based access controls (RBAC) for authorized personnel
  • Continuous security monitoring and intrusion detection
  • Regular backups and disaster recovery procedures

Access to personal data is strictly limited to authorized personnel of the Data Controller, who are appropriately trained and bound by confidentiality obligations.

6. Place of Processing

Personal data is processed at the Data Controller's operational premises and on servers located within the European Union. Servers are hosted in data centers that comply with international security standards (ISO 27001).

Data is not transferred outside the European Economic Area (EEA), except as otherwise indicated in the section on international data transfers.

7. Data Retention Period

Personal data is retained for the time strictly necessary to fulfill the purposes for which it was collected, in accordance with the following periods:

  • Account data: for the duration of the contractual relationship, plus 10 years from the end of the relationship, in compliance with Italian Legislative Decree 231/2007 (anti-money laundering regulations)
  • Transactional data: retained for a minimum of 10 years in compliance with tax obligations and anti-money laundering regulations
  • Marketing consent: until consent is withdrawn by the data subject, and in any case no longer than 24 months from the last contact or interaction
  • Technical logs: retained for a maximum of 6 months from the date of generation
  • Account closure: following account closure, personal data not subject to legal retention obligations will be deleted within 90 days

Upon expiry of the retention periods, data will be securely and irreversibly deleted or anonymized.

8. Data Recipients and Disclosure

Personal data may be disclosed to the following categories of recipients, acting as data processors or authorized persons:

  • Payment processors: for processing deposits and withdrawals (data transmitted is limited to what is strictly necessary for the transaction)
  • Game providers: only account ID and balance, to the extent necessary for game delivery
  • Judicial and supervisory authorities: when required by law, court order, or applicable regulations
  • ADM – Italian Customs and Monopolies Agency: as part of legal and regulatory obligations in the gaming sector
  • Fraud prevention services: for the detection and prevention of fraudulent activities

The Data Controller does not sell, transfer, or disclose users' personal data to third parties for their own commercial purposes.

9. International Data Transfers

As a general rule, users' personal data is not transferred outside the European Union or the European Economic Area.

Should a transfer to third countries become necessary, it will only take place in the presence of adequate safeguards, including:

  • Adequacy decisions by the European Commission (Art. 45 GDPR)
  • Standard contractual clauses approved by the European Commission (Art. 46(2)(c) GDPR)
  • Binding corporate rules (Art. 47 GDPR)

The data subject has the right to obtain a copy of the adequate safeguards adopted by contacting the Data Controller at the contact details provided in this Policy.

10. Your Rights (Art. 15–22 GDPR)

As a data subject, you have the right to exercise the following rights at any time with respect to the Data Controller:

  • Right of access (Art. 15): obtain confirmation of the existence of processing and access your personal data
  • Right to rectification (Art. 16): obtain correction of inaccurate personal data or completion of incomplete data
  • Right to erasure / right to be forgotten (Art. 17): obtain the deletion of your personal data, in the cases provided by law
  • Right to restriction of processing (Art. 18): obtain restriction of processing in certain circumstances
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, and machine-readable format
  • Right to object (Art. 21): object at any time to the processing of your data on grounds relating to your particular situation
  • Right to withdraw consent (Art. 7): withdraw consent at any time, without affecting the lawfulness of processing based on consent given prior to withdrawal
  • Right not to be subject to automated decisions (Art. 22): not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you

To exercise your rights, you may contact the Data Controller at the following addresses:

The Data Controller undertakes to respond to requests within 30 days of receipt, as required by Art. 12(3) of the GDPR.

11. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, the data subject who believes that the processing of their personal data is carried out in violation of the GDPR has the right to lodge a complaint with the competent supervisory authority, in particular:

12. Cookie

The Vega platform uses essential technical cookies for authentication and session management, which are necessary for the proper functioning of the Service, as well as optional analytics and profiling cookies subject to user consent.

For detailed information about the cookies used, their purposes, and how to manage your preferences, please refer to our Cookie Policy.

13. Changes to This Policy

The Data Controller reserves the right to modify, update, or supplement this Policy at any time, including as a result of regulatory changes.

Material changes will be communicated to users via email to the address associated with the account or through a visible notification on the platform. The date of the last update is indicated at the top of this page.

Continued use of the Service after publication of changes constitutes acceptance of the new version of the Policy. Where changes require the consent of the data subject, such consent will be requested in the manner prescribed by law.

14. Contact

For any questions, requests, or communications regarding this Policy or the processing of your personal data, you may contact the Data Controller at the following addresses: