Kyc Policy

Scope and Purpose

This KYC policy establishes the Know Your Customer obligations for customers of SUPERPH. It governs all individuals who create an account, make deposits, or participate in gaming activities hosted by the Company. The policy specifies identity verification, risk assessment, ongoing monitoring, data handling, and regulatory compliance to prevent money laundering, fraud, and other financial crimes while ensuring the protection of customer information.

Regulatory Framework

The Company operates under the supervision of the competent gaming regulator and applies applicable anti money laundering and countering the financing of terrorism laws, together with data protection regulations. This policy implements mandatory KYC, AML and CFT controls and is subject to ongoing regulatory oversight and reviews.

Definitions

• KYC — Know Your Customer
• CDD — Customer Due Diligence
• EDD — Enhanced Due Diligence
• PEP — Politically Exposed Person
• Source of Funds — the origin of the funds used to establish or maintain the business relationship
• Source of Wealth — overall wealth derives from the customer
• Regulator — the competent gaming authority with jurisdiction over the Company

Onboarding and Identity Verification

During account opening the Company collects accurate personal data including full name, date of birth, residential address, contact details and nationality. Verification seeks to establish identity, age and the legitimacy of funds used for gaming.

• Documentation required on onboarding
  • Government issued photo identification showing name, date of birth and photograph (examples include passport, national identity card, or driver license);
  • Proof of address issued in the last three months showing the customer name and current address (examples include a utility bill or bank statement);
  • Where appropriate, additional documents to verify the source of funds or wealth for high risk profiles;
  • In all cases, the documents must be legible and valid.
• Age verification confirms the customer is 18 years of age or older. If age cannot be confirmed, access to the Service is restricted and verification steps must be completed before gaming activity continues.
• Selfie or live verification may be requested to corroborate the identity document.

Verification Timeframes

On submission, automated identity checks are completed within 24 hours. If automated checks are inconclusive, manual review is completed within 3 business days. Customers may be asked to provide additional documents, and a response window of 14 days will be offered. Failure to provide requested documentation within the window may result in restriction or suspension of account activity until verification is complete.

Risk-Based Ongoing Due Diligence and Monitoring

Supervised monitoring of customer activity is conducted on a risk-based basis. The Company assesses risk upon onboarding and conducts ongoing monitoring of transactions and behavior to identify unusual or suspicious activity.

• Triggers for enhanced scrutiny include high value transactions, rapid or large deposits relative to the account profile, inconsistent source of funds information, and activity from elevated risk jurisdictions.
• Customers identified as higher risk may be required to provide additional information or documentation and may experience limitations on certain features until verification is complete.

Enhanced Due Diligence

Enhanced due diligence is applied for high risk scenarios including but not limited to PEP status, risky geographies, large cumulative funding, or opaque ownership structures. Requirements may include:

• Verification of source of funds and source of wealth through documentary evidence such as bank statements or pay slips;
• Additional identity checks, including corroboration across independent data sources;
• Senior management review and potential temporary limitations on account activity pending completion of the verification process.

Data Governance and Privacy

The Company acts as the data controller for personal data collected under this policy. Personal data are processed lawfully, fairly and transparently, and only to the extent necessary to achieve KYC objectives.

• Legal bases include contract performance, compliance with legal obligations and legitimate interests in preventing financial crime.
• Personal data processed may include identity data, contact details, identification numbers and documentation provided for verification.

Data Retention and Destruction

Personal data collected for KYC purposes are retained for a minimum period of eight years after the end of the business relationship or last interaction, in accordance with applicable laws and regulator expectations. Where permissive retention periods apply, data may be retained longer to comply with statutory obligations or to resolve any dispute

Data Access, Correction and Rights

Customers have the right to access personal data held by the Company, request correction, restriction or deletion where legally permissible, and obtain a copy of their personal data in a portable format. Requests should be directed to the Company through the provided contact channel and will be handled in accordance with applicable data protection laws and internal procedures.

Data Sharing and Third-Party Processors

Personal data may be shared with regulatory authorities, payment processors, and other service providers involved in the provision of the Service. Transfers to third countries shall be protected by appropriate safeguards and in compliance with data protection laws. All third parties processing personal data on behalf of the Company are contractually bound to implement appropriate security measures and to only process data for purposes specified by the Company.

Sanctions Screening and AML Controls

The Company conducts sanctions screening and ongoing AML controls to detect and prevent prohibited activity. The screening applies to customers, beneficiaries and beneficial owners and is updated on a regular basis or when there is a material change in customer information or risk indicators.

Responsible Gaming and Self-Exclusion

To support responsible gaming, customers may request self-exclusion or set loss limits in the account settings. Self-exclusion remains in effect until the customer requests its removal and the Company completes verification to reestablish normal service, subject to regulatory requirements. Data used to implement self-exclusion is protected and not disclosed outside the scope of responsible gaming measures.

Governance, Compliance and Training

The Company maintains an AML and KYC governance framework, with policies reviewed at least annually and upon material regulatory changes. Staff receive training on identification of suspicious activity, KYC procedures, and reporting requirements. All employees must adhere to the documented policies and report anomalies through approved channels.

Policy Review and Updates

This policy is reviewed periodically to reflect changes in law, regulator guidance, and risk profile. Material changes are communicated to customers in accordance with regulatory and licensing requirements.

Contact and Data Protection

For questions about data processing, access requests, or to exercise data subject rights, contact the Company’s data protection team at privacy@SUPERPH. For policy specific queries or reporting suspicious activity, contact the Compliance Office through the usual secure channels.