Privacy Policy - Anunnaki Currents

Effective date: 31 May 2026 Version: 1.0

1. Who we are

This Privacy Policy describes how Anunnaki Elite Ltd (“Anunnaki”, “we”, “us”, or “our”) handles personal data in connection with the Currents compliance infrastructure platform (the “Service”). Anunnaki Elite Ltd is a company incorporated in the British Virgin Islands (Company No. 2139623) and holds a Client Provider Authorization issued by the Kahnawà:ke Gaming Commission (“KGC”) under its Regulations concerning Interactive Gaming. The Service is offered to licensed gaming operators (each, an “Operator”) to enable compliance with applicable gaming regulations.

2. Our role under data protection law

Anunnaki acts as a data processor on behalf of the Operator. The Operator is the data controller of any personal data relating to its end users (each, a “Player”) and determines the purposes and means of processing. Anunnaki processes Player personal data only on the documented instructions of the Operator and as required by the regulatory obligations attached to the Anunnaki KGC license. This Privacy Policy does not replace the Operator’s own privacy notice to its Players, which governs the Operator–Player relationship. Where this Policy is referenced or made available to Players, it is provided for transparency about Anunnaki’s processing activities.

3. Categories of personal data we process

In order to deliver the six regulated compliance functions of the Service — Self-Exclusion, Deposit Limits, KYC Verification, Geo-Blocking, Sanctions Screening, and AML Pattern Detection — Anunnaki processes the following categories of personal data:

Identity data: full name, date of birth, nationality, government-issued identifier or document references.
Contact data: email address and, where provided by the Operator, phone number and postal address.
Verification data: identity document images, selfies, and liveness data submitted through KYC vendor flows (held only for the period necessary to complete verification and to satisfy KGC audit requirements).
Financial activity data: deposit and withdrawal amounts, currency, frequency, and risk-relevant transaction patterns. Anunnaki does not store payment instrument details (card numbers, bank account numbers, or wallet private keys).
Connection data: IP address, country derived from IP, device and user-agent metadata, and timestamps of requests.
Compliance event data: outcomes of KYC checks, sanctions and AML decisions, self-exclusion status, and any case lifecycle metadata generated by the Service.

Anunnaki does not knowingly collect personal data from minors and rejects any verification submission that indicates a minor.

4. Purposes and lawful bases of processing

Anunnaki processes personal data exclusively for the following purposes:

Regulatory compliance. Performance of the compliance checks the Operator is required to carry out under its gaming license and applicable anti-money-laundering, sanctions, and responsible-gaming law. Lawful basis: compliance with a legal obligation and legitimate interests of the Operator in operating a lawful gaming service.
Service delivery. Authentication of Operator requests, routing to compliance vendors, generation of audit records, and webhook delivery. Lawful basis: performance of the contract between Anunnaki and the Operator.
Audit and recordkeeping. Retention of compliance events for the period required by the KGC. Lawful basis: compliance with a legal obligation.
Security and fraud prevention. Detection and prevention of abuse of the Service. Lawful basis: legitimate interests.

Anunnaki does not use Player personal data for marketing, profiling outside the compliance purposes above, or any analytics not necessary to the Service. Anunnaki does not sell personal data.

5. Disclosure to third parties

Anunnaki shares personal data only with the following categories of recipient, and only to the extent necessary:

Compliance sub-processors: identity-verification, sanctions-screening, and geolocation vendors engaged to perform discrete compliance functions. Each sub-processor is bound by written contractual obligations no less protective than this Policy.
The Operator: outcomes and minimum necessary metadata returned in response to Operator-initiated compliance checks, subject to the tipping-off restrictions in section 8.
Regulators and law enforcement: the KGC and, where legally compelled, other competent authorities. Disclosure is limited to what the applicable law or regulator requires.
Professional advisors and auditors: lawyers, accountants, and independent auditors, under duties of confidentiality.

Anunnaki does not disclose personal data to advertisers, data brokers, or for any commercial purpose unrelated to the Service.

6. International transfers

Anunnaki is established in the British Virgin Islands. Personal data may be processed in, or transferred to, the Mohawk Territory of Kahnawà:ke (Canada) for licensing and audit purposes, and to jurisdictions in which Anunnaki’s sub-processors are established (including the European Union and the United Kingdom). Where personal data is transferred from a jurisdiction with cross-border transfer restrictions (such as the European Economic Area, the United Kingdom, or jurisdictions applying comparable rules), Anunnaki relies on standard contractual safeguards with its sub-processors and applies additional technical and organizational measures, including encryption in transit and at rest.

7. Retention

Anunnaki retains personal data only for as long as is necessary for the purposes described in this Policy. As a KGC licensee, Anunnaki is required to retain compliance records for a minimum of seven (7) years from the date of the relevant event. Identity-verification artefacts retained by KYC vendors are governed by the vendor’s retention schedule, which is contractually aligned to this period. On expiry of the retention period, personal data is either deleted or irreversibly anonymized.

8. Tipping-off and confidentiality of compliance outcomes

Where Anunnaki performs sanctions screening or anti-money-laundering pattern detection on behalf of an Operator, the detailed reasons for any match, alert, or hold (including matched list names, rule identifiers, and scoring detail) are not disclosed to the Operator or to the Player. This restriction is required by international anti-money-laundering standards (the FATF Recommendations) and applicable law. The Operator receives only the operational outcome necessary to act on the compliance decision (for example, “hold transaction pending review”).

9. Security

Anunnaki applies technical and organizational measures appropriate to the risk, including:

TLS encryption for all data in transit;
Encryption at rest for stored personal data and credentials;
HMAC-signed webhook delivery to authenticate compliance events to the Operator;
Least-privilege access controls and audit logging of administrative actions;
Encrypted, offsite, daily backups with seven-year retention;
Documented incident-response and disaster-recovery procedures.

In the event of a personal data breach, Anunnaki will notify the affected Operator without undue delay so that the Operator can fulfill any breach-notification obligations it owes to its Players and to its regulators.

10. Data subject rights

The Operator, as data controller, is the primary point of contact for any Player who wishes to exercise data subject rights (access, rectification, erasure, restriction, objection, or portability), subject to the limits imposed by the Operator’s regulatory recordkeeping obligations. Where Anunnaki receives a request directly from a data subject, Anunnaki will, where lawful and reasonably practicable, refer the request to the relevant Operator and assist the Operator in responding.

11. Automated decisions

Certain compliance decisions (for example, geo-blocking of a signup from a restricted jurisdiction, or rule-based AML holds) are automated. These decisions are required to give effect to the Operator’s regulatory obligations and to the conditions of the Anunnaki KGC license. A human reviewer is available to consider compliance holds where appropriate, in accordance with the Operator’s case-management workflow.

12. Cookies and tracking

The Anunnaki documentation site (docs.anunnakielite.com) and the corporate website (anunnakielite.com) do not set advertising or cross-site tracking cookies. Strictly necessary cookies and basic, aggregated analytics may be used to operate the sites; no Player personal data is associated with these.

13. Changes to this Policy

Anunnaki may update this Privacy Policy from time to time. The “Effective date” at the top of this Policy will be updated and, where the changes are material, Operators will be notified through the Service or by email.

14. Contact

For privacy questions, requests, or to notify Anunnaki of a suspected breach, please contact: Anunnaki Elite Ltd Privacy Office Email: privacy@anunnakielite.com For matters relating to the Anunnaki KGC license or regulatory oversight, the Kahnawà:ke Gaming Commission may be contacted at gamingcommission.ca.

Documentation Index

​1. Who we are

​2. Our role under data protection law

​3. Categories of personal data we process

​4. Purposes and lawful bases of processing

​5. Disclosure to third parties

​6. International transfers

​7. Retention

​8. Tipping-off and confidentiality of compliance outcomes

​9. Security

​10. Data subject rights

​11. Automated decisions

​12. Cookies and tracking

​13. Changes to this Policy

​14. Contact