Legal & Regulatory

Transparency on our jurisdiction, licensing, compliance frameworks, and operational models. Detailed answers to common regulatory and legal inquiries.

Licensing & Jurisdiction

We are a fully licensed, KYC-compliant, UAE-regulated prediction markets, fantasy gaming, and online casino platform. We hold a VARA VASP license for virtual asset services and a RAK Gaming license for interactive gaming. We perform full KYC/AML on all users via Sumsub and Chainalysis, employ a dedicated MLRO, file STRs with UAE FIU, and comply with the FATF Travel Rule. We do not serve U.S. persons or OFAC-sanctioned jurisdictions. Our model is identical to Stake.com, Polymarket.com, and DraftKings.com — we simply operate from a jurisdiction that has explicitly created regulatory frameworks for our business.

We do not serve "all" countries. We maintain a dynamic geo-restriction matrix updated quarterly by external regulatory counsel. Jurisdictions fall into three buckets: Green (licensed or explicitly legal—UK, Malta, Isle of Man, parts of Latin America, most of Africa, Southeast Asia where permitted), Amber (legal gray area—we accept users but with enhanced compliance controls and reduced product offerings), and Red (explicitly prohibited or sanctioned—United States, France, Australia, Netherlands, Iran, North Korea, among others). Red-list jurisdictions are enforced through KYC document rejection, IP blocking with VPN detection via MaxMind and GeoComply, device-fingerprinting, and payment-method filtering. Our terms of service place legal responsibility on the user for confirming their local laws, but we do not rely on that alone—the technical enforcement stack makes access practically impossible for restricted users. This approach mirrors the compliance models of Stake, Betway, and other Tier 1 operators serving global audiences from single-jurisdiction licenses.

The UAE's regulatory landscape shifted materially with the establishment of the General Commercial Gaming Regulatory Authority (GCGRA) under Federal Decree-Law in 2024, signaling a deliberate federal strategy to regulate—not prohibit—commercial gaming. The GCGRA issues operator licenses for entities conducting gaming activities within defined regulatory parameters. Our entity is structured in RAK DAO for the Web3/crypto layer and holds the relevant GCGRA license for gaming operations. We do not market to or accept UAE residents as players—our customer base is entirely international, and UAE-based IPs and Emirates ID documents are blocked at registration. Dubai serves as the operational, legal, and banking headquarters, leveraging its zero-income-tax environment, robust banking infrastructure (Emirates NBD, Mashreq, RAKBANK all service licensed gaming entities), talent pool, and geographic positioning between European and Asian markets. The jurisdiction's signaling is unambiguous: Abu Dhabi's Wynn resort license, the GCGRA framework, and VARA's crypto-asset regulation collectively establish the UAE as a forward-looking hub for regulated gaming and digital assets.

Our legal architecture is designed for jurisdictional containment. The operating entity holds its license from the GCGRA in the UAE—a sovereign jurisdiction with no mutual legal assistance treaties that would compel automatic compliance with, say, a German or Australian regulatory order directed at an offshore operator. That said, we do not ignore foreign regulatory action. Our protocol upon receiving any cease-and-desist is: (1) immediate legal review by jurisdiction-specific external counsel, (2) voluntary geo-blocking of the issuing country's residents if not already restricted, (3) formal written response through counsel acknowledging receipt and outlining our licensing basis and compliance posture, and (4) escalation to our board compliance committee. We carry regulatory defense insurance underwritten by Lloyd's syndicates, covering legal costs associated with multi-jurisdictional regulatory challenges. Our corporate structure isolates IP, operational assets, and player funds into separate legal vehicles, ensuring that a regulatory action against one entity does not jeopardize the entire operation.

The characterization of regulatory arbitrage assumes all jurisdictions offer equivalent protections and that choosing one over another is inherently evasive. The reality is the opposite: we chose the UAE specifically because its regulatory framework—GCGRA for gaming, VARA for virtual assets, the Central Bank for fiat oversight—imposes substantive, audited compliance obligations rather than rubber-stamping licenses. A Curaçao sublicense, by contrast, involves minimal ongoing supervision, no mandatory player-fund segregation, and limited enforcement infrastructure—that would be regulatory arbitrage. Our structure places operational headquarters, key personnel, compliance infrastructure, banking relationships, and tax residency in a single jurisdiction (UAE) with genuine regulatory teeth, rather than parking a shell in a permissive offshore zone while operating from an apartment in Tallinn. The dual-entity model (UAE operating company plus any legacy offshore vehicle) exists because the UAE licensing framework was not available when the company was first incorporated—we are actively consolidating all licensing under the GCGRA as their framework matures. We welcome regulatory scrutiny and proactively submit to audits, inspections, and information-sharing requests because our compliance infrastructure is designed to withstand examination, not avoid it.

Product Classification

This platform operates prediction markets under a licensed gaming framework, not as a financial instrument exchange. Contracts are structured as fixed-odds wagers on event outcomes—binary yes/no positions with capped payouts—rather than as swaps, futures, or options subject to securities regulation. The GCGRA license explicitly covers event-based wagering. Where jurisdictional ambiguity exists (notably the U.S., where the CFTC has asserted authority over certain prediction contracts), we geo-block residents of those jurisdictions at the KYC gate and enforce it at the IP, device-fingerprint, and document-verification layers. The Kalshi v. CFTC ruling in 2023 further clarified that event contracts on non-excluded commodities can be legally offered under proper registration—our model sidesteps this entirely by operating outside U.S. jurisdiction and declining U.S. persons. We maintain external legal opinions from [jurisdiction-specific counsel] confirming this classification in each market we serve.

Fantasy gaming products on our platform are structured as skill-based contests under the dominant legal interpretation established across multiple jurisdictions. Outcomes depend on participants' knowledge of player statistics, matchup analysis, roster construction strategy, and salary-cap management—not on a single random event. Our contest structures align with the three-prong test used in most common-law analyses: (1) participants draft from a pool of real athletes across multiple real-world events, (2) outcomes reflect cumulative statistical performance rather than point spreads or single-game results, and (3) no contest result is determined by the outcome of any single real-world game. Where jurisdictions draw the line differently—India's state-by-state patchwork, for instance, or Germany's distinction under the Interstate Treaty on Gambling—we tailor product availability accordingly. Our legal team maintains jurisdiction-specific opinions for every market where fantasy products are offered, and these opinions are available for banking partner review under NDA.

Our products are structured as skill-based instruments that mirror the regulatory framework already accepted for securities and commodities trading. Outcomes depend on participants' analytical capabilities, risk assessment, probabilistic reasoning, and strategic decision-making—not on pure chance or a single random event. Our product architecture satisfies the dominant skill-based test applied across multiple common-law and civil-law jurisdictions: (1) participants deploy capital based on research, data analysis, and predictive modeling across multiple events or market conditions, (2) returns reflect cumulative performance derived from participant skill in pricing risk and managing positions rather than fixed-odds outcomes or single-event results, and (3) no individual result is determined exclusively by the outcome of any single isolated random occurrence. Where jurisdictional boundaries differ—such as the United States' state-by-state framework under the Unlawful Internet Gambling Enforcement Act and the Wire Act, the European Union's divergent member-state licensing regimes under the Gambling Directive, or India's state-level skill-gaming exemptions—we calibrate product availability, geofencing, and user eligibility accordingly. Our compliance infrastructure maintains jurisdiction-specific legal opinions, regulatory correspondence, and licensing documentation for every market in which these products are offered, and these materials are available for regulatory and banking partner review under appropriate confidentiality protocols.

Our platform token—if and when issued—is structured exclusively as a consumptive utility token under both the Howey framework analysis and VARA's Virtual Asset classification taxonomy. The token grants holders access to platform features: reduced house edge, governance votes on new market categories, staking for enhanced loyalty rewards, and priority access to new product launches. It does not represent equity, profit-sharing, dividends, or any claim on company revenue. There is no expectation-of-profit marketing—our whitepaper, token documentation, and all public communications explicitly disclaim investment value and describe the token solely in functional terms. Token distribution is conducted through a VARA-licensed entity, with the token classified and registered under VARA's utility-token framework before any public distribution. We engaged Clifford Chance and a specialist token-counsel firm to produce legal opinions under UAE, EU (MiCA), Singapore (MAS), and Cayman law confirming the non-security classification. No tokens are sold to U.S. persons under any circumstances—U.S. wallet addresses and KYC-identified U.S. nationals are blocked from token purchase, receipt, and staking functions. Secondary-market trading is restricted to VARA-licensed exchanges, and we do not provide or facilitate liquidity pools that could be construed as market-making in a security.

AML, KYC & Compliance

Our AML/CFT architecture is built to exceed FATF Travel Rule obligations, not merely meet them. Every user passes tiered KYC through Sumsub or Jumio—Tier 1 (government ID + liveness check) for deposits under $2,000/month, Tier 2 (proof of address + source-of-funds declaration) above that threshold, and Enhanced Due Diligence for any user flagged by our transaction-monitoring engine. Crypto deposits are screened in real time through Chainalysis KYT, which scores wallet provenance against sanctioned addresses, darknet clusters, and mixer outputs—deposits from wallets scoring above our risk threshold are quarantined and escalated to our compliance team before funds become playable. Fiat withdrawals route through licensed payment processors who perform their own independent AML screening, creating a dual-layer filter. Our MLRO reports directly to the board, files SARs with the UAE Financial Intelligence Unit, and undergoes annual independent audit by a Big Four firm. We retain transaction records for seven years, consistent with both UAE Federal Decree-Law No. 20 of 2018 and EU 6AMLD requirements for any European-facing operations.

All custodial and semi-custodial wallet infrastructure is managed through Fireblocks, which maintains SOC 2 Type II certification and integrates natively with Chainalysis and Elliptic for real-time transaction screening. Every inbound and outbound transaction is checked against OFAC SDN, EU Consolidated Sanctions, and UN Security Council lists before execution. Wallet addresses are scored at deposit and continuously monitored—if a previously clean wallet later appears in a sanctioned cluster, the associated account is frozen and reported. We do not support privacy coins (Monero, Zcash shielded transactions, Tornado Cash-tainted ETH) and reject deposits from mixing services. Our Travel Rule compliance is handled through Notabene, ensuring originator and beneficiary data accompanies every virtual asset transfer above the applicable threshold ($1,000 USD equivalent, stricter than the FATF-recommended $3,000). Quarterly penetration testing of our sanctions-screening pipeline is conducted by an independent cybersecurity firm, with results reported to our compliance committee and available to regulators upon request.

Age verification is enforced at three independent checkpoints before any user can deposit or place a wager. At registration, users must submit a government-issued photo ID (passport, national ID, or driver's license) verified through Sumsub's document-authentication pipeline, which cross-references the document's MRZ/barcode data against issuing-authority databases and performs AI-assisted age estimation from the liveness selfie. Any user whose verified age falls below 18—or 21 in jurisdictions where that threshold applies—is permanently rejected, and their device fingerprint and document hash are blacklisted to prevent re-registration attempts. The second layer is payment-method verification: credit/debit cards must match the registered name and must themselves be issued to an adult account holder, while crypto deposits trigger an additional identity-confirmation prompt for any account less than 30 days old. Third, our behavioral-analytics engine flags patterns consistent with minor usage—erratic session times correlating with school hours in the user's time zone, unusually small and frequent deposits, or chat/support interactions flagged by NLP for linguistic markers of underage users. Flagged accounts are suspended pending manual review. We conduct annual third-party audits of our age-verification systems and publish compliance rates in our transparency report.

We do not operate as a money transmitter, payment institution, or remittance service. Players deposit funds into their own gaming accounts for the purpose of wagering, and withdrawals return funds to verified accounts in the player's own name—this is a closed-loop system, not a peer-to-peer transfer mechanism. Fiat payment processing is handled entirely by third-party licensed payment service providers—currently Checkout.com (FCA-authorized), Nuvei (MGA-licensed and publicly listed), and a regional PSP licensed by the Central Bank of the UAE—who bear independent regulatory responsibility for their payment-processing activities, including currency-control compliance. Crypto deposits and withdrawals are processed through our VARA-licensed wallet infrastructure, and all virtual-asset transfers comply with the FATF Travel Rule via Notabene integration. We do not support fiat-to-fiat cross-border transfers, currency conversion services, or wallet-to-wallet transfers between users—there is no mechanism on the platform for one user to send funds to another. Withdrawal requests are processed only to the original deposit method or a verified account in the player's legal name, preventing the platform from being used as a value-transfer channel. For jurisdictions with capital controls (e.g., India's LRS limits, China's SAFE regulations), residents of those countries are either geo-blocked or subject to deposit ceilings aligned with the applicable outbound-remittance thresholds, enforced at the KYC and payment-processing layer.

PEP screening is integrated at onboarding and refreshed continuously. Every user's identity data is checked at registration against Dow Jones Risk & Compliance, World-Check (Refinitiv), and ComplyAdvantage databases, which collectively cover over 2.3 million PEP profiles, their relatives, and close associates across 240 jurisdictions. A PEP match does not result in automatic rejection—it triggers Enhanced Due Diligence requiring source-of-wealth documentation (audited financial statements, employment records, or asset declarations), a source-of-funds declaration for every deposit exceeding $500, and a mandatory compliance-committee review before the account is activated. PEP accounts are subject to lower transaction thresholds (50% of standard limits), monthly activity reviews by our MLRO, and automatic flagging of any transactions inconsistent with their declared wealth profile. We maintain a PEP risk-appetite statement approved by the board, which categorizes PEP tiers (heads of state and immediate family are declined outright; mid-tier government officials are accepted with controls; former PEPs who left office more than two years ago are treated as standard EDD clients). All PEP-related decisions are documented and retained for the full statutory period, and our PEP handling procedures are stress-tested annually through independent compliance reviews.

We are a gaming platform, not a tax-advisory service, and we neither facilitate nor encourage tax evasion. Our obligations and our users' obligations are distinct, and we are transparent about both. On our side, the operating entity is tax-resident in the UAE, where corporate tax is 9% on profits exceeding AED 375,000 under the Corporate Tax Law effective June 2023—we are not operating in a zero-tax environment, and we file and pay accordingly. On the user side, gambling winnings are taxable in many jurisdictions (the U.S., the UK for professional gamblers, Germany above certain thresholds, Australia for professional punters), and users agree at registration that they are solely responsible for reporting and paying taxes on winnings in accordance with their local laws. We issue annual win/loss statements to every user, downloadable from their account dashboard, providing the documentation necessary for tax filing. For jurisdictions that require operator-side withholding or reporting (which currently applies to zero jurisdictions we serve, given our geo-blocking of the U.S.), we have the technical infrastructure to implement withholding at the withdrawal layer if regulations change. We cooperate fully with tax-authority information requests received through proper legal channels and maintain records sufficient to support any such inquiry for the statutory retention period.

Our platform is designed for wagering and gaming—not peer-to-peer value transfer. Users cannot send funds to other users' accounts directly. Deposits must originate from wallets or payment methods verified to the depositing user, and withdrawals are returned exclusively to the originating verified source or a KYC-verified withdrawal address owned by the same user. This closed-loop model prevents the platform from functioning as a payment corridor or remittance channel. Our VARA VASP license covers the virtual asset service component, and we do not hold ourselves out as a money services business or payment institution. Transaction monitoring rules specifically flag patterns consistent with remittance behavior—rapid deposit-and-withdraw cycles with minimal wagering activity—for investigation and potential Suspicious Transaction Report filing. Users exhibiting these patterns are subject to enhanced due diligence and, where warranted, account suspension and funds freeze pending investigation.

We maintain a dedicated Legal & Regulatory Affairs function staffed with lawyers experienced in cross-border compliance. We cooperate fully with lawful requests from UAE authorities, including the UAE FIU, Central Bank, and relevant judicial bodies. For international requests, we honor Mutual Legal Assistance Treaty (MLAT) processes and direct law enforcement cooperation requests routed through proper legal channels—UAE law enforcement, INTERPOL, or bilateral agreements. Our data retention policy preserves full transactional records, KYC documentation, and communication logs for a minimum of five years (or longer where required), ensuring we can comply with retrospective requests. We have published a Law Enforcement Response Guide, consistent with industry best practice (similar to Coinbase's and Binance's published LE guidelines), and maintain a dedicated secure channel for verified law enforcement submissions. We do not tip off users who are subjects of active investigations, in compliance with UAE anti-tipping-off provisions.

Security, Privacy & Responsible Gaming

We implement responsible gaming controls that exceed MGA and UKGC standards, regardless of whether the deposit currency is fiat or crypto. Every account is subject to mandatory deposit limits upon registration (user-set, with a platform ceiling), reality checks triggered at 60-minute intervals, automatic session timeouts, self-exclusion tools with a minimum 6-month lock-out period, and cool-down periods on limit increases (72-hour delay before any upward adjustment takes effect). Our behavioral analytics engine—built on play-pattern data including bet velocity, loss-chasing indicators, session duration anomalies, and deposit frequency spikes—flags at-risk users and triggers automated interventions ranging from pop-up warnings to forced account review by a trained responsible gaming officer. Crypto deposits do not bypass any of these controls. We also integrate with GamStop and equivalent self-exclusion databases in jurisdictions where available, and allocate 1% of gross gaming revenue annually to problem gambling research and treatment partnerships.

Our responsible gaming framework operates on a layered defense model. First, age and identity verification via Sumsub occurs at registration—no user can deposit or wager without completing KYC. Second, we integrate with major self-exclusion databases (GamStop, OASIS, and regional equivalents where accessible via API) and maintain our own platform-level self-exclusion registry. A self-excluded user who attempts to create a new account is flagged through document cross-referencing and biometric liveness checks. Third, we deploy behavioral analytics that detect patterns indicative of problem gambling—rapid loss chasing, session duration anomalies, dramatic deposit frequency increases—and trigger automated interventions ranging from pop-up warnings to mandatory cooling-off periods to account restriction pending welfare outreach from our Responsible Gaming team. Fourth, our terms of service contain an enforceable arbitration clause and clear acknowledgment by the user that they are of legal age, not self-excluded, and wagering voluntarily. While no system eliminates liability entirely, this multi-layered approach demonstrates the highest commercially available standard of care and substantially mitigates legal exposure under UAE law and international best practice.

Our data-processing architecture was built GDPR-first, even though our primary entity is UAE-domiciled, because we serve EU-resident users from jurisdictions where our products are legal. We appointed an external Data Protection Officer registered with the relevant EU supervisory authority. Personal data is classified into four tiers—identity verification documents (retained for 7 years per AML law, then auto-purged), transactional data (retained per regulatory minimums per jurisdiction), behavioral/analytics data (anonymized after 24 months), and marketing-consent data (retained only while consent is active). All PII is encrypted at rest using AES-256 and in transit via TLS 1.3, stored on infrastructure hosted within Equinix data centers in the UAE and the Netherlands (the latter serving as our EU data-residency node). Users can exercise their Article 15 access rights, Article 17 erasure rights (subject to legal retention obligations we transparently disclose), and Article 20 portability rights through a self-service dashboard or direct request to our DPO. We do not sell, lease, or share personal data with third-party advertisers. Third-party processors—Sumsub, Chainalysis, payment providers—are bound by Data Processing Agreements with Standard Contractual Clauses for cross-border transfers. We undergo annual GDPR compliance audits by an independent EU-based privacy consultancy, and audit summaries are available to banking partners and regulators under NDA. The UAE's Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) provides supplementary local compliance obligations, which we satisfy in parallel.

Our security architecture is built around a zero-trust model with defense-in-depth across infrastructure, application, and personnel layers. Infrastructure runs on AWS GovCloud-equivalent isolated tenancy with dedicated VPCs, encrypted EBS volumes, and network segmentation that isolates player-data stores, game engines, and financial-transaction systems from one another. Application security includes mandatory code review by two senior engineers for every merge to production, automated SAST/DAST scanning through Snyk and Burp Suite integrated into CI/CD, and quarterly external penetration testing by Cure53 (reports available to regulators under NDA). Crypto custody keys are managed through Fireblocks' MPC architecture—no single server or individual ever holds a complete signing key. Hot wallets hold a maximum of 5% of total crypto reserves at any time; the remainder sits in cold storage requiring multi-party ceremony for access. We maintain a 24/7 SOC (Security Operations Center) staffed by a managed-detection-and-response partner, with average alert-to-triage time under four minutes. Our incident-response plan is tabletop-tested biannually and includes predefined notification workflows to the GCGRA, UAE CERT, affected users (within 72 hours per GDPR Article 33 for EU-resident data), and law enforcement. We carry cyber-insurance underwritten by AIG covering up to $20M in breach-related losses, including regulatory fines, forensic investigation, and user notification costs. SOC 2 Type II certification is maintained annually, and the report is shared with banking and licensing partners.

Player funds are fully segregated from operational capital at all times, held in dedicated custodial accounts that are bankruptcy-remote by legal structure. Fiat balances sit in ring-fenced client-money accounts at Emirates NBD, governed by a trust deed that prevents creditors of the operating company from accessing those funds under any insolvency scenario. Crypto balances are held in Fireblocks-managed MPC wallets with multi-signature authorization requiring two of three signatories—our CFO, our external trustee, and a compliance officer—for any withdrawal exceeding $10,000 equivalent. The wallet addresses holding player crypto are published on-chain and independently auditable in real time; any user can verify total reserves against total player balances through our proof-of-reserves dashboard, which updates every six hours using a Merkle-tree attestation model audited quarterly by Armanino. In a worst-case liquidation scenario, the trust deed and custodial agreements ensure player funds are distributed to account holders before any operational creditor. This structure satisfies GCGRA player-protection requirements and mirrors the MGA's client-fund segregation standard under Article 44 of the Gaming Act.

Our infrastructure is deployed across geographically distributed cloud regions (AWS Middle East—Bahrain, with failover to AWS EU—Frankfurt) with real-time replication of all critical databases and wallet infrastructure. We maintain a documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) that are tested via tabletop exercises and live failover drills on a quarterly basis. Recovery Time Objective (RTO) is four hours for core platform services; Recovery Point Objective (RPO) is under fifteen minutes for transactional data. Cold-storage wallet keys are managed through a multi-signature, geographically distributed key ceremony process with no single point of failure. Hot wallet exposure is capped at a maximum of 5% of total assets under custody. Our incident response plan includes predefined communication protocols for notifying users, regulators (VARA, RAK Gaming Authority), and law enforcement within the timeframes prescribed by UAE data breach notification requirements. Annual penetration testing by an independent firm (e.g., CrowdStrike, Mandiant) supplements continuous bug bounty and internal red-team exercises.

Market Integrity & Operations

All casino and prediction market outcomes are verifiable through provably fair cryptographic systems. Slot and table game content is sourced exclusively from Tier 1 providers—Evolution Gaming, Pragmatic Play, Play'n GO, NetEnt—whose RNG engines are independently certified by GLI (Gaming Laboratories International) and eCOGRA. Our proprietary prediction market settlement engine uses oracle-fed data from multiple redundant sources (Associated Press for event outcomes, Chainlink and Pyth for on-chain data feeds) with a dispute resolution window and transparent settlement logs viewable on-chain. House-edge percentages for every game category are published in our transparency report and audited annually. We submit to quarterly platform integrity audits by an independent testing lab, and audit certificates are publicly accessible. Smart contracts governing prediction market payouts are open-source, deployed on [chain], and verified on the relevant block explorer—any user or regulator can inspect the settlement logic directly.

Our sports integrity framework operates on three pillars: detection, cooperation, and enforcement. On detection, our trading-surveillance engine monitors all prediction market and fantasy contest activity for anomalous patterns—sudden liquidity spikes on obscure lower-league fixtures, coordinated betting from geographically clustered accounts, line movements inconsistent with public information flow, and correlated positions across accounts that share device fingerprints or IP subnets. We subscribe to Sportradar's Integrity Services and the International Betting Integrity Association's alert network, receiving real-time flags on suspicious fixtures worldwide. On cooperation, we maintain memoranda of understanding with IBIA and the relevant sports governing bodies, and we are contractually obligated under our GCGRA license to share betting data with integrity investigators upon request. On enforcement, any market identified as potentially compromised is suspended immediately, positions are frozen, and payouts are withheld pending investigation. Users identified as participants in manipulation schemes face permanent account closure, fund forfeiture (to the extent permitted by applicable law), and referral to law enforcement. Our compliance team includes a dedicated sports-integrity analyst with prior experience at a Tier 1 sportsbook integrity unit.

All casino games deployed on our platform use certified Random Number Generators (RNGs) audited by independent testing laboratories such as GLI, BMM Testlabs, or iTech Labs, consistent with RAK Gaming license requirements. For crypto-native games, we implement provably fair algorithms where each outcome's seed is cryptographically hashed and published before the bet is placed, allowing any user to independently verify post-round that no manipulation occurred. Smart contracts governing prediction market settlement are audited by firms such as CertiK or OpenZeppelin and are immutable once deployed. Game RTPs (return-to-player percentages) are published transparently on each game page. Our RAK Gaming license mandates periodic compliance audits that include technical game integrity reviews, and we maintain real-time anomaly detection that flags statistical deviations from expected outcome distributions for internal investigation. The house edge is disclosed, fixed, and verifiable—not hidden.
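The commit-then-reveal check described above, written out as an added example (it is not the platform's code). The page does not specify the hash or the outcome derivation, so SHA-256 for the published seed hash, an HMAC-SHA256 roll over a player-chosen client seed and round nonce, and every name and sample value below are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

ERR_COMMIT = "revealed seed does not match the pre-bet commitment"
ERR_OUTCOME = "claimed outcome does not follow from the seeds"
ERR_NONCE = "nonce reused under the same commitment"


def commit(server_seed: bytes) -> str:
    """Hash the operator publishes BEFORE the bet (assumed: SHA-256, hex)."""
    return hashlib.sha256(server_seed).hexdigest()


def derive_roll(server_seed: bytes, client_seed: str, nonce: int, sides: int = 100) -> int:
    """Assumed derivation: HMAC-SHA256 keyed with the server seed.

    The player-chosen client seed is mixed in so the operator cannot pick a
    favourable server seed before committing. Rejection sampling removes the
    modulo bias a plain `value % sides` would introduce.
    """
    limit = (2 ** 32 // sides) * sides
    counter = 0
    while True:
        msg = f"{client_seed}:{nonce}:{counter}".encode()
        digest = hmac.new(server_seed, msg, hashlib.sha256).digest()
        for i in range(0, 32, 4):
            value = int.from_bytes(digest[i:i + 4], "big")
            if value < limit:
                return value % sides
        counter += 1  # all eight 32-bit windows rejected; derive more bytes


@dataclass(frozen=True)
class RoundRecord:
    commitment: str       # published before the bet
    client_seed: str      # chosen by the player
    nonce: int            # round counter under this commitment
    claimed_roll: int     # outcome the operator reported
    revealed_seed: bytes  # disclosed after the round


def play_round(server_seed: bytes, client_seed: str, nonce: int) -> RoundRecord:
    """What an honest operator would publish for one round."""
    return RoundRecord(commit(server_seed), client_seed, nonce,
                       derive_roll(server_seed, client_seed, nonce), server_seed)


def verify_round(rec: RoundRecord) -> List[str]:
    """Player-side check; an empty list means the round verifies."""
    problems = []
    if commit(rec.revealed_seed) != rec.commitment.lower():
        problems.append(ERR_COMMIT)
    if derive_roll(rec.revealed_seed, rec.client_seed, rec.nonce) != rec.claimed_roll:
        problems.append(ERR_OUTCOME)
    return problems


def verify_session(records: List[RoundRecord]) -> List[Tuple[int, List[str]]]:
    """Verify every round and flag a nonce replayed under one commitment."""
    seen = set()
    report = []
    for rec in records:
        problems = verify_round(rec)
        key = (rec.commitment, rec.client_seed, rec.nonce)
        if key in seen:
            problems.append(ERR_NONCE)
        seen.add(key)
        report.append((rec.nonce, problems))
    return report


if __name__ == "__main__":
    # Constructed sample values, not real platform data.
    seed = b"constructed-server-seed-0001"
    honest = play_round(seed, "player-chosen-seed", 1)
    forged = RoundRecord(honest.commitment, honest.client_seed, 2,
                         (derive_roll(seed, honest.client_seed, 2) + 1) % 100, seed)
    for nonce, problems in verify_session([honest, forged]):
        print(nonce, problems or "verified")
```

The commitment only binds the operator if it is recorded before the client seed is chosen, so a verifier should also keep its own timestamped copy of each published hash.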

Prediction markets are subject to a comprehensive market integrity framework modeled on principles from IOSCO and the CFTC's designated contract market rules. We enforce position limits per user and per market to prevent any single actor from cornering liquidity or distorting pricing. Our surveillance engine—integrated with Chainalysis and proprietary on-chain monitoring—flags wash trading, coordinated wallet activity, and abnormal volume spikes for manual review by our compliance team. Market creators and platform employees are prohibited from trading on any market they have non-public information about, enforced through internal trading policies, wallet disclosure requirements, and automated monitoring of employee-linked addresses. Settlement oracles use decentralized or multi-source resolution mechanisms (e.g., UMA, Chainlink, or a panel of independent adjudicators) to prevent single-point manipulation of outcomes. Where a market is flagged for potential manipulation, we reserve the right to void the market and return all funds to participants, per our published market rules.

We maintain a strict Prohibited Markets Policy that categorically bans markets on outcomes involving bodily harm, death, terrorism, illegal activity, or events whose resolution could incentivize criminal conduct. This policy is enforced at multiple levels: market creation is permissioned (not open to the public) and subject to a compliance review workflow before any market goes live. Our Market Integrity Committee—comprising legal, compliance, and product leads—reviews every proposed market against our prohibited categories, reputational risk criteria, and applicable law. Automated keyword and category filters provide a first-pass screen, but human review is mandatory before publication. In the event a live market is found to have been created in error or circumstances change (e.g., a sporting event becomes entangled in a criminal investigation), we have published procedures for market suspension, voiding, and full refund to participants. This approach mirrors the policies of regulated exchanges like Kalshi (CFTC-regulated) and aligns with the ethical market standards proposed in the academic prediction-market literature.

Smart-contract risk is the single highest-severity technical risk in any on-chain gaming product, and we treat it accordingly. All contracts governing prediction-market pools, settlement logic, and payout execution undergo triple-layered auditing before deployment: an internal audit by our senior Solidity engineers, followed by two independent external audits from firms selected on a rotating basis from Trail of Bits, OpenZeppelin, Consensys Diligence, and Spearbit. Audit reports are published in full on our GitHub. Post-deployment, contracts are monitored in real time by Forta agents and our internal monitoring dashboards, which trigger circuit-breaker functions if anomalous withdrawal patterns are detected—specifically, any single transaction exceeding 3% of a pool's total value, or cumulative outflows exceeding 15% within a 60-minute window, automatically pauses the contract pending manual review. Pool liquidity is capped per market to limit maximum exposure: no single prediction market holds more than $500,000 equivalent at launch, scaling only after 90 days of incident-free operation. We maintain a $5M bug-bounty program through Immunefi, with critical-severity payouts up to $250,000, incentivizing white-hat discovery over exploitation. In the event of a confirmed exploit, our incident-response protocol includes immediate contract pause, forensic analysis, user communication within 12 hours, and a restitution plan funded by our insurance policy (smart-contract cover through Nexus Mutual) and a dedicated reserve fund holding 10% of gross gaming revenue.
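An off-chain model of the two circuit-breaker thresholds described above, as an added example that is not the platform's contract or monitoring code. The class and method names are hypothetical, and the page does not say which pool value the 15% is measured against, so the baseline used here (pool value before the oldest outflow still inside the window) is an assumption.

```python
from collections import deque
from dataclasses import dataclass, field

# Thresholds quoted on the page, in basis points to keep the arithmetic in integers.
SINGLE_TX_BPS = 300        # 3% of pool value in one transaction
WINDOW_BPS = 1500          # 15% cumulative outflow
WINDOW_SECONDS = 60 * 60   # 60-minute window

@dataclass
class PoolBreaker:
    balance: int                      # pool value in the smallest currency unit
    paused: bool = False
    reason: str = ""
    _outflows: deque = field(default_factory=deque)  # (ts, amount, balance_before)

    def _trip(self, reason: str) -> bool:
        self.paused, self.reason = True, reason
        return False

    def withdraw(self, ts: int, amount: int) -> bool:
        """Execute a withdrawal, or pause the pool and refuse it."""
        if self.paused:
            return False              # stays paused until manual review
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid withdrawal amount")
        # Expire outflows that have left the sliding window.
        while self._outflows and self._outflows[0][0] <= ts - WINDOW_SECONDS:
            self._outflows.popleft()
        if amount * 10_000 > SINGLE_TX_BPS * self.balance:
            return self._trip("single transaction over 3% of pool value")
        # Assumption: baseline is the pool value before the oldest in-window
        # outflow, so a slow drain cannot shrink its own denominator.
        baseline = self._outflows[0][2] if self._outflows else self.balance
        cumulative = sum(a for _, a, _ in self._outflows) + amount
        if cumulative * 10_000 > WINDOW_BPS * baseline:
            return self._trip("window outflow over 15% of pool value")
        self._outflows.append((ts, amount, self.balance))
        self.balance -= amount
        return True

if __name__ == "__main__":
    pool = PoolBreaker(balance=500_000)   # constructed sample: pool at the launch cap
    for i in range(7):                    # 12,000 every 5 minutes, each under 3%
        print(i * 300, pool.withdraw(i * 300, 12_000), pool.reason)
```

In the constructed run every withdrawal passes the 3% check on its own, and the seventh is refused because the hour's total would reach 84,000 against a 75,000 limit.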

In our casino vertical, the house is inherently the counterparty—this is standard across all regulated casino operations globally, disclosed transparently, and governed by published RTPs and certified RNGs. In our prediction markets vertical, the platform operates as a neutral exchange matching buyers and sellers of outcome shares. The platform does not take proprietary positions on any prediction market. Revenue is derived solely from trading fees and spread, not from directional exposure to market outcomes. Internal policy prohibits any employee, officer, or affiliate from trading on our prediction markets. This separation is audited as part of our annual compliance review and is a condition of our RAK Gaming license. Our settlement mechanism uses independent oracles rather than internal adjudication, eliminating the possibility that the platform could manipulate resolution in its own financial interest.

We accept only regulated or widely audited stablecoins—primarily USDC (issued by Circle, regulated under U.S. state money transmitter licenses and MiCA in the EU) and USDT (issued by Tether, with published attestation reports). VARA's virtual asset regulatory framework explicitly covers stablecoins as virtual assets, meaning our handling of stablecoin deposits and withdrawals falls within our VASP license scope. User stablecoin balances are segregated from operational funds and held in cold-storage multi-signature wallets with a qualified custodian. We do not issue our own stablecoin, eliminating depeg risk from our own operations. Our terms of service clearly disclose that stablecoins are not bank deposits and are not insured by any government deposit scheme, and we provide real-time conversion to fiat withdrawal options for users who prefer to off-ramp. Our treasury management policy limits stablecoin concentration risk by diversifying across issuers and maintaining fiat reserves sufficient to cover a minimum of 30 days' projected withdrawal volume.

Corporate Structure & Relationships

Our corporate structure is fully disclosed to both VARA and the RAK Gaming Authority as part of the licensing process. Ultimate beneficial owners (UBOs) holding 10% or more equity are identified, verified, and subjected to enhanced due diligence including source-of-wealth checks, PEP screening, and adverse media review. This information is maintained in our corporate registry filings in the UAE and is available to regulators upon request. We do not use nominee shareholders or opaque trust structures to obscure ownership. Any change in beneficial ownership exceeding the regulatory threshold triggers a mandatory notification to our licensing authorities and requires prior approval before completion. Our board composition, key management personnel, and MLRO appointment are all disclosed in our license applications and annual compliance filings.

Player disputes follow a three-tier resolution framework designed to resolve conflicts without requiring litigation in the vast majority of cases. Tier 1 is internal: players submit complaints through an in-platform dispute portal, handled by a dedicated player-support team within 48 hours, with escalation to a senior complaints officer if unresolved within 7 days. Tier 2 is independent ADR: unresolved complaints are referred to an independent Alternative Dispute Resolution provider approved by the GCGRA—currently eCOGRA's dispute-mediation service—at no cost to the player. The ADR provider reviews game logs, transaction records, and platform-side audit trails, and issues a binding recommendation within 30 days. Tier 3 is regulatory: if the player remains unsatisfied, they may escalate directly to the GCGRA's consumer-complaints division, which has authority to investigate, compel disclosure, and impose sanctions on the operator. Our terms of service designate the UAE (DIFC Courts, specifically) as the governing jurisdiction for any formal legal proceedings, chosen because DIFC applies common-law principles, proceedings are conducted in English, and judgments are enforceable across the UAE and, through reciprocal arrangements, in a growing number of international jurisdictions. Players are informed of this dispute-resolution framework at registration, and a plain-language summary is accessible from every page of the platform.

Our marketing compliance framework imposes restrictions stricter than those required by any single jurisdiction we serve, applied globally as a baseline. All paid advertising creative passes through a three-stage approval chain: the marketing team drafts, external regulatory counsel reviews against a 47-jurisdiction advertising-law matrix, and the compliance officer signs off before any campaign goes live. We do not advertise on platforms where audience age cannot be verified or restricted to 18+—no TikTok, no Snapchat, no YouTube channels primarily aimed at minors. Programmatic display advertising uses age-gated audience segments exclusively, and we contractually require our media-buying agencies to exclude audiences under 25 from all retargeting pools. All advertisements carry responsible-gaming messaging, including our self-exclusion URL and a problem-gambling helpline number localized to the viewer's jurisdiction. We prohibit any creative that implies gambling as a financial strategy, depicts gambling as a solution to financial difficulty, features celebrities or influencers under the age of 25, or uses urgency-based language ("bet now before it's too late"). Affiliate partners are bound by our Responsible Marketing Code, which is appended to every affiliate agreement and audited quarterly—violations result in immediate commission forfeiture and contract termination. We maintain a marketing-complaints register reviewed monthly by the compliance committee.

All affiliate and referral partners are onboarded through a formal vetting process that includes KYC on the affiliate entity or individual, review of their marketing channels, and execution of a binding affiliate agreement that incorporates our responsible advertising policy. Affiliates are contractually prohibited from targeting minors, making misleading income or win-rate claims, advertising in restricted jurisdictions, or using spam or unsolicited communications. All affiliate-created marketing materials must be pre-approved by our compliance team before publication. We conduct ongoing monitoring of affiliate traffic sources using attribution analytics, and any affiliate found in breach is immediately suspended and subject to commission clawback. Our advertising policy aligns with the UK ASA's CAP Code for gambling advertising and the UAE's National Media Council guidelines, applied as a global floor standard even where local law is less prescriptive. Affiliate commission structures are designed to reward player lifetime value rather than pure volume, discouraging churn-and-burn acquisition tactics.

Any machine learning models deployed on the platform—whether for dynamic odds adjustment, user risk scoring, or content personalization—are subject to our AI Governance Policy. Models are documented with full transparency on training data, feature sets, and decision logic. We do not deploy opaque black-box models for any decision that materially affects a user's account status or wagering experience without a human-in-the-loop review mechanism. User risk scoring models (for responsible gaming and AML purposes) are validated for bias across demographic categories and are reviewed quarterly by our compliance and data science teams. We do not use AI-driven personalization to target users identified as at-risk for problem gambling with promotional content—in fact, our behavioral detection models work in the opposite direction, actively suppressing marketing to flagged users. Model audit trails are maintained and available to regulators upon request.