Anti-SPAM Policy

Effective: August 1^st 2019

1. Overview

This policy provides guidance for sending commercial or marketing emails and is important for avoiding liability and retaining consumers. This is especially true given the distinct rules in place depending on whether a recipient resides in the United States, Canada, or the European Union. The implementation of this uniform policy and adherence to this policy by Rampart Casino, Hawthorn Grill, ai Pazzi, Spa Aquae and their employees, officers, directors, contractors, agents and others working on their behalf (“Rampart”) will ensure that Rampart is able to provide commercial or marketing content to the largest possible audience without infringing on their rights.

2. Purpose

The purpose of this policy is to establish the minimum requirements for sending commercial or marketing emails. It provides guidance related to the CAN-SPAM Act in the United States, Canada’s Anti-Spam Legislation (“CASL”), and the requirements imposed by the European Union General Data Protection Regulation (“GDPR”). 

3. Collecting Email Addresses

The requirements set forth in this Section are required by law with respect to the collection of email addresses for individuals located in Canada, the European Union or Switzerland. Notwithstanding the foregoing, it is a best practice to adhere to the requirements in this Section for the collection of all email addresses.

• At any point in which an email address is collected by Rampart online or through a paper form, Rampart shall require that the individual provide an address or country of residence. Rampart shall establish and maintain a system by which it can easily reference and segregate email addresses from residents of the United States, Canada, and the European Union.

• Where Rampart intends to send any commercial or marketing messages to a collected email address, it shall provide an appropriate, prominent disclosure reviewed and approved by an attorney before collecting the email address. An example of such a disclosure would be:

By providing your email address, you are consenting to receive marketing emails from Rampart. You can unsubscribe at any time by emailing us at [email protected] or following the instructions at the bottom of any email. If you wish to contact us, please use the following information: Rampart Casino, Marketing Opt Out, 221 N Rampart Blvd, Las Vegas NV 89145, [email protected].  

The disclosure can be provided to users through text, or, where possible, as a pop-up, or on a separate page in which the user confirms that he or she is subscribing. For example, if a user enters an email address, you can direct that user to a separate page with the disclosure and a button for her to confirm.

• If Rampart is collecting an email address for a non-marketing purpose but intends to send marketing communications to the email address, Rampart shall present the individual with an unchecked box with an appropriate, prominent disclosure reviewed and approved by an attorney. An example of such a disclosure would be:

Yes, I would like receive updates and alerts about Rampart’s products and services.

• If Rampart knows or reasonably believes that it will be sending marketing emails to individuals in Germany or Switzerland, Rampart will take efforts to obtain an additional form of consent before adding such individual to its marketing lists. This can be done by asking the user to confirm consent after they indicate consent through a checkbox or sending a follow up email asking the individual to click a link to confirm consent. In the event an individual does not provide such additional consent, that individual shall not be included on Rampart’s marketing lists.

• Rampart shall establish and maintain a system by which it can easily reference and segregate email addresses from users who have provided consent to receive marketing or commercial emails and those who have not consented.

4. Sending Emails

The requirements in this Section are required under CAN-SPAM, CASL and GDPR.  

All marketing or commercial emails must have an appropriate, prominent disclosure reviewed and approved by an attorney at the bottom of the email. An example of such a disclosure would be:

You are receiving this communication because you consented to Rampart sending you updates about our products and services. You can unsubscribe at any time by clicking this Unsubscribe link.

If you wish to contact us, please use the following information: Rampart Casino, Marketing Opt Out, 221 North Rampart Blvd., Las Vegas NV 89145, [email protected]. 

5. Deleting Email Addresses Upon Request

• Rampart shall establish and maintain a system that removes a user’s email address from its marketing email lists (a) within 48 hours of Rampart’s receipt of an unsubscribe request from a resident of, or individual located in, Canada, the European Union or Switzerland; or (b) within 10 business days of Rampart’s receipt of an unsubscribe request from a resident of the United States. This system shall account for individuals clicking the “unsubscribe” link the footer of commercial or marketing emails or if they directly email Rampart.

• Rampart shall test its system for unsubscribing on an annual basis to ensure it is working properly and purging emails in a timely manner.

Rampart European Union Data Policy

Effective: July 3, 2025

1. Overview

The European Union General Data Protection Regulation (the “Regulation” or “GDPR”) imposes significant penalties on companies that fail to appropriately handle the Personal Data of individuals located in the European Union. It is therefore imperative that Rampart Casino, Spa Aquae, Hawthorn Grill, ai Pazzi Italian Restaurant by Fabio Viviani and their employees, officers, directors, contractors, agents and others working on their behalf (“Rampart”) and all companies with which it shares Personal Data maintain substantial compliance with the Regulation and be able to present evidence of its compliance to third parties and regulators. 

2. Purpose

The purpose of this policy is to establish the requirements for collecting, processing, storing, and sharing Personal Data and ensure that Rampart remains in substantial compliance with the GDPR.

3. General

• “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• If Rampart collects Personal Data, it shall require that the user provide an address or country of residence where appropriate given the context and nature of the collection (e.g., when collecting Personal Data online or through forms). Rampart will establish and maintain a system by which it can easily reference and segregate Personal Data from residents of the European Union.

• Rampart shall designate one individual as their Data Protection Officer who shall be responsible for enforcing this policy and ensuring Rampart’s compliance with the GDPR.

• Rampart must follow the Anti-SPAM Policy and Privacy Analysis Policy as additional necessary components for compliance.

• Rampart shall provide training to new employees about the GDPR and this Policy, and offer supplemental courses for current employees on an annual basis. 

4. Collecting Personal Data

• Under no circumstances shall Rampart collect Personal Data online or through mobile applications without providing users with a link to its Privacy Policy. Where Rampart collects Personal Data in a manner that does not allow for an active link to Rampart’s Privacy Policy (e.g., through a paper form), Rampart shall provide the individual providing the Personal Data with information about where and how he or she can obtain a copy of Rampart’s Privacy Policy. All online and offline forms that are used to collect Personal Data shall include a disclosure stating that the user or individual is “Consenting to Rampart collecting, using, processing, and sharing the personal information provided under Rampart’s Privacy Policy.” The disclosure should be presented to users in an overt manner – i.e. not in very small print or a font that blends into the background.

• In addition to the disclosure, users must take a proactive step to consent to the collection. Ideally this will be an unchecked box that the user must check before being allowed to proceed. However, a simple “Submit” or “I Agree” button would also be adequate.

• If a user’s email address is being collected for marketing purposes or may be used for marketing purposes, Rampart must follow the protocols in the Rampart Anti-SPAM Policy.

• Rampart must maintain some kind of record or evidence that a user provided at the time Personal Data was collected (if not sooner). This record can be automatically generated and does not have to be in any particular format. A record is sufficient as long as it allows Rampart to demonstrate that a specific user provided consent in a specific manner at a specific time. 

5. Processing and Sharing Personal Data

• Rampart may only process or use Personal Data consistent with the terms of its Privacy Policy. Rampart shall closely review its Privacy Policy on a regular basis to ensure that it is disclosing all the ways in which it is collecting, processing, storing, or sharing Personal Data. 

• If Rampart is going to send commercial or marketing email messages, it must follow the protocol in the Anti-SPAM Policy.

• If Rampart is going to share Personal Data with any third-party entity, it shall take steps to ensure that the information will be treated consistent with Rampart’s Privacy Policy. Rampart shall also ensure that the third-party entity will protect Personal Data using adequate and reasonable security and will not use Personal Data in a manner that violates the GDPR. Ideally these assurances will be made as part of a written agreement or Data Processing Addendum.

• If Rampart receives Personal Data from a third-party entity, it shall ensure that it treats that information consistent with the third-party entity’s Privacy Policy. It shall also obtain assurances from the third-party entity that the Personal Data was collected in a manner consistent with the GDPR and that Rampart’s receipt and use of the Personal Data will not violate the Regulation. 

6. Responding to Data Subject Requests

• Rampart is required to respond to requests from European Union residents concerning their Personal Data. Specifically, Rampart shall, upon request,:

1. allow EU residents and other individuals located in the EU to review their Personal Data;
2. allow EU residents and other individuals located in the EU to make corrections to their Personal Data;
3. provide EU residents and other individuals located in the EU with their Personal Data in a format that allows it to be transported; and
4. delete the Personal Data of EU residents and other individuals located in the EU.

• Rampart shall create and maintain a separate inbox that EU residents and other individuals located in the EU can send requests to, and ensure that the inbox is regularly monitored. Additionally, the email address that direct messages to this inbox must be linked to in Rampart’s Privacy Policy.

• If Rampart receives a request from an EU resident or other individual located in the EU, it shall provide a response to the requester within 48 hours indicating that it is processing the request.

• Rampart shall establish and maintain a system or process to facilitate all requests from European Union residents within 30 days of receiving any given request.

• If Rampart believes that it cannot facilitate a European Union resident’s request or that facilitating such a request would violate other laws or policies, the employee responsible for facilitating the request shall consult with Rampart’s legal team as soon as practicable.

7. Analysis and Development of New Products and Services

• Rampart shall follow the steps provided in the Privacy Analysis Policy whenever it develops a new product or service, updates a product or service in a manner that implicates Personal Data, begins collecting Personal Data in a new manner, begins collecting a new type of Personal Data that may be considered especially sensitive, or intends to share Personal Data with a new third-party entity.