Privacy Policy

Last updated: 4 May 2026

This policy explains how Playfina Casino handles personal information for players in Australia and other accepted jurisdictions. We apply GDPR-grade standards as our baseline: the European framework is stricter than the Australian Privacy Principles in several places, but the two do not map onto each other one-for-one, so we also check our practices against the APPs under the Privacy Act 1988. By creating an account and depositing, you agree to the collection, processing, and retention described below. Read it before you sign up, not after.

The Data Protection Officer (DPO) for Playfina can be reached at [email protected]. The DPO operates independently of marketing and customer-support functions and is the right contact for any data-related request.

What information do we collect?

We collect the minimum personal data needed to operate the casino, satisfy anti-money-laundering obligations, and prevent fraud. Data falls into three categories: information you provide directly, information generated automatically when you use the site, and information we receive from trusted third parties such as identity-verification providers.

Information you provide

At registration we ask for full legal name, date of birth, residential address, email, and mobile number. These are required: they're how we verify you meet the 18+ minimum age and how we comply with KYC/AML obligations under our licence. When you deposit or withdraw, payment information enters the system: card details (handled by PCI DSS Level 1 certified processors; full card numbers are not stored on our servers in readable form), bank account details for transfers, e-wallet IDs for Skrill or Neteller, and crypto wallet addresses for Bitcoin or Tether transactions. Identity-verification documents (your passport scan, driver licence image, or utility bill) are stored encrypted for the period the licence requires.

Data minimisation

We collect only what's needed for service operation, regulatory compliance, and fraud prevention. You can ask the DPO at any time what we hold, request corrections, or request deletion (subject to legal retention rules). We respond within 30 days.

Information collected automatically

Your IP address, browser type and version, device identifier, screen resolution, and operating-system version are logged when you visit. We use these to enforce geographic restrictions, render compatible content, and flag unusual login patterns. Gameplay data (titles played, stakes, session duration, win/loss outcomes) is logged both for regulatory reporting and for our responsible-gambling triggers: sudden stake escalation, unusual session length, and late-night play patterns.
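The three responsible-gambling triggers named above, as an added illustration of how they can be evaluated over a single session's bets. This is example code written for this page, not Playfina's own system; the thresholds, the (timestamp, stake) session shape, the function names and the assumption that timestamps are in the player's local time zone are all assumptions, and the sample sessions are constructed.

```python
from datetime import datetime, timedelta
from statistics import median

# Thresholds are assumptions for illustration; the policy names the
# triggers (stake escalation, session length, late-night play) but not
# the values at which they fire.
ESCALATION_RATIO = 4.0             # largest later stake / baseline median stake
LONG_SESSION = timedelta(hours=3)  # first bet to last bet
LATE_NIGHT_HOURS = range(1, 5)     # 01:00-04:59, assumed player-local time
BASELINE_BETS = 5                  # bets used to establish the baseline stake


def rg_flags(bets):
    """Return the set of responsible-gambling triggers fired by one session.

    bets: list of (datetime, stake) tuples for a single session, in time
    order; datetimes are assumed to be in the player's local time zone.
    """
    if not bets:
        return set()
    times = [t for t, _ in bets]
    stakes = [s for _, s in bets]
    flags = set()

    # Sudden stake escalation: compare the largest later stake with the
    # median of the first few bets, so one early outlier cannot set the bar.
    if len(stakes) > BASELINE_BETS:
        baseline = median(stakes[:BASELINE_BETS])
        if baseline > 0 and max(stakes[BASELINE_BETS:]) / baseline >= ESCALATION_RATIO:
            flags.add("stake_escalation")

    # Unusual session length: span from first bet to last bet.
    if times[-1] - times[0] >= LONG_SESSION:
        flags.add("long_session")

    # Late-night pattern: any bet placed inside the late-night window.
    if any(t.hour in LATE_NIGHT_HOURS for t in times):
        flags.add("late_night")

    return flags


def _session(start, step_minutes, stakes):
    """Build a constructed session with evenly spaced bets."""
    return [(start + timedelta(minutes=i * step_minutes), s)
            for i, s in enumerate(stakes)]


# Constructed sample sessions (not real player data).
SAMPLE_SESSIONS = {
    # 25 bets, 10 minutes apart, 22:00 to 02:00; stakes climb from 2 to 10.
    "escalating_night": _session(
        datetime(2026, 5, 1, 22, 0), 10,
        [2] * 5 + [3] * 10 + [5] * 5 + [10] * 5),
    # 12 bets, 5 minutes apart, flat stakes in the afternoon.
    "calm_afternoon": _session(
        datetime(2026, 5, 1, 14, 0), 5, [5] * 12),
}


def flag_all(sessions=SAMPLE_SESSIONS):
    """Evaluate every session and return {name: sorted list of triggers}."""
    return {name: sorted(rg_flags(bets)) for name, bets in sessions.items()}


if __name__ == "__main__":
    for name, triggers in flag_all().items():
        print(f"{name}: {triggers or 'no triggers'}")
```

The escalation rule deliberately uses the median of the opening bets rather than the first bet alone, so a single unusually large or small opening stake does not decide whether later play counts as escalation. A real deployment would also need the player's time zone from the profile rather than trusting server-local timestamps, which is why the late-night check is flagged as assuming player-local time.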

Cookies and similar technologies enhance the experience and enable analytics. We split cookies into four categories described below, and you can manage them through the consent banner that appears on your first visit.

How do we use your information?

Account operations

Registration, login authentication, balance management, customer support, dispute resolution.

Financial transactions

Deposits, withdrawals, transaction reconciliation, fraud screening, AML monitoring, source-of-funds checks.

Legal obligations

Licence reporting, regulator requests, court orders, age verification, sanctions screening.

Responsible gambling

Triggering self-exclusion mechanisms, enforcing deposit caps, monitoring patterns suggestive of harm.

Marketing communications

We send promotional emails about new game releases, weekly reload offers, and tournaments to players who opted in at registration. You can unsubscribe at any time using the link at the foot of every marketing email or by switching the toggle off in your account preferences. The change applies within 24 hours. Transactional messages — deposit confirmations, withdrawal status, security alerts, KYC requests — are not subject to marketing opt-out because they relate to account operation rather than promotion.

Who do we share information with?

We share data only when it's needed to deliver service or comply with the law. We do not sell personal data to third-party marketers. The recipients fall into these categories.

Recipient                 | Data shared                                | Purpose                          | Safeguard
Payment processors        | Card / wallet data, transaction amount     | Process deposits and withdrawals | PCI DSS Level 1 certified
Game providers            | Pseudonymous player ID, stake, RTP outcome | Render games and report results  | Contractual data-protection clauses
Identity verification     | ID documents, name, DOB, address           | KYC / AML checks                 | Encrypted transfer; ISO 27001 partners
Regulators                | Whatever the licence requires              | Licensing and AML reporting      | Legal obligation
Cloud infrastructure      | Encrypted databases                        | Storage and backup               | ISO 27001 / SOC 2 providers
Fraud prevention services | Device, IP, transaction signals            | Detect fraudulent patterns       | Pseudonymised where possible

How is your data secured?

Encryption protects information in transit and at rest. Connections to the cashier and account portal use TLS 1.3 with AES-256-GCM (the TLS_AES_256_GCM_SHA384 cipher suite). Stored documents and database records are encrypted at rest, and the keys that protect them rotate on a documented schedule. Internal access to player data follows least-privilege rules: customer-support agents see only what they need to handle the ticket in front of them, and access to KYC documents is restricted to a small verification team.

Security monitoring runs 24/7. Intrusion-detection systems flag unusual access patterns, vulnerability scanning runs weekly, and external penetration testing happens at minimum annually. Two-factor authentication is mandatory for any administrative account. We don't claim our defences are unbreakable — no honest security policy does — but the operational basics are in place and the incident-response plan is documented.

Security commitments
  • TLS 1.3 with AES-256-GCM for all in-transit traffic.
  • Encrypted at rest for documents and personally identifying database fields.
  • Least-privilege access; audit logs retained for 12 months.
  • Mandatory MFA for staff accounts.
  • Annual external penetration test plus continuous vulnerability scanning.
  • Documented incident-response plan; breach notification within 72 hours of becoming aware of a breach, where applicable law requires it.

How long do we keep your data?

Retention periods are dictated by a mix of regulatory requirement and operational need. The default is GDPR-grade: keep only as long as needed, then delete or anonymise. The financial-transaction window of seven years is fixed by AML legislation and applies regardless of any deletion request — we cannot legally delete transaction records inside that window.

Data type              | Retention period               | Reason
Active account profile | Lifetime of account + 6 months | Service operation
Financial transactions | 7 years from transaction date  | AML legislation (cannot be shortened)
KYC documents          | 5 years from account closure   | Licensing requirement
Self-exclusion records | Indefinite (so we can enforce) | Responsible gambling
Marketing preferences  | Until unsubscribe + 30 days    | Suppression list maintenance
Support tickets        | 3 years                        | Dispute and complaints history
Server logs            | 12 months                      | Security forensics
Anonymised analytics   | Indefinite                     | No personal identification possible

What rights do you have over your data?

Privacy law gives you a defined set of rights over data we hold about you. Below is the practical list. Email [email protected] to exercise any of them; the DPO responds within 30 days.

Right                  | What it means                                     | How to use it
Access                 | Receive a copy of personal data we hold about you | Email DPO; reply within 30 days
Rectification          | Correct inaccurate personal data                  | Account settings or DPO email
Erasure                | Delete personal data (where legally allowed)      | DPO email; some data must be retained for AML
Restriction            | Limit how we process your data                    | DPO email with the specific restriction
Portability            | Receive your data in a machine-readable format    | DPO email; CSV or JSON delivered
Object to processing   | Stop us using data for marketing or analytics     | Account preferences or DPO email
Withdraw consent       | Where consent is the legal basis                  | Account preferences or DPO email
Complain to a regulator | Lodge a complaint independent of us              | OAIC (Australia) at oaic.gov.au; or your local DPA

Limits apply. We can't delete data we're legally required to retain: financial records inside the 7-year AML window stay regardless of an erasure request, and identity-verification documents are likewise outside the scope of erasure during the licence-mandated retention period. We'll always tell you in writing if a request can't be honoured and why.

Cookies and tracking technologies

Cookies are small files placed on your device. We use four categories. The cookie-consent banner that appears on first visit lets you accept or reject the non-essential categories individually.

Strictly necessary

Login session, security, load balancing. Cannot be turned off — the site won't work without them.

Functional

Language, currency, favourite games, display preferences. Can be turned off; without them you'll re-enter your preferences on each visit.

Analytics

Aggregated usage statistics, pseudonymised. Can be turned off. Used to identify broken pages and popular content.

Marketing

Off-site retargeting. Off by default for new EU/UK visitors; opt-in elsewhere. Can be turned off at any time.

You can also manage cookies at the browser level — reject all, allow first-party only, or delete after each session. Blocking strictly-necessary cookies will prevent login.

The site links to external pages — game providers, payment processors, regulator websites, responsible-gambling organisations. We aren't responsible for the privacy practices of those sites. Read their policies before sharing data on them. We pick partners carefully but we can't control downstream behaviour once you click through.

Underage protection

Playfina serves only adults aged 18 and older. We don't knowingly collect data from anyone under that age. Identity verification at first deposit (and again at first withdrawal) is the operational gate. If we discover an underage account, we close it immediately, return the deposit balance, void any winnings, and notify the registered guardian where one is identifiable. If you believe a minor has accessed our service, please email [email protected] with any details you can share.

International data transfers

Personal data may be processed outside Australia. Our cloud infrastructure includes data centres in the EU and the United States, and identity-verification providers operate from various jurisdictions. We rely on standard contractual clauses (SCCs) and equivalent safeguards to keep European-grade protection wherever data flows. We document each transfer mechanism and the DPO can provide a summary on request.

When this policy changes

We update this policy when our practices, technology, or legal obligations change. Material changes are notified at least 30 days before they take effect — by email to registered users, by a banner notice on the site, and by an updated "Last updated" date at the top of this page. Continuing to use the service after a change takes effect is treated as acceptance. If you disagree with a change, you can close your account before it takes effect with no penalty. Past versions of the policy are available on request from the DPO.

Contact the Data Protection Officer

For any privacy-related question or to exercise any of your rights, contact:

Data Protection Officer
Email: [email protected]
Postal: Playfina Casino, Heelsumstraat 51, E-Commerce Park, Willemstad, Curaçao
Response window: within 30 days of a verified request.

For general support unrelated to privacy, use live chat or [email protected] instead — the DPO route is reserved for data subject requests so the queue stays short. If you remain unhappy after a DPO response, Australian residents can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. Residents of other jurisdictions should contact their local data-protection authority.