Playing the Wanted Dead or a Wild slot game means handing over personal data. This document sets out exactly how long we keep it, why, and what technical protections sit behind each category, all built around UK GDPR, the Data Protection Act 2018, and PCI DSS. We process identity documents, financial transactions, gameplay telemetry, responsible gambling markers, and marketing consents, each with its own retention clock. Identity records are kept for five years after account closure. Financial logs are kept for seven, matching HMRC requirements. Gameplay data is kept for 24 months before anonymisation is applied. Full card numbers never touch our systems (only tokenised aliases do), and every byte is encrypted. Independent auditors verify our automated deletion routines, and any schedule slip triggers a full incident response. A version-controlled policy log documents every edit, and we give you 30 days’ notice before material changes are implemented. Subject access and deletion requests are processed within statutory deadlines.

Core Definitions and Scope of Personal Data

We take a broad view of what counts as personal data. Direct identifiers (name, email, billing address, masked payment details) are accompanied by indirect signals such as hashed IP addresses, device fingerprints, browser agents, and advertising tokens. Behavioural data encompasses session length, bet sizing, spin velocity, and how often feature triggers fire. Even pseudonymised logs can re-identify a person when stitched together, so we treat them as personal data. Our lawful bases are contractual necessity, legitimate interest for fraud prevention, and explicit consent for game-related marketing. Full card numbers are tokenised before storage. We never collect special category data. Encryption and access controls apply uniformly, and retention rules span live databases, archives, and backups without exception. Each retention window runs from the last activity or transaction date, as spelled out below. We reassess definitions every six months to keep pace with regulatory guidance.

SAR and Deletion Processes

When a subject access request arrives, we produce a formatted JSON/CSV export of all non-purged data within one month, extendable by two months for complex cases. The export covers live databases, encrypted archives, and processor tokens, and is provided via a one-time secure link that expires in 72 hours. Deletion is cascaded: immediate account suppression and token revocation, then queued erasure of all personal data not subject to legal hold. We produce a confirmation report outlining erased versus retained categories and their justifications. This report is kept as auditable proof for as long as the longest surviving data category. All requests are documented immutably for five years.

Financial Transaction and Settlement Records

Deposit, withdrawal, and wager logs are kept for seven years from the transaction date, per HMRC and FCA rules. We never store full PANs or CVVs; we record only the BIN, last four digits, and a tokenised identifier. Chargeback disputes suspend the contested record until final settlement, after which the seven-year clock restarts. Data is partitioned quarterly so automated purging operates cleanly, with monthly deletion runs verified by auditors. Tokenised card references are valid only while your account is live and are wiped within thirty days of termination. Aggregated, anonymised totals remain for financial reporting without any personal details. All financial data is encrypted and isolated from marketing systems.

Secured Payment Instruments and Processor References

Payment gateways generate vaulted tokens that map your card to a non-sensitive alias. We hold them for the account lifetime plus a thirty-day grace window, then send deletion commands to the processor and clear our own link. The only evidence left behind is an anonymised transaction hash used in aggregate reports, themselves deleted after seven years. No usable credentials ever exist on our systems. We track token revocation daily and raise incidents if deletion is unsuccessful. Tokens are linked to our merchant code and cannot be used in other contexts. Weekly reconciliation validates correctness, and tokens tied to lost or stolen cards are invalidated immediately. All token operations are recorded and auditable. Aggregate reports never disclose individual transaction hashes.

Consent for Marketing and Communication Logs

We keep your consent record (with its timestamp, IP address, and capture method) for the duration of our relationship with you plus six years after withdrawal, to satisfy PECR requirements. Dispatch records for emails, push notifications, and SMS are kept for only thirteen months. Withdrawing consent immediately halts communications while preserving historical proof. A partitioned database ensures suppression without latency, and consent logs are stored in a dedicated compliance archive. Delivery logs hold metadata only (heading, timestamp, status), not the full message body. The six-year post-withdrawal period mirrors the statute of limitations for regulatory probes. Quarterly audits confirm that no expired consents trigger mailings. We never personalise offers with gameplay or financial data beyond what you have explicitly consented to.

Gaming Session and Behavioural Analytics Data

Every spin on Wanted Dead or a Wild is logged with reel positions, RNG seed, and net outcome at microsecond precision. We keep these raw logs for twenty-four months, then compress them into an anonymous statistical digest used for game design. Session behavioural profiles (average bet, spin cadence, feature buy-ins) persist for the same 24-month window and are then deleted. Feature trigger heatmaps remain for 12 months before merging into a global model. RNG seed audit trails are kept for 36 months. Error diagnostics are kept for 90 days. No individual gameplay data goes into credit or marketing profiling. All logs are encrypted and off-limits to marketing teams.

  • Spin-level logs: 24 months from event date, then anonymised aggregation
  • Session behavioural profiles: 24 months from last session, then erased
  • RNG seed audit trails: 36 months to satisfy technical standards
  • Feature trigger heatmaps: 12 months, then integrated into global model
  • Error and crash diagnostic logs: 90 days, then rotated out

Responsible Gambling and Voluntary Exclusion Registers

Betting limits, session reminders, and timeout settings are kept for your account’s entire duration and never removed while it is active. If you choose to self-exclude, your hashed identity and device fingerprints enter a dedicated exclusion register maintained indefinitely under UKGC licence requirements. The register is secured separately, accessed only at login or registration, and never used for analytics. Access is confined to trained compliance staff, and all queries are tracked for three years. The register holds only identity blocks, with no monetary or gameplay records. We check it annually to fix errors and remove deceased individuals. Apart from that, it is kept permanently. This retention is mandatory and exempt from deletion requests.

Reality Check and Session Limit Enforcement

Reality checks use short-lived session counters that restart every 24 hours, starting anew from your first spin after midnight. Your selected interval (say, 30 minutes) is stored persistently and automatically reactivates when you visit again, even after a long break. Changing the interval mid-session applies the new value right away for the next reminder. These settings are deleted only upon verified account deletion. Session timer data sits in a dedicated, encrypted store separate from gameplay analytics. The 24-hour counter is based on play start, not midnight, for accuracy. All timer configurations are auditable through the same three-year access log standard. We never analyse or advertise based on these settings.

Account Registration and Verification of Identity Data

Primary identity records (government ID scans, residence proof, biometric selfie matches) are kept for five years after your final session or account closure, whichever occurs later. This covers contractual limitation periods and anti-money laundering duties. We extract only the key information: ID number, expiry, country of citizenship. The full-resolution image is destroyed upon extraction. Once 5 years pass, all raw data is purged, but an encrypted hash of the verification result lives on for another two years inside an audit log. Personal identity information sits encrypted at rest with AES-256-GCM, isolated from analytics, and every access is recorded for a three-year period. Optional fields like birthplace are deleted at the time of verification to minimise the data held. Annual reviews confirm accuracy and actively purge expired entries.

File Upload and Biometric Handling

Upload an ID through our secure portal and automated checking finishes within 90 seconds. We extract the document ID, expiry, nationality, and a confidence score, then delete the high-resolution image right away; it is never stored on disk. The initial file stays in a memory buffer and vanishes after handling. A compressed, watermarked preview is produced for audit purposes and kept only for the identity verification period. That small image lives in write-once storage with rigorous controls and is never exposed to customer support. Extracted information is encrypted and kept for the 5-year-plus-2-year hash period. All operations run on ISO 27001 certified UK servers, and every preview retrieval is recorded immutably.

Biometric Information Details

Liveness checks capture a short video held solely in memory. Images are analysed and discarded within a few milliseconds. Only a numerical vector of facial landmarks remains. This numerical representation contains no image data and cannot be reverse-engineered into a face. It stays for the entire identity verification process and is irreversibly removed upon account termination or after 5 years. The numerical representation sits in a dedicated HSM with auto-expiry and is never transferred. Authentication checks happen inside the HSM’s secure enclave without revealing the raw vector. The numerical representation is associated with a pseudonym kept separate from marketing profiles, which makes re-identification highly challenging. Even IT admins are unable to view or recreate facial characteristics from the saved data.

Infrastructure Setup and Data Residency

All data resides in UK-based ISO 27001 Tier III+ data centres, never replicated outside the UK. A hot disaster recovery site in a separate UK zone syncs every six hours. Backups are encrypted client-side and follow identical retention rules. We apply least privilege with hardware MFA for administrators, logging their sessions in an immutable three-year audit trail. Multi-factor authentication uses a hardware token and biometric check. Penetration tests occur quarterly, and an independent auditor confirms automated purge schedules. Any deviation raises a Severity 1 incident, reported to our DPO within four hours. We also keep an air-gapped backup rotated weekly, subject to the same deletion policies.

Encryption Key Lifecycle Management

Master keys are rotated every 90 days automatically inside an HSM. New keys are never exported in plaintext. Rotated keys are archived for the data’s retention period plus 12 months for lawful forensic access. When a data category is purged, its key is deleted inside the HSM, making any backups unrecoverable. We bind each key to a single data partition, never reuse keys, and conduct quarterly witnessed key ceremonies logged immutably for five years. The offline archive of old keys requires dual control and is stored on write-once media in a fireproof safe. Annual recovery drills ensure forensic decryption works when needed. No plaintext key material ever exits the HSM boundary.

Policy Review and Data Breach Protocols

We review this policy every six months or upon material change to the game or regulation. Reviews are documented with the DPO, CISO, and legal counsel. A public summary is published in our privacy centre, minus confidential details. Notice of material changes is emailed 30 days ahead. Minor edits are silently recorded. If a breach occurs affecting data under this policy, we alert affected individuals within 72 hours if high risk, report to the ICO, and post a transparency notice. Third-party processor breaches must follow the same protocol. We maintain a breach notification log audited quarterly. Post-incident reviews revise controls as needed. Biannual tabletop exercises simulate misconfigurations and ransomware to test our response.

Document Versioning and Revision History

We maintain a version-controlled history of this policy with semantic versioning and plain-English summaries of each change. The log details exactly which sections changed and why. Previous versions remain accessible for comparison, so you can see precisely what was added or removed. Material modifications affecting your rights are communicated via email at least thirty days in advance. Minor typographical fixes are deployed silently but still recorded. Each entry is cryptographically signed to prove integrity, and annual independent audits confirm the log’s accuracy. The log is a living document reflecting our evolving data practices. You can access the full change log through a link in our privacy centre at any time. This transparent approach demonstrates our commitment to accountable data governance.