CasinoLab Privacy Policy: Data Use and User Rights
Last updated: June 3, 2026
This policy explains how Genesis Global Limited handles personal information when users interact with the CasinoLab casino service. Data processing occurs each time a visitor browses the site, registers an account or places a bet. The framework is built around UK Gambling Commission and Malta Gaming Authority requirements, which demand transparency and user control over how records are managed.
The policy covers every data-related action that takes place on the platform, from cookie storage and registration through to withdrawal verification and marketing communication. It applies to all users who access CasinoLab services in the United Kingdom and Malta licensing territories.
What Key Terms Mean
Understanding the vocabulary used throughout this document makes the policy easier to follow. Legal terms often sound abstract, but each one connects to something a user actually does on the platform.
Terms That Affect Users
The word “user” applies to anyone who browses the site, whether or not they have registered an account. “Account holder” refers to players who have completed registration and created login credentials. “Device” covers phones, tablets and computers that connect to the CasinoLab service, while “processing” describes any action taken with personal data, from collection and storage through to deletion.
Data Categories
“Personal data” is any information that can identify an individual, such as a name, email address or payment card number. “Technical data” includes IP addresses, browser types and operating system details, which are collected automatically whenever someone visits the site. “Usage data” describes how users interact with the platform, including game selections, deposit frequency and login patterns.
What Information Is Collected
Data collection starts the moment someone opens the CasinoLab website. Some information arrives automatically through technical systems, while other details are provided manually during registration or account updates.
Identity and Contact Details
When a player registers, they enter their full name, date of birth, home address and phone number. These fields are mandatory because UK Gambling Commission rules require age verification and identity checks before any real-money play. The system also collects an email address, which serves as the primary communication channel for account updates, bonus notifications and security alerts.
Payment Information
Each deposit or withdrawal request triggers the collection of payment data. Card transactions capture the cardholder name, card number, expiry date and CVV code. Bank transfers require account numbers and sort codes, while crypto deposits record wallet addresses and transaction hashes. MiFinity payments collect the MiFinity account identifier and transaction reference. All payment records are stored to satisfy anti-money laundering checks and to ensure withdrawals return to the same source as the original deposit.
Technical and Usage Records
Every visit to the site generates a log entry that includes the user’s IP address, browser version, device type and operating system. The platform tracks which pages are viewed, how long sessions last and which games are played. This usage data helps identify irregular patterns such as bonus abuse, duplicate accounts or VPN use, which can trigger a manual security review.
Why Data Is Used
Each piece of information serves a specific operational or legal purpose. The platform does not collect data simply for the sake of record-keeping; every data point supports account management, security, compliance or service improvement.
Service Delivery
Personal data is used to create and maintain player accounts, process deposits and withdrawals, deliver game sessions and track bonus progress. When a player requests a payout, the system cross-checks payment details against registration records to confirm ownership. If a user forgets their password, the email address on file is used to send a reset link.
Legal and Regulatory Compliance
UK Gambling Commission licence 45235 and MGA/CRP/314/2015 impose strict obligations on how the operator handles player records. Age verification requires date-of-birth checks against government-issued ID. Anti-money laundering rules demand transaction monitoring, source-of-funds reviews and enhanced due diligence on large deposits or withdrawals. The operator must also respond to regulatory requests for player data during audits or investigations.
Marketing and Communication
Players who opt in during registration receive promotional emails about reload bonuses, free spins, tournaments and VIP rewards. Marketing communication is tailored using data such as deposit frequency, game preferences and bonus claim history. Users can withdraw consent at any time through account settings or by contacting support.
Analytics and Fraud Prevention
Usage data is analysed to detect patterns that indicate bonus abuse, multiple accounts, collusion or irregular betting. The system flags accounts that share IP addresses, payment methods or device fingerprints. When a risk signal appears, the compliance team reviews transaction history, gameplay logs and identity documents before deciding whether to request additional verification or suspend the account.
Legal Grounds for Processing
Data protection legislation requires a lawful basis for every processing activity. The operator relies on four main legal grounds, each applying to different types of data and actions.
Consent
Players agree to data processing when they tick the consent box during registration. This consent covers account creation, payment processing and marketing communication. Users can withdraw consent at any time, though doing so may limit access to certain platform features. Consent withdrawal does not affect the legality of processing that occurred before the request.
Contractual Necessity
Processing is necessary to deliver the casino service. Creating an account, accepting deposits, running games and paying out winnings all require the use of personal data. Without this processing, the operator cannot fulfil its contractual obligations to the player.
Legal Obligation
UK and Maltese gambling regulations impose duties that cannot be met without processing personal data. Age verification, identity checks, transaction monitoring and regulatory reporting all fall under this category. The operator has no discretion over whether to collect this data; the law requires it.
Legitimate Interests
The operator may process data to protect its business interests, provided those interests do not override user rights. Fraud detection, security monitoring and platform improvement are examples of legitimate interests. When a new account shares a payment method with a previously banned user, the system may flag the profile for review based on this legal ground.
How Data Is Shared
Personal information is not sold to third parties. However, certain operational and legal requirements mean that data is disclosed to external organisations in specific circumstances.
Service Providers
The platform relies on external companies to deliver technical services. Payment processors handle card transactions, bank transfers and e-wallet deposits. Cloud hosting providers store account records and game session logs. Email service providers send account notifications and marketing campaigns. Each service provider is bound by contract to protect data and use it only for the agreed purpose.
Affiliates and Partners
Genesis Global Limited operates multiple casino brands within its network. Data may be shared across this network to detect duplicate accounts, manage self-exclusions and coordinate responsible gambling controls. If a player bans themselves from one brand, the exclusion can be applied across the entire operator group.
Regulators and Law Enforcement
The UK Gambling Commission and Malta Gaming Authority can request player data during audits, investigations or compliance reviews. Law enforcement agencies may also request records under court orders or legal notices. The operator is legally required to comply with these requests and cannot notify users in advance if doing so would interfere with an investigation.
Legal Disclosures
Data may be disclosed to solicitors, accountants or other professional advisers when necessary to resolve disputes, enforce terms of service or defend legal claims. In the event of a merger, acquisition or sale of business assets, player data may be transferred to the new owner, subject to the same privacy protections.
How Long Data Is Kept
Retention periods are determined by legal requirements, operational needs and the nature of the data. Not all records are stored for the same length of time.
Active Account Data
While an account remains open, personal details, transaction history and gameplay logs are retained to support ongoing service delivery. Players can request updates to their personal information at any time, and the system reflects changes immediately.
Closed Account Data
When a player closes their account, most personal data is deleted within 30 days. However, UK Gambling Commission rules require the operator to retain transaction records, identity documents and risk assessments for at least five years. This retention period exists to support regulatory audits and anti-money laundering investigations.
Marketing Data
Players who withdraw marketing consent are removed from promotional mailing lists within seven days. However, transactional emails such as deposit confirmations and withdrawal notifications continue to be sent because they are necessary for account management.
Cookie and Technical Data
Cookies and session logs are typically deleted after 12 months unless they are needed for fraud detection or security monitoring. Anonymous analytics data may be retained indefinitely because it cannot identify individual users.
User Rights Over Personal Data
Data protection legislation grants users several rights that allow them to control how their information is used. Each right can be exercised by contacting the support team.
Access Requests
Players can request a copy of all personal data held about them. The operator must respond within 30 days and provide the information in a readable format, usually a PDF or spreadsheet. The first request each year is free, but the operator may charge a reasonable fee for additional copies.
Rectification and Updates
If personal details are incorrect or out of date, users can ask for corrections. Common examples include updating an address after moving house or changing a phone number. The operator must correct inaccurate data within 30 days unless there is a legitimate reason to refuse.
Erasure and Deletion
Players can request the deletion of their data under certain circumstances, such as when the information is no longer needed for its original purpose or when consent is withdrawn. However, the operator may refuse deletion if legal obligations require continued storage, such as the five-year retention period for transaction records.
Restriction and Objection
Users can ask the operator to stop processing their data while a dispute is being resolved. For example, if a player challenges the accuracy of their transaction history, the operator may be required to pause further processing until the issue is settled. Players can also object to marketing communication at any time, and the operator must stop sending promotional emails within seven days.
Data Portability
Players can request a machine-readable copy of their data to transfer to another service provider. This right applies only to information provided by the user, such as registration details and deposit history, and does not cover data generated by the platform, such as risk assessments or fraud flags.
Security Measures in Place
Protecting personal data requires a combination of technical controls, organisational policies and staff training. While no system can guarantee absolute security, the operator uses industry-standard measures to reduce risks.
Encryption and Secure Storage
All data transmitted between users and the platform is encrypted using TLS 1.2 or higher. Payment card details are tokenised immediately after entry, meaning the platform never stores full card numbers. Account passwords are hashed using bcrypt, a one-way function, so the stored values cannot be directly reversed into the original passwords even if the database is compromised.
Access Controls
Only authorised staff can access personal data, and permissions are granted based on job role. Customer support agents can view account balances and transaction history but cannot see payment card numbers or change withdrawal limits. Compliance officers have broader access to review identity documents and conduct anti-money laundering checks.
Fraud Detection Systems
Automated systems monitor login attempts, deposit patterns and gameplay behaviour to detect suspicious activity. If a user logs in from an unusual location or makes a large deposit after months of inactivity, the account may be flagged for manual review. Multi-factor authentication can be enabled to add an extra layer of protection.
Incident Response Procedures
If a data breach occurs, the operator must notify affected users within 72 hours and report the incident to the UK Information Commissioner’s Office. The notification includes details of what data was affected, what steps are being taken to resolve the issue and what actions users should take to protect themselves.
Cookies and Tracking Technologies
Cookies are small text files stored on a user’s device when they visit the site. They serve several purposes, from remembering login sessions to tracking page views for analytics.
Types of Cookies Used
Essential cookies are necessary for the site to function and cannot be disabled. They manage login sessions, remember language preferences and maintain shopping cart contents. Performance cookies collect anonymous data about how users navigate the site, such as which pages are most popular and how long visitors stay. Marketing cookies track users across websites to deliver targeted adverts based on browsing history.
| Cookie Type | Purpose | Lifespan | Control |
|---|---|---|---|
| 🔑 Essential | Login sessions, language settings | Session or 12 months | Cannot be disabled |
| 📊 Performance | Anonymous analytics, page views | 12 months | Can be disabled in settings |
| 🎯 Marketing | Targeted adverts, retargeting | 12 months | Can be disabled in settings |
| 🛡️ Security | Fraud detection, bot prevention | Session or 6 months | Cannot be disabled |
Managing Cookie Preferences
Users can control cookies through their browser settings. Most browsers allow cookies to be blocked entirely, though doing so may prevent certain site features from working properly. Players can also delete cookies manually, but this will reset preferences and require logging in again. The platform provides a cookie consent banner on the first visit, allowing users to accept or reject non-essential cookies.
Third-Party Tracking
Some cookies are placed by external services such as Google Analytics, Facebook Pixel and payment processors. These third parties have their own privacy policies, which users should review to understand how their data is used. The operator does not control third-party cookies and cannot be held responsible for how external companies process data.
External Links and Third-Party Sites
The CasinoLab platform contains links to external websites, such as payment provider portals, game developer sites and affiliate pages. These links are provided for convenience, but the operator does not control the content or privacy practices of external sites.
Responsibility for External Content
When a user clicks a link to a third-party site, they leave the CasinoLab platform and become subject to the external site’s privacy policy. The operator cannot guarantee the security or accuracy of information on external sites and is not responsible for data processing that occurs after a user navigates away.
Payment Provider Policies
Deposits and withdrawals often redirect users to external payment portals operated by Visa, Mastercard, MiFinity or crypto wallet providers. Each payment provider has its own data handling practices, and users should review those policies before entering payment details.
Age Restrictions and Minors
UK Gambling Commission rules prohibit anyone under 18 from registering an account, placing bets or accessing casino games. The operator enforces this restriction through age verification checks and monitoring systems.
Prohibition on Underage Access
Players must be at least 18 years old to use the CasinoLab service. During registration, the system checks the date of birth against the current date to confirm eligibility. If a user enters a date that indicates they are under 18, the registration is blocked.
Verification and Enforcement
Before processing the first withdrawal, the compliance team cross-checks the date of birth against a government-issued ID such as a UK passport or driving licence. If the ID shows the user is underage, the account is closed immediately, deposits are refunded and winnings are voided.
Removal of Underage Data
If the operator discovers that an account was created by someone under 18, all personal data related to that account is deleted within 30 days. Parents or guardians who believe their child has registered an account should contact support immediately to request closure and data removal.
Changes to This Policy
Privacy practices evolve over time due to legal updates, platform improvements and changes in data processing activities. The operator reserves the right to modify this policy at any time.
Notification of Updates
When significant changes are made, registered users receive an email notification explaining what has changed and when the new policy takes effect. Players who have not logged in for an extended period may see a pop-up notification when they next visit the site.
Effective Date and Version Control
The “Last updated” date at the top of this document shows when the current version was published. Players are encouraged to review the policy regularly, especially before submitting sensitive information or making large deposits. Continued use of the platform after a policy update constitutes acceptance of the new terms.
Historical Versions
Previous versions of the policy are archived and can be requested through customer support. This allows users to compare changes and understand how data handling practices have evolved over time.
Contact and Privacy Requests
Users who want to exercise their data protection rights or ask questions about this policy can contact the compliance team through multiple channels.
How to Submit a Request
Privacy requests should be sent through the account support form or live chat. The message should clearly state which right the user is exercising, such as access, rectification or erasure. Players must provide enough information to verify their identity, such as their registered email address and account number.
Response Times
The operator must respond to privacy requests within 30 days. Complex requests, such as those involving large volumes of data, may take up to 60 days, but the operator will notify the user within the first month if an extension is needed.
Data Protection Officer
Genesis Global Limited has appointed a data protection officer who oversees compliance with UK and Maltese data protection laws. Players who believe their rights have been violated can escalate their complaint to the data protection officer, whose contact details are available through customer support.
Regulatory Complaints
If a privacy concern cannot be resolved through the operator’s internal procedures, users have the right to lodge a complaint with the UK Information Commissioner’s Office or the Malta Office of the Information and Data Protection Commissioner. These regulators investigate data protection breaches and can impose fines on organisations that fail to comply with the law.