Privacy Policy & Data Protection
This Privacy Policy explains how Bass Win Casino ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our services. We are committed to protecting your privacy and handling your data in an open and transparent manner in accordance with UK data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Contents
- Key Definitions
- Data Controller Information
- What Data We Collect
- How We Use Your Data
- Legal Basis for Processing
- Data Sharing & Third Parties
- International Data Transfers
- Data Retention Periods
- Security Measures
- Cookies & Tracking Technologies
- Your Data Protection Rights
- Children's Privacy
- Policy Changes & Updates
- Contact & Complaints
Key Definitions
- Personal Data: Any information relating to an identified or identifiable natural person ("data subject").
- Processing: Any operation performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
- Data Controller: The entity that determines the purposes and means of processing personal data.
- Data Processor: The entity that processes personal data on behalf of the controller.
- UK GDPR: The United Kingdom General Data Protection Regulation, the primary data protection law in the UK.
- Special Category Data: Particularly sensitive personal data requiring enhanced protection, such as health data.
Data Controller Information
Bass Win Casino is operated by Bass Win Gaming Ltd., a company registered in the United Kingdom (Company Number: 12345678) with its registered office at:
Registered Address:
12 Piccadilly, London, W1J 0DH, United Kingdom
Data Protection Officer:
Data Protection Officer
Email: [email protected]
Postal: Data Protection Officer, Bass Win Gaming Ltd., 12 Piccadilly, London, W1J 0DH
Regulatory Compliance: We are licensed and regulated by the United Kingdom Gambling Commission (Account Number: 123456). Our data processing activities comply with the UK Gambling Commission's Licence Conditions and Codes of Practice (LCCP), particularly regarding social responsibility and customer interaction requirements.
What Personal Data We Collect
We collect different types of personal data at various stages of your interaction with our services:
Registration & Account Data
| Data Category | Examples | Collection Method |
|---|---|---|
| Identity Data | Full name, date of birth, gender | Directly from you during registration |
| Contact Data | Email address, telephone number, postal address | Directly from you during registration |
| Verification Data | Passport/driving license copies, utility bills, selfie verification | Uploaded by you during KYC process |
| Account Data | Username, password (hashed), security questions | Created by you during account setup |
Financial & Transaction Data
| Data Category | Examples | Purpose |
|---|---|---|
| Payment Data | Card details (tokenised), e-wallet IDs, bank account details | Processing deposits and withdrawals |
| Transaction History | Deposit/withdrawal amounts, dates, methods, game history | Financial auditing and responsible gambling |
| Bonus Activity | Bonus claims, wagering progress, promotion participation | Promotion management and fraud prevention |
Technical & Usage Data
- Device Information: IP address, device type, operating system, browser type
- Location Data: Country/location derived from IP address for regulatory compliance
- Usage Data: Pages visited, games played, session duration, clicks
- Communication Data: Contact history with customer support, chat logs, emails
Special Category Data: In limited circumstances related to responsible gambling support, we may process health-related information that constitutes special category data. This processing occurs only with your explicit consent or where necessary for reasons of substantial public interest (prevention of gambling harm).
How We Use Your Personal Data
We process your personal data for specific, explicit, and legitimate purposes:
| Processing Purpose | Data Types Used | Legal Justification |
|---|---|---|
| Account Management: Creating and managing your player account | Identity, Contact, Account Data | Contractual necessity |
| Identity Verification: Complying with KYC and anti-money laundering regulations | Identity, Verification, Contact Data | Legal obligation (UKGC requirements) |
| Payment Processing: Handling deposits, withdrawals, and financial transactions | Financial, Transaction, Identity Data | Contractual necessity, Legal obligation |
| Responsible Gambling: Monitoring play patterns and implementing player protections | Transaction, Usage, Technical Data | Legal obligation, Legitimate interests |
| Service Improvement: Analyzing usage to enhance platform functionality | Usage, Technical Data (anonymized) | Legitimate interests |
| Marketing Communications: Sending promotional offers (with consent) | Contact, Usage Data | Consent, Legitimate interests |
| Fraud Prevention: Detecting and preventing fraudulent activity | All relevant data categories | Legal obligation, Legitimate interests |
| Regulatory Compliance: Meeting UKGC reporting and audit requirements | Transaction, Identity, Financial Data | Legal obligation |
Legal Basis for Processing
Under UK GDPR, we must have a valid legal basis for processing your personal data. Our primary legal bases include:
Contractual Necessity
Processing necessary for the performance of a contract with you or to take steps at your request before entering into a contract. This includes:
- Processing your deposits and withdrawals
- Providing access to games and services
- Managing your account and customer support
Legal Obligation
Processing necessary for compliance with a legal obligation to which we are subject. This includes:
- Age and identity verification (UKGC requirement)
- Anti-money laundering checks
- Responsible gambling monitoring
- Tax reporting obligations
Legitimate Interests
Processing necessary for our legitimate interests or those of third parties, except where such interests are overridden by your interests or fundamental rights. This includes:
- Fraud prevention and security
- Network and information systems security
- Service improvement and development
- Marketing similar products to existing customers
Consent
Where we rely on consent, we will obtain your explicit, freely given, and informed consent. You may withdraw consent at any time through your account settings.
International Data Transfers
As an online service, your personal data may be transferred to, and processed in, countries outside the United Kingdom. We ensure all such transfers comply with UK data protection laws:
Adequacy Decisions
Where the UK Government has issued an adequacy decision for the recipient country, transfers may proceed without additional safeguards.
Standard Contractual Clauses (SCCs)
For transfers to countries without adequacy decisions, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs approved by the UK Information Commissioner's Office.
Game Provider Transfers
Some game providers may process gameplay data outside the UK. All such providers are contractually bound to provide equivalent protection to your personal data.
Your Rights Regarding Transfers
You may request information about the safeguards we have put in place for international data transfers by contacting our Data Protection Officer.
Data Retention Periods
We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with our Data Retention Policy and legal obligations:
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Account Data (active accounts) | Duration of account activity + 6 years after last login | Contractual necessity, Legal obligation (gambling regulations) |
| Financial Records (transactions, payments) | 6 years after transaction date | Legal obligation (tax, accounting laws) |
| KYC Documents (identity verification) | 5 years after account closure | Legal obligation (anti-money laundering regulations) |
| Marketing Consent (where applicable) | Until consent withdrawn + 2 years for record-keeping | Consent management, Legal defence |
| Closed/Inactive Accounts | 6 years after closure/inactivity | Legal obligation (gambling regulations), Legitimate interests (fraud prevention) |
| Self-Exclusion Records | Indefinitely (or as required by UKGC) | Legal obligation (player protection) |
Anonymization: After the retention period expires, we may anonymize your personal data so it can no longer be associated with you, in which case we may use such information for statistical analysis without further notice to you.
Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Security Measures
- Encryption: TLS 1.3 encryption for data in transit, AES-256 encryption for sensitive data at rest
- Access Controls: Role-based access controls, multi-factor authentication for staff
- Network Security: Firewalls, intrusion detection/prevention systems, DDoS protection
- Secure Development: Application security testing, vulnerability management programs
- Data Minimization: Collection of only necessary data, pseudonymization where possible
Organizational Security Measures
- Staff Training: Regular data protection and security awareness training
- Policies & Procedures: Comprehensive information security policies
- Incident Response: Documented procedures for security incidents
- Business Continuity: Disaster recovery and business continuity plans
- Third-Party Audits: Regular security assessments of critical vendors
Security Incident Notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office within 72 hours and communicate directly with affected individuals where required by law.
Your Data Protection Rights
Under UK data protection law, you have rights regarding your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Right of Access | Receive a copy of your personal data we hold (Subject Access Request) | Submit request through account or to DPO. No fee usually applies. |
| Right to Rectification | Correct inaccurate or incomplete personal data | Update in account settings or contact customer support |
| Right to Erasure | Request deletion of your personal data in certain circumstances | Submit request to DPO. Note: Legal obligations may prevent immediate deletion. |
| Right to Restriction | Limit processing of your data in certain circumstances | Contact DPO with specific restriction request |
| Right to Data Portability | Receive your data in structured, commonly used format | Request through account settings or to DPO |
| Right to Object | Object to processing based on legitimate interests or direct marketing | Use unsubscribe links or contact DPO |
| Rights re Automated Decision-Making | Not be subject to solely automated decisions with legal effects | Request human intervention, express your point of view |
Response Timeframes: We will respond to all legitimate requests within one month of receipt. If we need more time due to request complexity, we will inform you within the first month. You will not usually have to pay a fee to exercise your rights, but we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.
Identity Verification: To protect your data, we may need to verify your identity before responding to rights requests. This is a security measure to ensure personal data is not disclosed to unauthorized parties.
Children's Privacy
Our services are strictly limited to individuals aged 18 years or older. We do not knowingly collect, use, or disclose personal information from individuals under 18 years of age.
Age Verification Measures
- Registration Requirement: All users must declare they are 18+ during registration
- Document Verification: Age verification through government-issued ID
- Continuous Monitoring: Ongoing checks for potential underage gambling
- Reporting Mechanism: Procedures to handle suspected underage accounts
Parental Responsibilities
If you believe a minor has provided us with personal data without parental consent, please contact us immediately. We will promptly investigate and take appropriate action, including account closure and data deletion where appropriate.
Policy Changes & Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
Notification of Changes
- Material Changes: We will notify you of significant changes via email or prominent website notice
- Review Opportunity: We encourage you to review this policy periodically
- Version Control: Each version is dated at the top of the document
- Continued Use: Continued use of our services after changes constitutes acceptance
Change Management Process
All changes to this policy undergo legal review to ensure continued compliance with UK data protection laws and gambling regulations. Significant changes affecting data processing activities may trigger Data Protection Impact Assessments where required.
Contact & Complaints
If you have questions, concerns, or wish to exercise your data protection rights:
Primary Contact Points
Data Protection Officer:
Email: [email protected]
Postal: Data Protection Officer, Bass Win Gaming Ltd., 12 Piccadilly, London, W1J 0DH
General Privacy Inquiries:
Email: [email protected]
Online: Privacy inquiry form in your account settings
Complaints Procedure
If you have concerns about our data handling practices, we encourage you to contact us first. If you remain dissatisfied, you have the right to lodge a complaint with:
- UK Information Commissioner's Office (ICO)
Website: ico.org.uk/make-a-complaint
Telephone: 0303 123 1113
Postal: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- UK Gambling Commission (for gambling-specific concerns)
Website: gamblingcommission.gov.uk/contact-us
Response Commitment: We are committed to working with you to resolve any privacy concerns. We will acknowledge all privacy-related communications within 48 hours and provide a substantive response within 30 days, in accordance with UK GDPR requirements.
