Playing slot wanted dead or a wild slots app means providing personal data. This document details exactly how long we store it, the rationale, and what technical protections underpin each category—all built around UK GDPR, the Data Protection Act 2018, and PCI DSS. We manage identity documents, financial transactions, gameplay telemetry, responsible gambling markers, and marketing consents, each with its unique retention clock. Identity records are kept for five years after account closure. Financial logs stay for seven, matching HMRC requirements. Gameplay data undergoes 24 months before anonymisation takes effect. Full card numbers never enter our systems—only tokenised aliases—and every byte is protected. Independent auditors check our automated deletion routines, and any schedule slip triggers a full incident response. A version-controlled policy log records every edit, and we give you 30 days’ notice before material changes become effective. Subject access and deletion requests are managed within statutory deadlines.
Monetary Transaction and Payment Records
Funding, withdrawal, and wager logs are retained for seven years from the transaction date, per HMRC and FCA rules. We seldom store full PANs or CVVs. We collect only the BIN, last four digits, and a tokenised alias. Chargeback disputes freeze the contested record until final resolution, after which the seven-year clock continues. Data is partitioned quarterly so automated purging runs cleanly, with monthly deletion runs checked by auditors. Tokenised card references stay valid only while your account is live and are wiped within thirty days of termination. Aggregated, anonymised totals endure for financial reporting without any personal details. All financial data is encrypted and quarantined from marketing systems.
Secured Payment Instruments and Processor References
Payment gateways generate vaulted tokens that associate your card to a non-sensitive alias. We store them for the account lifetime plus a thirty-day grace window, then transmit deletion commands to the processor and erase our own link. The only trace left behind is an anonymised transaction hash used in aggregate statements, themselves deleted after seven years. No usable credentials ever exist on our systems. We track token revocation daily and raise incidents if deletion does not work. Tokens are tied to our merchant code and cannot be used elsewhere. Weekly reconciliation validates authenticity, and tokens tied to lost or stolen cards are cancelled immediately. All token operations are recorded and verifiable. Aggregate reports never disclose individual transaction hashes.
User Account and Identity Verification Data
Primary identity records—official ID scans, residence proof, biometric selfie matches—are held for 5 years after your last activity or closure of account, whichever is later. This covers statutory limitation periods and AML obligations. We retrieve only the key information: ID number, expiry, citizenship. The original image gets deleted upon extraction. Once the five-year period pass, all raw data is erased, but a cryptographic hash of the verification result remains for another two years inside an audit trail. Identity data sits encrypted at rest with AES-256-GCM, isolated from analytics, and every data access is logged for a three-year period. Optional fields like birthplace are deleted at verification stage to reduce the data size. Annual reviews confirm precision and automatically remove outdated records.
File Upload and Biometric Data Processing
Upload an ID through our secure portal and automated validation finishes within 90 seconds. We pull the ID number, expiration date, nationality, and a confidence score, then delete the full-resolution image right away—it never touches disk. The initial file stays in an temporary memory and disappears after processing. A reduced, watermarked preview is produced for auditing purposes and kept only for the identity verification period. That thumbnail lives in a immutable vault with strict controls and is never shown to client support. Retrieved data are encoded and kept for the 5-year-plus-2-year hash period. All handling runs on ISO 27001 certified UK servers, and every thumbnail access is stored unchangeably.
Biometric Information Details
Liveness verifications capture a quick video entirely in memory. Frames are analysed and discarded within milliseconds. Only a numerical vector of facial landmarks survives. This numerical representation contains no image data and cannot be reverse-engineered into a facial image. It is kept for the time of identity verification and is irreversibly removed upon account termination or after 5 years. The numerical representation sits in a specialized HSM with self-expiry and is never exported. Login comparisons happen inside the HSM’s protected enclave without exposing the unprocessed data. The data set is bound to a anonymous identifier unlinked from marketing profiles, which makes re-identifying highly challenging. Even system admins are unable to view or reconstruct face characteristics from the saved data.
Gameplay Session and Behavioral Analytics Data
Each spin on Wanted Dead Or a Wild tracks reel positions, RNG seed, and net outcome with microsecond precision. We store these raw logs for twenty-four months, then compress them into an anonymous statistical digest used for game design. Session behavioural profiles—average bet, spin cadence, feature buy-ins—remain for the same 24-month window and are then deleted. Feature trigger heatmaps persist for 12 months before merging into a global model. RNG seed audit trails get 36 months. Error diagnostics have 90 days. No individual gameplay data goes into credit or marketing profiling. All logs are encrypted and off-limits to marketing teams.
- Spin-level logs: 24 months from event date, then anonymised aggregation
- Session behavioural profiles: 24 months from last session, then removed
- RNG seed audit trails: 36 months to comply with technical standards
- Feature trigger heatmaps: 12 months, then merged into global model
- Error and crash diagnostic logs: 90 days, then removed
Data Subject Access Request and Deletion Workflows
Upon receiving an SAR, we generate a structured JSON/CSV export of all non-purged data within one month, prolongable by two months for complex cases. The export covers live databases, encrypted archives, and processor tokens, delivered via a one-time secure link that expires in 72 hours. For deletion, we proceed sequentially: immediate account suppression and token revocation, then scheduled erasure of all personal data not subject to legal hold. We generate a confirmation report detailing erased versus retained categories and their justifications. This report is maintained as auditable proof for as long as the longest surviving data category. All requests are recorded immutably for five years.
Core Definitions and Extent of Personal Data
We cast a wide net on what constitutes personal data. Direct identifiers—name, email, billing address, masked payment details—sit alongside indirect signals like hashed IP addresses, device fingerprints, browser agents, and advertising tokens. Behavioural data covers session length, bet sizing, spin velocity, and how often feature triggers fire. Even pseudonymised logs can re-identify a person when stitched together, so we handle them as personal. Our lawful bases are contractual necessity, legitimate interest for fraud prevention, and explicit consent for game-related marketing. Full card numbers get tokenised before storage. We never collect special category data. Encryption and access controls apply uniformly, and retention rules cover live databases, archives, and backups without exception. Each window begins counting from the last activity or transaction date, spelled out below. We revisit definitions every six months to stay aligned with regulatory guidance.
Policy Review and Incident Reporting Protocols
We assess this policy every six months or upon material change to the game or regulation. Reviews are recorded with DPO, CISO, and legal counsel. A public summary is published in our privacy centre, minus confidential details. Material changes are emailed 30 days ahead. Minor edits are silently recorded. If a breach occurs affecting data under this policy, we inform affected individuals within 72 hours if high risk, submit with the ICO, and publish a transparency notice. Third-party processor breaches must follow the same protocol. We keep a breach notification log audited quarterly. Post-incident reviews update controls as needed. Biannual tabletop exercises model misconfigurations and ransomware to test our response.
Document Versioning and Change Log
We keep a version-controlled history of this policy with semantic versioning and plain-English summaries of each change. The log outlines exactly which sections changed and why. Previous versions remain accessible for comparison, so you can see precisely what was added or removed. Material modifications affecting your rights are conveyed via email at least thirty days in advance. Minor typographical fixes are deployed silently but still recorded. Each entry is cryptographically signed to prove integrity, and annual independent audits check the log’s accuracy. The log is a living document reflecting our evolving data practices. You can retrieve the full change log through a link in our privacy centre at any time. This transparent approach reflects our commitment to accountable data governance.

Marketing Approval and Message Logs
We keep your consent document—time-stamped, with IP address, and method-recorded—for the life of our partnership plus six years after withdrawal, to satisfy PECR rules. Send logs for electronic messages, push messages, and SMS are kept for only thirteen months. Withdrawing consent immediately suppresses communications while preserving historical proof. A divided database ensures suppression without lag, and consent logs are kept in a dedicated compliance archive. Dispatch records hold metadata only—topic, timestamp, state—not full message body. The six-year post-withdrawal window mirrors the statute of limitations for regulatory investigations. Quarterly audits confirm no expired consents initiate mailings. We never tailor offers with gameplay or financial data beyond explicit authorisations.
Infrastructure Setup and Data Location
All data resides in UK-based ISO 27001 Tier III+ data centres, with no replication outside the UK. A hot disaster recovery site in a separate UK zone synchronizes every six hours. Backups are encrypted client-side and maintain identical retention rules. We apply least privilege with hardware MFA for administrators, recording their sessions in an immutable three-year audit trail. Multi-factor authentication uses a hardware token and biometric check. Penetration tests are conducted quarterly, and an independent auditor verifies automated purge schedules. Any deviation triggers a Severity 1 incident, reported to our DPO within four hours. We also operate an air-gapped backup rotated weekly, subject to the same deletion policies.
Key Lifecycle Administration
Master keys change every 90 days automatically inside an HSM. New keys are not extracted in plaintext. Rotated keys are stored for the data’s retention period plus 12 months for lawful forensic access. When a data category is purged, its key is deleted inside the HSM, making any backups unrecoverable. We assign each key to a single data partition, never reuse, and conduct quarterly witnessed key ceremonies logged immutably for five years. The offline archive of old keys needs dual control and is stored on write-once media in a fireproof safe. Annual recovery drills ensure forensic decryption works when needed. No plaintext key material ever leaves the HSM boundary.
Controlled Gambling and Player Ban Registers

Betting limits, reality checks, and timeout settings are kept for your account’s entire duration and never deleted while it is active. If you opt for self-exclusion, your hashed identity and device fingerprints are added to a specific exclusion register kept permanently under UKGC licence requirements. The register is secured separately, accessed only at login or registration, and never utilized for analytics. Access is confined to qualified compliance staff, and all lookups are tracked for three years. The register stores only identity blocks—no banking or gameplay records. We examine it annually to correct errors and remove deceased individuals. Otherwise, it is kept indefinite. This retention is mandatory and exempt from deletion requests.
Reality Check and Session Limit Enforcement
Reality check counters use temporary session counters that restart every 24 hours, starting anew from your first spin after midnight. Your preferred interval—say, 30 minutes—is stored persistently and automatically reactivates when you return, even after a long break. Modifying the interval mid-session applies the new value right away for the next reminder. These settings are purged only upon verified account deletion. Session timer data sits in a specific, encrypted store separate from gameplay analytics. The 24-hour counter is based on play start, not midnight, for accuracy. All timer configurations are checkable through the same three-year access log standard. We never analyze or market based on these settings.