Data Retention Policy for Wanted Dead Or a Wild Slot Game in the United Kingdom

Playing Wanted Dead Or a Wild Slot means providing personal data. This document details exactly how long we store it, the rationale, and what technical protections underpin each category—all aligned with UK GDPR, the Data Protection Act 2018, and PCI DSS. We manage identity documents, financial transactions, gameplay telemetry, responsible gambling markers, and marketing consents, each with its own retention clock. Identity records stick around for five years after account closure. Financial logs stay for seven, satisfying HMRC requirements. Gameplay data receives 24 months before anonymisation takes effect. Full card numbers never enter our systems—only tokenised aliases—and every byte is encrypted. Independent auditors verify our automated deletion routines, and any schedule slip initiates a full incident response. A version-controlled policy log documents every edit, and we offer you 30 days’ notice before material changes become effective. Subject access and deletion requests are managed within statutory deadlines.

Essential Definitions and Range of Personal Data

We cast a wide net on what counts as personal data. Direct identifiers—name, email, billing address, masked payment details—coexist with indirect signals like hashed IP addresses, device fingerprints, browser agents, and advertising tokens. Behavioural data includes session length, bet sizing, spin velocity, https://en.wikipedia.org/wiki/Casino_Helsinki and how often feature triggers fire. Even pseudonymised logs can re-identify a person when stitched together, so we treat them as personal. Our lawful bases are contractual necessity, legitimate interest for fraud prevention, and explicit consent for game-related marketing. Full card numbers get tokenised before storage. We never collect special category data. Encryption and access controls apply uniformly, and retention rules cover live databases, archives, and backups without exception. Each window commences from the last activity or transaction date, spelled out below. We revisit definitions every six months to remain compliant with regulatory guidance.

Registration Account and Verification of Identity Data

Core identity profiles—scans of government IDs, address verification, biometric selfie matches—are retained for a five-year period after your last session or account closure, whichever comes later. This includes statutory limitation periods and anti-money laundering responsibilities. We obtain only the essentials: document ID, expiry, nationality. The original image gets shredded right after extraction. Once the five-year period pass, all original data is purged, but a cryptographic hash of the verification result remains for another two years inside an audit log. Identification data sits encrypted in storage with AES-256-GCM, stored away from analytics, and every access is recorded for 3 years. Unnecessary fields like place of birth are deleted at the time of verification to minimize the data volume. Annual reviews confirm correctness and actively purge expired data.

File Upload and Biometric Processing

Provide an ID through our safe portal and automatic verification wraps up within a minute and a half. We retrieve the ID number, expiration date, nationality, and a trust score, then delete the original image right away—it never touches disk. The initial file stays in an in-memory buffer and vanishes after processing. A compressed, stamped preview is created for auditing purposes and retained only for the ID lifecycle. That small image lives in a write-once storage with tight controls and is never exposed to customer support. Retrieved data are encrypted and kept for the five-year-plus-two hash window. All operations runs on UK-based ISO 27001 servers, and every preview retrieval is logged permanently.

Biometric Data Specifics

Live detection checks collect a brief video feed solely in memory. Video frames are processed and discarded within milliseconds. Only a data vector of facial landmarks persists. This data set lacks any image data and cannot be reconstructed into a picture. It remains for the entire identity verification process and is purged irrevocably upon account termination or after a five-year period. The data set sits in a dedicated HSM with automatic expiration and is never transferred. Login comparisons happen inside the HSM’s safe environment without exposing the original vector. The data set is linked to a pseudonym unlinked from advertising profiles, which makes re-identifying highly challenging. Even system administrators are unable to view or recreate facial features from the saved data.

Gameplay Session and Behavioural Analytics Data

Every spin on Wanted Dead Or a Wild tracks reel positions, RNG seed, and net outcome with microsecond precision. We store these raw logs for twenty-four months, then compact them into an anonymous statistical digest employed for game design. Session behavioural profiles—average bet, spin cadence, feature buy-ins—remain for the same 24-month window and are then deleted. Feature trigger heatmaps persist for 12 months before merging into a global model. RNG seed audit trails have 36 months. Error diagnostics get 90 days. No individual gameplay data flows into credit or marketing profiling. All logs are encrypted and off-limits to marketing teams.

  • Spin-level logs: 24 months from event date, then anonymized aggregation
  • Session behavioural profiles: 24 months from last session, then removed
  • RNG seed audit trails: 36 months to meet technical standards
  • Feature trigger heatmaps: 12 months, then combined into global model
  • Error and crash diagnostic logs: 90 days, then rotated out

Safe Gambling and Player Ban Registers

Deposit limits, session reminders, and timeout settings are kept for your account’s whole period and never purged while it stays active. If you opt for self-exclusion, your hashed identity and device fingerprints are placed into a dedicated exclusion register held without time limit under UKGC licence requirements. The register is secured separately, accessed only at login or registration, and never employed for analytics. Entry is restricted to educated compliance staff, and all searches are recorded for three years. The register contains only identity blocks—no monetary or gameplay records. We check it annually to fix errors and remove deceased individuals. Apart from that, it remains everlasting. This retention is obligatory and exempt from deletion requests.

Time Check and Gaming Duration Enforcement

Reality check counters use temporary session counters that clear every 24 hours, starting anew from your first spin after midnight. Your preferred interval—say, 30 minutes—is saved persistently and instantly reactivates when you return, even after a long break. Altering the interval mid-session applies the new value right away for the next reminder. These settings are deleted only upon validated account deletion. Session timer data sits in a dedicated, encrypted store separate from gameplay analytics. The 24-hour counter is based on play start, not midnight, for precision. All timer configurations are auditable through the same three-year access log standard. We do not categorize or promote based on these settings.

SAR and Deletion Processes

When an SAR lands, we compile a formatted JSON/CSV export of all non-purged data within one month, prolongable by two months for complex cases. The export covers live databases, encrypted archives, and processor tokens, delivered via a one-time secure link that expires in 72 hours. For deletion, we cascade: immediate account suppression and token revocation, then batched erasure of all personal data not subject to legal hold. We generate a confirmation report specifying erased versus retained categories and their justifications. This report is kept as auditable proof for as long as the longest surviving data category. All requests are documented immutably for five years.

Financial Transaction and Settlement Records

Deposit, withdrawal, and wager logs are retained for seven years from the transaction date, per HMRC and FCA rules. We never store full PANs or CVVs. We record only the BIN, last four digits, and a tokenised alias. Chargeback disputes freeze the contested record until final resolution, after which the seven-year clock continues. Data is partitioned quarterly so automated purging operates cleanly, with monthly deletion runs verified by auditors. Tokenised card references are valid only while your account is open and are erased within thirty days of closure. Summarised, anonymised totals persist for financial reporting without any personal details. All financial data is secured and quarantined from marketing systems.

Tokenised Payment Instruments and Processor References

Payment gateways generate vaulted tokens that map your card to a non-sensitive reference. We hold them for the account lifetime plus a thirty-day grace interval, then transmit deletion commands to the processor and erase our own link. The only evidence left behind is an anonymised transaction hash used in aggregate statements, themselves deleted after seven years. No usable credentials ever sit on our systems. We check token revocation daily and trigger incidents if deletion fails. Tokens are linked to our merchant code and cannot be used in other contexts. Weekly reconciliation confirms correctness, and tokens tied to lost or stolen cards are cancelled immediately. All token operations are recorded and auditable. Aggregate reports never expose individual transaction hashes.

Marketing Approval and Correspondence Records

We store your consent log—time-stamped, with IP address, and method-recorded—for the life of our relationship plus six years after withdrawal, to satisfy PECR requirements https://wanteddeadorwild.uk/. Dispatch records for emails, push notifications, and SMS are retained for only thirteen months. Cancelling consent immediately blocks communications while preserving historical proof. A segmented database ensures suppression without delay, and consent logs are kept in a separate compliance archive. Dispatch records include metadata only—topic, time, condition—not full message body. The six-year post-withdrawal timeframe mirrors the statute of limitations for regulatory inquiries. Quarterly audits check no expired consents initiate mailings. We never personalise offers with gameplay or financial data beyond explicit permissions.

Technical Infrastructure and Data Storage

All data resides in UK-based ISO 27001 Tier III+ data centres, never replicated outside the UK. A hot disaster recovery site in a separate UK zone synchronizes every six hours. Backups are encrypted client-side and adhere to identical retention rules. We implement least privilege with hardware MFA for administrators, logging their sessions in an immutable three-year audit trail. Multi-factor authentication uses a hardware token and biometric check. Penetration tests run quarterly, and an independent auditor validates automated purge schedules. Any deviation triggers a Severity 1 incident, reported to our DPO within four hours. We also operate an air-gapped backup rotated weekly, following the same deletion policies.

Management of Encryption Keys

Master keys change every 90 days automatically inside an HSM. New keys are not extracted in plaintext. Rotated keys are archived for the data’s retention period plus 12 months for lawful forensic access. When a data category is purged, its key is removed inside the HSM, making any backups unrecoverable. We bind each key to a single data partition, avoid reuse, and conduct quarterly witnessed key ceremonies logged immutably for five years. The offline archive of old keys requires dual control and is stored on write-once media in a fireproof safe. Annual recovery drills ensure forensic decryption works when needed. No plaintext key material ever leaves the HSM boundary.

Policy Evaluation and Incident Reporting Protocols

We evaluate this policy every six months or upon material change to the game or regulation. Reviews are documented with DPO, CISO, and legal counsel. A public summary is posted in our privacy centre, minus confidential details. Material changes are emailed 30 days ahead. Minor edits are silently recorded. If a breach occurs affecting data under this policy, we alert affected individuals within 72 hours if high risk, submit with the ICO, and publish a transparency notice. Third-party processor breaches must follow the same protocol. We hold a breach notification log audited quarterly. Post-incident reviews update controls as needed. Biannual tabletop exercises simulate misconfigurations and ransomware to test our response.

Policy Version Control and Revision History

We maintain a version-controlled history of this policy with semantic versioning and plain-English summaries of each change. The log outlines exactly which sections changed and why. Previous versions remain accessible wikidata.org for comparison, so you can see precisely what was added or removed. Material modifications affecting your rights are conveyed via email at least thirty days in advance. Minor typographical fixes are deployed silently but still recorded. Each entry is cryptographically signed to prove integrity, and annual independent audits verify the log’s accuracy. The log is a living document reflecting our evolving data practices. You can view the full change log through a link in our privacy centre at any time. This transparent approach demonstrates our commitment to accountable data governance.