Playing Wanted Dead Or a Wild Slot means submitting personal data https://wanteddeadorwild.uk/. This document details exactly how long we store it, the rationale, and what technical protections underpin each category—all based on UK GDPR, the Data Protection Act 2018, and PCI DSS. We manage identity documents, financial transactions, gameplay telemetry, responsible gambling markers, and marketing consents, each with its own retention clock. Identity records are retained for five years after account closure. Financial logs stay for seven, meeting HMRC requirements. Gameplay data receives 24 months before anonymisation kicks in. Full card numbers never touch our systems—only tokenised aliases—and every byte is secured. Independent auditors check our automated deletion routines, and any schedule slip initiates a full incident response. A version-controlled policy log documents every edit, and we provide you 30 days’ notice before material changes take effect. Subject access and deletion requests are processed within statutory deadlines.
Fundamental Definitions and Range of Personal Data
We adopt a comprehensive approach on what qualifies as personal data. Direct identifiers—name, email, billing address, masked payment details—sit alongside indirect signals like hashed IP addresses, device fingerprints, browser agents, and advertising tokens. Behavioural data includes session length, bet sizing, spin velocity, and how often feature triggers fire. Even pseudonymised logs can link back to a person when stitched together, so we treat them as personal. Our lawful bases are contractual necessity, legitimate interest for fraud prevention, and explicit consent for game-related marketing. Full card numbers get tokenised before storage. We never collect special category data. Encryption and access controls apply uniformly, and retention rules cover live databases, archives, and backups without exception. Each window begins counting from the last activity or transaction date, spelled out below. We reassess definitions every six months to remain compliant with regulatory guidance.
Session Gameplay and Behavioural Analytics Data
All spins on Wanted Dead Or a Wild tracks reel positions, RNG seed, and net outcome with microsecond precision. We retain these raw logs for twenty-four months, then condense them into an anonymous statistical digest utilized for game design. Session behavioural profiles—average bet, spin cadence, feature buy-ins—stay for the same 24-month window and are then deleted. Feature trigger heatmaps remain for 12 months before merging into a global model. RNG seed audit trails receive 36 months. Error diagnostics get 90 days. No individual gameplay data goes into credit or marketing profiling. All logs are encrypted and off-limits to marketing teams.
- Spin-level logs: 24 months from event date, then anonymised aggregation
- Session behavioural profiles: 24 months from last session, then erased
- RNG seed audit trails: 36 months to meet technical standards
- Feature trigger heatmaps: 12 months, then combined into global model
- Error and crash diagnostic logs: 90 days, then rotated out
Payment Transaction and Billing Records
Funding, withdrawal, and wager logs are retained for seven years from the transaction date, per HMRC and FCA rules. We do not store full PANs or CVVs. We record only the BIN, last four digits, and a tokenised identifier. Chargeback disputes suspend the contested record until final resolution, after which the seven-year clock continues. Data is partitioned quarterly so automated purging works cleanly, with monthly deletion runs checked by auditors. Tokenised card references remain valid only while your account is live and are deleted within thirty days of closure. Aggregated, anonymised totals persist for financial reporting without any personal identifiers. All financial data is secured and quarantined from marketing systems.
Tokenized Payment Instruments and Processor References
Payment gateways create vaulted tokens that map your card to a non-sensitive reference. We hold them for the account lifetime plus a thirty-day grace window, then issue deletion commands to the processor and wipe our own reference. The only remnant left behind is an anonymised transaction hash used in aggregate statements, themselves removed after seven years. No usable credentials ever exist on our systems. We check token revocation daily and initiate incidents if deletion does not work. Tokens are tied to our merchant code and cannot be used in other contexts. Weekly reconciliation verifies correctness, and tokens tied to lost or stolen cards are invalidated immediately. All token operations are logged and checked. Aggregate reports never disclose individual transaction hashes.
Account Registration and ID Verification Data
Main identity data—government ID scans, residence proof, selfie biometric matches—are kept for 5 years after your last session or account termination, whichever is later. This includes contractual time limits and anti-money laundering duties. We extract only the essentials: document number, validity, nationality. The full-resolution image gets destroyed upon extraction. Once the five-year period pass, all original data is purged, but a hash of the verification result persists for two more years inside an audit trail. Identification data sits stored encrypted with AES-256-GCM, stored away from analytics, and every retrieval is recorded for three years. Optional fields like birthplace are deleted at the time of verification to shrink the data footprint. Yearly audits verify correctness and actively purge outdated records.
File Upload and Biometric Processing
Upload an ID through our secure portal and automated checking wraps up within ninety seconds. We retrieve the document number, expiration date, nationality, and a confidence score, then shred the full-resolution image instantly—it never reaches storage. The original file stays in an memory buffer and disappears after handling. A compressed, marked preview is created for compliance purposes and retained only for the identity verification period. That thumbnail lives in a immutable vault with tight controls and is never shown to client support. Collected information are encoded and stored for the five-year-plus-two hash window. All operations runs on servers in the UK with ISO 27001, and every small image access is logged permanently.
Biometric Data Specifics
Liveness checks record a quick video completely in memory. Video frames are analyzed and removed within milliseconds of time. Only a mathematical vector of facial landmarks survives. This vector contains no image data and cannot be turned back into a facial image. It stays for the duration of identity verification and is permanently deleted upon account closure or after a five-year period. The vector sits in a hardware security module with self-expiry and is never exported. Login verifications happen inside the HSM’s safe environment without exposing the raw vector. The vector is linked to a pseudonymous identifier separated from marketing data, which makes re-identification extremely difficult. Even IT admins cannot see or recreate facial features from the kept numerical representation.
SAR and Deletion Processes
When an SAR lands, we generate a formatted JSON/CSV export of all non-purged data within one month, prolongable by two months for complex cases. The export spans live databases, encrypted archives, and processor tokens, provided via a one-time secure link that expires in 72 hours. For deletion, we cascade: immediate account suppression and token revocation, then batched erasure of all personal data not subject to legal hold. We generate a confirmation report outlining erased versus retained categories and their justifications. This report is retained as auditable proof for as long as the longest surviving data category. All requests are documented immutably for five years.
Marketing Consent and Communication Logs
We maintain your consent record—timestamped, IP-marked, and method-captured—for the duration of our partnership plus six years after cancellation, to satisfy PECR rules. Delivery logs for emails, push alerts, and SMS are kept for only thirteen months. Withdrawing consent immediately halts communications while preserving historical proof. A partitioned database guarantees suppression without latency, and consent logs are kept in a distinct compliance archive. Send logs include metadata only—heading, time stamp, condition—not full message content. The six-year post-withdrawal timeframe matches the statute of limitations for regulatory probes. Quarterly audits verify no expired consents trigger mailings. We never tailor offers with gameplay or financial data beyond explicit consents.
Controlled Gambling and Player Ban Registers
Stake limits, reality checks, and timeout settings are stored for your account’s entire duration and never purged while it is active. If you self-exclude, your hashed identity and device fingerprints enter a specific exclusion register kept indefinitely under UKGC licence requirements. The register is encrypted separately, queried only at login or registration, and never utilized for analytics. Permission is restricted to educated compliance staff, and all searches are tracked for three years. The register stores only identity blocks—no monetary or gameplay records. We examine it annually to rectify errors and remove deceased individuals. Apart from that, it remains indefinite. This retention is obligatory and excluded from deletion requests.
Reality Check and Play Time Restriction Enforcement
Reality check counters use temporary session counters that clear every 24 hours, starting anew from your first spin after midnight. Your selected interval—say, 30 minutes—is saved persistently and instantly reactivates when you come back, even after a long break. Altering the interval mid-session applies the new value right away for the next reminder. These settings are removed only upon validated account deletion. Session timer data resides in a specialized, encrypted store separate from gameplay analytics. The 24-hour counter is based on play start, not midnight, for correctness. All timer configurations are auditable through the same three-year access log standard. We never categorize or promote based on these settings.
Infrastructure Setup and Data Location
All data is stored in UK-based ISO 27001 Tier III+ data centres, with no replication outside the UK. A hot disaster recovery site in a separate UK zone syncs every six hours. Backups are encrypted client-side and adhere to identical retention rules. We apply least privilege with hardware MFA for administrators, logging their sessions in an immutable three-year audit trail. Multi-factor authentication uses a hardware token and biometric check. Penetration tests occur quarterly, and an independent auditor validates automated purge schedules. Any deviation triggers a Severity 1 incident, alerted to our DPO within four hours. We also operate an air-gapped backup rotated weekly, following the same deletion policies.
Key Lifecycle Administration
Master keys are renewed every 90 days automatically inside an HSM. New keys are never exported in plaintext. Rotated keys are archived for the data’s retention period plus 12 months for lawful forensic access. When a data category is purged, its key is removed inside the HSM, making any backups unrecoverable. We bind each key to a single data partition, avoid reuse, and conduct quarterly witnessed key ceremonies logged immutably for five years. The offline archive of old keys demands dual control and is stored on write-once media in a fireproof safe. Annual recovery drills guarantee forensic decryption works when needed. No plaintext key material ever departs the HSM boundary.
Policy Evaluation and Incident Reporting Protocols
We assess this policy every six months or upon material change to the game or regulation. Reviews are minuted with DPO, CISO, and legal counsel. A public summary is displayed in our privacy centre, minus confidential details. Material changes are emailed 30 days ahead. Minor edits are silently recorded. If a breach occurs affecting data under this policy, we notify affected individuals within 72 hours if high risk, report with the ICO, and publish a transparency notice. Third-party processor breaches must follow the same protocol. We keep a breach notification log audited quarterly. Post-incident reviews adjust controls as needed. Biannual tabletop exercises test misconfigurations and ransomware to test our response.
Policy Version Control and Change Log
We keep a version-controlled history of this policy with semantic versioning and plain-English summaries of each change. The log details exactly which sections changed and why. Previous versions remain accessible for comparison, so you can see precisely what was added or removed. Material modifications affecting your rights are communicated via email at least thirty days in advance. Minor typographical fixes are deployed silently but still recorded. Each entry is cryptographically signed to prove integrity, and annual independent audits check the log’s accuracy. The log is a living document reflecting our evolving data practices. You can retrieve the full change log through a link in our privacy centre at any time. This transparent approach shows our commitment to accountable data governance.
