Winner Island Casino — Privacy Policy

Winner Island is a trading name of Winner Island Ltd, registered in England and Wales. Our registered office address is provided on request to privacy@winnerisland.org.uk, the same inbox monitored by our Data Protection Officer.

We are listed as a data controller with the UK Information Commissioner's Office (ICO). You can verify the registration directly at ico.org.uk.

Identity and contact data: full legal name, date of birth, gender, nationality, residential address, email address, telephone number, copies of identification documents (passport, driving licence, national ID) and proof of address.

Financial data: payment card details (tokenised by our PCI DSS Level 1 payment processors — we never store full card numbers ourselves), bank account references, e-wallet identifiers, deposit and withdrawal history, source-of-funds evidence and tax identifiers where they're legally required.

Gameplay and transaction data: balance, bets placed, games played, session length, win/loss history, bonus history, chat messages and any customer-service interactions you've had with us.

Technical data: IP address, geolocation, device type, operating system, browser, language, time-zone, login times and a device fingerprint used solely for fraud prevention.

Marketing and communication data: your consent state for our and our partners' marketing, plus your preferred contact channels.

Performance of contract: setting up and running your account, processing deposits and withdrawals, delivering the games and paying winnings.

Legal obligation: verifying your identity and age (KYC), meeting AML, counter-terrorist financing, sanctions and tax-reporting duties, and responding to lawful requests from regulators, courts and law enforcement.

Legitimate interests: detecting and preventing fraud, bonus abuse and gambling-related harm; securing the platform; improving our products; managing complaints; and defending legal claims. Each interest has been weighed against your rights and assessed as not overridden.

Consent: marketing communications, non-essential cookies and any data sharing with marketing partners. Consent is fully withdrawable at any time.

We share personal data with: payment service providers and banks; identity-verification and KYC vendors (for example Onfido and Jumio); fraud-prevention agencies; cloud and IT providers (under formal data-processing agreements); game-content suppliers; our regulator Anjouan Gaming and other competent authorities; tax authorities where the law requires it; law-enforcement agencies under valid legal process; and our professional advisers (lawyers, auditors, accountants).

Where data has to leave the UK or EEA, we lean on UK or EU adequacy decisions, the UK International Data Transfer Agreement, or Standard Contractual Clauses backed by appropriate supplementary measures.

We never sell your personal data. We may publish anonymised, aggregated statistics for industry research where there is no risk of re-identification.

Account, KYC, transaction and gameplay records: kept for the life of the account plus 5 further years after closure, in line with the Money Laundering Regulations 2017.

Customer-service correspondence: 3 years from the date of last contact.

Marketing data: kept while consent is active and deleted within 30 days of withdrawal.

Cookies and analytics data: as detailed in our cookie banner, typically 13 months or less.

Under UK GDPR you have the right to: receive a copy of your personal data; ask us to correct inaccurate data; request erasure ("the right to be forgotten") subject to our legal retention duties; restrict or object to processing; receive your data in a portable format; and withdraw consent where consent is what we rely on.

To exercise any of these, email privacy@winnerisland.org.uk. We respond inside one calendar month. If you're not happy with our response, you can escalate free of charge to the Information Commissioner's Office at ico.org.uk or by phoning 0303 123 1113.

We use strictly necessary cookies to make the site work and, with your consent, performance, functional and marketing cookies. Preferences can be reviewed and changed any time via the cookie settings link in the site footer.

Defence in depth: TLS 1.3 in transit, AES-256 at rest, multi-factor authentication on every administrative account, segmented production networks, regular external penetration testing, and 24/7 security monitoring. No system is 100% impenetrable, so please flag anything suspicious to us straight away.

Material changes are emailed to all account holders at least 14 days before they take effect. The current published version on this page is always the binding one.