Privacy Policy
How Virgin Games Casino collects, uses, stores, and protects the personal data of United Kingdom players under UK GDPR and the Data Protection Act 2018.
On this page
How Virgin Games Casino Handles Your Personal Data
Virgin Games Casino is operated by Gamesys Operations Limited (part of Bally's Corporation) under licence from the UK Gambling Commission, account number 38905. As a UK-only licensed gambling operator, the casino acts as the data controller for personal information collected from players in the United Kingdom and processes that information in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This page is a plain-English summary of how player data is collected, why it is needed, how long it is kept, and what rights United Kingdom residents have over it. The Information Commissioner's Office (ICO) is the independent supervisory authority that oversees data protection in the UK, and players can raise concerns with the ICO at any time. The summary below is informational and does not replace the formal privacy notice provided to players inside the registered account.
What Data We Collect and Why
UK gambling operators are legally required to hold specific categories of personal data to verify identity, prevent money laundering, run safer-gambling checks, and process payments. The table below summarises the main data categories, the lawful purpose for processing, and how long the casino is generally required to keep each one. UKGC and HMRC rules require licensed operators to retain transactional and KYC records for a minimum of five years after the end of the customer relationship.
| Data Category | Purpose | Retention Period |
|---|---|---|
| Identity (name, DOB, address) | Age verification, KYC, UKGC compliance | Account life + 5 years (AML rules) |
| Contact details (email, phone) | Account management, safer-gambling notices, marketing (opt-in) | Account life + 5 years |
| Financial data (card last 4, bank ref) | Deposits, withdrawals, fraud prevention | 5 years after last transaction |
| ID documents (passport, driving licence) | UKGC mandatory age & identity checks | 5 years from upload |
| Gameplay & transaction history | Bonus tracking, dispute resolution, safer gambling | Account life + 5 years |
| Device & IP data | Fraud detection, geo-location (UK-only enforcement) | 12-24 months |
| Source-of-funds evidence | Enhanced due diligence on higher-spend accounts | 5 years from check date |
| Support correspondence | Complaint handling, training, quality assurance | 24-36 months |
| Self-exclusion / GAMSTOP records | Block reinstatement during exclusion period | Up to 7 years (regulatory) |
Your Rights Under UK GDPR
Under the UK GDPR and the Data Protection Act 2018 every player has a clear set of rights over their personal data. Some rights are absolute, some can be limited where the casino has a legal obligation to keep certain records (for example, anti-money-laundering and gambling-licence record-keeping requirements override an immediate right to erasure). Requests are normally handled within one calendar month and are free of charge.
| Your Right | What It Means | How To Exercise It |
|---|---|---|
| Right of access | Get a copy of all personal data the casino holds about you (a Subject Access Request) | Email the data protection team from your registered address |
| Right to rectification | Correct inaccurate or incomplete data (e.g. address, name) | Update in account settings or contact support with proof |
| Right to erasure | "Right to be forgotten" — limited by AML/UKGC retention rules | Written request; honoured after legal retention expires |
| Right to restrict processing | Pause use of your data while a dispute is investigated | Submit written restriction request to data protection team |
| Right to data portability | Receive your data in a structured, machine-readable format | Request via SAR; delivered as CSV/JSON file |
| Right to object | Stop direct marketing and certain profiling | Toggle marketing preferences in account settings |
| Rights re: automated decisions | Request a human review of automated KYC or safer-gambling decisions | Written request to data protection team |
| Right to complain to the ICO | Escalate to the UK regulator if you are not satisfied with the response | Contact the Information Commissioner's Office directly |
Who We Share Data With
Virgin Games Casino does not sell personal data. Data is shared only with carefully selected processors and regulators when there is a clear lawful basis — performance of contract, legal obligation, or legitimate interest such as fraud prevention. Every processor is bound by a written data-processing agreement and, where data leaves the UK, by appropriate safeguards under UK GDPR Article 46 (such as UK International Data Transfer Agreements).
| Third Party Type | Example | Why Data Is Shared |
|---|---|---|
| UK regulator | UK Gambling Commission | Licensing audits, complaints, AML reporting |
| Data regulator | Information Commissioner's Office (ICO) | Breach notification, complaint investigations |
| Payment processors | Card acquirers, Apple Pay, Google Pay | Process deposits and withdrawals securely |
| KYC / ID providers | Electronic identity-verification suppliers | Confirm age and identity at sign-up |
| Fraud & AML screening | PEPs and sanctions databases | Anti-money-laundering legal obligation |
| Safer-gambling network | GAMSTOP self-exclusion register | Block accounts during active self-exclusion |
| Game providers | Gamesys studios, partner suppliers | Run individual game sessions (pseudonymised) |
| Cloud & hosting | Approved EU/UK data-centre providers | Platform hosting and disaster recovery |
| Tax authority | HM Revenue & Customs | Gambling-duty and tax reporting |
| Group companies | Bally's Corporation entities | Internal admin, M Club loyalty programme |
How Your Data Is Protected
Virgin Games Casino applies layered technical and organisational controls to keep personal data safe in line with the UK GDPR's "security of processing" principle (Article 32). Controls are reviewed regularly as part of UKGC technical compliance and are tested by independent assessors. Any personal-data breach that is likely to result in a risk to players' rights is reported to the ICO within 72 hours of discovery, as required by law.
TLS Encryption
256-bit encryption on all data in transit
Access Controls
Role-based access, multi-factor auth for staff
UK/EU Hosting
Data centres inside UK GDPR jurisdiction
Pseudonymisation
Game suppliers see player IDs, not names
Breach Reporting
ICO notification within 72 hours where required
Staff Training
Annual data-protection and AML training
Our Privacy Commitments
Personal data is processed under the seven UK GDPR principles — lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. The list below summarises how those principles translate into day-to-day promises to UK players.
-
✓
No data sales — your personal information is never sold to advertisers or list brokers
-
✓
UK GDPR aligned — every lawful basis for processing is documented inside the account privacy notice
-
✓
Minimal data — only data required for licensing, payment, and safer gambling is collected
-
✓
UK-only platform — accounts are restricted to UK residents and data stays in the UK GDPR area
-
✓
Marketing opt-in — promotional emails and SMS only after an explicit, granular consent
-
✓
Human review — players can request a human re-review of any automated KYC or limits decision
-
✓
ICO escalation — full right to complain to the Information Commissioner's Office if unhappy with our response
Access & Submit a Data Request
Subject Access Requests (SARs), erasure requests, and any other UK GDPR rights are handled by the casino's data protection team via the registered account email. Always send the request from your registered email address so the team can verify your identity quickly.
If you cannot access the site, alternative mirror routes give you the same logged-in account and the same data-request workflow. Your privacy preferences and consent records follow your account across every entry point.
Privacy FAQ
Who is the data controller for Virgin Games Casino?
The data controller is Gamesys Operations Limited, the UK-licensed operating company within Bally's Corporation. The company holds UK Gambling Commission account number 38905 and is registered with the Information Commissioner's Office as a data controller for UK gambling services.
Why can't the casino delete my account immediately on request?
UK anti-money-laundering rules and UKGC licence conditions require licensed operators to retain identity, transaction, and safer-gambling records for at least five years after the customer relationship ends. The account can be closed and personal data restricted from active use straight away, but the underlying records must be archived for the regulatory period before full erasure.
How do I make a Subject Access Request?
Send a written request from your registered email address to the casino's data protection team via the in-product help centre. State that you want to exercise your right of access under the UK GDPR. The team will verify your identity and respond within one calendar month, free of charge.
Is my data ever transferred outside the UK?
Primary processing and hosting take place inside the UK and EEA, both of which are covered by UK GDPR adequacy decisions. Any onward transfer to a third country (for example, group support functions) is protected by a UK International Data Transfer Agreement or equivalent safeguard under UK GDPR Article 46.
How do I stop marketing emails?
Open your account, go to communication preferences, and switch off email and SMS marketing. You can also click "unsubscribe" at the bottom of any marketing email. Transactional messages (security alerts, withdrawal confirmations, regulatory notices) will still be sent because they are not marketing.
What happens if there is a data breach?
Any personal-data breach is investigated immediately by the data protection team. If the breach is likely to result in a risk to your rights and freedoms, it is reported to the Information Commissioner's Office within 72 hours. Where the risk is high, the affected players are also notified directly without undue delay.
Can I complain to the regulator if I am unhappy with the response?
Yes. The Information Commissioner's Office (ICO) is the independent UK regulator for data protection and accepts complaints directly from individuals. Complaints about gambling licence conduct (rather than data protection) can additionally be raised with the UK Gambling Commission once the casino's internal complaints process is exhausted.
Does the casino use automated decision-making?
Limited automated decisions are used to detect fraud, apply safer-gambling triggers, and run electronic age and identity verification at sign-up. Players have the right under UK GDPR Article 22 to ask for human review of any decision that has a significant effect on them — for example, an automatic account suspension or a withdrawal hold.
Play With Confidence at Virgin Games Casino
Your data is protected by UK GDPR, the Data Protection Act 2018, and UKGC oversight. Join thousands of UK players who trust a licensed operator with their personal information.