Information Retention Policy for Wanted Dead Or a Wild Slot Game in the United Kingdom
Playing Wanted Dead Or A Wild Slot means handing over personal data. This document lays out exactly how long we keep it, the reasons, and what technical protections underpin each category, all based on UK GDPR, the Data Protection Act 2018, and PCI DSS. We process identity documents, financial transactions, gameplay telemetry, responsible gambling markers, and marketing consents, each with its own retention clock. Identity records are kept for five years after account closure. Financial logs stay for seven, matching HMRC requirements. Gameplay data is kept for 24 months before anonymisation takes effect. Full card numbers never reach our systems, only tokenised aliases, and every byte is secured. Independent auditors review our automated deletion routines, and any schedule slip triggers a full incident response. A version-controlled policy log records every edit, and we give you 30 days' notice before material changes take effect. Subject access and deletion requests are handled within statutory deadlines.
Infrastructure Setup and Data Storage
All data resides in UK-based ISO 27001 Tier III+ data centres and is not copied outside the UK. A hot disaster recovery site in a separate UK zone updates every six hours. Backups are encrypted client-side and adhere to identical retention rules. We enforce least privilege with hardware MFA for administrators, logging their sessions in an immutable three-year audit trail. Multi-factor authentication combines a hardware token and a biometric check. Penetration tests occur quarterly, and an independent auditor verifies automated purge schedules. Any deviation raises a Severity 1 incident, reported to our DPO within four hours. We also maintain an air-gapped backup rotated weekly, subject to the same deletion policies.
Key Lifecycle Administration
Master keys are rotated automatically every 90 days inside an HSM. New keys are held in plaintext only inside the HSM. Rotated keys are archived for the data's retention period plus 12 months for lawful forensic access. When a data category is purged, its key is deleted inside the HSM, making any backups unrecoverable. We assign each key to a single data partition, never reuse keys, and conduct quarterly witnessed key ceremonies logged immutably for five years. The offline archive of old keys requires dual control and is stored on write-once media in a fireproof safe. Annual recovery drills confirm forensic decryption works when needed. No plaintext key material ever exits the HSM boundary.
Responsible Gambling and Voluntary Exclusion Registers
Stake limits, time checks, and timeout settings are saved for your account's lifetime and never purged while it stays active. If you opt for self-exclusion, your hashed identity and device fingerprints are placed into a dedicated exclusion register kept permanently under UKGC licence requirements. The register is secured separately, checked only at login or registration, and never used for analytics. Access is restricted to trained compliance staff, and all lookups are logged for three years. The register holds only identity blocks, with no banking or gameplay records. We check it annually to fix errors and remove deceased individuals. Otherwise, entries are retained indefinitely. This retention is required and exempt from deletion requests.
Session Awareness and Play Time Restriction Enforcement
Reality check timers use transient session counters that restart every 24 hours, beginning again from your first spin after midnight. Your preferred interval (say, 30 minutes) is stored persistently and reactivates automatically when you come back, even after a long break. Modifying the interval mid-session applies the new value instantly for the next reminder. These settings are removed only upon validated account deletion. Session timer data sits in a dedicated, encrypted store separate from gameplay analytics. The 24-hour counter is based on play start, not midnight, for correctness. All timer configurations are auditable through the same three-year access log standard. We never profile or market based on these settings.
SAR and Deletion Processes

Upon receiving a SAR, we generate a structured JSON/CSV export of all non-purged data within one month, extendable by two months for complex cases. The export covers live databases, encrypted archives, and processor tokens, and is sent via a one-time secure link that expires in 72 hours. For deletion, we cascade: immediate account suppression and token revocation, then scheduled erasure of all personal data not subject to legal hold. We create a confirmation report specifying erased versus retained categories and their justifications. This report is kept as auditable proof for as long as the longest surviving data category. All requests are recorded immutably for five years.
Registration Account and Verification of Identity Data
Main identity data (government ID scans, address verification, selfie biometric matches) is retained for a five-year period after your last session or account termination, whichever is later. This covers contractual time limits and anti-money laundering responsibilities. We extract only the essentials: ID number, expiration date, citizenship. The original image is deleted upon extraction. Once five years pass, all raw data is erased, but an encrypted hash of the verification result persists for another two years inside an audit log. Personal identity information is stored encrypted with AES-256-GCM, isolated from analytics, and every data access is tracked for 3 years. Optional fields like birth location are deleted at verification time to minimise the data held. Annual reviews confirm correctness and automatically remove expired data.
File Upload and Biometric Handling
When you provide an ID through our protected portal, automated validation completes within ninety seconds. We pull the document number, expiration date, nationality, and a reliability score, then delete the high-resolution image immediately; it is never stored on disk. The initial file stays in temporary memory and vanishes after analysis. A reduced, watermarked small image is produced for audit purposes and retained only for the identity verification period. That small image lives in an immutable vault with tight controls and is never exposed to support staff. Extracted fields are encrypted and stored for the five-year plus two-year hash timeframe. All processing runs on ISO 27001 servers in the UK, and every small image access is logged permanently.
Biometric Data Specifics
Liveness checks capture a short video stream entirely in memory. Video frames are analysed and removed within milliseconds. Only a mathematical vector of face features survives. This numerical representation lacks any image data and cannot be reverse-engineered into a face. It is kept for the identity verification period and is irreversibly removed upon account closure or after 5 years. The vector sits in a specialised HSM with automatic expiration and is never sent out. Login comparisons happen inside the HSM's secure environment without exposing the raw vector. The vector is associated with a pseudonymous identifier unlinked from marketing profiles, which makes re-identification highly challenging. Even IT admins cannot view or reconstruct facial attributes from the saved data.
Financial Transaction and Payment Records
Deposit, withdrawal, and wager records are retained for seven years from the transaction date, per HMRC and FCA rules. We never store full PANs or CVVs. We record only the BIN, last four digits, and a tokenised reference. Chargeback disputes freeze the contested record until final outcome, after which the seven-year clock continues. Data is partitioned quarterly so automated purging runs cleanly, with monthly deletion runs verified by auditors. Tokenised card references are valid only while your account is active and are deleted within thirty days of termination. Summarised, anonymised totals persist for financial reporting without any personal information. All financial data is secured and quarantined from marketing systems.
Tokenised Payment Instruments and Processor References
Payment gateways produce vaulted tokens that map your card to a non-sensitive reference. We hold them for the account lifetime plus a thirty-day grace period, then issue deletion commands to the processor and clear our own reference. The only remnant left behind is an anonymised transaction hash used in aggregate statements, themselves deleted after seven years. No usable credentials ever exist on our systems. We check token revocation daily and raise incidents if deletion fails. Tokens are bound to our merchant code and cannot be used elsewhere. Weekly reconciliation confirms validity, and tokens tied to lost or stolen cards are cancelled immediately. All token operations are recorded and checked. Aggregate reports never disclose individual transaction hashes.
Consent for Marketing and Message Logs
We maintain your consent record (time-stamped, IP-marked, and method-recorded) for the duration of our relationship plus six years after cancellation, to meet PECR rules. Send logs for electronic messages, push alerts, and SMS are retained for only thirteen months. Cancelling consent instantly blocks communications while preserving historical proof. A segmented database ensures suppression without delay, and consent logs are held in a distinct compliance archive. Dispatch records contain metadata only (subject, time stamp, status), not the full message body. The six-year post-withdrawal period mirrors the statute of limitations for regulatory inquiries. Quarterly audits check that no expired consents trigger mailings. We never tailor offers with gameplay or financial data beyond explicit permissions.
Session Gameplay and Analytics of Behavior Data
Each spin on Wanted Dead Or a Wild records reel positions, RNG seed, and net outcome with microsecond precision. We retain these raw logs for twenty-four months, then compress them into an anonymous statistical digest used for game design. Session behavioural profiles (average bet, spin cadence, feature buy-ins) persist for the same 24-month window and are then deleted. Feature trigger heatmaps remain for 12 months before merging into a global model. RNG seed audit trails are kept for 36 months. Error diagnostics are kept for 90 days. No individual gameplay data feeds into credit or marketing profiling. All logs are encrypted and off-limits to marketing teams.
- Spin-level logs: 24 months from event date, then aggregated
- Session behavioural profiles: 24 months from last session, then removed
- RNG seed audit trails: 36 months to meet technical standards
- Feature trigger heatmaps: 12 months, then combined into global model
- Error and crash diagnostic logs: 90 days, then removed
Core Definitions and Range of Personal Data
We cast a wide net on what counts as personal data. Direct identifiers—name, email, billing address, masked payment details—are accompanied by indirect signals like hashed IP addresses, device fingerprints, browser agents, and advertising tokens. Behavioural data covers session length, bet sizing, spin velocity, and how often feature triggers fire. Even pseudonymised logs can link back to a person when stitched together, so we regard them as personal. Our lawful bases are contractual necessity, legitimate interest for fraud prevention, and explicit consent for game-related marketing. Full card numbers get tokenised before storage. We never collect special category data. Encryption and access controls apply uniformly, and retention rules cover live databases, archives, and backups without exception. Each window commences from the last activity or transaction date, spelled out below. We reassess definitions every six months to remain compliant with regulatory guidance.
Policy Evaluation and Incident Reporting Protocols
We review this policy every six months or upon material change to the game or regulation. Reviews are minuted with DPO, CISO, and legal counsel. A public summary is published in our privacy centre, minus confidential details. Material changes are emailed 30 days ahead. Minor edits are silently recorded. If a breach occurs affecting data under this policy, we alert affected individuals within 72 hours if high risk, file a report with the ICO, and publish a transparency notice. Third-party processor breaches must follow the same protocol. We maintain a breach notification log audited quarterly. Post-incident reviews revise controls as needed. Biannual tabletop exercises simulate misconfigurations and ransomware to test our response.
Policy Versioning and Change Log

We preserve a version-controlled history of this policy with semantic versioning and plain-English summaries of each change. The log outlines exactly which sections changed and why. Previous versions remain accessible for comparison, so you can see precisely what was added or removed. Material modifications affecting your rights are conveyed via email at least thirty days in advance. Minor typographical fixes are deployed silently but still recorded. Each entry is cryptographically signed to prove integrity, and annual independent audits check the log’s accuracy. The log is a living document reflecting our evolving data practices. You can view the full change log through a link in our privacy centre at any time. This transparent approach demonstrates our commitment to accountable data governance.
