Play

Privacy Policy

Data Protection Controls Coverage

Categories of Personal Data Collected

Data Table 1
CategoryExampleLegal Basis
IdentityName, DOB, addressContract + AML law
ContactE-mail, phoneContract
FinancialPayment tokens, redemption bankContract + AML
Play behaviourSession logs, bet historyLegitimate interest
DeviceIP, browser fingerprint, OSFraud prevention
KYC docsID scan, proof-of-addressLegal obligation

Data Retention Periods

Data Table 2
Data SetRetentionTrigger for Deletion
Session logs13 monthsRolling window
Bet history7 yearsAML archive requirement
KYC documents7 years post-closureAML archive requirement
Marketing preferencesUntil unsubscribeUser action
Support transcripts24 monthsRolling window
Closed-account skeletonIndefinite (name + last login)Fraud prevention

Privacy Framework Overview

The Chumba Casino privacy framework has been rebuilt to align with both Canada's federal Personal Information Protection and Electronic Documents Act and the emerging provincial privacy statutes that Quebec, Ontario and British Columbia have each advanced during the last legislative cycle. The data-protection controls radar above scores the operator's current implementation against a mature-industry benchmark on six axes: encryption, consent, minimisation, retention, portability and breach readiness.

Personal data collected during play falls into six categories, each with a distinct legal basis and retention window. Identity, contact and financial data are collected under the contract signed at registration and preserved for the seven-year window required by anti-money-laundering statutes. Play behaviour and device data are collected under legitimate-interest grounds for fraud prevention and are pruned on a rolling thirteen-month cycle so that stale profiling material does not accumulate.

Members can exercise the full spectrum of privacy rights — access, correction, deletion, portability and objection — through the privacy portal linked from the account menu. Requests are processed by a named privacy officer within the thirty-day statutory window, and most are resolved inside a week. Where a deletion request conflicts with an AML retention obligation the operator will always explain the conflict in writing and apply the narrowest possible carve-out.