Privacy Policy
Data Protection Controls Coverage
Categories of Personal Data Collected
| Category | Example | Legal Basis |
|---|---|---|
| Identity | Name, DOB, address | Contract + AML law |
| Contact | E-mail, phone | Contract |
| Financial | Payment tokens, redemption bank | Contract + AML |
| Play behaviour | Session logs, bet history | Legitimate interest |
| Device | IP, browser fingerprint, OS | Fraud prevention |
| KYC docs | ID scan, proof-of-address | Legal obligation |
Data Retention Periods
| Data Set | Retention | Trigger for Deletion |
|---|---|---|
| Session logs | 13 months | Rolling window |
| Bet history | 7 years | AML archive requirement |
| KYC documents | 7 years post-closure | AML archive requirement |
| Marketing preferences | Until unsubscribe | User action |
| Support transcripts | 24 months | Rolling window |
| Closed-account skeleton | Indefinite (name + last login) | Fraud prevention |
Privacy Framework Overview
The Chumba Casino privacy framework has been rebuilt to align with both Canada's federal Personal Information Protection and Electronic Documents Act and the emerging provincial privacy statutes that Quebec, Ontario and British Columbia have each advanced during the last legislative cycle. The data-protection controls radar above scores the operator's current implementation against a mature-industry benchmark on six axes: encryption, consent, minimisation, retention, portability and breach readiness.
Personal data collected during play falls into six categories, each with a distinct legal basis and retention window. Identity, contact and financial data are collected under the contract signed at registration and preserved for the seven-year window required by anti-money-laundering statutes. Play behaviour and device data are collected under legitimate-interest grounds for fraud prevention and are pruned on a rolling thirteen-month cycle so that stale profiling material does not accumulate.
Members can exercise the full spectrum of privacy rights — access, correction, deletion, portability and objection — through the privacy portal linked from the account menu. Requests are processed by a named privacy officer within the thirty-day statutory window, and most are resolved inside a week. Where a deletion request conflicts with an AML retention obligation the operator will always explain the conflict in writing and apply the narrowest possible carve-out.