Playing Wanted Dead Or a Wild Slot game means handing over personal data. This document sets forth exactly how long we retain it, the rationale, and what technical protections support each category—all based on UK GDPR, the Data Protection Act 2018, and PCI DSS. We manage identity documents, financial transactions, gameplay telemetry, responsible gambling markers, and marketing consents, each with its own retention clock. Identity records are retained for five years after account closure. Financial logs remain for seven, meeting HMRC requirements. Gameplay data receives 24 months before anonymisation takes effect. Full card numbers never reach our systems—only tokenised aliases—and every byte is encrypted. Independent auditors check our automated deletion routines, and any schedule slip activates a full incident response. A version-controlled policy log records every edit, and we offer you 30 days’ notice before material changes become effective. Subject access and deletion requests are processed within statutory deadlines.
Monetary Transaction and Billing Records
Funding, withdrawal, and wager logs are retained for seven years from the transaction date, per HMRC and FCA rules https://wanteddeadorwild.uk/. We never store full PANs or CVVs. We record only the BIN, last four digits, and a tokenised reference. Chargeback disputes halt the contested record until final outcome, after which the seven-year clock resumes. Data is partitioned quarterly so automated purging works cleanly, with monthly deletion runs audited by auditors. Tokenised card references remain valid only while your account is live and are deleted within thirty days of termination. Combined, anonymised totals endure for financial reporting without any personal information. All financial data is secured and isolated from marketing systems.
Tokenised Payment Instruments and Processor References
Payment gateways produce vaulted tokens that map your card to a non-sensitive identifier. We hold them for the account lifetime plus a thirty-day grace window, then transmit deletion commands to the processor and erase our own link. The only evidence left behind is an anonymised transaction hash used in aggregate reports, themselves purged after seven years. No usable credentials ever exist on our systems. We track token revocation daily and trigger incidents if deletion is unsuccessful. Tokens are bound to our merchant code and cannot be used in other contexts. Weekly reconciliation validates validity, and tokens tied to lost or stolen cards are revoked immediately. All token operations are logged and checked. Aggregate reports never reveal individual transaction hashes.
User Account and ID Verification Data
Core identity profiles—official ID scans, address verification, selfie biometric matches—are kept for a five-year period after your last activity or account closure, whichever is later. This includes statutory limitation periods and anti-money laundering duties. We extract only the essentials: document ID, expiration date, nationality. The original image gets shredded immediately after extraction. Once 5 years pass, all original data is removed, but a hash of the verification data lives on for an additional two years inside an logging system. Identification data sits encrypted in storage with AES-256-GCM, isolated from analytics, and every retrieval is tracked for a three-year period. Optional fields like place of birth are deleted at the time of verification to reduce the data footprint. Yearly reviews confirm correctness and proactively delete expired data.
Document Upload and Biometric Data Processing
Upload an ID through our secure portal and automated checking completes within 90 seconds. We retrieve the document ID, expiry, country of citizenship, and a confidence score, then delete the high-resolution image immediately—it never reaches storage. The original file stays in an memory buffer and vanishes after handling. A compressed, stamped small image is generated for audit purposes and retained only for the ID lifecycle. That preview lives in a write-once storage with tight controls and is never exposed to client support. Extracted fields are encoded and kept for the five-year-plus-two hash window. All processing runs on UK-based ISO 27001 servers, and every preview retrieval is recorded immutably.
Biometric Information Details
Liveness verifications capture a brief video feed solely in memory. Images are analyzed and removed within milliseconds of time. Only a mathematical vector of face features remains. This vector lacks any image data and cannot be turned back into a face. It is kept for the time of identity verification and is permanently deleted upon account closure or after a five-year period. The data set sits in a specialized HSM with auto-expiry and is never sent out. Login verifications happen inside the HSM’s safe environment without exposing the unprocessed data. The data set is associated with a anonymous identifier unlinked from advertising profiles, which makes re-identification highly challenging. Even IT admins cannot view or reconstruct face characteristics from the saved data.
SAR and Deletion Processes
When an SAR lands, we produce a structured JSON/CSV export of all non-purged data within one month, prolongable by two months for complex cases. The export includes live databases, encrypted archives, and processor tokens, sent via a one-time secure link that expires in 72 hours. For deletion, we implement a cascade: immediate account suppression and token revocation, then queued erasure of all personal data not subject to legal hold. We create a confirmation report outlining erased versus retained categories and their justifications. This report is kept as auditable proof for as long as the longest surviving data category. All requests are recorded immutably for five years.
Marketing Approval and Message Logs
We store your consent record—time-stamped, IP-stamped, and method-recorded—for the life of our relationship plus six years after revocation, to satisfy PECR rules. Send logs for e-mails, push alerts, and SMS are held for only thirteen months. Withdrawing consent instantly suppresses communications while keeping historical proof. A divided database ensures suppression without delay, and consent logs are held in a distinct compliance archive. Send logs contain metadata only—topic, time stamp, condition—not full message text. The six-year post-withdrawal period reflects the statute of limitations for regulatory investigations. Quarterly audits verify no expired consents activate mailings. We never personalise offers with gameplay or financial data beyond explicit authorisations.
Gaming Session and Analytics of Behavior Data
All spins on Wanted Dead Or a Wild records reel positions, RNG seed, and net outcome with microsecond precision. We retain these raw logs for twenty-four months, then condense them into an anonymous statistical digest utilized for game design. Session behavioural profiles—average bet, spin cadence, feature buy-ins—stay for the same 24-month window and are then deleted. Feature trigger heatmaps persist for 12 months before merging into a global model. RNG seed audit trails receive 36 months. Error diagnostics get 90 days. No individual gameplay data flows into credit or marketing profiling. All logs are encrypted and off-limits to marketing teams.
- Spin-level logs: 24 months from event date, then anonymized aggregation
- Session behavioural profiles: 24 months from last session, then erased
- RNG seed audit trails: 36 months to comply with technical standards
- Feature trigger heatmaps: 12 months, then merged into global model
- Error and crash diagnostic logs: 90 days, then rotated out
Technology Framework and Data Residency
All data is stored in UK-based ISO 27001 Tier III+ data centres, never replicated outside the UK. A hot disaster recovery site in a separate UK zone syncs every six hours. Backups are encrypted client-side and adhere to identical retention rules. We enforce least privilege with hardware MFA for administrators, recording their sessions in an immutable three-year audit trail. Multi-factor authentication combines a hardware token and biometric check. Penetration tests occur quarterly, and an independent auditor verifies automated purge schedules. Any deviation generates a Severity 1 incident, alerted to our DPO within four hours. We also operate an air-gapped backup rotated weekly, under the same deletion policies.
Management of Encryption Keys
Master keys rotate every 90 days automatically inside an HSM. New keys are not extracted in plaintext. Rotated keys are stored for the data’s retention period plus 12 months for lawful forensic access. When a data category is purged, its key is removed inside the HSM, making any backups unrecoverable. We assign each key to a single data partition, do not reuse, and conduct quarterly witnessed key ceremonies logged immutably for five years. The offline archive of old keys needs dual control and is stored on write-once media in a fireproof safe. Annual recovery drills ensure forensic decryption works when needed. No plaintext key material ever departs the HSM boundary.
Policy Evaluation and Data Breach Protocols
We evaluate this policy every six months or upon material change to the game or regulation. Reviews are recorded with DPO, CISO, and legal counsel. A public summary is displayed in our privacy centre, minus confidential details. Material changes are communicated 30 days ahead. Minor edits are silently recorded. If a breach occurs affecting data under this policy, we inform affected individuals within 72 hours if high risk, submit with the ICO, and publish a transparency notice. Third-party processor breaches must follow the same protocol. We keep a breach notification log audited quarterly. Post-incident reviews update controls as needed. Biannual tabletop exercises model misconfigurations and ransomware to test our response.
Policy Versioning and Change Log
We keep a version-controlled history of this policy with semantic versioning and plain-English summaries of each change. The log outlines exactly which sections changed and why. Previous versions remain accessible for comparison, so you can see precisely what was added or removed. Material modifications affecting your rights are communicated via email at least thirty days in advance. Minor typographical fixes are deployed silently but still recorded. Each entry is cryptographically signed to prove integrity, and annual independent audits confirm the log’s accuracy. The log is a living document reflecting our evolving data practices. You can retrieve the full change log through a link in our privacy centre at any time. This transparent approach demonstrates our commitment to accountable data governance.
Essential Definitions and Scope of Personal Data
We adopt a comprehensive approach on what qualifies as personal data. Direct identifiers—name, email, billing address, masked payment details—are accompanied by indirect signals like hashed IP addresses, device fingerprints, browser agents, and advertising tokens. Behavioural data includes session length, bet sizing, spin velocity, and how often feature triggers fire. Even pseudonymised logs can re-identify a person when stitched together, so we handle them as personal. Our lawful bases are contractual necessity, legitimate interest for fraud prevention, and explicit consent for game-related marketing. Full card numbers get tokenised before storage. We never collect special category data. Encryption and access controls apply uniformly, and retention rules cover live databases, archives, and backups without exception. Each window commences from the last activity or transaction date, spelled out below. We revisit definitions every six months to stay aligned with regulatory guidance.
Safe Gambling and Self-Exclusion Registers
Betting limits, reality checks, and timeout settings are stored for your account’s whole period and never purged while it stays active. If you choose to ban yourself, your hashed identity and device fingerprints are added to a specialized exclusion register kept permanently under UKGC licence requirements. The register is encrypted separately, queried only at login or registration, and never utilized for analytics. Permission is limited to educated compliance staff, and all searches are recorded for three years. The register holds only identity blocks—no banking or gameplay records. We examine it annually to fix errors and remove deceased individuals. Apart from that, it remains everlasting. This retention is required and exempt from deletion requests.
Reality Check and Session Limit Enforcement
Reality check timers use temporary session counters that restart every 24 hours, restarting from your first spin after midnight. Your selected interval—say, 30 minutes—is kept persistently and instantly reactivates when you return, even after a long break. Modifying the interval mid-session introduces the new value instantly for the next reminder. These settings are purged only upon verified account deletion. Session timer data resides in a specific, encrypted store separate from gameplay analytics. The 24-hour counter is based on play start, not midnight, for correctness. All timer configurations are verifiable through the same three-year access log standard. We never analyze or advertise based on these settings.
