Data processing statement

This statement expands on our shorter privacy summary. It is intended for Bally Casino online customers who want to understand logging practices, marketing segmentation boundaries, and how automated fraud tools interact with personal data under UK law.

Scope and definitions

“Personal data” means information relating to an identified or identifiable individual. “Processing” includes collection, storage, alteration, retrieval, disclosure, and deletion. This site’s controller details appear in regulatory filings linked from the footer.

Data categories in detail

Account and KYC

Identity documents, utility bills, and selfies may be processed with biometric templates where permitted solely for verification, not for advertising.

Transactional telemetry

We log IP addresses, device fingerprints, geolocation hints, and betting patterns to detect collusion, bonus abuse, and account takeover attempts.

Marketing segments

Where consent or soft opt-in applies, we may segment audiences by game preference or spend bands. We exclude individuals who self-exclude or unsubscribe, and we suppress conflicting signals before campaigns launch.

Legal bases in practice

Contractual processing covers account operation. Legal obligation covers regulatory reporting. Legitimate interests cover network security and service improvement, following balancing tests documented internally. Consent covers optional newsletters or push categories where required.

Where multiple bases could apply, we document the primary basis to avoid confusion during audits. Players receive concise explanations in privacy FAQs tied to common scenarios such as identity reverification after long inactivity.

Automated decision-making

Risk scores may trigger step-up verification or temporary holds. Significant decisions receive human review where the law demands. You may request meaningful information about the logic involved, subject to confidentiality constraints protecting security and other data subjects.

Processors and onward transfers

We maintain a register of subprocessors by function—hosting, email delivery, analytics, payments. Changes that materially affect you will be announced as required. Transfers outside the UK use approved mechanisms and supplementary measures when risk assessments call for them.

Copies of standard contractual clauses are available on request, subject to redactions that protect commercial confidentiality.

Retention nuances

Some logs expire automatically; others must persist for audit. Marketing suppression may outlive account deletion to honour your opt-out. Aggregated statistics may be kept indefinitely if no individual is identifiable.

Your rights and how to exercise them

Access, rectification, erasure, restriction, objection, and portability are available where statutory conditions are met. Respond to verification prompts promptly; delayed identity checks delay fulfilment. You may lodge complaints with supervisory authorities.

Breach notification

If a personal data breach risks your rights, we will notify regulators and affected individuals as required, describing likely impact and remedial steps without undue delay.

Post-incident reviews feed into vendor scorecards and internal training. Repeat failures by a processor trigger contract remedies or replacement, because your trust is not renewable indefinitely after sloppy handling.

Minors

Services are adult-only. Inadvertent collection triggers deletion and enhanced checks.

Updates

We revise this statement when products or laws change. Continued use after notice may imply acceptance of non-material edits; material changes receive prominent communication.

Archived versions may be available on request for individuals establishing historical processing facts relevant to disputes or regulatory questions.