Playing Wanted Dead Or a Wild Slot means submitting personal data wanteddeadorwild.uk. This document details exactly how long we retain it, the rationale, and what technical protections sit behind each category—all aligned with UK GDPR, the Data Protection Act 2018, and PCI DSS. We manage identity documents, financial transactions, gameplay telemetry, responsible gambling markers, and marketing consents, each with its own retention clock. Identity records are kept for five years after account closure. Financial logs stay for seven, matching HMRC requirements. Gameplay data gets 24 months before anonymisation is applied. Full card numbers never enter our systems—only tokenised aliases—and every byte is encrypted. Independent auditors check our automated deletion routines, and any schedule slip initiates a full incident response. A version-controlled policy log records every edit, and we give you 30 days’ notice before material changes are implemented. Subject access and deletion requests are processed within statutory deadlines.
SAR and Deletion Processes

Upon receiving an SAR, we produce a structured JSON/CSV export of all non-purged data within one month, expandable by two months for complex cases. The export spans live databases, encrypted archives, and processor tokens, delivered via a one-time secure link that expires in 72 hours. For deletion, we proceed sequentially: immediate account suppression and token revocation, then scheduled erasure of all personal data not subject to legal hold. We create a confirmation report outlining erased versus retained categories and their justifications. This report is retained as auditable proof for as long as the longest surviving data category. All requests are recorded immutably for five years.
Technical Infrastructure and Data Residency
All data sits in UK-based ISO 27001 Tier III+ data centres, not copied outside the UK. A hot disaster recovery site in a separate UK zone synchronizes every six hours. Backups are encrypted client-side and follow identical retention rules. We implement least privilege with hardware MFA for administrators, recording their sessions in an immutable three-year audit trail. Multi-factor authentication combines a hardware token and biometric check. Penetration tests are conducted quarterly, and an independent auditor validates automated purge schedules. Any deviation triggers a Severity 1 incident, notified to our DPO within four hours. We also operate an air-gapped backup rotated weekly, subject to the same deletion policies.
Management of Encryption Keys
Master keys change every 90 days automatically inside an HSM. New keys are not extracted in plaintext. Rotated keys are stored for the data’s retention period plus 12 months for lawful forensic access. When a data category is purged, its key is destroyed inside the HSM, making any backups unrecoverable. We link each key to a single data partition, do not reuse, and conduct quarterly witnessed key ceremonies logged immutably for five years. The offline archive of old keys demands dual control and is stored on write-once media in a fireproof safe. Annual recovery drills guarantee forensic decryption works when needed. No plaintext key material ever leaves the HSM boundary.
Fundamental Definitions and Scope of Personal Data
We adopt a comprehensive approach on what constitutes personal data. Direct identifiers—name, email, billing address, masked payment details—are accompanied by indirect signals like hashed IP addresses, device fingerprints, browser agents, and advertising tokens. Behavioural data includes session length, bet sizing, spin velocity, and how often feature triggers fire. Even pseudonymised logs can link back to a person when stitched together, so we treat them as personal. Our lawful bases are contractual necessity, legitimate interest for fraud prevention, and explicit consent for game-related marketing. Full card numbers get tokenised before storage. We never collect special category data. Encryption and access controls apply uniformly, and retention rules span live databases, archives, and backups without exception. Each window commences from the last activity or transaction date, spelled out below. We revisit definitions every six months to remain compliant with regulatory guidance.
Gameplay Session and Behavioral Analytics Data
Every spin on Wanted Dead Or a Wild tracks reel positions, RNG seed, and net outcome with microsecond precision. We keep these raw logs for twenty-four months, then compress them into an anonymous statistical digest utilized for game design. Session behavioural profiles—average bet, spin cadence, feature buy-ins—stay for the same 24-month window and are then deleted. Feature trigger heatmaps remain for 12 months before merging into a global model. RNG seed audit trails have 36 months. Error diagnostics have 90 days. No individual gameplay data flows into credit or marketing profiling. All logs are encrypted and off-limits to marketing teams.
- Spin-level logs: 24 months from event date, then anonymized aggregation
- Session behavioural profiles: 24 months from last session, then deleted
- RNG seed audit trails: 36 months to meet technical standards
- Feature trigger heatmaps: 12 months, then merged into global model
- Error and crash diagnostic logs: 90 days, then cycled out
Registration Account and ID Verification Data
Core identity profiles—scans of government IDs, residence proof, biometric selfie verifications—are kept for a five-year period after your last session or closure of account, whichever comes later. This encompasses contractual time limits and anti-money laundering duties. We retrieve only the necessary details: ID number, expiration date, country of citizenship. The original image gets destroyed right after extraction. Once the five-year period pass, all raw data is purged, but a cryptographic hash of the verification result remains for two more years inside an logging system. Personal identity information sits stored encrypted with AES-256-GCM, kept separate from analytics, and every data access is recorded for a three-year period. Unnecessary fields like birth location are removed at the time of verification to shrink the data size. Yearly reviews ensure correctness and actively purge outdated records.
Document Upload and Biometric Processing
Submit an ID through our protected portal and automated validation completes within a minute and a half. We retrieve the ID number, expiration date, nationality, and a confidence score, then shred the original image right away—it never touches disk. The original file stays in an temporary memory and vanishes after processing. A compacted, marked thumbnail is created for compliance purposes and kept only for the identity verification period. That small image lives in a immutable vault with rigorous controls and is never exposed to customer support. Collected information are secured and kept for the five-year plus two-year hash timeframe. All processing runs on servers in the UK with ISO 27001, and every preview retrieval is recorded immutably.
Biometric Data Specifics
Liveness verifications collect a brief video feed entirely in memory. Frames are analyzed and deleted within milliseconds. Only a mathematical vector of face features persists. This numerical representation has no image data and cannot be reverse-engineered into a picture. It is kept for the time of identity verification and is irreversibly removed upon account closure or after five years. The numerical representation sits in a specialized HSM with automatic expiration and is never exported. Authentication checks happen inside the HSM’s protected enclave without revealing the unprocessed data. The data set is associated with a anonymous identifier disconnected from marketing profiles, which makes re-identifying highly challenging. Even IT admins cannot see or recreate face characteristics from the kept numerical representation.
Responsible Gambling and Player Ban Registers
Betting limits, time checks, and timeout settings are saved for your account’s whole period and never removed while it stays active. If you opt for self-exclusion, your hashed identity and device fingerprints are added to a specialized exclusion register maintained without time limit under UKGC licence requirements. The register is secured separately, accessed only at login or registration, and never employed for analytics. Access is confined to qualified compliance staff, and all lookups are recorded for three years. The register stores only identity blocks—no monetary or gameplay records. We review it annually to correct errors and remove deceased individuals. Apart from that, it remains permanent. This retention is mandatory and excluded from deletion requests.
Time Check and Gaming Duration Enforcement
Reality check clocks use temporary session counters that clear every 24 hours, restarting from your first spin after midnight. Your selected interval—say, 30 minutes—is kept persistently and automatically reactivates when you come back, even after a long break. Altering the interval mid-session applies the new value immediately for the next reminder. These settings are deleted only upon validated account deletion. Session timer data lies in a specialized, encrypted store separate from gameplay analytics. The 24-hour counter is based on play start, not midnight, for correctness. All timer configurations are auditable through the same three-year access log standard. We do not profile or market based on these settings.
Monetary Transaction and Billing Records
Funding, withdrawal, and wager records are maintained for seven years from the transaction date, per HMRC and FCA rules. We never store full PANs or CVVs. We collect only the BIN, last four digits, and a tokenised alias. Chargeback disputes halt the contested record until final resolution, after which the seven-year clock resumes. Data is partitioned quarterly so automated purging runs cleanly, with monthly deletion runs checked by auditors. Tokenised card references stay valid only while your account is active and are erased within thirty days of termination. Aggregated, anonymised totals remain for financial reporting without any personal information. All financial data is coded and quarantined from marketing systems.
Tokenised Payment Instruments and Processor References
Payment gateways produce vaulted tokens that associate your card to a non-sensitive reference. We hold them for the account lifetime plus a thirty-day grace window, then send deletion commands to the processor and wipe our own reference. The only trace left behind is an anonymised transaction hash used in aggregate reports, themselves deleted after seven years. No usable credentials ever exist on our systems. We monitor token revocation daily and raise incidents if deletion does not work. Tokens are tied to our merchant code and cannot be used other places. Weekly reconciliation validates validity, and tokens tied to lost or stolen cards are cancelled immediately. All token operations are logged and verifiable. Aggregate reports never reveal individual transaction hashes.
Policy Review and Data Breach Protocols
We assess this policy every six months or upon material change to the game or regulation. Reviews are minuted with DPO, CISO, and legal counsel. A public summary is posted in our privacy centre, minus confidential details. Material changes are emailed 30 days ahead. Minor edits are silently recorded. If a breach occurs affecting data under this policy, we alert affected individuals within 72 hours if high risk, file with the ICO, and post a transparency notice. Third-party processor breaches must follow the same protocol. We hold a breach notification log audited quarterly. Post-incident reviews revise controls as needed. Biannual tabletop exercises simulate misconfigurations and ransomware to test our response.
Policy Version Control and Update Log
We maintain a version-controlled history of this policy with semantic versioning and plain-English summaries of each change. The log specifies exactly which sections changed and why. Previous versions remain accessible for comparison, so you can see precisely what was added or removed. Material modifications affecting your rights are communicated via email at least thirty days in advance. Minor typographical fixes are deployed silently but still recorded. Each entry is cryptographically signed to prove integrity, and annual independent audits check the log’s accuracy. The log is a living document reflecting our evolving data practices. You can access the full change log through a link in our privacy centre at any time. This transparent approach demonstrates our commitment to accountable data governance.
Marketing Approval and Message Logs
We maintain your consent log—timestamped, IP-marked, and method-captured—for the duration of our relationship plus six years after withdrawal, to meet PECR rules. Send logs for e-mails, push notifications, and SMS are retained for only thirteen months. Cancelling consent right away halts communications while preserving historical proof. A partitioned database guarantees suppression without lag, and consent logs are stored in a distinct compliance archive. Dispatch records hold metadata only—heading, timestamp, condition—not full message text. The six-year post-withdrawal period matches the statute of limitations for regulatory inquiries. Quarterly audits check no expired consents trigger mailings. We never tailor offers with gameplay or financial data beyond explicit permissions.
