Playing Wanted Dead Or a Wild Slot means submitting personal data. This document details exactly how long we keep it, the rationale, and what technical protections support each category—all based on UK GDPR, the Data Protection Act 2018, and PCI DSS. We manage identity documents, financial transactions, gameplay telemetry, responsible gambling markers, and marketing consents, each with its specific retention clock. Identity records are kept for five years after account closure. Financial logs stay for seven, matching HMRC requirements. Gameplay data receives 24 months before anonymisation is applied. Full card numbers never touch our systems—only tokenised aliases—and every byte is encrypted. Independent auditors check our automated deletion routines, and any schedule slip activates a full incident response. A version-controlled policy log documents every edit, and we give you 30 days’ notice before material changes take effect. Subject access and deletion requests are processed within statutory deadlines.
Policy Evaluation and Breach Notification Protocols
We evaluate this policy every six months or upon material change to the game or regulation. Reviews are minuted with DPO, CISO, and legal counsel. A public summary is posted in our privacy centre, minus confidential details. Material changes are communicated 30 days ahead. Minor edits are silently recorded. If a breach occurs affecting data under this policy, we alert affected individuals within 72 hours if high risk, submit with the ICO, and issue a transparency notice. Third-party processor breaches must follow the same protocol. We hold a breach notification log audited quarterly. Post-incident reviews update controls as needed. Biannual tabletop exercises test misconfigurations and ransomware to test our response.
Policy Version Control and Change Log
We keep a version-controlled history of this policy with semantic versioning and plain-English summaries of each change. The log outlines exactly which sections changed and why. Previous versions remain accessible for comparison, so you can see precisely what was added or removed. Material modifications affecting your rights are conveyed via email at least thirty days in advance. Minor typographical fixes are deployed silently but still recorded. Each entry is cryptographically signed to prove integrity, and annual independent audits confirm the log’s accuracy. The log is a living document reflecting our evolving data practices. You can retrieve the full change log through a link in our privacy centre at any time. This transparent approach demonstrates our commitment to accountable data governance.
Marketing Consent and Communication Logs
We store your consent document—with time stamp, IP-marked, and method-captured—for the entirety of our relationship plus six years after cancellation, to meet PECR obligations. Delivery logs for electronic messages, push alerts, and SMS are held for only thirteen months. Cancelling consent immediately blocks communications while keeping historical proof. A partitioned database ensures suppression without delay, and consent logs are stored in a dedicated compliance archive. Send logs hold metadata only—heading, timestamp, status—not full message text. The six-year post-withdrawal timeframe reflects the statute of limitations for regulatory investigations. Quarterly audits confirm no expired consents activate mailings. We never tailor offers with gameplay or financial data beyond explicit authorisations.
Fundamental Definitions and Scope of Personal Data
We take a broad view on what qualifies as personal data. Direct identifiers—name, email, billing address, masked payment details—coexist with indirect signals like hashed IP addresses, device fingerprints, browser agents, and advertising tokens. Behavioural data includes session length, bet sizing, spin velocity, and how often feature triggers fire. Even pseudonymised logs can re-identify a person when stitched together, so we regard them as personal. Our lawful bases are contractual necessity, legitimate interest for fraud prevention, and explicit consent for game-related marketing. Full card numbers get tokenised before storage. We never collect special category data. Encryption and access controls apply uniformly, and retention rules span live databases, archives, and backups without exception. Each window starts ticking from the last activity or transaction date, spelled out below. We reassess definitions every six months to keep pace with regulatory guidance.
Session Gameplay and Behavioral Analytics Data
Every spin on Wanted Dead Or a Wild records reel positions, RNG seed, and net outcome with microsecond precision. We store these raw logs for twenty-four months, then compact them into an anonymous statistical digest utilized for game design. Session behavioural profiles—average bet, spin cadence, feature buy-ins—remain for the same 24-month window and are then deleted. Feature trigger heatmaps stay for 12 months before merging into a global model. RNG seed audit trails receive 36 months. Error diagnostics receive 90 days. No individual gameplay data feeds into credit or marketing profiling. All logs are encrypted and off-limits to marketing teams.
- Spin-level logs: 24 months from event date, then aggregated aggregation
- Session behavioural profiles: 24 months from last session, then deleted
- RNG seed audit trails: 36 months to satisfy technical standards
- Feature trigger heatmaps: 12 months, then integrated into global model
- Error and crash diagnostic logs: 90 days, then removed
Responsible Gambling and Player Ban Registers
Betting limits, reality checks, and timeout settings are stored for your account’s whole period and never deleted while it remains active. If you choose to ban yourself, your hashed identity and device fingerprints enter a dedicated exclusion register maintained without time limit under UKGC licence requirements. The register is coded separately, accessed only at login or registration, and never utilized for analytics. Permission is limited to trained compliance staff, and all lookups are tracked for three years. The register stores only identity blocks—no banking or gameplay records. We review it annually to correct errors and remove deceased individuals. Apart from that, it is kept everlasting. This retention is required and free from deletion requests.
Session Awareness and Play Time Restriction Enforcement
Reality check counters use short-lived session counters that restart every 24 hours, restarting from your first spin after midnight. Your preferred interval—say, 30 minutes—is saved persistently and automatically reactivates when you visit again, even after a long break. Altering the interval mid-session sets the new value right away for the next reminder. These settings are removed only upon confirmed account deletion. Session timer data lies in a specialized, encrypted store separate from gameplay analytics. The 24-hour counter is based on play start, not midnight, for correctness. All timer configurations are verifiable through the same three-year access log standard. We do not analyze or promote based on these settings.
Monetary Transaction and Billing Records
Deposit, withdrawal, and wager records are maintained for seven years from the transaction date, per HMRC and FCA rules. We do not store full PANs or CVVs. We capture only the BIN, last four digits, and a tokenised alias. Chargeback disputes halt the contested record until final settlement, after which the seven-year clock resumes. Data is partitioned quarterly so automated purging runs cleanly, with monthly deletion runs audited by auditors. Tokenised card references are valid only while your account is open and are wiped within thirty days of closure. Summarised, anonymised totals endure for financial reporting without any personal identifiers. All financial data is encrypted and isolated from marketing systems.
Secured Payment Instruments and Processor References
Payment gateways generate vaulted tokens that associate your card to a non-sensitive alias. We hold them for the account lifetime plus a thirty-day grace period, then issue deletion commands to the processor and erase our own mapping. The only remnant left behind is an anonymised transaction hash used in aggregate statements, themselves purged after seven years. No usable credentials ever sit on our systems. We monitor token revocation daily and initiate incidents if deletion does not work. Tokens are tied to our merchant code and cannot be used in other contexts. Weekly reconciliation validates validity, and tokens tied to lost or stolen cards are cancelled immediately. All token operations are recorded and auditable. Aggregate reports never expose individual transaction hashes.
Access Request and Erasure Workflows
When a subject access request arrives, we generate a organized JSON/CSV export of all non-purged data within one month, prolongable by two months for complex cases. The export includes live databases, encrypted archives, and processor tokens, delivered via a one-time secure link that expires in 72 hours. For deletion, we proceed sequentially: immediate account suppression and token revocation, then queued erasure of all personal data not subject to legal hold. We generate a confirmation report specifying erased versus retained categories and their justifications. This report is maintained as auditable proof for as long as the longest surviving data category. All requests are documented immutably for five years.
Account Registration and ID Verification Data
Main identity data—official ID scans, residence proof, biometric selfie matches—are held for five years after your last session or account termination, whichever is later. This covers contractual limitation periods and AML obligations. We retrieve only the essentials: ID number, validity, citizenship. The high-resolution image gets destroyed upon extraction. Once the five-year period pass, all source data is removed, but a cryptographic hash of the verification data lives on for another two years inside an audit trail. Identification data sits stored encrypted with AES-256-GCM, isolated from analytics, and every access is recorded for three years. Optional fields like birth location are discarded at verification stage to reduce the data size. Annual reviews ensure precision and automatically remove expired entries.
File Upload and Biometric Data Processing
Submit an ID through our secure portal and automatic verification completes within 90 seconds https://wanteddeadorwild.uk. We retrieve the ID number, expiry, nationality, and a trust score, then shred the original image instantly—it never reaches storage. The initial file stays in an in-memory buffer and is removed after processing. A compressed, marked small image is created for compliance purposes and kept only for the ID lifecycle. That preview lives in a immutable vault with rigorous controls and is never exposed to support staff. Retrieved data are encoded and saved for the five-year-plus-two hash window. All processing runs on UK-based ISO 27001 servers, and every preview retrieval is logged permanently.
Specifics of Biometric Data
Liveness verifications record a quick video entirely in memory. Video frames are processed and discarded within milliseconds. Only a mathematical vector of face features survives. This data set lacks any image data and cannot be reconstructed into a picture. It stays for the duration of identity verification and is purged irrevocably upon account closure or after five years. The numerical representation sits in a dedicated HSM with self-expiry and is never exported. Login verifications happen inside the HSM’s safe environment without disclosing the raw vector. The numerical representation is bound to a pseudonymous identifier separated from advertising profiles, which makes reidentification extremely difficult. Even system admins are unable to view or recreate face characteristics from the kept numerical representation.
Technology Framework and Data Residency
All data sits in UK-based ISO 27001 Tier III+ data centres, never replicated outside the UK. A hot disaster recovery site in a separate UK zone syncs every six hours. Backups are encrypted client-side and maintain identical retention rules. We apply least privilege with hardware MFA for administrators, recording their sessions in an immutable three-year audit trail. Multi-factor authentication integrates a hardware token and biometric check. Penetration tests occur quarterly, and an independent auditor verifies automated purge schedules. Any deviation raises a Severity 1 incident, notified to our DPO within four hours. We also operate an air-gapped backup rotated weekly, following the same deletion policies.
Encryption Key Lifecycle Management
Master keys change every 90 days automatically inside an HSM. New keys are not extracted in plaintext. Rotated keys are archived for the data’s retention period plus 12 months for lawful forensic access. When a data category is purged, its key is removed inside the HSM, making any backups unrecoverable. We link each key to a single data partition, avoid reuse, and conduct quarterly witnessed key ceremonies logged immutably for five years. The offline archive of old keys demands dual control and is stored on write-once media in a fireproof safe. Annual recovery drills confirm forensic decryption works when needed. No plaintext key material ever exits the HSM boundary.