Winspirit

Privacy Policy

This policy explains how Winspirit Casino collects, uses, stores and discloses personal information about Australian players. It is structured around the Australian Privacy Act 1988 and the 13 Australian Privacy Principles ("APPs") that sit beneath it. Where an APP is directly relevant, the section is labelled.


This policy was last reviewed on 2026-05-20.

1. Who We Are and What This Covers (APP 1 — Open and Transparent Management)

Winspirit Casino is operated by the licensed entity disclosed in our Terms & Conditions, section 1.2. This policy applies to all personal information we collect through our website, mobile PWA, customer-support channels and email communications.


We make this policy available without requiring login, in plain English, and we date the most recent review at the top.

2. What Personal Information We Collect (APP 3 — Collection of Solicited Information)

We collect only what we need to operate the platform, meet our licensing obligations, and serve you as a punter. Specifically:

  • Identity: full name, date of birth, residential address, nationality.

  • Contact: email, mobile number.

  • Verification: government photo ID, proof of address, payment-method screenshots (KYC, see Section 4).

  • Financial: deposit and withdrawal history, payment-rail metadata (PayID alias, last 4 digits of cards, crypto receive address).

  • Gameplay: bets, wins, losses, time-on-site, session events, RG-tool settings.

  • Technical: IP address, device type, browser, language, anonymised location at city level.

  • Communications: support tickets, live-chat transcripts, email correspondence.

We do not collect: health information, biometric templates (Face ID stays on your device), political opinions, religious beliefs, or sexual orientation. Where such information is incidentally provided in a free-text chat message, it is deleted at the next review cycle.

3. Anonymity and Pseudonymity (APP 2)

Anonymous play is not possible. Australian and Curacao licensing requires identified accounts. Where you contact us with a general enquiry that does not involve account access — for example, asking about a published feature — you may do so without identifying yourself, and we will respond without requesting identity unless the answer requires it.

4. How and Why We Use Your Information (APP 6 — Use or Disclosure)

We use the information above for the following purposes, and only these:

  1. Account operation: signup, login, balance, gameplay.

  2. KYC and AML compliance: verifying you are who you say, age 18+, and not on a sanctions list.

  3. Payments: processing deposits and withdrawals.

  4. Responsible gambling: enforcing the limits and self-exclusions you set.

  5. Customer support: resolving your issues.

  6. Fraud prevention: detecting multi-accounting, bonus abuse, card-testing.

  7. Service improvement: aggregated analytics on lobby performance, payment-rail reliability, support response times.

  8. Communications: transactional emails (deposits, withdrawals, KYC requests) and — only with your opt-in consent — promotional emails.

We will not use your information for any other purpose without your explicit consent.

5. Who We Share It With (APP 6 — Disclosure)

A small list, named, not vague:

  • Payment processors carrying out your deposit or withdrawal — PayID intermediaries, POLi, BPAY, Neosurf, card acquirer, our crypto custodian.

  • KYC verification provider (Sumsub-class document checker) — receives your ID and proof of address only.

  • Game studios — receive your anonymous player session ID and bet data; they do not receive your name, address or financial details.

  • Cloud infrastructure provider hosting our servers in EU and AU regions.

  • Curacao regulator and ADR body — if a dispute requires it, or under a lawful regulatory request.

  • Australian agencies under lawful warrant or compulsory notice — AUSTRAC, ATO, AFP, on production of the required instrument.

We do not sell your data. Ever. We do not share it with advertising networks for retargeting.

6. Cross-Border Data Flow (APP 8)

Some of our processors are located outside Australia (EU, Curacao). Where data moves offshore, we ensure each processor is contractually bound to APP-equivalent standards and to the GDPR where it applies. A list of countries and processors is available on written request.

7. Data Quality (APP 10) and Security (APP 11)

We take reasonable steps to keep your data accurate and up to date — you can update most fields yourself in your profile, and we ask you to confirm details at each KYC step.


Security measures include: TLS 1.3 on all traffic, AES-256 at rest for stored personal information, segregated KYC document storage with separate access controls, password hashing with bcrypt, optional two-factor authentication, and quarterly third-party penetration testing.


If a data breach occurs that is likely to result in serious harm, we notify the Office of the Australian Information Commissioner (OAIC) and you, the affected individual, within 30 days, in line with the Notifiable Data Breaches scheme.

8. Cookies and Tracking

We use four cookie categories. You can manage them at any time via the consent banner footer link.

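| Category           | Purpose                             | Default                   | TTL               |
|--------------------|-------------------------------------|---------------------------|-------------------|
| Strictly necessary | Login session, cashier state        | On (cannot disable)       | Session – 30 days |
| Functional         | Language, lobby preferences         | On (consent given by use) | 90 days           |
| Analytics          | Aggregated lobby performance        | Off by default            | 180 days          |
| Marketing          | None — we do not run ad retargeting | Off                       | N/A               |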

9. Access, Correction, Complaints (APP 12, APP 13)

You have the right to:

  • Access the personal information we hold about you — email [email protected]. We respond within 30 calendar days.

  • Correct any inaccurate information — most fields are self-serve in your profile; for KYC-locked fields, support corrects on request with verification.

  • Complain about how we have handled your personal information — to us first at the same email, with response within 30 days. If you remain unsatisfied, lodge a complaint with the OAIC at oaic.gov.au.

10. Retention and Deletion

We retain account and transaction data for seven years after account closure — the period required by Australian financial-record law and Curacao AML obligations. Marketing-consent data is retained only while consent is current. KYC documents are deleted within 30 days of the seven-year retention end-point.

11. Children

Our services are 18+. We do not knowingly collect data from anyone under 18. If you believe an under-18 has created an account, email [email protected] and we will close it and erase non-mandatory data.

12. Changes to This Policy

Material changes are notified via email and a banner at the top of the site for at least 30 days before they take effect. Minor edits (typos, formatting) do not trigger notification but are logged in a change history available on request.

13. Contact

Privacy questions: [email protected]

General support: [email protected]

Complaints: [email protected]