Privacy Policy for OZ2Win Casino: Data Categories, Retention and Rights
The Privacy Policy of OZ2Win Casino governs four data categories — identity/KYC data, transaction data, gameplay data, and technical/marketing data — with retention periods ranging from 90 days up to 7 years depending on category and the regulatory record-keeping requirement attached to it. Identity documents submitted for verification carry the longest retention window, since Curaçao eGaming licence conditions (Master Licence 8048/JAZ) require KYC records to remain available for a fixed post-closure period rather than being deleted on account closure itself.
Data collected across OZ2Win Casino is transmitted over 256-bit SSL encryption and stored on servers accessed under role-based permission controls, meaning individual data categories are not visible to every internal system by default. The breakdown below separates data types, retention periods, third-party recipients, and the specific rights available to request access, correction, or deletion.
Data Categories Collected
| Category | Examples | Purpose | Retention Period |
|---|---|---|---|
| Identity / KYC | Government ID, proof of address | Age verification (18+), withdrawal approval above AU$2,000 | 7 years post-closure |
| Transaction | Deposit/withdrawal records, payment method details | Processing deposits (min. AU$20), payouts (min. AU$30) | 5 years |
| Gameplay | Bet history, wagering progress, bonus tracking | Wagering requirement calculation (40x bonus amount) | 3 years |
| Technical / Marketing | IP address, device type, cookie identifiers | Session security, bonus attribution | 90 days – 24 months |
The 7-year retention figure for identity data reflects a regulatory floor rather than an operational preference — it applies regardless of how long an account remains active, and it does not reduce even if a player requests account closure before that period elapses. Transaction records at 5 years align with standard financial audit requirements referenced under the licence framework.
How Identity (KYC) Data Is Verified and Stored
Identity verification at OZ2Win Casino is triggered automatically once a withdrawal request exceeds AU$2,000, requiring a government-issued ID and a proof-of-address document, both accepted in JPG or PDF format up to 10MB. Submitted documents are reviewed within 24–48 hours and, once approved, are stored separately from gameplay and transaction records under restricted access rather than in the same database table — a separation that limits which internal systems can cross-reference identity data with betting activity.
Documents rejected at verification (mismatched name, expired ID, unreadable scan) are flagged for resubmission but are not deleted immediately; rejected submissions are retained for 90 days to support any related dispute before removal.
Third-Party Data Recipients
A portion of the data collected across OZ2Win Casino is shared with external service providers required to process specific functions — payment settlement, identity verification, and regulatory reporting each involve a different third party with a different data scope.
| Recipient Type | Data Shared | Purpose | Retention Under Third Party |
|---|---|---|---|
| Payment processors | Transaction amount, method, account identifier | Processing deposits/withdrawals | Session to 90 days |
| KYC verification provider | ID document, proof of address | Age and identity confirmation | Up to 7 years (matches operator retention) |
| Analytics provider | IP address, session behaviour | Aggregated usage tracking | 12 months |
| Regulatory body (Curaçao eGaming) | Account and transaction records | Licence compliance (Master Licence 8048/JAZ) | Per licence requirement |
No data category listed above is sold to unrelated third parties outside this table; each recipient is scoped to the specific function required for account, payment, or regulatory processing.
Data Retention After Account Closure
Closing an account does not trigger immediate deletion across all categories. Gameplay data is held for 3 years post-closure to support any wagering dispute raised after the account is closed; transaction data for 5 years to support financial audit requirements; and identity data for 7 years under the regulatory floor described above. Technical and marketing data, by contrast, expires on the shorter 90-day to 24-month schedule regardless of account status, since it is not subject to the same audit requirement.
Security Measures
Data in transit across OZ2Win Casino is encrypted using 256-bit SSL, and stored data is segmented by role-based access — support staff handling live chat queries do not have default access to stored identity documents, which are restricted to the verification team specifically. Password data is not stored in plain text; account authentication uses a hashed format that is not reversible even with direct database access.
Data Subject Rights and Response Times
Requests to access, correct, or delete personal data can be submitted through the support channels listed on the Contact page, and each request type carries a distinct response window based on the complexity of the category involved.
| Request Type | Response Time | Notes |
|---|---|---|
| Access request (copy of held data) | Up to 30 days | Covers all four data categories |
| Correction request (e.g., updated address) | 5–10 business days | Applies to KYC and account profile data |
| Deletion request | Up to 30 days | Does not override the 7-year KYC or 5-year transaction retention floor |
A deletion request does not remove identity or transaction data ahead of the regulatory retention period listed above; it applies to technical and marketing data, and to gameplay data once the 3-year retention window has passed.
Frequently Asked Questions
How long is identity (KYC) data kept after an account is closed?
7 years, which is a regulatory floor under the Curaçao eGaming licence (Master Licence 8048/JAZ) and does not shorten based on when the account was closed.
Can transaction data be deleted immediately upon request?
No. Transaction data is retained for 5 years to meet financial audit requirements, regardless of account status or deletion requests submitted earlier.
Is identity data shared with support staff handling live chat?
No. Identity documents are restricted to the verification team under role-based access; live chat and general support staff do not have default access to stored KYC records.
How long does a data access request take to process?
Up to 30 days, covering identity, transaction, gameplay, and technical/marketing data categories in a single response.