1. Casino status and scope of this Policy for players from Australia
This Policy governs online gambling privacy on vegazoneaustralia.com for all players accessing from Australia at least once every 12 months. The casino acts as a data controller (the term “data controller” means a person or entity that determines the purposes and means of processing personal information). The core casino data protection objectives apply to all sections of the website, all games and all types of bets without exception. Processing is carried out in line with the Australian Privacy Principles and is ensured as Privacy Act compliance where the site is accessed from at least one Australian jurisdiction.
2. Categories of personal data and sources of collection
The casino processes data in clearly defined groups, recording the source for each category at least once every 24 hours. The scope of player account information is limited to the fields requested in the registration form and for verification. Personal data handling means any access, recording, transmission or deletion. The term PII (personally identifiable information) means a set of data that allows a player to be uniquely identified where at least 2 parameters match.
3. Purposes of processing and legal bases for operating the website
The purposes of processing are aligned with one primary lawful basis for processing for each operation and are reviewed at least once every 12 months. Data is used for contract performance when registration, deposits, betting or withdrawals are required within 24 hours from the time of the request. Certain processes rely on the casino’s legitimate interests where the impact on the player is objectively minimal. For reporting to authorities, a regulatory reporting regime applies, with the date and time recorded. Certain responsible gambling data is applied to player limits, breaks and self-exclusion. The term API (application programming interface) means a technical data exchange channel between the website systems.
4. Payments, transactions and checks for misuse
All operations are carried out through payment information processing, recording the amount, currency and time with an accuracy of up to 1 second. A transaction history record is maintained for each account for at least 5 years from the last operation. Specific fraud prevention systems are triggered where amounts exceed 1,000 units within 24 hours. Mandatory anti-money laundering checks apply to each withdrawal of funds. Risk assessment procedures mean a formalised scale for assessing an operation with at least 3 levels. The term AML (anti-money laundering) describes such checks.
5. Marketing messages and management of player consents
Marketing messages are sent only via direct marketing communications by email, SMS or push notifications, at a rate of no more than 30 messages in 30 days per account. All channels are enabled via consent management in the player’s account at least once upon first subscription. Profile analysis is used to tailor content, taking into account the last 3–10 sessions. The term opt-in means that the player actively ticks or selects consent. Behavioural metrics are collected via behavioural analytics with daily aggregation.
6. Disclosure of data to third parties and international transfers
Data disclosure is allowed in limited cases, which are recorded at least once every 12 months. Third-party service providers are involved in processing under contracts that specify concrete retention periods. Cross-border movements are documented as international data transfers indicating at least one destination country. Customer support records mean player contacts with support, stored for at least 3 years. The term SLA (service level agreement) means documented response and resolution timeframes.
Main disclosure cases:
- execution of payments and games;
- resolution of disputes via a dispute resolution process;
- compliance with legal obligations.
7. Cookies, access logs and other tracking technologies
On the first visit to the website, cookie consent management is launched, recording the choice for at least 180 days. Technical files are used to ensure stable operation and page load times of up to 3 seconds. The term HTTP cookie (a small text file in the browser) means a record of up to 4 KB on a device. For analytics, tracking technologies usage is applied, with parameter updates once every 24 hours. Server access log files store IP, URL and request time for at least 90 days.
8. Data retention periods, minimisation and backups
Retention periods are set out in a retention period policy specifying at least 3 data categories and a range of 1–10 years. The principle of data minimisation means that, for each operation, only the set of fields needed for the specific purpose is stored, and only for the relevant period. Backups are maintained through backup storage on a daily basis, at least once every 24 hours. The term RPO (recovery point objective) here means the maximum acceptable data loss of no more than 24 hours by time.
9. Data protection, encryption and incident management
Technical and organisational measures are included in an overall data security measures framework, reviewed at least once every 12 months. Data transmission is implemented via encryption in transit with a key length of at least 128 bits. Secure authentication is used for login: at least 1 username, 1 password and, where possible, 1 additional factor. Hashing (a one-way transformation) means a method of password protection that does not store the password in plain text. The data breach notification procedure is triggered within 72 hours from the moment the system records an incident.