EN EN
Menu Welcome Bonus Banner Claim Bonus
SpinsUp Casino Hero Banner
SpinsUp Casino Australia $5,000 + 300 Free Spins Welcome Package Licensed Platform with 7,000+ Games from 80+ Providers Claim Your Bonus
7,000+ Games
7,000+ GamesFrom 80+ providers including NetEnt, Microgaming, Pragmatic Play
Evolution Gaming Live Casino
Evolution Gaming Live CasinoProfessional dealers streaming 24/7 in HD quality
$5,000 Bonus + 300 FS
$5,000 Bonus + 300 FSFour-deposit welcome package for Australian players

Privacy Policy

Effective Date: January 1, 2023
Last Updated: November 19, 2025
Policy Version: 2.3

Digital Entertainment N.V. (operating SpinsUp Casino) collects, processes, stores, and protects personal information in accordance with Curacao data protection regulations, General Data Protection Regulation (GDPR) principles, and Australian Privacy Principles (APPs) under Privacy Act 1988.

This policy details: information collection categories and methods, usage purposes and legal bases, data sharing protocols, security measures, retention periods, user rights, international transfers, and contact procedures for privacy-related inquiries.

Account creation constitutes consent to data processing as described. Continued platform use after policy updates constitutes acceptance of modifications. Users disagreeing with terms must cease platform use and request account closure.


Categories of Information Collected

Registration Data

Collected During Account Creation:

  • Full legal name (first, middle, surname)
  • Date of birth (age verification requirement)
  • Email address (primary communication method)
  • Mobile phone number (verification, 2FA, notifications)
  • Residential address (street, suburb, state, postcode, country)
  • Preferred currency (AUD - permanent selection)
  • Username (unique platform identifier)
  • Password (encrypted, never stored in readable format)

Collection Method: User-submitted via registration form
Legal Basis: Contractual necessity, regulatory compliance (age verification, anti-money laundering)
Storage Duration: Account lifetime plus 7 years post-closure

Identity Verification Documents (KYC)

Collected Before First Withdrawal:

  • Government-issued photo identification: Passport, driver's license, national ID card (copies containing name, photo, date of birth, document number, expiration date)
  • Proof of address: Utility bills, bank statements, government correspondence dated within 90 days (containing name and residential address)
  • Payment method verification: Card photographs (first 6 and last 4 digits visible, middle obscured), e-wallet screenshots, bank account statements
  • Selfie photographs with ID document (enhanced verification cases)

Collection Method: User upload via secure document portal or email attachment
Legal Basis: Regulatory compliance (AML, CTF regulations), fraud prevention, contractual necessity
Storage Duration: 7 years minimum per regulatory requirements

Financial Transaction Information

Collected During Payment Processing:

  • Payment method types (credit card, e-wallet, cryptocurrency, bank transfer)
  • Card types and last 4 digits (full numbers never stored on platform servers)
  • E-wallet account identifiers
  • Cryptocurrency wallet addresses
  • Bank account details (account numbers, routing codes)
  • Transaction amounts and currencies
  • Transaction timestamps and status
  • Payment processor transaction IDs
  • Deposit and withdrawal history

Collection Method: Automatic recording during transaction processing
Legal Basis: Contractual necessity, regulatory compliance, fraud prevention
Storage Duration: 7 years for financial records
Important: Full credit card numbers processed by PCI-DSS compliant third-party processors, never stored on SpinsUp servers

Gameplay and Betting Data

Automatically Recorded:

  • Games played (titles, providers, timestamps)
  • Bet amounts and frequencies
  • Win and loss records
  • Game session durations
  • Bonus activations and usage
  • Wagering requirement progress
  • RTP achieved per game
  • Tournament participations and rankings
  • Favorite games and play patterns

Collection Method: Automatic system logging
Legal Basis: Contractual necessity (platform functionality), legitimate interest (analytics, responsible gaming monitoring)
Storage Duration: Account lifetime plus 7 years

Technical and Device Information

Automatically Collected:

  • IP addresses (geographic location verification, security monitoring)
  • Device types (desktop, mobile, tablet), manufacturers, models
  • Operating systems and versions
  • Browser types, versions, and settings
  • Screen resolutions and display settings
  • Geographic location (country, region, city level - not precise GPS)
  • Language preferences
  • Referral sources (how user found platform)
  • Session information (login times, duration, pages visited)
  • Device identifiers and fingerprints

Collection Method: Automatic via server logs and analytics systems
Legal Basis: Legitimate interest (security, fraud prevention, platform optimization), contractual necessity
Storage Duration: 2 years for analytics, 7 years for security logs

Communication Records

Stored Communications:

  • Live chat transcripts (complete conversation history)
  • Email correspondence (sent and received)
  • Support ticket submissions and responses
  • Phone call recordings if telephone support implemented
  • Feedback submissions and survey responses

Collection Method: Direct user communication via support channels
Legal Basis: Legitimate interest (customer service, dispute resolution, service improvement), contractual necessity
Storage Duration: 7 years for dispute records, 2 years for general support communications

Cookies and Tracking Technologies

Types Deployed:

  • Essential cookies: Session management, login authentication, security
  • Functional cookies: Preferences, settings, language selection
  • Analytics cookies: Usage patterns, performance metrics, user behavior
  • Authentication tokens: Security and access control

Collection Method: Automatic browser storage
Legal Basis: Essential cookies (contractual necessity), analytics cookies (consent or legitimate interest)
Storage Duration: Session cookies expire on browser close, persistent cookies 1-12 months
Detailed Information: See Cookie Policy for comprehensive cookie usage details


Information Usage and Processing Purposes

Core Platform Operations

Purpose Data Used Legal Basis
Account creation and management Registration data, login credentials Contractual necessity
Payment processing Financial data, transaction records Contractual necessity
Bonus allocation and tracking Gameplay data, transaction records Contractual necessity
Game delivery and functionality Account data, device information Contractual necessity
Customer support provision All account data, communication records Contractual necessity, legitimate interest
Transaction history maintenance Financial data, gameplay records Contractual necessity, regulatory compliance

Security and Fraud Prevention

  • Account access authentication and authorization
  • Suspicious activity pattern detection and analysis
  • Multiple account identification (duplicate prevention)
  • Payment fraud detection and prevention
  • Bonus abuse identification and prevention
  • Geographic restriction enforcement (blocked jurisdictions)
  • Security breach monitoring and incident response
  • Device fingerprinting for fraud detection

Legal Basis: Legitimate interest (platform security, fraud prevention), contractual necessity

Regulatory and Legal Compliance

  • Age verification enforcement (18+ requirement)
  • Anti-money laundering (AML) checks and reporting
  • Counter-terrorism financing (CTF) screening
  • Licensing authority reporting and audits
  • Transaction record retention (7-year regulatory requirement)
  • Dispute documentation and resolution
  • Tax reporting where legally required
  • Legal request compliance (court orders, law enforcement inquiries)
  • Responsible gambling monitoring and intervention

Legal Basis: Legal obligation, regulatory compliance

Marketing and Communications (With Consent)

Promotional Communications:

  • Bonus offer emails and notifications
  • Tournament announcements
  • New game release information
  • VIP program updates and personalized offers
  • SMS promotional messages (if opted in)
  • Push notifications (mobile platforms, if enabled)

Legal Basis: Consent (opt-in during registration or settings)
Opt-Out: Available anytime via account settings, unsubscribe links in emails, or support request
Note: Transactional communications (deposit confirmations, withdrawal updates, security alerts, verification status) cannot be disabled as they constitute essential account management

Platform Analytics and Improvement

  • User experience optimization and A/B testing
  • Game performance analysis and selection decisions
  • Feature usage pattern identification
  • Technical performance monitoring and error tracking
  • Interface design improvements and usability testing
  • Conversion funnel analysis

Legal Basis: Legitimate interest (service improvement)
Data Processing: Aggregated and anonymized data used for analytics, individual identification not retained in analytics reports


Information Sharing and Third-Party Disclosure

Essential Service Providers

Payment Processors:

  • Data Shared: Transaction details, card information (processed directly by processor), amounts, currencies, user identifiers
  • Processors: Multiple payment gateways including card processors, e-wallet services, cryptocurrency exchanges, bank transfer facilitators
  • Security Standards: All processors maintain PCI-DSS Level 1 compliance or equivalent
  • Purpose: Deposit and withdrawal transaction processing
  • Data Retention: Per processor policies (typically 7 years financial records)

Game Providers:

  • Data Shared: Username, session tokens, bet amounts, game outcomes (minimal data required for game functionality)
  • Providers: 52 certified software developers (listed in About section)
  • Data NOT Shared: Financial information, identification documents, contact details
  • Purpose: Game delivery and functionality
  • Security: Encrypted API connections, no direct database access

Identity Verification Services:

  • Data Shared: Identification documents, personal details for verification matching
  • Service Providers: Third-party KYC verification specialists
  • Purpose: Identity verification, age confirmation, document authenticity checking
  • Security: Encrypted transmission, confidentiality agreements, data protection obligations
  • Retention: Verification results stored, documents may be retained by provider per their policies

Cloud Hosting and Infrastructure:

  • Data Shared: Entire database (encrypted at rest)
  • Providers: Cloud infrastructure providers for server hosting
  • Access: Technical maintenance only, cannot decrypt personal information without authorization keys held exclusively by SpinsUp
  • Security: Encryption at rest and in transit, access logging, security audits
  • Locations: Multiple geographic regions for redundancy and performance

Email and Communication Services:

  • Data Shared: Email addresses, message content
  • Access Limitation: Cannot access broader account information or financial data
  • Purpose: Email delivery (transactional and marketing)
  • Security: Encrypted transmission, access controls

Legal and Regulatory Entities

Licensing Authority (Curacao eGaming):

  • Data Shared: Operational reports (aggregated player data), financial transactions summaries, dispute records
  • Individual Data: Shared only for specific investigations, compliance audits, or regulatory inquiries
  • Frequency: Monthly reports, annual audits, ad-hoc investigations
  • Purpose: Regulatory compliance verification, dispute resolution, license maintenance

Law Enforcement and Government Agencies:

  • Data Shared: Information specifically requested in valid legal orders
  • Legal Basis: Court orders, subpoenas, law enforcement investigations, national security requests
  • Scope: Limited to specific inquiry requirements, no blanket data sharing
  • Process: Legal team review of each request, compliance only with valid jurisdiction orders

Dispute Resolution Services:

  • Data Shared: Relevant information for complaint investigation and mediation
  • Services: Alternative dispute resolution (ADR) providers, licensing authority mediation
  • Purpose: Independent complaint review and resolution facilitation

Business Transactions

In event of merger, acquisition, asset sale, bankruptcy, or similar corporate transaction:

  • Player information may transfer to successor entity as business asset
  • Users notified via email of ownership changes minimum 30 days advance notice
  • Privacy protections continue under new ownership unless users offered account closure option
  • Users may close accounts and request data deletion before transfer completion

Information NOT Shared

Prohibited Disclosures:

  • Personal information never sold, rented, or traded to third parties for marketing purposes
  • No sharing with affiliate partners for their marketing use
  • No disclosure to advertising networks or data brokers
  • Email addresses not provided to third-party marketing services without explicit separate consent
  • Player lists not shared with other gambling operators

Security Measures and Data Protection

Technical Security Controls

Security Layer Implementation Details
Encryption (Data at Rest) 256-bit AES encryption for all stored personal data and financial records
Encryption (Data in Transit) TLS 1.3 protocol for all data transmission between users and servers
Password Security Bcrypt hashing algorithm with individual salt values, original passwords never stored
Network Security Cloudflare DDoS protection (500 Gbps capacity), Web Application Firewall (WAF)
Access Controls Role-based permissions, multi-factor authentication for admin access, IP whitelisting
Database Security Encrypted storage, parameterized queries (SQL injection prevention), access logging
Session Management Secure session tokens, 24-hour timeout, single session per account

Organizational Security Measures

  • Employee Training: Mandatory data protection training for all staff, annual refresher courses, confidentiality agreements
  • Access Limitation: Only authorized personnel access sensitive information, access granted on need-to-know basis
  • Audit Trails: All data access logged with timestamps, user IDs, actions performed
  • Background Checks: Security screening for employees with data access privileges
  • Non-Disclosure Agreements: Contractual confidentiality obligations continuing post-employment
  • Physical Security: Secure server facilities with restricted access, surveillance, environmental controls

Security Monitoring and Testing

  • 24/7 security operations center monitoring for threats and anomalies
  • Automated intrusion detection systems
  • Real-time suspicious activity alerts
  • Quarterly penetration testing by independent security firms
  • Annual comprehensive security audits
  • Vulnerability assessments and patch management
  • Security incident response procedures and breach notification protocols

Data Breach Response

In event of data breach affecting personal information:

  1. Immediate containment and investigation (within 1 hour of detection)
  2. Impact assessment and affected user identification (within 24 hours)
  3. User notification via email within 72 hours of breach confirmation
  4. Regulatory authority notification per legal requirements
  5. Remediation measures implementation
  6. Post-incident review and security enhancement

Breach History: Zero major security breaches since platform launch (2022-present). Minor incidents (attempted unauthorized access) resolved average 4 hours with no user data compromise.

Security Limitations

Despite comprehensive security implementation, no system guarantees absolute security. Internet transmission and electronic storage carry inherent risks. SpinsUp implements industry-standard protections but cannot guarantee complete invulnerability to sophisticated attacks or unauthorized access.

Users responsible for: maintaining login credential confidentiality, using strong unique passwords, enabling two-factor authentication, reporting suspicious account activity immediately, keeping contact information current for security notifications.


Data Retention Periods and Deletion

Retention Schedule by Data Category

Data Category Active Account Retention Post-Closure Retention Legal Basis
Registration information Indefinite (account lifetime) 7 years Regulatory compliance, dispute resolution
Financial transaction records Indefinite 7 years minimum Tax compliance, financial auditing, AML requirements
Verification documents Until new documents submitted 7 years Regulatory compliance, fraud prevention
Gameplay and betting history Indefinite 7 years Dispute resolution, regulatory reporting
Communication records Indefinite 7 years (disputes), 2 years (general) Customer service, dispute resolution
Technical/device data 2 years (analytics), 7 years (security) Same as active Security monitoring, fraud prevention
Marketing consent data Until withdrawal of consent 30 days after opt-out Consent management

Special Retention Cases

Self-Excluded Accounts:

  • Name, date of birth, email address retained indefinitely (prevent circumvention through new registration)
  • Other personal data deleted after 7-year retention period
  • Self-exclusion status permanent database flag never deleted

Disputed or Under Investigation Accounts:

  • All data retained until dispute resolution completion plus standard retention period
  • May extend retention if legal proceedings ongoing

Banned Accounts (Terms Violations):

  • Full data retained for 7 years minimum
  • Fraud indicators and patterns retained indefinitely for prevention purposes

Data Deletion Procedures

After retention period expiration:

  1. Automated system flags data for deletion
  2. Manual review confirms no ongoing legal holds or disputes
  3. Secure deletion using DoD 5220.22-M standard (7-pass overwrite) or cryptographic erasure
  4. Deletion verification and audit trail creation
  5. Anonymization of data required for statistical purposes (individual identification impossible)

Anonymized statistical data may be retained indefinitely for research, analytics, regulatory reporting without individual identification possibility.


User Privacy Rights and Exercise Procedures

Right of Access (Data Subject Access Request)

Right: Request copies of all personal information held
Process: Email [email protected] with subject "Data Access Request" including username and registered email
Response Time: 30 days maximum
Provided Information: Personal details, account history, transaction records, communication logs, gameplay data
Format: Structured electronic format (PDF, CSV, JSON as appropriate)
Cost: Free for first request, reasonable administrative fee for excessive or repetitive requests

Right to Rectification (Correction)

Right: Correct inaccurate or incomplete personal information
Process: Most fields editable through Account Settings → Personal Information. Fields requiring verification (name, date of birth) must be requested through support with documentation
Response Time: Immediate for self-editable fields, 5-7 days for verified field changes
Documentation Required: Government-issued ID showing correct information for name/DOB changes

Right to Erasure ("Right to be Forgotten")

Right: Request account deletion and data erasure
Process: Email [email protected] with subject "Data Deletion Request" or Account Settings → Close Account
Important Limitations:
- Financial records, regulatory compliance data, dispute records retained for legal 7-year requirement
- Self-exclusion information retained permanently to honor exclusion
- Data subject to ongoing legal proceedings retained until resolution
Non-Essential Data Deletion: Within 30 days of request
Complete Deletion: After 7-year legal retention period expiration

Right to Data Portability

Right: Receive personal data in machine-readable format for transfer to another service
Process: Email request to [email protected] with subject "Data Portability Request"
Response Time: 30 days
Provided Data: Account information, transaction history, gameplay records in CSV, JSON, or XML format
Scope: Only data provided by user or generated through platform use, not derived or inferred data

Right to Restrict Processing

Right: Request limitation of data processing for specific purposes
Process: Email [email protected] with subject "Processing Restriction Request" specifying purposes to restrict
Limitations: Essential processing (security, payment processing, legal compliance) cannot be restricted without account closure
Available Restrictions: Marketing processing, analytics inclusion, data sharing with specific partners
Response Time: 7 days for implementation

Right to Object

Right: Object to specific data processing activities
Most Common Objections: Marketing communications, analytics inclusion, profiling for personalized offers
Process: Account Settings → Communication Preferences for marketing, email support for other objections
Implementation: Immediate for marketing, 7 days for other objections
Note: Objections to essential processing require account closure as necessary for platform operation

Right to Withdraw Consent

Right: Withdraw previously given consent for data processing
Process: Account Settings → Communication Preferences or Privacy Settings
Effect: Immediate cessation of consent-based processing (marketing, optional analytics)
Important: Withdrawal does not affect processing legality prior to withdrawal
Scope: Only applies to consent-based processing, not contractual necessity or legal obligations

Right to Lodge Complaint

Right: File complaint with supervisory authority regarding data processing
Australian Users: Office of Australian Information Commissioner (OAIC)
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: [email protected]
European Users: Relevant data protection authority in EU member state
Process: Contact supervisory authority directly, no requirement to exhaust internal complaints first

Exercising Rights - General Procedures

  1. Submit request via email to [email protected] with clear subject line indicating right being exercised
  2. Include username and registered email for verification
  3. Provide additional identification if requested (security measure)
  4. Receive acknowledgment within 5 business days
  5. Request processed within 30 days (extended to 60 days for complex requests with notification)
  6. Receive outcome notification via email with explanation of actions taken

Verification Requirements: Identity verification may require additional information before fulfilling requests to prevent unauthorized access to personal data.

Fees: No charges for reasonable requests. Excessive, repetitive, or manifestly unfounded requests may incur administrative fee (notified before processing).


International Data Transfers

SpinsUp operates internationally. Personal information may be transferred to and processed in countries outside Australia including:

  • Curacao (company registration and licensing)
  • European Union member states (payment processors, game providers)
  • United States (cloud hosting infrastructure, analytics services)
  • Asia-Pacific region (game providers, technical support)

Data Protection Standards for Transfers

Countries receiving transfers may have different data protection standards than Australia. SpinsUp implements safeguards:

  • Standard Contractual Clauses: EU Commission-approved contracts with data recipients
  • Binding Corporate Rules: Internal policies ensuring consistent protection across jurisdictions
  • Processor Agreements: Contractual requirements for equivalent protection standards
  • Encryption: Data encrypted during transfer and at rest in receiving country
  • Access Controls: Limited access to transferred data based on necessity

All third-party service providers contractually obligated to maintain data protection standards meeting or exceeding Australian Privacy Principles and GDPR requirements regardless of processing location.

Legal Basis for Transfers

  • Contractual necessity (payment processing, game delivery require international providers)
  • Explicit consent (users consent to international processing through account creation)
  • Adequate safeguards (standard contractual clauses, binding corporate rules)

Protection of Minors

SpinsUp strictly prohibits registration and platform access by individuals under 18 years of age.

Age Verification Measures

  • Registration form requires date of birth entry, automatically rejects submissions indicating age under 18
  • Identity verification documents checked for age confirmation
  • Account closure and data deletion if minor access discovered
  • IP blocking for repeated underage access attempts

Handling Underage Access

If minor account access discovered:

  1. Immediate account suspension
  2. All deposited funds returned to source
  3. Personal information deleted within 30 days
  4. Investigation to prevent future occurrences
  5. Parent/guardian notification if contact information available

Parental Reporting

Parents or guardians suspecting minor accessed platform should immediately contact [email protected] with subject "Minor Access Report" including:

  • Minor's name and date of birth
  • Suspected account username or email
  • Relationship to minor
  • Any available evidence of access

Investigation and account termination initiated immediately upon receipt. No penalties applied to minor; focus on prevention and safeguarding.


Privacy Policy Modifications

Policy reviewed and updated as necessary for: legal compliance changes, operational modifications, technology updates, industry best practice evolution.

Update Notification Procedure

  • Significant changes announced via email notification to all active accounts
  • Prominent platform notice displayed 30 days before implementation
  • "Last Updated" date at policy top indicates most recent revision
  • Version number incremented for tracking (current version 2.3)
  • Change summary provided in notification email

User Response to Changes

Continued platform use after notification period constitutes acceptance of modifications. Users disagreeing with updated terms must:

  1. Cease platform use before changes take effect
  2. Request account closure and data deletion
  3. Withdraw funds during notice period

Policy changes never retroactively alter data processing performed under previous terms. New processing activities governed by updated policy only.


Australian Privacy Act Compliance

For Australian residents, data handling aligns with Australian Privacy Principles (APPs) under Privacy Act 1988 (Commonwealth).

APP Compliance Summary

  • APP 1: Privacy policy transparent and accessible
  • APP 3: Personal information collected only when necessary for platform functions
  • APP 5: Notification provided at collection about purposes and disclosures
  • APP 6: Information used only for disclosed purposes or related secondary purposes
  • APP 8: Overseas disclosures comply with reasonable steps requirement
  • APP 11: Security safeguards implemented to protect information
  • APP 12: Access provided to individuals requesting their information
  • APP 13: Correction mechanisms available for inaccurate information

Australian Privacy Complaints

Internal Complaint Process:

  1. Email [email protected] with subject "Privacy Complaint - Australia"
  2. Include detailed complaint description and desired resolution
  3. Receive acknowledgment within 7 days
  4. Receive response within 30 days

External Complaint Escalation:

Office of Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: [email protected]
Mail: GPO Box 5288, Sydney NSW 2001

OAIC complaints can be lodged if internal resolution unsatisfactory or 30 days elapse without response.


Privacy Inquiries and Contact Information

Privacy Contact Email: [email protected]
Subject Line Templates:
- "Data Access Request"
- "Data Deletion Request"
- "Data Portability Request"
- "Processing Restriction Request"
- "Privacy Policy Question"
- "Privacy Complaint"
- "Minor Access Report"

Required Information: Username, registered email address
Response Time: Maximum 30 days for data requests, 7 days for general inquiries
Verification: Identity verification may be required for data requests to prevent unauthorized access

Corporate Privacy Contact:
Digital Entertainment N.V.
Heelsumstraat 51
Curacao
Registration Number: 156284

Quick Links
Legal Information
18+

2026 SpinsUp Casino. All rights reserved.