Playing the Wanted Dead Or a Wild slot game (https://wanteddeadorwild.uk/) means handing over personal data. This document details exactly how long we store it, the reasons, and what technical protections underpin each category—all based on UK GDPR, the Data Protection Act 2018, and PCI DSS. We manage identity documents, financial transactions, gameplay telemetry, responsible gambling markers, and marketing consents, each with its own retention clock. Identity records stick around for five years after account closure. Financial logs stay for seven, meeting HMRC requirements. Gameplay data is kept for 24 months before anonymisation is applied. Full card numbers never enter our systems—only tokenised aliases—and every byte is encrypted. Independent auditors review our automated deletion routines, and any schedule slip triggers a full incident response. A version-controlled policy log records every edit, and we give you 30 days’ notice before material changes become effective. Subject access and deletion requests are processed within statutory deadlines.
Registration Account and Identity Verification Data
Primary identity records—official ID scans, address verification, biometric selfie matches—are held for 5 years after your last session or closure of account, whichever occurs later. This covers contractual time limits and anti-money laundering responsibilities. We extract only the essentials: ID number, expiration date, country of citizenship. The full-resolution image gets shredded upon extraction. Once 5 years pass, all source data is removed, but a hash of the verification result lives on for another two years inside a logging system. Personal identity information is stored encrypted with AES-256-GCM, isolated from analytics, and every data access is recorded for a three-year period. Optional fields like place of birth are removed at the time of verification to minimise the data held. Annual reviews confirm accuracy and proactively delete expired entries.
Document Upload and Biometric Handling
Upload an ID through our protected portal and automatic verification completes within ninety seconds. We pull the document ID, expiry, country of citizenship, and a confidence score, then delete the high-resolution image immediately—it is never stored on disk. The source file stays in an in-memory buffer and disappears after analysis. A reduced, stamped small image is produced for compliance purposes and stored only for the identity verification period. That preview lives in an immutable vault with tight controls and is never exposed to customer support. The extracted data is secured and kept for the five-year-plus-two hash window. All processing runs on servers in the UK with ISO 27001 certification, and every access to the small image is logged permanently.
Biometric Data Specifics
Liveness detection checks record a short video stream entirely in memory. Images are analysed and removed within a few milliseconds. Only a data vector of face features persists. This numerical representation has no image data and cannot be reverse-engineered into a picture. It remains for the duration of identity verification and is irreversibly removed upon closure of account or after 5 years. The vector sits in a specialized HSM with auto-expiry and is never transferred. Authentication checks happen inside the HSM’s protected enclave without revealing the raw vector. The data set is associated with a pseudonym separated from advertising profiles, which makes re-identification extremely difficult. Even system administrators cannot see or reconstruct face characteristics from the saved data.
Consent for Marketing and Correspondence Records
We keep your consent log—time-stamped, IP-stamped, and method-recorded—for the life of our relationship with you plus six years after withdrawal, to satisfy PECR rules. Send logs for e-mails, push messages, and SMS are held for only thirteen months. Revoking consent immediately suppresses communications while keeping historical proof. A divided database provides suppression without delay, and consent logs are stored in a separate compliance archive. Delivery logs include metadata only—heading, timestamp, status—not full message content. The six-year post-withdrawal timeframe reflects the statute of limitations for regulatory probes. Quarterly audits confirm that no expired consents trigger mailings. We never personalise offers with gameplay or financial data beyond what you have explicitly consented to.
Responsible Gambling and Self-Exclusion Registers
Stake limits, reality checks, and timeout settings are stored for your account’s lifetime and never purged while it stays active. If you self-exclude, your hashed identity and device fingerprints enter a dedicated exclusion register maintained permanently under UKGC licence requirements. The register is encrypted separately, checked only at login or registration, and never used for analytics. Access is restricted to trained compliance staff, and all queries are logged for three years. The register contains only identity blocks—no financial or gameplay records. We examine it annually to correct errors and remove deceased individuals. Otherwise, it remains permanent. This retention is mandatory and exempt from deletion requests.
Reality Check and Session Limit Enforcement
Reality check timers use transient session counters that clear every 24 hours, beginning again from your first spin after midnight. Your selected interval—say, 30 minutes—is stored persistently and instantly reactivates when you come back, even after a long break. Changing the interval mid-session applies the new value immediately to the next reminder. These settings are removed only upon confirmed account deletion. Session timer data sits in a dedicated, encrypted store separate from gameplay analytics. The 24-hour counter is based on play start, not midnight, for correctness. All timer configurations are auditable through the same three-year access log standard. We never categorise you or market to you based on these settings.
Infrastructure Setup and Data Residency
All data resides in UK-based ISO 27001 Tier III+ data centres, with no replication outside the UK. A hot disaster recovery site in a separate UK zone updates every six hours. Backups are encrypted client-side and adhere to identical retention rules. We enforce least privilege with hardware MFA for administrators, recording their sessions in an immutable three-year audit trail. Multi-factor authentication combines a hardware token and biometric check. Penetration tests occur quarterly, and an independent auditor confirms automated purge schedules. Any deviation raises a Severity 1 incident, reported to our DPO within four hours. We also keep an air-gapped backup rotated weekly, subject to the same deletion policies.
Encryption Key Lifecycle Management
Master keys rotate every 90 days automatically inside an HSM. New keys are never exported in plaintext. Rotated keys are archived for the data’s retention period plus 12 months for lawful forensic access. When a data category is purged, its key is destroyed inside the HSM, making any backups unrecoverable. We assign each key to a single data partition, never reuse keys, and conduct quarterly witnessed key ceremonies logged immutably for five years. The offline archive of old keys requires dual control and is stored on write-once media in a fireproof safe. Annual recovery drills confirm that forensic decryption works when needed. No plaintext key material ever exits the HSM boundary.
Access Request and Erasure Workflows
Upon receiving a subject access request (SAR), we compile a formatted JSON/CSV export of all non-purged data within one month, extendable by two months for complex cases. The export covers live databases, encrypted archives, and processor tokens, provided via a one-time secure link that expires in 72 hours. For deletion, we cascade: immediate account suppression and token revocation, then scheduled erasure of all personal data not subject to legal hold. We produce a confirmation report detailing erased versus retained categories and their justifications. This report is retained as auditable proof for as long as the longest surviving data category. All requests are documented immutably for five years.
Core Definitions and Range of Personal Data
We take a broad view on what qualifies as personal data. Direct identifiers—name, email, billing address, masked payment details—are accompanied by indirect signals like hashed IP addresses, device fingerprints, browser agents, and advertising tokens. Behavioural data includes session length, bet sizing, spin velocity, and how often feature triggers fire. Even pseudonymised logs can link back to a person when stitched together, so we handle them as personal. Our lawful bases are contractual necessity, legitimate interest for fraud prevention, and explicit consent for game-related marketing. Full card numbers get tokenised before storage. We never collect special category data. Encryption and access controls apply uniformly, and retention rules span live databases, archives, and backups without exception. Each window commences from the last activity or transaction date, spelled out below. We review definitions every six months to stay aligned with regulatory guidance.
Gaming Session and Behavioural Analytics Data
Every spin on Wanted Dead Or a Wild logs reel positions, RNG seed, and net outcome with microsecond precision. We retain these raw logs for twenty-four months, then compact them into an anonymous statistical digest used for game design. Session behavioural profiles—average bet, spin cadence, feature buy-ins—remain for the same 24-month window and are then deleted. Feature trigger heatmaps persist for 12 months before merging into a global model. RNG seed audit trails are kept for 36 months. Error diagnostics are kept for 90 days. No individual gameplay data feeds into credit or marketing profiling. All logs are encrypted and off-limits to marketing teams.
- Spin-level logs: 24 months from event date, then aggregated
- Session behavioural profiles: 24 months from last session, then deleted
- RNG seed audit trails: 36 months to satisfy technical standards
- Feature trigger heatmaps: 12 months, then integrated into global model
- Error and crash diagnostic logs: 90 days, then rotated out
Payment Transaction and Settlement Records
Funding, withdrawal, and wager records are retained for seven years from the transaction date, per HMRC and FCA rules. We never store full PANs or CVVs. We capture only the BIN, last four digits, and a tokenised alias. Chargeback disputes put the contested record on hold until final resolution, after which the seven-year clock continues. Data is partitioned quarterly so automated purging works cleanly, with monthly deletion runs verified by auditors. Tokenised card references remain valid only while your account is live and are deleted within thirty days of closing. Aggregated, anonymised totals remain for financial reporting without any personal details. All financial data is encrypted and isolated from marketing systems.
Tokenised Payment Instruments and Processor References
Payment gateways produce vaulted tokens that associate your card to a non-sensitive identifier. We hold them for the account lifetime plus a thirty-day grace interval, then transmit deletion commands to the processor and clear our own link. The only evidence left behind is an anonymised transaction hash used in aggregate summaries, themselves purged after seven years. No usable credentials ever exist on our systems. We monitor token revocation daily and trigger incidents if deletion is unsuccessful. Tokens are tied to our merchant code and cannot be used elsewhere. Weekly reconciliation verifies authenticity, and tokens tied to lost or stolen cards are revoked immediately. All token operations are documented and checked. Aggregate reports never expose individual transaction hashes.
Policy Review and Data Breach Protocols
We assess this policy every six months or upon material change to the game or regulation. Reviews are recorded with the DPO, CISO, and legal counsel. A public summary is displayed in our privacy centre, minus confidential details. Material changes are communicated 30 days ahead. Minor edits are silently recorded. If a breach occurs affecting data under this policy, we alert affected individuals within 72 hours if high risk, file a notification with the ICO, and post a transparency notice. Third-party processor breaches must follow the same protocol. We maintain a breach notification log that is audited quarterly. Post-incident reviews update controls as needed. Biannual tabletop exercises simulate misconfigurations and ransomware to test our response.
Policy Versioning and Update Log
We keep a version-controlled history of this policy with semantic versioning and plain-English summaries of each change. The log specifies exactly which sections changed and why. Previous versions remain accessible for comparison, so you can see precisely what was added or removed. Material modifications affecting your rights are communicated via email at least thirty days in advance. Minor typographical fixes are deployed silently but still recorded. Each entry is cryptographically signed to prove integrity, and annual independent audits confirm the log’s accuracy. The log is a living document reflecting our evolving data practices. You can view the full change log through a link in our privacy centre at any time. This transparent approach demonstrates our commitment to accountable data governance.


