Data controller
Casino Decoded is the data controller for users of casinodecoded.com. Privacy contact: privacy@casinodecoded.com. For formal written requests please ask for the postal address at the same email.
This Policy is drafted in compliance with:
- Regulation (EU) 2016/679 (GDPR) — for users in the EU/EEA
- UK Data Protection Act 2018 and UK GDPR — for users in the United Kingdom
- California Consumer Privacy Act (CCPA) and CPRA — for users in California
- Russian Federal Law 152-FZ "On Personal Data" — for users in Russia
- Polish Data Protection Act of 10 May 2018 (in conjunction with RODO) — for users in Poland
We extend the maximum protection of any of these regimes to all users.
What we collect
Automatically (cookies + server logs)
On every visit our server records:
- IP address — used for geolocation (language version selection), bot defense, aggregate statistics. Stored in logs for 30 days, then auto-deleted. The full IP is never sent to analytics — only the country code and an IP truncated at the last octet.
- User-Agent — browser and OS string, used to serve correct mobile/desktop layout and to compute aggregate statistics.
- Referer — the page you arrived from (including the search SERP).
- Visit time, pages viewed, session duration.
- Cookie consent token — a technical cookie storing your banner choice so we don't re-prompt.
Legal basis (GDPR Art. 6(1)(f)): legitimate interest — operating the site, defending against bots and DDoS, and basic statistics.
With your consent (analytics cookies)
If you click "Accept" in the cookie banner, we additionally load:
- Anonymous view stats (no cross-site tracking, no fingerprinting)
- Source referer + UTM tags
- Time on page, scroll depth
- CTA clicks (no user identification — only aggregate counters)
This data is retained in our analytics system for up to 14 months and then deleted automatically. You can withdraw consent at any time — see the "Cookies" section.
Legal basis (GDPR Art. 6(1)(a)): your explicit consent given via the cookie banner.
What we don't collect
- Names, emails, phone numbers (no registration on the site)
- Payment data (no purchases on site)
- Personal messages (no chat)
- Operator-side data (after /go/click you leave our site and our control ends)
- Biometrics, voice prints, or browser fingerprints
- Health data, political opinions, religion, or other special categories
Cookies
Three categories:
| Category | Purpose | Retention | Consent required |
|---|---|---|---|
| Necessary | Language, consent token, anti-bot | Up to 365 days | No (Art. 5(3) ePrivacy carve-out) |
| Analytics | View statistics and behaviour | Up to 14 months | Explicit consent required |
| Marketing | Not used | — | N/A |
Full inventory of specific cookies:
- cd_lang — language preference (necessary, 365 days)
- cd_consent — your cookie banner choice (necessary, 365 days)
- cd_session — anti-bot session token (necessary, browser session)
- _pa_id, _pa_ses — analytics (only after consent, 14 months and 30 minutes)
To withdraw consent, clear site cookies and localStorage in browser settings, or click "Manage cookie settings" in our footer.
Third-party data processors
We do NOT sell, rent, or share your data for marketing. We do, however, use the following processors to operate the site:
| Processor | Purpose | Data | Jurisdiction | Transfer safeguard |
|---|---|---|---|---|
| Cloudflare, Inc. | CDN, DDoS protection, edge logic | IP, User-Agent, requests | USA | EU SCC + Data Processing Addendum |
| Hetzner Online GmbH | Server hosting | Server logs | Germany (EU) | Inside EEA |
| Plausible Insights OÜ | Cookieless analytics | Anonymised IP, country | Estonia (EU) | Inside EEA |
Data Processing Agreements (DPA) are in place with each processor and available on request. Transfers outside the EEA (only Cloudflare) are protected by the European Commission's Standard Contractual Clauses 2021/914.
We disclose data to law enforcement only on a lawful basis (court order or criminal investigation). We log all such requests and notify the user where lawful.
Affiliate clicks
When you click a CTA /go/{slug}/ link, we record the click (aggregated, with no link to your IP — only a counter per slug). You then transit to the operator. From the moment of redirect, our site no longer controls your data — the operator's privacy policy applies. We recommend reading the operator's privacy policy before registering.
Retention schedule
| Data type | Retention | Basis |
|---|---|---|
| Server logs | 30 days | Attack defense, debugging |
| Cookie consent choice | 365 days | Avoid re-prompting |
| Analytics data | 14 months | Seasonal statistics |
| Email correspondence | 3 years | Statute of limitations |
| Legal inquiries | 7 years | Tax and legal recordkeeping |
After expiry, data is automatically deleted or anonymised.
Your rights
You have the right to:
- Access (GDPR Art. 15): request what data we hold about you. Since we do not identify users by name/email, identification is by IP — please indicate approximate visit dates and current IP.
- Rectification (Art. 16): request correction of inaccurate data.
- Erasure / "right to be forgotten" (Art. 17): request deletion. We action this within 30 days unless lawful grounds for retention exist.
- Restriction (Art. 18): request temporary suspension of processing.
- Portability (Art. 20): receive your data in machine-readable form (JSON).
- Object (Art. 21): object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)): revoke previously given consent at any time.
- Lodge a complaint with a supervisory authority: ICO (UK), CNIL (France), DPC (Ireland), UODO (Poland), Roskomnadzor (Russia), or the regulator in your country.
CCPA-specific rights for California residents:
- Right to know what personal information is collected
- Right to delete personal information held about you
- Right to opt out of sale (we do not sell — but you can confirm in writing)
- Right to non-discrimination for exercising rights
How to submit a request (precise procedure)
- Email privacy@casinodecoded.com with subject "Data Subject Request — [type]".
- Include: type of request (access/erasure/portability/objection), identifying data (current IP, visit dates, country), preferred response format.
- We confirm receipt within 5 business days.
- We may request additional verification data — never more than the law requires.
- Full response within 30 days (extendable to 60 days for complex requests with mandatory notice).
- The response is sent to the email address that originated the request.
Requests are processed free of charge. We may charge for repetitive or manifestly unfounded requests under GDPR Art. 12(5).
Data Protection Officer (DPO) contact
We are not formally required to appoint a DPO based on processing volume, but our privacy contact is privacy@casinodecoded.com. Requests are handled by an editor with formal GDPR training.
Complaints process
If you are unhappy with our response:
- Reply with "Escalation" in the subject — your message goes to the editor-in-chief.
- Lodge a complaint with the supervisory authority of your country:
  - UK: ICO (ico.org.uk)
  - Ireland: DPC (dataprotection.ie)
  - Germany: BfDI (bfdi.bund.de)
  - France: CNIL (cnil.fr)
  - Poland: UODO (uodo.gov.pl)
  - Russia: Roskomnadzor (rkn.gov.ru)
- Pursue judicial remedy in your country of residence.
Data security
Technical measures:
- TLS 1.3 on all connections
- HSTS with preload, CAA records
- Security headers (CSP, X-Frame-Options, Referrer-Policy strict-origin)
- Server access only via SSH keys with 2FA
- Backups encrypted (AES-256), stored in a separate jurisdiction
- Logs accessible only to editors (3 people), access is logged
Organisational measures: NDA with vendors, mandatory annual GDPR training, incident-response plan with regulator notification within 72 hours of breach.
Age
The site is for 18+ only. We do not knowingly collect data from minors. If such data is discovered, it is deleted immediately. Parents or guardians who discover that a minor has used the site can request deletion at privacy@casinodecoded.com with subject "Minor data".
Changes
Last updated: April 30, 2026. Change history is kept in our public wiki's git repository and available on request. Material changes (new processor, new data categories, retention changes) trigger a banner notification with a 14-day notice before they take effect.