Privacy Policy

Koru Casino is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our services, in full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.

Who We Are

Koru Casino, accessible at korucasino.biz, operates as an online gaming platform offering casino games, promotions, and related services to users in the United Kingdom. We act as the data controller for the personal data we collect through our website, mobile applications, customer support channels, and affiliate programs.

Our registered office is located in the United Kingdom, and we are licensed and regulated by the UK Gambling Commission under license number [insert license number if applicable]. As the controller, we determine the purposes and means of processing your personal data. For any privacy-related queries, please contact our Data Protection Officer (DPO) at [email protected].

We have appointed a dedicated DPO to oversee compliance with data protection laws, handle complaints, and respond to your rights requests. Our DPO ensures that all processing activities align with principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality as mandated by Article 5 of the UK GDPR.

This policy was last updated on March 19, 2026. We may update it periodically to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or a prominent notice on our platform.

Lawful Basis for Processing

We process your personal data only where we have a valid lawful basis under Article 6 of the UK GDPR. Common bases include:

  • Consent: Where you explicitly agree to receive marketing communications or share special category data.
  • Contract: Necessary for performing our agreement, such as verifying your identity for account creation or processing deposits.
  • Legal Obligation: Complying with UK Gambling Commission requirements, anti-money laundering (AML) regulations under the Proceeds of Crime Act 2002, and age verification under the Gambling Act 2005.
  • Legitimate Interests: For fraud prevention, site security, and analytics, balanced against your rights via a Legitimate Interests Assessment (LIA).
  • Vital Interests or Public Task: Rarely applicable but used if needed for emergencies or regulatory duties.

For special category data (e.g., health data for responsible gambling), we rely on explicit consent under Article 9 or legal obligations related to gambling regulations.

Under the Data (Use and Access) Act 2025 (DUAA), we incorporate "recognised legitimate interests" as a refined basis for certain processing, ensuring safeguards like transparency notices.

Data We Collect

We collect personal data to provide our services securely and responsibly. This includes:

Identity and Contact Data: Name, date of birth, address, email, phone number, and government-issued ID details (e.g., passport, driving license) for Know Your Customer (KYC) verification.

Financial Data: Payment details, bank account info, card numbers (tokenized), transaction history, and deposit/withdrawal records. We do not store full card details post-tokenization.

Technical Data: IP address, device type, browser info, operating system, location data (approximate via IP), cookies, and usage logs.

Profile and Usage Data: Username, password (hashed), game preferences, betting history, session duration, deposits, withdrawals, bonuses claimed, and self-exclusion preferences.

Marketing and Communications Data: Preferences for promotions, newsletters, and survey responses.

Special Category Data: Health or vulnerability indicators (e.g., if you use self-exclusion tools), financial vulnerability flags under UK Gambling Commission Licence Conditions and Codes of Practice (LCCP).

Data from Third Parties: Credit reference agencies for affordability checks, fraud prevention services (e.g., Experian, LexisNexis), and payment processors.

We minimize data collection to what is essential. If you fail to provide mandatory data (e.g., for registration), we may not create your account or process transactions.

How We Collect Data

Directly from You: During registration, deposits, withdrawals, support tickets, live chat, or marketing opt-ins.

Automatically: Via cookies, analytics tools (e.g., Google Analytics), server logs, and tracking pixels.

From Third Parties: Affiliates, payment gateways (e.g., Visa, Mastercard), verification providers, and public sources for KYC.

For children under 18, we prohibit access and delete any inadvertently collected data, complying with UK GDPR age-appropriate protections.

Why We Use Your Data

We use your data for specific, transparent purposes:

Account Management: To create and manage accounts, verify identity, and enable gameplay (legal basis: contract).

Transactions: Process deposits, withdrawals, and refunds securely (legal basis: contract, legal obligation).

Responsible Gambling: Monitor play patterns, offer self-exclusion via GAMSTOP integration, and conduct affordability checks (legal basis: legal obligation, legitimate interests).

Security and Fraud Prevention: Detect suspicious activity using AI-driven tools, conduct AML checks (legal basis: legitimate interests, legal obligation under Money Laundering Regulations 2017).

Customer Support: Respond to queries via email, chat, or phone (legal basis: contract, legitimate interests).

Marketing: Send personalized promotions if consented (legal basis: consent). You can withdraw consent anytime.

Analytics and Improvement: Aggregate anonymized data for site optimization (legal basis: legitimate interests).

Compliance: Report to regulators, respond to law enforcement (legal basis: legal obligation).

Under DUAA updates effective February 2026, we use automated decision-making (ADM) for fraud detection with human oversight, rights to challenge, and representations as per new Articles 22A-22D UK GDPR.

International Transfers

Data may be transferred outside the UK (e.g., to servers in the EU or licensed processors). We ensure adequacy decisions or safeguards like Standard Contractual Clauses (SCCs), Transfer Risk Assessments (TRAs), and the UK's streamlined IDTA/Addendum.

No transfers to countries lacking "adequate" status occur without these protections.

Data Sharing

We share data only where necessary:

  • Service Providers: Hosting (e.g., AWS), payments (e.g., Stripe), verification (e.g., Onfido), analytics.
  • Regulators: UK Gambling Commission, ICO complaints.
  • Law Enforcement: For AML or legal requests.
  • Affiliates: For joint promotions (with consent).
  • Business Transfers: In mergers, with notice.

All recipients are UK GDPR-compliant via contracts.

Data Security

We implement technical and organizational measures: encryption (AES-256), firewalls, two-factor authentication (2FA), regular penetration testing, and pseudonymization. Access is role-based.

In the event of a breach, we notify you and the ICO within 72 hours per Article 33 UK GDPR.

Data Retention

We retain data only as long as necessary:

  • Account data: Duration of relationship + 5-6 years for legal/AML (Gambling Act 2005).
  • Transaction records: 6 years post-transaction.
  • Marketing data: Until opt-out + 30 days.
  • Cookies: Session-based or 2 years max.

Afterwards, data is anonymized or securely deleted. Retention criteria include purpose, legal holds, and statutory limitation periods.

Your Rights

Under UK GDPR Chapter 3 and DUAA updates, you have the following rights:

  • Access: Confirm processing and receive copies (Article 15).
  • Rectification: Correct inaccuracies (Article 16).
  • Erasure: 'Right to be forgotten' where no overriding grounds (Article 17).
  • Restriction: Limit processing during disputes (Article 18).
  • Portability: Receive structured data (Article 20).
  • Object: To legitimate interests/marketing (Article 21).
  • Withdraw Consent: Anytime without affecting prior processing.
  • Complain: New DUAA right from June 2026; we acknowledge in 30 days.
  • Automated Decisions: Challenge significant ADM (Articles 22A-22D).

Submit requests via [email protected]; we respond within 1 month (extendable). ID verification pauses the clock per new Article 12A.

Complaints Handling

Per the DUAA mandatory regime (effective June 2026), submit complaints to [email protected]. We acknowledge within 30 days, resolve 'without undue delay', and inform you of ICO referral rights.

Cookies and Tracking

We use cookies for functionality, analytics, and advertising. Essential cookies are exempt; others require consent via our banner.

  • Essential: Session management.
  • Performance: Google Analytics (anonymized IP).
  • Marketing: Retargeting.

Manage cookies via your browser or our tool. See our Cookie Policy for details.

Third-Party Links

Our site links to third parties (e.g., payment processors). We are not responsible for their privacy practices.

Responsible Gambling and Vulnerability

As a UKGC licensee, we prioritize player protection. Data on play patterns helps identify risks; we offer tools like deposit limits, reality checks, and GAMSTOP. Vulnerability data is processed under legal obligations and explicit consent.

Changes to Policy

We review this policy annually or when the law changes. Major updates are notified 1 month in advance.

Contact Us

For questions, rights exercises, or DPO: [email protected].
