Privacy policy
This is our Privacy Policy in full — written the same way we’d explain it to a friend, not buried in legalese. It covers everything we collect, why we collect it, who we share it with, how long we keep it, and the rights you have to control all of it.
If you read nothing else, read this: we do not sell your data, we encrypt what matters, and you can delete your account or ask us for a copy of your data at any time. The email is [email protected].
Who we are and what this policy covers
This Privacy Policy explains how Spinago Casino (“Spinago,” “we,” “our,” or “us”) collects, uses, stores, and shares personal information about you when you visit auspinago.com, use the Spinago mobile apps, or interact with our support team.
We take privacy seriously — not because we have to, but because trust is the foundation of an online casino relationship. You share sensitive financial and identity data with us to play, and we owe you clarity about what happens to that data after it leaves your device.
Spinago operates under a gaming licence issued by Curaçao eGaming. Where applicable, we also comply with the Australian Privacy Act 1988 (including the Australian Privacy Principles), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA/CPRA). If any conflict arises between this policy and mandatory local law, the local law applies to you.
What information we collect
We only collect what we genuinely need to run the casino, process your transactions, and comply with our legal obligations. Here is everything we may collect, grouped by category:
Account and identity data — full name, date of birth, residential address, nationality, email address, phone number, chosen username and password (passwords are stored as one-way salted hashes; we never see them in plain text).
KYC verification data — scanned copies of government-issued ID (driver’s licence, passport, or national ID), proof of address (utility bill or bank statement issued within the last three months), and, where required, a selfie verification check. This data is mandatory under anti-money-laundering regulations.
Financial data — payment method details (the last four digits of your card, your PayID handle, or cryptocurrency wallet address), transaction history, balance, wagering activity. Full card numbers never touch our servers — they are handled directly by our PCI-DSS compliant payment processors.
Gameplay and behavioural data — which games you play, session duration, bet sizes, wins and losses, bonus activity, and actions you take within the app. We use this to improve the product and, more importantly, to detect signs of problem gambling so our responsible gaming team can check in with you.
Device and technical data — IP address, browser type and version, device identifiers, operating system, screen resolution, referral source, and cookies (see Section 08).
Communications data — emails, live chat transcripts, and support tickets. Calls to our support line, if any, may be recorded for quality and training purposes (you will be told at the start of the call).
How we use your information
We use the data above for six specific purposes, and not for anything else:
1. Running your account. Opening, verifying, maintaining, and securing your Spinago account. Processing deposits, withdrawals, bonus credits, and gameplay.
2. Legal compliance. Meeting our obligations under gaming licence conditions, anti-money-laundering law, tax reporting, responsible gambling regulation, and any valid court order or regulatory request.
3. Fraud and security. Detecting duplicate accounts, fraudulent transactions, account takeover attempts, bonus abuse, and illegal activity. Some of this is automated; significant decisions get human review.
4. Customer support. Answering your questions, resolving disputes, processing refunds, and following up on any issues you raise.
5. Responsible gambling. Monitoring for patterns that may indicate gambling harm and offering proactive support — deposit-limit prompts, cool-off reminders, and direct outreach from our safer-gambling team where warranted.
6. Product improvement and limited marketing. Understanding how the product is used so we can make it better. If you opt in, we also send you promotional emails and push notifications about bonuses, tournaments, and new games. You can unsubscribe any time — one click in the email footer, or in your account settings.
Legal basis for processing (GDPR players)
If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with GDPR-equivalent rules, we rely on the following legal bases:
Contract. Processing necessary to provide the casino service you signed up for (running your account, handling your deposits and withdrawals, delivering gameplay).
Legal obligation. Processing required to comply with anti-money-laundering law, responsible gambling rules, tax law, and regulator directives.
Legitimate interests. Fraud prevention, security monitoring, product analytics, and internal reporting. We’ve weighed our interest in doing these against your privacy rights and believe the processing is proportionate and expected.
Consent. Marketing emails, promotional push notifications, and any non-essential cookies. You can withdraw consent at any time without affecting the lawfulness of processing that happened before you withdrew it.
How long we keep your data
Different data has different retention periods, driven mostly by legal obligations rather than our preference.
KYC documents and transaction records — kept for 7 years after your account is closed, as required by anti-money-laundering law.
Account and gameplay data — kept for 5 years after your account is closed, or longer where a dispute or investigation is open.
Support communications — 24 months after the ticket is closed.
Marketing preferences and consent records — until you withdraw consent, plus a small archive kept as proof that consent was given.
Server logs and analytics — typically 12–18 months, then deleted or anonymised.
When retention ends, we delete the data securely or irreversibly anonymise it so it can no longer be linked back to you.
Your rights and how to use them
Depending on your location, you have some or all of the following rights over your data. To use any of them, email us at [email protected] — we respond within 30 days at the latest, faster where we can.
Access. Ask for a copy of the personal data we hold about you. We’ll send it in a readable format within the response window.
Correction. Tell us if anything is wrong or out of date. Most basic details you can also update yourself in account settings.
Deletion. Ask us to erase your data. We can do this where no legal retention obligation applies — for example, after the 7-year AML window has passed, or for optional data like marketing preferences.
Restriction. Ask us to pause processing of your data while a dispute or correction is being resolved.
Portability. Ask for a machine-readable export of data you provided to us, so you can move it to another service.
Objection. Object to processing based on our legitimate interests, including direct marketing. For marketing specifically, you can also unsubscribe directly from any email.
Withdraw consent. Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing that happened before you withdrew it.
Complaint to a regulator. You can lodge a complaint with your local data protection authority if you believe we’ve handled your data improperly. In Australia, this is the Office of the Australian Information Commissioner (OAIC); in the EU, your national data protection authority; in the UK, the ICO.
How we protect your data
We use industry-standard security practices — not marketing language, actual technical measures — to protect the data you give us.
Encryption in transit. Every page load, API call, and payment uses 256-bit TLS encryption.
Encryption at rest. Sensitive data (KYC documents, transaction records, password hashes) is encrypted on our servers using AES-256 or equivalent.
Access control. Staff access to personal data is limited by role. Access is logged and reviewed. Developers do not access production data without a documented reason and approval.
Infrastructure security. We use reputable cloud providers with SOC 2 and ISO 27001 certifications, run vulnerability scans, and patch known issues on a defined schedule.
Payment security. Card numbers and CVVs never touch our servers. Payment data is tokenised and handled by PCI-DSS Level 1 compliant processors.
No system is perfectly secure. If a data breach ever occurs that may affect you, we will notify you and the relevant regulator without undue delay, in line with applicable law.
Age restriction
Spinago is strictly for adults 18 years or older. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected information from a minor, we will delete that data and close the associated account immediately.
If you are a parent or guardian who believes a minor has registered on Spinago, email [email protected] and we’ll act on it the same day.
Changes to this policy
We may update this policy from time to time — for example, when we add new features, change a processor, or respond to new regulation. The latest version is always on this page, with the effective date at the top.
For material changes, we’ll notify you by email and with an in-app banner at least 30 days before the new terms take effect. You’ll have time to review the changes and, if you disagree, close your account before they apply.
Minor clarifications (fixing typos, rewording for clarity) take effect immediately and are logged in our internal change register.
Contact us
Privacy questions, requests to use your rights, or complaints — use any of the channels below. We respond to all privacy correspondence within 30 days, usually within a few business days.
Email: [email protected]
General support: [email protected] (live chat is available 24/7 on every page of the site)
Postal address: Provided on request through the email address above.
For questions unrelated to privacy — payments, gameplay, responsible gambling, bonuses — live chat is the fastest route and staffed around the clock by real people.
For any questions about this Privacy Policy or your personal data, email [email protected]. We respond to every message.
18+ only. Gambling can be addictive — please play within your means. Support: 1800 858 858 · betstop.gov.au.