Privacy Policy

Last updated: 4 May 2026.

Golden Crown Casino, operated by Golden Crown Playzone Entertainment (Willemstad, Curaçao), processes personal data of Australian residents under a privacy framework aligned with the Australian Privacy Principles and adapted for the Curaçao licensing context. Where Australian law and the operator's licensing obligations diverge, this policy defaults to whichever provides the stronger user protection. By creating an account and using the service you agree to the terms below; if you disagree with any part, do not register or use the service.

Headlines

TLS 1.3 encryption end-to-end. Card numbers tokenised through PCI-DSS Level 1 processors — full PAN never stored. Account and financial records retained 7 years. Marketing data deleted within 2 years of opt-out or last login. DPO contactable at [email protected] — first response within 5 business days, full response within 30 days.

What data does Golden Crown collect, and why?

Three categories: registration data needed to create the account and verify age; financial data needed to process deposits and withdrawals under anti-money-laundering rules; and gameplay data generated as you use the service. Each piece serves a specific operational or legal purpose, and the smallest dataset that fulfils the purpose is the dataset retained.

Registration data

  • Identity: full legal name, date of birth, gender (optional), nationality. Required to confirm age 18+ and eligibility under your home jurisdiction's gambling laws.
  • Contact: email address, phone number (optional), residential address. Required for account communication and AML compliance.
  • Credentials: username and password. Passwords are hashed with Argon2id — the operator cannot read your plaintext password and never will.
  • KYC documents: photo ID and proof-of-address scan, retained encrypted in an identity-verification vault kept separate from the gameplay database.

Financial data

  • Payment-method tokens: first 6 and last 4 digits of card numbers, never the full PAN. Crypto wallet addresses you have used for deposits or withdrawals. E-wallet account ID hashes.
  • Transaction history: deposit amount, withdrawal amount, currency, timestamp, method, status. Required for accounting, AML reporting, and dispute resolution.
  • Source-of-funds documentation: only collected when triggered by AML thresholds (AU$2,000 cumulative in 30 days, or AU$5,000 single deposit). Stored separately and accessed only by the AML team.

Gameplay and technical data

  • Session: games played, bets placed, wins, losses, session duration, login and logout timestamps.
  • Device fingerprint: IP address, browser version, operating system, screen resolution, time zone, language. Used for fraud detection and the duplicate-account check.
  • Bonus state: active bonuses, wagering progress, free-spin count, tournament leaderboard score.
  • Support transcripts: chat logs and email correspondence retained for 3 years for service-quality review and dispute resolution.

Who else sees your data?

Golden Crown does not sell personal data to third parties for marketing. Data is shared only with operational partners under contract, and only the minimum needed for each partner's role.

| Recipient category | Purpose | Data shared |
|---|---|---|
| Payment processors (PCI-DSS L1) | Deposit and withdrawal execution | Tokenised card data, transaction amounts, name, address |
| Game studios (Pragmatic, NetEnt, etc.) | Game delivery, RTP audit | Pseudonymised player ID, bet history |
| KYC verification provider | Document authenticity check | ID document image, address-proof image, name, DOB |
| Cloud hosting (encrypted at rest) | Database storage and backup | Full encrypted database; provider holds no decryption key |
| Curaçao Gaming Authority | Licensing audit | Aggregated transaction data; full account records on formal request only |
| Australian Transaction Reports and Analysis Centre (AUSTRAC) | AML reporting where applicable | Suspicious-matter reports for transactions meeting threshold |

How long is data kept?

Retention periods are tied to legal obligation rather than operator preference. The 7-year horizon on financial data reflects AU and Curaçao tax and AML record-keeping rules.

| Data category | Retention | Reason |
|---|---|---|
| Account registration | Account life + 7 years | AML, tax, dispute resolution |
| Financial transactions | 7 years from transaction | AUSTRAC and Curaçao licensing rules |
| Gameplay records | 5 years from session | Regulator audit, dispute resolution |
| KYC documents | 5 years post account closure | AML evidence retention |
| Marketing preferences | 2 years from opt-out or last login | Customer relationship management |
| Support transcripts | 3 years from interaction | Quality review, dispute evidence |
| Cookie analytics | Up to 24 months | Site performance and usability |

What cookies run on this site?

Four categories. Necessary cookies cannot be disabled without breaking core functionality. The other three are optional and managed via the cookie banner on first visit; preferences can be changed any time through the "Cookie settings" link in the footer.

  • Necessary: authentication tokens, session ID, CSRF protection, cart-equivalent state for the cashier. Always on.
  • Performance / analytics: page-load timing, error reporting, aggregate navigation paths. Anonymised by default. Used to fix bugs and improve speed.
  • Functional: language preference, last-played slot, favourite-game list, theme. Make the site personal across visits.
  • Marketing: retargeting and conversion attribution. Optional. Disabling them does not affect gameplay.

What are your rights as a player?

Eight rights, exercisable at any time by emailing [email protected] from the address registered to your account. The DPO acknowledges within 5 business days and provides a full response within 30 days. Identity verification is required before any rights request is actioned — typically a re-confirmation of registration details and one of the documents already on file.

  • Access: request a copy of all personal data held about you, in a readable format. Provided within 30 days.
  • Rectification: correct inaccurate data. Most fields self-serve in account settings; the DPO handles anything sensitive.
  • Erasure: request deletion. Subject to the 7-year financial-records retention obligation, which overrides the right for that specific data category until the period elapses.
  • Restriction: limit how your data is processed in specific circumstances (e.g. while disputing accuracy).
  • Portability: receive your data in a machine-readable format (JSON or CSV) suitable for transfer to another service.
  • Objection: opt out of marketing or of processing based on legitimate interests. Marketing opt-out is one click in account preferences.
  • Withdrawal of consent: for any consent-based processing, revoke at any time without affecting the lawfulness of prior processing.
  • Complaint to a supervisory authority: the Office of the Australian Information Commissioner (OAIC) for AU residents, or the equivalent body in your home jurisdiction.

Security measures

Encryption: TLS 1.3

All traffic encrypted in transit; database encrypted at rest.

  • HSTS preload list
  • Argon2id password hashing
  • Tokenised card data
  • Encrypted KYC vault

Access control: Least privilege

Role-based access; staff log every record they open.

  • 2FA mandatory for staff
  • Per-record audit log
  • Quarterly access reviews
  • Background-checked staff

Player tools: Account protection

Optional 2FA via authenticator app, login alerts, IP whitelist.

  • TOTP 2FA
  • Login email notifications
  • Withdraw-only IP lock
  • Biometric on mobile PWA

Testing: Audit cadence

Penetration test annually; bug-bounty programme open year-round.

  • Annual external pentest
  • Quarterly vulnerability scan
  • RNG audit by iTech Labs / eCOGRA
  • Bug-bounty contact in security.txt

International data transfer

Personal data may be processed outside Australia in the operational countries of the operator's payment processors, KYC verifier, and cloud hosting provider. Transfers happen under Standard Contractual Clauses or equivalent legal mechanisms ensuring an adequate protection level. The KYC vault is hosted within the European Economic Area; transactional data sits in a multi-region cloud architecture with at-rest encryption keys held by the operator alone.

Children's data

The service is for adults aged 18 and older. Age verification runs at registration and again at first KYC. If we learn a minor has registered, we suspend the account immediately, void all transactions, return verified deposits to the original payment source, and delete all personal information except the minimum needed to prevent re-registration. Notify [email protected] if you believe a minor has accessed the service.

Updates to this policy

Material changes are notified via email to the address registered to your account at least 30 days before the new terms apply. The "Last updated" date at the top of this page reflects the most recent revision. Trivial copy-edits and typo fixes do not trigger an email notification, but the dated revision history is available on request.

Contact the data protection officer

DPO direct line

Email: [email protected]
Subject prefix for fastest routing: "Privacy Request – [right invoked]"
First response: within 5 business days
Full response: within 30 days
Postal: Heelsumstraat 51, E-Commerce Park, Willemstad, Curaçao

Where to lodge a complaint about privacy handling

  • Operator first: [email protected] — formal response within 30 days.
  • Curaçao Gaming Authority: licensing-framework escalation — contact details shared on request.
  • Office of the Australian Information Commissioner (OAIC): oaic.gov.au, for AU residents whose privacy concerns are not satisfactorily resolved by the operator.
