Privacy Policy

Last updated: 4 May 2026 (AEST). Effective from: 4 May 2026.

Golden Crown Casino, operated by Golden Crown Media B.V. (registered office: Schottegatweg Oost 10, Willemstad, Curaçao), is the data controller for personal information processed through this website. This policy explains what we collect, why we collect it, how long we keep it, who we share it with, and what rights you have. We have written it for clarity, not for legal performance art.

By creating an account or playing on the site, you agree to the data practices described below. If anything here is unclear, email [email protected] — we respond inside 30 days as required by the Australian Privacy Principles and the EU General Data Protection Regulation.

What information do we collect?

Three categories: information you provide, information collected automatically, and information from third parties (KYC services, payment processors, fraud-detection partners).

Personal information you provide

At account registration and during play, we collect:

  • Full legal name and date of birth (age verification, AML compliance).
  • Email address and mobile number (account contact, 2FA delivery).
  • Residential address (KYC, geolocation cross-check).
  • Username and password — passwords are hashed with Argon2id, never stored in plaintext.
  • Government-issued identity document (passport, driver's licence, national ID).
  • Payment method details — card numbers tokenised at the PCI-DSS Level 1 acquirer; we hold last-4 digits only.
  • Proof of address documents (utility bill, bank statement) within the 90-day freshness window.
  • Source-of-funds documents for single transactions over AU$2,000 or a cumulative monthly total over AU$10,000.
  • Communication preferences (marketing opt-in or opt-out, language, notification channels).

Information collected automatically

Our systems log technical and behavioural data for security, fraud detection and platform improvement:

  • IP address and geolocation derived from it (country and approximate region only).
  • Device type, operating system version, browser engine and version.
  • Screen resolution, language, timezone (for layout adaptation).
  • Pages visited, time on each page, click and tap events.
  • Game sessions — title, bet size, spin count, session duration, opening/closing balance.
  • Transaction history with timestamps in UTC and AEST.
  • Login attempts (success and failure) with IP and device fingerprint.
  • Marketing campaign tracking (UTM parameters from inbound links).

Cookies and tracking technologies

Cookies are small data files your browser stores. We use four categories — full breakdown in the Cookies section below. Disabling all cookies will prevent the site from working; you can selectively disable analytics and marketing cookies without breaking gameplay.

How do we use your information?

Each processing purpose has a lawful basis under GDPR (Article 6) and a parallel basis under the Australian Privacy Principles. We do not process for purposes beyond what's listed.

Service delivery and account management

Creating and maintaining your account, processing gameplay, handling deposits and withdrawals, providing customer support. Lawful basis: contract performance (GDPR Art. 6(1)(b)); APP 6 use for primary purpose.

Legal and regulatory compliance

Curaçao Gaming Authority licence conditions require KYC, AML monitoring, transaction record retention and responsible-gambling intervention triggers. AUSTRAC's framework applies to AU-targeted operations for transaction reporting at threshold limits. Lawful basis: legal obligation (GDPR Art. 6(1)(c)).

Marketing and communications

With your explicit opt-in, we send promotional emails about welcome offers, reload bonuses, tournament invites and new game launches. You can withdraw consent any time through the unsubscribe link or account settings. Transactional emails (deposit confirmation, withdrawal status, KYC outcome, security alerts) continue regardless of marketing preferences. Lawful basis: consent (GDPR Art. 6(1)(a)) for marketing; legitimate interest (Art. 6(1)(f)) for transactional.

Platform improvement and security

Aggregated analytics inform game catalogue decisions and UX changes. Real-time fraud monitoring flags unusual login patterns, deposit-and-withdrawal cycling, multi-account behaviour. Lawful basis: legitimate interest (GDPR Art. 6(1)(f)), with the legitimate-interest balance documented internally.

Who do we share your information with?

We do not sell personal data. We share with categories of third parties who support service delivery, regulatory compliance or legal process — and only what's needed for their function.

Service providers and business partners

  • Payment processors — card acquirer, crypto on-ramp partners, bank transfer rail. Receive transaction data only.
  • Game providers — Pragmatic Play, NetEnt, Hacksaw, Nolimit, ELK, Push, Quickspin, Play'n GO, Evolution. Receive session data for game integrity and RTP calibration; no PII.
  • KYC verification services — confirm document authenticity and address validity. Receive document images and personal details, retain per their own retention windows.
  • Cloud hosting — EU-based and AU-based hosting infrastructure. Encrypted at rest, encrypted in transit.
  • Customer support tooling — chat platform and email ticketing. Receive support-conversation content.
  • Marketing platforms — only where you've opted into marketing. Email service provider, attribution analytics.

All processors operate under written data-processing agreements that mandate equivalent data-protection standards.

Legal and regulatory disclosure

We disclose information when required by law, court order, regulatory directive or government investigation. This includes responding to AUSTRAC requests within the AML framework, Curaçao Gaming Authority audits, and civil-court subpoenas. We notify you of disclosure where the disclosing law or order permits it.

Business transfers

If Golden Crown Media B.V. is involved in a merger, acquisition or asset sale, your data may transfer to the new entity. You'll be notified at least 30 days before the transfer takes effect, with the opportunity to delete your account before transition.

How do we secure your information?

Technical safeguards

  • TLS 1.3 enforced site-wide. Certificate scoring A+ on SSL Labs (last verified 22 April 2026).
  • Argon2id password hashing — never plaintext, never a weak, fast hash such as MD5 or SHA-1.
  • Card data tokenised at the PCI-DSS Level 1 acquirer; only last-4 digits stored on our side.
  • Firewall and DDoS mitigation at edge.
  • Annual third-party penetration testing.
  • Intrusion detection and 24/7 SOC monitoring.
  • Storage encrypted at rest using AWS S3 server-side encryption; data in transit encrypted via TLS 1.3.
  • Encrypted backups retained per the regulatory retention window.

Organisational safeguards

Access to personal data is restricted by role and reviewed quarterly. Staff sign confidentiality undertakings on hire and complete annual data-protection training. Privileged-access actions are logged and audited. We maintain an incident-response runbook and rehearse it semi-annually.

Payment security

Card details are tokenised. We do not store full PANs, CVVs or magnetic-stripe data anywhere on our systems. Crypto deposit and withdrawal addresses are stored hashed against your account; on a withdrawal we surface the stored address but never the private key (we never have it).

How long do we keep your data?

Retention periods vary by data category and the regulation that applies.

  • Account profile (name, address, contact): active account life + 7 years (Curaçao gaming licence and AUSTRAC equivalent retention).
  • KYC documents: 7 years from KYC completion or last account activity, whichever is later.
  • Transaction records (deposits, withdrawals, gameplay): 7 years from transaction date.
  • Marketing preferences and consent records: until withdrawn plus 3 years for proof-of-consent.
  • Support conversation history: 5 years from interaction.
  • Server logs (IP, device, behavioural): 13 months rolling, then aggregated and anonymised.
  • Cookies: per-cookie expiry; full table in the Cookies section.
  • Self-exclusion records: permanently retained to enforce the exclusion across re-registration attempts.

After account closure, retention reverts to the legal floor (typically 7 years for transaction records). Beyond that floor, data is deleted from production systems within 90 days.

What rights do you have?

You have the rights below under both GDPR and the Australian Privacy Principles. Exercise them by emailing [email protected] from your registered address. We respond inside 30 days; complex requests can extend by an additional 30 days with notice to you.

Access and portability

Request a copy of your personal data. We provide a structured export (JSON or CSV) covering profile, transactions, gameplay history, support conversations and consent records. Most data is also viewable live in your account dashboard.

Correction and updates

Update most personal details directly in account settings. For data you cannot edit yourself (KYC document images, registration date), email [email protected] and we'll correct after re-verification.

Deletion and erasure

Request account deletion. We erase non-mandatory data within 90 days. Mandatory retention data (transaction records, KYC documents) sits in a locked archive for the regulatory retention period, then deletes automatically. Self-exclusion enforcement data is retained indefinitely and is not erasable on request.

Marketing opt-out

Unsubscribe via the link in any marketing email or through Account → Communication Preferences. Opt-out takes effect inside 24 hours; transactional emails continue. Withdrawing consent does not affect lawful processing prior to withdrawal.

Objection and restriction

Object to specific processing activities or request restriction. We assess objections case-by-case; where a legal obligation or compelling legitimate interest applies, we may continue processing with notice to you.

Right to lodge a complaint

EU residents may complain to their national supervisory authority. Australian players may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. We encourage you to contact us first so we can address the issue directly.

Cookies — four categories and how to manage them

Cookies are managed via a consent banner on first visit. You can change preferences anytime via the "Cookie Settings" link in the footer.

Essential cookies

Required for basic operation — login session, security tokens, geolocation, cashier state. Cannot be disabled without breaking the site. Lifetime: session to 24 hours.

Functional cookies

Preferences — language, theme, last-visited game, autoplay state, reality-check interval. Improve usability; not strictly necessary. Lifetime: 90 days.

Analytics cookies

Aggregate behavioural analytics — page popularity, navigation paths, drop-off points. We use a privacy-preserving analytics setup (no third-party data sharing for advertising). Lifetime: 13 months. Optional.

Marketing cookies

Campaign attribution and re-engagement messaging. Set only after marketing consent. Lifetime: 90 days. Optional.

Managing cookie preferences

Browser-level settings let you block or delete cookies — typically under Settings → Privacy. Most browsers offer "block third-party cookies" as a default. Mobile platforms (iOS, Android) offer per-app tracking controls. Note: blocking essential cookies will prevent login.

The site contains links to external sites — game studios' info pages, regulators, responsible-gambling resources (BeGambleAware, Gambling Help Online, BetStop). Those operators have their own privacy policies, which we do not control. Review their policies before sharing personal information on their domains.

Children's privacy

Golden Crown is for adults 18 or older. We do not knowingly collect personal data from anyone under 18. Age verification at registration cross-checks date of birth against the KYC document. If we discover an account belongs to a minor, we close the account immediately, refund verifiable real-money deposits and erase associated data beyond the legal-retention floor. Parents or guardians who believe a child has accessed the site should email [email protected] immediately.

International data transfers

Your data may be processed outside Australia — in Curaçao at the operator's registered office, in EU data centres for cloud hosting, and at processor locations specified in our data-processing agreements. We rely on Standard Contractual Clauses (SCCs) for EU-onward transfers and equivalent contractual safeguards for other jurisdictions. Where a recipient country lacks an adequacy decision, we apply additional technical and organisational measures (encryption in transit and at rest, pseudonymisation where practical).

Changes to this policy

We update this policy periodically — typically when regulation changes, when we add or remove processors, or when we change retention periods. Material changes are notified to you by email and via a banner on the site at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent change. Continued use after a notified change indicates acceptance.

Contact us about privacy

Privacy queries, rights requests and complaints route to a dedicated privacy team. We respond within 30 days under both GDPR and APP timelines.

Privacy contact

  • Email: [email protected]
  • Subject line format: Privacy Request — [Username] — [Type of request]
  • Response window: 30 days (extendable by 30 days for complex requests, with notice)
  • Postal address: Data Protection Officer, Golden Crown Media B.V., Schottegatweg Oost 10, Willemstad, Curaçao
  • Alternative: live chat for urgent issues; chat agents can flag privacy escalations to the team

When you contact us about privacy, include your registered username and email address. We may ask additional identity-verification questions before processing rights requests, to prevent unauthorised disclosure.

Australian Privacy Principles

For Australian players, our processing is aligned with the Australian Privacy Principles (APPs) under the Privacy Act 1988. Key alignment points:

  • APP 1 — open and transparent management; this policy is the public artefact.
  • APP 5 — notification at collection (registration form and KYC submission).
  • APP 6 — use for primary purpose only; secondary use only with consent or legal basis.
  • APP 8 — cross-border disclosure with contractual safeguards (SCCs).
  • APP 11 — security of personal information; covered above.
  • APP 12 and 13 — access and correction; covered under Your Rights.

Australian players who believe we've breached APP obligations may complain to the Office of the Australian Information Commissioner. We'd appreciate the chance to address concerns directly first via [email protected].

Responsible gambling and privacy

We monitor gameplay patterns for indicators of harm — sustained loss-chasing, sudden bet-size escalation, session length beyond the platform's reality-check thresholds. If indicators trigger, the responsible-gambling team may contact you to discuss tools available. This processing is mandatory under Curaçao licence conditions and AU regulatory expectations; the lawful basis is legal obligation, not legitimate interest.

Self-exclusion and time-out requests are handled confidentially. They are recorded in a locked register that we retain permanently to enforce the exclusion if you attempt to re-register. Self-exclusion data is shared with BetStop's national register where you've opted into that cross-operator exclusion.
