Legal
Data Retention Schedule
Per-data-type retention periods. Why each period applies, when the clock starts, and what happens at the end.
Last updated
1. How to read this page
Each row below lists a category of data, the period we retain it, when the retention period starts running, and the lawful basis for that period.
“Active retention” means the data sits in our production systems and is available to internal users with a legitimate need. “Backup retention” means the data may persist in encrypted backups for a further period.
2. Schedule
| Category | Active retention | Backup retention | Clock starts | Basis |
|---|---|---|---|---|
| Account record (email, username) | 7 years | 90 days | Account closure | AML / Terms |
| KYC documents (ID, selfie, proof of address) | 7 years | 90 days | Account closure or last KYC refresh | Curaçao AML law |
| Source-of-funds / source-of-wealth documents | 7 years | 90 days | Account closure | Curaçao AML law |
| Financial transactions (deposits, withdrawals) | 7 years | 90 days | Date of transaction | Curaçao AML law, tax law |
| Crypto addresses linked to account | 7 years | 90 days | Account closure | AML, fraud prevention |
| Bank wire records (counterparty, amount, reference) | 7 years | 90 days | Date of transaction | Banking regulations |
| Hand histories | 7 years | 90 days | Date of hand | Game integrity |
| Tournament records | 7 years | 90 days | Date of tournament | Game integrity, tax |
| Chat messages at the table | 2 years | 90 days | Date of message | Game integrity, harassment investigations |
| Support tickets and email correspondence | 5 years | 90 days | Closure of ticket | Operational, legal-defence |
| Sign-in events and IP addresses | 2 years | 90 days | Date of event | Fraud / account-takeover |
| Geolocation events | 2 years | 90 days | Date of event | Sanctions, restricted-country enforcement |
| Responsible-gambling limits and changes | 7 years | 90 days | Account closure | Regulatory |
| Self-exclusion records | Permanent (irrevocable list) | n/a | Date of self-exclusion | Player protection |
| AML alerts and case files | 7 years | 90 days | Closure of case | Curaçao AML law |
| Suspicious activity reports (SARs) filed | 7 years | 90 days | Date of filing | Curaçao AML law |
| Marketing consent records | Lifetime of account + 3 years | 90 days | Withdrawal of consent | Demonstrating consent |
| Email-marketing opens / clicks | 13 months | 90 days | Date of event | Legitimate interests |
| Server access logs (raw) | 90 days | 90 days | Date of log line | Security |
| Server access logs (aggregated) | 13 months | 90 days | Date of log line | Security |
| Cookies on your browser | per Cookie Policy | n/a | First set | per Cookie Policy |
3. Self-exclusion is permanent
The self-exclusion list itself is retained indefinitely so that we cannot re-open the account by accident. Beyond the list entry — a hash of the player’s identity — no other personal data is held longer than the periods above.
4. Backups
We maintain encrypted, off-site backups for disaster-recovery purposes. Backups roll on a 90-day cycle: any record deleted from active systems is gone from backups within 90 days of the production deletion.
5. Right to erasure
You can ask us to delete your data. Where the request conflicts with an active retention obligation (most commonly AML or tax), we will explain the conflict, delete what we can, and isolate the rest under strict access controls until its retention period ends. See the Privacy Policy for details.
6. Changes
Material changes to this schedule are posted at least seven (7) days before they take effect.