Personal data collected

• Identity and contact details: name, date of birth, address, email, phone, identity documents.
• Account and verification data: username, passwords, KYC/AML checks, affordability evidence.
• Financial and transaction data: deposits, withdrawals, payment method details (tokenised where possible), bet history, balances.
• Technical data: device identifiers, IP address, browser type, operating system, network logs.
• Usage data: pages visited, time on site, games played, preferences, interaction logs.
• Safer gambling data: limits set, self-exclusion status, session data, risk indicators.
• Marketing and communications: preferences, opt-ins, records of communications.

Why data is collected

• To register, verify, and manage user accounts.
• To process payments, settle bets, and provide customer support.
• To comply with the UK Gambling Commission requirements, anti-money laundering and counter-terrorist financing laws, and tax and accounting rules.
• To monitor and promote safer gambling.
• To secure the websites and investigate fraud or misuse.
• To improve services through analytics and service testing.

Protection measures

• Encryption in transit and at rest for sensitive data.
• Role-based access controls, staff vetting, and multi-factor authentication.
• Regular security testing, vulnerability management, and audit logging.
• Vendor due diligence, data processing agreements, and ongoing monitoring.
• Incident response plans and, where required, breach notifications to users and the ICO.

Legal compliance

• UK GDPR and the Data Protection Act 2018.
• Privacy and Electronic Communications Regulations (PECR) for cookies and similar technologies.
• UK Gambling Commission Licence Conditions and Codes of Practice (LCCP) and the Money Laundering Regulations 2017.

User rights

• Access: request a copy of personal information.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion where no longer required or consent is withdrawn, subject to legal duties.
• Restriction and objection: limit or object to certain processing, including marketing.
• Portability: receive certain data in a structured, commonly used format.
• Complaint: raise concerns with the Information Commissioner’s Office (ico.org.uk).

Retention and deletion

• Data is kept only as long as needed for the purposes described or as required by law (for example, AML records typically up to 5 years after the relationship ends; financial records up to 6 years).
• When retention ends, data is securely deleted or anonymised.

How data is used

• Account setup and management, including age and identity verification.
• Processing deposits, withdrawals, bet placement, settlement, and account statements.
• Security, fraud prevention, chargeback management, and dispute handling.
• Compliance with UKGC, AML/CTF, sanctions screening, affordability assessments, and responsible gambling obligations.
• Customer support, service communications, and incident notifications.
• Personalisation of content, odds display, product recommendations, and settings.
• Analytics, service improvement, testing, and quality assurance.
• Marketing communications where consent has been given or where permitted by law, with opt-out controls.

Lawful bases for processing

• Contract: to deliver the online services you request.
• Legal obligation: to meet regulatory, AML, tax, and reporting duties.
• Legitimate interests: to secure systems, prevent fraud, and improve the websites and services, balanced against user rights.
• Consent: for certain marketing, cookies not strictly necessary, and optional features. Consent can be withdrawn at any time.

Processing is carried out in a lawful, fair, and transparent manner and is limited to the purposes stated above.

Access, update, or delete

• Submit a privacy request through Account settings or the support channels shown on the website.
• Identification may be required to protect accounts and personal information.
• A response will be provided within one month, or within any extended period permitted by law for complex requests.

Correction and deletion

• Update most details in Profile settings or contact support for assistance.
• Request deletion of personal data that is no longer needed or where consent is withdrawn. Certain records must be retained to meet legal and regulatory duties (for example, AML retention and financial records).

Security checks and payments

• By using Hand of Luck, users consent to necessary security checks and the processing of payment and verification data by payment providers and verification agencies for fraud prevention, age checks, and compliance.

• Services are for individuals aged 18 or over. Proof of age is required.
• Electronic age verification is performed and, in some cases, documents are needed. The operator cannot verify age without documents when these are required, and access may be restricted until checks are completed.
• If it is discovered that an account belongs to a minor, the account will be closed and personal data will be deleted where permitted by law.
• Parents or guardians can request deletion of a minor’s data through the support channels shown on the website. Proof of identity and relationship will be required.

• Personal data may be processed in other countries where service partners operate to provide hosting, payments, verification, support, analytics, or anti-fraud services for Hand of Luck.
• Using the site and services signifies consent to these transfers where consent is the appropriate legal basis. Suitable safeguards are applied, including UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or Standard Contractual Clauses with the UK Addendum.
• All partners are contractually required to protect confidentiality, ensure security, and process information only for documented purposes.
• Copies of relevant safeguards can be requested, subject to redactions for security and confidentiality.

• This policy forms part of the terms that govern the use of the services. A legal disclaimer may modify how certain rules apply, for example to reflect regulatory changes or to clarify responsibilities.
• The disclaimer applies when the user accepts this policy by signature, clicking to accept online, or by continuing to access the services.
• Nothing in this document limits statutory rights under consumer or data protection law. If any term is invalid under applicable law, the remainder continues to apply.

• Cookies are small files placed on devices to store settings and recognise users.
• They are used for statistics, behaviour analysis, personalisation, security, and to improve the websites and services.
• Non-essential cookies are used only after consent, managed through the cookie banner or preferences. Strictly necessary cookies operate to deliver core functionality.
• Standard retention is up to 1 year for non-essential cookies unless a shorter period is stated. Session cookies expire when the browser is closed.
• Users can manage cookies through site preferences and browser settings. Blocking certain cookies may affect functionality.

• Using Hand of Luck means full acceptance of this Privacy Policy and any updates.
• The current version published on the website prevails over any previous version. Material changes will be signposted on the site or by service message. Continued use after changes indicates acceptance of the updated document.

• Personal data may be shared where required by law, to resolve disputes, to enforce agreements, or to provide services through third parties such as payment processors, verification agencies, fraud prevention services, cloud hosting, analytics, auditors, and regulators.
• The main categories or lists of third parties are identified on the website. If a specific provider is not listed, users will be informed of the purpose and scope of sharing when required.
• Providing data constitutes consent where consent is the lawful basis (for example, for certain marketing or optional features). Each third party processes information under its own privacy policy. Appropriate contractual and security measures are applied before sharing.

• The websites may contain links to external sites that have their own privacy policies and security practices.
• The operator is not responsible for how external websites collect, use, or protect personal information. Users should review the privacy terms of any external site before providing information.
• Exercise caution when leaving the service and verify that the destination website is trusted and secure.