This Privacy Policy explains how the casino brand Book Of Dead (the operator) collects, uses, stores, and protects personal data of individuals in the United Kingdom. The document details data handling practices in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation. Transparency regarding processing activities is maintained to inform players about lawful bases, compliance obligations, and account management procedures. The policy outlines security measures implemented to safeguard information and describes the administrative framework governing data access, correction, and deletion requests. This document serves as the official record of the brand's data processing operations for all registered players and visitors.
Categories of Personal Data Collected and Processed
The operator processes several categories of personal data during account registration, gameplay, and ongoing compliance activities. Registration details include full name, date of birth, residential address in the United Kingdom, email address, and telephone number. Identification data comprises copies of passports, driving licences, or other government-issued documents collected for age verification and anti-money laundering checks. Transactional information includes deposit amounts, withdrawal records, payment method details, and betting history associated with Book Of Dead casino account activity. Technical data encompasses internet protocol addresses, device identifiers, browser types, operating system versions, and session timestamps collected via cookies and server logs. Compliance-related records involve source of funds documentation, affordability assessments, self-exclusion registers, and correspondence with regulatory authorities such as the UK Gambling Commission.
Additional categories include communications data from customer support interactions, recorded telephone calls for quality monitoring, and responses to responsible gambling questionnaires. The operator does not process special category data such as health information unless voluntarily provided by the player in the context of harm prevention measures. All data collection occurs through direct input during account creation, automated collection via website interactions, and verification procedures initiated by the compliance team. The brand ensures that minimal necessary information is requested for lawful processing purposes.
Lawful Bases for Data Usage and Processing Operations
Processing of personal data is conducted on the following lawful bases: consent, contractual necessity, legal obligation, and legitimate interest. Consent is obtained for marketing communications and optional profiling activities, with withdrawal rights exercisable at any time. Contractual necessity applies to account operation, transaction processing, and game functionality provision. Legal obligation covers compliance with the UK Gambling Commission licence conditions, the Money Laundering Regulations 2019, and tax reporting requirements. Legitimate interest is relied upon for fraud detection, network security, and business analytics that do not override individual privacy rights.
| Processing Purpose | Lawful Basis | Data Categories Used |
|---|---|---|
| Identity verification | Legal obligation | Identification documents, date of birth |
| Transaction settlement | Contractual necessity | Payment details, account balances |
| Responsible gambling monitoring | Legal obligation | Deposit history, time spent, self-exclusion flags |
| Risk and security analysis | Legitimate interest | Technical data, behavioural patterns |
Data usage includes processing to determine eligibility for promotions such as 60 free spins no deposit Book Of Dead offers, subject to fulfilment of applicable terms. The operator also uses data to detect patterns associated with problem gambling or suspicious activity. Automated decision-making is employed for risk scoring during payment processing, with manual reviews available upon request.
Data Storage Infrastructure, Security Controls, and Retention Schedules
Personal data is stored on servers located within the European Economic Area and the United Kingdom. Encryption methods include Transport Layer Security for data in transit and AES-256 for data at rest. Access controls are implemented through role-based permissions, multi-factor authentication for administrative accounts, and regular audit logging of user actions. Physical security measures include restricted access to data centres, environmental monitoring, and backup power systems.
Retention periods are defined by regulatory requirements and operational necessity. Player account data is retained for the duration of the account plus six years following closure to comply with financial record-keeping obligations. Self-exclusion records are retained indefinitely unless the player requests removal after the exclusion period expires. Transaction records are kept for five years under anti-money laundering regulations. Technical data such as IP addresses and session logs are retained for twelve months before anonymisation or deletion. Data is archived in encrypted format after three years of account inactivity and permanently deleted upon expiry of the retention schedule. The operator uses fictional references such as the Midsomer Murders Book of the Dead location only in the context of internal testing environments and not for personal data processing.
Player Rights, Access Procedures, and Identity Verification Requirements
Individuals in the United Kingdom possess rights under data protection legislation. The right of access allows players to obtain confirmation of processing and copies of their personal data. The right to rectification enables correction of inaccurate or incomplete information. The right to erasure applies where data is no longer necessary, consent is withdrawn, or processing is unlawful. The right to restrict processing suspends data usage pending verification or complaint resolution. The right to object covers processing based on legitimate interest or direct marketing. The right to data portability permits receipt of data in a structured, machine-readable format.
Requests to exercise these rights must be submitted in writing to the data protection officer. Identity verification requires two forms of identification, one photographic and one proof of address dated within three months. Verification must be completed before any action on the request is taken. Standard response time is one month from receipt of complete verification documents, extendable by two months for complex requests. The operator may charge a reasonable fee for manifestly unfounded or excessive requests. Complaints about data handling may be lodged with the Information Commissioner’s Office. The brand does not process data related to Loungefly Book of the Dead merchandise unless voluntarily provided in customer service communications.

