Privacy Summary — FatPirate casino Under the FatPirate Casino Microscope
FatPirate Casino distils the privacy architecture of FatPirate casino into an analytical short-form here: which data classes the brand harvests from a British player’s account, why those records sit in the five-to-ten-year AML retention corridor, which recipients they necessarily flow to, and which UK-GDPR rights FatPirate honours within which response window. The unabridged privacy notice in the player dashboard remains authoritative — this page is a reading aid, not a substitute.
Data Controller
The data controller for the player relationship is FatPirate casino itself — operated by GMBL Tech N.V. under the Costa Rica framework — reachable through the Data Protection Officer mailbox shown in the contact section. FatPirate Casino is an independent editorial observer, not a joint controller: when a British reader leaves this page through an affiliate link and lands inside the FatPirate casino cashier, the controller relationship transfers to the operator and falls under the operator’s own privacy notice. The summary below applies to that downstream relationship, decoded from the public-facing documentation that FatPirate publishes for UK players.
Data We Collect
FatPirate processes four cleanly bounded data classes through the account lifecycle, each tied to its own purpose layer. FatPirate Casino reads the architecture along the processing axis: account data (full name, date of birth, British residential address, email, password hash, currency preference) forms the anchor identity; KYC data (passport or driving licence, address proof via utility bill, plus source-of-funds evidence above raised thresholds) covers the AML obligation layer; transaction data (deposit and withdrawal logs, payment-method tokens, crypto wallet addresses, MiFinity references, card BIN-level fingerprints) sits on the financial tier; behavioural data (game history, stake size, session duration, device fingerprint, IP address with derived geolocation) feeds the security and responsible-gambling module.
Purpose-setting follows the classic three-pillar model that underwrites European iGaming compliance. Pillar one: regulatory obligation — KYC, age verification and sanctions-list screening are not marketing options but Money Laundering Regulations 2017 (as retained in UK law) prerequisites. Pillar two: fraud and bonus-abuse prevention — device heuristics, multi-account detection and wallet cross-checks stop the same FatPirate casino player claiming the welcome match twice through fresh aliases. Pillar three: marketing and player protection — segmentation for reload codes, cashback calculation and the responsible-gambling triggers that watch unusual stake patterns against pre-set thresholds. The first two pillars run consent-free (contractual necessity, legal obligation); the third requires a separate, withdrawable consent.
For retention, FatPirate sits inside the industry-standard EU/UK AML corridor of five to ten years from the end of the business relationship. That window does not come from marketing logic but from the Money Laundering Regulations: KYC documents and transaction traces must remain retrievable for the ICO, HMRC, the Financial Intelligence Unit and law-enforcement agencies. Behavioural data and marketing profiles outside the AML scope carry materially shorter retention periods; the concrete intervals are listed in the full FatPirate privacy notice inside the account dashboard. With a 13,400-strong slot lobby on the cashier, the transaction-log volume per active account is non-trivial — another reason the AML archive is structured for retrieval rather than purged on closure.
Lawful Bases for Processing
Each processing operation maps to a UK GDPR Article 6 base. Art. 6(1)(b) — contractual necessity — covers account creation, deposits, withdrawals and the core gaming service. Art. 6(1)(c) — legal obligation — underpins KYC, age verification, AML monitoring and sanctions screening. Art. 6(1)(f) — legitimate interest — covers fraud prevention, security logging and aggregated commercial analytics, with a documented balancing assessment available on request. Art. 6(1)(a) — consent — is reserved for marketing communications, non-essential cookies and any profiling that goes beyond fraud and responsible-gambling triggers. Where special-category data appears (typically self-declared health information inside a self-exclusion request), Art. 9(2)(a) explicit consent applies in addition.
Cookies & Analytics
The cookie stack splits cleanly into three classes from the FatPirate Casino vantage point. Strictly necessary cookies (session token, CSRF guard, language and consent state, cashier in-flight state) are technically indispensable and exempt from consent under PECR Regulation 6(4) — without them, login, gameplay and withdrawal simply do not function. Analytics cookies (lobby navigation, game performance, page-load metrics) aggregate reach signals across Pragmatic, Evolution and Hacksaw titles but can be withdrawn from the banner at any moment. Marketing cookies (affiliate attribution, reload-code personalisation, retargeting on partner networks) load strictly after explicit opt-in — pre-ticking is structurally absent from the FatPirate banner, as the ICO guidance requires.
One note for British readers: FatPirate casino fires third-party marketing pixels only after an active banner opt-in. A pre-ticked default would be unlawful under UK GDPR and PECR alike, and FatPirate Casino’s test traversal of the consent stack found no such default. Analytics cookies expire at twelve months; marketing cookies typically at thirteen — both followed by a fresh consent prompt rather than a silent rollover.
Third Parties & Recipients
The recipient map follows a three-tier logic that FatPirate Casino separates into obligation-driven, operational and marketing-driven flows. Regulator layer: licensing authorities (the Costa Rica framework, plus the MGA and UKGC for upstream studio licences), the UK’s Information Commissioner’s Office on data-protection inquiries, the Financial Intelligence Unit on suspicious activity reports, and HMRC or law-enforcement bodies under formal disclosure orders. Operational layer: payment processors (Visa and Mastercard acquirers, MiFinity, Revolut, Paysafecard, SEPA-rail banks, blockchain nodes and USDT bridges), KYC vendors (typically Jumio, Veriff or Onfido-class providers), hosting providers and game studios such as Pragmatic Play or Evolution where a live-dealer session demands per-player identification. Player-protection layer: responsible-gambling monitoring services that match stake patterns against risk thresholds without seeing persistent clear-text identifiers.
Affiliate networks and ad partners receive only anonymous click and conversion signals — no clear-text personal data. Data brokerage in the classic sense (selling address lists or player cohorts to third parties) does not happen and would be irreconcilable with UK GDPR in any case. Where transfers leave the UK or EEA, FatPirate relies on Standard Contractual Clauses (the UK Addendum where the receiver is not covered by an adequacy decision) plus the supplementary technical safeguards the ICO expects under the Schrems II line of reasoning.
Your UK GDPR Rights
UK GDPR vests eight substantive rights against FatPirate as controller. FatPirate Casino pairs each with the response-time window FatPirate inherits from the statutory framework and its own published terms:
- Art. 15 — Right of access: free-of-charge subject access response covering all processed data, purposes, recipients and storage periods. Response-time target: 30 calendar days, extendable to 90 in complex cases under Art. 12(3).
- Art. 16 — Right to rectification: correction of inaccurate or incomplete master data; an address change runs through the account dashboard plus a fresh KYC address proof.
- Art. 17 — Right to erasure: takes effect only after the AML retention obligation has run. KYC and transaction layers remain restricted during the industry-standard hold, archived rather than deleted.
- Art. 18 — Right to restriction: processing is reduced to bare storage, useful during an open bonus-ledger dispute or contested KYC status.
- Art. 20 — Right to data portability: output of player-supplied data in a structured, machine-readable format (JSON or CSV). Response-time target: 30 days.
- Art. 21 — Right to object: objection to direct marketing and profiling takes effect immediately — reload codes and marketing emails switch off without interrupting gameplay.
- Art. 7(3) — Withdrawal of consent: available at any time for marketing and analytics cookies from the banner footer, with no detriment to service.
- Art. 77 — Right to complain: direct to the ICO without any obligation to escalate through FatPirate first.
The Art. 22 protection against solely automated decision-making with legal or similarly significant effect is built into the responsible-gambling and fraud layers: automated triggers can flag an account, but a human reviewer signs off the consequential decision. Identity verification of the requester is mandatory and runs through the already-verified KYC anchor — hence the routine instruction to submit any request from the email address on file.
Cookie Consent & Opt-out
The opt-out path is redundantly engineered. First route: the «Cookie preferences» link kept permanently in the footer reopens the banner and lets a FatPirate casino player toggle the granular categories (strictly necessary, analytics, marketing) individually. Second route: native browser controls clear or block cookies even without banner access — FatPirate honours the device-level response. Third route: every marketing email carries an unsubscribe link under the Privacy and Electronic Communications Regulations, which clears the list without any further engagement on the player’s part.
Disabling analytics and marketing cookies does not break login, gameplay or cashier — only the personalised reload recommendations fall away. Core functionality across the 13,400-title catalogue remains fully accessible.
Security & Data Retention
The transport layer runs HTTPS with HSTS, a restrictive Content Security Policy and TLS 1.3 on the player-facing edges. Payment data is tokenised at the acquirer rather than stored at FatPirate, and KYC documents sit in encrypted-at-rest object storage with access keyed to a small operations cohort. The five-to-ten-year AML window applies to KYC and transaction layers; behavioural analytics roll off on shorter cycles; consent records themselves are retained for the duration of the consent plus a statutory evidence margin. Server logs containing pseudonymised IPs are rotated within thirty days for security and debugging, beyond which only aggregated statistics persist for trend analysis.
Contact & ICO Complaints
Privacy queries, subject access requests, erasure and objection filings all route through the FatPirate casino Data Protection Officer at [email protected]. FatPirate Casino recommends labelling each request with the subject line «UK GDPR request» plus the specific article being invoked (for example «Art. 15 access») and sending from the email address on the account file — that combination accelerates identity verification and can materially shorten the response window. Statutory handling time is up to thirty calendar days, with most FatPirate requests closing well inside that ceiling.
If you are not satisfied with the response, the right of complaint runs to the Information Commissioner’s Office (ICO) — the UK’s independent privacy authority — at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, online at ico.org.uk, helpline 0303 123 1113. The ICO accepts complaints directly, without any obligation to exhaust the operator’s internal route first. This FatPirate Casino summary does not replace the full FatPirate privacy notice; the dashboard version, with its processing register, recipient list and concrete retention intervals, remains the authoritative source and supersedes this reading aid wherever the two diverge.