Duel Casino Privacy Policy: short, honest and to the point
This page is not fine-print boilerplate but a clear explanation of how Duel Casino handles information about you. It sets out exactly what we receive, what we use it for, how long we keep it and what you can do with it at any time. Our principle is simple: we take only as much as the game, payouts and the law require, and not a line more.
These rules are based on the EU General Data Protection Regulation (GDPR, Regulation EU 2016/679), on the requirements of licensed gambling jurisdictions and on the FATF anti-money-laundering standards. By registering and using the site you agree to the procedure described here. If any point raises doubts, it is best to clarify it with us before you start playing – you can write to us at any time.
In a nutshell:
• the Duel Casino operator acts as the controller of your data under GDPR;
• we collect the minimum – only what the service and the law require;
• data is never sold or rented out to advertisers;
• information is encrypted both in transit and at rest;
• access, a copy, correction, erasure or a complaint can be requested by emailing privacy@duel.com.
✓ What we always do
- explain which data we take and why;
- encrypt traffic, databases and backups;
- answer requests about your rights within the set deadline;
- delete information as soon as the lawful ground to keep it disappears.
✗ What we never do
- sell or pass on data for advertising;
- store passwords in plain text;
- collect information about minors;
- ask for documents “just in case”, without a risk-based reason.
Who is responsible for processing
The controller of personal data within the meaning of Article 4(7) GDPR is the operator of the Duel Casino brand (hereinafter “we” or “the operator”). The company’s full legal details are listed in the “Licence” block on the homepage. Specific people and channels handle any data-related questions:
- data protection officer (DPO) – dpo@duel.com;
- privacy team – privacy@duel.com;
- round-the-clock live support chat in your account.
What information we receive
The set of data depends on exactly how you use the platform. For clarity we have grouped it by type:
- Registration details. Email as the main login, a display nickname (visible in chats and leaderboards), a password hash (the password itself is not stored – bcrypt is used), confirmation of adulthood, and the date and IP of registration.
- Payment and crypto information. Wallet addresses for deposits and withdrawals, blockchain transaction identifiers (txid), networks and currencies, amounts and timestamps; for fiat payments – masked details and the card’s country of issue.
- Technical data. IP address and the approximate region derived from it, device type and OS, browser, language and time zone, logs of visited pages and sessions, online identifiers (cookies, local storage), as well as security signals including VPN or proxy indicators.
- Gameplay behaviour. History of bets, wins and losses, activated bonuses and cashback, balance movements and the responsible-gaming limits you have set.
- Correspondence and requests. The content of support tickets, conversations in chat and email, call recordings (where made – with a warning), and the status of your marketing consents.
When verification kicks in (KYC/AML)
An important point: we do not request identity documents from everyone by default. Verification is triggered on a case-by-case basis – when risk indicators fire, when a regulator requires it or when signs of suspicious activity appear. This is mandated by the EU directives (4th, 5th and 6th AMLD) and the FATF recommendations. In such a case we may ask for:
- proof of identity (passport, ID card or driving licence);
- proof of residential address;
- proof of source of funds and wealth;
- proof of ownership of a wallet or payment instrument;
- the results of screening against sanctions lists and politically exposed persons (PEP) databases.
More about how the verification thresholds work and when you can play without it is explained on the No verification page.
Purposes of processing and legal bases
Every operation with data is tied to a specific basis from Article 6 GDPR – we do not process anything “just in case”:
- Performance of a contract (Art. 6(1)(b)). Creating and running the account, gaming operations, deposits and withdrawals, cashback accrual, action history and user support.
- Legal obligation (Art. 6(1)(c)). KYC/AML checks, sanctions screening, monitoring of dubious transactions, gambling and tax reporting, responses to regulators, keeping out minors.
- Legitimate interest (Art. 6(1)(f)). Fighting fraud, detecting multi-accounts and collusion, protecting the infrastructure from attacks, anonymised analytics and defending our rights in disputes.
- Consent (Art. 6(1)(a)). Marketing emails, push notifications, optional analytics and advertising cookies. Consent can be withdrawn at any time – this does not affect the core service.
Cookies and similar technologies
Cookies are small files the browser saves when you visit a site; they help recognise you on return visits and understand how the platform is used. We split them into four groups:
- Strictly necessary. Responsible for login, the session, CSRF protection and the payment form. The service does not work without them, so they cannot be turned off in the consent window.
- Functional. Remember language, currency and interface settings; they do not identify you personally.
- Analytics. Provide anonymised visit statistics and are enabled only after your consent.
- Security. Help spot abnormal behaviour, multi-accounts and attempts to bypass restrictions.
You can manage cookies directly in the browser: block them, delete them on exit or get warnings. Note that disabling strictly necessary cookies will make login and operations impossible.
Who we share data with and where
We do not trade in user information. Transfers happen strictly to the extent necessary and only to the following categories of recipients:
- payment services and crypto processors – to carry out a deposit or withdrawal;
- verification and screening services (for example Sumsub, Onfido, ComplyAdvantage) – for KYC and list matching;
- game-content providers – a minimal set of data within a specific gaming session;
- cloud infrastructure and monitoring systems – as processors acting on our instructions, bound by data processing agreements (DPA);
- regulators, law-enforcement and tax authorities – upon a lawful request;
- lawyers, auditors and counterparties in possible corporate deals – while preserving the level of protection and notifying users.
Some processors may be located outside the European Economic Area. In such cases we rely on the mechanisms of Chapter V GDPR: European Commission adequacy decisions, standard contractual clauses (SCC, Decision EU 2021/914) with additional safeguards, and binding corporate rules within groups of companies. A copy of the applicable safeguards can be requested at dpo@duel.com.
Retention periods
The lifetime of each data category is determined by its purpose and by legal requirements. As soon as the information is no longer needed, we delete it or irreversibly anonymise it. The basic benchmarks:
| Data category | How long we keep it |
|---|---|
| Registration data of an active account | for as long as the account exists |
| KYC/AML documents and records | at least 5 years after account closure, up to 10 years during an investigation |
| Payments and transactions | at least 5 years from the operation date (AMLD requirements) |
| Gaming history and bets | at least 5 years after account closure |
| Technical and security logs | from 90 days to 12 months |
| Support correspondence | up to 24 months after the ticket is closed |
| Marketing consents | until consent is withdrawn |
| Self-exclusion records | indefinitely – to prevent re-registration |
How protection works
We ensure data security through a combination of technical and organisational measures:
- traffic between you and the servers is encrypted with TLS (minimum 1.2, 1.3 by default) with HSTS enabled;
- databases and backups are stored encrypted (AES-256), and the most sensitive data is protected by key management via an HSM;
- passwords exist only as a bcrypt hash, and two-factor authentication (2FA) is available and recommended;
- staff access is granted on a least-privilege basis, and all access to data is logged;
- external audits and pen-tests are carried out regularly, and production is isolated from the development environment;
- round-the-clock monitoring (SIEM) is in place; in an incident that threatens your rights we notify users and the supervisory authority within 72 hours (Art. 33–34 GDPR).
Your rights and how to exercise them
GDPR and comparable local laws give you a specific set of rights over your data:
- Access (Art. 15) – find out which data we process and obtain a copy of it.
- Rectification (Art. 16) – correct inaccuracies; much of this is available right in your account.
- Erasure (Art. 17) – the “right to be forgotten” if there is no lawful reason to keep the data further. Records mandatory under AML and gambling law are deleted only after their periods expire.
- Restriction (Art. 18) – temporarily “freeze” processing in disputed situations.
- Portability (Art. 20) – receive the data in a machine-readable format (JSON/CSV) or have it transferred to another controller.
- Objection (Art. 21) – against processing based on legitimate interest; for marketing the objection is accepted unconditionally.
- Withdrawal of consent – at any time, without affecting the lawfulness of processing already carried out.
- Complaint to a supervisory authority – at your place of residence or of the alleged infringement.
To exercise any right, write to dpo@duel.com from the email linked to your account. We reply within 30 calendar days; for complex requests the period may extend to 90 days with prior notice. Additional details may be required to confirm your identity.
Age 18+ and child protection
Duel Casino is intended exclusively for adults and does not knowingly collect data about minors. Age is confirmed at registration. If you are a parent or guardian and have found that a child left their data with us, write to privacy@duel.com – after verification we will delete that data and close the account. Parental-control and filtering tools are described on the Responsible Gaming page.
Decisions without human involvement
Some processes run automatically: anti-fraud, transaction screening against AML and sanctions criteria, and game recommendations (the latter only with consent to analytics). If an automated decision significantly affects you – for example a block triggered by fraud signals – under Article 22 GDPR you have the right to contest it, state your position and demand a review by a human operator. Send the request to dpo@duel.com.
Review and updates of the policy
We may update this document when legislation or internal processes change – the current version is always published on this page. We will give advance notice of material changes affecting your rights (by email and/or a message at login) no later than 14 days beforehand. Continued use of the service means agreement with the new version; if it does not suit you, the account can be closed and erasure of the data requested.
Contacts for requests
For any privacy questions and to exercise your rights, choose a convenient channel:
- data protection officer (DPO) – dpo@duel.com;
- general privacy questions – privacy@duel.com;
- support team – support@duel.com;
- live chat in your account, around the clock.
Requests are accepted in English, Russian and any other interface language. The standard response time is up to 30 calendar days, and up to 90 days for complex requests with prior notice.
Quick answers to common questions
Do I have to complete verification right after registration?
No. KYC is triggered case by case – when risk indicators fire, a regulator requests it or there are signs of suspicious activity. Many players go all the way from deposit to withdrawal without a check. Details are on the “No verification” page.
Do you sell my data to advertisers?
No. Data is not sold or rented out. Transfers are possible only to the recipients listed in the “Who we share data with” section, and strictly to the extent necessary.
How do I request a copy or erasure of my data?
Write to dpo@duel.com from the email linked to your account. We will reply within 30 days. Note that records mandatory under AML and gambling law are deleted only after the set retention periods expire.
How is my password stored?
Only as a bcrypt hash – it does not exist in plain text even on our side. We also recommend enabling two-factor authentication (2FA) in the security settings.
What happens to my data after I close the account?
Some details are deleted immediately, but payment records, betting history and KYC/AML documents are kept for at least 5 years due to legal requirements. Once the periods expire they are deleted or irreversibly anonymised.
🔞 Access to Duel Casino is strictly for those aged 18 and over. If you need information about safe play, limits and help with gambling addiction, take a look at the Responsible Gaming page.