Privacy Policy

RollXO Casino Ltd is the data controller responsible for your personal information. We are incorporated in Malta and operate under Malta Gaming Authority licence MGA/CRP/148/2007. Our registered address is Level 3, Tagliaferro Business Centre, High Street, Sliema, SLM 1551, Malta.

For Australian privacy matters, we appoint a local compliance representative to handle enquiries from Australian residents under the Privacy Act 1988 (Cth). Contact details are provided in Section 12 of this Policy.

Where GDPR applies to European residents accessing our platform, RollXO Casino Ltd acts as the data controller as defined by Article 4(7) of GDPR. We have appointed a Data Protection Officer (DPO) whose contact details are provided in Section 12.

We collect the following categories of personal data:

3.1 Account Management: To create, maintain, and manage your account, verify your identity, process transactions, and provide customer support.

3.2 Regulatory Compliance: To fulfil our obligations under anti-money laundering (AML) legislation, know your customer (KYC) requirements, and our MGA licence conditions. This includes transaction monitoring, suspicious activity reporting, and age verification.

3.3 Gaming Services: To provide access to games, process bets and winnings, calculate bonus eligibility, and maintain your game history and account activity records.

3.4 Responsible Gambling: To identify patterns of play that may indicate problem gambling, enforce deposit limits, apply self-exclusion requests, and comply with responsible gambling obligations under our licence.

3.5 Marketing: To send you promotional communications about offers, bonuses, and new games, where you have consented to receive such communications. You may withdraw consent at any time via your account settings or by unsubscribing from emails.

3.6 Fraud Prevention: To detect, prevent, and investigate fraudulent activity, bonus abuse, account sharing, and other prohibited activities that breach our Terms and Conditions.

3.7 Platform Improvement: To analyse usage patterns, identify technical issues, and improve the features and performance of the Platform. Analytics are typically performed on aggregated or anonymised data.

3.8 Legal Claims: To establish, exercise, or defend legal claims if a dispute arises between you and RollXO Casino Ltd.

Under GDPR and the Australian Privacy Act, we rely on the following legal bases to process your personal data:

4.1 Contract Performance: Processing necessary to fulfil our contract with you — providing gaming services, processing transactions, and managing your account.

4.2 Legal Obligation: Processing required to comply with AML regulations, gaming licence conditions, tax reporting requirements, and other applicable laws.

4.3 Legitimate Interests: Processing for fraud prevention, security monitoring, and Platform improvement, where these interests are not overridden by your rights and interests.

4.4 Consent: Processing for marketing communications and non-essential cookies, where you have given explicit consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.

We do not sell your personal data. We share your data only in the following circumstances:

5.1 Payment Processors: We share payment-related data with our certified payment service providers to process deposits and withdrawals. All processors are PCI-DSS compliant.

5.2 KYC/AML Partners: We use third-party identity verification services to perform KYC checks. These providers receive only the minimum data necessary for verification.

5.3 Game Providers: Game data (username, session ID) is shared with software providers (Pragmatic Play, NetEnt, etc.) necessary to deliver game services. Full identity data is not shared with game providers.

5.4 Regulatory Authorities: We are required to report certain information to the Malta Gaming Authority, Australian Transaction Reports and Analysis Centre (AUSTRAC), and other applicable regulatory bodies.

5.5 Self-Exclusion Registers: We share exclusion data with recognised national and state-based self-exclusion schemes in Australia to enforce your exclusion rights across multiple operators.

5.6 Law Enforcement: We may disclose personal data to law enforcement authorities where required by law or court order.

5.7 Business Transfer: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such transfer.

6.1 We use cookies and similar tracking technologies on the Platform. Cookies are small text files stored on your device that help us provide a better user experience and analyse Platform usage.

6.2 Essential Cookies: Required for basic Platform functionality — session management, login persistence, and security. These cannot be disabled without impairing Platform functionality.

6.3 Analytics Cookies: Used to understand how players use the Platform, which pages are visited most frequently, and where technical issues occur. Typically provided by Google Analytics or similar analytics services. These are anonymised where possible.

6.4 Marketing Cookies: Used to track your interaction with our promotional content and serve relevant advertising. These require your explicit consent and can be declined via the cookie consent prompt on your first visit.

6.5 You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect Platform performance and functionality.

7.1 We retain your personal data for as long as your account is active and for a period thereafter as required by applicable law and our regulatory obligations.

7.2 Account records and transaction history are retained for a minimum of five (5) years following account closure in accordance with AML legislation and gaming licence requirements.

7.3 KYC documents are retained for five (5) years following the end of the customer relationship or the last transaction, whichever is later.

7.4 Marketing data (communication preferences and engagement history) is retained for three (3) years from the last interaction, after which consent is refreshed or data is deleted.

7.5 Support communication history is retained for three (3) years from the date of the communication.

7.6 After the applicable retention period, data is securely deleted or anonymised so that it can no longer be associated with you as an individual.

8.1 We implement technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.

8.2 All data transmitted between your device and our Platform is encrypted using industry-standard TLS (Transport Layer Security) with a minimum of 256-bit encryption.

8.3 Access to personal data within our organisation is restricted on a need-to-know basis. Employees with data access are subject to confidentiality obligations and receive regular data security training.

8.4 Payment card data is processed exclusively through PCI-DSS Level 1 certified processors. We do not store full card numbers on our own infrastructure.

8.5 In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, in accordance with applicable data breach notification requirements (including the Notifiable Data Breaches scheme under Australian law).

8.6 Despite these measures, no internet transmission is completely secure. We cannot guarantee absolute security and you transmit data at your own risk.

Depending on your location, you may have the following rights regarding your personal data:

To exercise any of these rights, contact our Data Protection Officer using the details in Section 12. We will respond within 30 days. Note that some rights are limited by our regulatory obligations — we cannot delete transaction records that we are legally required to retain.

10.1 Your personal data may be transferred to and processed in countries outside your country of residence, including Malta (our headquarters) and other jurisdictions where our third-party service providers operate.

10.2 Where we transfer data from the European Economic Area (EEA) to countries without an adequate level of data protection, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission.

10.3 For transfers from Australia, we ensure that overseas recipients handle data in accordance with the Australian Privacy Principles or provide equivalent protection through contractual arrangements.

10.4 By using the Platform, you acknowledge that your data may be transferred internationally as described in this section.

11.1 The Platform is intended exclusively for adults aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18.

11.2 If we become aware that we have inadvertently collected personal data from a minor, we will immediately delete that data and close the associated account.

11.3 If you believe a minor has registered an account on our Platform, please contact our support team immediately with relevant details so we can take prompt action.

12.1 RollXO Casino Ltd complies with the Australian Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs) that govern the collection, use, disclosure, and storage of personal information held by organisations. As an overseas operator serving Australian residents, we are bound by APP 8 (cross-border disclosure of personal information) and ensure that any overseas recipients of Australian players' personal data handle that data in a manner consistent with the APPs.

12.2 Under APP 5, we are required to notify you of key matters at or before the time we collect your personal information. This Privacy Policy constitutes that notification. We collect personal information directly from you at registration, during KYC verification, and through your use of the Platform. We also collect information automatically through cookies and session tracking as described in Section 6.

12.3 Under APP 12, you have the right to access your personal information held by us. Requests for access should be directed to our Privacy Officer using the contact details in Section 13 below. We will respond within a reasonable period (typically 30 days) and may charge a modest fee to cover the administrative cost of providing access, in accordance with APP 12.5.

12.4 Complaints from Australian residents about our handling of personal information may be directed first to our Privacy Officer. If your complaint is not resolved to your satisfaction, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, by phone at 1300 363 992, or in writing to GPO Box 5218, Sydney NSW 2001.

For any questions about this Privacy Policy, to exercise your data rights, or to raise a privacy concern, contact us via:

Australian residents who are not satisfied with our response to a privacy complaint may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or call 1300 363 992.

EEA residents who are not satisfied with our response may lodge a complaint with the Malta Information and Data Protection Commissioner (IDPC) at idpc.org.mt.

This Privacy Policy was last updated on February 1, 2026. Version 2.1. We may update this policy from time to time. Material changes will be communicated by email or on-site notice. Continued use of the Platform after such notice constitutes acceptance of the updated policy.