Privacy Policy — Lucky Dreams Casino
Last updated:
This privacy policy explains how Lucky Dreams Casino, registered in Willemstad, Curaçao, collects, uses, stores, and protects your personal data when you use the luckydreamsplayzone.com website, the Progressive Web App, or any associated service. The policy is written to a GDPR-equivalent standard. AU residents are also covered by the Australian Privacy Act 1988 and the 13 Australian Privacy Principles.
By creating an account or making a deposit, you confirm you have read this policy. If anything below is unclear, the Data Protection Officer can be reached at [email protected].
We collect what we need to run a regulated casino — identity, payment, gameplay, and technical data. We never sell personal data. We share with KYC and payment partners, regulators when required, and game providers to deliver gameplay. Retention follows our licensing obligations (typically 7 years on financial records). You have rights to access, rectify, erase, and export your data — instructions below.
What information do we collect?
Five categories of data, each with a specific purpose tied to running a licensed casino. None of it is collected speculatively.
Identity and contact data
Collected at registration and during KYC verification:
- Full legal name, date of birth, gender, nationality
- Email address, mobile number, residential address with postcode
- Login credentials (email + Argon2id-hashed password; password never stored in plain text)
- KYC documents: government ID (passport or driver's licence), proof of address (utility bill or bank statement under three months old), selfie holding ID
- Source-of-funds documentation when cumulative deposits cross A$2,000 in any 30-day window
Payment and financial data
Collected when you deposit or withdraw:
- Tokenised card details (full PAN never stored on Lucky Dreams servers — payment processor handles tokenisation under PCI DSS Level 1)
- E-wallet identifiers (Skrill, Neteller account IDs)
- Crypto wallet addresses for Bitcoin and Ethereum withdrawals
- Bank account details for wire withdrawals
- Transaction history, deposit amounts, withdrawal timing, payment method preferences
Technical data
Collected automatically when you load the site or PWA:
- IP address (last octet retained for 90 days; full IP anonymised after that)
- Approximate geolocation derived from IP — country and state, not street address
- Device type, operating system version, browser version
- Connection timestamps, session duration, idle-timeout events
- Pages visited, features used, click stream
- Cookies and similar storage as described in the cookies section below
Gameplay data
Logged for regulatory audit, game-fairness verification, and dispute resolution:
- Games played, bet amounts, wins, losses
- Bonus claims, wagering progress, free-spin batch usage
- Tournament participation and leaderboard placement
- Account balance changes minute-by-minute
- Live dealer hand outcomes (Evolution and Pragmatic Live also retain camera footage independently)
Communication data
Logged when you contact support:
- Live chat transcripts (retained 3 years)
- Email correspondence with support, complaints, and responsible-gambling teams
- Survey responses you choose to submit
- Marketing-preference selections (marketing is opt-in and off by default; you can opt out at any time)
How do we use your information?
Six legitimate purposes drive every use of personal data. We do not sell or rent personal data to third parties for marketing or any other purpose.
Account management
Creating your account, authenticating logins, sending you security alerts, processing self-service changes (address updates, payment-method changes, limit adjustments).
Payment processing
Routing deposits and withdrawals through PCI-compliant processors, verifying payment methods belong to you, fraud screening, and maintaining the financial records our regulator requires.
Service delivery
Loading games, applying bonuses, tracking wagering progress, syncing balance across devices, and personalising lobby recommendations based on your stated preferences.
Security & fraud prevention
Detecting account compromise, blocking credential-stuffing attempts, identifying duplicate accounts, preventing underage gambling, screening high-risk transactions.
Legal & regulatory
Curaçao licence reporting, AML reports to financial intelligence units when triggered, KYC under our licensing framework, audit trails for dispute resolution, responding to law-enforcement requests.
Marketing — opt-in only
Promo emails, push notifications about new releases, SMS for tournament reminders. Off by default. You opt in once at registration or in account preferences; you can opt out at any time from any marketing email.
How is your data secured?
Multiple layered controls. None of these are optional features — they're standard for the entire user base.
Technical controls
- TLS 1.3 across all sub-pages (no mixed-content fallback to HTTP)
- AES-256 encryption at rest for the player database and document storage
- Argon2id password hashing with per-user salt (resistant to GPU brute force)
- Optional 2FA via TOTP standard (RFC 6238) — Google Authenticator, Authy, Microsoft Authenticator
- Web application firewall and DDoS mitigation in front of the origin
- Annual independent penetration test by an external security firm
- PCI DSS Level 1 payment processing — card PANs are tokenised by the processor and never reach our servers
Operational controls
- Need-to-know access for staff — KYC reviewers see KYC docs, payment ops see transactions, neither sees both
- Quarterly security training for all staff with access to player data
- Mandatory 2FA on internal admin tools — no exceptions
- Incident-response runbook with 1-hour notification target for confirmed data breaches
- Secure document destruction after retention periods expire (cryptographic erasure)
- 72-hour breach notification target to affected users and to the Curaçao Gaming Authority where required
Account security is half us, half you. Use a 14-character random password from a password manager. Enable 2FA before your first deposit. Never share login details with anyone — Lucky Dreams agents will never ask for your password. Sign out on shared devices. Report suspicious sign-in alerts immediately via live chat. If something feels wrong, lock the account first and ask questions second.
Who do we share data with?
Five categories of third party. Each one has signed a data-processing agreement that limits use to the specific purpose listed below.
The third-party list, current as of 4 May 2026
| Third party type | Purpose | Data shared | Retention by them |
|---|---|---|---|
| Payment processors | Card & e-wallet processing | Tokenised card, amount, currency, name | 7 years per PCI |
| Game providers (Pragmatic, Hacksaw, Evolution, etc.) | Delivering slots and live games | Pseudonymous player ID, bet, outcome | 5-7 years per provider |
| KYC verification (Jumio-class) | Identity verification | ID document, selfie, address proof | 5 years |
| Curaçao Gaming Authority | Licence reporting, dispute resolution | As specified in regulations | Per regulator |
| Customer support tools | Chat, ticketing, knowledge base | Communication content, account ID | 3 years |
We do not share data with advertisers, data brokers, or analytics resellers. The first-party analytics on the site (server-side log analysis) does not transmit identifiable data to any external service.
Cookies and similar storage
The site uses cookies and the PWA service-worker uses local storage. Both are limited to four functional categories.
Cookie categories
- Essential: session token, login state, language preference. Cannot be disabled — the site does not function without them.
- Performance: page load timings, error reports, anonymised navigation. Used for site improvements; not personalised.
- Functional: remembered preferences (currency display, lobby filter, theme). Helpful but optional.
- Marketing: only set if you explicitly opt in to marketing communications during registration or in preferences.
You can manage cookies via your browser settings. The cookie banner on first visit gives you category-level opt-in. Disabling Essential cookies will break the login flow — there is no workaround.
Your rights — GDPR-equivalent and AU privacy
You have seven rights under this policy. To exercise any of them, email [email protected] from your registered email address. We respond within 30 days, usually within 7-14.
- Access: request a copy of all personal data we hold on you, in CSV or JSON format
- Rectification: correct any inaccurate or incomplete data we hold
- Erasure: delete your data, subject to legal retention requirements (financial records cannot be deleted before the 7-year retention runs out)
- Restriction: limit how we process your data while a dispute is being resolved
- Portability: receive your data in a structured, machine-readable format you can take elsewhere
- Objection: object to processing for marketing purposes (we stop immediately) or to processing based on legitimate interest (we review and respond)
- Withdraw consent: revoke any consent-based processing at any time, including marketing opt-ins, push notifications, and analytics opt-ins
For AU residents, you may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have mishandled your data.
How long do we keep your data?
Retention is driven by licensing and AU AML obligations, not by our preference. Most financial data is held for 7 years from the relevant transaction.
| Data type | Retention | Reason |
|---|---|---|
| Account profile | Account life + 7 years | Curaçao licensing, AU AML |
| Transaction records | 7 years from transaction | Financial regulation |
| Gameplay logs | 7 years from gameplay | Licensing audit trail |
| KYC documents | 5 years from account closure | AML / KYC regulations |
| Communication transcripts | 3 years from last contact | Dispute resolution |
| IP and session logs | 90 days full / 12 months anonymised | Security forensics |
| Marketing preferences | Until withdrawn | Honouring your choice |
International data transfers
Lucky Dreams' primary data infrastructure is hosted in the European Union. Some service providers (KYC verification, customer support tooling) operate from other jurisdictions. Where data is transferred outside the EU or AU, we apply Standard Contractual Clauses or the equivalent regulatory transfer mechanism. The KYC partner uses an AU-based processing centre for AU-resident document review, so most KYC data on AU accounts stays in AU.
If you want a list of every country your data may transit, email the Data Protection Officer and we'll provide one within 14 days.
Underage protection
Lucky Dreams is for adults aged 18 or over only. We use multi-stage age verification: DOB capture at registration, ID document check at KYC, and ongoing profile review. Any account suspected of being held by a minor is suspended pending verification. If we confirm the account holder is under 18, we delete all personal data immediately — except for the minimum financial-record retention required by law — and refund all deposits.
If you believe someone under 18 has registered with our service, email [email protected]. We act on every credible report within 24 hours.
Changes to this policy
We update this policy when our practices, our regulators, or applicable law change materially. The "last updated" date at the top reflects the most recent change. Significant changes are notified to you via email and a prominent banner on the site for at least 30 days. Minor clarifications (typo fixes, link updates) are made silently with the date stamp updated.
If a change reduces your rights or expands our use of your data, you'll be asked to actively re-consent before the change takes effect on your account.
How to contact us about privacy
The Data Protection Officer is the right contact for any privacy question, request, or complaint:
Email: [email protected]
Postal address: Data Protection Officer, Lucky Dreams Casino, Heelsumstraat 51, E-Commerce Park, Willemstad, Curaçao
Response target: 14 days for routine requests; 30 days for complex requests
For player-facing support questions (deposits, bonuses, accounts), use the contact page instead — those reach the right team faster.
If you're not satisfied with our response, AU residents can escalate to the OAIC at oaic.gov.au. Players in the EU can lodge complaints with their national supervisory authority. Complaints to the Curaçao Gaming Authority are appropriate where the issue concerns gameplay or licensing rather than data handling.