Duel Casino Privacy Policy
This Privacy Policy describes which personal data we collect when you use the Duel Casino site and services, how we use it, to whom we disclose it, how long we keep it, and which rights you have over your data. The document is drafted in line with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the standards of licensed gambling jurisdictions and the international FATF recommendations on anti-money laundering.
We follow the principle of data minimization: we only ask for information that is necessary to provide the service or to comply with applicable law. Using the site means you have read this Policy and agree to the described processing of data. If any provision is unacceptable to you, please stop using the service until it is resolved.
In short:
👉 We are the operator of Duel Casino and the controller of your data within the meaning of GDPR. We collect the minimum data required to run the service. We do not sell your data to third parties. We encrypt data at rest and in transit. You can at any time request a copy of your data, correct it, delete it, or lodge a complaint with the supervisory authority. For any privacy matter, email privacy@duel.com.
1. Who we are and how to reach us
The controller of your personal data within the meaning of Article 4(7) GDPR is the operator of the Duel Casino brand (hereinafter – «Duel Casino», «we», «us»). For any matter related to processing of personal data, exercising your rights and submitting requests you can contact:
- Data Protection Officer (DPO) email: dpo@duel.com
- Privacy email: privacy@duel.com
- Support live chat: 24/7 in your account
The full legal-entity and registration details of the operating company are listed in the «License» section on the homepage.
2. What personal data we collect
Depending on how you use the service, we may collect the following categories of data:
2.1 Registration data
- Email address (used as the primary account identifier).
- Username (shown on public leaderboards, in chats, and during gameplay).
- Password hash (we do not store the password in clear text – we use bcrypt or an equivalent algorithm).
- Age confirmation (declaration of being 18 or older).
- Registration date and IP address.
2.2 Payment and crypto data
- Cryptocurrency wallet addresses used for deposits and withdrawals.
- Blockchain transaction hashes and identifiers (txid).
- Transaction networks and currencies (BTC, ETH, USDT-TRC20, etc.), amounts and timestamps.
- For fiat operations (if used): masked card or payment-provider details, currency, country of issue.
2.3 KYC / AML data (only when required)
Additional verification is requested when risk indicators are triggered, in line with the casino's anti-money-laundering obligations (EU 4AMLD, 5AMLD, 6AMLD and FATF recommendations). This may include:
- A copy of identification (passport, ID card, driver's license).
- Proof of address (utility bill, bank statement, etc.).
- Confirmation of source of funds and source of wealth.
- Proof of crypto wallet ownership (signed message or test transaction).
- Results of sanctions screening, PEP register checks and adverse-media databases.
2.4 Technical and identification data
- IP address and approximate IP-based geolocation.
- Device type, operating system, browser type and version.
- Screen resolution, language, time zone.
- Log data: visited pages, clickstream, referrer, session duration, errors.
- Unique online identifiers (cookies, local storage, SDK identifiers).
- VPN/proxy signals and other technical security markers.
2.5 Gameplay data
- History of bets, wins and losses for each gameplay session.
- Bonuses used and cashback credits.
- Balance status, deposit and withdrawal history.
- Responsible-gaming limit parameters (deposit, loss, time, time-out, self-exclusion).
2.6 Communications data
- Support request texts, live-chat and email correspondence.
- Phone call recordings (where applicable) – you will be informed in advance.
- Marketing consents and consent-withdrawal records.
3. Purposes and legal bases for processing
Each data category is processed for a specific purpose and on a defined legal basis under Article 6 GDPR:
- Performance of a contract – Art. 6(1)(b) GDPR. Creating and maintaining the account, running gaming operations, processing deposits and withdrawals, crediting cashback and bonuses, keeping transaction history, providing user support.
- Legal obligations – Art. 6(1)(c) GDPR. KYC/AML verification, sanctions screening, monitoring of suspicious transactions, record-keeping for tax and gambling law, responding to regulator and law-enforcement requests, protection of minors.
- Legitimate interests – Art. 6(1)(f) GDPR. Fraud prevention, detection of multi-accounting and collusion, defense against automated attacks, information security, analytics for service improvement (in aggregated/anonymized form), defense of our legal interests in disputes.
- Consent – Art. 6(1)(a) GDPR. Email and messenger marketing, push notifications, use of non-essential analytics and advertising cookies. Consent can be withdrawn at any time without explanation and without consequences for the core service.
4. Who we share your data with
We do not sell personal data to third parties under any circumstances. Data may be shared only with the following categories of recipients and only to the extent necessary for the specific purpose:
- Payment service providers. Processors, acquirers and crypto-transaction handlers – for executing deposits and withdrawals.
- KYC and sanctions-screening providers. Specialized services (Sumsub, Onfido, Jumio, ComplyAdvantage and similar) – for verification, document review and sanctions/PEP screening.
- Game content providers. Slot, live-dealer and platform providers – the minimum data set needed to deliver a specific game (session, bets, wins).
- Analytics and cloud services. Cloud infrastructure providers (hosting, CDN, monitoring) acting as data processors on our behalf, bound by Data Processing Agreements.
- Regulators, law-enforcement and tax authorities. Upon a lawful request – to the extent and in the manner provided by applicable law.
- Legal and audit advisors. When defending our rights in disputes and conducting mandatory audits and regulatory inspections.
- In corporate transactions. In a merger, acquisition or asset transfer – with mandatory user notice and preserved data-protection level.
With every recipient processing data on our behalf we have Data Processing Agreements (DPAs) requiring security measures no lower than our own.
5. International data transfers
Some of our processors may be located outside the European Economic Area (EEA). When data is transferred to third countries, we use the safeguard mechanisms provided in Chapter V GDPR:
- Transfers to countries with a European Commission adequacy decision (UK, Switzerland, Canada for commercial purposes, and others).
- Use of Standard Contractual Clauses (SCC – Commission Decision (EU) 2021/914) with additional technical and organizational measures.
- In certain cases – Binding Corporate Rules within the recipient's group.
You can request a copy of the applicable safeguard mechanisms by contacting us at dpo@duel.com.
6. Data retention periods
We keep personal data no longer than necessary for the purposes for which it was collected, and for the periods required by law. Specific periods depend on the data category:
| Data category | Retention period |
|---|---|
| Active account registration data | For the lifetime of the account |
| KYC/AML documents and verification records | At least 5 years after the account closes; up to 10 years if an investigation is ongoing |
| Payment and transaction data | At least 5 years from the transaction date (AMLD requirement) |
| Gaming history and bet records | At least 5 years after the account closes |
| Technical and security logs | 90 days to 12 months |
| Support tickets | Up to 24 months after ticket resolution |
| Marketing consents | Until consent is withdrawn |
| Self-exclusion records | Indefinitely (to prevent re-registration in case of permanent self-exclusion) |
Once the periods expire, data is either destroyed or irreversibly anonymized – in which case it no longer relates to an identifiable individual and may be used for statistics and research.
7. Your rights over your personal data
Under GDPR and similar local laws you have the following set of rights:
- Right of access (Art. 15 GDPR). Get confirmation of whether we process your data and a structured copy of the data we process.
- Right to rectification (Art. 16 GDPR). Have inaccurate data corrected or incomplete data completed – you can update most data yourself in your account.
- Right to erasure, «right to be forgotten» (Art. 17 GDPR). Request deletion of your data when there is no lawful basis for further processing. Note that data related to mandatory AML/gambling-law record-keeping cannot be deleted before the prescribed retention periods expire.
- Right to restriction of processing (Art. 18 GDPR). Request a «freeze» on processing in case of disputed accuracy, unlawful processing, and other situations envisaged by the regulation.
- Right to portability (Art. 20 GDPR). Receive your data in a machine-readable format (JSON/CSV) and/or transmit it to another controller.
- Right to object (Art. 21 GDPR). Object to processing based on legitimate interest, including profiling. Objections to marketing are accepted unconditionally and without explanation.
- Right to withdraw consent. If processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint with a supervisory authority. You can lodge it with the data-protection authority in your country of habitual residence or in the country of the alleged infringement.
To exercise any of these rights, send a request to dpo@duel.com from the email address linked to your account. We respond within 30 calendar days (in complex cases the deadline can be extended to 90 days with notice). For verification we may request additional information to confirm your identity.
8. Cookies and similar technologies
Cookies are small text files saved by your browser when you visit the site. They let us recognize you on return visits, ensure proper operation of the service and analyze how it's used.
Cookie categories we use:
- Strictly necessary cookies. Provide core functionality: login, session persistence, CSRF protection, correct operation of the payment form. The service cannot function without them, so they cannot be disabled via the consent UI.
- Functional cookies. Remember language, currency, interface preferences. Do not identify you personally.
- Analytics cookies. Help us understand how users interact with the site (popular pages, session duration, traffic sources). Used in anonymized form. Activated only with your consent.
- Security cookies. Track anomalous behavior, help detect fraud, multi-accounting and attempts to bypass restrictions (VPN signals, bot patterns).
You can manage cookies via your browser settings: block all cookies, delete them when the browser closes, or receive a warning before a cookie is set. Note that disabling strictly necessary cookies will make login and transactions impossible.
9. Data security
We apply the following technical and organizational measures to protect your data:
- Channel encryption. All traffic between your device and our servers is protected by modern TLS (v1.2 minimum, v1.3 by default) with HSTS headers.
- Encryption at rest. Databases and backups are stored encrypted (AES-256). Especially sensitive data (KYC documents, API keys) is encrypted separately with key management via HSM.
- Password hashing. Passwords are not stored in clear text. We use bcrypt with a current cost factor.
- Two-factor authentication (2FA). Available and strongly recommended for every user account.
- Least-privilege access. Staff only have access to the data necessary for their duties. All access is logged.
- Regular audits and pentests. External security specialists periodically test the system for vulnerabilities.
- Isolated environments. Production is isolated from development and testing; de-identified data is not used outside production for testing.
- Monitoring and incident response. 24/7 security monitoring (SIEM), incident-response procedures, user and authority notification within 72 hours of a breach posing a risk to data subjects' rights and freedoms (Art. 33–34 GDPR).
10. Protection of minors
The Duel Casino service is intended exclusively for adult users (18 and older). We do not knowingly collect personal data from anyone under 18. If you are a parent or legal guardian and learn that your child has provided us with their data, contact us immediately at privacy@duel.com. Once confirmed, we will delete the data and close the account.
As additional measures to protect minors we:
- Require age confirmation at registration.
- Perform extended document verification when risk indicators trigger.
- Support parental-control initiatives and inform users about relevant tools (see the Responsible Gaming page).
11. Automated decision-making and profiling
Some platform processes use automated processing, including profiling. This includes:
- Automated anti-fraud (detection of multi-accounts, bonus abuse, unusual betting patterns).
- Transaction screening against sanctions and AML criteria.
- Interface adaptation and game recommendations based on preferences (only with consent to analytics cookies).
Where an automated decision produces significant effects for you (for example, account blocking on fraud signals), you have the right under Art. 22 GDPR to contest the decision, express your point of view and request human review. Send such requests to dpo@duel.com.
12. Policy changes
We may update this Privacy Policy from time to time – for example, when laws change, new services are launched, or internal processes change. The current version is always available at the permanent link on this page. The last update date is shown at the top of the document.
For material changes that affect your rights or categories of processed data, we will notify you separately – by email and/or via a pop-up at account login – at least 14 days before the changes take effect. Continuing to use the service after the notice means you accept the updated Policy; if the new version is unacceptable to you, you may close the account and request data deletion in the manner described above.
13. Request contacts
For any matter related to this Privacy Policy, processing of your personal data and exercising your rights, use any of the channels below:
- Data Protection Officer (DPO) email: dpo@duel.com
- General privacy email: privacy@duel.com
- Support email: support@duel.com
- Live chat: available in the account dashboard, 24/7
We accept requests in English, Russian and any other supported interface language. Standard response time is up to 30 calendar days; for complex requests up to 90 days with prior notice.
🔞 Access to Duel Casino is strictly for players 18 and over. If you need information on safe play, limits and gambling-addiction help, see the Responsible Gaming page.