🔒 Effective May 22, 2026 · GDPR + CCPA compliant

Privacy Policy

What data we collect, why, and how we protect it. Plain-English explanations of the legal text, with concrete numbers for retention and disclosure.

1. Introduction and scope

CryptoCasinoHouse is an independent review publication. We operate under European data protection standards because most of our audience lives in jurisdictions that require this baseline. This policy applies to all subdomains, all 14 language editions, and any data we receive through our forms, newsletter, or analytics tools. Last reviewed by our Data Protection Officer on May 22, 2026; the next scheduled audit is in 90 days.

We do not run any casino, wallet, or payment service. We never see your gambling deposits, your wallet seed phrase, or your KYC documents. The strongest privacy practice we can offer is restraint: we collect less than 0.1% of what a typical e-commerce site collects, and we hold what we do collect for the shortest retention period that still lets us debug the service. If you want to read the full European baseline we measure ourselves against, see the official GDPR text and the California Attorney General CCPA guidance.

2. What data we collect

We split data into three buckets so you can see exactly what is automatic, what is optional, and what we never touch.

2.1 Automatic (server logs and edge analytics)

Every web server logs requests. Ours stores: truncated IP address (last octet stripped, so 192.168.4.0 instead of 192.168.4.123), user agent string, HTTP referrer, requested URL, response status code, and a millisecond timestamp. Cloudflare, our CDN edge, sees the full IP for 4 hours before truncation, used only for DDoS protection. We do not attempt browser fingerprinting, canvas fingerprinting, audio fingerprinting, or any cross-device link analysis.

2.2 Voluntary (forms, newsletter, contact)

If you submit our contact form we receive your name, email, and message body. If you subscribe to the newsletter we receive your email and your locale preference. If you flag a casino dispute we may receive screenshots or transaction hashes you choose to paste in. Nothing on this site requires a wallet connection, a signed transaction, or a Web3 modal.

2.3 What we do not collect

We do not collect: precise GPS location, contact lists, social-media graphs, payment cards, bank statements, identity documents, KYC selfies, wallet addresses you have not personally pasted to us, or any "shadow profile" from data brokers. We do not buy supplementary audience segments from third parties.

3. How we use the data

Every use case below is tied to a specific legal basis under Article 6 of the GDPR.

  • Geo-filtering (legitimate interest, Art. 6(1)(f)): We block casino offers in 21 restricted jurisdictions to comply with their gambling laws. This requires reading the truncated IP at request time.
  • Affiliate attribution (contractual necessity, Art. 6(1)(b)): When you click a "Visit Casino" link, the destination casino receives a referral parameter from our /go/ redirector. They do not receive your IP from us; they see whatever your browser sends when it lands on their domain.
  • Analytics (consent, Art. 6(1)(a)): Google Analytics 4 with IP anonymization runs only after you accept the cookie banner. Anonymous traffic generates roughly 92% of our pageviews because most users decline.
  • Communication (consent, Art. 6(1)(a)): We email only after explicit opt-in, with a one-click unsubscribe in every message.
  • Security (legal obligation, Art. 6(1)(c)): We retain web server logs for 30 days to investigate intrusion attempts and respond to lawful subpoenas.

4. Third-party processors

We use 5 vendors that may touch your data on our behalf. Each operates under a signed Data Processing Agreement (DPA) and is restricted to the purpose listed.

4.1 Cloudflare (edge and CDN)

Cloudflare terminates TLS, blocks malicious bots, and serves cached pages. They see your full IP for up to 4 hours. They are CCPA-compliant and the certified processor for our edge geo-filtering. Their EU customers benefit from Standard Contractual Clauses (SCCs).

4.2 Google Analytics 4 (consented users only)

GA4 runs in IP-anonymization mode (the last octet is stripped before storage at Google). Data is retained for 14 months, then auto-deleted. We do not enable Google Signals, do not import GA4 audiences to Google Ads, and do not share data with advertising partners. If you decline the cookie banner, no GA4 cookies are set at all.

4.3 Email provider (newsletter only)

Our transactional email service stores your email, locale, and a hashed unsubscribe token. They process under SCCs for EU subscribers.

4.4 Hosting (origin server)

Our origin server lives in a Tier-3 EU data center. They see the same truncated IP that Cloudflare forwards. They do not access application data.

4.5 Error monitoring

A privacy-preserving error monitor catches 500-status responses and JavaScript crashes. Personal identifiers in URLs are scrubbed before any error reaches the dashboard. Retention is 30 days.

5. Cookies in detail

We classify every cookie into one of three categories. The cookie banner gives you an opt-in toggle for the second and third categories.

5.1 Strictly necessary cookies

These cookies are required for the site to function. They do not require consent under GDPR Recital 30. We use 3 of them: cc_age_18 (365 days, stores the answer to the age gate), cc_locale (180 days, remembers your language), and cc_session (24 hours, used only if you submit a form). None of these are shared with advertisers.

5.2 Performance cookies

Performance cookies measure page load timings and error rates. We use a single first-party cookie, cc_perf, with a 7-day lifetime. It contains a random session ID and no personal data. You can refuse this category without breaking any feature.

5.3 Analytics cookies

If you opt in, Google Analytics sets _ga (24 months) and _ga_* (24 months) cookies. We do not run any advertising cookies, no Facebook Pixel, no TikTok pixel, no LinkedIn Insight Tag, no retargeting cookies of any kind. Our visitor flow funnels to outbound casino links, not to ads.

6. Your rights under GDPR

If you are in the European Economic Area, the UK, Switzerland, or another jurisdiction with similar law, you have 8 specific rights. We honor all of them at no cost within 30 days.

  • Right of access (Art. 15): Request a copy of all data we hold about you. We deliver it as a portable JSON file.
  • Right to rectification (Art. 16): Correct inaccurate information, typically your email or newsletter preferences.
  • Right to erasure (Art. 17): Delete your data unless we have a legal obligation to retain it.
  • Right to restriction (Art. 18): Freeze processing while a dispute is investigated.
  • Right to data portability (Art. 20): Receive your data in a machine-readable format.
  • Right to object (Art. 21): Stop legitimate-interest processing.
  • Right against automated decisions (Art. 22): We do not make automated decisions that affect you legally; this right is granted by default.
  • Right to withdraw consent: Toggle cookies off, unsubscribe from email, or close your contact thread at any time.

To exercise any right, write to our DPO via the contact page. We log the request, verify your identity using the email address on file, and respond within 30 calendar days. Complex requests may take an extra 60 days under Article 12(3); we will notify you in writing if that extension applies.

7. Your rights under CCPA and CPRA

California residents have 5 additional rights under the California Consumer Privacy Act and its 2023 amendment, the California Privacy Rights Act. We do not "sell" or "share" personal information as those terms are defined under §1798.140. Even so, we provide:

  • Right to know what personal information we hold and where it came from.
  • Right to delete personal information we have collected.
  • Right to correct inaccurate information.
  • Right to opt out of any future sale or sharing (already disabled by default).
  • Right to limit the use of sensitive personal information.

We do not discriminate against California residents who exercise these rights. We do not require account creation to file a CCPA request; an email from any verified address is enough.

8. How to opt out of analytics

You have three independent layers of opt-out. Any single layer is sufficient.

  1. Cookie banner: Click "Reject" or "Customize" on first visit. No GA4 code loads at all.
  2. Browser-level Do Not Track or Global Privacy Control: We honor the GPC header from Brave, Firefox, and recent Safari builds. When GPC is present, we treat your visit as opted-out regardless of banner state.
  3. Google's opt-out add-on: Install the official Google Analytics opt-out for site-wide refusal across the web.

9. Data retention periods

Different data classes have different retention windows. Anything not listed below is purged within 24 hours.

  • Truncated server logs: 30 days
  • Cloudflare edge logs (full IP): 4 hours
  • Google Analytics 4 events: 14 months
  • Contact form submissions: 12 months, then anonymized
  • Newsletter subscriber list: until you unsubscribe, plus 30 days for re-confirmation
  • Error monitoring events: 30 days
  • Affiliate referrer cookies (set by the casino on its domain): 30 to 90 days, per casino policy
  • Backups: 35 days rolling, encrypted at rest with AES-256

10. Security and breach notification

Traffic between you and the site uses TLS 1.3 with strong cipher suites. Form submissions are stored encrypted at rest with AES-256-GCM. Administrator access requires hardware-key two-factor authentication; we rotate keys every 90 days. We do not store payment cards because we do not accept payments.

If we ever experience a data breach affecting personal information, we follow the GDPR Article 33 timeline: notify the lead supervisory authority within 72 hours of discovery, then notify affected users without undue delay if the breach poses a high risk to their rights. Our incident response runbook is reviewed quarterly. We have not experienced a reportable breach since the site launched.

11. International transfers

Some of our processors operate outside the EEA. Transfers to the United States rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. We perform a Transfer Impact Assessment for every new processor that handles EEA personal data. The full list of transfer destinations is available on request.

12. Children's privacy

This site is intended for adults aged 18 and over (21 and over in certain US states and other jurisdictions). We do not knowingly collect personal information from minors. If you are a parent or guardian and believe your child has interacted with us, write to our DPO and we will delete the data within 7 days.

13. Frequently asked questions

13.1 Do you sell my data?

No. We do not sell, rent, lease, or barter personal information. The CCPA-defined term "sale" is broader than common usage; even under the broader definition, we do not sell.

13.2 Do casinos see my IP when I click a "Visit Casino" link?

They see whatever your browser sends when it lands on their domain, which includes your IP. We do not transmit your IP to them from our server. If you want maximum privacy, use a reputable VPN before clicking, but check the casino's terms first as some restrict VPN traffic.

13.3 Can I use the site without cookies?

Yes. You can decline every non-essential cookie via the banner and still browse freely. The age-gate cookie will re-appear once per device until you confirm you are 18 or older. See our about page for the editorial workflow.

13.4 How do I file a privacy complaint?

First write to our DPO via the contact page. If we cannot resolve the issue, you may complain to your local supervisory authority. EU residents can find theirs at the European Data Protection Board directory. California residents may complain to the California Attorney General.

13.5 What if you update this policy?

Material updates are highlighted at the top of the page for 30 days, and newsletter subscribers receive an email summary. Minor edits (typo fixes, formatting) are logged in our internal changelog. The current version is dated May 22, 2026.

14. Related pages

Read our terms of use for the legal framework that accompanies this policy, our affiliate disclosure for how we earn revenue, our responsible gambling resources for help with problem gambling, our 25-step methodology for how we score casinos, and our blacklist of operators we cannot recommend.

15. Contact our DPO

For any privacy question, data subject access request, or breach inquiry, write to us through the contact form and mark the subject "DPO". We respond to privacy requests within 30 calendar days as required by GDPR, and faster for urgent breach notifications.

16. Cookie banner detail and granular consent

The cookie banner is the primary point at which you can shape what data the site processes about your visit. We designed it for granular control rather than the "accept all" pattern used by most affiliate sites. The default state when you arrive is "Reject all"; nothing loads until you actively grant consent. The banner separates 3 categories: strictly necessary cookies (no consent option, since GDPR Recital 30 makes them lawful by default), performance cookies (single toggle, defaults off), and analytics cookies (single toggle, defaults off). Marketing cookies are not present anywhere on the site, which means we have no toggle to offer for them. Roughly 92% of our pageviews come from visitors who decline the optional categories.

Separate consent for analytics and marketing

We deliberately separate analytics consent from any other category. Analytics tracking measures aggregate site behavior (page load times, search-result clicks, locale preferences) and is set to expire 14 months after each opt-in event. Marketing consent does not exist on the site because we run zero advertising cookies: no Facebook Pixel, no TikTok pixel, no LinkedIn Insight Tag, no Google Ads remarketing, no retargeting cookies of any kind. The 5-cookie ceiling we apply across all 14 language editions is documented in the cookie inventory at the bottom of this page. If you opt in to analytics only, Google Analytics 4 sets the _ga and _ga_* cookies with 24-month lifetimes; if you opt in to performance only, our first-party cc_perf cookie is set with a 7-day lifetime.

How to revoke consent and third-party cookies blocked by default

Revoking consent takes 2 clicks: open the cookie preferences link in the page footer (visible on every page across the 14 locales) and toggle the categories you want to disable. The toggle takes effect immediately on the next page load and any cookies in the disabled category are cleared automatically. Cookie preferences are stored in the cc_consent cookie with a 13-month lifetime; clearing the cookie returns you to the default "Reject all" state on your next visit. Third-party cookies are blocked by default at the edge layer regardless of consent state, with 4 exceptions that we explicitly permit (the 4 vendors listed in section 4 above). Embedded YouTube videos, embedded Twitter cards, and embedded comment widgets are not used anywhere on the site, so the supply-chain risk surface is intentionally small. Our DPO inbox handles any consent-revocation issue within 48 hours.
