Legal
Privacy Policy
Transparency about personal data for your Citadel account, play activity, and support interactions.
Last updated · April 2026
Data we collect
We collect information you provide at registration and during the relationship: identity, contact details, date of birth, KYC documents, transaction history, and support messages. Technical data (IP address, device, session identifiers, security logs) is processed for safety and compliance.
Payment details are handled by certified partners; we do not store full card numbers on our servers when tokenisation is used.
Purposes
Data is used to operate your account, execute gaming and betting contracts, process payments, prevent fraud and money laundering, meet legal obligations (gaming regulation, tax), and improve services and UX.
Where required, we send marketing only with consent. You can withdraw marketing consent via preferences or unsubscribe links.
Legal bases (GDPR)
Processing relies on contract performance, legal obligations, legitimate interests (security, fraud prevention, aggregated analytics), and consent for certain marketing or non-essential cookies.
Sharing
We share data with processors (hosting, payments, identity verification, support tools) under strict contracts. Authorities receive data when the law requires. Transfers outside the EEA use appropriate safeguards (e.g. standard contractual clauses).
Cookies
See our Cookie policy for categories, purposes, and how to manage preferences.
Retention
Data is kept for the life of the relationship and then archived per statutory periods (e.g. accounting, AML). Security logs may be retained longer if disputes or investigations require it.
Your rights
Subject to GDPR (and similar laws), you may request access, rectification, erasure, restriction, portability, and object to certain processing. Withdraw consent without affecting prior lawful processing.
Contact the DPO below. You may lodge a complaint with your supervisory authority (e.g. CNIL in France).
Security
We apply technical and organisational measures: TLS encryption, access controls, logging, training, and reviews. Please protect your credentials and enable 2FA when offered.
Data controller & DPO
The controller is the Citadel operator identified in site legal notices. Privacy questions: dpo@citadelcasino.example — replace with your production address.