This notice treats your personal information with the same editorial precision as any other page on this site. Below, the operator explains which datapoints SpinMacho actually needs, why each point matters and how the file stays sealed against misuse. Terdersoft B.V. runs the casino under Curaçao Gaming Control Board Licence OGL/2024/1126/0521 and acts as the data controller for Norwegian residents. This notice is refreshed whenever a processing activity shifts, so a quarterly re-read is a sensible habit for attentive members.
Lawful Bases Under GDPR
SpinMacho anchors every processing activity to a named lawful basis from GDPR Article 6. In other words, nothing is collected “just in case” — every entry on the record of processing has an auditable justification. Moreover, Norwegian residents retain the right to challenge any basis they find excessive, and the data-protection officer reviews such challenges inside one calendar month. As a result, the balance between the operator’s duties and the member’s control sits squarely inside the European regime.
Most daily processing rests on three bases: contract performance, legal obligation and legitimate interest. For instance, running your cashier sits under contract, while AML record-keeping rests on legal obligation. Fraud screens use legitimate interest, and marketing segmentation depends on explicit consent that you can revoke at any moment. The consent banner keeps these bases clearly separate, so a declined marketing opt-in never blocks basic account functionality.
Data Families We Process
SpinMacho collects five data families to keep the platform safe, compliant and personalised. Each family respects the data-minimisation principle embedded in GDPR Article 5, so the file never grows beyond the stated purpose. The table below summarises what lands inside the account record.
| Family | Examples | Lawful Basis | Retention |
|---|---|---|---|
| Identifier records | Legal name, date of birth, residential address, ID scan | Contract and legal obligation | 5 years after closure |
| Cashier records | Card tokens, crypto wallet addresses, transaction IDs | Contract and AML duty | 7 years after last movement |
| Device signals | IP, user agent, device fingerprint, consent cookies | Legitimate interest | 12 months |
| Play history | Game sessions, bet size, deposit cadence, bonus claims | Contract and legal obligation | 5 years after closure |
| Contact logs | Chat transcripts, email threads, phone notes | Legitimate interest | 3 years from ticket close |
Inside Each Family
Identifier records power sign-up, the mandatory age check and every later KYC escalation. Specifically, the pack includes legal name, date of birth, residential address and an ID scan that binds the profile to a real person. Moreover, the same file drives critical account notifications such as verification outcomes, payout alerts and security warnings. Marketing emails never flow from this base without a positive opt-in, so claiming a bonus does not commit you to promotional contact.
Cashier records are tokenised end-to-end: the PCI DSS-compliant processor returns a reversible token instead of the raw card number, so SpinMacho never stores the card number itself. Therefore, even in the unlikely case of a breach, your card cannot be used to charge third parties. Crypto wallet addresses and on-chain transaction IDs are stored so that AML screens can reconcile on-ledger movements against the account ledger. This transparency is a core condition of the Curaçao licence framework.
Device signals arrive automatically through server logs during each session, while play history is written by the game engine after each round. For example, device data includes the IP, device fingerprint and browser string; play data covers session length, bet size and bonus status. Consequently, these two families feed fraud detection and duty-of-care checks without drifting into unrelated profiling. In summary, both sets stay inside their stated purpose and never feed external ad networks.
Why We Use Your Data
Your file serves six concrete purposes, and each one ties to a defined legal basis. In other words, nothing is collected speculatively; every processing activity has a documented rationale that auditors can verify. The list below summarises the use cases Norwegian residents should recognise inside their account.
- Account Operation: Registering the profile, authenticating each login, powering the cashier and personalising the lobby.
- Regulatory Duty: Running KYC, AML screening and tax reporting where statute or licence demands it.
- Fraud Defence: Spotting device mismatches, identity theft attempts and bonus-abuse signatures across the membership.
- Duty of Care: Monitoring deposit cadence and bet-size spikes so the safer-play team can act before harm lands.
- Support and Disputes: Resolving chat tickets, escalations to the Curaçao GCB and complaints filed with Forbrukertilsynet.
- Marketing: Sending opt-in emails, tailoring bonus suggestions and measuring campaign uplift, always on explicit consent.
Retention Windows Explained
Data is kept only as long as each purpose requires, after which the record is purged or anonymised. Moreover, retention windows are calibrated to match Norwegian tax statutes and the EU AML directive. Consequently, certain files — for example, cashier ledgers — persist for seven years after the last transaction, while short-lived device signals disappear after twelve months.
Specifically, identifier and play-history files age out five years after the account closes, because this is the statutory minimum under the applicable AML framework. Furthermore, contact logs stay for three years from ticket closure, so a returning member’s context remains retrievable within that window. In addition, consent metadata — the what-when-where of a marketing opt-in — is preserved across the same five-year horizon to evidence lawful contact.
Who Touches Your File
A small vendor roster supports the day-to-day platform, and every partner sits under a signed data-processing agreement. Furthermore, each partner contract lists the permitted purpose, the data fields shared and the geographical hosting footprint. Consequently, no vendor can repurpose SpinMacho records for unrelated commercial goals. The list below groups the vendor map into readable categories.
- Cashier Processors: Licensed payment providers that tokenise card numbers and settle fiat rails under PCI DSS.
- Blockchain Analytics: On-chain intelligence firms that verify crypto deposits against sanction lists and mixer activity.
- KYC Vendor: Identity-verification partners that match ID scans to selfies and interrogate address proofs.
- Cloud Hosts: EEA-based data centres that keep the dashboard, cashier API and support ticketing online.
- Email Operator: The transactional mail provider that ships verification links, payout alerts and opt-in marketing.
All partners sit inside the European Economic Area where practical. When a transfer crosses outside the EEA, standard contractual clauses plus supplementary safeguards apply. Therefore, a United States payment processor or a Swiss identity-verification partner remains bound to GDPR-level standards. Additionally, the operator keeps a sub-processor register that Norwegian members can request from [email protected].
Cookie Register and Device Tracking
The cookie banner on the first visit separates strictly necessary cookies from analytics and marketing cookies. First, necessary cookies run without consent because they keep the login session and the cashier basket stable. Next, analytics cookies activate only after affirmative consent, and they never mix with marketing cookies without a separate opt-in. Moreover, a consent refresh triggers every twelve months so that lapsed approvals do not linger.
| Cookie Category | Purpose | Example Vendors | Duration |
|---|---|---|---|
| Strictly necessary | Login session, cashier security | In-house | Session |
| Preference | Language, currency, UI theme | In-house | 12 months |
| Analytics | Page performance, funnel studies | Google Analytics (IP-masked) | 14 months |
| Marketing | Retargeting, campaign attribution | Meta Pixel, affiliate tags | 180 days |
| Anti-fraud | Device fingerprint, replay defence | Specialist security vendor | 30 days |
Your GDPR Rights
Norwegian residents enjoy the full list of data-subject rights granted by GDPR Article 15 to Article 22. Moreover, the data-protection officer processes each request inside one calendar month, though complex cases may extend to ninety days when expressly communicated. Consequently, most requests close long before the statutory ceiling, and a written trail tracks each step of the workflow.
- Access: Request a copy of your full file in a machine-readable format.
- Rectification: Correct any inaccurate or outdated entry, usually through the dashboard itself.
- Erasure: Ask for removal where no AML retention duty applies; statutory exceptions remain documented.
- Restriction: Pause processing during a pending dispute or pending correction cycle.
- Objection: Refuse legitimate-interest processing such as behavioural analytics at any time.
- Portability: Receive an electronic copy that can be forwarded to another controller.
Requests travel to [email protected], and a unique ticket identifier returns within three working days. Furthermore, Datatilsynet at datatilsynet.no stands ready as the external regulator whenever a response disappoints you. Additionally, the European Data Protection Board supports cross-border complaints when the processing spans multiple member states. Therefore, at least two escalation routes remain open even after the internal process closes.
Minors and Family Protection
SpinMacho never knowingly collects information from anyone under eighteen. First, the registration form enforces the age gate, and KYC triggers a second check before the first withdrawal. Moreover, parents who suspect underage exposure can write directly to [email protected] for a priority takedown and data erasure. Consequently, the platform treats underage data as a compliance failure rather than a low-priority ticket.
Furthermore, households can layer extra filters on top of the in-site protection. For example, Norwegian families frequently rely on Altibox or Telia parental controls, plus browser-level extensions such as Gamban or BetBlocker. Additionally, device-level screen-time tools on iOS and Android block entire gambling domain categories. Therefore, a layered defence dramatically lowers the risk that a teenager stumbles onto the cashier.
Security Controls Behind the File
The operator wraps the member file in multiple layers of defence, starting with TLS 1.3 across every request. Passwords are stored only as salted hashes, and cashier card numbers travel only as tokenised stand-ins. Role-based access inside the operator prevents support agents from reading the raw ID scans unless a manager approves the elevated permission. Consequently, even internal queries leave an audit trail that compliance officers can review at any time.
Encryption at rest protects every database shard, and periodic penetration tests keep the estate honest against new attack vectors. Specifically, the operator commissions an annual external audit that covers web, mobile and cashier endpoints. Additionally, a bug-bounty programme rewards responsible disclosure, which encourages security researchers to report rather than exploit. Therefore, the security posture evolves in step with the threat landscape instead of drifting backward.
Data Breaches and Notifications
In the unlikely case of a personal-data breach, the operator activates a tested incident-response plan within an hour of detection. First, the technical team contains the breach and preserves forensic evidence. Next, the data-protection officer evaluates the scope and risk to members. Moreover, Datatilsynet receives notification inside the statutory seventy-two-hour window whenever a high-risk breach affects Norwegian residents.
Affected members receive a direct email notification that explains the incident, the data fields involved and the concrete steps to protect themselves. Furthermore, a post-incident report lands on the site once containment closes, which keeps the wider membership informed without dramatising the event.
Keeping the Notice Current
This notice refreshes whenever a data flow changes or a partner enters or leaves the vendor roster. Moreover, significant revisions trigger a dedicated email and a dashboard banner, both published at least fourteen days before the new version takes effect. Consequently, members always get advance sight of a new practice before it goes live. Questions travel to [email protected], while concerns that feel ignored escalate to Datatilsynet or the EDPB without penalty.