Privacy Policy
1. Introduction
Effective date: 1 July 2026. This Privacy Policy (the "Policy") describes how WolfWinner N.V., a company incorporated in Curaçao under registration number 157447, with registered office at Heelsumstraat 51, E-Commerce Park, Curaçao (the "Operator", "we", "us" or "our"), collects, uses, discloses, stores and protects personal information relating to natural persons who register an account with, deposit funds at or otherwise interact with the Wolf Winner Casino brand (the "User" or "Player"). The Policy applies to all activity conducted through the Wolf Winner Casino Australian-facing website, its cashier, its game clients and any related support channels. By registering an account or otherwise engaging with the Services, the User acknowledges having read and understood the practices set out below and consents to those practices to the extent that consent is the relied-upon lawful basis. Where any provision of this Policy is not accepted, the User must refrain from creating an account and refrain from submitting personal information through the Site. This Policy should be read together with the Terms & Conditions, the KYC & AML Policy and the Responsible Gambling policy, each of which forms part of the User’s contractual and regulatory relationship with the Operator.
2. Compliance Framework
2.1 Australian Privacy Act 1988
WolfWinner N.V. is a Curaçao-based entity and is not itself an "APP entity" within the strict meaning of the Privacy Act 1988 (Cth). Notwithstanding that jurisdictional position, and in recognition of the fact that the Wolf Winner Casino Australian-facing brand serves a materially Australian audience, personal information is handled in a manner that is substantially aligned with the principles and expectations of the Privacy Act 1988 (Cth). Where Australian statutory rights are engaged, those rights are preserved and are not displaced by any provision of this Policy.
2.2 Australian Privacy Principles (APPs)
Data-handling practices at the Company are structured with reference to the thirteen (13) Australian Privacy Principles set out in Schedule 1 of the Privacy Act 1988 (Cth). The APPs governing open and transparent management (APP 1), anonymity and pseudonymity where practicable (APP 2), collection of solicited personal information (APP 3), dealing with unsolicited personal information (APP 4), notification (APP 5), use and disclosure (APP 6), direct marketing (APP 7), cross-border disclosure (APP 8), adoption of government-related identifiers (APP 9), data quality (APP 10), data security (APP 11), access (APP 12) and correction (APP 13) are treated as material reference points for internal controls, staff training and vendor selection.
2.3 Curaçao Data Protection Regulations
As data controller, the Operator processes personal information in accordance with the data-protection obligations imposed by the laws of Curaçao and by the conditions of Curaçao eGaming licence number 8048/JAZ (full form 8048/JAZ2020-013). Records required to be kept for gaming, anti-money-laundering and financial-reporting purposes are retained in accordance with those obligations, which may extend the retention period beyond the User’s ordinary preferences.
2.4 Relationship to the GDPR
The Operator does not represent that it is fully compliant with the European Union General Data Protection Regulation (Regulation (EU) 2016/679). Users who are habitually resident in the European Union or the European Economic Area may nevertheless be entitled to additional data-subject rights arising under the GDPR where that regulation applies extraterritorially. Requests from such Users are handled on a good-faith basis in accordance with the substantive rights conferred by the GDPR, notwithstanding the Operator’s non-EU domicile.
3. What Data We Collect
3.1 Account Data
At registration, the Operator collects the User’s full legal name, date of birth, residential address, country and state of residence, email address, mobile telephone number, chosen username and a password (which is stored in hashed form and is not accessible in plaintext to Operator staff). Preferred-communication settings, such as language selection, are also captured at this point.
3.2 Verification Data
For the purpose of satisfying know-your-customer, source-of-funds and anti-money-laundering obligations, government-issued photographic identification (passport, driver licence or comparable document), proof of residential address (utility bill, bank statement or comparable document dated within the previous three months) and proof of payment-method ownership (a screenshot or scan showing the account holder’s name and truncated instrument number) are collected. Where source-of-funds enquiries are triggered, further documentation such as payslips, tax returns or bank statements may be requested.
3.3 Transaction Data
Records of every deposit, withdrawal, wager, win, loss, bonus grant and bonus conversion associated with the Account are processed and retained. Transaction records include amount, currency, timestamp, payment instrument reference (where lawfully permissible), game identifier and internal transaction reference numbers.
3.4 Technical Data
Technical information collected by the Site includes Internet Protocol (IP) address, device fingerprint metrics (screen resolution, operating system, browser vendor and version, timezone, language), session cookies, session-duration metrics, referring URL and click-path data. This technical information is used for security, fraud prevention, geo-verification and analytics purposes.
3.5 Communication Data
Support-channel interactions — including live-chat transcripts, email correspondence, in-app messages and any telephone-support recordings where such recordings are permitted by local law — are collected and retained. Users interacting with support are informed at the point of interaction of the collection of such data.
4. How We Use Your Data
4.1 Provision of Services and Transaction Processing
Personal information is used to provide the Services described in the Terms & Conditions, including account authentication, cashier operation, deposit and withdrawal processing, game session delivery and customer support. Without this processing, the Services cannot be delivered.
4.2 KYC / AML Compliance and Fraud Detection
Personal and verification information is processed for the purpose of verifying identity, screening against sanctions and politically-exposed-persons lists, detecting duplicate accounts, and monitoring for patterns consistent with money laundering, bonus abuse, chargeback fraud or payment-instrument compromise, in accordance with the KYC & AML Policy.
4.3 Responsible Gambling Monitoring
Session-duration data, deposit velocity, loss velocity and support-channel content are reviewed for markers of at-risk play. Where markers are detected, the User may be prompted to review deposit-limit, session-time and self-exclusion settings, in accordance with the Responsible Gambling policy.
4.4 Marketing Communications (Opt-In)
Personal information is used to deliver promotional communications only where the User has provided a positive opt-in at registration or subsequently through the Account preferences page. Opt-in consent may be withdrawn at any time through the unsubscribe link in each communication or through the Account preferences page, without adverse effect on the Services.
4.5 Legal and Regulatory Obligations
Personal information may be processed where required in order to comply with obligations imposed on the Operator by Curaçao law, by the conditions of its gaming licence, or by valid legal process originating from a competent authority — including in appropriate cases requests from Australian regulatory or law-enforcement bodies.
5. Legal Basis for Processing
5.1 Performance of Contract
The primary lawful basis for the majority of processing described in this Policy is the performance of the contract between the Operator and the User. Without account creation, transactional processing and support interactions, the Services cannot be delivered.
5.2 Compliance with Legal Obligation
Processing carried out for KYC, AML, sanctions-screening, transaction-monitoring, reporting to competent authorities and record-keeping is grounded in legal-obligation bases arising under Curaçao law and under the conditions of the Operator’s gaming licence.
5.3 Legitimate Interests
Processing carried out for fraud prevention, security monitoring, duplicate-account detection, bonus-abuse detection and internal analytics is grounded in the Operator’s legitimate interest in operating a secure, solvent and regulated gaming service, balanced against the fundamental rights and freedoms of the User.
5.4 Consent
Processing carried out for direct marketing, non-essential analytics cookies and optional profiling features is grounded in the User’s freely-given, specific, informed and unambiguous consent. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to the withdrawal.
6. Data Sharing
Personal information is disclosed only to categories of recipient set out below, and only to the extent necessary for the purposes described in section 4.
6.1 Payment Providers
Deposit and withdrawal processing requires disclosure of the necessary transaction data to the User’s chosen payment provider — including PayID, POLi, Neosurf, card processors (Visa, MasterCard), bank-transfer intermediaries and cryptocurrency processors handling Bitcoin, Ethereum, Litecoin and Tether transfers. Full payment methods are documented on the cashier page.
6.2 KYC Service Providers
Identity verification may be delegated to third-party specialists such as document-verification and biometric-liveness vendors (for example, providers of a scale comparable to SumSub or Onfido). Such vendors process personal information strictly on behalf of the Operator and under contractual data-protection commitments.
6.3 Game and Live-Dealer Providers
Delivery of game sessions requires session-level data (game identifier, wager amount, seat identifier where applicable) to be exchanged with the game studio hosting the underlying content — including live-dealer suppliers such as Evolution Gaming and Pragmatic Play Live, and slot-content suppliers listed in the game lobby.
6.4 Analytics Providers
Aggregated and pseudonymised analytics data — page views, session-duration percentiles, campaign performance — may be shared with analytics vendors selected by the Operator. Personally identifiable information is not shared for analytics purposes without additional lawful basis.
6.5 Law Enforcement and Regulators
Personal information may be disclosed to law-enforcement agencies, regulators or courts where a valid legal request is received. Disclosures of this nature are recorded internally, reviewed for scope and, where lawful, notified to the affected User.
7. Data Retention
7.1 Active Accounts
For so long as an Account remains active, the full record of Account, verification, transaction, technical and communication data associated with that Account is retained. "Active" for these purposes has the meaning set out in the Terms & Conditions dormancy clause.
7.2 Closed Accounts
Following closure or self-exclusion, identity, verification and transaction records are retained for a period of seven (7) years from the date of closure, as required for anti-money-laundering, tax and regulatory-audit purposes. After the seven-year period, records are anonymised or securely destroyed unless a longer retention period is required by law.
7.3 Chat and Support Logs
Live-chat transcripts, email correspondence and support-ticket records are retained for a rolling period of twenty-four (24) months from the date of the interaction, unless the interaction relates to an unresolved dispute, in which case retention is extended until final resolution plus the applicable statute of limitations.
7.4 Marketing Consent Records
Records of marketing opt-ins and opt-outs are retained for the duration of the consent and for a period of twenty-four (24) months following its withdrawal, as evidence of the consent state at any given point in time.
8. Your Rights (APP 12 and APP 13)
8.1 Right of Access
The User may request confirmation as to whether personal information about the User is processed by the Operator and, if so, a copy of that information. Reasonable requests will be actioned within thirty (30) calendar days from receipt of a verified request, in alignment with APP 12.
8.2 Right of Correction
The User may request correction of inaccurate, incomplete or outdated personal information. Where correction is refused, the User is entitled to a written statement of the reasons for refusal and to have a note associated with the record indicating that correction has been sought, in alignment with APP 13.
8.3 Right to Complain
The User may lodge a complaint with the Operator’s internal privacy contact set out in section 13. Where the internal response is not satisfactory, an Australian User may escalate the matter to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
8.4 Right to Withdraw Consent
Where processing is grounded in consent (in particular marketing communications and non-essential analytics), the User may withdraw that consent at any time through the Account preferences page or through the unsubscribe link included in each marketing communication. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
9. Cookies and Tracking
9.1 Essential Cookies
Essential cookies — including the session-authentication cookie, the anti-CSRF token cookie and the geolocation-verification cookie — are strictly necessary for the operation of the Services and cannot be disabled without breaking core functionality (login, cashier, game launch).
9.2 Analytics Cookies
Analytics cookies measure page-level and session-level engagement and are set only where the User has provided consent through the first-visit cookie banner. Analytics cookies may be disabled at any time by revisiting the cookie banner or by adjusting the cookie preferences in the Account settings.
9.3 Marketing Cookies
Marketing cookies support advertising personalisation and campaign attribution and are set only where the User has provided consent through the first-visit cookie banner. As with analytics cookies, marketing cookies may be disabled at any time.
9.4 Third-Party Cookies
Certain third parties — notably payment providers and embedded game clients — may set cookies within their own iframes as an incident of delivering their service. Such cookies are governed by the respective third-party privacy policies, references to which are made available through the cookie banner.
10. Data Security
10.1 Encryption in Transit
All communication between the User’s browser and the Operator’s servers is protected in transit through Transport Layer Security at version 1.3 where supported by the User’s browser, with fallback to TLS 1.2 for older clients. HTTP traffic is redirected to HTTPS at the edge.
10.2 Encryption at Rest
Personal information stored in the Operator’s production databases is encrypted at rest using AES-256 or an equivalent industry-standard algorithm. Backups are encrypted with independently-managed key material and are held in geographically-separate storage locations.
10.3 Access Controls
Access to production personal information is restricted on a strict need-to-know basis, enforced through role-based access control, multi-factor authentication for administrative accounts, and periodic access reviews. Administrative actions on personal information are logged and audit-trailed.
10.4 Breach Notification
Where the Company becomes aware of a data breach that is likely to result in serious harm to affected individuals, notification will be provided to those individuals and, where the User is an Australian resident, in a manner consistent with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth), which contemplates notification as soon as practicable following the Operator’s awareness of the breach.
11. Children’s Data
11.1 18+ Jurisdiction
The Services are directed exclusively to natural persons aged eighteen (18) years or over. The Operator does not knowingly collect, process, use or disclose personal information relating to individuals under the age of eighteen.
11.2 Accidental Collection
Where the Operator becomes aware that personal information relating to an individual under the age of eighteen has been collected — whether through a false declaration at registration or otherwise — that information is deleted from active systems as soon as reasonably practicable, the associated Account is closed and, where funds were deposited, those funds are returned to the source of deposit, subject to any anti-money-laundering restrictions.
12. International Transfers
12.1 Server Location
The Operator’s primary processing infrastructure is located within the European Union and Curaçao. Personal information relating to Australian Users is therefore transferred cross-border for storage and processing purposes.
12.2 Cross-Border Safeguards
Cross-border transfers are protected through a combination of contractual mechanisms with recipients (including data-protection clauses substantively comparable to Standard Contractual Clauses adopted under EU law) and technical safeguards described in section 10. In accordance with APP 8, reasonable steps are taken to ensure that overseas recipients do not breach the APPs in relation to the transferred information.
13. Data Protection Officer and Contact
13.1 Privacy Contact
Queries, access requests, correction requests, marketing-consent withdrawals and complaints may be directed to the Operator’s privacy contact by email to the address published on the Site’s Contact page (illustrative reference: [email protected] pending confirmation on the live Site). Postal correspondence may be addressed to: WolfWinner N.V., Attn: Privacy Officer, Heelsumstraat 51, E-Commerce Park, Curaçao.
13.2 External Escalation
Where an internal response is not satisfactory, Australian Users are entitled to lodge a complaint with the Office of the Australian Information Commissioner (OAIC), the independent statutory authority responsible for privacy oversight in Australia. Complaint procedures and contact information are published at www.oaic.gov.au.
14. Changes to This Policy
This Policy may be amended from time to time to reflect changes in law, regulatory guidance, business practice, third-party vendor arrangements or the categories of personal information processed. Where an amendment is material, registered Users will be notified by email and by an on-Site banner not less than fourteen (14) calendar days prior to the amended Policy taking effect. Continued use of the Services after the effective date of an amended Policy constitutes acceptance of that amended Policy. Where the User does not accept a material amendment, the Account may be closed and any Cash Balance withdrawn, subject to Wagering Requirements and the standard withdrawal rules set out in the Terms & Conditions. Users are encouraged to revisit this Policy periodically and to consult the Wolf Winner AU homepage for links to the most recent version of the Operator’s governance documents.
Wolf Winner Editorial · Last updated 1 July 2026.