RoyalSea Casino is the data controller for the information described on this page. The company is registered offshore and operates under licence at the address listed in the footer. The data protection officer can be contacted by email at privacy@royalsea.vip. We take all reasonable technical and organisational measures to protect your data, but no system is ever completely free of risk, so we encourage you to use a strong unique password and enable two factor authentication on your account.
Account Data
Name, date of birth, address, email, phone, country and currency.
Identity Data
Government issued ID and proof of address used to satisfy KYC and AML obligations.
Transaction Data
Deposits, withdrawals, bets and wins, retained for regulatory and tax reporting periods.
Technical Data
IP address, device, browser and login times, used for fraud prevention and account security.
Marketing Data
Preferences and consent records, only used while opt in remains active.
Location Data
Country level location used to comply with regional restrictions on access.
What personal data does RoyalSea Casino collect and why?
We collect the minimum data necessary to register your account, verify your identity, process payments, deliver the games and meet our legal obligations. Registration captures your name, date of birth, residential address, email, telephone number, base currency and chosen password. The date of birth and address are mandatory because we have a legal obligation to verify that you are over 18 and to apply anti money laundering rules. Email and phone are mandatory because they are how we deliver service messages and the recovery flow if you lock yourself out of the account.
Identity verification captures a copy of a government issued photo ID and a recent proof of address. These documents are stored encrypted at rest and accessed only by trained compliance staff. We retain identity documents for the period required by our regulator, which is currently five years after closure of the account, and securely delete them at the end of that retention period.
What is the legal basis for processing your data?
The lawful bases we rely on vary by data category. Contract performance covers account creation, deposits, gameplay and withdrawals because we cannot deliver the service without those data points. Legal obligation covers identity verification, anti money laundering checks, sanctions screening and the retention of transaction records for the regulatory period. Legitimate interest covers fraud prevention, security monitoring and aggregated analytics that improve the platform without identifying individual users. Consent covers all direct marketing, optional cookies and any optional personalisation features. You can withdraw consent at any time without affecting the lawfulness of processing performed before the withdrawal.
Your rights under GDPR
Access, rectification, erasure, restriction, portability, objection and the right to withdraw consent are all available. Submit a request to privacy@royalsea.vip and we will respond within thirty days. Most requests are handled inside seven days unless they require document review.
How does RoyalSea Casino share personal data with third parties?
We use a small number of third party processors to operate the service. Payment processors handle deposits and withdrawals and receive only the data they need to process a given transaction. Identity verification providers receive the documents and personal data they need to confirm your identity, then return a result to us and delete the underlying material per their own data policy. Hosting providers run the infrastructure on which the platform operates, with data stored in EU and EEA data centres. Customer support tooling stores conversation logs for the period required to resolve disputes. Marketing tools, where you have opted in, send the messages you have agreed to receive and respect the unsubscribe link in every message.
We do not sell personal data to any party. We do not share personal data with advertisers for behavioural retargeting. The only times we disclose personal data outside the processor list are when we are legally required to do so by a court order, when we need to defend a legal claim, or when we are responding to a substantiated request from a regulator with jurisdiction over our operations.
How long do we keep your data and how can you delete it?
Account data is retained for the duration of the account plus the regulatory retention period that follows closure. For most categories that period is five years, which matches the standard AML retention requirement, but financial records linked to large transactions may be retained for up to seven years where the underlying transaction warrants it. Marketing data is deleted within thirty days of consent withdrawal. Technical logs are rotated and aggregated within ninety days for the most granular fields, with anonymous aggregates retained longer for security analysis.
To delete your account and trigger the deletion of all data we are not legally required to retain, submit an erasure request via the support team. We will close the account, return any remaining balance to your verified payment method, and confirm the deletion in writing. Data we are legally required to retain for AML purposes cannot be deleted until the regulatory retention window expires, but it is locked from all marketing and analytical use the moment the erasure request is processed.
International data transfers follow the European Commission Standard Contractual Clauses for any processor located outside the EEA. Where a transfer relies on additional safeguards, those are documented in the processor agreement and reviewed annually. The current list of processors and their locations is available on request via the privacy team. We commit to giving thirty days notice in your account inbox before adding any new processor that materially changes the international transfer profile.
Children are not permitted to use the platform. The account creation process verifies date of birth electronically and any account that is later determined to belong to a child is locked, with any deposits returned to the source of funds and the data deleted in line with the law. If you believe a child has registered an account using your details, contact privacy@royalsea.vip immediately.
Security controls include encryption in transit via TLS 1.3, encryption at rest for personal data in the production database, role based access control for staff, mandatory two factor authentication on every internal admin tool, and continuous monitoring for unusual access patterns. We test the platform with both internal and external security teams on a recurring basis and remediate findings to a documented severity timeline. In the event of a personal data breach that meets the notification threshold, we will notify the relevant supervisory authority within seventy two hours and inform affected users without undue delay.
You can read more about how cookies work on this site on the RoyalSea Casino Cookie Policy page. The cookie banner that appears on first visit captures your consent preferences and the same preferences apply across every page of the site and every session, until you choose to update them.
For questions about responsible play, account closure or any topic that is not strictly a privacy matter, see the RoyalSea Casino Get Help page. The privacy team handles data subject requests; the support team handles every other type of question and can route a request to the privacy team if needed. If you remain unsatisfied with the privacy team response, you have the right to complain to the supervisory authority in your country of residence. In Ireland the supervisory authority is the Data Protection Commission, which can be reached at dataprotection.ie or on 1800 437 737.
- We are the data controller for your account data
- Identity documents stored encrypted, retained per AML rules
- No sale of personal data to any party
- Standard Contractual Clauses cover international transfers
- Two factor authentication available on every account
- Right to complain to the Data Protection Commission if a concern is not resolved