
Privacy Policy

This Privacy Policy explains how The Online Casino on tonline.casino collects, uses, shares, and protects personal data. A privacy policy is required to ensure transparency and to meet UK data protection requirements, including the UK GDPR and the Data Protection Act 2018, and to help you understand your choices and rights.

This Privacy Policy applies to (i) visitors to tonline.casino, (ii) registered players who open and use an account, and (iii) people who contact us (for example, via support channels) in connection with The Online Casino.

Effective date: 6 November 2025.

Who We Are

OBSERVE: The Online Casino is a UK-facing online casino brand operated on the ProgressPlay Limited platform as a white-label arrangement. The licensed operator identified in the provided data is ProgressPlay Limited, holding a UK Gambling Commission licence for remote gambling operations for UK players (licence no. 39335) and a Malta Gaming Authority licence for non-UK operations (MGA/B2C/231/2012).

EXPAND: Under UK GDPR, we must clearly identify the "controller" (or explain controller/processor roles) and provide contact routes to a responsible privacy function. As a white-label structure may involve multiple parties (brand marketing partner, platform, payment entities such as Babaloo Limited for card processing), we also need to explain that different entities may act as independent controllers or processors depending on the activity (e.g., KYC checks, payments, fraud prevention).

REFLECT: For privacy matters relating to The Online Casino on tonline.casino, please use the contacts below.

Operator (Platform & Licensed Entity)

  • Legal name: ProgressPlay Limited
  • Registered/legal address: Soho Office, 3A, Punchbowl Centre, Elia Zammit Street, St. Julians, STJ3154, Malta
  • UKGC licence: 39335 (Remote gambling operations for UK players; active as verified in the provided data as of January 2025)
  • MGA licence: MGA/B2C/231/2012 (Non-UK oversight; active as verified in the provided data as of January 2025)
  • Company registration number / tax identification: Not specified in the provided data.

Data Protection Contact (DPO / Privacy Function)

  • Email: Not specified in the provided data. Any future privacy email address, if published, will use the @tonline.casino domain.
  • Phone: Not specified in the provided data.
  • Postal contact: Data Protection Department, ProgressPlay Limited, Soho Office, 3A, Punchbowl Centre, Elia Zammit Street, St. Julians, STJ3154, Malta

Note: Support availability information in the provided data is conflicting (24/7 vs. 08:00-00:00 GMT). Where a response-time expectation is stated in this Privacy Policy, it applies regardless of live-agent hours.

What Personal Data We Collect

OBSERVE: The Online Casino on tonline.casino provides remote gambling services that inherently require identity verification, fraud prevention, payment processing, and responsible gaming controls (including GAMSTOP integration noted in the provided data). These functions require collecting certain personal, technical, and behavioural information.

EXPAND: Under UK GDPR, we must describe categories of data collected and be clear where data is provided directly by you, obtained from third parties (e.g., KYC/AML providers), or generated by your use of the service (e.g., gameplay logs). We must also reflect that payment processing may involve separate entities (e.g., Babaloo Limited for card transactions, per provided data).

REFLECT: We may collect the following categories of personal data (depending on how you use the site and your account settings):

Identity & Contact Data

  • Core identifiers: full name, date of birth, username, nationality (where required for regulatory checks).
  • Contact details: email address, telephone number, residential address.
  • Verification/KYC data: copies of identity documents, proof of address, selfie/liveness checks (where required), and Source of Funds/Source of Wealth information when required by AML triggers.

Account, Gameplay & Behavioural Data

  • Account activity: registration date, login history, account status, verification status, and communications with support.
  • Gambling activity: betting and transaction history, game sessions, wins/losses, bonus use, responsible gaming limits, and self-exclusion indicators (including GAMSTOP interactions where applicable).
  • Behavioural analytics: clicks, navigation paths, time spent on pages, feature usage patterns (subject to cookie choices and lawful basis).

Financial & Payment Data

  • Payment details: deposit and withdrawal records, payment method used (e.g., Visa/Mastercard, PayPal, Trustly, EcoPayz, Apple Pay, Pay via Phone), partial card identifiers, and payment confirmations.
  • Processor involvement: card transaction processing may involve Babaloo Limited (described in the provided data as a subsidiary for card processing), and other payment partners may process payment data as controllers/processors as applicable.

Technical Data

  • Device & network identifiers: IP address, device type, operating system, browser type, language preferences, and approximate location inferred from IP.
  • Log and security data: access logs, error reports, anti-fraud signals, and authentication events.

Cookies and Similar Technologies

  • Cookie data: cookie identifiers, preferences, and consent signals.
  • Tracking technologies: pixels/SDKs/tags used for analytics and advertising (where consent is required).

Legal Basis for Processing

OBSERVE: Under the UK GDPR, each processing activity must have a lawful basis. For gambling operations, common bases include contract performance, legal obligation (KYC/AML and regulatory reporting), legitimate interests (fraud prevention, service security), and consent (non-essential cookies and certain marketing).

EXPAND: UK gambling compliance (including UKGC expectations) intersects with privacy: identity verification, affordability/Source of Funds checks, and responsible gambling monitoring can be legally required or strongly justified as legitimate interests and/or legal obligations. We must also recognise that consent is not the default for everything; it should be used where it is genuinely freely given (e.g., marketing preferences, non-essential cookies).

REFLECT: We rely on one or more of the following legal bases, depending on the context:

  • Contract (UK GDPR Art. 6(1)(b)): to create and administer your account, provide gameplay, process deposits/withdrawals, apply bonuses under the applicable terms, and deliver customer support.
  • Legal obligation (Art. 6(1)(c)): to comply with gambling and financial crime laws and regulatory requirements, including KYC/AML checks, ongoing monitoring, record-keeping, responding to regulator requests (e.g., UKGC), and enforcing self-exclusion/responsible gaming controls (including GAMSTOP where applicable).
  • Legitimate interests (Art. 6(1)(f)): to secure tonline.casino, prevent and detect fraud, protect the integrity of games, maintain service quality, perform limited analytics and internal reporting, and manage disputes, balanced against your rights and expectations.
  • Consent (Art. 6(1)(a)): for non-essential cookies and similar technologies, and for certain direct marketing where required by law (and always subject to your ability to withdraw consent).

Special category data: We do not intend to collect special category data (UK GDPR Art. 9) unless strictly necessary and legally permitted. If it is inadvertently provided (e.g., in documents you upload), it will be handled with additional safeguards and minimised.

Purpose of Processing

OBSERVE: The Online Casino uses data to operate an online casino, meet regulatory duties, and deliver support. The provided data indicates group-level sharing may occur for marketing with an opt-out through dashboard settings.

EXPAND: Purpose limitation requires that we define purposes clearly and not reuse data incompatibly. We should also acknowledge the operational realities: anti-fraud and AML monitoring may result in additional checks and temporary restrictions, as hinted by the operator's UKGC regulatory history and common compliance controls.

REFLECT: We process personal data for the following purposes:

  • Service delivery: register and manage your account, provide access to games, administer promotions/bonuses, and facilitate withdrawals and deposits.
  • Identity verification and compliance: perform KYC/AML checks, Source of Funds/Source of Wealth requests where required, age verification, and enforce responsible gaming and self-exclusion measures (including GAMSTOP integration where applicable).
  • Fraud prevention and security: detect suspicious activity, prevent account takeover, protect payment integrity, and maintain platform security.
  • Customer support and communications: respond to enquiries, handle complaints, and provide service messages (e.g., verification status updates).
  • Analytics and product improvement: understand how tonline.casino is used and improve performance, usability, and content (subject to cookie/consent settings where required).
  • Marketing (where permitted): send marketing communications and show personalised offers, including group marketing as described in the provided data, subject to your preferences and opt-out controls.
  • Legal claims and dispute management: establish, exercise, or defend legal claims; manage disputes, including ADR routes where relevant.

Disclosure & Sharing

OBSERVE: Running The Online Casino on tonline.casino requires third-party providers (payment partners, KYC vendors, hosting, analytics). The operator is UKGC-licensed (licence 39335) and may need to share data with regulators. The provided data also indicates data sharing within the ProgressPlay group for marketing with opt-out via user dashboard settings.

EXPAND: UK GDPR requires transparency about recipients and categories of recipients, plus safeguards for third-party processing (DPAs, confidentiality, minimisation). Because advertising/affiliate ecosystems can create heightened privacy risk, consent and cookie compliance (PECR) must be reflected for tracking-based advertising.

REFLECT: We may disclose personal data to the following recipients where necessary and lawful:

Service Providers (Processors)

  • Hosting and infrastructure: providers that host or support tonline.casino systems and databases.
  • Security and fraud prevention: device fingerprinting, threat detection, and fraud analytics vendors.
  • KYC/AML and verification: identity, age, address verification providers and screening tools used to meet legal and regulatory requirements.
  • Communications: providers enabling operational emails and service messaging (e.g., verification notices), subject to appropriate safeguards.

Payment and Financial Partners

  • Payment processors and banking partners: to process deposits/withdrawals and manage chargebacks and fraud.
  • Card processing entity: Babaloo Limited is described in the provided data as handling card transaction processing as a compartmentalised payment processor entity. Depending on the transaction flow, this entity may act as a processor or controller for certain payment data.

Regulators, Authorities, and Legal Necessity

  • UK Gambling Commission (UKGC): we may share information required for licensing compliance, audits, and regulatory requests.
  • Law enforcement and public authorities: where required by law, court order, or to prevent/investigate crime (including financial crime).

Group and Corporate Sharing

  • ProgressPlay group sharing: the provided data states that the privacy policy allows data sharing within the ProgressPlay group for marketing, with an opt-out available via user dashboard settings. We will apply appropriate controls, minimisation, and respect your marketing preferences.

Affiliates and Advertising Networks

  • Affiliate attribution: we may share limited data required to attribute traffic and commissions (e.g., conversion events) where lawful.
  • Advertising and personalisation: where cookies/identifiers are used for advertising, we will seek consent where required and offer opt-out/management tools via the cookie settings panel and browser controls.

We do not sell personal data in the sense commonly used under privacy laws. Where we enable marketing/advertising partners, it is for service delivery, measurement, or advertising functions and subject to lawful basis and controls.

International Transfers

OBSERVE: The operator address in the provided data is in Malta, while the brand targets UK players. Third-party vendors (e.g., cloud hosting, fraud tools, analytics, and payment partners) may be located in multiple jurisdictions, which can involve international transfers of personal data.

EXPAND: Under the UK GDPR, transfers outside the UK require appropriate safeguards (e.g., UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, adequacy regulations). References such as "Privacy Shield" are no longer a default UK mechanism; if the UK-US Data Bridge applies, it should be framed carefully and only where actually relied upon by the parties. Because vendor footprints change, we should describe regions and safeguards rather than an exhaustive list.

REFLECT: Personal data may be transferred and processed outside the UK, including (as operationally necessary):

  • Malta: because certain operational functions are performed by the Malta-based licensed operator entity noted above.
  • EEA/EU and other locations: where our group companies, payment partners, verification vendors, customer support tools, or infrastructure providers are located.
  • Other jurisdictions (including the United States): where specific service providers operate, depending on your interactions and our vendor stack at the time.

Safeguards We Use

  • Adequacy regulations: where the UK has recognised a country/territory as providing adequate protection.
  • Contractual safeguards: the UK IDTA or the UK Addendum to the EU SCCs, plus vendor due diligence and audit rights where appropriate.
  • Technical and organisational measures: encryption in transit (TLS), access controls, and minimisation to reduce transfer risk.

Regional compliance note (UK): We assess transfers under UK GDPR requirements and implement safeguards designed to maintain an essentially equivalent level of protection.

Data Retention

OBSERVE: Gambling operators must retain certain data for regulatory and anti-money laundering purposes. The provided instruction requires clear retention periods (example: no more than 5 years after account closure), plus deletion criteria. The operator also applies inactivity rules in other policies (e.g., dormant account fee after 12 months), which implies continued account record management.

EXPAND: Retention must be proportionate, tied to purposes, and consistent with legal obligations (e.g., AML record-keeping). We should separate: (a) regulatory/AML retention, (b) account operations, (c) marketing data, (d) technical logs, and (e) dispute/legal claims. We must also clarify that deletion may be constrained by legal obligations.

REFLECT: We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention Overview (Typical Periods)

  • Core account and identity/KYC data: typically retained for up to 5 years after account closure (or longer if required to meet legal/regulatory obligations or to handle disputes/claims).
  • Transaction and payment records: typically retained for up to 5 years after account closure (and potentially longer where required for financial, tax, AML, or chargeback/anti-fraud purposes).
  • Gameplay and behavioural history (player protection, fraud, compliance): typically retained for up to 5 years after account closure, subject to legal obligations and the need to evidence compliance with responsible gambling and AML duties.
  • Marketing preferences and consent records: retained while you maintain an account and/or until you withdraw consent or object, plus a limited period afterwards to evidence compliance (suppression lists may be retained to ensure we respect opt-outs).
  • Technical logs and security records: typically retained for 6 to 24 months, unless a longer period is needed to investigate security incidents, fraud, or disputes.
  • Cookies: retained according to cookie type (session cookies expire when you close your browser; persistent cookies remain for the period set in the cookie settings unless deleted earlier).

Deletion and Anonymisation Criteria

  • Account closure: triggers retention countdowns, subject to mandatory legal retention.
  • User request: we will action valid deletion requests where we have no overriding legal basis to retain the data.
  • End of purpose: when the data is no longer necessary for the purpose collected, we delete or irreversibly anonymise it.

Important limitation: Where we must retain data to comply with legal obligations (e.g., AML) or to establish/defend legal claims, we will restrict processing rather than delete it until retention obligations expire.

Your Rights

OBSERVE: UK users have rights under the UK GDPR and Data Protection Act 2018. The prompt also requires "GDPR and Mexican privacy law alignment" and references Mexican regulations. The Online Casino is UK-focused, but users may still request information from abroad; therefore, we can acknowledge Mexico's framework while keeping UK compliance primary.

EXPAND: We must describe rights, how to exercise them, timeframes (30 days), and free-of-charge principle, plus limits/exemptions (e.g., AML retention). For Mexico, the relevant concept is ARCO rights under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and its regulations. We should avoid implying we are primarily regulated by Mexico, but we can state we will facilitate equivalent requests for users located in Mexico.

REFLECT: Subject to applicable law and identity verification, you have the following rights:

Your UK GDPR Rights

  • Right of access: obtain confirmation of whether we process your data and receive a copy, along with key information.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure: request deletion where processing is no longer necessary or where consent is withdrawn (subject to legal retention duties, including AML/UKGC requirements).
  • Right to restriction: request that we limit processing in specific cases (e.g., contested accuracy, pending objection outcome).
  • Right to object: object to processing based on legitimate interests and object at any time to direct marketing (marketing objection is absolute).
  • Right to data portability: receive certain data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another provider where technically feasible.
  • Right to withdraw consent: where processing is based on consent (e.g., non-essential cookies), you can withdraw it at any time without affecting the lawfulness of prior processing.

Mexico (ARCO Rights) - Where Relevant

  • Access, Rectification, Cancellation, Opposition (ARCO): if you are located in Mexico, you may submit an ARCO-style request consistent with the LFPDPPP and its Regulations. We will handle it using materially similar verification and response steps as under UK GDPR, unless local mandatory rules require otherwise.
  • Scope clarification: The Online Casino on tonline.casino is UK-focused; however, we will not refuse a legitimate privacy request solely because it references ARCO terminology.

How to Exercise Your Rights (Procedure)

  1. Submit a request: write to our Data Protection Department using the contact routes in the "Complaints & Contacts" section. Include your username, registered email (if any), and the right you wish to exercise.
  2. Verify identity: we may request additional information to confirm you are the account holder. This is a security measure to prevent unauthorised disclosure.
  3. Receive our response: we aim to respond within 30 days. Where requests are complex or numerous, we may extend the period as permitted by law and will inform you of the extension and reasons.
  4. Cost: requests are generally handled free of charge. We may charge a reasonable fee or refuse a request only where it is manifestly unfounded or excessive, as permitted by law.

Operational note: If your account is subject to KYC/AML review (including Source of Funds checks), we may be required to retain and process certain data despite deletion requests, and we may restrict access to specific information to comply with legal obligations.

Cookies & Tracking Technologies

OBSERVE: Cookies and similar technologies are used for login sessions, security, preferences, analytics, and potentially advertising/affiliate tracking. UK compliance requires alignment with UK GDPR and PECR for non-essential cookies/trackers (consent and clear information).

EXPAND: We should distinguish cookie categories and provide user controls (cookie banner/panel, browser settings). Also, third-party cookies and identifiers should be clearly identified as potentially set by analytics/advertising partners, with consent where required.

REFLECT: The Online Casino on tonline.casino uses the following cookie types:

Types of Cookies

  • Strictly necessary (session) cookies: required to operate the website, enable log-in, preserve session state, and support security features.
  • Functional (persistent) cookies: remember choices such as language, display settings, and certain preferences.
  • Analytics cookies: help us understand how users interact with pages and features, so we can improve performance and usability (used subject to consent where required).
  • Advertising/affiliate cookies: measure marketing campaign effectiveness, manage affiliate attribution, and (where enabled) personalise advertising (used subject to consent where required).
  • Third-party cookies: set by service providers integrated into tonline.casino (e.g., analytics and advertising partners), subject to your settings and applicable consent requirements.

How to Manage Cookies

  • Cookie banner / settings panel: use the cookie consent tool on tonline.casino to accept, reject, or customise non-essential cookies where available.
  • Browser controls: you can delete existing cookies and block some or all cookies via your browser settings. Note that blocking strictly necessary cookies may prevent parts of the site (including login and gameplay) from functioning correctly.
  • Marketing choices: where the dashboard provides marketing opt-out controls (as described in the provided data for group marketing), you can update your preferences there to reduce marketing communications.

Data Security

OBSERVE: The provided data indicates SSL encryption and a Sectigo RSA domain validation certificate. The prompt requires a comprehensive set of controls (TLS 1.2+, encryption at rest/in transit, MFA, access controls, audits, training, incident response) and references international standards (ISO 27001, SOC 2) "where applicable."

EXPAND: For legal defensibility, we must describe measures without overstating certification claims (the provided data says no explicit certifications like eCOGRA for fairness; and no explicit ISO/SOC certifications are provided). We can state "where applicable / where implemented" and focus on standard measures expected in regulated gambling environments.

REFLECT: We maintain technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Key Security Measures

  • Encryption in transit: we use HTTPS and industry-standard transport encryption (including TLS 1.2+) to protect data transmitted between your device and our systems.
  • Certificate and site security: the provided data notes a Sectigo RSA domain validation certificate and "standard 128-bit SSL encryption" messaging; we implement current best-practice HTTPS configurations consistent with modern browser and security requirements.
  • Encryption at rest: sensitive data is protected using encryption and/or tokenisation techniques where appropriate, particularly for authentication and security-relevant datasets.
  • Access controls: role-based access, least-privilege principles, logging, and controlled administrative access to systems handling player data.
  • Account protection: measures to reduce account takeover risk, which may include step-up verification and multi-factor authentication (MFA) controls for privileged access and/or where available to users.
  • Security testing and audits: periodic vulnerability assessments, patch management, monitoring, and review of supplier security. Where applicable, we align internal controls to recognised frameworks (e.g., ISO/IEC 27001 or SOC 2 principles), without implying formal certification unless explicitly stated.
  • Staff training: privacy and security awareness training for relevant personnel, with confidentiality obligations.
  • Incident response: documented processes to detect, investigate, contain, and remediate security incidents, including assessment of notification obligations to the ICO and affected individuals where required under UK GDPR.

Important note: No method of transmission or storage is completely secure. You should also protect your account credentials and avoid sharing your password.

Complaints & Contacts

OBSERVE: The prompt requires complaint channels (DPO email/phone, forms, postal) and a step-by-step complaint procedure with response times, plus escalation paths to supervisory authorities including Mexico and EU "where applicable," with direct contact information. The provided data does not include a DPO email/phone or contact form URLs; we must not invent them.

EXPAND: We should provide (a) internal complaint route via postal address, (b) mention that web contact routes may exist on the site but are not specified here, (c) the UK supervisory authority is the Information Commissioner's Office (ICO) with public contact details, (d) Mexico's authority is INAI, and (e) EU authority depends on the member state; provide the EDPB list link as a directory without adding extra sections.

REFLECT: If you have questions, concerns, or a complaint about how The Online Casino on tonline.casino handles personal data, you can contact us and escalate as described below.

How to Contact Us (Privacy)

  • Email (Data Protection): Not specified in the provided data. Any published privacy email will use the @tonline.casino domain.
  • Phone: Not specified in the provided data.
  • Online form: Not specified in the provided data. If a privacy/contact form is available on https://tonline.casino, you may use it and mark the request "Data Protection/Privacy".
  • Post: Data Protection Department, ProgressPlay Limited, Soho Office, 3A, Punchbowl Centre, Elia Zammit Street, St. Julians, STJ3154, Malta

Complaint Handling Procedure

  1. Step 1 - Submit your complaint: include your username, the email associated with your account (if any), a description of the issue, and what outcome you are seeking.
  2. Step 2 - Identity verification: if needed, we will request information to confirm you are the correct account holder.
  3. Step 3 - Investigation: we review relevant logs, account records, and third-party processor involvement (e.g., payment verification) as necessary and lawful.
  4. Step 4 - Response timeframe: we aim to provide a substantive response within 30 days. If additional time is required (complexity/volume), we will inform you and explain the reason.
  5. Step 5 - Resolution and follow-up: we will implement corrective actions where appropriate and confirm closure of the complaint.

Escalation to Supervisory Authorities

  • United Kingdom - Information Commissioner's Office (ICO):
    Website: https://ico.org.uk
    Phone: 0303 123 1113 (UK)
    Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK
  • Mexico - INAI (Instituto Nacional de Transparencia, Acceso a