Privacy Policy

Last updated: 26 April 2026 · Effective from: 15 January 2026

This Privacy Policy explains how Fortunica Casino UK ("we", "us", "our") handles personal data when you visit fortunicacasinouk.co.uk. We are an independent online casino review website serving British players — not a gambling operator, payment provider or licensee. We do not run games, accept stakes or hold player funds. Everything below applies to information we receive when you read our reviews, fill in our contact form or click through one of our affiliate links.

The data controller for the purposes of UK GDPR and the Data Protection Act 2018 is Fortunica Casino UK. For any privacy-related question, write to [email protected]. We aim to acknowledge any request within 72 hours and reply substantively within 30 days, in line with UK GDPR Article 12.

1. Data we collect

1.1 Information you give us directly

When you write to us through the contact form (/contact-us) we collect the name you supply, your email address, the subject category you select and the body of your message. That is it. We do not ask for your address, date of birth, payment details, casino account credentials, copies of ID documents or anything that would let us impersonate you with a casino. If you accidentally include sensitive information in a free-text message, we redact it on receipt.

1.2 Information collected automatically

Like most websites, we collect a small amount of technical information every time a page loads. The list is short and there are no surprises in it. Your IP address is logged for roughly 90 days for security and abuse prevention — DDoS mitigation, blocking obvious scrapers, that kind of thing. The first three octets are kept; the final octet is hashed within 24 hours so the stored value cannot be linked back to a single household.

We also receive your browser's User-Agent string (which tells us whether to serve mobile or desktop layouts), the operating system family, the screen resolution range, the URL you arrived from, the pages you opened on our site and the rough length of each visit. None of this is matched to your name unless you have already written to us.

1.3 Cookies and similar technologies

We use a small number of first-party cookies and four third-party services that may set their own cookies. The full list — names, providers, retention periods — lives on our Cookie Policy page. The short version: a session cookie keeps the site working, a consent cookie remembers what you ticked on the banner, Google Analytics 4 tracks aggregate behaviour, Cloudflare protects us from bots, and our affiliate partners drop a click-tracking cookie when you press a "play" or "claim bonus" button. You can refuse the optional categories at any time through the cookie banner.

2. Why we process your data

Each piece of data we hold has a defined purpose. We do not collect "just in case".

Service delivery — loading the site, remembering your preferences, keeping the casino review pages and the promotions page live and responsive.
Analytics — anonymous, aggregated traffic data via Google Analytics 4 helps us see which casino reviews actually get read to the end and which sections lose people halfway. Oliver and the editorial team use those reports to decide what to update next.
Affiliate attribution — when you click a tracked button to a casino, the partner network registers the referral. We have no visibility into your subsequent activity at the casino — no balance, no stakes, no winnings, no losses.
Security — keeping the site reachable, blocking automated abuse, recording attack signatures.
Communication — responding to you when you contact us through the form or by email.
Compliance — keeping records that we may be obliged to retain for tax, advertising-standards or other legal reasons.

3. Legal basis under UK GDPR

UK GDPR requires us to identify a lawful basis for every processing activity (Article 6). Here is what we rely on for each category.

Consent (Article 6(1)(a)) — for analytics cookies, advertising-related cookies and any future marketing communication. You give consent through the cookie banner and you can withdraw it at any time without affecting prior lawful processing.
Legitimate interest (Article 6(1)(f)) — for site security, fraud prevention, basic server logs and aggregate analytics where consent has been given. Our legitimate interest is keeping a free editorial service online and useful. We have run a balancing test and concluded this processing is proportionate and expected.
Contract (Article 6(1)(b)) — when you message us, we need to process your contact details to reply. Without that data we cannot answer you.
Legal obligation (Article 6(1)(c)) — for retaining records that HMRC, the ICO or the Advertising Standards Authority might ask for in the relevant retention windows.

We do not sell personal data. We never have. Our affiliate revenue model means selling data would actively undermine our business — readers who feel sold to do not return. The list below is exhaustive; if a name is not on it, we are not sharing your data with that company.

Google LLC (Google Analytics 4) — pseudonymised event data with IP-anonymisation enabled. Transfer to the United States is covered by the UK-US Data Bridge (an extension of the EU-US Data Privacy Framework) plus our own Standard Contractual Clauses where the Bridge does not apply.
Cloudflare, Inc. — edge security and CDN. Cloudflare processes connection metadata (IP, request headers) for the seconds it takes to deliver each request. UK IDTA in place.
Affiliate networks (the operator's own affiliate platform or third-party networks such as Income Access or NetRefer) — receives a click identifier when you press a tracked button. No name, no email.
Our hosting provider (located inside the UK / EEA) — operates the servers; sees standard server logs only.
Email provider — when you write to us, the message passes through a business email service. Stored in encrypted form on the provider's UK infrastructure.

We do not pass your data to the casinos we review. If you sign up at a casino after clicking through, the casino collects your registration details directly under its own privacy policy.

5. International data transfers

Some of our processors (Google in particular) store data outside the UK. Where data leaves the UK, we rely on one of the following safeguards: an adequacy regulation made by the UK Government (e.g. for EEA countries), the UK-US Data Bridge for transfers to certified US recipients, or the UK International Data Transfer Agreement (IDTA) where neither of the first two applies. Copies of the relevant safeguards are available on request to [email protected].

6. How long we keep things

Specific retention periods, not vague "as long as needed" language.

Contact form submissions — 12 months from last correspondence, then deleted from the inbox and archive.
Server logs — 90 days, then overwritten.
Google Analytics 4 user-level data — 14 months (the platform default we have selected).
Affiliate tracking cookies — typically 30 to 90 days depending on the partner network. Set on your device, not on our server.
Records retained under tax law (e.g. invoices) — 6 years from the end of the relevant accounting period.
Records retained under the CAP Code / ASA rules — 3 years.

7. Your rights under UK GDPR

You have the following rights, free of charge, exercisable by emailing [email protected]. We will reply within 30 days and may extend that by a further two months if the request is unusually complex (we will tell you why).

Right of access (Article 15) — ask us for a copy of any personal data we hold on you. We will provide it in a clear, readable format.
Right to rectification (Article 16) — ask us to correct anything inaccurate or incomplete.
Right to erasure (Article 17) — ask us to delete your data. We will, unless a legal basis requires us to keep it (e.g. ongoing tax records).
Right to restriction (Article 18) — ask us to pause processing while a dispute over accuracy or lawfulness is resolved.
Right to data portability (Article 20) — receive your data in a structured, machine-readable format (JSON or CSV).
Right to object (Article 21) — object to processing based on legitimate interest.
Right to withdraw consent — the cookie banner has a "manage preferences" link that lets you reverse a previous choice in seconds.
Right to complain to the ICO — if you are unhappy with how we have handled a request, you can complain to the Information Commissioner's Office at ico.org.uk or call 0303 123 1113. We would prefer a chance to fix things first, but the ICO route is always open.

To exercise any right we may need to verify it is really you asking — usually a reply from the email address you previously used to contact us is enough. We will not ask for ID copies for routine requests.

8. How we protect your data

The website runs entirely over HTTPS using TLS 1.3. The certificate is renewed automatically and the private key never leaves the server. Administrative access to the CMS requires two-factor authentication for every editor — including Oliver. Editorial and admin accounts are scoped: a writer cannot read raw server logs, an admin cannot read someone's draft email replies. Backups are encrypted at rest with AES-256 and stored in a separate region from the production server.

No system is unbreakable, and we will not pretend otherwise. If a personal data breach occurs that is likely to cause risk to your rights, we will notify the ICO within 72 hours of becoming aware (UK GDPR Article 33) and tell you directly without undue delay (Article 34) using the email you supplied or, where that is not possible, a public notice on this site.

9. Children

This is a UK gambling-information site. Nothing on it is intended for under-18s. We do not knowingly collect data from anyone under 18, and the site itself is gated by a 18+ notice. If a parent or guardian believes a child has submitted information to us, please email [email protected] and we will delete the record.

10. Changes to this policy

We update this policy when something material changes — new processor, new cookie, change of legal basis, change of retention period. The "Last updated" date at the top of this page is the simplest signal; substantial changes are also flagged on the homepage for two weeks. Continuing to use the site after a change means you accept the updated policy.

11. Contact

Privacy questions: [email protected]
General enquiries: see our Contact Us page
ICO (UK supervisory authority): ico.org.uk / 0303 123 1113

For more on how cookies work specifically, see the Cookie Policy. For information about how we generate revenue and what that means for our editorial choices, the Affiliate Disclosure page covers it in plain English.