This Privacy Policy explains how Limbo collects, uses, and protects personal data in connection with its provision of online casino services to players in the United Kingdom. It sets out the data handling practices of the brand, the lawful bases for processing, and the compliance obligations under applicable data protection legislation. This document is intended to provide transparency regarding account management procedures, the types of information processed, and the security measures applied to safeguard personal data. By reading this policy, individuals will understand the scope of data collection, retention rules, and the administrative processes for exercising their rights under UK law.

Data Collection and Categories of Personal Information Processed

Limbo processes several categories of personal data during the lifecycle of a player account. This includes information provided at the point of registration, such as full name, date of birth, residential address, email address, and telephone number. These details are necessary to establish a unique identity and to comply with the age verification requirements mandated by the United Kingdom Gambling Commission.

Identification data is also collected to satisfy anti-money laundering and know-your-customer obligations. This may include copies of government-issued identification documents, proof of address, and financial statements. Where required, biometric data or facial recognition images may be processed for enhanced identity verification. Transactional information is recorded for every deposit, withdrawal, and wagering activity, including amounts, timestamps, payment methods used, and transaction reference numbers.

Technical data is automatically collected when an individual accesses the Limbo website or mobile platform. This includes IP addresses, browser type and version, operating system, device identifiers, and browsing behaviour such as pages viewed and session duration. Compliance-related records are maintained for all interactions with customer support, including correspondence, complaint logs, and any disputes processed. Additionally, records of gambling activity, including play on Limbo 2 slots, are stored for responsible gambling monitoring and regulatory reporting.

Data from third-party sources may be received, such as credit reference agencies, fraud prevention databases, and payment service providers. This supplementary information is used to verify the accuracy of the data provided and to assess financial risk. All categories of data are processed strictly in accordance with the principles of lawfulness, fairness, and transparency as defined under the UK General Data Protection Regulation and the Data Protection Act 2018.

Data Usage and Legal Grounds for Processing

Personal data is used for a range of administrative and operational purposes. The primary use is to establish and manage player accounts, process transactions, and verify identity. Data is also used to detect, investigate, and prevent fraudulent activity, money laundering, and problem gambling. Limbo relies on specific legal bases for each processing activity, as required by UK data protection law.

Consent is relied upon for certain processing activities, such as the receipt of promotional communications and the use of non-essential cookies. Where consent is the lawful basis, individuals have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. For essential account operations, the legal basis is contractual performance. This includes the processing of data necessary to register an account, execute deposits and withdrawals, and facilitate gameplay, including participation in Limbo leovegas promotions.

Legal obligation forms the basis for processing related to regulatory compliance. Limbo is required by the United Kingdom Gambling Commission to verify player age, conduct anti-money laundering checks, and report suspicious transactions. Data is also processed to comply with tax reporting obligations and to respond to lawful requests from law enforcement or regulatory bodies. Legitimate interest is invoked for anonymised analytics, security monitoring, and fraud prevention, provided that the data usage is proportionate and does not override individual rights.

Data may be used to assess eligibility for free-to-play trial versions, such as Limbo slot free play features, where no monetary stake is involved. In these cases, processing is limited to what is necessary for the trial environment. For real-money play, data is processed to confirm sufficient funds, authorise transactions, and record outcomes. The legal basis for such processing remains contractual performance or legitimate interest, depending on the specific function.

  • Account registration and maintenance: contractual necessity
  • Identity verification: legal obligation
  • Transaction processing: contractual necessity
  • Fraud detection and security: legitimate interest
  • Promotional communications: consent
  • Regulatory reporting: legal obligation

Data Storage, Security Controls, and Retention Periods

All personal data processed by Limbo is stored on secure servers located within the European Economic Area or in jurisdictions that have been deemed adequate by the UK Secretary of State. Data is encrypted in transit using Transport Layer Security protocols and at rest using AES-256 encryption. Access to personal data is restricted to authorised personnel who require the information to perform their duties, with strict role-based access controls and audit logging enforced.

Security measures include firewalls, intrusion detection systems, and regular vulnerability assessments. Where personal data is shared with third-party processors, contractual agreements are in place to ensure equivalent levels of protection. Processors are required to implement technical and organisational measures commensurate with the risk of the processing activity. The brand does not use the term "secure" as a claim but maintains these controls as a matter of administrative standard.

Retention periods are determined by the purpose for which data was collected and by legal obligations. Account data, including identification documents and transaction records, is retained for the duration of the account and for a period of six years following account closure. This duration satisfies the record-keeping requirements under UK anti-money laundering regulations and tax laws. Data related to responsible gambling interactions, including self-exclusion requests, is retained indefinitely or until the individual requests erasure, subject to legal limits.

Technical data, such as IP logs and browsing history, is retained for a maximum of twelve months unless required for an ongoing investigation. Data collected for marketing purposes is kept until consent is withdrawn or until the account is closed. Upon expiry of the relevant retention period, data is either deleted permanently or anonymised for statistical purposes. Archival procedures are documented and executed in accordance with the Limbo data retention schedule. Where a player chooses to play Limbo for real money, transaction records are fully retained for the statutory period to ensure audit trail integrity.

Data Category | Retention Period | Legal Basis for Retention
Registration and identification data | Duration of account plus 6 years | Anti-money laundering regulations
Transaction records | 6 years after account closure | Tax and financial audit requirements
Technical logs and IP data | 12 months | Legitimate interest (security)
Marketing consent records | Until consent withdrawal or account closure | Consent
Self-exclusion data | Indefinite or until legal erasure | Legal obligation

Player Data Rights and Access Request Procedures

Under UK data protection law, individuals have specific rights regarding their personal data. These include the right to obtain confirmation of whether data is being processed and to request access to a copy of that data. Individuals may also request rectification of inaccurate or incomplete data. The right to erasure, commonly known as the right to be forgotten, applies in circumstances where data is no longer necessary for the purpose for which it was collected, or where consent has been withdrawn and no other legal basis exists.

Players may request restriction of processing where the accuracy of data is contested, or where processing is unlawful and the individual opposes erasure. The right to object to processing is available when processing is based on legitimate interests or direct marketing. Where technically feasible, individuals may request data portability to transfer their data to another service provider. This right applies only to data processed by automated means and based on consent or contract.

All requests to exercise data rights must be submitted in writing to the Limbo data protection officer. To prevent unauthorised disclosure, the brand requires identity verification before processing any request. Verification typically involves matching information on file, such as name, address, and date of birth, and may include a request for a copy of a valid photo identification document. Additional verification steps may be required for complex requests or where fraud risk is elevated.

Limbo will respond to valid requests within one month, as specified by the UK General Data Protection Regulation. This period may be extended by two additional months for complex or multiple requests, and the individual will be informed of any such extension within the initial month. A reasonable fee may be charged for requests that are manifestly unfounded or excessive, particularly if a request for access is repetitive. The brand will provide a clear explanation for any refusal to act on a request, along with information on the right to lodge a complaint with the Information Commissioner's Office.

Individuals who wish to exercise these rights should contact the data protection officer at the registered address of the casino operator. Responses to requests will be provided in a structured, commonly used, and machine-readable format where appropriate. Limbo does not use automated decision-making that produces legal effects concerning players without human review. Any concerns regarding data handling practices should be directed to the supervisory authority in the United Kingdom.