Richard Casino Privacy Policy

This document tells Australian players what we do with personal information at Richard Casino. We have written it against the Australian Privacy Principles (APP 1–13) under the Privacy Act 1988 (Cth) and matched each section to the principle it satisfies. If something here conflicts with the Act for AU residents, the Act wins.

Operator: Hollycorn N.V., licensed by the Government of Curaçao (licence 8048/JAZ2019-015). Effective: 7 May 2026. Owner of this notice for AU enquiries: [email protected].

How This Policy Maps to the APPs (APP 1)

Every section heading below carries the relevant APP number in brackets. APP 1 requires that we publish a policy that is clear, current and accessible — that is what this page does. We update it whenever a sub-processor, retention rule or data category changes, and we date-stamp each revision at the top.

If you only have two minutes: we collect what KYC, anti-fraud and gameplay require; we store it on EU servers with named sub-processors; we keep KYC records for seven years after account closure to mirror AUSTRAC's record-keeping window; you can ask for access, correction or deletion via the inbox above.

Anonymous and Pseudonymous Use (APP 2)

You can browse our marketing pages, read this policy, contact support with general questions and view game demos without an account. The moment a deposit, withdrawal or real-money round of pokies is involved, anonymous use stops being possible — anti-money-laundering rules force us to identify the player. We do not run shadow profiles for anonymous browsers beyond standard analytics cookies, which the Cookies Policy covers in full.

What We Collect (APP 3 — Solicited Information)

The categories below are everything we ask for. We do not collect health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation or biometric templates — nothing in the sensitive-information bucket under section 6 of the Act.

  • Identity: full name, date of birth, residential address, AU mobile number, email.
  • KYC documents: driver's licence (both sides) or passport bio page; Medicare card optional as a second ID; recent utility bill or bank statement < 90 days old for proof of address.
  • Financial: last 4 digits of a card, BSB + last 3 digits of an account, PayID handle, e-wallet email. We never see your full card number — that goes straight to our PCI-DSS-certified payment processor.
  • Gameplay: stakes, sessions, RTP outcomes, time stamps, IP, device fingerprint hash, language/timezone.
  • Support: live-chat transcripts, email threads, screenshots you upload to dispute a hand or a withdrawal.

Information We Do Not Solicit But Receive (APP 4)

If you upload a document we did not request — a passport when we only needed a licence, for example — we treat the surplus the same way as solicited data, then destroy or de-identify what was not needed within 30 days unless an investigation is open. We will tell you what was extra and why we removed it.

Notification at Collection (APP 5)

The first time we collect identity data — at account opening — the registration form links here, names [email protected], lists the purposes (account, payments, KYC, AML, marketing if opted in) and confirms that some data leaves Australia for storage and processing. KYC uploads display a second short notice naming the verification sub-processor before the file leaves your device.

Use and Disclosure (APP 6)

We use personal information for the primary purpose it was collected: running your account, processing AU$ deposits and withdrawals, paying bonuses, responding to support, meeting AML/KYC obligations and defending against fraud. Secondary uses — product analytics, marketing, suppression-list testing — happen only with consent or where the Act allows.

We disclose to: payment processors (PayID via NPP; card acquirers; e-wallets), the KYC verification provider, AUSTRAC and the Curaçao Gaming Control Board on lawful request, and our hosting and analytics sub-processors. None of these parties may use the data for their own marketing.

Direct Marketing (APP 7)

By default a new account is opted out of marketing email and SMS. If you opt in during signup or in your account settings, every message carries a one-click unsubscribe and the equivalent SMS opt-out word ("STOP"). We do not buy or rent third-party lists. Once you opt out, the suppression record stays in place even after account closure — which is the Spam Act 2003 and APP 7 working together.

Cross-Border Disclosure (APP 8)

Account, gameplay and KYC data is hosted on encrypted servers inside the European Economic Area, primarily in Frankfurt and Amsterdam. Curaçao receives a regulatory feed only; no full KYC images leave the EU cluster except in response to a documented regulator request. Sub-processor categories: cloud hosting, KYC verification, payments, fraud-screening, analytics. The full named list is available on request to [email protected] because vendors change and a hard-coded list goes stale.

Where APP 8.1 applies, we take reasonable steps to ensure the recipient handles the data consistently with the APPs. Where you have given consent under APP 8.2 with the required notice, we rely on that.

Government-Related Identifiers (APP 9)

We collect AU driver's licence and passport numbers, plus optional Medicare card numbers, only for KYC. We do not adopt these as our internal account identifier; your account ID is a randomly generated string. We do not disclose government identifiers except to the KYC provider, to AUSTRAC on lawful request, or under a court order.

Data Quality (APP 10)

You can edit name, address, phone and email from your account. If you change your legal name, upload a marriage certificate or change-of-name certificate so the KYC chain stays intact — payouts default to the verified name on the account. Quarterly we run automated checks on stale addresses; if email bounces twice or SMS fails three times, we pause marketing and flag the account for re-verification on the next login.

Security (APP 11)

TLS 1.3 in transit. AES-256 at rest. KYC images encrypted with per-record keys. Production access is least-privilege, MFA-protected, and every privileged action is logged for 24 months. Pen-tests run twice a year by an external firm; the latest summary is available on request. If a notifiable data breach occurs, we follow the OAIC's NDB scheme: contain, assess within 30 days, notify the OAIC and affected individuals as required.

Retention: account and gameplay data while the account is active, plus seven years after closure to mirror AUSTRAC's record-keeping period. Marketing suppression records: indefinite. Support transcripts: two years. CCTV (live dealer studios, third-party): per the studio's policy.

Access (APP 12)

Email [email protected] from your registered address with the subject "APP 12 access request". We respond within 30 days. The first export per calendar year is free; later exports in the same year carry a small admin fee that we will quote before you proceed. We may withhold material that would identify another person, prejudice an investigation, or breach a court order — we will say which exception we are using.

Correction (APP 13)

If something is wrong, tell us and we fix it inside 30 days. If we disagree with a correction request, we will say why and you can ask us to attach a statement to your record noting the dispute. Correction is free.

Children

Our service is 18+. We screen at registration; if a minor's account is suspected, we freeze it, hold any balance and pursue refunds to the funding source after verification of the parent or guardian.

Specific Sub-Processor Categories

For full transparency, the categories of third parties currently processing AU player data: cloud hosting (EEA-based, primarily Frankfurt and Amsterdam), KYC verification provider (UK-based, ISO 27001 certified), payment processors and fraud-screening (PCI-DSS Level 1), email and SMS dispatch (one provider for each), live-chat platform (US-based, GDPR-compliant), and analytics (Google Analytics 4 in privacy mode). The exact named vendors change as contracts rotate; the live list is available on request from [email protected].

Complaints, Contact and Updates

If you think we have mishandled your information, write to [email protected] first. We acknowledge inside 5 business days and aim to resolve in 30. Unhappy with our response? You can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au — there is no fee.

This policy may change. Substantive changes are flagged at login for 14 days; minor edits are date-stamped at the top.