Last updated: 15 May 2026
This Privacy Policy explains how Irwin Casino collects, uses, stores and protects the personal information of players in Canada. It is written to align with the PIPEDA, the Quebec Act respecting the protection of personal information in the private sector (commonly called Loi 25), the British Columbia and Alberta Personal Information Protection Acts (PIPA BC and PIPA AB), and the licensing requirements of the Curaçao Gaming Control Board. By using the Irwin Casino website, mobile site or apps, you confirm that you have read and understood how we handle your information.
This Policy applies to all personal information processed in connection with the Irwin Casino brand, including the website at irwincasino.com and any official mobile applications, customer-support channels and marketing communications operated under the Irwin brand. It covers Canada-resident players and anyone who interacts with the brand from Canada. By creating an Irwin account, depositing funds or otherwise using our services, you agree to the practices described below. For information about how cookies and similar technologies are used, please also read our Cookies Policy. For the broader contract that governs your use of the site, see our Terms and Conditions.
The legal entity responsible for processing your personal information under this Policy is:
| Legal entity | Galaktika N.V. |
|---|---|
| Registration number | 140803 |
| Registered address | [INSERT_REGISTERED_ADDRESS], Curaçao |
| Regulator | Curaçao Gaming Control Board |
| Licence number | OGL/2024/169/0146 |
| Data Protection Officer | [email protected] |
We collect only the personal information we need to operate a regulated gambling service, to comply with applicable law, and to provide you with a safe and personalised experience. Categories are grouped below.
Your name, date of birth, government-issued identification (passport, driver's licence, provincial ID), and a photo selfie used for liveness checks during KYC. We do not request your Social Insurance Number unless a specific legal obligation requires it (for example, narrow tax-reporting use cases).
Email address, mobile telephone number, postal address, and your preferred contact language. We use these to authenticate you, deliver service messages and — only with your consent — to send marketing communications under the CASL framework.
Deposits, withdrawals, payment-method tokens, transaction history, Interac e-Transfer reference data, and cryptocurrency wallet addresses where applicable. We do not store full card numbers on our systems; full card data is handled by PCI-DSS-certified payment processors and only the masked reference is retained with your account.
Bets and wagers, game choices, session length, win/loss history, bonus participation, and your use of responsible-gaming tools (deposit limits, time-outs, self-exclusion). This information helps us deliver a relevant product and meet our regulatory obligations around player protection.
IP address, device identifier, browser type and version, operating system, time-zone, screen resolution, province-level geolocation, and cookies. See our Cookies Policy for granular detail.
Your opt-in status, preferred channels (email, SMS, push), and your response history to past communications. Marketing is sent only after express consent under CASL and can be withdrawn at any time using the unsubscribe link in every message or your account preferences.
We collect personal information in three ways:
PIPEDA does not use the same legal-basis language as the European GDPR, but it does require that processing be reasonable, transparent and consented to. Quebec residents have additional rights under Loi 25, which requires express consent for certain sensitive uses of personal information. The table below maps how we justify each processing activity.
| Activity | Basis |
|---|---|
| Account creation & service delivery | Performance of contract |
| KYC / AML checks | Legal obligation (PCMLTFA + licensing rules) |
| Fraud prevention & account security | Legitimate interest of the operator and players |
| Marketing communications | Express consent (CASL); withdrawable at any time |
| Sensitive processing for QC residents | Express consent under Loi 25 |
| Regulatory reporting | Legal obligation |
We use the personal information described above for the following purposes:
Irwin is operated from outside Canada. As a result, your personal information may be hosted in or transferred to data centres in the European Union (primary) and Curaçao (disaster-recovery backup), with selected processors located in the United Kingdom, the United States and other jurisdictions in line with the recipient table above. Where we transfer personal information out of Canada, we put contractual safeguards in place, encrypt data in transit, and require recipients to provide a level of protection comparable to PIPEDA. Hosting outside Canada means that data may be subject to lawful access by authorities in those jurisdictions.
We keep personal information only as long as we need it for the purposes it was collected for or as long as we are legally required to. The table below sets the baseline; longer retention may apply where dictated by law, regulatory request or an active dispute.
| Data type | Retention | Reason |
|---|---|---|
| KYC documents & account records | 5 years after account closure | PCMLTFA / FINTRAC requirement |
| Transaction history | 5 years from transaction date | AML and accounting |
| Communications & support tickets | 3 years from last contact | Dispute resolution and quality |
| Marketing preferences & opt-out logs | Until consent withdrawn + 1 year | Compliance with CASL |
| Server / security logs | 12 months | Security and fraud forensics |
| Self-exclusion records | For the duration of the exclusion + 5 years | Enforcement of responsible-gaming commitments |
We use a layered set of controls to protect personal information against loss, theft and unauthorised access. While no online system can be guaranteed free from breach, the measures we implement are aligned with industry best practice for regulated gambling operators.
PIPEDA codifies ten "fair-information principles" that frame your rights and our obligations. They are:
If you reside in Quebec, you also benefit from rights under the provincial Act respecting the protection of personal information in the private sector (commonly called Loi 25), including:
If you reside in British Columbia or Alberta, the provincial Personal Information Protection Acts may apply alongside PIPEDA. Your rights of access and correction closely mirror those described above, with the relevant Information and Privacy Commissioner serving as your provincial regulator.
You can exercise any of the rights described above by emailing [email protected] from the email address registered with your Irwin account. To protect your privacy, we will ask you to confirm your identity before we disclose any personal information. We respond within 30 days, which is the standard timeline under PIPEDA. In limited cases, where the request is unusually complex or requires extensive review, we may extend the period and will notify you of the reason.
Irwin Casino is intended only for adults of legal gambling age in their province (19+ in most of Canada; 18+ in Alberta, Manitoba and Quebec). We do not knowingly collect personal information from minors. If we discover that a minor has registered or attempted to register, we will close the account, delete or restrict the data subject to mandatory retention obligations, and return any deposited funds to the original payment method after standard checks.
We may update this Policy from time to time to reflect changes in our practices, technology or legal requirements. The "Last updated" date at the top of the page shows when the document was last revised. Where changes are material — for example, where we introduce a new processing purpose — we will notify you by email and through an in-account banner before the change takes effect. Continuing to use Irwin after a change means you accept the updated Policy.
If you have questions about this Policy or how we handle your personal information, please contact our Data Protection Officer at [email protected]. We will do our best to resolve any concern directly. For broader account questions, visit our Contacts page.
If you remain unhappy with our response, you have the right to lodge a complaint with the appropriate regulator:
Retention varies by data type — see Section 9 above. Identification and transaction records are kept for at least 5 years after account closure to satisfy our obligations under PCMLTFA. Marketing data is kept until you withdraw consent, plus one year for the unsubscribe audit trail.
Yes. Email [email protected] from your registered address. We will verify your identity and respond within 30 days. Larger requests may take longer; we will tell you in advance if that is the case.
No. Irwin Casino does not sell personal information. We share it only with the processors, regulators and advisers listed in Section 7, and only under written data-processing agreements.
Primary hosting is in the European Union, with disaster-recovery backup in Curaçao. Some processors are located in the UK and the US. All cross-border transfers use contractual safeguards and encryption.
Email [email protected] with the request. We will delete personal information unless retention is legally required (for example, 5 years for AML records). We will explain which categories remain and why.
Quebec residents benefit from the additional rights provided by Loi 25, including data portability, the right to be forgotten in qualifying circumstances, the right to information about automated decision-making, and a requirement of express consent for sensitive processing.