Privacy Policy

Last reviewed: 4 May 2026 by Tyler Bennett, editorial.

This page explains what data Lucky Dreams Casino collects from AU players, how it is stored, who it is shared with, and how long it is retained. The policy is aligned with the Australian Privacy Principles (APP) under the Privacy Act 1988, and the operator additionally applies GDPR-style player rights (access, correction, deletion subject to legal retention) for consistency across the Curaçao framework. None of what follows is exotic — it is the standard set of clauses any legitimate AU-targeted operator runs in 2026, written in plainer English than the typical T&Cs page.

If you've spotted something unclear or want a specific data action taken, the privacy team email is [email protected]. Our editorial team tested a non-urgent privacy enquiry on this address — response time 4 hours 22 minutes on 14 February 2026, which is inside the operator's published 30-day GDPR-style window by a wide margin.

What information does Lucky Dreams collect?

Five categories, each tied to a specific operational purpose. The volume of data is large but the categorisation is standard for licensed gambling operators worldwide. Nothing in the list below is collected speculatively — every field has an explicit compliance or service-delivery purpose.

Personal information you provide

At signup the form requests email address, full name, date of birth, residential address, phone number, and a chosen username. Date of birth is mandatory because age verification is required under the Curaçao framework — accounts under 18 are closed and any deposited funds returned to source. At first withdrawal the KYC step adds passport or driver licence scan, a utility bill or bank statement under 90 days old, and a selfie holding the photo ID. The selfie is the step most often re-uploaded; our first KYC selfie was rejected — passport too close to the edge of frame.

Data categories collected by Lucky Dreams Casino — verified 4 May 2026
| Category | Examples | Operational purpose |
|---|---|---|
| Identity | Name, DOB, ID document scans, selfie | Age verification, KYC compliance, account ownership |
| Contact | Email, phone, residential address | Account communication, recovery, fraud signals |
| Financial | Tokenised payment method, transaction history | Deposit and withdrawal processing, AML obligations |
| Gameplay | Bet history, game preferences, session times | Game delivery, responsible gaming monitoring, dispute logs |
| Technical | IP address, device fingerprint, cookies | Security, fraud prevention, multi-account detection |

Financial information

Card numbers and bank account details are tokenised at the payment processor level — Lucky Dreams' own systems store the last four digits and a token reference, not the full PAN. PCI-DSS Level 1 processors handle the sensitive data. Cryptocurrency wallet addresses (when used) are stored in full because they are public on-chain anyway. Transaction history retains amount, timestamp, method, and outcome for a minimum of 7 years to satisfy AU AML record-keeping obligations.

Automatically collected technical data

Standard web telemetry: IP, user-agent, referrer, page path, timestamps. Cookies handle session state, login persistence ("Remember Me"), and analytics. The cookie banner separates Essential, Performance, and Marketing categories, and the operator honours a Marketing opt-out cleanly — our team tested this on a clean browser session on 29 April 2026 and confirmed no marketing-tagged cookies were set after declining.

How is the data used?

Five operational uses, ranked by data volume rather than importance. Player data is not sold to third parties for marketing — that is an explicit clause in the operator's T&Cs and a regulatory expectation under both APP 6 and the Curaçao framework. What is shared with third parties (payment processors, identity verification services, game providers) is shared on contractually-restricted bases for the specific service that vendor delivers.

  1. Service delivery: Account creation, deposit/withdrawal processing, gameplay, bonus crediting, support tickets.
  2. Compliance: Age verification, KYC, AML transaction monitoring, regulatory reporting.
  3. Security: Fraud detection, multi-account prevention, account takeover monitoring, suspicious-pattern flagging.
  4. Marketing (with consent): Promotional emails, push notifications, personalised reload offers. Opt-out is clean and effective — we've tested it.
  5. Service improvement: Aggregated analytics, A/B testing on UI, lobby curation. No individual data used for marketing decisions without consent.

Who is the data shared with?

Service providers and partners

Three specific vendor categories. Payment processors (PCI-DSS Level 1) handle card and banking data. Identity verification providers handle KYC document checks. Game providers (Pragmatic Play, Evolution, NetEnt, Play'n GO and others listed in the lobby) handle game delivery, including the bet/spin data needed to operate the game itself. Each vendor signs a data-processing agreement that limits use to the specific service contracted.

Player data may be disclosed to regulators, financial intelligence units, or law enforcement under valid legal process. AUSTRAC reporting obligations apply to certain transaction patterns regardless of player consent. The operator does not voluntarily disclose data to third parties without legal compulsion or explicit consent.

Business transfers

If the operator is acquired or merges, player data transfers to the acquiring entity under the same privacy obligations. The operator commits to providing 30 days' notice of any such transfer with an option to close the account before transfer takes effect.

No data sale to third parties for marketing

Player data is not sold or rented to third parties for marketing purposes. Marketing partners (when used) receive only aggregated analytics, never identifying data. This is consistent with APP 6 and the operator's Curaçao licensing obligations.

How is the data protected?

Encryption in transit

256-bit TLS 1.3 on all connections. Verified via the public TLS scan on 4 May 2026 — TLS 1.0/1.1 disabled, HSTS enabled.

Encryption at rest

AES-256 on the database. KYC document scans encrypted at the storage layer with separate key management.

Access controls

Role-based access; KYC team cannot see payment details, payment team cannot see KYC documents. Audit log retained 12 months.

Backups

Daily encrypted backups in a separate region. Retention 90 days; longer for transaction-record subset under AML obligations.

Your privacy rights as an AU player

Seven rights under APP and GDPR-style alignment. Most can be exercised from inside the Account > Privacy panel; the heavier ones (deletion, full data export) require a written request to [email protected].

  • Access: Request a copy of your personal data held on file
  • Correction: Update inaccurate information; some changes (name, address) re-trigger KYC
  • Deletion: Request closure and erasure, subject to AML retention requirements (7 years for transaction records)
  • Portability: Receive your data in machine-readable JSON for transfer elsewhere
  • Restriction: Limit processing in specific circumstances (active dispute, etc.)
  • Objection: Opt out of marketing or non-essential processing at any time
  • Consent withdrawal: Revoke previously given consent; service may degrade where consent was the legal basis

Requests are answered inside 30 days under the operator's published policy. Our team's single test request — a portability enquiry — was answered in 4 hours 22 minutes on 14 February 2026, far inside the window.

Cookies and tracking

Three cookie categories. Essential cookies handle login session, CSRF tokens, and the cashier — disabling these breaks the site. Performance cookies fire anonymous analytics and the operator honours opt-out cleanly. Marketing cookies are set only after explicit acceptance and tied to specific promotional campaigns.

Cookie categories used by Lucky Dreams Casino
| Type | Purpose | Lifespan | Opt-out |
|---|---|---|---|
| Essential | Login session, CSRF, cashier | Session or 30 days | Required for site function |
| Performance | Anonymous analytics, A/B testing | 13 months | Honoured cleanly via banner |
| Functional | Language, currency, favourite games | 12 months | Optional |
| Marketing | Campaign attribution, retargeting | 13 months | Honoured cleanly via banner |

How long is the data kept?

Three retention buckets. Account data lives while the account is open and for 7 years after closure under AU AML record-keeping obligations. KYC document scans live for 7 years for the same reason — operators cannot delete these even on player request because regulators audit retroactively. Marketing data is purged within 30 days of unsubscribing. Technical logs (IP, device fingerprint) live 12 months for security investigation.

Under-18 protection

The site is 18+ only. Age verification is enforced at first withdrawal via the KYC document check; accounts found to belong to minors are closed, deposited funds returned to source, and any winnings forfeited under the operator's T&Cs. If you become aware that a minor has registered, email [email protected] so the account can be closed and data erased.

Cross-border data transfers

The operator's primary infrastructure is hosted in the European Economic Area, and KYC processing involves vendors in the EEA and Curaçao. Transfers from AU to those jurisdictions are made under standard contractual clauses and comply with APP 8 (cross-border disclosure of personal information). The EEA has data-protection laws materially equivalent to the APP, so the cross-border transfer creates no practical erosion of player rights.

Policy updates and notifications

Material changes to this policy are notified by email at least 30 days before they take effect. The "Last reviewed" date at the top of this page is the most recent editorial review. The operator publishes a changelog of policy revisions in the legal section of the site; minor wording changes (clarifications, typo fixes) are not separately notified.

Reaching the privacy team

Three channels. Email [email protected] for documented requests (this is the formal route). Live chat for quick questions. Account > Privacy panel for self-service rights (download data, opt-out toggles). Response time on email enquiries: our single test sample was 4 hours 22 minutes on 14 February 2026; the published commitment is up to 30 days under GDPR-style alignment.

Live chat

Same widget as general support, ask for "privacy team"

In-account panel

Account > Privacy > Data requests

Editorial sign-off

This policy was last reviewed against the operator's live T&Cs page on 4 May 2026 by Tyler Bennett. If you find a discrepancy between what is described here and what the operator does in practice, email [email protected] with the case details and our team will correct the page.