Researcher and Associate Professor at CQUniversity, specialising in gambling behaviour and iGaming
I’ve spent the better part of a decade reviewing online casinos from a research perspective, and I’ll say this plainly — the privacy policy page is the one most Australian players skip entirely. They scroll straight to the bonuses, deposit A$50, and never once wonder who’s holding their passport scan. That’s a problem. After spending time inside the 21Bit Casino platform and going through its data handling framework carefully, I want to lay out exactly what this policy contains, what it means for you as an Australian user, and where you should pay attention.
Who is behind 21Bit Casino and why does it matter for privacy
21Bit Casino is operated under a Curaçao gaming licence, which is a common jurisdiction for internationally accessible online casinos. The operator collects and processes personal data as part of running a regulated gambling service. For Australian players, this means your data is handled by a company incorporated outside Australia — and that distinction has real implications under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Under APP 8, when an Australian entity (or a foreign one targeting Australians) sends personal information overseas, it must take reasonable steps to ensure the overseas recipient handles it with equivalent protections. Knowing this framework helps you understand what 21Bit Casino is legally expected to provide — and what you can demand if something goes wrong.
What data 21Bit Casino collects about you
The platform collects several categories of information, not all of which are obvious. From registration through to every spin and withdrawal, here is what flows into their systems:
| Data category | Specific examples |
|---|---|
| Identity data | Full name, date of birth, nationality |
| Contact data | Email address, phone number, residential address |
| Verification documents | Passport scan, driver’s licence, proof of address |
| Financial data | Deposit and withdrawal history, payment method details |
| Technical data | IP address, device type, operating system, browser |
| Behavioural data | Session duration, games played, betting patterns |
| Communication data | Support chat logs, email exchanges |
The identity and document data is collected during KYC (Know Your Customer) verification, which all licensed operators are required to conduct. In practice, this means 21Bit Casino will ask you to upload a government-issued ID before processing your first withdrawal. That document scan sits on their servers — so it matters enormously how they store and protect it.
How your information is used
21Bit Casino processes personal data for a defined set of purposes. The legitimate purposes are broadly what you’d expect from any regulated operator:
- Account management — creating and maintaining your player account
- Payment processing — verifying and executing A$ deposits and withdrawals
- Legal compliance — satisfying AML (anti-money laundering) obligations and licence conditions
- Fraud and security — detecting suspicious activity and protecting account integrity
- Responsible gambling — monitoring behavioural indicators and enforcing self-exclusion
- Marketing communications — sending promotional offers, but only with your explicit consent
- Platform analytics — improving site performance and game recommendations
The important distinction here is between necessary processing and optional processing. Payments, compliance, and fraud prevention are non-negotiable — the casino cannot legally operate without them. Marketing is optional, and under Australian Privacy Principle 7, you have the right to opt out of direct marketing at any time. If 21Bit Casino emails you promotions and you haven’t consented or can’t easily unsubscribe, that’s a breach worth escalating.
Cookies and tracking: what’s running in the background
Like virtually every modern online platform, 21Bit Casino uses cookies and similar tracking technologies. These aren’t inherently sinister, but you should know what each type does:
| Cookie type | Function | Can be disabled? |
|---|---|---|
| Essential cookies | Login sessions, security tokens | No — disabling breaks the site |
| Analytical cookies | Track page visits, time on site, and feature usage for internal reporting | Yes — via browser settings |
| Preference cookies | Remember your language, display settings, and notification choices | Yes |
| Marketing cookies | Serve relevant promotions if you have consented to personalised content | Yes |
| Security cookies | Flag unusual login behaviour and prevent unauthorised account access | No |
If you’re using Chrome or Firefox, you can review and selectively disable non-essential cookies through your browser’s privacy settings. Third-party cookies used for ad retargeting are increasingly restricted by modern browsers anyway, but the casino’s own first-party analytics remain active by default.
Data sharing: who else sees your information
This is the section players read least but should probably read most. 21Bit Casino shares personal data with third parties, and the policy identifies the following categories of recipients:
| Recipient type | Purpose |
|---|---|
| Payment processors | Executing A$ transactions, fraud checks |
| KYC/AML providers | Identity verification and compliance screening |
| Cloud hosting providers | Data storage and infrastructure |
| Analytics platforms | Site performance and user behaviour analysis |
| Regulatory authorities | Providing records when required by law or licensing requirements |
| Responsible gambling organisations | Self-exclusion list cross-referencing |
The key commitment in any responsible privacy policy is that third parties must be contractually bound to use data only for the stated purpose and must implement comparable security standards. Whether 21Bit Casino enforces this contractually is not always visible in the public-facing policy, but it’s something you can ask their support team to confirm in writing.
How long is your data kept
Data retention is governed by a mix of business necessity and legal obligation. Here’s the general framework based on industry standards and what the policy reflects:
| Data type | Retention basis |
|---|---|
| Account data | Active for the life of the account; archived post-closure |
| KYC documents | Minimum 5 years post-account closure (AML compliance) |
| Financial transaction records | Minimum 7 years (Australian financial record-keeping standards) |
| Session and behavioural logs | Typically 12–24 months |
| Support communications | Duration of relationship plus 2 years |
The 5–7 year retention of financial and identity records isn’t optional on 21Bit Casino’s part — it’s a legal requirement tied to anti-money laundering legislation and licence conditions. This means even if you close your account, your documents don’t disappear immediately.
Security measures protecting your data
For any casino handling A$ payments and government ID documents, security infrastructure isn’t a nicety — it’s a baseline requirement. The measures 21Bit Casino implements include:
- SSL/TLS encryption on all data transmitted between your device and their servers
- Encrypted storage for sensitive documents and financial records
- Access controls limiting internal staff access to only what their role requires
- Two-factor authentication available for account logins
- Continuous monitoring for suspicious login attempts and unusual activity
From a practical standpoint, the encryption in transit is easy to verify yourself: the padlock icon in your browser confirms that the connection uses a valid SSL/TLS certificate. That covers data on its way to their servers, not how it is stored once it arrives. What you can’t verify personally is the quality of their internal access controls, but a Curaçao-licensed casino operating internationally is generally subject to regular third-party security audits as a licence condition.
Your rights as an Australian user
Under the Australian Privacy Act, you have enforceable rights regarding your personal data held by 21Bit Casino. These include:
- Right of access — you can request a copy of the personal information the casino holds about you
- Right to correction — if your data is inaccurate or outdated, you can request it be corrected
- Right to opt out of direct marketing — at any time, without needing to justify the decision
- Right to make a complaint — if you believe your privacy has been breached, you can escalate to the Office of the Australian Information Commissioner (OAIC)
To exercise any of these rights, contact 21Bit Casino’s support team directly. Requests should be handled within a reasonable timeframe — the Privacy Act generally treats 30 days as the standard. If you receive no response or an unsatisfactory one, the OAIC at oaic.gov.au is your next step.
Responsible gambling and data use
One aspect of privacy that’s specific to gambling operators is the use of behavioural data to support responsible gambling mechanisms. 21Bit Casino may use your session and betting data to:
- flag patterns consistent with problem gambling behaviour
- enforce deposit or loss limits you’ve set voluntarily
- process self-exclusion requests against national databases
- refer accounts showing risk indicators to support resources
This is one area where I’d argue more data use, not less, is actually in players’ interests. Australia’s National Self-Exclusion Register (BetStop) applies primarily to interactive wagering service providers under federal regulation, but offshore casinos operating in a grey area should still maintain their own internal exclusion systems. If you need support, Gambling Help Online (gamblinghelponline.org.au) operates 24/7.
What happens if there’s a data breach
Under the Notifiable Data Breaches scheme established by the Privacy Act, entities covered by Australian law must notify affected individuals and the OAIC when a data breach is likely to cause serious harm. Because 21Bit Casino is a foreign operator, its obligations under this scheme depend on whether it’s considered to be doing business in Australia — a legal question that isn’t always simple. Practically, a responsible operator will notify affected users regardless of technical jurisdiction. If you receive a breach notification, change your password immediately, request a review of any KYC documents held, and contact your bank if payment credentials were involved.
A note on policy updates
Privacy policies aren’t static documents. 21Bit Casino reserves the right to update this policy, and the most current version will be published on the /privacy-policy/ page with a revision date. I’d recommend bookmarking it and checking back any time the casino sends a terms-update notification. Continued use of the platform after a policy update is generally treated as acceptance — which means it’s worth knowing what changed before you log in to your next session.
Alex M. T. Russell is an Australian researcher and associate professor at CQUniversity, specialising in gambling behaviour and iGaming. He has contributed to over 150 academic publications used by regulators and responsible gambling organisations across Australia. His research is focused on how digital casino environments affect player decisions and risk.