Savaspin Privacy Policy

Your personal data earns the same editorial precision as every other page on this site. Below, the operator explains which datapoints Savaspin collects, why each point is needed and how the file is kept sealed. Terdersoft B.V. and Interdersoft Limited run the casino under Curaçao eGaming Licence No. 152341 and accept joint controllership for Danish residents. Furthermore, the policy is refreshed whenever a processing activity changes; therefore, a quarterly re-read is a sensible habit.

Encryption and Security Practices

Security underpins every line of this policy, because data confidentiality is the first guarantee a casino owes its players. Specifically, every connection between your browser and savaspin-dk.com rides on 256-bit TLS, which matches the encryption strength used by high-street banks. Moreover, cashier flows sit on a separate segmented network behind a PCI DSS Level 1 processor, so card numbers never reach the Savaspin application servers in raw form. As a result, a breach of the public site would not expose your payment credentials.

Our data-centres operate inside EU jurisdictions, which keeps processing under the General Data Protection Regulation regime. In addition, intrusion-detection sensors watch every node in real time, and independent penetration tests run at least twice per year. Multi-factor authentication protects internal admin consoles; consequently, no single engineer can pull a full player file without a second approver. Overall, layered technical controls reduce the chance of a meaningful leak to a demonstrable minimum.

Data Categories We Collect

Savaspin gathers five data families to keep the platform safe, compliant and personalised. Moreover, each family is limited to the minimum required for the stated purpose, in line with the GDPR Article 5 data-minimisation duty. The table below opens the overview, and the breakdown below it adds the specifics for Danish accounts.

Category | Examples | Legal Basis | Retention
Identity data | Legal name, date of birth, address, CPR-linked ID scan | Contract and legal obligation | 5 years after account closure
Payment data | Card tokens, crypto wallets, transaction IDs | Contract, AML duty | 5 years after last transaction
Technical data | IP, user agent, device identifiers, cookie IDs | Legitimate interest | 12 months
Behavioural data | Game history, session length, bet size, deposit pattern | Contract, legal obligation | 5 years after account closure
Communication data | Chat transcripts, support emails, call recordings | Legitimate interest | 3 years from closure of ticket

Category-by-Category Breakdown

Identity data powers the account creation flow and the mandatory age check for Danish residents. Specifically, the pack includes your legal name, date of birth, address and an ID scan that binds the profile to a real person. In addition, the same file supports critical account notifications such as KYC outcomes, batch payout alerts and security warnings. Marketing emails are never sent from this base without an explicit opt-in; consequently, you can claim bonuses without committing to promotional contact.

Payment data is tokenised end-to-end, because the PCI DSS processor returns a reversible token instead of the raw card number. Therefore, even in the unlikely event of a breach, your card cannot be used to charge a third party. Moreover, crypto wallet addresses and on-chain transaction identifiers are stored so that AML screens can reconcile on-ledger movements. In fact, this transparency is a core condition of the Curaçao licence.

Technical data lands automatically on every session through server logs. For example, the collection includes IP, device fingerprint, browser string and cookie identifiers. Behavioural data, on the other hand, captures game history, session length and bet size, which feeds responsible-gaming algorithms that flag risky patterns. In summary, these two families power security, abuse detection and duty-of-care checks without drifting into unrelated profiling.

How We Use Your Data

Your data serves six concrete purposes, and each purpose ties to a defined legal basis under GDPR. In other words, nothing is collected “in case it becomes useful later”; every processing activity has a documented justification. The list below summarises the use cases Danish residents should be aware of.

Cookie Policy

Cookies sit at the core of any modern gaming site, and Savaspin is no exception. In practice, a consent banner greets each new visitor, and non-essential cookies stay dormant until you agree. Moreover, the preference you save is stored against the device so that the banner does not reappear on every visit. In addition, you can revisit the panel at any time from the footer link.

Active Cookies on the Site

Cookie Type | Purpose | Vendor | Duration
Essential session | Keep the player logged in and the cart active | Savaspin | Session
Security | Detect suspicious login attempts and bot traffic | Savaspin | 30 days
Analytics | Measure page traffic and navigation paths | Google Analytics 4 | 14 months
Performance | Monitor load times and cashier latency | Cloudflare | 6 months
Marketing | Serve retargeting ads on partner networks | Meta, Google Ads | 180 days
Preferences | Remember language, theme and consent choice | Savaspin | 12 months

Managing Cookie Preferences

You remain in charge of the cookie experience at all times. Specifically, the consent centre lets you toggle analytics, marketing and preference groups on or off without touching essential cookies. Furthermore, most browsers ship with a dedicated privacy panel that deletes cookies, blocks third-party tracking or wipes local storage on exit. However, switching off essential cookies can break the login or cashier, so we recommend tailoring only the non-essential groups.

Sharing with Third Parties

Savaspin works with a lean roster of processors, because every extra partner widens the exposure surface. Moreover, each partner signs a data-processing agreement that mirrors the GDPR Article 28 template and forbids re-use outside the commissioned task. As a result, your file never travels further than the operational need requires. The main recipient families are listed below.

The directory below names the principal processors Savaspin relies on, so that Danish residents can verify each recipient before engaging with the cashier. Moreover, the same list is updated whenever a vendor is swapped, and the version date at the page foot flags the most recent change.

Processor | Function | Jurisdiction | Safeguard
Praxis Cashier | Card and MobilePay processing | EU (Malta) | PCI DSS Level 1 and tokenisation
SumSub | KYC and document verification | EU (Germany) | ISO 27001 and GDPR Article 28 DPA
BitGo | Crypto wallet infrastructure | EU (Switzerland) | SOC 2 Type II and multi-sig vaults
Google Analytics 4 | Traffic and navigation metrics | EU hosting | Standard Contractual Clauses in place
Cloudflare | CDN and DDoS protection | EU region | ISO 27001 and GDPR-aligned DPA
Zendesk | Support ticketing | EU (Ireland) | SOC 2 Type II and encryption at rest

Data Retention Periods

Retention lengths track the legal backbone of the operation rather than commercial convenience. Specifically, AML rules oblige us to keep transactional records for five years after the last movement on the account, so that period cannot be shortened at will. In addition, responsible-gaming evidence is held for the same window, because a future regulator review may need to inspect that file. Nevertheless, inactive marketing consents are purged after twenty-four months to avoid profile bloat.

Technical logs are rotated inside a twelve-month window, because their evidentiary value decays quickly. Consequently, older server logs are irreversibly destroyed on a rolling schedule managed by the security team. Support transcripts remain on file for three years after a ticket closes, to preserve the paper trail behind dispute decisions. Overall, the retention ladder is documented inside a Record of Processing Activities that is made available to auditors on request.

Your Rights under GDPR

Danish residents retain the full bundle of rights granted by the General Data Protection Regulation, and Savaspin welcomes requests under each heading. Therefore, a privacy request never costs the user anything and is not treated as a signal to close the account. The rights you can exercise are as follows.

File requests through [email protected] with the subject line “GDPR request” and the account username. The data-protection desk replies within one calendar month; however, complex cases can extend by a further two months with written notice. In addition, you retain the right to complain to the Danish Data Protection Authority (Datatilsynet) at any time, and that route does not require Savaspin’s prior sign-off. As a result, the escalation ladder is genuinely neutral.

Contact and Document Updates

This policy is refreshed whenever a processing activity, vendor list or legal duty shifts. Consequently, the version date at the top of the page marks the latest effective text. Moreover, material changes — for example, a new processor or a different retention window — are announced to every active account by email at least seven days in advance. For routine questions, reach the data-protection desk at [email protected], and the team will reply inside one business day.

For formal escalations, Danish residents can contact the Datatilsynet at Carl Jacobsens Vej 35, 2500 Valby, Copenhagen. Furthermore, the authority accepts complaints through its online portal and does not charge a fee for opening a case. Savaspin cooperates with every regulator inquiry inside the statutory deadlines, and the internal privacy team keeps a log of such requests for auditability. As a result, the accountability loop between the operator, the player and the supervisory authority remains fully closed.
