Privacy Policy

This Privacy Policy explains how Heaps Of Wins Casino, operating the online casino website heapsofbet-au.com ("Heaps Of Wins Casino", "we", "us", "our"), collects, uses, discloses and protects your personal information. It applies to visitors to our website, players who create an account (including via the Inclave identity system), and any person who otherwise interacts with our services. By visiting or using heapsofbet-au.com you agree to the practices described in this Privacy Policy. This Privacy Policy is effective from 1 January 2026.

Who We Are

Heaps Of Wins Casino is an online gambling service targeting, among others, Australian and North American players and operated via the domain heapsofbet-au.com as part of the Heaps Of Wins Casino project.

Operator and responsibility for your data

  • Website operator: The services offered at heapsofbet-au.com are provided by an offshore online gambling operator (the "Operator"). The Operator does not publicly disclose its full legal name, registered office or company registration number in the website footer, Terms & Conditions or other customer-facing documentation.
  • Scope of this policy: This Privacy Policy describes how the Operator of heapsofbet-au.com handles personal information collected through this website, associated mobile or web applications, and the Inclave identity system where used for login and account management.
  • Regulatory context: The Operator currently has no verifiable public gaming licence and no Alternative Dispute Resolution (ADR) body is identified. The platform uses RealTime Gaming (RTG) software, which is certified by Gaming Laboratories International (GLI) under GLI-19, but this certification applies to the software provider and not to the Operator's overall regulatory status.

Contact for privacy matters

  • Data Protection Contact: For all privacy and data-protection questions, or to exercise your rights, you may contact our dedicated Data Protection Contact:
    • Email: [email protected] (primary channel for privacy, support, and responsible gambling/self-exclusion requests)
    • Online chat: 24/7 live chat is available on heapsofbet-au.com; initial responses may be automated, with escalation to a human agent.
  • Postal address: The Operator does not currently publish a verified service or mailing address. If this changes, we will update this section and, where required, notify affected users.
  • Phone: No active privacy or support telephone number is currently provided. Any legacy references to toll-free numbers should be treated as obsolete.

What Personal Data We Collect

Identification and contact data

  • Basic registration data: full name, username, password (stored using hashing techniques), email address, country of residence, preferred currency (e.g. AUD), and date of birth.
  • Contact data: additional email addresses you provide, mobile or landline phone numbers (if requested or voluntarily submitted), and communication preferences.
  • KYC/verification data: documents and information collected to meet Know-Your-Customer (KYC) and anti-money laundering (AML) requirements, such as:
    • Government-issued photo ID (e.g. passport, driver's licence)
    • Proof of address (e.g. utility bill dated within the last 3 months)
    • Copies of the payment card used for deposits (with middle digits and CVV appropriately masked as instructed)
    • Any additional information we reasonably need to confirm your identity or payment ownership.

Technical and usage data

  • Technical data: IP address, device identifiers, operating system, browser type and version, language and time-zone settings, and other technical information automatically collected when you access heapsofbet-au.com.
  • Log and session data: login and logout times, failed login attempts, session duration, pages viewed, referring URLs, clickstream data, and error reports.
  • Cookies and similar technologies: identifiers stored in cookies, local storage, pixels, tags, and SDKs that enable us and selected third parties to recognise your browser or device and track interactions (see "Cookies & Tracking Technologies" below).

Gaming, behavioural and communications data

  • Account and gaming data: account status, language, bonuses claimed, wagering requirements, game preferences, game plays, betting stakes, wins and losses, RTP settings applied at account or game level (where applicable), and time spent on games.
  • Behavioural data: navigation patterns, clicks, response to offers, device fingerprinting attributes used for anti-fraud, and risk indicators derived from your behaviour (e.g. chargeback risk, bonus abuse risk, or potential problem-gambling indicators).
  • Communications data: records of your interactions with us, including emails, live chat transcripts, complaint correspondence, support tickets, and notes created by support and finance teams.
  • Responsible gambling data: self-exclusion requests and related correspondence, notes of any concerns raised about gambling harm, and actions we take in response.

Payment and financial data

  • Transaction data: deposits, wagers, withdrawals, bonuses, chargebacks, refunds, chargeback reason codes, and currency data.
  • Payment instrument data: limited card details (card type, masked card number, expiry date), Neosurf voucher identifiers, eZeeWallet account references, and cryptocurrency wallet details (e.g. Bitcoin or Litecoin addresses) where used.
  • Banking and processing data: information relating to bank wires, intermediary or acquiring banks, and payment processors (including those located offshore, e.g. in Asia or Africa), as needed to process payments and comply with AML/CTF requirements.

Third-party and Inclave identity data

  • Inclave identity: When you register or log in using Inclave, we receive identifiers and profile data from the centralised Inclave identity management system, allowing single sign-on across a network of sister casinos (e.g. Royal Ace, Slots Garden). This may include verification status and shared fraud-risk information.
  • Third-party data: we may receive risk, AML or KYC information from payment providers, fraud prevention services, and other casinos within the same Inclave/RTG network, as well as public or commercially available databases (e.g. sanctions lists, PEP lists).

Legal Basis for Processing

While the Operator is an offshore entity primarily targeting a grey-market audience, it seeks to align, where reasonably practical, with principles of the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and - where relevant to particular users - with the EU General Data Protection Regulation (GDPR) and Mexican data protection rules. Depending on your location and the specific processing activity, we rely on the following legal grounds or equivalent principles:

  • Performance of a contract or steps taken at your request: We process data that is necessary to:
    • Create and manage your Heaps Of Wins Casino account
    • Provide access to RTG games and related services
    • Process deposits and withdrawals through card, cryptocurrency, Neosurf, eZeeWallet or bank transfer
    • Provide customer support and resolve operational and financial queries.
  • Compliance with legal and regulatory obligations: We process certain data to meet AML/KYC, fraud and financial reporting obligations that may apply to the Operator in its place of establishment or to its payment partners, including:
    • Identity verification and source-of-funds checks
    • Retention of transaction records for audit, tax or AML purposes
    • Responding to lawful requests from competent authorities (e.g. financial intelligence units, law enforcement, or regulators), recognising that, in Australia, online gambling regulation falls under frameworks such as the Interactive Gambling Act 2001 and oversight by bodies including ACMA and, for privacy matters, the Office of the Australian Information Commissioner (OAIC).
  • Legitimate interests (or equivalent balancing test): We rely on legitimate interests, balanced against your privacy rights, to:
    • Maintain account and platform security, including device fingerprinting and monitoring for multiple accounts or bonus abuse
    • Detect and prevent fraud, chargebacks and abuse of promotions
    • Conduct internal analytics and business reporting, including on player cohorts and RTP performance at an aggregated level
    • Improve our website, games offering and customer experience.
  • Consent: We rely on your consent to:
    • Send direct marketing communications (where required by applicable law)
    • Use certain non-essential cookies or tracking technologies for analytics and advertising
    • Share data with certain advertising or affiliate partners for personalised offers, where you have agreed.
    You may withdraw your consent at any time, as described in the "Your Rights" and "Cookies & Tracking Technologies" sections.
  • Protection of vital interests / public interest: In rare cases, we may process or disclose data where we believe it is necessary to protect your vital interests or those of another person (for example, in relation to suspected fraud, identity theft or serious risk of self-harm) or to assist public authorities in preventing or investigating serious offences.

Purpose of Processing

Provision and operation of casino services

  • Account creation and management: to register you, authenticate logins (including via Inclave), maintain your profile, verify your age and eligibility, and manage account settings and security.
  • Gaming services: to operate games and tournaments, track wagers, calculate wins and losses, credit bonuses, and apply game configurations (including RTP settings as chosen by the Operator within the RTG platform).
  • Payments and withdrawals: to process deposits and withdrawals, manage payment disputes, handle chargebacks and refunds, and meet related AML/CTF obligations.

Service improvement, analytics and risk management

  • Performance monitoring: to analyse platform performance, identify technical issues, optimise load times and ensure compatibility with devices and browsers used by our players.
  • Product development and analytics: to understand how players use heapsofbet-au.com, which games are popular, and how promotions perform, enabling us to refine our games portfolio, UX design and bonus structures.
  • Fraud and abuse prevention: to detect suspicious activity, improper chargebacks, collusion, money laundering, bonus abuse and multi-accounting, including by sharing limited risk indicators with RTG, Inclave and other security partners.

Marketing, personalisation and responsible gambling

  • Marketing communications: to send you offers, bonuses, newsletters and other promotional messages via email or on-site messaging, subject to your consent or applicable legal permissions.
  • Personalisation: to tailor content, game recommendations and promotions based on your activity, preferences and inferred interests.
  • Responsible gambling: to process self-exclusion requests sent to [email protected], assess potential signs of gambling harm, and take reasonable actions such as restricting bonuses or closing accounts where warranted.

Legal, regulatory and business purposes

  • Legal compliance and enforcement: to comply with AML/CTF, sanctions and other applicable laws in relevant jurisdictions, to respond to lawful requests from authorities, and to enforce our Terms & Conditions.
  • Record keeping and disputes: to maintain records needed to handle complaints, chargebacks or legal claims, and to demonstrate compliance with applicable obligations, standards and internal policies.
  • Business operations: to manage business planning, accounting, auditing and, where applicable, potential restructuring, merger or acquisition involving the Operator and its assets.

Disclosure & Sharing

Service providers and technical partners

  • Platform and software providers: We share necessary data with RealTime Gaming (RTG) and other technical providers who host or support our gaming platform. These providers may access pseudonymised or identifiable data as needed to operate games, maintain systems and handle incidents.
  • Inclave identity management: Where you use Inclave, your identity and related data are processed in a centralised system shared across a network of casinos. We and other participating casinos may receive and contribute information such as verification status, login credentials, and fraud-risk indicators via Inclave.
  • IT and security providers: Hosting providers, content delivery networks, DDoS protection, analytics tools, email delivery services and other IT vendors may process your personal data solely on our instructions to support heapsofbet-au.com.

Payments, banking and financial partners

  • Payment processors: We share data with card acquirers and processors (e.g. for Visa, MasterCard, American Express), Neosurf, eZeeWallet, cryptocurrency processors, and intermediary or correspondent banks, including those located offshore (for example, in Asia or Africa), as necessary to:
    • Process deposits and withdrawals
    • Verify transactions and card ownership
    • Handle chargebacks and investigate fraud or AML concerns.
  • Fees and routing: Because payments are routed offshore, your bank may apply international transaction fees (often up to around 3%) and may treat transactions as high-risk due to gambling merchant category codes.

Affiliates, marketing and analytics partners

  • Affiliate networks and tracking: We share limited identifiers (such as account IDs, country and basic attribution data) with affiliate partners and tracking providers to credit referrals and measure campaign performance.
  • Marketing service providers: Subject to your consent where required, we may share hashed email addresses or other identifiers with advertising networks or marketing platforms to deliver or measure targeted offers.
  • Analytics providers: We use analytics tools to understand how users interact with heapsofbet-au.com. These tools may use cookies or similar technologies to collect pseudonymised usage data.

Group, network and legal disclosures

  • Other casinos in the network: Limited data may be exchanged with other RTG/Inclave network casinos (for example, Royal Ace, Slots Garden and similar sister brands) for security, fraud prevention, self-exclusion enforcement and risk management, particularly where a single Inclave profile is used across multiple sites.
  • Legal, regulatory and enforcement authorities: We may disclose data to law enforcement, regulators, courts or governmental bodies where we believe disclosure is required or permitted by applicable law, regulation or court order, or to protect our rights, players, staff or third parties.
  • Business transfers: In the event of a proposed or actual sale, merger, restructuring or acquisition involving the Operator or its assets, we may transfer personal data to prospective or actual purchasers, subject to confidentiality obligations and, where required, appropriate safeguards.

We do not sell your personal data as that term is commonly understood, but certain sharing with advertising or analytics partners may be treated as a "sale" or "sharing" under some privacy laws; where relevant, we will provide appropriate opt-out mechanisms.

International Transfers

Because the Operator, its technical providers and payment partners are located in various countries, your personal information may be transferred to and processed in jurisdictions outside your own, including outside Australia, the European Economic Area (EEA) and Mexico. These jurisdictions may have privacy and data-protection laws that differ from, and may be less protective than, those in your home country.

Where your data may be processed

  • Hosting and platform locations: Servers and infrastructure supporting heapsofbet-au.com and RTG may be located in multiple countries, including but not limited to Caribbean jurisdictions (e.g. Curaçao), North America and the European Union.
  • Payment processing: Card and bank transactions may be routed through processors and intermediary banks located in regions such as Asia or Africa, depending on the payment route selected and banking arrangements.
  • Inclave and network services: The Inclave identity system and related fraud-prevention services may operate from the United States or other jurisdictions with their own privacy regimes.

Safeguards and limitations

  • Contractual protections: Where required by applicable law (for example, for transfers of personal data from the EEA or the UK), we endeavour to use appropriate safeguards, such as:
    • Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent instruments
    • Contractual obligations requiring service providers to protect personal data and use it only for specified purposes.
  • Technical and organisational security: We implement technical measures such as encryption in transit and at rest, access controls and security monitoring to reduce risks associated with cross-border data transfers.
  • Inherent risks: As an offshore, unlicensed operator, we may not be subject to the full oversight or enforcement mechanisms available in some regulated jurisdictions. While we take reasonable steps to protect your data, you should be aware that legal remedies and regulatory recourse (for example, through EU or Australian regulators) may be more limited than with fully regulated providers.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal or contractual obligations, and to protect our legitimate interests (for example, in relation to disputes or audits). Retention periods may vary depending on your country of residence and the applicable laws of relevant jurisdictions.

Typical retention periods

Category of data: Typical retention period

  • Account profile data (name, contact details, account settings): For the life of your account and up to 5 years after account closure, unless a longer period is necessary for legal claims.
  • KYC/AML documentation (ID, proof of address, card verification): Typically up to 7 years after account closure or last transaction, or such longer period as required by applicable AML/CTF or financial regulations.
  • Transaction and payment records: At least 7 years from the date of the transaction, to support accounting, tax and AML obligations.
  • Gaming and behavioural data: For as long as your account is active and generally up to 5 years after closure, subject to anonymisation or aggregation where feasible.
  • Technical logs (IP addresses, device data, access logs): Typically 12-24 months from collection, unless longer retention is necessary for security investigations or legal purposes.
  • Marketing data (subscriptions, preferences): Until you opt out of marketing, or generally up to 24 months after your last interaction with our marketing communications, whichever occurs first.
  • Complaints and dispute records: For the duration of the dispute and a minimum of 6 years afterwards.
  • Cookies and similar identifiers: Typically up to 13 months from placement on your device, unless renewed with your consent or per your browser settings.

Deletion and anonymisation

  • When data is no longer required for the purposes described in this Privacy Policy, we will either delete it or irreversibly anonymise it so that it can no longer be linked to you.
  • Deletion may be delayed where data is needed for an ongoing investigation, regulatory request, legal claim or chargeback process.
  • If you exercise your right to erasure (where applicable), we will remove or anonymise data that we are not legally or contractually required to retain.

Your Rights

Depending on your location, and subject to certain legal limitations and verification of your identity, you may have rights similar to those granted under the European Union's GDPR and Mexico's Federal Law on Protection of Personal Data Held by Private Parties and related regulations. We also seek to align, where reasonable, with the Australian Privacy Principles for Australian users.

Key rights

  • Right to be informed: To receive clear information about how we process your personal data, which this Privacy Policy is intended to provide.
  • Right of access: To obtain confirmation as to whether we hold personal data about you and, if so, to receive a copy of that data and certain related information.
  • Right to rectification / correction: To have inaccurate or incomplete personal data corrected or updated.
  • Right to erasure / cancellation ("right to be forgotten"): To request deletion of your personal data where, for example, it is no longer necessary for the purposes for which it was collected, you withdraw consent (where processing was based on consent), or the data has been processed unlawfully. This right is subject to limitations where data must be retained for legal, regulatory or legitimate interest purposes (such as AML, tax and dispute handling).
  • Right to restriction / blocking of processing: To request that we restrict the processing of your data in certain circumstances, such as while we verify its accuracy or where you have objected to processing.
  • Right to object: To object, on grounds relating to your particular situation, to processing based on our legitimate interests, including profiling, and to object at any time to processing for direct marketing purposes.
  • Right to data portability: Where applicable (for example, under GDPR or similar regimes), to receive certain personal data in a structured, commonly used and machine-readable format and to request that we transmit it to another controller where technically feasible.
  • Right to withdraw consent: Where processing is based on your consent (e.g. marketing communications or non-essential cookies), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Rights in relation to automated decision-making: Where applicable law grants such rights, you may request human review of decisions that significantly affect you and are based solely on automated processing, such as certain fraud or risk assessments.

How to exercise your rights

  1. Submit a request: Contact us via email at [email protected], indicating that your message concerns a privacy or data-protection request. You may also start a request via live chat, but we may ask you to confirm details by email.
  2. Verification: For your security, we may ask you to provide information necessary to verify your identity (for example, confirming account details or providing ID documentation, consistent with our KYC practices).
  3. Response time: We aim to respond to your request within 30 days of receipt. Where requests are complex or numerous, we may extend this period by up to an additional 30 days, in which case we will notify you of the extension and the reasons for it.
  4. Fees: We generally handle rights requests free of charge. However, where requests are manifestly unfounded or excessive, we may charge a reasonable fee or decline to act, as permitted by applicable law.
  5. Limitations: Some rights may not apply in all jurisdictions or may be restricted by other legal obligations (e.g. AML/CTF laws or requirements to retain transaction records). Where we decline to act on your request in whole or in part, we will explain the reasons unless prohibited by law.

Cookies & Tracking Technologies

We use cookies and similar technologies (such as pixels, tags, local storage and SDKs) on heapsofbet-au.com to enable core site functionality, remember your preferences, analyse site usage and support marketing and affiliate activities.

Types of cookies and technologies

  • Strictly necessary (session) cookies: Essential for the operation of the site and for enabling you to log in, navigate between pages, maintain your session and access secure areas. These cookies are generally deleted when you close your browser.
  • Functional (persistent) cookies: Used to remember your choices, such as language, region, game preferences or whether you have seen certain notices, and to provide enhanced, more personalised features.
  • Analytics cookies: Used to collect information about how visitors use our site, such as which pages are visited most often, how users move around the site and whether they encounter errors. This helps us improve site performance, user experience and content.
  • Advertising and affiliate cookies: Used to deliver or measure targeted advertising and promotions, track the effectiveness of marketing campaigns, credit affiliate partners for referred players and reduce fraud in affiliate programmes.
  • Similar technologies: We and our partners may use pixels or tags embedded in emails or web pages to understand when you have opened a message, visited a page or taken an action in response to an offer.

Managing cookies

  • Browser controls: Most browsers allow you to:
    • View which cookies are stored on your device
    • Delete cookies
    • Block cookies from all or selected sites
    • Set preferences for how cookies are handled.
    If you block strictly necessary cookies, some features of heapsofbet-au.com may not function properly.
  • On-site settings: Where a cookie banner or preferences panel is made available on our site, you can use it to manage your consent for different categories of cookies (for example, analytics or advertising).
  • Third-party opt-outs: Some third-party analytics and advertising providers offer their own opt-out mechanisms. We will provide links or information where relevant within our cookie notices or this Privacy Policy.

Data Security

We take reasonable technical and organisational measures to protect your personal data from unauthorised access, loss, misuse, alteration or disclosure. However, no internet or electronic system is completely secure, and we cannot guarantee absolute security.

Technical measures

  • Encryption in transit and at rest: Data transmitted between your browser and heapsofbet-au.com is protected using the Transport Layer Security (TLS) protocol (version 1.2 or above). Where feasible, sensitive data in our systems is encrypted at rest using industry-standard cryptographic techniques.
  • Access controls and authentication: Access to personal data is restricted to authorised personnel and service providers who need it to perform their duties. Staff accounts are protected by strong passwords and, where possible, multi-factor authentication (MFA).
  • Network and system security: We use firewalls, intrusion detection or prevention systems, anti-malware solutions and regular security patching within the environments that host our services, including RTG and associated infrastructure.

Organisational measures

  • Policies and training: Staff who handle personal data receive training on privacy, data security and acceptable use policies, including obligations to protect player information and report suspected incidents.
  • Vendor management: We select third-party service providers (including RTG, Inclave and payment processors) that commit to appropriate security standards and confidentiality obligations.
  • Risk management: We carry out ongoing monitoring of fraud risks, payment abuse, and unusual account behaviour, and maintain internal procedures for managing these risks.

Security monitoring and incident response

  • Monitoring and audits: We perform periodic reviews and technical assessments of our systems, and rely on platform providers whose software is tested against standards such as GLI-19 for interactive gaming systems. These software certifications do not replace our own security responsibilities but help support overall platform integrity.
  • Incident response: We maintain processes to investigate suspected security incidents, mitigate harm, and implement remediation measures. Where required by applicable law, we will notify affected users and relevant authorities of significant data breaches without undue delay.
  • Player responsibilities: You are responsible for keeping your login credentials confidential, using strong, unique passwords and taking reasonable steps to secure your devices and internet connection.

Complaints & Contacts

Contacting us

  • Primary contact for privacy and data protection:
    • Email: [email protected]
    • Subject line suggestion: "Privacy request" or "Data protection complaint"
  • Live chat: You may raise concerns via 24/7 live chat on heapsofbet-au.com; we may ask you to follow up by email for formal privacy requests.
  • Postal address: As noted above, the Operator does not currently publish a verified mailing address. If and when a service address becomes available, it will be added to this section.

Internal complaint procedure

  1. Submit your complaint: Provide a clear description of your issue, including relevant dates, account information and any evidence you consider important.
  2. Acknowledgement: We aim to acknowledge receipt of your complaint within 7 days.
  3. Investigation and response: We will investigate your complaint and aim to provide a substantive response within 30 days. Complex matters may take longer; if so, we will inform you of the delay and expected timeline.
  4. Escalation within the Operator: If you are not satisfied with the initial response, you may request escalation. Your complaint may then be reviewed by a more senior member of our support or compliance team.

External escalation to supervisory authorities

Depending on your location and applicable law, you may have the right to lodge a complaint with a data-protection authority. The following references are provided for convenience and do not constitute legal advice:

  • Australia (privacy): Office of the Australian Information Commissioner (OAIC)
  • Mexico: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI)
    • Website: https://www.inai.org.mx
  • European Union / EEA: If you are in the EU/EEA, you may contact your local data protection authority. Details are available via the European Data Protection Board (EDPB):

Please note that, given the Operator's offshore and unlicensed status, some authorities may have limited jurisdiction over its activities. Nevertheless, you may choose to raise your concerns with them, particularly in relation to data-protection issues.

Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements or other factors.

Notification of changes

  • Minor changes: Updates that do not materially affect your rights or the way we process your data will take effect when the revised Privacy Policy is posted on heapsofbet-au.com. We encourage you to review this page periodically.
  • Material changes: Where we make significant changes - for example, new categories of data, new purposes of processing, or substantial changes to international transfers - we will provide additional notice, which may include:
    • Email notification to the address associated with your account
    • Prominent banners or pop-up notices on heapsofbet-au.com
    • In-account messages or alerts.
  • Notice period: Where reasonably possible, we will provide at least 30 days' notice before material changes take effect for existing account holders.

Your options in case of changes

  • If you do not agree to an updated Privacy Policy, you may choose to stop using our services and request closure of your account by contacting [email protected].
  • Continued use of heapsofbet-au.com after any changes become effective will be taken as your acceptance of the updated Privacy Policy, to the extent permitted by applicable law.

Last updated: November 2026

Summary of recent material changes:

  • Clarified the Operator's offshore status and absence of a verifiable public gaming licence.
  • Expanded explanation of data sharing with Inclave and RTG, and of international transfers, including offshore payment routing.
  • Aligned rights and complaint information with GDPR-style and Mexican data-protection frameworks, and added references to OAIC, INAI and EU supervisory authorities.
  • Updated retention periods and security measures to reflect current practices as of 2026.