Winz.io Privacy Policy

• Role and legal basis
  • The operator acts as a Data Fiduciary under India’s Digital Personal Data Protection Act, 2023, and as a Data Controller under the GDPR where applicable.
  • Processing is based on one or more lawful bases: consent, performance of a contract, legal obligation, or legitimate interests.
• Personal data collected
  • Identity and verification data: full name, date of birth, nationality, gender, photographs, official ID documents (such as passport, driving licence), Permanent Account Number (PAN). Aadhaar details are used only in line with law and express consent.
  • Contact details: email address, mobile number, residential address.
  • Account and usage data: username, preferences, responsible gaming limits, game and bet history, session logs, customer support interactions.
  • Transaction and payment information: payment method details provided to or via payment service providers, transaction identifiers, deposits, withdrawals, refunds.
  • Technical data: device identifiers, IP address, operating system, browser type, app version, cookie data, advertising identifiers, language and time zone.
  • Location data: approximate location inferred from IP for compliance and service delivery.
  • Risk and compliance data: sanctions and PEP screening results, fraud indicators, chargeback data, dispute records.
• Why personal information is collected
  • To create and manage your Winz account and provide online services.
  • To process payments, verify identity (KYC), and meet anti-money laundering obligations.
  • To support responsible gaming tools and enforce self-exclusion and limits.
  • To provide customer support and resolve disputes.
  • To secure the platform, prevent fraud, and ensure service integrity.
  • To measure performance, conduct analytics, and improve features.
  • To send service notices and, subject to consent or legitimate interest, marketing communications.
• Technical and organisational safeguards
  • Encryption in transit (TLS 1.2+), encryption at rest, and segregated environments.
  • Strict access controls, role-based permissions, multi-factor authentication, and logging.
  • Regular security testing, vulnerability management, and independent audits.
  • Vendor due diligence and data processing agreements with processors.
  • Data minimisation, purpose limitation, and retention controls aligned to legal needs.
• User rights (India and international)
  • Access and confirmation of processing.
  • Correction of inaccurate or incomplete data.
  • Deletion of personal data, subject to regulatory and record-keeping duties.
  • Withdrawal of consent without affecting prior lawful processing.
  • Objection to direct marketing and restriction of certain processing.
  • Portability where technically feasible and permitted by law.
  • Grievance redressal through the designated contact.
• Compliance
  • This Policy is designed to meet the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000 and SPDI Rules, and the GDPR where applicable.

• Service delivery and account operations
  • Register and authenticate users, maintain profiles, and provide online services.
  • Facilitate deposits, bets, gameplay, withdrawals, and refunds.
• Safety, integrity, and responsible gaming
  • Monitor usage to prevent fraud, cheating, money laundering, and bonus abuse.
  • Apply self-exclusion, cooling-off, and limit features to support safer play.
• Customer support and communications
  • Respond to enquiries, troubleshoot issues, and manage disputes.
  • Send transactional updates, security alerts, and service notices.
• Analytics and product improvement
  • Analyse performance, quality, and user experience to improve functionality.
  • Conduct aggregated statistics and reporting without identifying individuals when possible.
• Marketing
  • Send offers or updates only where permitted by consent or legitimate interests.
  • Provide easy opt-out options in each message and in account settings.
• Legal and compliance
  • Meet KYC/AML checks, tax, accounting, and regulatory requests.
  • Enforce terms, protect rights, and comply with lawful data disclosure requests.

Processing is carried out lawfully, fairly, and in a transparent manner. Where automated decisions have legal or similar effects, users may request human review and express their point of view.

• How users can access and update data
  • Review and edit core profile fields in account settings.
  • Request a copy of personal information by emailing privacy@winz.io.
• Correction and deletion procedures
  • Submit requests to correct or delete data through account tools or by email.
  • Identity verification may be required to protect users and prevent misuse.
  • Requests are processed within 30 days, or as allowed by law for complex cases.
  • Certain records must be kept for legal, tax, fraud prevention, or AML purposes for at least five years after account closure.
• Security checks and payments
  • By using the site, users consent to verification, sanctions screening, fraud checks, and risk assessment.
  • Users also consent to payment information being processed by payment service providers and banks to complete transactions.
• Grievance and DPO contacts
  • India Grievance Officer: grievance.india@winz.io
  • Data Protection Officer: dpo@winz.io

• Access is restricted to persons aged 18 years and above.
• The operator cannot verify age without supporting documents and may request proof before allowing further use.
• If a parent or legal guardian notifies that a minor has provided personal information, the account will be suspended and such data will be deleted after verification of the requestor’s identity and authority.
• Any suspected underage use results in immediate review and account action.

• Personal information may be stored or processed in other countries where service partners, data centres, or group entities operate, including the EEA, the United Kingdom, Singapore, and the United States.
• By using the website and services, users consent to cross-border transfers subject to safeguards.
• Transfers follow applicable law, including the DPDP Act, contractual protections such as Standard Contractual Clauses where relevant, intra-group agreements, and partner confidentiality obligations.
• Partners are required to implement appropriate security and privacy controls consistent with this Policy.

• This Policy may be supplemented by specific notices, terms, or product-level privacy statements that clarify or modify how certain rules apply.
• The disclaimer applies once the user accepts the Policy by signature, click-acceptance, accession, or continued use of the services.
• If there is a conflict between versions or translations, the most recent English version published on the website prevails to the extent permitted by law.
• Nothing in this Policy limits rights under mandatory law or any lawful request by authorities.

• Definition and purpose
  • Cookies are small files stored on a device to remember a user and preferences across websites and sessions.
• How cookies are used
  • Necessary cookies for login, account security, and core functions.
  • Functional cookies for preferences and improved user experience.
  • Analytics cookies for statistics, behaviour analysis, and service improvement.
  • Marketing cookies to personalise content and measure campaign effectiveness.
• Retention
  • Session cookies expire when the session ends.
  • Persistent cookies are retained for up to 1 year unless deleted earlier by the user.
• Choices
  • Users can manage cookie settings through the cookie banner and browser controls.
  • Blocking some cookies may affect availability of certain features.

• Using the site constitutes full acceptance of this Privacy Policy and any updates posted here.
• The current version available on the website prevails over any prior version.
• Material changes will be communicated by notice on the site or by email where appropriate.
• Continued use after the effective date of changes indicates acceptance of the updated Policy.

• Sharing of information
  • Personal data may be shared with third parties to comply with law, handle disputes, perform contracts, and provide integrated services.
  • Typical recipients include payment service providers and banks, KYC/AML and sanctions screening vendors, analytics providers, customer support tools, cloud hosting and security partners, auditors, and regulators.
• Transparency
  • A current list or representative categories of processors and partners is maintained on the website. If a new material category is introduced, users will be informed of the purpose and scope as required by law.
• Safeguards
  • Third parties are bound by confidentiality, data protection obligations, and security standards proportionate to the risk and nature of processing.
  • Providing personal information to enable these services constitutes consent where required.

• The site may contain links to external websites or services that operate under their own privacy policies and security practices.
• The operator does not control and is not responsible for how those websites collect, use, or share personal information.
• Users should review the privacy statements of any external website and proceed cautiously before providing personal data.