burger icon
Merlin Casino United Kingdom
Log In

Privacy Policy

This Privacy Policy explains how Versus Odds B.V. ("we", "us", "our") collects, uses, discloses and protects your personal data when you use the Merlin Casino version of our online casino services available at https://merlincas.com (the "Website", "Merlin Casino"). It applies to registered players, visitors to the Website, and users of our customer support channels. This policy is effective from 6 November 2025 and is designed to comply with applicable UK data protection law, including the UK GDPR and the Data Protection Act 2018.

By creating an account, using the Website, contacting support, or otherwise interacting with Merlin Casino on merlincas.com, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, you should not use the Website or our services.

Who We Are

The Website is operated by Versus Odds B.V., trading as "Merlin Casino" for the Merlin Casino offering on merlincas.com.

Operator and Registration Details

  • Legal entity: Versus Odds B.V., a private limited company (B.V.) incorporated under the laws of Curaçao.
  • Registered address / legal address: Korporaalweg 10, Willemstad, Curaçao.
  • Company registration number: 147011.
  • Gambling licence: Online gambling licence No. 8048/JAZ2019-020 issued by Antillephone N.V., Curaçao (master licence holder: Antillephone N.V.).
  • Licence validator: The validity of the licence can be checked via the Antillephone N.V. validator available through the seal in the Website footer (link contains license.antillephone.com).

Versus Odds B.V. operates from Curaçao and accepts UK players on an offshore/non-GamStop basis. The Website is not licensed or regulated by the UK Gambling Commission (UKGC), and player protection standards may therefore differ from those of UK-licensed operators. However, for UK players, we apply the UK GDPR and the Data Protection Act 2018 to the processing of personal data.

Data Protection Contact

We have designated a data protection point of contact to handle privacy-related questions and requests:

  • Data Protection Officer (DPO): Data Protection Officer, Versus Odds B.V.
  • Postal address: Data Protection Officer, Versus Odds B.V., Korporaalweg 10, Willemstad, Curaçao.
  • Email (preferred channel): [email protected]
  • Support channels: 24/7 live chat on the Website and email support (accessible via the Website). No telephone support is currently offered.

What Personal Data We Collect

We collect different categories of personal data when you visit merlincas.com, create or use a Merlin Casino account, interact with our games, or contact support. We collect only data that is necessary for specified purposes described in this policy.

Identity and Contact Data

  • Identification details: first name, last name, date of birth, gender, country of residence, and proof-of-identity data (e.g. copies of ID documents) collected as part of our KYC/AML checks in accordance with our KYC Policy.
  • Contact details: email address, postal address, and (where provided) telephone number or instant messaging identifiers.
  • Account details: username, password (stored using secure hashing), language preference, and communication preferences.

Account, Gameplay and Behavioural Data

  • Account activity: registration date, login times, account status, verification status, self-exclusion or cooling-off flags, and account limits.
  • Gameplay data: game sessions, stakes, wins and losses, betting history, preferred games, and time spent on site, which we may use for responsible gambling monitoring and fraud prevention.
  • Behavioural data: clickstream data, pages viewed, referral URLs, session duration, and interactions with bonuses, promotions and website features.

Technical and Device Data

  • Technical identifiers: IP address, device identifiers, browser type and version, operating system, time zone, and language settings.
  • Device and network details: device model, screen resolution, network provider, approximate location based on IP address, and log files generated by our servers.
  • Security logs: failed login attempts, suspicious activity patterns, and other security-related logs used for anti-fraud and account protection.

Payment and Financial Data

  • Payment details: partial payment card data (such as masked card numbers and expiry dates), bank account details, e-wallet identifiers, and other payment method information, collected and processed mostly by our payment partners.
  • Transaction data: deposits, withdrawals, chargebacks, refunds, bonuses, wagering requirements and related financial records.
  • Payment processing partners: For example, payment processing may be handled via Deloraze Limited in Cyprus and other authorised payment service providers.

Marketing and Communication Data

  • Marketing preferences: opt-ins and opt-outs to email marketing, SMS, push notifications and on-site messaging.
  • Communication history: records of emails, live chat transcripts, and any correspondence with our customer support, including complaints and dispute files.

Cookies and Similar Technologies

  • Cookies: small text files stored on your device to support core functionality, security, analytics and marketing.
  • Tracking technologies: web beacons, pixels, SDKs, local storage and similar tools used to recognise your browser or device and measure engagement with our services and promotions.

Special Categories of Data

We do not intentionally request or process special categories of personal data (such as health data or data revealing ethnic origin) except where you voluntarily provide limited information relating to responsible gambling (for example, information regarding gambling addiction issues when requesting self-exclusion or assistance). Where this occurs, we process such data only for the purpose of protecting your vital interests and complying with responsible gambling and legal obligations.

We do not knowingly collect personal data from individuals under 18 years of age. If we become aware that a minor has provided personal data, we will take steps to close the account and delete or securely anonymise the data, unless retention is required for legal reasons (for example, to investigate fraudulent use of another person's identity).

Legal Basis for Processing

We process your personal data in accordance with the UK GDPR and the Data Protection Act 2018, and we align our practices with relevant international standards, including the EU GDPR and Mexican data protection principles where applicable. We rely on the following legal bases:

Performance of a Contract

  • Account creation and management: to register your account, verify your age and identity, provide access to games and process your transactions.
  • Service delivery: to provide the gaming services you request, including bonuses, tournaments and loyalty programmes, and to communicate with you about your account, gameplay and requests.
  • Customer support: to answer your questions, resolve complaints and technical issues, and provide assistance via live chat and email.

Compliance with Legal Obligations

  • KYC/AML and responsible gambling: to verify your identity, detect and prevent money laundering, terrorist financing, fraud and other illegal activities, and to implement responsible gambling measures.
  • Regulatory reporting: to comply with demands from our licensing authority in Curaçao, financial regulators, tax authorities and law enforcement where required by law.
  • Record-keeping: to retain transaction and account records for legally mandated periods, including accounting and anti-money laundering requirements.

Legitimate Interests

  • Service improvement and analytics: to understand how players use our Website, improve performance and usability, test new features and ensure the stability of the platform.
  • Fraud prevention and security: to monitor for suspicious activity, protect accounts, detect abuse of bonuses, and maintain the integrity of our systems and games.
  • Business operations: to manage our relationship with you, enforce our Terms & Conditions and Bonus Terms, and protect our legal rights and interests.

Consent

  • Marketing communications: sending you promotional emails, SMS or push notifications about offers and products, where required by law, is based on your explicit consent or on soft opt-in rules where permitted under UK e-privacy rules.
  • Non-essential cookies: setting analytics and advertising cookies and using similar technologies on your device, where required by law, is based on your consent via our cookie banner or settings.

Legal Claims and Vital Interests

  • Legal claims: we may process your data when necessary to establish, exercise or defend legal claims (for example, in the context of disputes, litigation or regulatory investigations).
  • Vital interests: in rare cases, we may process data to protect your vital interests or those of another person, for example by sharing information with relevant organisations if there is a serious risk of harm linked to problem gambling.

Purpose of Processing

We use your personal data strictly for specified, explicit and legitimate purposes. The main purposes include:

Providing and Managing Casino Services

  • Account registration and verification: to onboard you as a player, verify your age and identity, carry out KYC checks, and manage your account status and access to merlincas.com.
  • Gameplay and transactions: to enable deposits, bets, game participation, withdrawals, bonuses and loyalty rewards, and to track wagering requirements and game outcomes.
  • Customer support: to respond to enquiries, provide technical assistance, resolve complaints and maintain records of communications.

Compliance, Risk Management and Fraud Prevention

  • Anti-fraud and security: to monitor accounts and transactions for suspicious patterns, prevent misuse of bonuses, and protect against unauthorised access and cyber-attacks.
  • AML and regulatory obligations: to perform risk assessments, transaction monitoring and reporting in line with our KYC/AML policy and licensing requirements.
  • Responsible gambling: to administer self-exclusion, deposit limits, time-outs and other safer gambling tools, and to contact you about potential problem gambling indicators.

Service Improvement and Analytics

  • Usage analytics: to analyse aggregated gameplay and website usage data, improve game selection, optimise performance and fix bugs.
  • Personalisation: to customise content, display relevant games and promotions, and tailor user experience based on your behaviour and preferences.

Marketing and Promotions

  • Direct marketing: to send you offers, news and promotions about Merlin Casino via email, SMS, push notifications or on-site messages, in accordance with your preferences and applicable laws.
  • Advertising and measurement: to measure the effectiveness of campaigns, prevent duplicate registrations via affiliate networks, and operate loyalty or VIP programmes.

Legal, Regulatory and Business Purposes

  • Legal compliance: to maintain mandatory records, respond to lawful requests from authorities and comply with applicable laws in Curaçao, the UK and other relevant jurisdictions.
  • Business operations: to manage disputes, enforce our Terms & Conditions and Bonus Terms, support audits and due diligence processes, and manage potential corporate transactions such as mergers or acquisitions.

Disclosure & Sharing

We do not sell your personal data. We share your data only with trusted recipients where necessary for the purposes described in this policy, subject to appropriate safeguards.

Within Versus Odds B.V. and Affiliates

  • Internal teams: authorised employees of Versus Odds B.V. (e.g. customer support, payments, compliance, risk, IT) who require access to perform their duties, under strict confidentiality and access controls.
  • Group and brand partners: affiliated entities and brands operated by Versus Odds B.V. where needed for centralised risk management, IT security, or shared services.

Payment Partners and Financial Institutions

  • Payment processors: companies that process deposits and withdrawals on our behalf, such as Deloraze Limited in Cyprus and other licensed payment service providers.
  • Banks and financial institutions: to process payments, verify ownership of accounts, and handle chargebacks or disputes.

Service Providers and Technical Partners

  • IT and hosting providers: companies providing server hosting, cloud infrastructure, content delivery networks and technical support.
  • Game providers and platforms: suppliers of casino games and related technology, to the extent necessary to enable game play and ensure game integrity.
  • Analytics and security vendors: providers of analytics tools, anti-fraud systems, KYC/AML screening tools, and security solutions.

Affiliates and Advertising Networks

  • Affiliate partners: marketing affiliates who refer players to the Website. We may share limited information (such as registration or deposit status) necessary to calculate commissions and prevent abuse.
  • Advertising and tracking partners: where you consent to advertising cookies and similar technologies, we may work with advertising networks to deliver and measure targeted ads.

Regulators, Authorities and Dispute Bodies

  • Licensing and regulatory authorities: Antillephone N.V. and other regulators or supervisory bodies where legally required.
  • Law enforcement and courts: when necessary to comply with legal obligations, court orders or to protect our rights, players, or others.

Business Transfers

  • Corporate transactions: in the event of a merger, acquisition, restructuring or sale of assets, personal data may be transferred to the relevant third party, subject to continuity of protections consistent with this policy.

International Transfers

Because Versus Odds B.V. is based in Curaçao and uses service providers located in various countries, your personal data may be transferred and processed outside the United Kingdom, including in jurisdictions that may not offer the same level of data protection as the UK.

Main Transfer Locations

  • Curaçao: operational location of Versus Odds B.V. and primary processing location for certain back-office functions.
  • Cyprus: location of payment processing partners such as Deloraze Limited.
  • Other countries: locations of hosting providers, game suppliers, analytics providers or other service providers, which may be within or outside the European Economic Area (EEA).

Safeguards for International Transfers

  • Contractual safeguards: where required, we use Standard Contractual Clauses (SCCs) approved under the UK GDPR and/or EU GDPR, together with supplementary measures, to ensure an adequate level of protection.
  • Technical safeguards: we use encryption, access controls and minimisation of data shared with service providers to reduce risk.
  • Due diligence: we assess the legal and security environment of third-country recipients and require them to implement appropriate technical and organisational measures.

By using merlincas.com and Merlin Casino, you understand that your data may be processed in these locations, subject to the safeguards described above.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, accounting and regulatory requirements. Retention periods may vary depending on the type of data and applicable law.

Typical Retention Periods

  • Account and identity data: kept for the duration of your active account and normally for up to 5 years after account closure, to comply with AML and regulatory obligations and to manage potential disputes.
  • KYC/AML documentation: copies of ID documents, proof of address and related verification data are typically retained for up to 7 years after account closure or the last transaction, in line with anti-money laundering requirements.
  • Transaction and financial data: records of deposits, withdrawals and gameplay transactions are normally retained for up to 7 years for accounting, tax and regulatory purposes.
  • Marketing data: information about your marketing preferences and consents is kept while you remain subscribed and for a limited period (normally up to 2 years) after you last interact with our marketing, unless you withdraw consent earlier.
  • Technical and log data: security logs and technical records are usually stored for up to 2 years, unless a longer period is required to investigate or respond to security incidents or fraud.
  • Complaint and dispute files: correspondence and documents relating to complaints or disputes may be retained for the lifetime of the dispute and usually up to 6 years thereafter, to protect our legal rights and demonstrate compliance.

Deletion and Anonymisation

  • Deletion: when data is no longer needed, we will delete it or securely destroy physical media.
  • Anonymisation: we may anonymise data so that it can no longer be associated with you and use it for statistical, analytical and reporting purposes indefinitely.
  • Legal exemptions: if you request erasure, we may be unable to delete certain data where we are legally required to retain it (for example, for AML, tax or accounting purposes). In such cases, we will explain the reasons for retention.

Your Rights

As a data subject, you have rights over your personal data. For UK players, these arise primarily under the UK GDPR and the Data Protection Act 2018. We also aim to align our practices with the EU GDPR and Mexican privacy legislation, including the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), particularly in relation to ARCO rights (access, rectification, cancellation, opposition) where applicable.

Data Protection Rights

  • Right of access: to obtain confirmation of whether we process your data and receive a copy of your personal data and certain related information.
  • Right to rectification: to have inaccurate or incomplete personal data corrected or updated.
  • Right to erasure ("right to be forgotten" / cancellation): to request deletion of your personal data in certain circumstances, for example where data is no longer necessary for the purposes for which it was collected, subject to our legal retention obligations.
  • Right to restriction of processing: to request that we limit processing of your data in specific situations, such as while we verify accuracy or consider an objection.
  • Right to object: to object to processing based on our legitimate interests, including profiling, and to object at any time to processing of your data for direct marketing.
  • Right to data portability: to receive certain personal data you have provided to us in a structured, commonly used and machine-readable format and to have it transmitted to another controller where technically feasible.
  • Right to withdraw consent: where processing is based on consent (for example, marketing, non-essential cookies), you may withdraw your consent at any time, without affecting the lawfulness of processing prior to withdrawal.
  • Rights related to automated decision-making: where we use automated processes (including profiling) that have legal or similarly significant effects on you, you have the right to request human review and to contest the decision, subject to applicable law.

How to Exercise Your Rights

  • Submitting a request: you can exercise your rights by contacting us at [email protected] or via live chat requesting contact with the data protection team. Please indicate which right you wish to exercise and provide sufficient information to identify your account.
  • Identity verification: to protect your data, we may ask for additional information or documentation to verify your identity before responding to a request.
  • Response time: we aim to respond to all valid requests within 30 days of receipt, and we may extend this period by up to two further months for complex or numerous requests, in which case we will inform you of the extension and reasons. For data subjects covered by Mexican law, we aim to respond in line with LFPDPPP timeframes while maintaining at least the 30-day standard.
  • Fees: we handle requests free of charge, unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, as permitted by law.

Certain rights may be limited where restrictions are necessary and proportionate, for example to comply with legal obligations (such as AML rules), protect the rights of others, or preserve the confidentiality of security measures. If we cannot comply with your request, we will explain the reasons.

Cookies & Tracking Technologies

We use cookies and similar technologies on merlincas.com to ensure the Website functions properly, to improve performance, and to support marketing and analytics activities, in compliance with applicable UK e-privacy rules.

Types of Cookies We Use

  • Strictly necessary cookies: essential for the operation of the Website and use of core features, such as logging in, maintaining session state, processing payments and providing security. These cookies cannot be switched off through our cookie tools, although you may block them in your browser (which may impair functionality).
  • Functional (preference) cookies: used to remember your settings and preferences, such as language, region and saved details, to provide a more personalised experience.
  • Analytics and performance cookies: used to collect aggregated information about how visitors use the Website, such as pages visited, session duration and error messages, helping us improve performance and usability.
  • Advertising and targeting cookies: used to deliver relevant advertisements on our Website or third-party sites, limit how often you see an ad, and measure the performance of marketing campaigns. These may be set by us or by advertising networks and affiliates.
  • Third-party cookies: set by third parties such as game providers, analytics tools, payment processors or advertising partners when their services are integrated into our Website.

Managing Cookies

  • Cookie banner and settings: on your first visit (and periodically thereafter), you will see a cookie banner allowing you to accept or reject non-essential cookies. You can adjust your choices at any time via our cookie settings panel (accessible from the Website footer or your account area, where available).
  • Browser controls: most browsers allow you to block or delete cookies via settings. However, blocking all cookies may prevent the Website from functioning correctly.
  • Do Not Track: our systems may not respond to "Do Not Track" signals; instead, you can manage cookies via our tools and browser settings.

Further details about specific cookies in use may be provided in a separate Cookie Policy on the Website, which should be read together with this Privacy Policy.

Data Security

We take the security of your personal data seriously and implement a range of technical and organisational measures designed to protect it against unauthorised access, disclosure, alteration or destruction. While no system can be guaranteed 100% secure, we strive to follow recognised industry practices.

Technical Measures

  • Encryption in transit and at rest: data transmitted between your browser and our servers is protected using TLS (Transport Layer Security) version 1.2 or higher. Sensitive data is encrypted at rest where appropriate using strong cryptographic standards.
  • Account security: passwords are stored using industry-standard hashing algorithms. We encourage the use of strong, unique passwords, and we may implement additional security features such as multi-factor authentication (MFA) for administrative access.
  • Access controls: access to systems and databases is restricted on a least-privilege basis. Only authorised personnel with a legitimate business need can access personal data.
  • Network and application security: firewalls, intrusion detection/prevention systems, anti-malware tools and regular patching are used to protect our infrastructure and applications.

Organisational Measures

  • Policies and training: staff are bound by confidentiality obligations and receive training on data protection, information security and responsible handling of player data.
  • Vendor due diligence: we assess the security posture of third-party service providers and require them to implement appropriate protection measures through contractual obligations.
  • Audits and testing: we conduct periodic security assessments, vulnerability scans and, where appropriate, penetration tests. We aim to align our practices with recognised security frameworks such as ISO 27001 and SOC 2, without implying formal certification unless explicitly stated on the Website.

Incident Response

  • Monitoring and detection: we monitor for unusual activity and potential security incidents on our systems.
  • Breach management: if we become aware of a personal data breach, we will investigate and take appropriate remedial action. Where required by law, we will notify the relevant supervisory authority and affected individuals without undue delay, in accordance with the UK GDPR and other applicable laws.

Complaints & Contacts

If you have questions, concerns or complaints about how we handle your personal data, we encourage you to contact us first so we can try to resolve the issue directly.

How to Contact Us

  • Email (privacy matters): [email protected]
  • Postal address: Data Protection Officer, Versus Odds B.V., Korporaalweg 10, Willemstad, Curaçao.
  • Customer support: 24/7 live chat and email support via the Website; please indicate that your message concerns privacy or data protection.

Internal Complaint Procedure

  1. Step 1 - Contact support: raise your concern via live chat or email support. Many issues can be resolved quickly at this stage.
  2. Step 2 - Escalate to the DPO: if you are not satisfied with the initial response, or if your request specifically concerns data protection rights, contact the DPO at [email protected]. Please provide your account details and a clear description of your concern.
  3. Step 3 - Our response: we will acknowledge your complaint and aim to provide a substantive response within 30 days. For particularly complex matters, we may need more time, in which case we will inform you of the extension and reasons.

Escalation to Supervisory Authorities

If you remain dissatisfied, you have the right to lodge a complaint with a data protection authority. The relevant authority will depend on your location.

  • United Kingdom: If you are in the UK, you can contact the Information Commissioner's Office (ICO):
    Website: www.ico.org.uk
    Telephone (UK): +44 303 123 1113
    Postal: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.
  • Mexico: If Mexican data protection law applies to you, you may contact the Mexican data protection authority, the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI):
    Website: www.inai.org.mx.
  • European Union/EEA: If you are located in the EU/EEA, you may lodge a complaint with your local data protection authority under the EU GDPR.

For gambling-related disputes concerning game fairness or payouts, you should note that our licence is issued in Curaçao by Antillephone N.V. As an offshore, non-UKGC operator, industry experience suggests that dispute resolution outcomes may differ from those available under UKGC-licensed regimes, and UK services such as IBAS and GamStop are not available for play on merlincas.com. However, this does not limit your statutory privacy rights with data protection authorities as described above.

Updates

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or industry best practices. When we make material changes, we will take appropriate steps to inform you.

Notification of Changes

  • Advance notice: for significant changes that materially affect your rights or how we use your data, we will, where practicable, provide notice at least 30 days before the changes take effect.
  • Communication channels: we may notify you via email, account notifications, on-site messages, or prominent banners on the Website.
  • Continued use: your continued use of merlincas.com and the Merlin Casino services after the effective date of an updated policy will indicate your acceptance of the changes, where permitted by law.

Version Control and Changelog

Last updated: November 2025

Current version: 4.0

Recent material changes include:

  • Clarification of the application of UK GDPR, EU GDPR alignment and references to Mexican data protection principles.
  • Expanded information on international data transfers to Curaçao, Cyprus and other jurisdictions, including safeguards used.
  • Updated descriptions of player rights, retention periods, security measures, and complaint/escalation routes to supervisory authorities.

We encourage you to review this Privacy Policy periodically to stay informed about how we handle your personal data.