Privacy Policy
This Privacy Policy explains how Wild Robin (operated via weldrobin.com) collects, uses, shares, and protects personal data. A privacy policy is needed to meet transparency obligations under the UK GDPR and the Data Protection Act 2018, and to help website visitors and players understand their choices and rights.
This Policy applies to (i) visitors to https://weldrobin.com, (ii) registered account holders, and (iii) individuals who communicate with us (for example, through support or compliance checks). It also applies where you access mirror domains associated with the brand that route you to services connected with weldrobin.com (for example, domains used to maintain availability where ISP blocking occurs in the UK).
Effective date: 6 November 2025.
Who We Are
OBSERVE: The available operator data indicates an offshore gambling operator targeting UK players under a Curaçao eGaming sub-licence, and the brand context must be tied to weldrobin.com. The profile notes the managing entity appears to be registered in Willemstad, Curaçao and described as an N.V., but does not provide a full street address, registration number, or named Data Protection Officer (DPO).
EXPAND: UK GDPR requires that we provide clear controller identification and contact routes. Where mandatory legal particulars are not available in the provided dataset, we must (a) disclose what is known, (b) identify the gaps, and (c) provide an operational privacy contact channel and a method to request the missing corporate details. Because the business accepts UK users while not being licensed by the UK Gambling Commission, it is also important to avoid implying UKGC oversight of privacy handling.
REFLECT: For transparency, we provide the best-available controller information below and commit to supplying missing corporate details on request.
- Data controller / Operator (best available): The managing entity is described in our available records as Sherwood Holdings N.V. (legal entity type: N.V.), registered in Willemstad, Curaçao. Full legal address, company registration number, and tax ID are not specified in the available data.
- Gambling licence (regulatory context): Operates under Curaçao eGaming master licence 365/JAZ with sub-licence GLH-OCCHKTW0708172025 (verified as valid as of January 2025; expiry not specified in available data). Not licensed by the UK Gambling Commission (UKGC).
- Websites in scope: Primary domain: https://weldrobin.com. Public links referenced by the service include https://weldrobin.com/terms-and-conditions and https://weldrobin.com/responsible-gaming. Mirror domains identified in our records may include wild-robin-casino.co and wildrobin-wins.com (used to maintain access in the UK), but privacy governance is administered for the weldrobin.com service.
- Data protection contact (DPO / privacy department): No dedicated DPO email/phone is provided in the available data. Until specific details are published, you may submit privacy requests via our site support channels available within your account area on weldrobin.com. If you cannot access your account, use the contact route presented in the site footer/help interface. We will provide written confirmation of the responsible privacy contact on request.
- Payment processing presence: Our records state payment processing (Visa/Mastercard) is handled by a subsidiary in Cyprus (legal name and address not specified in available data).
What Personal Data We Collect
OBSERVE: The service provides online casino functionality (registration, deposits/withdrawals, gameplay, bonus eligibility, compliance checks). This necessarily involves identity/contact data, technical identifiers, payment records, and behavioural data (game and transaction history). The site also uses cookies and similar technologies.
EXPAND: Under UK GDPR, we must describe categories of personal data clearly and include special handling where data may become "special category" or "criminal offence" related. For gambling compliance, we may process identity verification data and fraud/AML screening outcomes (which can be sensitive). Even if we do not intentionally collect special category data, a user may disclose it in support interactions; that possibility must be covered.
REFLECT: We limit collection to what is necessary for defined purposes and explain typical categories below.
- Identity & contact data: Full name, date of birth, username, email address, telephone number (where provided), country of residence, and other registration details needed to operate your account and verify eligibility.
- Verification (KYC) data: Copies or extracts of identity documents, address verification (for example, utility bill), selfie/liveness checks (where used), age-verification results, and notes/outcomes of compliance checks.
- Payment & transaction data: Deposit/withdrawal amounts, dates and times, payment instrument metadata (for example, masked card details, payment method type, BIN/issuer country where provided by processors), chargeback status, wallet/account identifiers from payment providers, and payment risk scoring.
- Gameplay & behavioural data: Betting and gaming history, session duration, game selections, clicks and interactions, bonus usage, responsible gambling interactions (for example, limit settings), and suspected collusion/fraud markers.
- Technical & usage data: IP address, device identifiers, browser type/version, operating system, language settings, time zone, referral URLs, logs, and diagnostic/anti-fraud telemetry.
- Communications data: Messages to support/compliance teams, complaint submissions, call/chat logs where offered, and attachments you provide.
- Cookies & similar technologies: Cookie identifiers, pixels/tags, SDK identifiers (if using mobile web/app wrappers), and consent signals.
- Inferences & profiles (where permitted): Segments for fraud prevention, responsible gambling monitoring, service improvement, and (where you consent) marketing personalisation.
Legal Basis for Processing
OBSERVE: Processing occurs for account creation and operation, payments, fraud prevention, analytics, marketing, and compliance (KYC/AML). UK GDPR requires a lawful basis for each purpose and clearer separation between consent, contract necessity, legal obligation, and legitimate interests.
EXPAND: Gambling operations typically rely on: (i) contract necessity for account and gameplay, (ii) legal obligation for identity checks and record-keeping (depending on applicable laws and licence conditions), (iii) legitimate interests for security and fraud prevention, and (iv) consent for certain cookies and direct marketing (especially ePrivacy/PECR in the UK). We must also note that you can withdraw consent without affecting processing that relies on other lawful bases.
REFLECT: We apply the following legal bases under UK GDPR (and, where relevant, EU GDPR concepts) depending on the activity.
- Performance of a contract: To create and manage your account, provide games and features, process deposits/withdrawals, apply bonuses, and provide customer support connected to the service.
- Legal obligation: To conduct identity/age verification and compliance checks, keep required records, respond to lawful requests from competent authorities, and meet obligations tied to gambling, taxation, or anti-money laundering frameworks that apply to our operations and banking/payment partners.
- Legitimate interests: To secure our systems, prevent fraud/abuse, protect the integrity of games, measure and improve service performance, perform internal reporting, and defend or pursue legal claims. Where we rely on legitimate interests, we balance our interests against your rights and expectations.
- Consent: For non-essential cookies and similar technologies, and for certain direct marketing activities where consent is required. You may withdraw consent at any time via cookie settings (where available) or by opting out of marketing.
Purpose of Processing
OBSERVE: The policy must specify why data is used: service delivery, improvements, marketing, analytics, and fraud prevention.
EXPAND: To be legally robust, each purpose should be concrete and connected to the gambling lifecycle (registration -> verification -> deposits -> gameplay -> withdrawals -> monitoring -> dispute handling). It should also address responsible gambling interactions and enforcement actions (for example, account restrictions), which are highly relevant to an operator targeting UK users.
REFLECT: We use personal data for the following purposes.
- Providing casino services: Registering accounts, enabling login/authentication, delivering games and features, processing deposits and withdrawals, administering bonuses/promotions (per https://weldrobin.com/terms-and-conditions), and maintaining service functionality.
- Compliance and risk management: Performing KYC/age checks, AML/fraud detection, payment risk screening, monitoring suspicious activity, enforcing terms, and protecting customers and the business.
- Customer support and communications: Answering queries, handling complaints, providing operational notices (for example, changes to terms/policy, security notices), and verifying identity when you contact us.
- Service improvement and analytics: Debugging, performance monitoring, product development, statistical analysis, and understanding how users interact with the website.
- Marketing (where permitted): Sending marketing communications and offering personalised promotions where you have consented or where permitted by applicable marketing rules; you can opt out at any time.
- Security and incident management: Preventing unauthorised access, investigating suspicious activity, maintaining logs, and responding to security incidents.
Disclosure & Sharing
OBSERVE: Data may be disclosed to payment partners, service providers, regulators, affiliates, and advertising networks (with consent). The profile also notes payment processing links to Cyprus and licensing oversight in Curaçao. The service targets UK players while outside UKGC jurisdiction, so disclosures must not suggest UKGC supervision.
EXPAND: UK GDPR requires transparency about recipients and categories of recipients, plus safeguards such as contracts (processor terms, confidentiality, security). Advertising/affiliate sharing must be conditioned on consent and cookie controls (PECR). We should also include disclosures for legal claims, corporate restructuring, and fraud networks.
REFLECT: We share personal data only to the extent necessary for the purposes described and subject to appropriate contractual and security controls.
- Payment providers and financial partners: To process deposits/withdrawals, manage chargebacks, and conduct payment risk checks. Our records indicate some payment processing is handled via a subsidiary in Cyprus (details not specified in available data).
- Service providers (processors): Hosting and infrastructure, security monitoring, identity verification/KYC vendors, analytics providers, email delivery, customer support tooling, and fraud-prevention services. These providers process data under contract and instructions where they act as processors.
- Regulators and competent authorities: Where required or permitted by law, we may disclose information to authorities connected to our licensing jurisdiction (Curaçao) and to law enforcement, courts, or other public authorities with valid requests.
- Affiliates and advertising networks: Where you consent to advertising cookies/technologies, certain identifiers and event data may be shared to measure campaign performance and prevent fraud in advertising attribution.
- Professional advisers: Legal, audit, and compliance advisers where necessary for governance, dispute handling, or claims.
- Corporate transactions: If we undergo reorganisation, merger, acquisition, or asset transfer, personal data may be shared with counterparties and advisers subject to confidentiality and lawful processing requirements.
International Transfers
OBSERVE: The data indicates operational ties to Curaçao (registration/licensing) and Cyprus (payment processing), while users are in the UK. This implies international transfers outside the UK. The prompt asks to indicate countries/regions and safeguards such as SCCs and Privacy Shield (noting Privacy Shield is no longer a UK/EU adequacy mechanism).
EXPAND: Under UK GDPR, transfers require an appropriate safeguard (UK International Data Transfer Agreement (IDTA), UK Addendum to EU SCCs, adequacy regulations, or another mechanism), plus transfer risk assessment where applicable. We must avoid incorrectly relying on "Privacy Shield"; instead, we can explain we do not rely on it and use contractual safeguards.
REFLECT: We describe typical transfer destinations and the protection measures used.
- Where data may be transferred: The UK, Curaçao (operator/licensing-related administration), Cyprus (payment processing arrangements), and other jurisdictions where our vetted service providers or their sub-processors operate (for example, data centres in the EEA/US depending on vendor configuration).
- Safeguards used: Where UK adequacy regulations do not apply, we implement appropriate safeguards such as the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses, together with technical and organisational measures (for example, encryption, access controls, minimisation).
- Important note on "Privacy Shield": We do not rely on the EU-US or Swiss-US Privacy Shield frameworks for UK GDPR compliance, as those mechanisms are not recognised as adequate safeguards for UK/EU transfers.
- Your options: You may request further information about transfer safeguards by contacting us via the privacy request route described in the "Complaints & Contacts" section.
Data Retention
OBSERVE: The policy must specify retention periods by category and criteria for deletion, including "no more than 5 years after account closure" as an example. Gambling and payment records often require longer retention depending on legal obligations and dispute windows.
EXPAND: A compliant approach is to (i) define retention principles, (ii) provide category-level timeframes, and (iii) explain that some data may be retained longer for legal claims, AML, and fraud prevention. We must also align deletion with purpose limitation and legal holds.
REFLECT: We retain data only for as long as necessary for the purposes described, unless a longer period is required or justified by law, regulatory expectations, or for the establishment/exercise/defence of legal claims.
- Account profile data: Typically retained for the life of the account and then up to 5 years after account closure, unless extended due to legal obligations, disputes, or risk investigations.
- KYC/verification records: Typically retained up to 5 years after completion of checks or account closure (whichever is later), subject to applicable AML/legal requirements and ongoing investigations.
- Payment and transaction records: Typically retained up to 7 years to meet accounting, audit, chargeback, and financial compliance requirements (timeframe may vary by payment partner and applicable law).
- Gameplay and behavioural records: Typically retained up to 5 years after account closure for integrity monitoring, dispute handling, and regulatory/compliance needs.
- Technical logs and security events: Typically retained from 90 days to 12 months depending on log type and security relevance; longer where needed for incident investigation or legal claims.
- Marketing preferences and consent logs: Retained while marketing is active and for up to an additional 5 years to demonstrate compliance and honour opt-out history.
Deletion criteria: We delete or anonymise data when (i) the purpose has been fulfilled, (ii) retention periods expire, (iii) you withdraw consent (for consent-based processing) and no other lawful basis applies, or (iv) you make a valid erasure request and we are not required to retain the data for legal/compliance reasons. Where deletion is not possible (for example, backups), we isolate and protect the data until deletion is feasible.
Your Rights
OBSERVE: The prompt requires detailed GDPR rights and "Mexican privacy law alignment," including procedures, 30-day timeframe, and free-of-charge guarantees, and references to Mexican regulations. The site is UK-targeted, but we can provide an additional reference for users in Mexico (or where Mexican law could be relevant) without adding extra sections.
EXPAND: Under UK GDPR, users have rights (access, rectification, erasure, restriction, portability, objection, automated decision-making safeguards, withdrawal of consent). We must describe how to exercise them, identity verification, response time (one month/30 days), extension rules, and fees (generally free). For Mexico, the core framework is the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations, providing ARCO rights (Access, Rectification, Cancellation, Opposition). We should reconcile both: present UK GDPR rights and note ARCO equivalence where applicable.
REFLECT: We provide a single rights process that meets UK GDPR standards and is broadly aligned with ARCO rights under Mexican privacy law.
- Right of access: You can request confirmation of whether we process your data and obtain a copy of your personal data, along with required supplementary information.
- Right to rectification: You can request correction of inaccurate data and completion of incomplete data.
- Right to erasure ("right to be forgotten"): You can request deletion of personal data where applicable (for example, where data is no longer necessary or consent is withdrawn). This is not absolute; we may retain data where required for compliance (for example, KYC/AML), fraud prevention, or legal claims.
- Right to restriction: You can request that we limit processing (for example, while a dispute about accuracy is resolved).
- Right to object: You can object to processing based on legitimate interests. You also have the right to object to direct marketing at any time (we will stop).
- Right to data portability: Where processing is based on consent or contract and carried out by automated means, you can request a portable copy in a commonly used format, where technically feasible.
- Right to withdraw consent: Where processing relies on consent (for example, certain cookies/marketing), you can withdraw at any time without affecting processing already carried out.
- Automated decision-making: Where we use automated systems for fraud/risk screening, you can request meaningful information about the logic involved and challenge outcomes where applicable, subject to security and anti-fraud constraints.
How to Exercise Your Rights (Procedure)
- Submit a request: Use the privacy/contact route available within your account on weldrobin.com. If you cannot access your account, use the contact pathway shown in the website help/footer interface and clearly mark your message as a "Privacy Request".
- Identify yourself: To protect your account and prevent fraud, we may request information to verify your identity (for example, confirming account details or requesting documentation proportionate to the request).
- Scope your request: Tell us which right you want to exercise and which data/processing activity you are concerned about (for example, marketing emails, cookies, account profile).
- Response timeframe: We aim to respond within 30 days. If a request is complex or numerous, we may extend the period in line with UK GDPR and will notify you with reasons.
- Fees: Requests are generally handled free of charge. We may charge a reasonable fee or refuse a request only where permitted by law (for example, manifestly unfounded or excessive requests), and we will explain our decision.
Mexican law alignment (ARCO rights): If you are located in Mexico or your request is assessed under Mexican privacy principles, you may exercise ARCO rights, namely Acceso (Access), Rectificación (Rectification), Cancelación (Cancellation/Erasure), and Oposición (Opposition), under the LFPDPPP and its Regulations. We apply materially similar steps and timeframes to ensure consistent protection, subject to legal retention duties.
Cookies & Tracking Technologies
OBSERVE: The site uses cookies and similar technologies; the policy must list cookie types (session, persistent, third-party), purposes (functional, analytics, advertising), and how to manage them (browser settings, internal panel).
EXPAND: In the UK, cookie use is governed by PECR alongside UK GDPR. Non-essential cookies generally require consent. We should describe categories and consent management, including withdrawal.
REFLECT: We use cookies and similar technologies to operate, secure, and improve weldrobin.com, and (with your consent where required) for analytics and advertising.
- Session cookies: Temporary cookies that expire when you close your browser. Used for core site functions such as authentication and session continuity.
- Persistent cookies: Remain on your device for a set period or until deleted. Used to remember preferences (for example, language) and support security and fraud-prevention controls.
- Third-party cookies/technologies: Set by service providers (for example, analytics or advertising partners) to measure performance and attribute marketing; used only where consent is required and obtained.
Cookie Purposes
- Strictly necessary / functional: Enable website operation, account login, fraud prevention, and security controls. These are generally required to provide the service.
- Analytics: Help us understand site usage, diagnose issues, and improve performance (typically consent-based where required).
- Advertising / targeting: Used to deliver and measure marketing and prevent affiliate/ad fraud (consent-based where required).
How to Manage Cookies
- On-site controls: Use the cookie consent banner or cookie settings interface (where presented) to accept, reject, or customise non-essential cookies and to withdraw consent later.
- Browser settings: You can block or delete cookies using your browser settings. Note that blocking strictly necessary cookies may impair site functionality, including login and payments.
Data Security
OBSERVE: The prompt requires comprehensive measures: TLS 1.2+, encryption at rest/in transit, MFA, access controls, audits, training, incident response, and reference to ISO 27001/SOC 2 "where applicable." We must avoid falsely claiming certification; we can state "aligned with" or "where applicable/where adopted."
EXPAND: UK GDPR requires "appropriate technical and organisational measures" (Article 32). For a gambling operator, this includes strong authentication, fraud monitoring, segregation of duties, logging, least privilege, vendor risk management, and breach response (including notification obligations where applicable). Because the profile data does not confirm certifications, we should describe a security programme without asserting formal certification.
REFLECT: We implement layered security controls proportionate to risk and continuously review them.
- Encryption in transit: We use TLS 1.2 or higher to protect data transmitted between your device and our systems.
- Encryption at rest: Where appropriate, we encrypt stored data and apply key-management controls to reduce unauthorised access risk.
- Access controls: Role-based access, least-privilege permissions, strong password policies, and monitored administrative access to sensitive systems.
- Multi-factor authentication (MFA): MFA is used for privileged/admin access and may be used for additional player account protection where available.
- Security monitoring & logging: Centralised logging, anomaly detection, anti-fraud tooling, and alerting to identify suspicious activity.
- Testing and audits: Regular vulnerability management, patching processes, and security assessments. Where third parties are used, we assess their security posture and contractual commitments.
- Staff training: Security and privacy awareness training for personnel, including phishing resistance and data handling requirements.
- Incident response: Documented incident response procedures, containment and remediation steps, and escalation workflows. Where a personal data breach is likely to result in risk to individuals, we will assess notification obligations under applicable data protection law.
- Standards alignment: Our controls are designed to be aligned with widely recognised information security frameworks (for example, ISO/IEC 27001 and SOC 2 principles) where applicable to our vendors and internal programme; this statement does not imply that we hold a specific certification unless expressly stated elsewhere on weldrobin.com.
Complaints & Contacts
OBSERVE: The prompt asks for DPO contact details (email/phone), forms, postal address, step-by-step complaint procedure with response times, and escalation to supervisory authorities including Mexican authority and EU authorities, with direct contact information. The provided data contains no email/phone/postal address. We must be transparent about missing details and still provide an actionable process and authority escalation information.
EXPAND: Under UK GDPR, users should be told they can complain to the UK Information Commissioner's Office (ICO). Even though the operator is offshore, UK users can still contact the ICO regarding UK GDPR concerns. For Mexico, the authority is INAI. For the EU, users may contact their local supervisory authority (EDPB list). We must include direct web contact points and describe internal handling timelines (acknowledgement, investigation, resolution).
REFLECT: We provide internal channels first, then escalation options if you remain dissatisfied.
How to Contact Us About Privacy
- Primary route (account holders): Submit a ticket/message from within your account area on weldrobin.com and label it "Privacy Request / Complaint".
- If you cannot access your account: Use the contact method displayed in the help/footer interface on https://weldrobin.com.
- DPO / dedicated privacy email and phone: Not provided in the available data for Wild Robin. If you request it, we will provide the current designated privacy contact details in our reply.
- Postal address for privacy correspondence: Not specified in the available data. Where a postal address is required for your request, we will provide it upon verification and in our response.
Complaint Handling Procedure
- Step 1 - Submit: Send your complaint with relevant details (account identifier, dates, and what outcome you seek).
- Step 2 - Acknowledgement: We aim to acknowledge receipt within 7 days.
- Step 3 - Investigation: We review account records, technical logs, and vendor processing where relevant, applying minimisation and access controls.
- Step 4 - Response: We aim to provide a substantive response within 30 days. If additional time is required due to complexity, we will explain the reason and expected timeline.
- Step 5 - Resolution/escalation: If you disagree with our outcome, you may request an internal review and/or escalate to an appropriate supervisory authority (details below).
Escalation to Supervisory Authorities
- United Kingdom (ICO): Information Commissioner's Office - website: https://ico.org.uk/make-a-complaint/
- Mexico (INAI): Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales - website: https://www.inai.org.mx/
- European Union (local authority): If EU GDPR authorities are relevant to your situation, you may contact your local supervisory authority. A directory is available via the European Data Protection Board: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en
Important jurisdiction note: Wild Robin is not licensed by the UK Gambling Commission. Privacy complaints are handled under data protection frameworks (for example, UK GDPR) via the channels above; gambling-dispute schemes associated with UKGC licensing may not apply.
Updates
OBSERVE: The policy must explain how updates are notified (email, banner, dashboard), include "Last updated: " with versioning and changelog of material changes, specify advance notice periods (minimum 30 days) and options to object or close accounts. We have a last_updated date: 2025-11-06.
EXPAND: Material changes should be defined (new purposes, new recipients, new transfer locations, reduction of rights). Notice should be meaningful and recorded. Users should have the option to stop using the service and close their account if they object, subject to outstanding obligations.
REFLECT: We implement controlled updates with transparent notice and user choice.
Last updated: November 2025 (v1.0).
How We Notify You of Changes
- Email notice: Where we have your email and the change is material, we may notify you by email at the address associated with your weldrobin.com account.
- Website banner: We may display a banner or pop-up on weldrobin.com highlighting key changes.
- Account dashboard alerts: We may display an in-account notification when you log in.
Advance Notice and Your Options
- Significant/material changes: We will provide at least 30 days' advance notice where feasible (for example, new data uses, new sharing categories, or new international transfer locations).
- Your options: If you object to a material change, you may (i) adjust your preferences (for example, marketing/cookies), (ii) submit a privacy objection request, and/or (iii) close your account and discontinue use of the service, subject to necessary retention for compliance and outstanding transactions.
Changelog (Material Changes)
- v1.0 (November 2025): Initial publication for Wild Robin on weldrobin.com, including transparency on offshore licensing context (Curaçao eGaming sub-licence GLH-OCCHKTW0708172025), international transfer safeguards (UK IDTA/UK Addendum), and rights/complaints procedures with UK ICO and Mexico INAI references.