burger icon
Play Uk United Kingdom
Log In

Privacy Policy

This Privacy Policy explains how Play, in connection with the website play-uk.com (the "Website"), collects, uses, discloses and protects your personal data when you visit the Website, create an account, play games or otherwise interact with us. It applies to all Website visitors and registered players located in the United Kingdom and any other permitted jurisdictions. This Privacy Policy is effective from 1 January 2026 and replaces all previous versions. For information on how and when we may update this Privacy Policy, please see the "Updates" section below.

OBSERVE: we describe who is covered and from when this Policy applies. EXPAND: we clarify that it applies to visitors and players using play-uk.com under the Play project. REFLECT: by using the Website after the effective date you acknowledge this Privacy Policy.

Who We Are

OBSERVE: this section identifies the legal operator responsible for your data. EXPAND: it explains corporate, licensing and contact details. REFLECT: you can use these details to exercise your rights or raise any privacy concerns.

The Website play-uk.com associated with the project identifier Play is operated as a white-label online casino brand ("Play" or "PlayUK") on the Grace Media platform.

The data controller for players in the United Kingdom is:

  • Legal entity: Grace Media (Gibraltar) Limited
  • Registered / legal address: Suite 7, Hadfield House, Library Street, Gibraltar, GX11 1AA
  • Jurisdiction: Gibraltar, operating in the United Kingdom under UK Gambling Commission remote licence number 57869

Grace Media (Gibraltar) Limited operates PlayUK for UK customers under the oversight of the UK Gambling Commission, licence number 57869 (see the public register entry for confirmation).

Data Protection Contact / DPO:

  • Email: support@play-uk.com (please include "Data Protection" or "Privacy" in the subject line)
  • Postal contact for privacy matters: Data Protection Officer, Grace Media (Gibraltar) Limited, Suite 7, Hadfield House, Library Street, Gibraltar, GX11 1AA
  • Online contact: 24/7 live chat via the Website (bot-first via chatbot "Grace", with escalation to a human agent)

There is currently no telephone support number available; all customer and privacy enquiries should be submitted via email or live chat in the first instance.

What Personal Data We Collect

OBSERVE: we set out the categories of information we collect about you. EXPAND: this includes data you provide, data generated by your use of the Website and data from third parties. REFLECT: understanding these categories helps you assess how and why your data is processed.

Identity and Contact Data

  • Registration and profile details: full name, date of birth, gender (if provided), residential address, nationality, username, password, security questions and answers.
  • Contact details: email address (for example support@play-uk.com for our communications to you), alternative contact emails you provide, mobile and landline phone numbers if requested, preferred language and communication preferences.
  • Verification data: copies or data extracted from identity documents (passport, ID card, driving licence), proof of address (utility bills, bank statements) and other Know Your Customer (KYC) documents used to verify identity and age.

Technical and Device Data

  • Technical identifiers: IP address, device identifiers, browser type and version, operating system, time zone settings, language settings and approximate location based on IP address.
  • Device and session data: information about the devices you use to access the Website (desktop, mobile, tablet), session start and end times, pages visited, links clicked, game loading times, and error logs.
  • Log information: server logs recording interactions with our systems, security logs, login attempts, authentication logs and access control records.

Financial and Transaction Data

  • Payment details: limited payment card or account details (such as card type and the last few digits of your card number) as provided to us or our payment processors, e-wallet identifiers, bank account identifiers where needed for withdrawals, and billing address.
  • Transaction history: deposits, withdrawals, bonus redemptions, chargebacks, refunds and other payment-related transactions associated with your player account.
  • Anti-fraud and AML data: results of payment risk checks, sanctions list screening, politically exposed person (PEP) checks and suspicious activity monitoring data, as required by applicable anti-money laundering (AML) and counter-terrorist financing laws.

Behavioural and Usage Data

  • Gaming activity: game selections, stakes, wins and losses, betting history, duration and frequency of play, bonus use, session times and responsible gambling interactions (for example, self-exclusion, deposit limits, reality checks).
  • Website interactions: clickstream data, navigation paths, interaction with banners and offers, response to marketing communications and in-site messages.
  • Support interactions: transcripts or summaries of live chat conversations with our support team or chatbot "Grace", email correspondence, complaints, and other communications.

Cookies and Similar Technologies

  • Cookie identifiers: unique IDs stored in cookies or similar tracking technologies associated with your browser or device.
  • Analytics and performance data: aggregated statistics on how you use the Website, including from third-party analytics providers.
  • Advertising and attribution data: information about the source of your visit (for example, affiliate links, campaigns or advertisements) and performance of our marketing activities.

Where permitted by law, we may combine information from different sources (for example, from payment partners, verification providers and public registers) to ensure the accuracy of your data, comply with regulatory obligations and protect the integrity of our services.

Legal Basis for Processing

OBSERVE: this section explains the legal grounds under which we process your personal data. EXPAND: it links specific processing activities to those legal bases under the UK GDPR and related laws. REFLECT: this helps you understand when we rely on consent, contractual necessity, legal obligations or legitimate interests.

We process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and, where applicable, the EU GDPR and other regional laws. Depending on the specific processing activity, we rely on one or more of the following legal bases:

  • Performance of a contract: we process data that is strictly necessary to:
    • create and manage your player account on play-uk.com,
    • verify your age and eligibility to use our gambling services,
    • process deposits, bets, game play and withdrawals,
    • provide customer support, handle complaints and manage your account settings.
  • Compliance with legal obligations: we process your data when required to:
    • comply with AML, counter-terrorist financing and fraud prevention laws,
    • satisfy UK Gambling Commission regulatory requirements, including responsible gambling obligations,
    • maintain records for tax, accounting and regulatory reporting,
    • respond to lawful requests from courts, regulators and law-enforcement authorities.
  • Legitimate interests: we process data where necessary for our legitimate business interests, provided your interests and fundamental rights do not override those interests. This includes:
    • monitoring and improving the Website's performance and security,
    • preventing abuse, cheating, fraud and other prohibited conduct,
    • protecting the integrity of our games and systems,
    • performing analytics and statistics to understand how our services are used,
    • defending or establishing legal claims.
  • Consent: where we rely on your consent, we will clearly ask for it in advance. This typically applies to:
    • sending you electronic marketing communications (such as promotional emails or SMS),
    • using certain non-essential cookies or similar technologies for analytics and advertising,
    • sharing data with certain third-party marketing or advertising partners where this is not otherwise justified by another legal basis.

You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Where we rely on legitimate interests, you have the right to object as described in the "Your Rights" section.

Purpose of Processing

OBSERVE: we outline why we collect and use your personal data. EXPAND: we connect each purpose to our services and obligations. REFLECT: this enables you to assess whether our use of your data is proportionate and expected.

We process your personal data for the following purposes:

  • Providing and operating our gambling services: to register your account, verify age and identity, allow you to deposit, play and withdraw, manage your balance, apply bonuses in line with our bonus policy, and provide a secure gaming environment.
  • Customer support and communication: to respond to your enquiries via email or live chat, investigate and resolve complaints or disputes (including with the appointed ADR provider, IBAS), and send you service-related messages such as account notices, transactional confirmations or security alerts.
  • Regulatory compliance and responsible gambling: to meet our obligations under the UK Gambling Commission licence, including monitoring for problematic gambling patterns, offering self-exclusion and limits, and complying with AML, fraud prevention and record-keeping requirements.
  • Improvement and optimisation of our services: to analyse performance, fix bugs, develop new features, enhance user experience, improve game selection and tailor content on the Website.
  • Marketing and promotions: with your consent or where permitted by law, to send you promotional offers, newsletters and tailored recommendations, including via email or on-site messages, and to measure the effectiveness of those campaigns.
  • Analytics and statistics: to conduct aggregated or anonymised analysis of how players use the Website, helping us understand trends and optimise our products and marketing spend.
  • Security and fraud prevention: to authenticate users, prevent unauthorised access, detect and investigate fraud or misuse, protect our systems, and safeguard the integrity of games and player accounts.
  • Legal and business purposes: to establish, exercise or defend legal claims, respond to legal processes or regulatory enquiries, and support corporate transactions such as restructuring or transfer of operations, subject to appropriate safeguards.

Disclosure & Sharing

OBSERVE: we identify the categories of recipients who may receive your personal data. EXPAND: we explain the reasons for sharing and the safeguards applied. REFLECT: this helps you understand when your data leaves our direct control and how it remains protected.

We do not sell your personal data. We may, however, share it with the following categories of recipients, strictly on a need-to-know basis and subject to appropriate contractual and security safeguards:

  • Group and platform companies: entities involved in the operation of the PlayUK brand and the Grace Media white-label platform, supporting technology infrastructure, payment processing, customer support and compliance functions.
  • Payment service providers and banks: financial institutions, card schemes, e-wallet providers and other payment processors that enable deposits, withdrawals and other payment transactions.
  • Verification, fraud prevention and AML service providers: identity verification agencies, credit reference agencies, sanctions and PEP screening providers, fraud and risk management vendors and other due diligence partners used to comply with legal and regulatory obligations.
  • Technical and operational service providers: hosting providers, data centres, IT support, security monitoring providers, analytics and performance monitoring services, email and messaging platforms, and customer support tools (including chatbot providers).
  • Regulators and authorities: the UK Gambling Commission, financial and law-enforcement authorities, tax authorities, courts and dispute resolution bodies where required by law or regulation, or where necessary to protect our rights, players or others.
  • ADR and dispute resolution bodies: the Independent Betting Adjudication Service (IBAS) or any other appointed Alternative Dispute Resolution (ADR) provider that may handle disputes between you and us.
  • Affiliates and marketing partners: where you access play-uk.com via an affiliate or marketing partner, we may share limited information necessary to attribute traffic and confirm eligibility for commissions or bonuses. Marketing or advertising networks may receive data only where permitted by law and usually with your consent for non-essential cookies.
  • Professional advisers: lawyers, auditors, accountants, consultants and similar professionals who provide services to us and are subject to confidentiality obligations.
  • Corporate transactions: in connection with a merger, acquisition, sale of assets, restructuring or similar transaction involving Grace Media (Gibraltar) Limited or the PlayUK business, your data may be transferred to prospective or actual purchasers, subject to continued protection under this Privacy Policy or an equivalent policy.

Where we engage third parties as data processors, they may process your personal data only in accordance with our documented instructions, for the purposes described in this Privacy Policy, and under strict contractual and security safeguards.

International Transfers

OBSERVE: we explain where your data may be processed geographically. EXPAND: we outline safeguards for transfers outside the UK and EEA. REFLECT: this allows you to understand how your data remains protected even when processed abroad.

Your personal data is primarily processed within the United Kingdom, Gibraltar and the European Economic Area (EEA), where many of our core systems and service providers are located. However, some of our service providers or their sub-processors may be located in countries outside the UK and EEA, which may have different data protection standards.

Whenever we transfer your personal data outside the UK or EEA, we ensure that an adequate level of protection is in place by using one or more of the following safeguards:

  • transfers to countries that have been formally recognised as providing an adequate level of data protection by the UK government or the European Commission,
  • use of Standard Contractual Clauses (and, where relevant, the UK Addendum or International Data Transfer Agreement) approved by the UK Information Commissioner's Office or the European Commission,
  • implementation of additional technical and organisational measures, such as encryption in transit and at rest, strict access controls and data minimisation,
  • in limited cases, reliance on specific derogations allowed by law (for example, where the transfer is necessary for the performance of a contract with you).

Where transfers involve service providers in countries that participate in frameworks such as the EU - US Data Privacy Framework or its UK extension, we will also consider those certifications when assessing adequacy. If you would like more information about international transfers or copies of relevant safeguards, you may contact us using the details in the "Complaints & Contacts" section.

Data Retention

OBSERVE: we describe how long we keep your personal data. EXPAND: retention periods depend on legal requirements and business needs. REFLECT: this gives you visibility over how long your data remains identifiable and when it is deleted or anonymised.

We retain your personal data only for as long as necessary for the purposes described in this Privacy Policy, including to meet legal, regulatory, accounting and reporting obligations. The specific retention period may vary depending on the type of data and applicable laws, but we generally apply the following principles:

  • Player account data: identity, contact, KYC and core account records are typically retained for the duration of your relationship with us and for up to 5 years after your account is closed, in line with UK AML and regulatory requirements, unless a longer period is required for legal reasons.
  • Transaction and financial records: payment and gaming transaction history is retained for at least 5 years after the relevant transaction or account closure, to comply with financial, tax and AML obligations.
  • Responsible gambling and compliance data: self-exclusion records, limit settings and related logs may be retained for the duration of any limitation and for a further period required by UK Gambling Commission rules and AML guidance.
  • Customer support records: communications with customer support (including live chat transcripts) and complaint files are generally retained for up to 6 years from the date of the last interaction, to allow us to respond to queries, resolve disputes and demonstrate compliance.
  • Marketing data: information about your marketing preferences and consent is kept for as long as you remain opted-in, and for a reasonable period afterwards to demonstrate when and how consent was obtained or withdrawn. If you unsubscribe, we retain only the minimum information necessary to respect your opt-out.
  • Cookies and tracking technologies: cookie data is retained in line with the lifespan of each cookie (see the "Cookies & Tracking Technologies" section), which typically ranges from the end of your session to up to 2 years, unless you delete cookies earlier via your browser settings.

When personal data is no longer required for the purposes for which it was collected, and no longer required to meet legal or regulatory obligations, we will either securely delete it or irreversibly anonymise it so it can no longer be associated with you. In some cases, we may aggregate and anonymise data for statistical or analytical purposes; such data is no longer considered personal data.

Your Rights

OBSERVE: we set out the rights you have over your personal data. EXPAND: we explain how these rights operate under the UK GDPR, EU GDPR and, where applicable, Mexican privacy law. REFLECT: we describe how you can exercise your rights, timeframes and cost conditions.

Depending on your location and subject to legal limitations, you have the following rights regarding your personal data:

  • Right of access: to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of that data along with information about how it is used.
  • Right to rectification: to have inaccurate or incomplete personal data corrected or updated. You can update certain details directly via your account settings.
  • Right to erasure ("right to be forgotten"): to request deletion of your personal data where there is no compelling reason for us to continue processing it, for example where the data is no longer necessary, you have withdrawn consent, or processing is unlawful. This right may be limited where we must retain data to comply with legal obligations (for example, AML or regulatory record-keeping).
  • Right to restriction of processing: to request that we suspend processing of your data in certain circumstances, such as while we verify its accuracy or consider an objection you have raised.
  • Right to object: to object to processing based on our legitimate interests, including profiling on that basis. We will then stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or we need the data to establish, exercise or defend legal claims.
  • Right to object to marketing: you may at any time object to the processing of your personal data for direct marketing, including profiling related to such marketing. We will stop direct marketing as soon as reasonably practicable.
  • Right to data portability: where processing is based on consent or a contract and carried out by automated means, you may request to receive your personal data in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible.
  • Right to withdraw consent: where processing relies on your consent (for example, marketing communications or certain cookies), you can withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Rights under Mexican privacy law (where applicable): if you are located in Mexico and we process your data in the context of offering services there, you may have rights under the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), which broadly align with the GDPR and include ARCO rights (access, rectification, cancellation and opposition). These rights can generally be exercised through the same channels described below.

How to Exercise Your Rights

  • Submission of requests: you can exercise your rights by contacting us via email at support@play-uk.com (using "Data Protection Request" in the subject line), via live chat on the Website, or by writing to our postal address identified in the "Who We Are" section.
  • Proof of identity: to protect your data, we may need to verify your identity before fulfilling your request, which may require additional information or documentation.
  • Timeframe: we aim to respond to all valid requests within one month (30 days) of receipt. If your request is particularly complex or we receive numerous requests, we may extend this period by up to a further two months, in which case we will inform you of the extension and reasons for the delay.
  • Fees: requests are normally handled free of charge. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, particularly because of their repetitive character.
  • Restrictions: some rights may be limited by legal obligations, regulatory requirements, or the rights and freedoms of others. If we cannot fully comply with your request, we will explain the reasons.

Cookies & Tracking Technologies

OBSERVE: we describe how cookies and similar technologies are used on play-uk.com. EXPAND: we distinguish between types, purposes and management options. REFLECT: this enables you to control non-essential tracking in line with your preferences.

Cookies are small text files placed on your device when you visit the Website. We also use similar technologies such as pixels, tags and local storage. These technologies help us operate and improve play-uk.com, remember your preferences and tailor content.

Types of Cookies We Use

  • Strictly necessary (session) cookies: essential cookies that enable core functions such as page navigation, secure login, session management and access to secure areas of the Website. The Website cannot function properly without these cookies. They are usually session-based and expire when you close your browser.
  • Functional (persistent) cookies: cookies that remember your preferences (such as language, saved details where permitted, and custom settings) to provide a more personalised experience. They may remain on your device for a defined period (for example, several months) or until manually deleted.
  • Analytics and performance cookies: first- or third-party cookies used to collect aggregated information about how visitors use the Website, such as which pages are visited most often, error messages, and general usage patterns. This helps us improve performance and usability.
  • Advertising and targeting cookies: cookies used, where permitted by law and with your consent, to deliver relevant advertisements, measure the effectiveness of marketing campaigns, track conversions and limit the number of times you see a particular advert. These may be set by us or by approved advertising networks and affiliates.

Managing Cookies

  • On-site controls: when you first visit play-uk.com (and periodically thereafter), you may be presented with a cookie banner or preference centre, allowing you to accept or reject non-essential cookies and to change your preferences at any time.
  • Browser settings: most web browsers allow you to manage cookies, including blocking or deleting them. Please refer to your browser's help section for instructions. If you block or delete cookies, some features of the Website may not function as intended.
  • Do Not Track: while we respect browser privacy features, our systems may not currently respond to Do Not Track signals in a consistent manner due to the absence of a uniform industry standard.

For more detailed information about specific cookies used on play-uk.com, their purposes and lifespans, you may refer to any dedicated cookie information provided in the Website interface or contact us using the details below.

Data Security

OBSERVE: we outline the measures we take to protect your personal data. EXPAND: these cover technical, organisational and procedural safeguards. REFLECT: this demonstrates our commitment to security while acknowledging that no system is completely risk-free.

We implement appropriate technical and organisational measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include, among others:

  • Encryption: use of industry-standard encryption (such as TLS 1.2+) to protect data in transit between your device and our servers, and encryption of sensitive data at rest where appropriate.
  • Access controls: strict access control policies ensuring that only authorised personnel with a legitimate business need can access personal data, enforced through role-based access controls, authentication mechanisms and logging.
  • Authentication and account security: mechanisms to protect player accounts, including strong password requirements, secure login processes and monitoring for unusual or suspicious login activity. Where feasible, we may support or require additional authentication measures for certain actions.
  • Network and system security: firewalls, intrusion detection and prevention systems, anti-malware tools, regular patching and configuration management, and other measures designed to protect our IT environment.
  • Regular testing and audits: ongoing monitoring, internal reviews and, where appropriate, independent security assessments to evaluate the effectiveness of our controls and identify areas for improvement.
  • Staff training and awareness: training programmes and policies to ensure that employees and contractors understand their responsibilities regarding data protection, confidentiality and secure handling of personal data.
  • Incident response: documented procedures for identifying, reporting and responding to personal data breaches or security incidents, including, where required by law, notifying the relevant supervisory authorities and affected individuals within applicable timeframes.

While we strive to protect your personal data, no internet-based service can be entirely secure. You are responsible for keeping your login credentials confidential and for notifying us immediately if you suspect any unauthorised use of your account.

Complaints & Contacts

OBSERVE: we explain how you can contact us and lodge complaints. EXPAND: we set out our internal procedure and escalation routes to supervisory authorities. REFLECT: this provides you with clear, step-by-step options to seek redress.

Contacting Us

  • Email (primary): support@play-uk.com
  • Live chat: 24/7 live chat via the Website, initially handled by chatbot "Grace" with escalation to a human agent where appropriate.
  • Postal mail: Data Protection Officer, Grace Media (Gibraltar) Limited, Suite 7, Hadfield House, Library Street, Gibraltar, GX11 1AA.

Internal Complaint Procedure

  1. Step 1 - Initial contact: if you have any questions or concerns about this Privacy Policy or how your personal data is processed, please contact us via email or live chat. Provide as much detail as possible, including relevant account information and any supporting documentation.
  2. Step 2 - Investigation: we will acknowledge receipt of your complaint and investigate it. Where appropriate, the matter will be escalated to our Data Protection Officer or specialised team.
  3. Step 3 - Response: we aim to provide a substantive response within 30 days of receiving your complaint or request. If more time is needed due to complexity, we will inform you of the delay and provide an updated timeframe.
  4. Step 4 - Resolution: if you are not satisfied with our response, you may request further clarification, provide additional information, or escalate the matter as described below.

Escalation to Supervisory Authorities

  • United Kingdom: if you are located in the UK or your issue relates to processing under the UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). You can find contact details and guidance at www.ico.org.uk.
  • European Economic Area: if you are located in the EEA, you may have the right to lodge a complaint with your local data protection authority or the authority of the EU Member State where you work or where the alleged infringement occurred.
  • Mexico (where applicable): if you are located in Mexico and your data is processed in a manner subject to Mexican privacy law, you may have the right to complain to the National Institute for Transparency, Access to Information and Personal Data Protection (INAI), the authority responsible for enforcing the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP).

We encourage you to contact us first so we can attempt to resolve your concerns directly. Your right to contact a supervisory authority exists regardless of whether you have exhausted our internal process.

Updates

OBSERVE: we clarify how and when this Privacy Policy may change. EXPAND: we describe notification mechanisms and notice periods. REFLECT: this ensures you can make informed decisions about continued use of play-uk.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, regulatory guidance or technical developments affecting play-uk.com and the Play project.

  • Notification of changes: material changes will be communicated via prominent notices on the Website (for example, banners or pop-ups), email notifications to your registered address where appropriate, and/or messages in your account dashboard.
  • Advance notice: where a change materially affects your rights or the way we use your personal data, and where feasible, we will provide at least 30 days' notice before the change takes effect, allowing you time to review the updated terms.
  • Your options: if you do not agree with the updated Privacy Policy, you may choose to stop using the Website and request closure of your player account. Continued use of play-uk.com after the effective date of an updated Privacy Policy will constitute your acknowledgement of the changes.
  • Version control: we will indicate the effective date and, where relevant, summarise material changes. You should review this Privacy Policy periodically to stay informed of how we protect your personal data.

Last updated: January 2026.