Last updated: 14 April 2026
This Privacy Policy explains what personal data Fortunica collects when you use fortunicacasinoo.co.uk, why we collect it, how we use it, and what rights you have under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Fortunica is an independent UK editorial project covering online casino reviews. The data controller for the site is the Fortunica editorial team, contactable at [email protected]. We are an editorial site and not an operator of gambling services — we don't process gambling deposits, hold player accounts, or provide financial services. The supervisory authority for UK data protection is the Information Commissioner's Office (ICO).
We collect minimal personal data, limited to what's necessary to operate the site and improve content. Specifically:
Technical data, automatically. When you visit the site we automatically receive your IP address, browser type and version, operating system and device type, referring URL, pages visited, timestamps, language preference, and screen resolution. This data is logged on our servers for operational and security purposes.
Cookie data. See the Cookie Policy for the full inventory and your control options.
Contact data. When you write to us via any of the editorial inboxes (editorial, partnerships, privacy, legal), we receive your email address, the message content, and any attachments you choose to send. We do not require contact-form submission via the website.
Affiliate click data. We record that an outbound click happened on a casino link, the source page on our site, and an anonymised session identifier. We do not track what you do at the operator's site afterwards — that interaction is between you and the casino.
Data we do not collect. No payment data, no casino account credentials, no copies of identity documents, no gambling history, no health information, no political or religious views, no biometric data. You don't pay us anything to read the site.
Legitimate interest (Art. 6(1)(f)). For technical logs, security, fraud prevention, basic analytics, and the affiliate-click recording that funds the site. Our legitimate interest is operating an independent editorial publication and understanding how readers use our content to improve it. We've performed a Legitimate Interests Assessment that concluded the processing is necessary, proportionate, and balanced against your interests; we can share the assessment summary on request.
Consent (Art. 6(1)(a)). For non-essential cookies and any analytics cookies that go beyond what's strictly necessary. Consent is requested via the cookie banner on first visit, can be withdrawn at any time via the "Cookie Settings" link in the footer, and is recorded for audit purposes.
Contract / pre-contract (Art. 6(1)(b)). For handling editorial and partnership correspondence where you've initiated a discussion that may lead to a working relationship.
Legal obligation (Art. 6(1)(c)). For record retention required by UK tax law (HMRC), advertising regulation (CAP Code archival requirements), or other UK legal obligations applicable to a UK editorial business.
Site operation and security — keeping the service running, protecting against attacks, debugging issues. Analytics — understanding which articles readers find useful so we can prioritise content updates. Editorial improvement — aggregated reading patterns inform the content calendar (we use this to decide which casinos enter the testing queue). Communication — replying to messages sent via the contact addresses. Affiliate accounting — verifying conversions reported by partner programmes.
We never sell personal data. We don't share data with operators or partners for their marketing. We don't combine data across other sites we don't operate. We don't use the data for automated decision-making with significant effects on you, in the sense of UK GDPR Article 22.
Server logs are retained for 90 days then deleted automatically. Analytics data is retained for 14 months in aggregated form. Email correspondence is retained for as long as necessary to handle the matter raised, then archived for up to 24 months and deleted thereafter — this is consistent with our editorial obligation to track corrections back to their original reporters. Cookie data is retained for the period specified per-cookie in the Cookie Policy. Affiliate click records are retained for 6 months for accounting reconciliation, then aggregated and the personal identifier is deleted.
Where retention is required by law (UK tax records under the Companies Act and HMRC requirements typically run 6 years), we retain only the minimum necessary records and segregate them from active editorial systems. If you exercise your right to erasure, we delete the relevant records within 30 days unless retention is required by law, in which case we explain which legal requirement applies.
We use a small number of third-party providers to operate the site. Each provider acts as a data processor under contract and may not use the data for its own purposes:
We don't share personal data with casino operators directly. If you click an affiliate link, the destination operator becomes its own data controller from that point — their privacy policy applies.
Some of our processors are based outside the UK or EEA — Google's Analytics infrastructure has US-based components, and Cloudflare is a US-headquartered company with global infrastructure. Where transfers are necessary, we rely on UK-approved adequacy decisions (where they apply) or on the International Data Transfer Agreement (IDTA) with appropriate supplementary safeguards. Specific transfer mechanisms per processor are available on request via [email protected].
You have the following rights regarding your personal data:
To exercise any of these rights, write to [email protected]. We respond within 30 days as required by UK GDPR. We may ask you to verify identity before sharing personal data, in line with ICO guidance (typically by replying from the email address you originally used to contact us, or by providing a piece of information only the data subject would know.
Fortunica uses HTTPS / TLS encryption across the site (TLS 1.3 where supported, 1.2 minimum). Server access is restricted via key-based authentication, and processor contracts include security clauses requiring appropriate technical and organisational measures consistent with UK GDPR Article 32. Backups are encrypted at rest. Administrative accounts use two-factor authentication. We don't store any data we don't need to operate the site.
No system is perfectly secure, but the data we hold is minimal — there is no payment data, no casino credentials, no copies of identity documents — which materially limits the impact of any incident. In the event of a notifiable personal data breach (UK GDPR Article 33), we would notify the ICO within 72 hours and any affected data subjects without undue delay where the breach is likely to result in high risk to their rights and freedoms.
Fortunica content is intended for adults aged 18 and over, consistent with UK gambling-related advertising rules. We don't knowingly collect personal data from minors. The age threshold for personal data processing in the UK GDPR is 13 (under the UK derogation), but our content audience is 18+ regardless. If you believe a minor has provided personal data through our site, write to [email protected] and we will delete it on confirmation.
This policy is reviewed annually and after any material change to our processing arrangements. Updates are dated at the top of the page. Substantial changes are notified via a banner on the site for 30 days following the update. We don't backdate this page or quietly change retention periods — version history is retained internally and available on request.
For any privacy question or to exercise your rights: [email protected]. To complain to the supervisory authority: Information Commissioner's Office (ICO), ico.org.uk, or call the ICO helpline on 0303 123 1113.
