Privacy Policy
This privacy policy explains how personal data is collected, used, disclosed and protected when you access or use the Rainbow Riches Casino services made available through https://rainbowrichas.com (including the Rainbow Riches Casino profile) and any related products, features or communications. It applies to players, prospective players, website visitors and any person who contacts us about our services. By using the site, you acknowledge that your personal data will be processed in accordance with this policy. Effective date: 1 January 2026.
Who We Are
OBSERVE: To identify who is responsible for your data, we clarify our corporate and regulatory structure.
EXPAND: The Rainbow Riches Casino services promoted through https://rainbowrichas.com are operated on the Gamesys network under strict regulatory oversight.
REFLECT: This section explains the legal entities, licensing and how to contact our privacy team.
The online gaming services associated with the Rainbow Riches Casino profile on this site are provided by Gamesys Operations Limited (the "operator", "we", "us" or "our"), which forms part of Bally's Corporation. Gamesys Operations Limited is a licensed remote gambling operator.
- Operating company: Gamesys Operations Limited
- Parent company: Bally's Corporation
- Primary UK licence: United Kingdom Gambling Commission (UKGC), licence number 38905 - details available on the public register at https://gamblingcommission.gov.uk/public-register/business/detail/38905
- Additional licence: Gibraltar Gambling Commissioner, licence reference RGL No. 46 (primarily for players outside the UK)
Gamesys Operations Limited's registered and contact addresses, company registration number and other corporate details are published from time to time on the Rainbow Riches Casino pages at https://rainbowrichas.com and on the applicable regulator's public registers. Those details form part of this privacy policy by reference.
Data Protection Responsibility (DPO / Privacy Team)
- Data controller: For players located in the United Kingdom, Gamesys Operations Limited is the "data controller" of personal data processed in connection with the services.
- Data Protection Officer (DPO): Gamesys Operations Limited has designated a Data Protection Officer (or equivalent data protection function) responsible for overseeing compliance with UK data protection law.
- How to contact us about privacy:
  - Use the contact or support channels indicated on the Rainbow Riches Casino pages of https://rainbowrichas.com and clearly mark your request "For the attention of the Data Protection Officer".
  - Or write to the postal address for Gamesys Operations Limited as shown on the UKGC public register and address your letter to "Data Protection Officer".
What Personal Data We Collect
OBSERVE: We identify the types of information we receive when you use rainbowrichas.com in relation to Rainbow Riches Casino.
EXPAND: We group this data into categories so that you can understand why it is needed and how it is handled.
REFLECT: We only collect data that is necessary for lawful gambling operations, security, compliance and service improvement.
Identification and Contact Data
- Personal details: Full name, date of birth, gender, nationality, place of residence, verification images (e.g. ID documents, selfies where required), and similar identifiers.
- Contact details: Email address, postal address, phone number(s), preferred language, and records of communications with customer support.
Account, Gameplay and Behavioural Data
- Account data: Username, account ID, password (stored using secure hashing), account settings, responsible gambling limits and preferences.
- Gameplay and transactional data: Deposits, withdrawals, bonus usage, wagering requirements, game selections, session length, betting history, win/loss records and loyalty or VIP status.
- Behavioural data: Clickstream data, page views, time spent on pages, navigation paths, interaction with marketing messages (e.g. email opens and clicks), complaint and dispute history.
Technical and Device Data
- Device information: IP address, operating system, browser type and version, language settings, device identifiers, approximate location derived from IP (e.g. country or region).
- Log data: Access dates and times, login attempts, session tokens, security and audit logs, error logs and diagnostic information.
Payment and Financial Data
- Payment details: Limited card or account information (e.g. masked card numbers), payment method type, transaction IDs, billing address and payment provider identifiers.
- Financial verification and KYC/AML data: Proof of source of funds or wealth, employment status, bank statements, payslips or other financial documents where required by law or UKGC conditions.
Cookies and Similar Technologies
- Cookie data: Unique identifiers stored on your device when you visit or use rainbowrichas.com, including session cookies, persistent cookies and cookies set by third parties (e.g. analytics or advertising providers).
- Tracking technologies: Web beacons, pixels, tags, SDKs and similar technologies embedded in our site or communications to understand usage and campaign performance.
We do not intentionally collect personal data relating to persons under 18. If we discover that a minor has provided personal data, we will take reasonable steps to delete such data and may close the associated account in accordance with our legal obligations.
Legal Basis for Processing
OBSERVE: UK law (UK GDPR and the Data Protection Act 2018) requires us to identify and document our legal grounds for processing your personal data.
EXPAND: We rely on several lawful bases depending on the specific purpose of processing.
REFLECT: This section summarises the main legal bases and how they relate to Rainbow Riches Casino services offered via rainbowrichas.com.
Performance of a Contract
- Setting up, operating and managing your Rainbow Riches Casino account.
- Providing gaming services, processing deposits and withdrawals, crediting wins and bonuses, and administering loyalty or promotional programmes.
- Providing customer support, managing technical issues, and notifying you of changes to our terms or to this privacy policy.
Compliance with Legal Obligations
- Conducting identity verification, age verification and eligibility checks (KYC).
- Carrying out anti-money laundering (AML), counter-terrorist financing and affordability checks, including ongoing monitoring as required by UKGC regulations and applicable law.
- Keeping appropriate records for tax, accounting, regulatory reporting and audit purposes, and responding to lawful requests from regulators, courts, law enforcement or other competent authorities.
Legitimate Interests
- Protecting the integrity and security of our systems, detecting and preventing fraud, misuse, bonus abuse, money laundering, collusion or other prohibited behaviour (including the use of VPNs to bypass geo-restrictions, as highlighted in our compliance notes).
- Ensuring network and information security, troubleshooting issues, and improving the performance and functionality of our website and apps.
- Analysing aggregated or pseudonymised data to understand user behaviour, improve our services and develop new features.
- Defending and exercising legal claims, managing disputes and working with our ADR provider (IBAS) where necessary.
Consent
- Sending direct marketing communications by email, SMS, push notifications or similar electronic channels where consent is required under applicable law (including the Privacy and Electronic Communications Regulations in the UK).
- Using certain cookies and similar technologies that are not strictly necessary for the operation of the site (for example, some analytics or advertising cookies), where local law requires your consent.
- Processing certain special categories of data if ever needed and expressly permitted by law (for example, where you choose to share information about your health in the context of responsible gambling support and we rely on your explicit consent).
You can withdraw your consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
Purpose of Processing
OBSERVE: We gather and use your data to run a compliant, safe online casino environment.
EXPAND: We explain each main purpose so you can understand how it relates to your experience with Rainbow Riches Casino on rainbowrichas.com.
REFLECT: We limit processing to what is necessary for clearly defined purposes and regularly review these purposes in light of evolving legal and industry standards.
Providing and Managing Casino Services
- Creating and maintaining your account, verifying your identity and age, and enabling access to games and features.
- Processing deposits, bets, wagers and withdrawals, calculating and crediting winnings, and managing bonuses and promotions.
- Delivering customer support and resolving technical issues, complaints and disputes.
Safety, Integrity and Regulatory Compliance
- Conducting KYC, AML and affordability checks as required by UK law and UKGC licence conditions.
- Monitoring gameplay and payment patterns to detect fraud, money laundering, bonus abuse, prohibited use of VPNs and other breaches of our terms.
- Applying responsible gambling tools (such as deposit limits, time-outs or self-exclusion) and fulfilling our social responsibility obligations.
Service Improvement and Analytics
- Analysing usage, performance and interaction data (often in aggregated or pseudonymised form) to improve usability, game offerings and site performance.
- Testing new features, changes to our user interface and optimisation of promotions and communications.
Marketing and Personalisation
- Sending you personalised offers, promotions and updates where permitted by law and your preferences.
- Profiling (within legal limits) to tailor bonuses, communications and content to your interests and playing patterns.
Legal, Regulatory and Business Purposes
- Complying with legal obligations, regulator requirements and court orders.
- Maintaining records for tax, accounting, audit and risk management purposes.
- Managing business operations, including corporate governance, reporting within Bally's Corporation and considering business transactions (for example, mergers or reorganisations).
Disclosure & Sharing
OBSERVE: Operating an online casino requires controlled data sharing with certain third parties.
EXPAND: We categorise the main types of recipients and their roles.
REFLECT: We only share what is necessary, under appropriate safeguards and in line with UK GDPR and other applicable laws.
Group Companies and Internal Recipients
- Other entities within the Bally's Corporation group that provide technical, operational, compliance or support services to Gamesys Operations Limited.
- Internal departments such as customer support, payments, compliance, risk, legal, marketing and IT operations.
Service Providers and Business Partners
- Payment and banking partners: Card scheme providers, banks, payment processors and other financial institutions that process deposits and withdrawals.
- Technical and hosting providers: Data centres, cloud service providers, IT support, content delivery networks and communication platforms.
- Verification and KYC/AML providers: Identity verification services, credit reference agencies, fraud prevention agencies and other due diligence providers.
- Analytics and marketing providers: Providers that supply analytics, campaign management or advertising services, including third-party cookies or pixels (where permitted by law and your settings).
Regulators, Authorities and ADR Bodies
- The United Kingdom Gambling Commission (UKGC), the Gibraltar Gambling Commissioner and other relevant gambling regulators.
- Data protection authorities (such as the UK Information Commissioner's Office and, where applicable, other supervisory authorities including in Mexico and the EU/EEA).
- Our alternative dispute resolution (ADR) provider, currently IBAS (Independent Betting Adjudication Service), when handling gambling-related disputes that involve your personal data.
- Law enforcement, courts and other public authorities where disclosure is required or permitted by law.
Affiliates and Advertising Networks
- Affiliate partners who promote Rainbow Riches Casino via the Rainbow Riches Casino profile and other channels, for tracking the effectiveness of marketing campaigns.
- Advertising networks and social media platforms, where we are permitted to use your data (for example, hashed identifiers) to deliver or measure targeted advertising, subject to your consent or applicable legal basis.
Corporate Transactions
- Potential or actual purchasers, investors, professional advisers and other parties in connection with any merger, acquisition, restructuring or sale of part or all of our business, subject to appropriate confidentiality and data protection safeguards.
We do not sell your personal data in the sense of transferring it for money for independent use by third parties. Any disclosures are made under contracts that require recipients to protect your data and use it only for specified purposes.
International Transfers
OBSERVE: Some of our suppliers and group entities are located outside the UK.
EXPAND: This may involve transferring your personal data to countries with different data protection standards.
REFLECT: We apply safeguards required by the UK GDPR and, where relevant, by EU and Mexican data protection laws.
Your personal data may be transferred to and processed in:
- Other countries in the European Economic Area (EEA).
- Gibraltar, where some operational functions and licences are located.
- Other countries outside the UK and EEA, including potentially the United States and other jurisdictions where certain service providers (for example, cloud hosting, analytics or communications providers) are based.
Where we transfer personal data outside the UK, we do so only where one of the following conditions applies:
- The destination country is subject to a UK "adequacy regulation" (or, where relevant, an EU adequacy decision) confirming that it affords an equivalent level of protection.
- We have implemented appropriate safeguards such as the UK International Data Transfer Addendum and/or the European Commission's Standard Contractual Clauses, supplemented by additional technical and organisational measures where necessary.
- A specific exception applies (for example, the transfer is necessary for the performance of a contract with you or for the establishment, exercise or defence of legal claims).
Where Mexican privacy law is relevant (for example, in respect of data subjects located in Mexico), we also ensure that cross-border transfers comply with the Federal Law on the Protection of Personal Data Held by Private Parties and associated regulations, including the use of contractual clauses and notices describing the transfer.
Data Retention
OBSERVE: We keep your personal data only for as long as necessary for the purposes described in this policy.
EXPAND: Legal and regulatory requirements, particularly in the gambling and financial sectors, require us to retain certain records for defined periods.
REFLECT: We apply retention schedules, securely delete or anonymise data when it is no longer needed and review those schedules periodically to ensure they remain appropriate for 2026 and beyond.
Retention periods vary depending on the category of data and the purpose of processing, but we generally apply the following guidelines:
- Account and identification data: Typically retained for the duration of your relationship with us and for up to five (5) years after your account is closed, to meet regulatory, AML and record-keeping obligations and to manage potential disputes.
- Transaction and gameplay data: Normally retained for at least five (5) years from the end of the business relationship or the date of the relevant transaction, and may be kept for longer where required by law, regulations or guidance (for example, in relation to AML or tax obligations).
- KYC/AML and affordability documents: Retained for the periods required by relevant AML and gambling regulations (often at least five (5) years from the end of the relationship), and then securely deleted or anonymised unless longer retention is necessary for legal claims.
- Marketing data: Retained while you remain subscribed to marketing communications and for a short period afterwards (for example, up to two (2) years) to demonstrate compliance with your choices and consent history.
- Technical logs and security data: Retained for a period that enables us to investigate and respond to security incidents, typically between six (6) months and two (2) years, unless a longer period is required for legal or security reasons.
When personal data is no longer needed, we either irreversibly anonymise it (so that it is no longer personal data) or securely delete it. We may retain anonymised or aggregated data for analytics, reporting and business planning beyond these periods, as it no longer identifies individuals.
Your Rights
OBSERVE: You have rights over your personal data under the UK GDPR and, where applicable, other data protection laws.
EXPAND: We structure this section to align with both European-style rights and, where relevant, Mexican ARCO rights.
REFLECT: We provide clear procedures, timeframes and assurances so you can confidently exercise your rights in 2026 without charge, subject to lawful limitations.
Rights Under UK and EU Data Protection Law
- Right of access: You can request confirmation of whether we process your personal data and obtain a copy of that data, together with information about how it is used.
- Right to rectification: You can ask us to correct inaccurate or incomplete personal data we hold about you.
- Right to erasure: You can request deletion of your personal data in certain circumstances (for example, where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis), subject to our legal and regulatory retention obligations.
- Right to restriction of processing: You can ask us to limit processing of your data in specific situations (for example, while we verify accuracy or assess an objection).
- Right to object: You can object to processing based on our legitimate interests and, in particular, to processing for direct marketing. Where you object to marketing, we will stop such processing promptly.
- Right to data portability: You can request that certain personal data you have provided to us is transferred to you or to another controller in a structured, commonly used and machine-readable format, where the processing is based on consent or contract and is carried out by automated means.
- Right to withdraw consent: Where we rely on your consent (for example, for marketing or certain cookies), you may withdraw it at any time via account settings, unsubscribe links or by contacting us.
Rights Under Mexican Privacy Law (Where Applicable)
For data subjects whose relationship with our services brings them within the scope of Mexican data protection law, we aim to align with the Federal Law on the Protection of Personal Data Held by Private Parties and its regulations. This includes recognising ARCO rights:
- Access: The right to know what personal data we hold and how we process it.
- Rectification: The right to request correction of inaccurate or incomplete data.
- Cancellation: The right to request that we stop processing and delete your data in certain circumstances, subject to legal retention requirements.
- Opposition: The right to oppose specific processing activities, including for marketing, under established legal grounds.
How to Exercise Your Rights
- Submit a request: Contact us using the privacy/contact details provided on https://rainbowrichas.com/privacy (or the equivalent page for Rainbow Riches Casino), clearly describing the right you wish to exercise and providing sufficient information to verify your identity (for example, username, registered email and date of birth).
- Verification: We may request additional information to confirm your identity and ensure that we do not disclose data to an unauthorised person, in line with our KYC and security obligations.
- Response timeframe: We aim to respond to all valid requests within one (1) month from receipt. This period may be extended by a further two months for complex or multiple requests, in which case we will inform you of the extension and the reasons.
- Cost: Requests are normally handled free of charge. We may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests, as permitted by law.
Some rights may be limited, for example where fulfilling your request would conflict with our legal obligations, regulatory requirements or the rights of others. Where we cannot fully comply, we will explain why.
Cookies & Tracking Technologies
OBSERVE: Cookies and similar technologies help us understand how you use the Rainbow Riches Casino content delivered via rainbowrichas.com.
EXPAND: We categorise these tools by type and purpose to make your choices clearer.
REFLECT: We respect applicable cookie and e-privacy laws and give you practical ways to control your preferences.
Types of Cookies
- Strictly necessary (session) cookies: Essential to provide core functionality such as logging in, maintaining a secure session, processing transactions and enabling basic navigation. These are generally session cookies that expire when you close your browser.
- Functional (persistent) cookies: Remember your preferences (such as language, region or display settings) across sessions to improve your experience.
- Analytics cookies: Help us understand how visitors interact with our site (for example, which pages are visited, how long users stay, and whether there are errors). These may be set by us or by third-party analytics providers.
- Advertising and targeting cookies: Used to deliver relevant advertising, measure campaign effectiveness and limit the number of times a particular ad is shown. These are typically set by third-party partners, such as advertising networks or social media platforms, in connection with our content.
Managing Cookies
- You can manage or disable cookies through your browser settings, which allow you to block or delete cookies and to receive alerts before a cookie is stored.
- Where we offer an on-site cookie banner or preference centre, you can adjust your cookie preferences (for example, enabling or disabling analytics or advertising cookies) at any time.
- If you disable certain cookies, parts of the site or some features may not function properly (for example, you may not be able to log in or complete transactions).
We also use similar technologies such as web beacons and tracking pixels in emails and on our site to measure performance and improve our services. These operate in a similar way to cookies and can usually be controlled by adjusting your browser or email client settings, or by changing your marketing preferences.
Data Security
OBSERVE: Operating a regulated online casino requires robust technical and organisational security measures.
EXPAND: We implement multi-layered controls designed to protect your data in transit and at rest.
REFLECT: We continuously review and improve our security posture in line with recognised industry standards and regulatory expectations.
Technical Measures
- Encryption in transit: Data transmitted between your device and our systems is protected using modern transport layer security (TLS 1.2 or higher), helping to prevent unauthorised interception.
- Encryption at rest: Sensitive data, including payment information and authentication credentials, is stored using strong encryption and hashing techniques, with separate key management controls.
- Access controls: Access to personal data is restricted to authorised personnel who require it for their job role, following the "least privilege" principle and multi-factor authentication where appropriate.
- Network and application security: Firewalls, intrusion detection and prevention systems, vulnerability scanning and other security tools are employed to monitor and protect our infrastructure.
Organisational Measures
- Policies and training: We maintain internal policies on data protection, information security and acceptable use, and we provide regular training to staff on privacy, security and responsible gambling obligations.
- Vendor due diligence: We assess the security of third-party service providers that handle personal data on our behalf and include appropriate data protection clauses in our contracts.
- Security audits and assessments: We perform internal and external audits, risk assessments and penetration testing to evaluate and enhance our security controls. Where appropriate, we align with recognised standards such as ISO/IEC 27001 and SOC 2 principles.
- Incident response: We maintain incident response procedures to detect, respond to and remediate suspected or actual personal data breaches. Where required by law, we will notify affected individuals and relevant authorities (for example, the UK Information Commissioner's Office) without undue delay.
Complaints & Contacts
OBSERVE: You may wish to ask questions, raise concerns or lodge complaints about how your personal data is handled.
EXPAND: We provide multiple contact channels and explain how complaints are processed.
REFLECT: We also inform you of your right to escalate matters to supervisory authorities, including in the UK, EU and Mexico, where applicable.
How to Contact Us
- Online: Use the contact or support options available through https://rainbowrichas.com and indicate that your query relates to privacy or data protection.
- Postal mail: Write to Gamesys Operations Limited at its registered office address as published on the UKGC public register and on our website, addressing your letter to "Data Protection Officer".
Internal Complaint Procedure
- Step 1 - Contact our support team: For general questions or minor issues, contact customer support via the channels indicated on the site. Many matters can be resolved quickly at this stage.
- Step 2 - Escalate to the Data Protection Officer: If your concern relates specifically to privacy or if you are dissatisfied with the initial response, ask for your query to be escalated to our Data Protection Officer or privacy team.
- Step 3 - Investigation and response: We will investigate your complaint and aim to provide a substantive response within one (1) month. For complex issues, this may be extended in line with data protection law, and we will inform you of any extension and the reasons.
Escalation to Supervisory Authorities
- United Kingdom: If you are located in the UK or your complaint relates to processing under UK law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). Information on how to do this is available at https://www.ico.org.uk or by contacting the ICO directly.
- European Union/EEA: If you are located in the EU/EEA and your data is processed in that context, you may also have the right to complain to your local Data Protection Authority.
- Mexico: Where Mexican privacy law applies, you may lodge a complaint with the National Institute for Transparency, Access to Information and Personal Data Protection (INAI) in accordance with Mexican regulations.
Nothing in this privacy policy limits your right to approach any competent data protection authority. We encourage you, however, to contact us first so that we can try to resolve your concern promptly and fairly.
Updates
OBSERVE: Laws, regulatory guidance and our services evolve over time.
EXPAND: We may need to update this privacy policy to reflect those changes and to keep it aligned with UK, EU and (where relevant) Mexican data protection requirements.
REFLECT: We commit to transparent versioning, advance notice of significant changes and meaningful options for you.
How We Will Notify You
- Website notices: We will post the current version of this privacy policy on https://rainbowrichas.com/privacy, indicating the "Last updated" date at the top or bottom of the page.
- Email or in-account messages: For material changes, we may also notify you by email, account message or prominent banner on the site or app.
- Advance notice for significant changes: Where required by law or where changes materially affect your rights or how we process your data, we will aim to provide at least 30 days' advance notice before the changes take effect, unless an earlier change is required by law or for security reasons.
Your Options
- If you continue to use the Rainbow Riches Casino services via rainbowrichas.com after changes take effect, you will be deemed to have acknowledged the updated policy.
- If you do not agree with the updated terms, you may stop using the services and, where applicable, request closure of your account and exercise your data protection rights as described in this policy.
Last updated: January 2026. This version reflects our understanding of applicable requirements under UK data protection law, relevant EU standards and, where applicable, Mexican privacy regulations as at 2025 - 2026.