Highbet Privacy Policy

The Highbet Privacy Policy explains the data we collect when you use the platform, why we hold it and the rights you have as a player under Canadian and international data protection law.

Your privacy matters to us as much as your security does. This policy sets out the personal information we collect when you sign up for a Highbet account, the reasons we hold it, how long we keep it for and the rights you can exercise at any time. We have written it in plain language rather than legalese because if a privacy policy is unreadable it is not really doing its job.

Encrypted by default

Every byte of personal data is encrypted at rest and in transit using industry-standard protocols.

PIPEDA-aligned

We operate in line with the Personal Information Protection and Electronic Documents Act and provincial equivalents.

Minimal collection

We only collect what we need to run the platform and meet our regulatory obligations.

What personal data do we actually collect?

When you open an account we ask for your full name, date of birth, address, email and phone number along with a username and password. During verification we may ask for a photo of an official identity document such as a passport or driving licence, a recent utility bill or bank statement and a selfie that proves the document belongs to you. For payments we hold transaction records, but the card numbers themselves are tokenised by our payment processors and we never see the full PAN.

While you use the platform we record the games you play, the bets you place, the deposits and withdrawals you make and the support conversations you have with us. We also collect technical data about your device such as the IP address, browser version, operating system and approximate location. This data is needed to run the service, prevent fraud and comply with anti-money laundering rules.

What do we actually use that data for?

There are six legitimate reasons we use personal data. First, to perform the contract you entered into when you opened your account, which covers running the games, processing payments and providing support. Second, to comply with the legal obligations placed on us as a licensed gambling operator, which includes age verification, anti-money laundering checks and reporting suspicious activity. Third, to protect the integrity of the platform against fraud, hacking and bonus abuse.

Fourth, to monitor for signs of harm and intervene where our safer gambling team identifies a player at risk. Fifth, to provide marketing communication about products you have signed up to receive, which you can switch off at any time from your account preferences. Sixth, to improve the product through aggregated analytics that look at how players use the site without identifying any individual.

Who do we share data with?

We never sell personal data. The categories of organisations we share data with are limited to those that are necessary to run the service. Game studios such as Pragmatic Play and Evolution receive your username and stake information when you open a game so that the game can run. Payment providers receive the transaction details required to process a deposit or withdrawal. Identity verification providers receive the documents you upload for the duration of the check.

Regulators and law enforcement receive data when we are legally required to share it. This includes reporting suspicious transactions to the relevant financial intelligence unit, responding to court orders and cooperating with safer gambling registries. Each disclosure is recorded and we publish an annual transparency report covering the number and type of requests received.

How long do we keep your information?

Identity documents and account records are kept for the duration of the relationship and for five years after closure, as required by anti-money laundering law. Financial transaction records are kept for seven years for tax and audit purposes. Game and bet records are kept for five years for regulatory review. Support correspondence is kept for two years.

Marketing data is kept only while you are subscribed to the relevant channel. If you unsubscribe from email or SMS marketing your contact details are removed from those lists immediately. If you close the account or self-exclude, all marketing lists flush your details at once and we do not target you with win-back campaigns at any point.

You have the right to request a copy of every piece of personal data we hold about you at any time, free of charge. The request takes up to thirty calendar days to fulfil and is delivered as a downloadable file from a secure link.

What rights do you have over your data?

Under PIPEDA and equivalent provincial laws you have the right to access the data we hold about you, to have inaccurate data corrected, to ask us to delete data where there is no longer a legal reason to retain it, to restrict how we process certain data, to object to processing for direct marketing and to receive a portable copy of your data in a machine-readable format. You can also withdraw consent at any time where consent was the basis we relied on, and you can complain to the Office of the Privacy Commissioner of Canada if you are not happy with how we have handled a request.

To exercise any of these rights, email privacy@highbet.online from the address registered to your account or open a chat from inside the account. We respond inside thirty calendar days. There is no fee for a reasonable request and we will not penalise you in any way for exercising your rights.

How do we protect your data?

All personal data is encrypted at rest using AES-256 and in transit using TLS 1.3. Databases sit in regulated data centres with strict access controls, multi-factor authentication and continuous monitoring. Internal access to personal data is granted on a need-to-know basis and every access is logged for audit. We run regular penetration tests with independent security firms and publish a yearly summary of the findings and the remediation actions taken.

In the unlikely event of a personal data breach we notify the relevant privacy regulator within the legally required window of becoming aware of it, and we notify affected players directly without undue delay. We have not had a notifiable breach to date but we test the response process every six months to make sure we can act fast if one ever happens.