burger icon
Virgin Games United Kingdom
Log In

Privacy Policy

This Privacy Policy explains how Virgin Games, operated via virgingam.com for the Virgin Games profile, collects, uses, shares, and protects your personal data when you visit our website, use our apps or interact with our gambling services. It applies to registered players, prospective players, website and app visitors, and any other individual whose personal data we process in connection with our UK-facing services.

We are required by data protection law, including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, to give you clear information about our processing activities. This notice is designed to be transparent and understandable while remaining legally robust. Please read it carefully so that you understand how and why your personal data is used, and the choices you have.

This Privacy Policy is effective from 6 November 2025 and reflects our practices as at that date. It is published at https://virgingam.com/privacy and may be updated from time to time as described in the "Updates" section below.

Who We Are

The Virgin Games online gambling services offered in Great Britain through virgingam.com (including the Virgin Games profile) are operated by Gamesys Operations Limited, a limited company forming part of the Bally's Corporation group.

Registered / legal address of operator
Gamesys Operations Limited
Suite 2, Floor 4, Waterport Place
Gibraltar GX11 1AA
Gibraltar

Licensing and regulatory information

  • Great Britain: Licensed and regulated by the UK Gambling Commission under Account Number 38932 for remote gambling services to players located in Great Britain.
  • Outside Great Britain: Licensed by the Gibraltar Gambling Commissioner under Remote Gambling Licence RGL No. 46 for services to certain players outside Great Britain.

Data protection responsibility
For personal data relating to players in Great Britain and other relevant markets, Gamesys Operations Limited is the "data controller" (or equivalent term under applicable law). We operate the "Virgin Games" brand under trademark licence from Virgin Enterprises Limited; this arrangement does not change who controls your personal data.

How to contact us about privacy

  • Data Protection Officer (DPO) / Data Protection Team: You can address privacy queries to our DPO or data protection team by contacting customer support via 24/7 live chat or email (through the help section on https://virgingam.com) and clearly stating that your request is for the attention of the "Data Protection Officer".
  • Postal contact (for privacy matters): Data Protection Officer, Gamesys Operations Limited, Suite 2, Floor 4, Waterport Place, Gibraltar GX11 1AA, Gibraltar.

Because specific email addresses and phone numbers for the DPO are not publicly listed in the profile data, we direct you through our established support channels, which operate 24/7 via live chat and email and will route your request internally to the appropriate team.

What Personal Data We Collect

We collect and process different categories of personal data depending on how you interact with virgingam.com and our services. Some data is provided directly by you, some is generated by your use of our services, and some is obtained from third parties (for example for identity verification and fraud prevention).

Identification and contact data

  • Full name, date of birth and gender (where provided).
  • Residential address and country of residence.
  • Email address(es) and any contact preferences you set.
  • Mobile and/or landline telephone numbers, where supplied.
  • Copies of identity documents (e.g., passport, driving licence, national ID card), proof of address and other KYC documents provided where electronic verification is not sufficient.

Account, gameplay and behavioural data

  • Username, account ID, account status and security settings (including self-exclusion, reality checks, deposit limits and GAMSTOP participation where applicable).
  • Login history (dates, times, methods), device management information (active sessions, recognised devices, remote logout actions) and account change logs.
  • Gameplay history including games played, stakes, wins/losses, bonus use, tournament participation and in-game events.
  • Interactions with our website and apps (pages viewed, buttons clicked, referral URLs, marketing campaign responses).
  • Records of communications with us (live chat transcripts, emails, internal notes of calls where applicable, complaint records and survey responses).

Technical and device data

  • IP address, approximate location derived from IP (e.g., country/region), and language settings.
  • Device identifiers and characteristics (device type, operating system, browser type and version, app version, screen resolution and other technical parameters).
  • Log data about service usage, performance and diagnostics, including error logs and security event logs.
  • Information captured by our "Device Management" features, including currently active sessions and devices used to access your account, to enable you to monitor and secure access.

Financial and transactional data

  • Payment instrument details (such as partial card numbers, card type and expiry date) as permitted under card scheme rules. Full payment details are typically processed by our payment providers rather than stored in clear form by us.
  • Deposit and withdrawal history, including amounts, methods used, timestamps and status.
  • Bank details you provide for withdrawals (e.g., account holder name, IBAN or sort code and account number), where required.
  • Verification and affordability data, such as salary or employment information and bank statement details, if you voluntarily provide them in support of responsible gambling checks or source-of-funds assessments.

Risk, compliance and profiling data

  • Results of identity checks, age verification, fraud screening and sanctions/PEP screening conducted by us or on our behalf.
  • Internal risk scores, flags and notes relating to anti-money laundering (AML), fraud, responsible gambling and account security.
  • Information about self-exclusion or gambling-blocking, including data obtained from schemes such as GAMSTOP and internal exclusion lists (including across sister brands where required by regulation).

Cookies and similar technologies

  • Cookies and similar technologies (such as SDKs, pixels and local storage) used to remember your preferences, maintain sessions, measure performance, personalise content and deliver advertising, as described further in the "Cookies & Tracking Technologies" section.

Special category and sensitive data

We generally avoid collecting special category data (such as health information) unless you choose to provide it (for example when explaining affordability, health-related gambling concerns or accessibility needs). Where we do, we will treat it with additional care and process it only when allowed by law and strictly necessary for the relevant purpose (e.g., to protect your vital interests or for reasons of substantial public interest in a responsible gambling context).

Legal Basis for Processing

We only process your personal data where we have a valid legal basis under applicable data protection laws (including UK GDPR and, where relevant, EU and Mexican data protection frameworks). Depending on the context, we rely on one or more of the following grounds:

  • Performance of a contract: We process data that is necessary to enter into and perform our contract with you, including to create and manage your account, verify your age and identity, provide games, process deposits and withdrawals, operate promotions, respond to your requests, and provide customer support.
  • Compliance with legal obligations: We are subject to extensive regulatory obligations under UK, Gibraltar and other applicable laws, including anti-money laundering (AML), counter-terrorist financing, fraud prevention, responsible gambling, taxation and reporting duties to authorities (such as the UK Gambling Commission and relevant financial intelligence units). We process personal data to comply with these obligations, for example to conduct KYC checks, monitor transactions, identify suspicious activity, enforce self-exclusion and maintain statutory records.
  • Legitimate interests: We process data where it is necessary for our legitimate business interests, provided these are not overridden by your interests or fundamental rights. This includes ensuring the security and integrity of our services (e.g., device management and access controls), preventing fraud and abuse, improving and optimising our products, conducting analytics and statistics, tailoring non-intrusive marketing to existing customers, and defending our legal rights or bringing claims.
  • Consent: In some cases we rely on your consent, for example for certain types of electronic marketing communications, some categories of cookies and advertising trackers, or where we process particular types of special category data you choose to provide. Where we rely on consent, you may withdraw it at any time, without affecting the lawfulness of processing prior to withdrawal.
  • Vital interests and public interest: In rare situations we may process data to protect your vital interests or those of another person (for example where there is an immediate risk of serious harm) or where permitted for reasons of substantial public interest, such as protecting vulnerable individuals in a responsible gambling context.

For users located in Mexico, our processing also aims to align with the lawful grounds recognised by Mexican data protection law (including the Federal Law on Protection of Personal Data Held by Private Parties), such as consent, contractual necessity, legal obligation and legitimate purposes compatible with the relationship between you and us.

Purpose of Processing

We use your personal data for clearly defined purposes, each grounded in one or more of the legal bases described above. In particular, we process your data for the following purposes:

  • Providing and operating our gambling services: To create and manage your account, verify your age and identity, determine eligibility to play (including cross-checking self-exclusions and GAMSTOP registrations), provide games, handle bets, settle wins and losses, manage promotions and loyalty programmes, and deliver a secure and reliable player experience on virgingam.com.
  • Payment processing and financial management: To process deposits and withdrawals, verify payment methods, prevent fraudulent transactions, manage chargebacks and refunds, and comply with anti-money laundering and financial reporting obligations.
  • Responsible gambling and player protection: To monitor gameplay for signs of problem gambling, evaluate affordability information where provided, apply or enforce limits and self-exclusions (including across sister brands where required), contact you with safer-gambling messages where appropriate, and maintain tools such as reality checks and device management to help safeguard your account.
  • Customer support and communication: To provide 24/7 support via live chat and email, resolve technical issues and complaints, respond to requests about your rights, and send service messages (e.g., about changes to terms, security notices, account status, and game or system updates).
  • Analytics, service improvement and personalisation: To analyse how our website, apps and games are used, understand performance, test new features, improve usability and security, and offer relevant content and recommendations. We may segment users for these purposes, using aggregated and anonymised data wherever possible.
  • Marketing and promotions: With your consent where required, to send you marketing communications about products, promotions and offers related to Virgin Games and, where appropriate, related brands within our group, and to measure the effectiveness of such campaigns. You can control your marketing preferences at any time in your account or by using unsubscribe mechanisms.
  • Risk management, fraud prevention and security: To detect and prevent fraud, abuse, collusion, money laundering, account takeover and other prohibited activities, including by monitoring log-in attempts, devices, behavioural patterns and transaction data, and by using internal risk scoring and security tools.
  • Legal, regulatory and business purposes: To comply with regulatory reporting obligations, respond to lawful requests from authorities, exercise or defend legal claims, conduct internal audits and investigations, maintain business records, and support corporate transactions (for example, restructuring or integration within Bally's Corporation), always subject to appropriate safeguards.

Disclosure & Sharing

We treat your personal data as confidential and only share it where necessary, proportionate and lawful. When we share data, we do so under contracts that impose strict confidentiality, security and data protection obligations on recipients.

Categories of recipients

  • Group companies: Other companies within the Bally's Corporation group may process data on our behalf or as joint controllers for operational, regulatory and group-level risk management purposes, subject to intra-group data protection arrangements.
  • Service providers and technical partners: Third-party providers that help us deliver our services, such as IT hosting and cloud providers, security and anti-fraud tools, payment processors, KYC/AML and identity verification providers, analytics services, marketing and customer support tools (including live chat platforms) and game content providers.
  • Payment partners and financial institutions: Banks, card schemes, payment service providers and other financial intermediaries involved in processing your deposits and withdrawals or investigating payment-related issues.
  • Regulators and authorities: The UK Gambling Commission, the Gibraltar Gambling Commissioner and other regulators, tax authorities, law enforcement and governmental or judicial bodies, where we are required or allowed by law to disclose information (for example for regulatory reporting, AML investigations, responsible gambling oversight or court proceedings).
  • Alternative dispute resolution (ADR) providers: eCOGRA, our ADR provider, may receive information relevant to your gambling complaint if you escalate a dispute through its online form at https://ecogra.org/forms/adr-dispute-step-1. Only the data necessary to evaluate and resolve the dispute will be shared.
  • Affiliates and marketing partners: In limited cases and subject to your consent where required, we may share pseudonymised identifiers with advertising networks, affiliates or marketing partners for campaign measurement, attribution and re-engagement, in line with your cookie and marketing preferences.
  • Professional advisors and other third parties: Lawyers, auditors, consultants, and prospective or actual buyers or investors in the event of a merger, acquisition or other corporate transaction, always under appropriate confidentiality and data protection safeguards.

We do not sell your personal data for monetary consideration. Any sharing for advertising or analytics purposes is carefully assessed and, where required by law (including Mexican law where applicable), subject to your prior consent and opt-out rights.

International Transfers

Because we operate in multiple jurisdictions and rely on global service providers, your personal data may be transferred to, and processed in, countries outside the United Kingdom and your country of residence, including Gibraltar, countries in the European Economic Area (EEA) and other countries that may have different data protection standards.

  • Gibraltar and EEA: Data may be processed in Gibraltar and EEA countries for operational, support, regulatory and hosting purposes in connection with the licences granted by the Gibraltar Gambling Commissioner and other EEA-based services. Gibraltar currently maintains data protection standards closely aligned with EU law.
  • Other third countries (for example, the United States): Certain group companies, service providers or technical partners may be located in or process data from countries that have not been recognised as providing an adequate level of data protection by the UK government.

Where we transfer personal data to a country without an adequacy decision, we implement appropriate safeguards as required by UK GDPR and, where applicable, EU GDPR, such as:

  • Standard Contractual Clauses or equivalent recognised contractual safeguards between us and the data recipient.
  • Intra-group data transfer agreements aligned with these standards.
  • Technical and organisational measures (e.g., encryption and strict access controls) to protect data in transit and at rest.
  • Careful assessment of local laws and practices to ensure your rights remain effectively protected.

For users in Mexico, international transfers are also structured to align, where applicable, with Mexican data protection requirements, including contractual commitments to ensure the same or higher level of protection as required under Mexican law.

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal and regulatory obligations, and to protect our legal rights. Retention periods can vary depending on the type of data and the context of processing, particularly given our obligations under gambling and AML regulations.

Broadly, we apply the following retention principles (dates and periods are indicative and may be extended where law or regulators require):

Category of data Typical retention period Main reasons
Account and identification data (KYC, identity documents, contact details) During the customer relationship and generally up to 5-7 years after account closure Compliance with AML and gambling regulations, fraud prevention, responding to regulatory enquiries and legal claims.
Transaction and financial records (deposits, withdrawals, payment details) At least 6-7 years from the end of the relevant financial year Accounting, tax and regulatory record-keeping obligations; dispute handling.
Gameplay and behavioural data (betting history, logs, risk profiles) During the relationship and typically up to 5 years after account closure Responsible gambling, AML monitoring, dispute resolution, compliance with regulator expectations.
Marketing and communication preferences Until you opt out or your account is closed, plus a short period (usually up to 2 years) to demonstrate compliance Proof of consent and opt-out; managing marketing suppression lists.
Cookies and analytics identifiers As described in our cookie settings; typically from session-only to up to 24 months, depending on type Service functionality, analytics and advertising, in line with your choices.
Complaint and dispute records (including ADR and authority cases) For the duration of the dispute and usually up to 6 years after resolution Defence of legal claims, regulatory reporting and quality assurance.

When data is no longer required, we will either securely delete it or irreversibly anonymise it so that it can no longer be associated with you. If you request deletion of your data, we will honour this where possible, but may need to retain certain information where law requires or permits us to do so (for example, AML and statutory record-keeping obligations extending beyond 2025).

Your Rights

Depending on where you are located and which laws apply, you may have various rights in relation to your personal data. We respect these rights and provide procedures to help you exercise them free of charge, subject to limited exceptions where requests are manifestly unfounded or excessive.

Rights under UK GDPR and, where applicable, EU GDPR

If you are in the United Kingdom (and, where applicable, the EEA), your rights typically include:

  • Right of access: To obtain confirmation as to whether we process your personal data and, if so, to receive a copy together with information about our processing.
  • Right to rectification: To have inaccurate or incomplete personal data corrected or updated. You can amend many details directly in your account settings.
  • Right to erasure ("right to be forgotten"): To request deletion of your personal data where there is no longer a lawful basis for us to retain or process it, subject to legal and regulatory retention requirements (for example, AML rules may require retention beyond 2025).
  • Right to restriction of processing: To request that we restrict processing of your data in certain circumstances, for example while we verify accuracy or consider an objection.
  • Right to object: To object to processing based on our legitimate interests, including profiling, on grounds relating to your particular situation. You always have an absolute right to object to direct marketing and related profiling.
  • Right to data portability: To receive personal data you provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
  • Right to withdraw consent: Where we rely on your consent (for example for certain marketing or cookies), you may withdraw it at any time using your account settings, unsubscribe links or by contacting us. This does not affect processing that took place before withdrawal.

Additional rights for users in Mexico

If you are located in Mexico, our handling of your personal data also aims to align with the rights recognised under Mexican data protection law, typically referred to as the ARCO rights:

  • Access: To know what personal data we hold about you, how we obtained it and how we use it.
  • Rectification: To request correction of inaccurate or incomplete data.
  • Cancellation: To request that your data be deleted or cancelled when it is excessive, unnecessary or being processed contrary to law or the terms of this Privacy Policy, subject to legal retention requirements.
  • Opposition: To object to certain processing activities on legitimate grounds, including the use of your data for marketing or profiling, where permitted by Mexican law.

These rights apply alongside, and are interpreted consistently with, the rights described above when Mexican law is applicable to our relationship with you.

How to exercise your rights

  • Submitting a request: You can exercise your rights by contacting customer support via live chat or email through https://virgingam.com and clearly identifying your request as a "data protection" or "privacy" request for the attention of the Data Protection Officer. You may be directed to use secure in-account messaging or a specific request form if available.
  • Verification: We may need to verify your identity and residency (for example by confirming account details or requesting additional documentation) before acting on your request, particularly for sensitive data or high-risk changes.
  • Timeframe and cost: We aim to respond within one month (30 days) of receiving a valid request. This period may be extended by up to a further two months for complex or multiple requests, in which case we will inform you. As a rule, we do not charge a fee, but may do so or refuse to act where requests are manifestly unfounded or excessive.
  • Limitations: Certain rights may be restricted where necessary to comply with legal obligations, protect public interests (for example, AML and responsible gambling requirements), or preserve the rights and freedoms of others.

Cookies & Tracking Technologies

We use cookies and similar tracking technologies on virgingam.com to make our services work, to improve performance and to personalise your experience. Cookies are small text files stored on your device; similar technologies include SDKs, pixels and local storage used in our apps and website.

Types of cookies we use

  • Strictly necessary (session) cookies: These are essential for the operation of the site and app, enabling basic functions such as page navigation, secure log-in, session management, fraud prevention and access to account features. They are typically session-based and expire when you log out or close your browser.
  • Functional (preference) cookies: These remember your settings and choices (such as language, display preferences, game filters and login options) so that we can provide a more personalised and convenient experience.
  • Analytics and performance cookies: These help us understand how visitors use our site and apps, which pages and games are popular, and how features perform. We may use internal analytics tools or trusted third-party providers to collect aggregated statistics and identify technical issues.
  • Advertising and marketing cookies: With your consent where required, these cookies and similar technologies are used to deliver relevant adverts on our own properties and, in some cases, on third-party sites or apps, to measure campaign effectiveness, and to avoid repeatedly showing you the same advertisement.
  • Security and fraud-prevention cookies: These are used to detect irregular or suspicious activity, prevent abuse, support device management and protect against unauthorised access to your account.

Managing cookies and tracking

  • Cookie settings: Where available, you can manage non-essential cookies and similar technologies through our cookie banner or preferences centre on virgingam.com, choosing which categories you wish to allow.
  • Browser and device controls: Most browsers and devices allow you to block or delete cookies, or to receive alerts before they are stored. The method varies by browser; please refer to your browser or device help for detailed instructions. Blocking certain cookies may affect your ability to use some site features.
  • In-app settings: Our mobile apps may provide additional in-app privacy or tracking settings where applicable.
  • Do Not Track and similar signals: At present, our services do not respond to all "Do Not Track" or similar browser signals, but we honour cookie and marketing choices you make using our tools and applicable legal requirements.

Data Security

We take the security of your personal data seriously and implement a combination of technical, organisational and physical measures designed to protect it against unauthorised access, loss, alteration or disclosure. Security is built into our systems and processes across the entire lifecycle of your data.

  • Encryption in transit and at rest: Data transmitted between your device and our systems is protected using industry-standard encryption protocols (such as TLS 1.2 or higher). Where appropriate, we also encrypt personal data at rest within our infrastructure.
  • Access controls and authentication: Access to personal data is restricted to authorised personnel and service providers who need it for legitimate business purposes, based on the principle of least privilege. We use strong authentication mechanisms, and encourage or provide multi-factor authentication options where feasible.
  • Secure development and testing: Our systems are developed and maintained under secure coding practices, with regular testing, vulnerability assessments and patch management to address emerging threats and maintain resilience.
  • Monitoring, logging and device management: We maintain security logs, monitor systems for suspicious activity and use our "Device Management" tools to help you review active sessions and remotely log out devices you do not recognise.
  • Organisational policies and training: Staff with access to personal data are subject to confidentiality obligations and receive regular training on data protection, information security, responsible gambling and anti-fraud procedures.
  • Incident response: We maintain incident response procedures for managing and investigating suspected personal data breaches. Where required by law, we will notify you and the relevant supervisory authorities without undue delay, including beyond 2025, if a breach is likely to result in a high risk to your rights and freedoms.

We aim to align our security controls with recognised international standards (such as ISO 27001 and SOC 2) where appropriate for our environment, even where formal certifications are not expressly listed in this notice.

Complaints & Contacts

We are committed to resolving privacy concerns and complaints fairly and promptly. If you have questions about this Privacy Policy or how we handle your personal data, or if you wish to raise a complaint, you have several options.

Contacting us first

  1. Customer support: In the first instance, please contact our 24/7 customer support via live chat or email through the help section of https://virgingam.com. Explain that your concern relates to privacy or data protection so that it can be routed appropriately.
  2. Escalation to the DPO: If your concern is not resolved at first line, or if it is particularly sensitive, you may request that it be escalated to our Data Protection Officer or data protection team. You can also write to the DPO at Gamesys Operations Limited, Suite 2, Floor 4, Waterport Place, Gibraltar GX11 1AA, Gibraltar.

Escalation to supervisory authorities

If you believe that we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a competent supervisory authority. You can do this in addition to, or instead of, contacting us.

  • United Kingdom - Information Commissioner's Office (ICO):
    Website: https://ico.org.uk
    Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
    Telephone: +44 303 123 1113
  • Mexico - Data Protection Authority (INAI):
    For users in Mexico, you may have the right to complain to the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) if you consider that your ARCO rights have been infringed.
    Website: https://www.inai.org.mx
  • EU / EEA supervisory authorities: Where EU GDPR applies (for example, if you are located in the EEA and our processing falls within its scope), you may lodge a complaint with your local data protection authority or with the authority of the Member State where you live, work or where the alleged infringement occurred.

Other dispute resolution mechanisms

For complaints specifically concerning the fairness or outcome of gambling transactions (rather than privacy issues), you may also have the option to escalate to our alternative dispute resolution (ADR) provider, eCOGRA, via its online form at https://ecogra.org/forms/adr-dispute-step-1. This mechanism is designed for gambling-related disputes and operates alongside, not instead of, your rights to contact data protection authorities about privacy matters.

Updates

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, regulatory guidance or technological developments. When we do so, we will revise the "Last updated" date shown below and, where appropriate, provide additional notice.

  • Notification methods: For material changes, we will take reasonable steps to inform you in advance, which may include emails to your registered email address, prominent notices or banners on virgingam.com, and/or alerts in your account dashboard.
  • Advance notice: Where feasible and where changes are significant (for example, introducing new processing activities that require consent or materially affecting your rights), we will provide at least 30 days' notice before the changes take effect, so that you can review them and, if you wish, adjust your preferences or close your account.
  • User options: If you do not agree with the updated Privacy Policy, you may close your account and request deletion or restriction of your data, subject to our legal obligations to retain certain records (which may extend beyond 2025 for regulatory reasons). Continued use of our services after the effective date of an updated policy will normally be treated as acceptance of the changes.
  • Version control and changelog: We may maintain a record of material changes (for example, new categories of data collected, new purposes, or new categories of recipients) and, where appropriate, summarise these in a changelog or update notice.

Last updated: November 2025