Privacy Policy 2026: How iGaming Payment Gateway Protects Your Data

Effective Date: January 1, 2026  |  Last Updated: May 20, 2026

This Privacy Policy explains how iGaming Payment Gateway collects, uses, stores, and protects personal and transactional data across our branded payment gateways, managed payment infrastructure, and private payment channels serving 6 Asian markets. We process data under PCI DSS, GDPR, and applicable regional regulations to keep iGaming operators, PSPs, and end players safe.

1. Scope of This Privacy Policy

iGaming Payment Gateway (“we,” “us,” or “our”) operates payment infrastructure for licensed gaming operators and payment service providers across Bangladesh, Pakistan, India, Vietnam, the Philippines, and Myanmar. This Privacy Policy applies to every interaction you have with our website at igamingpaymentgateway.net, our APIs, branded cashier UIs, partner portals, and any communication exchanged with our team.

Our services include the branded payment gateway for gaming operators, managed payment infrastructure, and private payment channel. Each service tier handles different data categories, and this policy describes all of them in one place so you know exactly what we do with information that touches our systems.

Who this policy is for: iGaming operators evaluating our platform, PSP partners reselling our infrastructure, compliance officers conducting due diligence, and the players whose deposits and withdrawals flow through our payment channels. If you are unsure whether this policy applies to you, please contact our compliance team.

2. Information We Collect

We collect four broad categories of data: identification data, transactional data, technical data, and communications data. Each category serves a specific operational or legal purpose, and we limit collection to what is necessary for delivering iGaming payment services.

2.1 Identification and KYC Data

For operators and PSPs onboarding to our platform, we collect business registration details, beneficial ownership documentation, licensing certificates, and authorized signatory identification. For end-player transactions routed through methods like UPI, bKash, GCash, or MoMo, we receive limited identifiers such as a payer name, mobile number, or payment instrument reference required by the local rail.

2.2 Transactional Data

Every deposit, withdrawal, refund, and chargeback flowing through our payment APIs and webhooks generates transactional records. These include amount, currency, timestamp, originating channel, settlement reference, and risk-scoring signals. Card data, where applicable, is tokenized at the acquirer level and never stored in cleartext on our infrastructure.

2.3 Technical and Device Data

When you visit our website or interact with the player cashier UI, we automatically log IP addresses, browser fingerprint attributes, device identifiers, referring URLs, and session timestamps. This data fuels fraud detection, geolocation enforcement, and uptime monitoring across our 24/7 operations stack.

2.4 Communications Data

Emails, chat transcripts, ticket histories, and call recordings exchanged with our support team are retained for service quality, dispute resolution, and regulatory reporting. We never sell communication content to third parties.

3. How We Use Your Information

We process the data described above for clearly defined, lawful purposes. The table below maps each data category to its primary processing purposes so partners can evaluate alignment with their own data-protection impact assessments.

Data Category | Primary Use | Legal Basis
KYC and onboarding data | Identity verification, AML screening, sanctions checks | Legal obligation, contract performance
Transactional data | Settlement, reconciliation, dispute handling, fraud prevention | Contract performance, legitimate interest
Technical and device data | Security monitoring, geolocation, uptime analytics | Legitimate interest, legal obligation
Communications data | Support delivery, training, regulatory audit trails | Legitimate interest, consent
Marketing engagement | Product updates, partner newsletters, event invites | Consent (opt-in only)

4. Data Sharing and Third-Party Processors

iGaming payment processing involves multiple regulated counterparties. We share data only where strictly necessary and bind every recipient by written data processing agreements. The categories of processors we engage include:

  • Banking and payment rail partners across each of the 6 Asian markets we serve, including local acquirers, mobile wallets, and UPI PSPs.
  • KYC and identity verification vendors running document validation, liveness checks, and PEP/sanctions screening.
  • Fraud and risk intelligence providers contributing device reputation, velocity, and behavioral signals.
  • Cloud and infrastructure providers hosting our segmented PCI environments under contractual confidentiality.
  • Auditors and regulators when disclosure is mandated by applicable law, license terms, or court order.

We do not sell personal data, and we do not share player-level data with marketing networks or data brokers. Partners interested in specific subprocessor lists for due diligence purposes can request the current register through our compliance contact channel.

5. Security Controls and PCI DSS Compliance

Security is the load-bearing pillar of any payment infrastructure. Our control framework follows PCI DSS, ISO 27001-aligned policies, and the regional cybersecurity rules of each market we operate in. Read the detailed scope in our dedicated PCI DSS compliance coverage overview.

Encryption in Transit

TLS 1.3 for all API endpoints, cashier surfaces, and partner portals. Legacy protocols disabled.

Encryption at Rest

AES-256 across primary and replicated databases, with hardware-backed key custody.

Network Segmentation

PCI cardholder data environments isolated from corporate and analytics workloads.

Access Control

Role-based access, hardware MFA for privileged roles, and quarterly access reviews.

24/7 Monitoring

Continuous SIEM, anomaly detection, and incident response across the payment stack.

Penetration Testing

Independent annual penetration tests plus internal red-team exercises before major releases.

6. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to keep sessions stable, remember preferences, and measure aggregate traffic. We classify cookies into three tiers:

  1. Strictly necessary — session integrity, CSRF protection, language preferences. These cannot be disabled without breaking core functionality.
  2. Analytics — anonymized traffic measurement using first-party tags. We do not deploy cross-site advertising cookies.
  3. Functional — saved form inputs, region detection, and chat widget continuity.

Visitors from jurisdictions requiring affirmative consent (such as EU/EEA territories) will see a consent banner allowing per-category control. You can revoke consent at any time by clearing site cookies or contacting us directly.

7. International Data Transfers

Because we serve 6 Asian markets — see our multi-market gateway coverage for a breakdown of supported geographies — personal data may move across borders during settlement, reconciliation, and support. Transfers are governed by Standard Contractual Clauses where applicable, supplementary technical measures such as field-level tokenization, and binding intra-group agreements.

For India-specific transactions routed through the UPI payment gateway, we observe NPCI guidance on data residency. For Bangladesh and Pakistan corridors served via the bKash/Nagad gateway and Easypaisa gateway, we mirror the central bank’s localization expectations.

8. Data Retention

We retain data only for as long as it serves a legitimate purpose or is mandated by law. The default retention windows are:

  • KYC and onboarding records: minimum of 5 years after the business relationship ends, or longer where mandated by national AML statutes.
  • Transactional ledgers: 7 to 10 years, depending on the jurisdiction of the underlying rail.
  • Technical access logs: 12 to 24 months, longer when retained for an ongoing investigation.
  • Marketing engagement data: until consent is withdrawn or 24 months of inactivity, whichever is first.

9. Your Data Protection Rights

Depending on your jurisdiction, you may exercise several rights regarding your personal data. We honor these rights for partners, employees, and end players whose data we process, subject to applicable law and ongoing AML or licensing obligations.

Right to Access

Request a copy of the personal data we hold about you.

Right to Rectification

Correct inaccurate or incomplete information in your record.

Right to Erasure

Request deletion where no overriding legal or contractual obligation applies.

Right to Restrict Processing

Pause certain uses of your data while a query is investigated.

Right to Portability

Receive structured data exports for transfer to another controller.

Right to Object

Object to processing based on legitimate interest or for direct marketing.

To submit a request, write to the address listed in section 13. We respond within 30 calendar days, and we may extend by an additional 60 days for complex multi-jurisdictional requests with prior notice.

10. Players Under 18 and Responsible Gaming

The iGaming industry has strict age requirements. Our services are designed exclusively for licensed operators who enforce age verification and responsible-gaming controls. We do not knowingly process payment data for individuals under the legal gambling age of the originating jurisdiction. If we discover such data has entered our systems, we will work with the operator of record to remove it, reverse impacted transactions where possible, and report the incident in accordance with the relevant license framework.

11. Incident Notification

In the event of a confirmed personal data breach, we notify affected partners and competent regulators within the timelines set by applicable law — typically 72 hours from confirmation under GDPR-equivalent regimes and according to local central bank rules in each Asian corridor. Notifications include the scope of the incident, mitigation measures already taken, and the support resources available to affected parties.

12. Changes to This Privacy Policy

We review this Privacy Policy at least once a year and whenever a material change occurs in our service architecture, regulatory environment, or subprocessor list. Substantive changes are communicated to active partners by email at least 30 days before they take effect. The “Last Updated” date at the top of this page reflects the most recent revision.

13. How to Contact Us

Questions, data subject requests, and compliance disclosures should reach our Data Protection function through the channels below.

Data Protection Contact

Entity: iGaming Payment Gateway

Website: https://igamingpaymentgateway.net/

Contact Form: https://igamingpaymentgateway.net/contact-us/

Response Window: Within 30 calendar days for routine requests; complex requests may extend by up to 60 days with prior notice.

If you would prefer to first understand what we do before submitting a request, our about page and services overview describe our company, mission, and full product line in plain language.