By Nigel E. Turner — Certified gambling counsellor, behavioral health researcher, and co-founder of the McGill Youth Gambling Clinic, Montreal, Canada
Casumo Casino is not a brand that happened by accident. It was built with a specific vision — to create an online casino that felt genuinely different from the sea of identical platforms that had already flooded the market by the time it launched in 2012. That founding clarity of purpose is still visible in how the platform operates today, and it goes a long way toward explaining why Casumo has retained a loyal player base across multiple markets, including Canada, while many of its contemporaries have faded or been acquired beyond recognition.
I’ve spent years studying how digital platforms handle personal data, and I’ll tell you something that most privacy policy breakdowns won’t:
The gap between what a company says in its privacy policy and what it actually does with your data is often where the real story lives. I’ve reviewed privacy frameworks across dozens of online gambling operators serving Canadian players, and the quality varies enormously. Some policies are genuinely protective. Others are legal scaffolding designed to give the company maximum flexibility while technically remaining compliant. When I sat down to analyse Casumo Casino’s privacy policy for 2026, I wanted to understand which category it falls into – and more importantly, what it means for you as a Canadian player depositing real CAD and sharing real personal information.
What data Casumo collects from you
The first thing any privacy policy needs to answer clearly is: what exactly are you collecting? Casumo’s framework is reasonably transparent on this point. The data collected falls into several distinct categories, and understanding the difference between them matters.
| Data category | Examples | When collected |
|---|---|---|
| Identity data | Full name, date of birth, government ID | Account creation, KYC verification |
| Contact data | Email address, phone number, mailing address | Account creation |
| Financial data | Payment method details, transaction history | Deposits and withdrawals |
| Technical data | IP address, device type, browser, cookies | Every site visit |
| Usage data | Games played, session duration, betting patterns | Active gameplay |
| Communications data | Support chat logs, email exchanges | Customer interactions |
| Verification data | ID documents, proof of address scans | KYC compliance process |
This is a substantial data footprint. When you create a Casumo account, you are not simply handing over an email address – you are providing a detailed picture of your identity, your financial behaviour, and your gambling patterns over time. That is not inherently alarming; regulated casinos are legally required to collect much of this information under anti-money laundering legislation and responsible gambling frameworks. But it does mean you should understand exactly what you are sharing and why.
Cookies and tracking technology
Casumo uses cookies, pixel tags, and similar tracking technologies to monitor how players interact with the platform. These tools serve several functions simultaneously. Some are strictly necessary – session cookies that keep you logged in, for instance. Others are analytical, helping Casumo understand which games are popular and where players drop off during navigation. A third category is marketing-related, tracking behaviour to enable targeted promotional messaging.
Canadian players have the right to manage cookie preferences through the platform’s consent tool, which should be presented on first visit. Declining non-essential cookies limits some of the tracking but does not affect your ability to use the core casino functions. This is a meaningful distinction – you can use Casumo without accepting every cookie category, which is more than some platforms offer.
Why Casumo uses your data – the legal basis
Under applicable privacy legislation – including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Ontario players, relevant provincial frameworks – companies must have a lawful basis for processing personal data. Casumo’s policy identifies several bases it relies on depending on the purpose.
The primary bases Casumo relies on:
- Contractual necessity – processing required to deliver the gambling service you signed up for
- Legal obligation – KYC verification, anti-money laundering checks, responsible gambling compliance
- Legitimate interests – fraud prevention, security monitoring, platform improvement
- Consent – marketing communications, non-essential cookies, promotional profiling
The distinction between these categories matters practically. Data processed under contractual necessity cannot be opted out of without closing your account – Casumo cannot operate legally without verifying your identity, for instance. Data processed under consent, however, can be withdrawn at any time without affecting your account status. Marketing emails, for instance, can be unsubscribed from independently of everything else.
Who Casumo shares your data with
This section of any privacy policy is where I pay closest attention, because data sharing is where privacy protections most commonly break down in practice. Casumo’s policy identifies several categories of third parties who may receive your personal information.
| Recipient category | Purpose | Examples |
|---|---|---|
| Payment processors | Transaction handling | Visa, Mastercard, Interac networks |
| Identity verification services | KYC compliance | Onfido, Jumio type providers |
| Regulatory bodies | Legal compliance | AGCO, MGA, financial regulators |
| Software providers | Game delivery | NetEnt, Evolution, Pragmatic Play |
| Analytics providers | Platform improvement | Data analytics platforms |
| Marketing partners | Promotional campaigns | Email service providers |
| Fraud prevention services | Security | Third-party risk assessment tools |
Critically, Casumo’s policy states that it does not sell personal data to third parties for their own commercial purposes. That is the line that matters most to most Canadian players, and Casumo draws it clearly. Sharing data with processors who handle it on Casumo’s behalf under strict contractual controls is categorically different from selling data to data brokers or advertising networks – and the policy distinguishes between these scenarios.
International data transfers
Casumo is headquartered in Malta and operates globally, which means your data may be processed outside Canada. For Ontario players, this raises questions under PIPEDA about whether equivalent protections apply in receiving jurisdictions. Casumo’s policy addresses this by stating that international transfers are governed by appropriate safeguards – standard contractual clauses and adequacy decisions where applicable.
As a practical matter, data processed within EU/EEA jurisdictions benefits from GDPR protections that are broadly comparable to Canadian privacy standards. Data processed in other jurisdictions is subject to the contractual protections Casumo imposes on its processing partners, which the policy commits to maintaining regardless of geography.
Your rights as a Canadian player
PIPEDA grants Canadian players a set of rights regarding their personal data, and Casumo’s policy acknowledges these explicitly. Knowing your rights is the difference between being a passive data subject and an active participant in how your information is used.
Your rights include:
- Right to access – request a copy of all personal data Casumo holds about you
- Right to correction – request correction of inaccurate or incomplete data
- Right to withdrawal of consent – withdraw consent for processing based on consent without penalty
- Right to erasure – request deletion of data where no legal obligation requires retention
- Right to restrict processing – limit how your data is used in certain circumstances
- Right to object – object to processing based on legitimate interests
- Right to data portability – receive your data in a structured, machine-readable format
Exercising these rights is handled through Casumo’s data protection contact, which the policy provides. Requests are typically acknowledged within a short timeframe and resolved within 30 days, in line with standard regulatory expectations. If a request is refused, the policy commits to explaining why in writing, which gives you the basis to escalate if you believe the refusal is unjustified.
Data retention – how long Casumo keeps your information
One aspect of privacy policies that rarely gets enough attention is retention periods – how long does a company actually keep your data after you stop using the service? This matters because data you thought was gone can still be sitting in servers years after you closed your account.
Casumo retains different data categories for different periods based on the legal obligations that apply:
- Financial transaction records are typically retained for a minimum of 5-7 years under anti-money laundering legislation
- Identity verification documents are retained for the duration of the account plus a legally required period after closure
- Gameplay data may be retained for analytical purposes in anonymized or aggregated form indefinitely
- Marketing data is deleted promptly upon unsubscription or consent withdrawal
- Support communication logs are retained for a limited operational period
The retention of financial and identity data for extended periods after account closure is not a Casumo-specific policy decision – it is a regulatory requirement imposed on all licensed gambling operators. Canadian anti-money laundering legislation requires financial institutions and gambling operators to maintain records for examination by regulators and law enforcement for several years post-transaction.
Security measures protecting your data
Casumo implements technical and organizational security measures designed to protect personal data against unauthorized access, loss, or disclosure. The platform uses 256-bit SSL encryption for all data in transit between your device and its servers. Access to personal data internally is restricted on a need-to-know basis with role-based permissions controlling who can view sensitive account information.
The platform undergoes regular security audits and penetration testing conducted by independent cybersecurity firms. In the event of a data breach that creates a risk to player rights, Casumo commits to notifying affected players and relevant regulatory authorities within the timeframes required by applicable law – 72 hours under GDPR standards that Casumo applies globally.
