Privacy Policy
Privacy matters at Mr Play in Canada. This policy explains how we collect, use, share, and protect personal information under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and relevant provincial rules.
Navigation
By accessing our services, you agree to the practices described here. If you need clarification, you can request it through our secure on-site contact options.
What we collect and why
We collect information needed to operate accounts, process transactions, prevent abuse, and support fair gameplay. Some data is provided during registration, while other data is generated through your use of the website.
Information you provide
- Personal details such as name, address, email, date of birth, phone number, and identification documents used for account verification.
- Payment information such as credit or debit card details, e-wallet details, and transaction history.
- Communication preferences you select for account messages and updates.
- Support interactions such as chat logs, emails, and phone calls, used for service delivery and quality control.
Information collected through use
- Technical data such as IP address, device information, cookies, and browsing behaviour.
- Behavioural data such as page visits, click patterns, login frequency and timing, and features you use most.
- Gameplay data such as games played, deposits, withdrawals, and promotions accessed.
How we use personal data
We use the information we collect to keep your account functional and compliant, and to improve site performance. Processing is based on legitimate operational needs, including platform security and legal obligations in Canada.
- Create and manage your account and process payments securely.
- Verify identity, age, and eligibility to participate in gaming.
- Personalize onsite content, including how bonuses and promotions are displayed.
- Analyze website use and improve services, products, and campaigns.
- Meet legal duties, including anti-money laundering requirements.
Sharing, disclosure, and transfers
We do not sell, trade, or rent personal information to third parties. When sharing is necessary, we limit what is shared to what is required for the specific purpose.
Information may be disclosed to payment processors, software providers, analytics providers, or legal authorities, and only for the uses described in this policy. Where appropriate, we minimize, anonymize, or pseudonymize data used for analytics.
Mr Play is headquartered in Canada, and some processors may store or process information outside Canada, including within the EU. Cross-border transfers use contractual safeguards designed to maintain protection equivalent to Canadian standards, including mechanisms such as Standard Contractual Clauses for certain processing.
Security measures we apply
We use layered technical and organizational controls to help prevent unauthorized access and reduce misuse risk. These controls include encryption, authentication, monitoring, and access restrictions.
- 256-bit SSL protection for sensitive data, including card transactions.
- TLS 1.3 for data transfers between the client interface and backend servers.
- AES-256 encryption for stored personal information in the database when not in use.
- Two-factor authentication, staff access controls, and role-based permissions.
- Regular vulnerability scans and penetration testing, plus anomaly-detection alerts.
Practical account-safety tips
- Use a unique password that you do not reuse elsewhere.
- Change credentials every 6 months, or sooner if you notice unusual activity.
- Do not share login details, and avoid signing in on shared devices.
- Enable two-step verification when it suits your setup and device access.
Cookies and tracking controls
Cookies and similar tools help the site function properly, remember settings, and tailor content. Our use of cookies, pixels, and tracking tools is explained in the Cookies Policy, including how targeted offers may be presented.
You can disable cookies or adjust how they work in your account settings. You can also refuse ad tracking at any time through available controls.
Your rights and response timelines
Under PIPEDA, you can request access to the personal data we hold, correct inaccurate details, and object to processing in certain circumstances. You can also request deletion of your account, subject to legal retention requirements.
Requests can be made through a secure account area or via our encrypted contact forms. We may request proof of identity to protect your information while we handle your request.
- Requests are acknowledged within 72 hours.
- A full response is usually provided within 30 days.
- Correction requests are handled within 7 business days.
Retention, sessions, and age limits
We retain data for as long as your account is active, plus any period required by Canadian legal or regulatory obligations. Account records are kept for 5 years after the account is closed, or longer when required by law.
To reduce exposure on unattended devices, sessions end automatically after 30 minutes of inactivity, and you must log in again to continue.
Our website is not intended for individuals under 19 years of age. Some site materials also reference an 18+ audience; in all cases, we do not knowingly collect information from minors and we use access-prevention steps.
Incident response and notifications
If a security breach affects your personal information, we notify affected individuals promptly and inform relevant authorities where required. We also take containment steps such as isolating access points, terminating sessions, and resetting suspicious credentials when appropriate.
Quick reference table
| Area | Standard / timeline | What it means |
|---|---|---|
| Encryption for sensitive transfers | 256-bit SSL; TLS 1.3 in transit | Protects transaction and account data during transmission. |
| Stored data protection | AES-256 at rest | Limits readability if storage systems are accessed improperly. |
| Authentication options | Two-factor authentication available | Adds an extra step before account access is granted. |
| Session handling | Auto logout after 30 minutes | Reduces risk from unattended devices. |
| Retention after closure | 5 years | May extend when law requires longer storage. |
| Access request acknowledgement | 72 hours | Secure verification may be required before processing begins. |
| Typical full response window | 30 days | Covers access, export, limits, and deletion requests. |
| Correction handling | 7 business days | Updates inaccurate personal details once confirmed. |
| Age access rule | Not intended for under 19; also references 18+ | Steps are used to help prevent minors from accessing services. |
How to contact us
A Data Protection Officer oversees questions about how personal data is handled. You can contact us through the encrypted forms on the site if you want to review, correct, or request deletion of stored information.