burger icon
Bluefox Сasino
Log In

Privacy Policy

OBSERVE: Identify controller, legal address, and contact. EXPAND: Include registration, licensing context, and a single point of contact. REFLECT: Provide clear, actionable contact routes for privacy matters.

Operator: ProgressPlay Limited (bluefox-casino for Canada via bluefox-ca.com)

  • Registered address: Soho Office, 3A, Punchbowl Centre, Elia Zammit Street, St. Julians, STJ3154, Malta
  • Company number: C58305 (Malta)
  • Licensing (context): MGA B2C Gaming Service Licence MGA/B2C/231/2012; UKGC Account No. 39335 (holder: ProgressPlay Limited)
  • Primary privacy contact (Data Protection Department/DPO): customersupport@instantgamesupport.com (use subject: "Privacy Request - bluefox-ca.com")
  • Web: https://bluefox-ca.com
  • Postal for privacy correspondence: at the registered address above

What Personal Data We Collect

OBSERVE: List categories collected during use of gaming services. EXPAND: Include cookies, behavioral, and KYC/AML data. REFLECT: Map categories to purposes detailed below.

  • Identity and contact: full name, date of birth, address, email, phone, nationality, government-issued ID copies and verification data, self-exclusion flags, age/majority status.
  • Account and usage: username, preferences, communication settings, support tickets, responsible gaming limits, session duration, game play logs.
  • Technical: IP address, device identifiers, OS/browser, language, referrer, crash/error logs, time zone, approximate geolocation.
  • Payment and transaction: deposits/withdrawals, payment instrument tokens (from processors), billing address, currency, chargeback records, AML/KYC checks, sanction and PEP screening results.
  • Behavioral/analytics: page views, clicks, scrolls, campaign attribution, betting history and stakes, bonuses opted, conversion metrics.
  • Cookies and similar technologies: session and persistent cookies, local storage, pixels, SDKs, device fingerprinting for fraud prevention (details in Cookies section).
  • Communications: consents/opt-ins, marketing preferences, survey responses, complaints.

We do not knowingly collect data from anyone below the legal age of majority in their province/territory.

Legal Basis for Processing

OBSERVE: Explain grounds under Canadian law with cross-jurisdiction notes. EXPAND: Distinguish consent/contract/legal obligations and reasonable purposes. REFLECT: Align to PIPEDA, provincial laws, and GDPR/UK where applicable.

  • Consent (PIPEDA, provincial PIPA, CASL): We rely on your express or implied consent for account registration, non-essential cookies, and marketing communications. You may withdraw consent at any time (see Your Rights).
  • Performance of a contract: To create/manage your account, verify age/identity, process deposits/withdrawals, provide games, and deliver support.
  • Legal obligations: To meet KYC/AML/CTF requirements, sanctions screening, fraud monitoring, record-keeping, and reporting to competent authorities; to comply with lawful requests and dispute resolution.
  • Reasonable/business purposes (PIPEDA appropriateness principle): Network and information security, service analytics, and service improvement in ways a reasonable person would consider appropriate in the circumstances.
  • Legitimate interests (EU/UK where applicable): For users protected by GDPR/UK law, we rely on legitimate interests for security, fraud prevention, and analytics, balanced against your rights.

Purpose of Processing

OBSERVE: State clear purposes. EXPAND: Tie to operations and compliance. REFLECT: Ensure purpose limitation and transparency.

  • Deliver and operate services: account creation, game access, payments, customer support, responsible gaming tools.
  • Security and fraud prevention: identity verification, device fingerprinting, anomaly detection, chargeback and abuse prevention.
  • Legal and regulatory compliance: KYC/AML screening, sanctions checks, record-keeping, audits, dispute handling.
  • Service improvement and analytics: performance monitoring, UI optimization, error diagnostics, aggregated reporting.
  • Marketing and personalization (with consent where required): offers, newsletters, retention campaigns, bonus recommendations, frequency capping.
  • Business continuity: backups, archiving, incident response testing and recovery.

Disclosure & Sharing

OBSERVE: Identify categories of recipients. EXPAND: Specify conditions and safeguards. REFLECT: Limit to necessity with contractual controls.

  • Payment and banking partners: card processors, e-wallets, and payout providers to process transactions and prevent fraud.
  • KYC/AML and risk vendors: identity verification, sanctions/PEP screening, fraud and chargeback prevention providers.
  • Technology/service providers: hosting, CDNs, analytics, security monitoring, customer support platforms, communications tools-bound by data processing agreements and confidentiality.
  • Regulators and authorities: disclosures to competent regulators and law enforcement when legally required or to defend legal claims.
  • Corporate affiliates: ProgressPlay Limited group entities for centralized compliance, finance, and operations, subject to appropriate safeguards.
  • Marketing/advertising partners: only with your consent where required; we implement preference controls and opt-outs.
  • Business transactions: in mergers, acquisitions, or reorganization, subject to continuity of protections and notices.

International Transfers

OBSERVE: Cross-border flows occur for operations. EXPAND: Name regions and safeguards. REFLECT: Ensure comparable protection as required by law.

  • Destinations: Canada; Malta and the EU/EEA (operations and compliance); United Kingdom; United States (cloud/CDN, security, communications); other locations of vetted vendors.
  • Safeguards (Canada): contractual measures ensuring comparable protection, encryption, strict access controls, and transfer risk assessments; Quebec Law 25 assessments for transfers outside Quebec.
  • Safeguards (EEA/UK data where applicable): EU Standard Contractual Clauses (SCCs) and UK IDTA/addenda; for US recipients, reliance on the Data Privacy Framework certification where applicable plus supplementary measures.
  • Transparency: Key transfer details are available upon request, subject to security and confidentiality constraints.

Data Retention

OBSERVE: Retention tied to purposes and law. EXPAND: Provide category-based timelines and criteria. REFLECT: Enable deletion when no longer needed.

  • Account and identity data: for the life of your account; after closure, retained for up to 5 years to meet AML/record-keeping and dispute requirements unless a longer period is legally required.
  • Transaction and financial records: up to 5 years after account closure or last transaction, subject to extended statutory obligations.
  • Risk/fraud and compliance logs: 5 years from creation, or longer if linked to investigations.
  • Support tickets/complaints: 3-5 years after resolution, depending on nature and applicable limitation periods.
  • Marketing data: until you opt out or after 24 months of inactivity, whichever occurs first, unless we must retain a suppression record.
  • Technical logs and analytics: 12-24 months, aggregated or anonymized thereafter.

Deletion criteria: expiry of retention period, withdrawal of consent where applicable, successful objection, or end of processing purpose, unless retention is required by law or to establish/exercise/defend legal claims.

Your Rights

OBSERVE: Clarify rights under Canadian law, with alignment for EU/UK and Mexico where applicable. EXPAND: Provide procedures and timelines. REFLECT: Ensure accessibility and no-cost principles.

  • Canada (PIPEDA and provincial laws): access to your personal information; correction/updates; withdraw consent to marketing and certain processing; ask about our policies and practices; challenge compliance. Quebec residents may have data portability rights for certain computerized data.
  • EU/UK (if applicable): rights of access, rectification, erasure, restriction, objection (including to profiling/marketing), portability, and to lodge a complaint with your supervisory authority.
  • Mexico (if applicable): ARCO rights (Access, Rectification, Cancellation, Opposition) under the Federal Law on Protection of Personal Data Held by Private Parties; right to revoke consent.
  • How to exercise: email customersupport@instantgamesupport.com with subject "Privacy Request - bluefox-ca.com," include your account email, jurisdiction of residence, and request details. We will verify identity and may request additional information solely to confirm your identity.
  • Timeframes and fees: we acknowledge within 7 days and respond within 30 days (extensions permitted by law; we will inform you). Requests are free of charge unless manifestly unfounded/repetitive; any permissible fee will be explained in advance.
  • Marketing opt-out: use unsubscribe links in emails or adjust preferences via your account (where available), or contact us.

Cookies & Tracking Technologies

OBSERVE: Explain types/uses. EXPAND: Provide control methods. REFLECT: Respect consent for non-essential cookies.

  • Types: session cookies (expire on browser close); persistent cookies (set duration); first-party and third-party cookies; pixels/SDKs; local storage.
  • Purposes:
    • Strictly necessary/functional: sign-in, security, load balancing, remembering choices.
    • Analytics: measuring site performance, diagnosing errors, improving UX.
    • Advertising/marketing: measuring campaigns, personalization, frequency capping (used only with consent where required).
    • Fraud prevention: device fingerprinting and anomaly detection.
  • Controls: manage via your browser settings (blocking/deleting cookies may impact functionality) and our Cookie Preferences tool (link: "Cookie Settings") for non-essential categories; opt out of marketing using in-message links.

Data Security

OBSERVE: Outline technical/organizational measures. EXPAND: Include encryption, access control, audits, and incident response. REFLECT: Commit to continuous improvement without over-claiming certifications.

  • Encryption: TLS 1.2+ in transit; industry-standard encryption (e.g., AES-256) at rest for sensitive data; key management with separation of duties.
  • Access controls: least-privilege, role-based access, MFA for administrative access, network segmentation, secure SDLC and code reviews.
  • Monitoring and testing: vulnerability scanning, periodic penetration testing, logging and alerting, anti-fraud/anti-abuse tooling.
  • Vendor management: security and privacy due diligence, contractual protections, and ongoing oversight.
  • Training and governance: staff security/privacy training, policies aligned with ISO/IEC 27001 and SOC 2 practices (we do not claim certification unless explicitly stated), regular risk assessments.
  • Incidents: documented response procedures; where required by Canadian law, we will notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals of breaches posing a real risk of significant harm, and keep records of all breaches.

Complaints & Contacts

OBSERVE: Provide clear channels and escalation. EXPAND: Set steps and timelines. REFLECT: Include relevant authorities and resources.

  • Contact us (preferred): customersupport@instantgamesupport.com (subject: "Privacy Complaint - bluefox-ca.com"). Postal: ProgressPlay Limited, Soho Office, 3A, Punchbowl Centre, Elia Zammit Street, St. Julians, STJ3154, Malta. Live chat may be available via your account.
  • Our process:
    1. Acknowledge your complaint within 7 days.
    2. Investigate and respond within 30 days with findings and any corrective action.
    3. If additional time is necessary, we will explain why and provide a new expected date.
  • Escalation (Canada): If unresolved, you may contact the Office of the Privacy Commissioner of Canada via https://www.priv.gc.ca/en/contact-the-opc/ and, where applicable, your provincial authority: Quebec CAI https://www.cai.gouv.qc.ca/, BC OIPC https://www.oipc.bc.ca/, Alberta OIPC https://www.oipc.ab.ca/.
  • EU/UK (where applicable): contact your local data protection authority: list at https://edpb.europa.eu/about-edpb/board/members_en or the UK ICO at https://ico.org.uk/global/contact-us/.
  • Mexico (where applicable): the INAI (National Institute for Transparency, Access to Information and Protection of Personal Data): https://www.inai.org.mx/.

Updates

OBSERVE: Explain how changes are communicated. EXPAND: Provide notice periods and user options. REFLECT: Ensure version control and transparency.

  • Last updated: October 2025 (version 1.0-CA).
  • Notifications: We will post updates on this page and, for material changes, notify you by email, account alerts, or prominent banners on bluefox-ca.com.
  • Advance notice: For significant changes impacting your rights or our processing purposes, we will provide at least 30 days' notice before the effective date, where feasible.
  • Your choices: If you object to changes, you may adjust preferences, withdraw consent where applicable, or close your account. Continued use after the effective date indicates acceptance of the revised policy.
  • Changelog (material changes): we will summarize substantive updates (e.g., new processing purposes, new categories of recipients, or new transfer destinations).

Regional compliance note: This policy is tailored for Canada (PIPEDA and applicable provincial laws) with alignment references for EU/UK and Mexico only where those laws apply to you.