Who is the data controller?

CrashAudit is the controller of data collected on this site for analytics and affiliate-tracking purposes. There is no user account on CrashAudit — we do not store your name, email, or login. For privacy questions: privacy@crashaudit.com.

Do you share my data with casinos?

We do not share personally identifiable data. When you click a casino link through our /go/ wrapper, the destination operator receives an anonymous affiliate sub-ID — that is what allows commission to be attributed correctly. It does not include your name, IP, or browsing history on our site.

How do I opt out of analytics?

Decline consent in the cookie banner. If you previously accepted, clear your cookies for this site and the banner will appear again so you can change your choice. You can also use a tracker-blocker (uBlock Origin, Privacy Badger) — we do not attempt to circumvent those.

What are my rights under GDPR and CCPA?

Under GDPR (UK/EU): access, rectification, erasure, restriction of processing, portability, objection, withdrawal of consent. Under CCPA/CPRA (California): right to know, right to delete, right to correct, right to opt out of sale (we do not sell), right to limit use of sensitive PI (we do not collect any). For any request: privacy@crashaudit.com — we respond within 30 days (GDPR statutory) or 45 days (CCPA statutory).

Is CrashAudit liable if I lose money at a casino?

No. CrashAudit is editorial information — we are not a casino and we are not party to financial transactions between you and third-party operators. We do our best to list operators with valid licences and a payout track record, but specific situations (stalled withdrawal, bonus terms dispute) are between you and the operator. If the operator is UKGC-licensed, escalate via the UKGC complaint process; if MGA, via the Malta Gaming Authority Player Support Unit; if Curaçao, via the operator-level dispute path or to the eCOGRA arbitration service when offered.

Privacy policy & terms of use

Data we collect

CrashAudit has no user accounts, runs no games, and processes no payments. The data we collect is the minimum needed for the site to work and for us to understand what people read:

Analytics cookies (only after your consent) — pages visited, time on page, device type (mobile/desktop), browser, country. We do not collect your name, email, phone number, or any direct personal identifier.
IP address — used once on page load to detect country and serve the right locale (US/UK/CA → /en/, Brazil → /pt/, etc.). After that single use, we truncate the IP for log retention. We do not store the full address.
Affiliate sub-ID — when you click a /go/ link, an anonymous identifier is created tying the click to potential commission. It contains no personal data.
Email address — only if you contact us — at editor@crashaudit.com or privacy@crashaudit.com. We retain only as long as needed to reply, maximum 12 months, then delete.

What we explicitly do NOT collect: casino account data (we have no access), banking history, identity documents, or any "special category" / "sensitive" personal information (race, religion, sexual orientation, health, biometrics) under GDPR Article 9 or CCPA sensitive PI rules.

Cookies in use

Three categories:

Essential (no consent required, basis: legitimate interest / contract) — basic site function, language preference, theme. Without them the site does not load correctly.
Analytics (consent required) — Google Analytics 4 or a privacy-respecting alternative (Plausible / Umami). Measures pageviews, retention, devices. IP anonymisation enabled by default.
Affiliate tracking (consent required) — when you click /go/, the destination casino registers that you came from CrashAudit. That is how commission attribution works.

The consent banner appears on first visit. You can accept all, reject all, or pick categories. Your choice is honoured — if you reject analytics, the script never loads on your session.

Terms of use

By using the site, you agree to:

Minimum age 18 (21 in some US states such as Massachusetts and Pennsylvania, 19 in some Canadian provinces). Gambling is prohibited for minors. If you are under the legal age in your jurisdiction, leave the site.
CrashAudit is not a casino. We list third-party operators and provide editorial analysis. Your financial relationship is with the operator, not with us.
Content is informational, not legal or financial advice. Gambling involves real money loss. The decision is yours.
You are responsible for the legality of gambling in your jurisdiction. Listed casinos may be restricted by country or US state. Verify before depositing.
Affiliate disclosure: we earn commission when you sign up at a casino through our links. This is marked with rel="sponsored" on every outbound link and disclosed openly on the About page.
No guarantee of outcome. Educational content about RTP, strategies, and bankroll is not a profit promise. The house always holds a mathematical edge (RTP < 100%).

Your rights under GDPR (UK/EU)

As a data subject in the UK or EU, you have the following rights under the UK GDPR and EU GDPR:

Right of access — confirmation of processing and a copy of the data
Right to rectification — correction of inaccurate or incomplete data
Right to erasure ("right to be forgotten") — deletion of data
Right to restriction of processing
Right to data portability — receive your data in a machine-readable format
Right to object to processing based on legitimate interests
Right to withdraw consent at any time, without affecting prior lawful processing
Right not to be subject to solely automated decision-making

To exercise any right: privacy@crashaudit.com. We respond within 30 days (UK GDPR statutory). If you are not satisfied, you can lodge a complaint with the UK Information Commissioner's Office (ICO): ico.org.uk, or with your country's equivalent supervisory authority in the EU.

Your rights under CCPA / CPRA (California)

California residents have additional rights under the CCPA (as amended by the CPRA, in force since January 2023):

Right to know what personal information is collected, used, shared, or sold
Right to delete personal information collected from you
Right to correct inaccurate personal information
Right to opt out of sale or sharing of personal information — note: we do not sell or share personal information for cross-context behavioural advertising
Right to limit use of sensitive personal information — we do not collect any
Right to non-discrimination for exercising these rights

To exercise any of these: privacy@crashaudit.com. We respond within 45 days (CCPA statutory). Complaints can go to the California Privacy Protection Agency: cppa.ca.gov.

Retention and security

Analytics data is retained for 14 months (GA4 default). Server logs with truncated IP retain for 30 days. Contact emails are deleted after issue resolution, maximum 12 months. We do not sell data — full stop.

Security: HTTPS enforced (TLS 1.2+) with a valid Let's Encrypt certificate. Because the site is static (no backend, no logins, no payments processed here), there are no passwords or card numbers to leak — there is nothing of that kind on the server. Hardened security response headers (HSTS, Content-Security-Policy, X-Content-Type-Options) are on the planned ops backlog and will be added at the edge layer when CDN is migrated; status will be documented here when shipped.

Children and minors

The site is exclusively directed to adults of legal gambling age in their jurisdiction. We do not knowingly collect data from minors. If you are a parent or guardian and discover that a minor has had data collected, write to privacy@crashaudit.com requesting deletion and we will action it within 14 days.

Changes to this policy

Material changes will be announced with at least 30 days' notice on the home page. Minor editorial corrections may be made without notice, but the "Last updated" date at the top of this page always reflects the most recent revision.

Contact

Privacy questions, GDPR/CCPA requests, opt-out: privacy@crashaudit.com
Editorial corrections, content suggestions: editor@crashaudit.com
Response times: privacy 30 days (GDPR) / 45 days (CCPA), editorial 3–5 business days.

Last updated: 02 May 2026