Privacy Policy

We value your privacy. This Privacy Policy explains how william-hill-casino-canada collects, uses, discloses, and protects personal information of players and visitors who access and use william-hill-ca.com and related services. It applies to account holders, prospective players, and website/app visitors. Effective date: 29 October 2025. OBSERVE: what we collect and why; EXPAND: applicable legal bases and safeguards; REFLECT: your rights, choices, and how to contact us.

Who We Are

OBSERVE: Identify the data controller(s) for Canadian users. EXPAND: Reflect Ontario vs Rest of Canada operations and licensing. REFLECT: Provide practical contact channels.

  • Operator entities:
    • Ontario: VHL Ontario Limited, a registered operator with iGaming Ontario (iGO) / AGCO, certificate no. 0805128. Acts as data controller for users located in Ontario.
    • Rest of Canada: Virtual Digital Services Limited, licensed by the Malta Gaming Authority (MGA/CRP/543/2018). Acts as data controller for users outside Ontario.
    • Parent company: Evoke plc (formerly 888 Holdings plc).
  • Registered/Legal addresses: Listed on the AGCO/iGO Registered Operators list and the MGA Licensee Register. We will provide the current registered office details upon request.
  • Data Protection contact: Data Protection Team (DPO). Phone (toll‑free Canada): +1 833 677 8890. Online: contact us via the Support section at https://william-hill-ca.com (attention: "Data Protection Officer").

Regional compliance note: We operate in Ontario under iGO/AGCO requirements and in the Rest of Canada under PIPEDA and applicable provincial laws (e.g., Quebec Law 25).

What Personal Data We Collect

OBSERVE: Categories. EXPAND: Gaming/KYC specifics. REFLECT: Limit to what is necessary.

  • Identity and contact: Full name, date of birth, address, email, phone, nationality, government‑issued ID details (and images/video for verification, where required), self‑exclusion and responsible gambling preferences.
  • Account and behavior: Username, preferences, session activity, game play and betting history, deposits/withdrawals, interactions with support, responsible gambling interactions (limits, time‑outs).
  • Payment and financial: Payment instrument tokens (from PCI‑compliant providers), partial card data (masked), bank details (for payouts), transaction logs, fraud risk indicators.
  • Technical: IP address, device identifiers, OS/browser, language, time zone, app version, performance/error logs, approximate geolocation (IP/GPS where permitted).
  • Marketing and communications: Opt‑in/opt‑out status, campaign interactions, click/open data, referral/affiliate IDs.
  • Cookies and similar tech: Session and persistent cookies, SDKs, pixels, beacons for functionality, analytics, and advertising (see "Cookies & Tracking Technologies").

Regional compliance note: Collection is limited to appropriate purposes (PIPEDA s.5(3)) and to legal/regulatory needs (e.g., KYC/AML under applicable rules).

Legal Basis for Processing

OBSERVE: Map bases to uses. EXPAND: Address Canada (PIPEDA), Ontario/iGO, and other regimes. REFLECT: Clarify consent and necessity.

  • Consent: For optional uses (e.g., marketing, certain analytics/advertising cookies). You may withdraw at any time without affecting service essentials.
  • Contractual necessity: To create and service your account, process payments, verify eligibility, provide games, and pay winnings.
  • Appropriate/legitimate interests: To secure our platform, prevent fraud/abuse, ensure game integrity, measure performance, and improve services. In the EEA/UK, we rely on legitimate interests; in Canada, we act for purposes a reasonable person would consider appropriate (PIPEDA s.5(3)).
  • Legal obligations: KYC/age/identity checks, recordkeeping, responsible gambling duties, tax/AML requirements, responding to regulators and lawful requests.

Regional compliance note: Ontario operations follow iGO/AGCO Standards; Rest of Canada follows PIPEDA and relevant provincial rules (e.g., Quebec Law 25). For EU/EEA users, GDPR bases apply; for Mexico, LFPDPPP applies where relevant.

Purpose of Processing

OBSERVE: Why data is used. EXPAND: Gaming, compliance, improvements. REFLECT: No incompatible secondary uses.

  • Service delivery: Account setup, KYC, geolocation eligibility, deposits/withdrawals, gameplay, customer support.
  • Compliance and integrity: Age/identity verification, AML/CTF screening, dispute handling, auditing, responsible gambling measures.
  • Security and fraud prevention: Threat detection, incident response, access controls, chargeback/fraud monitoring.
  • Analytics and improvement: Performance metrics, feature usage, troubleshooting, A/B testing using aggregated or pseudonymized data.
  • Marketing (with consent where required): Offers, bonuses, surveys, personalization, and affiliate attribution; you can opt out anytime.

Regional compliance note: We minimize and limit processing to stated purposes and retain data only as necessary for those purposes.

Disclosure & Sharing

OBSERVE: With whom we share. EXPAND: Processors vs. independent recipients. REFLECT: Contractual safeguards.

  • Service providers (processors): Cloud hosting, IT support, analytics, customer support platforms, marketing tools, KYC/identity verification vendors, geolocation, and anti‑fraud services, bound by data processing agreements.
  • Payment partners: Payment gateways, banks, card schemes for processing and payouts (PCI‑DSS compliant partners).
  • Group companies: Within Evoke plc group for consolidated operations, compliance, and support, subject to intra‑group agreements.
  • Regulators and authorities: iGO/AGCO (Ontario), MGA (RoC), and other competent authorities or courts where legally required.
  • Advertising networks: Only with your consent where required; identifiers may be shared for campaign measurement and personalization.
  • Corporate transactions: In a merger, acquisition, financing, or sale, subject to confidentiality and continuity safeguards.

We do not sell personal information. Regional note: Disclosures are limited to what is necessary and proportionate; processors are contractually obliged to protect your data.

International Transfers

OBSERVE: Likely destinations. EXPAND: Applicable safeguards. REFLECT: Transparency and user protection.

  • Destinations: Canada, Malta, Gibraltar, the EEA/UK, and the United States (for cloud/communications providers).
  • Safeguards: Standard Contractual Clauses (EU SCCs) and UK IDTA where applicable, transfer impact assessments, encryption, and access controls. Canada benefits from EU adequacy for commercial organizations under PIPEDA.
  • Vendor oversight: Due diligence, contractual security obligations, and periodic reviews of subprocessors.

Regional compliance note: We implement supplementary measures where required to ensure essentially equivalent protection across borders.

Data Retention

OBSERVE: Legal and business timelines. EXPAND: Category‑based periods. REFLECT: Secure deletion/anonymization.

  • Account and identity (KYC): Up to 5 years after account closure, or longer if required for AML/regulatory purposes.
  • Transaction and financial records: 7 years from the transaction date (tax/audit/AML requirements).
  • Gameplay and logs: 5 years from record creation, subject to legal holds for disputes/investigations.
  • Responsible gambling data: For the duration of limits/self‑exclusion and as required by regulation thereafter.
  • Marketing data: Until you opt out or after 24 months of inactivity, whichever occurs first.
  • Cookies: See cookie table/controls; session cookies expire on close, persistent cookies per their set lifespan.

Deletion criteria: Upon expiry of retention period, withdrawal of consent (for optional uses), fulfillment of the purpose, or successful objection, subject to legal/regulatory obligations and backup cycle constraints. Data may be anonymized instead of deleted where appropriate.

Your Rights

OBSERVE: Rights landscape. EXPAND: Canada core rights; EU/Mexico alignment. REFLECT: Clear procedures and timelines.

  • Canada (PIPEDA): Access your data; request corrections; withdraw consent for optional uses; challenge compliance; obtain information about our practices. We respond within 30 days and free of charge unless requests are manifestly excessive or repetitive.
  • Quebec (Law 25), where applicable: Enhanced transparency, de‑indexation in some cases, and data portability as prescribed by law.
  • EEA/UK (GDPR): Access, rectification, erasure, restriction, objection (including to direct marketing), and portability; right to withdraw consent; right to lodge a complaint with your supervisory authority.
  • Mexico (LFPDPPP): ARCO rights: Access, Rectification, Cancellation, Opposition. We will acknowledge within statutory periods (generally 20 days to respond and 15 days to implement) and provide services free of charge unless disproportionate.
  • How to exercise: Contact our Data Protection Team at +1 833 677 8890 or via the Support section at https://william-hill-ca.com. We may verify your identity, clarify scope, and respond securely within the applicable timeframe.
  • Marketing choices: Opt out through account settings, unsubscribe links, or by contacting us. Cookie choices can be managed as described below.

Regional compliance note: Rights may vary by jurisdiction; where multiple regimes apply, we will honor the most protective applicable standard.

Cookies & Tracking Technologies

OBSERVE: Types and purposes. EXPAND: Controls. REFLECT: Respect choices.

  • Types:
    • Session cookies: essential, expire when you close your browser.
    • Persistent cookies: preferences, security, analytics, advertising; set durations.
    • Third‑party cookies/SDKs: analytics, anti‑fraud, advertising measurement.
  • Purposes: Functionality (login, load balancing), security/fraud detection, analytics (usage, performance), and advertising/personalization (with consent where required).
  • Controls: Manage via our cookie banner/settings, browser settings (block/delete), and mobile OS ad identifiers. Disabling certain cookies may affect functionality.

Regional compliance note: We obtain consent for non‑essential cookies where required and honor your selections.

Data Security

OBSERVE: Measures. EXPAND: Governance and response. REFLECT: Continuous improvement.

  • Technical controls: TLS 1.2+ in transit; strong encryption at rest (e.g., AES‑256); network segmentation; WAF/DDoS protection; MFA and role‑based access; secure key management; hardened configurations; logging and monitoring.
  • Organizational controls: Security policies and training, background checks where appropriate, least‑privilege access, vendor risk management, incident response and business continuity planning.
  • Testing and assurance: Regular vulnerability scanning, penetration testing, change control, and periodic audits. We align controls with industry standards (e.g., ISO/IEC 27001); select vendors may hold ISO 27001/SOC 2 certifications.
  • Breach handling: We investigate incidents, mitigate risk, and notify affected users and regulators when required by law (e.g., PIPEDA "real risk of significant harm" standard).

Regional compliance note: Security measures are risk‑based and proportionate to the sensitivity of gaming and payment data.

Complaints & Contacts

OBSERVE: Contact channels. EXPAND: Steps and escalation. REFLECT: Timely, fair resolution.

  • Contact us (primary):
    • Data Protection Team / DPO: +1 833 677 8890 (toll‑free, Canada).
    • Online: Support section at https://william-hill-ca.com (mark "Privacy request").
    • Postal: Send correspondence to our registered office (VHL Ontario Limited for Ontario; Virtual Digital Services Limited for RoC) as listed on the AGCO/iGO and MGA registers, addressed to "Data Protection Officer".
  • Complaint procedure: 1) Submit your concern with details; 2) We acknowledge receipt, may request verification/clarification; 3) We aim to resolve within 30 days and provide reasons and remedies. Complex matters may require more time; we will keep you informed.
  • Escalation to authorities:
    • Canada (PIPEDA): Office of the Privacy Commissioner of Canada (OPC), www.priv.gc.ca, 1‑800‑282‑1376.
    • Mexico (LFPDPPP): INAI, www.inai.org.mx, 800‑835‑4324 (800‑TELINAI).
    • EU/EEA: Your local Data Protection Authority (see EDPB list at https://edpb.europa.eu/).

Regional compliance note: You may also have recourse to applicable gaming regulators for regulatory concerns; privacy complaints should go to the DPAs listed above.

Updates

OBSERVE: How we change this policy. EXPAND: Notice and versioning. REFLECT: Your options.

  • Notifications: We will notify you of material changes via email, website banners, and/or account dashboard alerts.
  • Advance notice: For significant changes that affect how we use your data, we will provide at least 30 days' advance notice before the new terms take effect.
  • Your choices: You may object to material changes that rely on consent or close your account before changes take effect. Continued use after the effective date indicates acceptance, where permitted by law.
  • Version control: Last updated: October 2025. We maintain a changelog of material updates upon request.

Regional compliance note: Where local law requires renewed consent, we will seek it before applying changes to your data.