01 Who we are
StealMyBonus is an independent comparison and review site for online casinos and casino games. We do not operate any gambling product ourselves, we do not accept deposits or pay out winnings, and we do not have access to your account at any operator we link to. We earn revenue when a reader clicks through to a partner operator and then registers or deposits (see the Terms of use for a fuller explanation of how we make money).
For the purposes of the EU GDPR and the UK Data Protection Act 2018, the data controller for personal data collected on this site is the entity operating StealMyBonus; for CCPA purposes we are the “business” collecting personal information. Contact details are in section 11.
02 What we collect
We collect the smallest amount of data we can while still running the site responsibly. Concretely:
- Request metadata — IP address, user-agent string, referring URL, the URL you requested, response status and timing. Stored in standard web-server logs to keep the site up and detect abuse.
- Cookie identifiers — first-party session and preference cookies (see section 3) and, with your consent, analytics or affiliate-attribution cookies set by third parties.
- Contact-form input — if you write to us using a form on this site, we receive whatever you typed plus the email address you provided.
- Country signal — an approximate country derived from your IP address so we can show operators that are licensed and available in your jurisdiction. We do not store the underlying IP alongside the country in our analytics database.
We do not knowingly collect special-category personal data (health, political views, biometrics, etc.) and we have no need to. Do not send us special-category data via contact forms.
03 Cookies
A cookie is a small text file a website stores in your browser. We use cookies that fall into four groups: strictly necessary (always on, no consent required), preference (remembering your country selection and consent choice), analytics (only with consent), and affiliate-attribution (only with consent, set by the operator you click through to).
You can manage your consent at any time using the cookie banner footer link, or clear cookies from your browser’s settings. Strictly-necessary cookies cannot be disabled because the site cannot function without them.
04 Analytics
We run privacy-respecting analytics to understand which pages and operator pages readers find useful so we know what to improve. Where the provider supports it, IP addresses are truncated before storage and we do not enable cross-site tracking, behavioural advertising, or device-fingerprinting features. Analytics scripts only load after you give consent.
05 Third-party processors
The following categories of processor may receive your personal data on our behalf or as joint controllers when you choose to interact with their services. Replace this table with the actual vendors used in production before launch.
| Processor | Purpose | Data shared | Region |
|---|---|---|---|
| Hosting provider | Run the web servers | Request metadata, logs | EU |
| CDN / edge network | Cache and accelerate page delivery, block bots | IP, request headers | Global edge |
| Email provider | Receive contact-form submissions | Email, message body | EU / US |
| Analytics provider | Aggregate page-view statistics | Truncated IP, page URL, referrer | EU |
| Affiliate networks | Attribute click-throughs to partner operators | Click identifier, source page | EU / US / UK |
Each processor is bound by a data-processing agreement (DPA) that requires them to handle your data only on documented instructions and to maintain appropriate technical and organisational measures.
06 Data retention
We keep data only for as long as we have a legitimate reason to. In practice:
- Web-server logs — 30 days, then rotated and deleted.
- Analytics events — 14 months in aggregated form; raw events are discarded after 30 days.
- Contact-form messages — up to 24 months from the date of last contact, then archived or deleted.
- Cookie consent record — 12 months from the date consent was given, after which we ask again.
07 Your rights (GDPR & CCPA)
If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR or equivalent law gives you the right to:
- access the personal data we hold about you and receive a copy;
- have inaccurate data corrected and incomplete data completed;
- have your data erased where we no longer have a lawful basis to hold it;
- object to or restrict our processing based on legitimate interests;
- withdraw consent at any time, without affecting prior lawful processing;
- port your data to another controller in a commonly used format;
- lodge a complaint with your national supervisory authority.
If you are a California resident, the CCPA / CPRA gives you the right to know what categories of personal information we collect and the purposes for collection, the right to delete personal information we hold about you (subject to the exceptions in the statute), the right to correct inaccurate information, and the right to opt out of any “sale” or “sharing” of personal information as those terms are defined in the CCPA. We do not sell personal information for money. We may “share” it for cross-context behavioural advertising only where you have opted in via the cookie banner; you can opt out at any time using the “Do not sell or share” link in the footer.
To exercise any of these rights, write to the contact address in section 11. We respond within 30 days for GDPR requests and 45 days for CCPA requests and we do not charge a fee for reasonable requests.
08 Children
This site is intended for adults old enough to gamble legally in their jurisdiction (18+ in most countries, 21+ in some U.S. states). It is not directed at children and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us using section 11 and we will delete the data.
09 International transfers
Some of our processors are located outside the European Economic Area or the United Kingdom, including in the United States. Where personal data is transferred outside the EEA / UK, we rely on the European Commission’s Standard Contractual Clauses (and the UK addendum where relevant) and we carry out a transfer impact assessment before onboarding any processor in a country without an adequacy decision.
10 Updates
We update this policy when the law changes, when we add or remove a processor, or when we change how we use data. The date at the top of this page always reflects the most recent material change. We do not separately email readers about routine updates because we do not hold a marketing list; if you are an active contact (e.g. you sent us a message), we will tell you about material changes that affect data you have already given us.
11 Contact
Questions, complaints, or rights-requests: site.contact_email, or use the form on the contact page. Please put “Privacy” in the subject line so the right person sees it quickly.