How we collect, use, and protect your personal information under Malaysia's Personal Data Protection Act 2010. Last updated: 2026-04-01.
U2 Casino collects three categories of personal data from Malaysian players. First, information you provide directly during registration and KYC — full name as it appears on your Malaysian IC or passport, date of birth, registered residential address, phone number (+60 country code verified via SMS), email address, and one government-issued photo ID plus a selfie holding that ID. Second, payment data processed through regulated gateways — your FPX bank choice, DuitNow phone/NRIC reference, Touch 'n Go wallet ID, or USDT wallet address. We never store raw bank account numbers, card PANs, or banking passwords on our servers; all card data is tokenised by our PCI-DSS Level 1 payment processors. Third, technical metadata captured automatically — IP address, device fingerprint, browser user-agent, operating system version, session timestamps, pages visited, games played, wager amounts, and referral source.
Under PDPA 2010 Section 6, personal data processing requires a lawful basis. U2 Casino relies on four overlapping bases depending on the processing purpose. Contractual necessity covers account operation, deposit processing, wager settlement, and withdrawal payments — we cannot deliver the service you signed up for without this data. Legal obligation covers KYC verification, age verification, anti-money-laundering reporting under AMLA 2001, and financial record-keeping under the Income Tax Act 1967. Legitimate interests cover fraud prevention, chargeback dispute handling, account takeover protection, platform security monitoring, and service analytics — all balanced against your privacy rights. Explicit consent covers marketing communications, optional cookie categories, and any processing outside the other three bases; you can withdraw consent at any time via Account Settings or by emailing our DPO without affecting the lawfulness of prior processing.
Your personal data is used for exactly six purposes, each tied to one of the legal bases above. One, to operate your U2 Casino account — login authentication, wallet management, game loading, bet settlement, transaction history. Two, to process deposits and withdrawals — routing transactions through FPX, DuitNow, Touch 'n Go, Boost, GrabPay, or USDT networks. Three, to meet KYC/AML and age-verification obligations under Malaysian law. Four, to prevent fraud and detect suspicious activity including chip dumping, bot play, account takeover, and multi-accounting. Five, to improve the platform — aggregate analytics on which games are popular, which features are used, where users drop off. Six, to send you relevant communications about your account, bonuses you are eligible for, or security alerts. We do not sell your data to third parties. We do not profile you for behavioural ads outside U2 Casino.
U2 Casino uses four categories of cookies and similar tracking technologies. Strictly necessary cookies maintain your session, keep you logged in, remember your language preference, and protect against CSRF — these cannot be disabled without breaking site function. Performance cookies measure page load times, identify broken interfaces, and help us allocate CDN resources — all anonymised. Analytics cookies track aggregate navigation patterns via a first-party analytics engine hosted on our own infrastructure; we do not use Google Analytics, Facebook Pixel, or other third-party trackers by default. Marketing cookies track conversion from promotional campaigns, but only the campaign ID is stored — not your behaviour elsewhere on the web. You can disable non-essential cookie categories via the cookie banner that appears on first visit, or clear them anytime via browser settings.
Operating U2 Casino requires us to share limited data with specific third-party processors, all bound by data processing agreements. Game providers — Evolution Gaming, Pragmatic Play, JILI, PG Soft, Microgaming, Spadegaming, DG Gaming, Playtech Live and 14 others — receive session IDs, bet amounts, and outcome values, but not your name, IC number, or contact details. Payment processors — Paynet (FPX), DuitNow Online Transfer, Touch 'n Go, Boost, GrabPay, Circle/Tether (USDT) — receive the minimum data required to settle transactions, typically your name and banking identifier. Cloud infrastructure providers (AWS Singapore, Cloudflare) host encrypted data but have no key access. KYC verification vendors receive your ID photo and selfie solely for identity validation and purge the data within 90 days per our contract. Customer support tooling processes chat transcripts within our own infrastructure.
Malaysia's PDPA 2010 grants you specific rights over your personal data, all of which U2 Casino honours within 21 working days of a verified request. Right of access — you can request a full copy of the personal data we hold about you. Right of correction — you can request that inaccurate data be fixed. Right to withdraw consent — for any processing based on your consent (primarily marketing), you can opt out and we will stop. Right to prevent processing causing distress — unusual circumstances, handled case by case. Right to prevent direct marketing — a one-click opt-out on every email, plus a blanket toggle in Account Settings. Right to data portability — machine-readable export of your account and transaction history. Right to lodge a complaint with the Personal Data Protection Commissioner at JPDP if you believe we have mishandled your data. Contact our DPO at [email protected] to exercise any right — identity verification is required to prevent impersonation.
Retention periods are tied to specific legal or operational requirements. KYC documents (ID photo, selfie, proof of address) are retained for 5 years after account closure as required under AMLA 2001 and then permanently deleted from live systems and backup archives. Transaction records (deposits, withdrawals, wager history) are kept for 7 years to satisfy tax and financial record-keeping obligations. Game-level logs (individual slot spins, hand outcomes) are retained for 2 years for dispute resolution and then anonymised. Customer support chat transcripts are retained for 3 years for service quality review. Marketing preferences and non-essential cookie data expire 12 months after your last login. You can request early deletion under your PDPA right to erasure; we honour it unless a specific legal retention override applies (active regulatory investigation, ongoing dispute, unresolved chargeback).
U2 Casino's primary data centres are hosted in Malaysia and Singapore on AWS infrastructure. Some third-party processors we rely on operate outside Malaysia: Evolution Gaming studios in Romania and Armenia, Pragmatic Play infrastructure in Malta, Cloudflare edges globally, Tether Treasury in Hong Kong. Under PDPA 2010 Section 129, international transfers of Malaysian personal data require a lawful basis. We rely on two: first, the recipient jurisdiction has equivalent data-protection laws (EU, UK under GDPR); second, we impose contractual obligations equivalent to PDPA on processors in jurisdictions without comparable legislation. All international transfers are encrypted in transit via TLS 1.2+, identifiers are pseudonymised where technically feasible, and onward transfer by processors is contractually prohibited. A current list of all international processors and their jurisdictions is available on request from [email protected].
U2 Casino Malaysia is strictly a platform for persons aged 18 and above. We do not knowingly collect personal data from minors, do not market to minors on any channel, and do not serve content to minors. Our registration flow captures date of birth at step one, and our KYC process verifies age against a government-issued ID before any withdrawal is processed. Any account discovered to belong to a person under 18 is immediately frozen, all pending wagers voided, the full deposit amount refunded to the original payment source, and the account permanently closed. Identifiable parents or guardians are notified where lawfully possible. If you are a parent or guardian who believes a minor has accessed U2 Casino using your payment method or identity, contact [email protected] and we will freeze the account within minutes. We strongly recommend enabling iOS Screen Time, Android Family Link, or router-level parental controls as a first line of defence.
In the event of a personal data breach affecting U2 Casino players, we follow a documented incident response plan aligned with PDPA 2010 best practice. The incident response team is notified within 60 minutes of detection. The breach scope, affected data categories, and affected user count are established within 24 hours. The Personal Data Protection Commissioner at JPDP is notified within 72 hours where the breach is likely to result in significant harm, following the industry-recognised notification standard. Affected users are notified individually by email and in-app alert within 72 hours of scope confirmation, with clear guidance on mitigation steps (password reset, card cancellation if applicable, account lockdown). Post-incident, a root cause analysis is conducted, remediation actions are tracked to closure, and a summary report is published to affected users. We maintain a breach response log and a public breach notification archive accessible on request.
For any privacy-related question, data-access request, correction request, deletion request, or formal complaint under PDPA 2010, contact our registered Data Protection Officer at [email protected]. For general account questions that touch on privacy, [email protected] or the 24/7 in-app live chat will route you to the right team. Formal PDPA requests receive an acknowledgement within 2 working days and a substantive response within 21 working days as required by law. Identity verification is mandatory before we action any data-access or deletion request — usually a selfie holding your ID matching the one on file — to prevent impersonation attacks. If you are dissatisfied with our response, you have the right to lodge a complaint directly with the Jabatan Perlindungan Data Peribadi (JPDP) at www.pdp.gov.my or by post to their Putrajaya office.