Legal · Privacy

Privacy Policy.

Last updated 2026-04-25 · Effective 2026-04-25 · Read time ~ 8 min

01Short version

We collect the minimum data needed to run a casino: account identifiers (to log you in), bet records (so the ledger balances), and approximate location (to comply with regulations). We do not sell your data, run ad trackers, or share your information with marketing companies. Two third-party services see narrow slices: a crypto price feed and a geo-lookup.

The sections below contain the full version. If you read only one, read Your rights. It explains how to obtain a copy of your data or delete your account.

02What we collect

The categories of data we collect:

  • Account basics, username, email, a bcrypt hash of your password (the password itself is not visible to us), account creation date, language preference.
  • Location signals, the IP address you connect from and the country or region it resolves to. The IP is used for abuse detection; the country code enforces regional restrictions.
  • Gameplay logs, every bet you place: game, amount, seed, outcome, timestamp. These logs allow any round to be reconstructed in case of a dispute.
  • Balance ledger, every deposit, withdrawal, bet, payout, bonus grant, and bonus forfeiture. Double-entry, immutable.
  • Support communications, the tickets you open, the replies we send, and any attached information.
  • Blockchain addresses, the crypto wallet you deposit from and the wallet you withdraw to. These are public on-chain; we store them to route your funds.

We do not collect: government ID (unless a withdrawal triggers a KYC threshold and only if required by local law), date of birth, phone number (unless you opt into 2FA by SMS), physical address, or browser fingerprints beyond basic user-agent logging.

03Why we collect it

  1. Account authentication. Username, hashed password, and session cookie are required to log you in.
  2. Game integrity. Server-side logs of every bet allow any round to be reconstructed exactly as it occurred.
  3. Anti-fraud. IP patterns, login geography, velocity checks, and wallet-address reuse are used to detect multi-accounting, laundering, and stolen-card deposits. They are not used for behavioral profiling.
  4. Regulatory compliance. We block jurisdictions that ban online casinos, retain ledger records for the period required by law, and enforce self-exclusion commitments.
  5. Support. Resolving a ticket requires being able to look up your account.

We do not use your data for ad targeting, profile-selling, personalized promo timing, or any machine-learning training outside internal fraud models.

04Cookies & sessions

QuiKash uses two things you might call "cookies" or local storage, both strictly necessary:

  • Session cookie (qkc.sid), keeps you logged in across page loads. HttpOnly, Secure in production, SameSite=strict. Expires after 7 days of inactivity.
  • CSRF token, a short-lived token that protects form submissions from cross-site request forgery. It is handled automatically.
  • Language preference, stored in browser localStorage so the language selection persists between visits. Technically not a cookie.

No Google Analytics, no Facebook Pixel, no third-party tracking. No consent banner is required because there is nothing that requires consent.

05Third-party services

Three external services see narrow slices of your activity:

  • CoinGecko, we call their public price API to convert between crypto and USD for display. They see our server's IP, not yours.
  • ipapi.co, on sign-up and first-play, we look up your IP's country code to enforce regional restrictions. ipapi receives your IP; they return a country/region; we store only the country code.
  • Blockchain networks, deposits and withdrawals are broadcast on a public blockchain (Bitcoin, Ethereum, Solana, etc.). These transactions are public by design.

We use no other third-party analytics, tag manager, marketing pixel, or CDN that would see your browsing behavior.

06Who we share with

Almost no one. We share data only when one of the following is true:

  • Hosting providers. Server traffic is visible to our hosting provider. Stored data is encrypted at rest.
  • Law enforcement with a valid legal request in a jurisdiction in which we operate. We comply with lawful requests and do not volunteer data without one.
  • Fraud investigation. If we suspect fraud on your account, we may share the minimum necessary data with other casinos, payment networks, or law enforcement to stop it.

We do not sell or rent your data.

07How long we keep things

  • Account data, while the account is active, plus the shortest retention window the law requires after closure (usually 5 years for financial records).
  • Gameplay logs, 2 years by default. Older than that, we aggregate them into stats and delete the row-level detail.
  • Support tickets, 12 months from last reply, then deleted.
  • IP addresses, 90 days in raw form, then hashed or purged.
  • Ledger entries, indefinitely, in aggregate form. The casino has to be able to prove its books balance.

08Your rights

Depending on where you live (GDPR, CCPA, and a growing list of similar laws), you have some or all of these rights:

  • Access, request a copy of the data we hold on you. Open a ticket; we will send a ZIP within 30 days.
  • Correct, fix any incorrect data. Email, username, and language preference can be changed in-app. Everything else is changed via support.
  • Delete, close your account and remove personal data. Ledger entries required by financial regulation cannot be deleted, but they can be stripped of identifying information.
  • Port, receive your data in a machine-readable format (JSON).
  • Object / restrict, request that we stop processing for a specific purpose where the law allows.

You exercise any of these rights by opening a support ticket.

09Children

QuiKash is for adults. The minimum age is 18 (or higher, where local law requires). We do not knowingly collect data from minors.

If we discover an account belongs to a minor, the account is frozen, any deposits are refunded to the original payment source, the personal data is deleted, and the email and IP are banned from re-registering. Parents who suspect a minor has an account here should contact support.

10Security

The short list of what we do on the technical side:

  • Passwords are stored as bcrypt hashes, never as plaintext. A database leak would still require an attacker to crack each hash.
  • SQL access is 100% parameterized. Injection is structurally prevented, not just filtered.
  • CSRF protection on every state-changing endpoint.
  • Content Security Policy with no inline scripts. Blocks most XSS impact even if a bug is present.
  • HTTPS-only in production, with HSTS.
  • Audit log for every balance change: actor, action, timestamp, and reason. Immutable append-only.

Security reports should be sent to support with "SECURITY" in the subject. We respond within 24 hours and pay for confirmed reports.

11If there's a breach

If we have reason to believe personal data has been accessed by an unauthorized party, we will:

  1. Contain the incident and determine the scope. Typically within hours.
  2. Notify affected users by email within 72 hours, including what we know and the steps you should take (rotate passwords, move funds, as applicable).
  3. Notify the relevant supervisory authority where required by law (typically a 72-hour window under GDPR).
  4. Publish a post-mortem once the incident is closed.

12Changes to this policy

This page is updated when our practices change. The "last updated" date at the top reflects the most recent revision. Material changes (anything that expands what we collect or who we share with) are emailed to you and flagged on your profile. Non-material changes only update the date.

13Contact

For privacy questions, data requests, or clarifications, open a ticket from the Live support page.

QUIKASH · FAIR PLAY, HONEST RULES DOC ID · PP-20260425