Register

The Gransino Data Statement

Editorial desks collect less data than casinos do, but they still collect some. This statement walks through what gets logged here, where it lives, who can read it, when it gets purged, and what to do if any of those answers do not sit comfortably. The framework is UK GDPR with the Data Protection Act 2018 alongside, supervised by the Information Commissioner’s Office. The most recent edit was made in February 2026.

Statement owner: James Whitford, Senior Casino Reviewer
Most recent edit: February 2026

Most recent edit February 2026
Legal framework UK GDPR + DPA 2018
DPO contact [email protected]
Analytics retention 14 months
Cookie inventory /uk/cookies
Supervisor ICO (UK)

1. The desk behind this site

Gransino, hosted at penalty-arena.com, is the independent editorial desk that signs up at offshore casinos, plays a session, files the cash-out and writes about what happened. Within the meaning of UK GDPR, this desk is the data controller for any personal data flowing through the site.

The desk does not operate a casino. There is no deposit handling, no wager processing, no balance custody, no gaming software, no gaming licence. The published output is reviews, comparison tables and explainers; some of the outbound links carry an affiliate tag, meaning a referral fee may be paid if a reader subsequently signs up at the operator on the other side.

2. The data the site touches

No user accounts run on this site, which keeps the data shelf short. The categories that may be processed are:

  • Technical signals from your browser — truncated or anonymised IP, browser type and version, OS, device class, screen size, referring URL, pages requested, time on page, and a city-level location derived from the IP.
  • Contact form payload — name (optional), email address and the body of the message you send through the contact form.
  • Newsletter sign-up record — email address, the opt-in timestamp and the source page recorded against the subscription.
  • Cookie identifiers — pseudonymous tags written by the analytics and consent cookies. The full inventory sits in section 6.

Special category data (health markers, biometrics, religious belief, political affiliation and similar) is never knowingly collected here, and data from anyone under 18 is never knowingly handled either.

3. How the data reaches the desk

  • Passively, via cookies and analogous technologies as you read pages (the Cookie Notice spells out the detail).
  • Through privacy-respecting analytics configured with IP truncation switched on at the collection stage.
  • Directly from you, when you complete the contact form or email the desk.
  • By explicit opt-in, when you tick to subscribe to a newsletter or email update.

4. Why the data gets processed

Personal data is processed for a short, defined list of purposes — nothing else:

  • To run the website, serve pages reliably and shut out abusive, fraudulent or scraping traffic.
  • To measure aggregate readership, work out which reviews land usefully and steer editorial accordingly.
  • To answer enquiries that arrive through the contact form or directly by email.
  • To deliver opt-in newsletters where the reader has explicitly subscribed.
  • To meet legal obligations under British law that apply to this desk.

5. The Article 6 footing

  • Consent — Article 6(1)(a): applied to non-essential cookies, analytics where consent is the chosen footing, and newsletter sign-ups. Consent is freely withdrawn at any time.
  • Legitimate interests — Article 6(1)(f): applied to security logging, abuse blocking and aggregated editorial measurement. The legitimate interest is running a safe and useful review desk; the balancing test favours minimum data over richer data.
  • Legal obligation — Article 6(1)(c): applied where retention or disclosure is mandated by British law.

6. Cookies

A short list of strictly necessary cookies runs at all times, plus audience cookies if (and only if) you consent. Advertising and retargeting cookies are not in use on this site. The exhaustive inventory — cookie name, role, processor and lifetime — is published in the Cookie Notice. The consent banner remains accessible at any time for changing the choice.

7. Sharing with affiliate operators

A meaningful share of outbound links on Gransino are affiliate links (routed through the /go redirector). The moment a reader taps one, the browser is redirected to the operator’s site. At that handover:

  • The operator receives a standard HTTP referer header pointing at penalty-arena.com, plus an affiliate identifier in the query string.
  • The operator does not receive your name, email, contact-form payload or any other personal data from this desk.
  • From the redirect onward, the operator’s own privacy policy governs everything that happens on their domain. The editorial desk has no oversight of those data practices.

A short roster of trusted processors acts strictly under written instruction: the hosting provider, the transactional email provider used for contact and newsletter messages, and the analytics platform. Each operates under a written data processing agreement.

8. Analytics and tracking posture

The analytics layer runs in a privacy-respecting configuration (Google Analytics 4 with IP anonymisation switched on, or a cookieless alternative such as Plausible). The desk works exclusively with aggregate metrics to understand traffic patterns and sharpen editorial work. No advertising profiles are built, no data is sold to third parties, and no cross-site marketing pixel is installed anywhere on the site.

9. Your UK GDPR rights

UK GDPR grants you the following rights against the desk’s handling of your personal data:

  1. Right of access (Art. 15) — request a copy of the personal data the desk holds about you.
  2. Right to rectification (Art. 16) — ask the desk to correct any inaccurate field.
  3. Right to erasure (Art. 17) — ask the desk to delete the data, subject to legal retention duties.
  4. Right to restriction (Art. 18) — ask the desk to pause processing while a query is investigated.
  5. Right to data portability (Art. 20) — receive the data in a machine-readable format suitable for porting elsewhere.
  6. Right to object (Art. 21) — object to processing carried out under legitimate interests.
  7. Right to withdraw consent — at any time, with no impact on the lawfulness of processing already completed.

To exercise any of these rights, email [email protected]. Replies normally land inside one calendar month, the maximum window UK GDPR allows.

10. How the data is protected

  • Encryption in transit — the entire site is served over HTTPS (TLS).
  • Encryption at rest — server storage runs on encrypted disks; the databases holding contact-form and newsletter records are encrypted at rest.
  • Access controls — admin access is restricted to a small editorial circle, guarded by strong passwords and mandatory multi-factor authentication.
  • Monitoring — server and application logs are reviewed weekly for unusual activity, and software is patched on a rolling cadence.

In the unlikely event of a personal data breach that creates a meaningful risk to data subjects, the desk will notify the ICO inside 72 hours and inform affected readers where the law requires.

11. Retention windows

  • Analytics data: 14 months from collection, then aggregated or deleted.
  • Server access logs: up to 100 days, unless retained longer for a specific security investigation.
  • Contact-form messages: 27 months after the most recent correspondence in the thread.
  • Newsletter subscribers: until you unsubscribe, plus a seven-month suppression window to prevent re-mailing.
  • Records mandated by British law: for the statutory retention period and not a day longer.

12. Complaining to the ICO

If our handling of personal data leaves you unhappy, please contact the desk first so the issue can be resolved at source. You retain the right to lodge a complaint with the British supervisory authority, the Information Commissioner’s Office:

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

13. Cross-border transfers

A handful of processors (the analytics platform and the transactional email provider) may store or process data outside the United Kingdom. When data leaves UK soil, the safeguards required by UK GDPR are in place, including:

  • UK adequacy regulations, where the destination country has been recognised as providing adequate protection;
  • The International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses; and
  • Supplementary technical measures such as encryption and pseudonymisation where appropriate to the transfer.

14. When this statement changes

The statement is refreshed periodically to track practice changes, supplier changes or legal developments. When a material change ships, the “Most recent edit” date at the top of the page moves and a homepage notice is published for the first fortnight. Continued use of the site after an update is treated as acceptance of the revised statement. See also the Terms of Use.

15. Reach the desk

Requests are acknowledged inside four working days and completed inside one calendar month, in line with UK GDPR.

Portrait of James Whitford

Casino Review Editor & Non-GamStop Specialist

James Whitford

Nine years of off-scheme casino journalism — specialist in bonus mechanics and crypto banking across Curaçao-licensed platforms.

View James’s profile