Privacy Policy — How 999bad Collects, Uses, and Protects Your Personal Data
Your privacy matters to us. This Privacy Policy explains in plain, formal terms exactly what personal data the 999bad platform collects from you, the lawful basis on which it is processed, how it is stored securely, and what rights you hold over your own information.
1 Data Controller and Contact Details
999bad operates as the data controller in respect of the personal data it collects from users of the platform. As data controller, 999bad determines the purposes and means of processing your personal information in accordance with this Privacy Policy.
If you have any questions, concerns, or requests relating to your personal data or this Privacy Policy, you may contact the 999bad Data Privacy team using the following details:
- Email: [email protected] (plain text — not a clickable link)
- Response time: We aim to respond to all privacy-related enquiries within five business days.
- Support hours: 24 hours a day, 7 days a week, in English.
For formal data subject requests (such as access requests, erasure requests, or objections to processing), please include your full registered name, registered email address, and a clear description of your request in your correspondence to enable efficient handling.
2 Information We Collect
999bad collects personal data from you through several channels — directly when you register an account or interact with platform features, automatically as you use the site, and occasionally from third-party sources such as payment processors and identity verification providers. The categories of data collected are set out in the table below.
| Data Category | Specific Data Points | Collection Method |
|---|---|---|
| Identity Data | Full legal name, date of birth, gender, national ID number, passport number | Registration form, KYC verification documents |
| Contact Data | Email address, Bangladesh mobile phone number, residential address | Registration form, account settings |
| Financial Data | bKash / Nagad / Rocket / Upay account identifiers, Visa / Mastercard partial card numbers, transaction history | Cashier / deposit and withdrawal flows |
| Technical Data | IP address, device type, browser type and version, operating system, screen resolution, time zone | Automatic collection via server logs and analytics |
| Usage Data | Pages visited, games played, session duration, bet history, bonus usage, support chat transcripts | Platform activity tracking |
| Communications Data | Emails sent to support, live chat messages, feedback submissions | Direct communication with 999bad support |
2.1 Data We Do Not Collect
999bad does not collect or store full payment card numbers. Card transactions are processed through PCI-DSS compliant third-party payment gateways; 999bad receives only tokenised or masked references. 999bad also does not collect data on race, ethnicity, religious beliefs, political opinions, or biometric data unless specifically required for identity verification under applicable law, in which case such data is handled with additional safeguards.
2.2 Data from Minors
The 999bad platform is strictly for users aged 18 and above. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that personal data has been submitted by a person under 18, we will delete that data promptly and close the associated account. If you believe a minor has submitted data to 999bad, please contact us immediately at [email protected].
3 Lawful Basis for Processing
999bad processes personal data only where there is a recognised lawful basis for doing so. The primary lawful bases on which 999bad relies are as follows:
- Contractual necessity: Processing your identity, contact, and financial data is necessary to create and manage your account, process deposits and withdrawals, and deliver the services you have requested through the 999bad platform.
- Legal obligation: 999bad is obligated to carry out identity verification (KYC), age verification, and anti-money laundering (AML) checks. Processing data for these purposes is required by applicable law and cannot be refused.
- Legitimate interests: 999bad processes usage and technical data to maintain platform security, detect fraud, prevent collusion, improve service quality, and personalise your experience within the bounds of your reasonable expectations as a registered member.
- Consent: Where 999bad sends you optional marketing communications (such as promotional offers and bonus notifications), this is done on the basis of your prior consent. You may withdraw consent to marketing communications at any time by contacting support or updating your notification preferences in your account settings.
Where processing is based on consent, withdrawal of that consent does not affect the lawfulness of processing that took place prior to the withdrawal. Withdrawal of consent for marketing does not affect your ability to use the platform or access your account.
4 How We Use Your Information
999bad uses the personal data it collects for the following purposes, each of which corresponds to one or more lawful bases described in Section 3:
- Account creation and management: To register your account, verify your identity and age, maintain your account profile, and process account closure requests;
- Service delivery: To process your deposits and withdrawals via bKash, Nagad, Rocket, Upay, Visa, and Mastercard; to credit winnings; and to apply bonuses and promotions to your account;
- Fraud prevention and security: To detect, investigate, and prevent fraudulent activity, money laundering, bonus abuse, multi-accounting, and other conduct prohibited under the Terms & Conditions;
- Responsible gaming compliance: To monitor play patterns that may indicate problem gambling behaviour and to implement self-exclusion, deposit limits, and other player protection measures;
- Customer support: To respond to your enquiries, resolve disputes, investigate complaints, and provide technical assistance;
- Platform improvement: To analyse aggregated usage data, identify technical issues, conduct A/B testing, and develop new features and game categories on the 999bad platform;
- Marketing communications: Where you have provided consent, to send you information about promotions, bonuses, new game releases, and seasonal offers relevant to the Bangladesh market.
4.1 Automated Decision-Making
999bad may use automated systems to assess certain account activities — for example, to flag unusual betting patterns, detect potential bonus abuse, or enforce self-exclusion measures. Where an automated decision has a significant effect on your account (such as a temporary suspension), you have the right to request human review of that decision by contacting the 999bad support team.
5 Data Sharing and Third Parties
999bad does not sell, rent, or trade your personal data to any third party for their own commercial marketing purposes. Personal data is shared only in the following limited and controlled circumstances:
- Payment processors: Financial data necessary to process transactions is shared with our payment provider partners (bKash, Nagad, Rocket, Upay, Visa, Mastercard processing networks). These parties process data only as instructed by 999bad and are bound by strict data processing agreements;
- Identity verification providers: Where KYC or age verification is required, your identity documents may be processed by a trusted third-party identity verification service. These providers are contractually required to handle your data securely and to delete it after verification is complete;
- Game providers: Certain game data (such as bet amounts and game session identifiers) is transmitted to third-party game studios including Evolution Gaming, Pragmatic Play, Ezugi, NetEnt, Microgaming, PG Soft, and Play'n GO to facilitate game delivery. These providers do not receive your full identity or financial data;
- Legal and regulatory authorities: 999bad may disclose personal data to law enforcement, regulatory bodies, or courts where required to do so by applicable law, court order, or legal process;
- Business transfers: In the event of a merger, acquisition, or sale of all or part of the 999bad business, personal data held by 999bad may be transferred to the acquiring entity, subject to equivalent privacy protections remaining in place.
All third-party service providers engaged by 999bad are required to process personal data in accordance with confidentiality obligations and security standards consistent with this Privacy Policy.
6 Cookies and Tracking Technologies
The 999bad platform uses cookies and similar tracking technologies to deliver a functional, personalised, and secure user experience. A cookie is a small text file placed on your device by the website server when you access the platform. Cookies do not contain executable code and cannot access other files on your device.
6.1 Types of Cookies Used
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Session management, authentication, security tokens, CSRF protection | Session / up to 24 hours |
| Functional | Remembering your language preference, display settings, and last-visited game category | Up to 90 days |
| Analytics | Aggregated page view counts, session duration, device types — used to improve platform performance | Up to 12 months |
| Marketing | Tracking referral sources and campaign attribution to measure the effectiveness of promotional activity | Up to 30 days |
6.2 Managing Cookies
You may control or disable cookies through your browser settings. Please note that disabling strictly necessary cookies may prevent the 999bad platform from functioning correctly — in particular, you may be unable to log in or maintain an authenticated session. Functional and analytics cookies can be disabled without affecting core platform access. Detailed instructions for managing cookies in common browsers (Chrome, Firefox, Safari, Edge) are available in each browser's help documentation.
7 Data Retention and Deletion
999bad retains personal data only for as long as it is necessary to fulfil the purpose for which it was collected, or as required by applicable law. The following retention periods apply as general guidance:
- Active account data (identity, contact, financial): Retained for the full duration of your account being open and for a minimum of five years following account closure, to comply with anti-money laundering record-keeping obligations;
- Transaction records (deposits, withdrawals, bets, bonuses): Retained for a minimum of seven years from the date of the transaction for financial and compliance audit purposes;
- KYC and verification documents: Retained for a minimum of five years from the date of account closure or the last KYC submission, whichever is later;
- Support and communication records: Retained for up to three years from the date of the last communication, unless a longer period is required to resolve an open dispute;
- Analytics and usage data: Retained in aggregated, anonymised form indefinitely; individual-level usage logs are deleted or anonymised within 24 months.
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. If you request deletion of your account, 999bad will process the deletion of your active profile data within 30 days, subject to the retention obligations noted above — certain records required by law cannot be deleted on request prior to the end of their mandatory retention period.
8 Your Privacy Rights
As a data subject, you hold a number of rights in relation to the personal data that 999bad holds about you. These rights are summarised below. To exercise any of these rights, please contact the 999bad support team at [email protected] with a clear description of your request.
Right of Access
Request a copy of the personal data 999bad holds about you, including the categories of data, the purposes of processing, and any third parties it has been shared with.
Right to Rectification
Request correction of any inaccurate or incomplete personal data held in your 999bad account profile without undue delay.
Right to Erasure
Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to legal retention obligations.
Right to Restriction
Request that 999bad restricts processing of your data — for example, while an accuracy dispute is being resolved or while an objection is being assessed.
Right to Portability
Request a structured, machine-readable copy of personal data you have provided to 999bad, where processing is based on consent or contractual necessity.
Right to Object
Object to processing of your personal data for direct marketing purposes at any time, with immediate effect. Objections to other processing grounds are assessed case by case.
999bad will respond to all verified data subject requests within 30 calendar days of receipt. In complex cases, this period may be extended by a further 60 days, in which case you will be notified of the extension and the reason for it within the initial 30-day window.
9 Data Security Measures
999bad takes the security of your personal data seriously and has implemented a range of technical and organisational measures to protect it against unauthorised access, accidental loss, alteration, or disclosure. These measures include, but are not limited to:
- 256-bit SSL/TLS encryption applied to all data transmitted between your device and the 999bad servers;
- Encryption at rest for all sensitive personal and financial data stored in 999bad databases;
- Role-based access controls ensuring that staff members can access only the personal data necessary for their specific job function;
- Two-factor authentication (2FA) available to all registered members and mandatory for internal 999bad staff accessing production systems;
- Regular security audits and penetration testing of the platform infrastructure;
- Firewalls and intrusion detection systems monitoring the 999bad network perimeter on a continuous basis;
- Data breach response procedures — in the event of a confirmed personal data breach that poses a risk to your rights, 999bad will notify affected individuals without undue delay and will take immediate remediation steps.
While 999bad employs industry-standard security measures, no online platform can guarantee absolute security against all conceivable threats. You also play a role in protecting your data — please use a strong, unique password for your 999bad account, enable 2FA, and never share your login credentials with any other person.
10 Changes to This Privacy Policy
999bad reserves the right to update or revise this Privacy Policy at any time to reflect changes in our data practices, applicable law, or platform services. When material changes are made, the updated Privacy Policy will be published on this page with a revised effective date. Where the changes are significant and affect how your data is processed, 999bad will also notify registered members by email to their registered address or via an in-platform notification.
Your continued use of the 999bad platform after an updated Privacy Policy has been published constitutes your acknowledgement of, and agreement to, the revised terms. If you do not agree with any changes, you should cease using the platform and may request account closure in accordance with the Terms & Conditions.
We encourage you to review this Privacy Policy periodically — at minimum whenever you receive a notification that it has been updated. Historical versions of the Privacy Policy are available on request by contacting [email protected].
Six Ways 999bad Protects Your Privacy
Beyond legal compliance, these are the practical commitments that define how 999bad handles your personal data every day.
End-to-End Encryption
Every byte of data transmitted between your device and the 999bad platform travels through a 256-bit SSL-encrypted connection. Your login credentials, payment details, and personal information are protected in transit at all times.
No Data Selling
999bad does not sell, rent, or trade your personal data to third-party advertisers or data brokers — ever. Your information is used solely to deliver the 999bad service and to comply with legal obligations.
Minimal Data Collection
We collect only the personal data that is strictly necessary to deliver our services and meet our legal obligations. We do not collect sensitive data categories such as biometrics or political opinions except where required by identity law.
Clear Retention Limits
Personal data is retained only for defined periods aligned with legal requirements. Active session logs and analytics data are anonymised within 24 months. You can request deletion of your account data at any time, subject to mandatory legal retention periods.
Full Data Subject Rights
Access, correct, port, restrict, or erase your personal data at any time by contacting the 999bad support team. All verified data subject requests are processed within 30 calendar days with no charge applied.
Consent-Based Marketing
Promotional emails and bonus notifications are sent only with your explicit prior consent. You can withdraw consent and opt out of all marketing communications at any time through your account notification settings or by emailing support.
Questions About Your Privacy? We Are Here to Help.
If you have any concerns about how 999bad handles your personal data, or if you would like to exercise any of your privacy rights, contact our support team. You can also explore our other policy pages for a complete picture of how the 999bad platform operates.
Terms & Conditions Responsible Gaming Read the FAQ Explore 999bad Casino