wintoto Privacy Policy

wintoto ("wintoto", "we", "us", "our") is the operator of the online gaming platform accessible at wintoto.one. For the purposes of applicable data protection legislation, wintoto acts as the data controller in respect of the personal data of its registered players and platform visitors.

This Privacy Policy applies to all personal data collected through the wintoto Platform, including via registration, gameplay, deposits, withdrawals, customer support interactions, and any communications between you and wintoto. It should be read alongside our Terms & Conditions and Responsible Gaming Policy.

wintoto collects the following categories of personal data from players and platform visitors:

2.1 Registration & Identity Data. When you register a wintoto account, we collect your full name, date of birth, country and state of residence, email address, and mobile phone number. During mandatory KYC (Know Your Customer) verification, we collect copies of identity documents — such as your Malaysian MyKad or passport — and proof of address documentation.

2.2 Financial Data. wintoto collects information relating to deposits and withdrawals, including payment method type (e.g., Touch n Go eWallet, Boost, Maybank, CIMB), transaction amounts, and transaction timestamps. We do not store full bank account or card numbers on our systems; payment processing is handled by certified payment service providers.

2.3 Gaming & Activity Data. We collect records of your gaming activity on wintoto, including games played, bet amounts, game results, session durations, and account balance history. This data is collected for game operation, account integrity, responsible gaming monitoring, and fraud prevention purposes.

2.4 Technical & Device Data. When you access the wintoto Platform, we automatically collect technical data including your IP address, browser type and version, device type, operating system, referring URLs, and session data. This data is used for security, fraud detection, and platform optimisation purposes.

2.5 Communications Data. If you contact wintoto's customer support — via live chat, email, or any other channel — we retain records of those communications, including the content of messages and the date and time of contact.

wintoto uses the personal data we collect for the following purposes:

• Account Registration & Management — to create and maintain your wintoto account, verify your identity under KYC requirements, and manage your account settings and preferences.
• Game & Service Provision — to operate the games, betting markets, and all other services available on the wintoto Platform and to process your deposits and withdrawals in MYR.
• Security & Fraud Prevention — to detect, investigate, and prevent fraudulent transactions, money laundering, account takeovers, and other prohibited activities. This includes profiling of gaming and transaction patterns for anomaly detection.
• Regulatory Compliance — to fulfil our obligations under international gaming authority oversight, including age verification (21+ enforcement), AML (anti-money laundering) obligations, and the maintenance of required records for regulatory audit purposes.
• Responsible Gaming — to monitor gaming activity for signs of problem gambling behaviour, to administer responsible gaming tools (deposit limits, self-exclusion), and to provide appropriate interventions where required under our gaming authority obligations.
• Marketing Communications — where you have consented, to send you information about wintoto promotions, bonuses, and new game launches. You may withdraw this consent at any time via your account settings or by contacting our support team.
• Customer Support — to respond to your enquiries, resolve disputes, and improve our support services based on interaction records.
• Platform Improvement — to analyse aggregated and anonymised usage data to improve the wintoto Platform's functionality, performance, and user experience for all Malaysian players.

wintoto processes personal data on the following legal bases as applicable under data protection law:

• Contractual Necessity — processing required to perform our contract with you (the Terms & Conditions), including account management, game provision, and payment processing.
• Legal Obligation — processing required to comply with applicable legal and regulatory requirements, including gaming licence conditions, AML obligations, and age verification mandates.
• Legitimate Interests — processing necessary for wintoto's legitimate business interests, including fraud prevention, security, and platform improvement, where those interests are not overridden by your rights and freedoms.
• Consent — where we rely on your consent (e.g., for marketing communications), you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

wintoto does not sell or rent your personal data to third parties. We share personal data only in the following limited circumstances:

5.1 Service Providers. We engage trusted third-party service providers to support platform operations, including payment processors (handling Touch n Go eWallet, Boost, GrabPay, and bank transfer transactions), KYC verification services, fraud detection providers, cloud infrastructure providers, and customer support tooling. All such providers are contractually bound to process your data only on our instructions and in accordance with applicable data protection law.

5.2 Regulatory & Law Enforcement. wintoto may disclose personal data to regulatory authorities, law enforcement agencies, or gaming licensing authorities where required to do so by law, court order, or regulatory direction. We will notify affected players of such disclosures to the extent permitted by law.

5.3 Business Transfers. In the event of a merger, acquisition, or sale of all or substantially all of wintoto's assets, personal data held by wintoto may be transferred to the acquiring entity, subject to equivalent privacy protections. Affected players will be notified of any such transfer.

5.4 Responsible Gaming Partners. Where required under our gaming authority obligations, wintoto may share limited player data with approved responsible gaming bodies for the administration of cross-operator self-exclusion programmes.

wintoto uses cookies and similar tracking technologies on the Platform for the following purposes:

• Strictly Necessary Cookies — essential for the operation of the Platform, including maintaining your login session and security tokens. These cannot be disabled.
• Performance & Analytics Cookies — used to collect aggregated, anonymised data on how visitors interact with the wintoto Platform, enabling us to identify and resolve performance issues and improve user experience.
• Functionality Cookies — used to remember your preferences (e.g., language, game lobby view settings) to personalise your wintoto experience.

You may manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of the wintoto Platform. wintoto does not use third-party advertising cookies or cross-site tracking technologies for advertising purposes.

wintoto implements a comprehensive set of technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, or alteration:

• 256-bit SSL/TLS encryption for all data transmitted between your device and the wintoto Platform.
• Encrypted storage of sensitive personal data and credentials at rest using industry-standard algorithms.
• Role-based access controls ensuring that only authorised personnel have access to personal data, limited to what is necessary for their specific function.
• Multi-factor authentication for all internal wintoto systems that process player personal data.
• Regular security audits and penetration testing by independent third-party security specialists.
• 24/7 automated monitoring for anomalous access patterns and potential security incidents.

While wintoto takes all reasonable steps to protect your data, no security system is entirely impenetrable. In the event of a security incident affecting your personal data, wintoto will act promptly in accordance with our breach notification obligations.

wintoto retains personal data for the following periods, unless a longer retention period is required by applicable law or regulatory obligation:

• Account & Identity Data — retained for the duration of your wintoto account plus a minimum of five (5) years following account closure, in compliance with our gaming authority obligations and applicable AML record-keeping requirements.
• Transaction & Financial Records — retained for a minimum of seven (7) years from the date of the transaction, in compliance with applicable financial record-keeping regulations.
• Gaming Activity Records — retained for the duration of your account plus three (3) years following closure, for audit, dispute resolution, and responsible gaming monitoring purposes.
• Communications Records — retained for three (3) years from the date of the communication, or longer if the communication relates to an unresolved dispute or regulatory matter.
• Technical & Device Data — retained for a rolling period of twelve (12) months for security and fraud detection purposes.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with wintoto's data disposal procedures.

Subject to applicable data protection law, registered wintoto players have the following rights in respect of their personal data:

To exercise any of these rights, please contact our Data Privacy team at [email protected] with a description of your request. We may require identity verification before processing your request.

The wintoto Platform is strictly intended for persons aged 21 and above. wintoto does not knowingly collect personal data from individuals under the age of 21. Our KYC age verification process is designed to prevent under-age registration. If wintoto becomes aware that personal data has been collected from a person under 21, that account will be immediately closed and the personal data deleted, subject to any overriding regulatory obligations.

If you believe that a person under 21 has registered with wintoto, please notify us immediately at [email protected] so that we can take prompt action.

wintoto's primary infrastructure is hosted in data centres that may be located outside Malaysia. Where personal data is transferred internationally, wintoto ensures that appropriate safeguards are in place to protect your data to a standard equivalent to that applicable in Malaysia, including contractual clauses requiring overseas recipients to comply with applicable data protection standards.

By registering with wintoto and accepting these terms, you acknowledge that your personal data may be transferred to and processed in jurisdictions outside Malaysia, subject to the safeguards described above.

wintoto reserves the right to update this Privacy Policy from time to time to reflect changes in our data practices, the services we offer, or applicable legal requirements. The most current version of this Privacy Policy will always be available at wintoto.one/privacy-policy.

Where changes are material, wintoto will notify registered players via the contact details held on their accounts before the changes take effect. Continued use of the wintoto Platform following notification of material changes constitutes your acceptance of the revised Privacy Policy.

If you have any questions, concerns, or requests relating to this Privacy Policy or wintoto's handling of your personal data, please contact us at:

[email protected]

Our Data Privacy team aims to acknowledge all privacy-related enquiries within 5 business days and to provide a substantive response within 30 days. For urgent matters relating to potential data security incidents, please contact us via the 24/7 live chat function in your wintoto account dashboard for the fastest response.