Privacy Policy
This page sets out what personal information Mystake collects from visitors, why it's collected, where it's stored, who it's shared with, and how to use your rights under UK privacy law. The technical companion document — cookies, analytics, browser storage — sits on the Cookie Policy page; this page is the plain-English version of the same arrangement.
Mystake runs as an independent informational platform; the broader context is on the About page. This privacy policy covers the Mystake website only. Once a reader clicks through to an operator's site, that operator's own privacy policy takes over; Mystake does not pass data to operators except in the narrow form described further down.
1. What Mystake is
Mystake publishes reviews and guides covering online casinos available to UK players. The flagship operator review lives on the Mystake Casino homepage. The site does not host games, run player accounts, accept deposits, hold funds or process withdrawals. There's no signup. There's no login. A default visit involves no data exchange beyond standard web traffic. Where Mystake does collect personal data — when you write to us through the contact channels, for instance — this page lays out exactly what happens to it.
2. UK privacy law context
All personal information at Mystake is handled under the UK GDPR and the Data Protection Act 2018, alongside the thirteen UK GDPR principles supervised by the Information Commissioner's Office (ICO). Visitors from inside the European Union are extended the same GDPR rights. Visitors from California get CCPA rights, to the extent those rights actually apply to them. Whenever two of the frameworks above disagree, the one that gives the visitor more protection wins out — and that's the rule we follow.
3. What data Mystake collects
Three categories in total: technical traffic data, voluntarily submitted contact data, and aggregated analytics.
| Category | What is collected | Why | Legal basis |
|---|---|---|---|
| Technical traffic data | IP address (anonymised after 24h), browser type, device type, page URL requested, timestamp, referrer. | Serve pages, prevent abuse, debug performance issues. | Legitimate interest under UK GDPR Article 6. |
| Voluntary contact data | Name, email address, message content, supporting documents you choose to attach. Submitted only if you write to us. | Reply to your enquiry. | Consent under the UK GDPR (you provide the data; we use it for the stated purpose). |
| Aggregated analytics | Pseudonymous traffic statistics generated by Google Analytics 4 with IP anonymisation enabled. | Understand which pages are useful and which are not. | Consent (you can decline analytics cookies on first visit). |
A handful of categories Mystake never picks up at all. We don't process financial data, because no payment infrastructure runs on this domain. We don't store gambling-account credentials, because there are no accounts here in the first place. We don't gather biometrics. Location data is restricted to country level, derived from a stripped IP. And special-category material — race, religion, health, sexual orientation, political opinion — is never collected at any point. Targeted advertising and remarketing are off the table; the way the site is actually funded is documented separately on the Affiliate Disclosure page.
4. Cookies and similar technologies
Detail on which cookies Mystake actually sets, which third-party services are responsible for which ones, and the controls available against each — all of that lives on the Cookie Policy page. The short version of the position: strictly necessary cookies (page rendering, the consent banner's own state, abuse-prevention) run regardless; analytics and affiliate-tracking cookies only fire after you accept them through the cookie banner; the choice itself can be revisited any time later via the footer link.
5. Affiliate links and operator-side tracking
Clicking an outbound operator link on Mystake triggers a three-step sequence. Step one: an internal /go redirect logs the click for our analytics — that happens whether you go through with the visit or not. Step two: your browser is handed onward to the operator's site. Step three: the operator may then drop its own cookies and treat the inbound visit as a referral for attribution purposes. What does not get handed across is any personal data — no name, no email, no identifier from Mystake's side. The operator gains a single piece of information: "a visitor arrived from Mystake". Should you then go on to register an account on the operator's site, anything that follows is governed by their privacy policy, not by this one.
6. How long data is retained
- IP addresses: full IPs sit on file for up to 24 hours for abuse-prevention purposes, after which they are anonymised by stripping the final octet (IPv4) or the last 80 bits (IPv6). The anonymised form is then retained for up to 14 months as part of traffic statistics.
- Contact correspondence: emails and any attached files are held for 24 months to support follow-ups and internal audits, and are then deleted unless still part of an active conversation.
- Analytics events: GA4 event data is retained for 14 months under our configuration, then purged automatically.
- Cookie consent record: the record of your selection lives locally in your browser for a 12-month period, after which the consent banner re-appears for renewal.
A handful of records have to sit on file for a longer window because the law requires it — HMRC's record-keeping obligations for the affiliate accounting side being the main example. In those cases the data is stored for the legally mandated period only, and it isn't repurposed beyond that obligation.
7. Who Mystake shares data with
Sharing is restricted to three narrowly scoped buckets. The first is service providers that operate slices of the Mystake stack on our behalf — web hosting, content delivery, transactional email — each working under a written data-processing agreement that limits their use of the material strictly to delivering that service back to us. The second is analytics providers (Google Analytics 4): IP-anonymised traffic data flows out, but never personally identifying information. The third is law-enforcement bodies and regulators, who only receive material in response to a valid legal demand, and only the specific data points that demand actually covers. Mystake does not sell, rent or trade personal data to anybody, under any circumstances.
8. Where data is stored
Mystake infrastructure runs on cloud providers in the UK and the European Economic Area. A handful of service providers — Google Analytics 4 in particular — process data inside the United States. Where data leaves the UK, the recipient is bound either by Standard Contractual Clauses or by an equivalent regime the ICO has assessed as providing protection at least as strong as UK law.
9. Your rights
Under the UK GDPR and equivalent international laws, you have the following rights in relation to any personal data Mystake holds about you.
- Access: request a copy of everything we currently hold about you.
- Correction: request that any inaccurate data on file be put right.
- Deletion: request removal of your data, subject to any overriding legal retention obligations.
- Withdrawing consent: where processing rests on consent, you can pull that consent back whenever you like — earlier lawful processing remains unaffected by the withdrawal.
- Complaint: anyone who believes Mystake has mishandled their data can lodge a complaint with the ICO at ico.org.uk. UK readers are usually best off contacting us first so we have the chance to put the issue right directly.
To put any of these rights into action, drop a note to the privacy address shown on the Contact page. You can expect a reply within the 30-day window the UK GDPR sets out as the maximum response time.
10. Children's privacy
Everything on the site is written with adult UK readers in mind. The content is neither aimed at, nor designed for, anybody under the age of 18. We never knowingly take personal information from a minor — and if it turns out that someone under 18 has submitted data, the record is wiped, with the parent or guardian notified where that's appropriate.
11. Security
Standard industry security controls are layered across the stack: TLS 1.2 or higher on everything in transit; access controls combined with least-privilege rules on every internal system; periodic review of who can reach what; full logging of administrative actions; third-party penetration testing applied at intervals against the public-facing site. No system on the internet is unbreakable, of course. Where a personal-data breach occurs and looks likely to cause serious harm, the affected individuals are notified directly, and a separate notification is filed with the ICO under the breach-notification regime laid out in the UK GDPR.
12. Changes to this policy
If this policy is amended, the "Last updated" date at the top is revised. Material changes — new categories of data collected, new third-party processors, changed retention periods — are flagged with a banner on the home page for a minimum of 30 days. Minor housekeeping changes (rewording, link updates) do not trigger a banner.
13. Contact
Privacy queries are best sent to the dedicated privacy contact on the Contact page. Editorial questions about Mystake material go via the separate editorial channel, while correction requests follow the procedure documented on the Editorial Policy page. For anyone reading the site who wants player-safety guidance, that material is gathered on the Responsible Gambling page.
