OnlyWin Casino — Privacy & Data Protection Analysis
By Sylvia Kairouz – Updated June 2026
OnlyWin Casino privacy policy: what Canadian players should know
OnlyWin Casino launched in late 2023-2024 under Goodfly N.V. and a Curacao Gaming Control Board licence, building a library of 7,000 to over 8,000 games from 110-plus providers in a remarkably short operating period. For Canadian players across most provinces, the platform is accessible under standard offshore rules, with Ontario as the notable exception where Curacao-licensed platforms without AGCO registration cannot operate legally. The privacy framework governing how OnlyWin handles Canadian player data is shaped by this offshore licensing structure – Curacao requirements set the baseline, Canada’s federal PIPEDA applies to how Canadian data is handled, and the more demanding provincial layer that AGCO-licensed operators must satisfy is absent. This guide explains what that combination means for the data you share when you play.
About the author
My name is Sylvia Kairouz. I’m a Full Professor in the Department of Sociology and Anthropology at Concordia University in Montreal, where I hold the Research Chair on Gambling and direct the HERMES partnership team and the Lifestyle and Addiction Research Lab. My research examines the multi-level individual and environmental determinants of gambling behaviours from a longitudinal perspective, with funding from the Canadian Institutes of Health Research, the Social Sciences and Humanities Research Council of Canada, and the Fonds de recherche du Québec – Société et Culture. I’ve piloted eight large-scale population surveys in Quebec and Canada over the past decade and won the Brain Star Award from CIHR for my work on the role of social contexts in addictive behaviours. I write independently, without commercial arrangements with any operator I cover.
The regulatory framing: Curacao licence plus PIPEDA for Canadian players
OnlyWin operates under Curacao Gaming Control Board licensing, with licence number 163359 cited by one source and 365/JAZ Sub-License GLH-OCCHKTW0707052023 by another, both reflecting Goodfly N.V. as the operating entity. Canada’s federal Personal Information Protection and Electronic Documents Act applies to any organisation collecting data from Canadians regardless of where the operator is incorporated, meaning Canadian players at OnlyWin retain their PIPEDA rights even under offshore licensing.
What’s absent is the provincial layer: AGCO-licensed Ontario operators face mandatory data handling conditions enforced as part of their operating agreements, with provincial regulatory consequences for non-compliance. At OnlyWin, data handling reflects Curacao policy and PIPEDA’s federal standard, without that additional enforcement layer. For players used to AGCO-licensed platforms, this is a meaningful structural difference to carry into how you evaluate what data you share and on what terms.
What data OnlyWin Casino collects from Canadian players
Data provided directly at registration and throughout account activity:
| Category | Specific data points |
|---|---|
| Identity data | Full legal name, date of birth |
| Contact data | Email address, residential address, phone number |
| Verification data | Government-issued photo ID, proof of address for KYC |
| Financial data | Payment method details, CAD deposit and withdrawal history |
| Account settings | Bonus opt-in status, marketing preferences |
| Support communications | Live chat transcripts, email exchanges |
Data collected automatically during platform use:
| Category | Specific data points |
|---|---|
| Technical data | IP address, device type, browser, operating system |
| Behavioural data | Games played across 7,800-plus title library, session length, bet sizes, win/loss patterns |
| Loyalty program data | Points accumulated, rewards tier progression, prize history |
| Bonus tracking data | Welcome package wagering progress toward 40x requirement across four deposits |
| App-specific data | Engagement with exclusive “secret bonuses” available only through the mobile app |
| Daily Wheels engagement | Frequency of Daily Wheels participation, prizes claimed |
| Cookie and analytics data | Navigation patterns, promotional content engagement |
The app-specific data category is worth noting given OnlyWin’s model of offering exclusive secret bonuses through its mobile application. Players who use the app generate a distinct data stream beyond standard browser session data, recording which exclusive offers were accessed, when, and how behaviour differed across app and browser sessions. This cross-channel behavioural data is considerably richer than what single-access-point platforms collect, and it’s reasonable to ask whether that additional data richness is something you’re comfortable with before enabling app-specific features.
How OnlyWin uses your personal data
OnlyWin processes Canadian player data for the following purposes:
- Account creation, authentication, and ongoing management
- CAD deposit and withdrawal processing, with the same payment method required for both directions as a fraud prevention measure
- Curacao Gaming Control Board compliance and AML obligations under Goodfly N.V.’s licensing
- Security functions including SSL 128-bit encryption, TLS 1.3 protocols, firewalls, and fraud detection
- Game outcome verification alongside trust certificates from independent review platforms
- Loyalty program administration, including the C$255,000 in prizes across the rewards structure cited across reviews
- Bonus tracking across the four-deposit welcome sequence and ongoing promotions including weekly reloads, live casino cashback, and Daily Wheels
- Customer support via 24/7 live chat and email
- Marketing communications with consent, including weekly free spins offers, high roller promotions, and any other opted-in communications
The marketing communications point connects directly to how OnlyWin’s promotional model works. The platform’s promotional calendar – weekly reloads, live casino cashback, high roller offers, Daily Wheels, and app-exclusive secret bonuses – is more active than many comparable platforms, which means players who opt into marketing communications receive a relatively high volume of time-sensitive promotional messaging. From my research perspective on population-level gambling behaviour patterns, frequent promotional communications tied to time-limited offers are a documented mechanism for maintaining engagement between planned play sessions – worth recognising consciously when deciding whether to opt into ongoing marketing.
Third parties who may receive your data
| Third party | Purpose | Notes |
|---|---|---|
| Goodfly N.V. group entities | Shared operational infrastructure | Operator of OnlyWin |
| Payment processors | CAD and alternative payment method processing | Interac plus other methods |
| Identity verification providers | KYC for first withdrawal and threshold-triggered checks | Standard offshore practice |
| Curacao Gaming Control Board | Regulatory compliance reporting under Goodfly N.V. licence | Licensing authority |
| Analytics and security platforms | Session monitoring, fraud detection, TLS/SSL infrastructure | Technical security providers |
| Marketing platforms | Opted-in promotional communications | Consented only |
| Trust certificate providers | Independent platform verification | Referenced across available reviews |
Unlike Dama N.V., which operates multiple well-documented sister sites creating a clear cross-platform data sharing picture, Goodfly N.V.’s broader platform portfolio is less prominently documented in publicly available sources. What’s clear from the payment security design – same method for deposits and withdrawals as a fraud prevention measure – is that OnlyWin has built specific data flow constraints into its financial infrastructure. This is a positive design choice from a security standpoint, even under offshore licensing.
Security infrastructure: 128-bit SSL, TLS 1.3, and what they mean
OnlyWin’s security architecture is notably specified in available sources, covering 128-bit SSL encryption, TLS 1.3 protocols, firewalls, and fraud detection software. TLS 1.3 is the current industry standard for encrypted data transmission, representing a more modern specification than older TLS 1.2 still used by some competing platforms. This technical specificity is worth noting positively: a platform that publishes its specific protocol version is more transparent about its security posture than one that simply says “SSL encryption” without further detail.
The absence of confirmed RNG certification from named third-party testers like eCOGRA is worth balancing against this: OnlyWin holds trust certificates from independent review platforms but not the specific iTech Labs or eCOGRA certifications some competing offshore platforms carry. Players for whom certified fairness testing is a priority should verify the current status of any third-party certification directly.
Your rights under PIPEDA as a Canadian player at OnlyWin
Under Canada’s federal PIPEDA framework, Canadian players at OnlyWin retain:
- Right of access to all personal information the platform holds about them
- Right to correction of inaccurate, incomplete, or outdated information
- Right to withdraw consent to marketing communications
- Right to complain to the Office of the Privacy Commissioner of Canada if a request isn’t addressed
- Right to know what third parties may have received their data
These rights exist independently of OnlyWin’s Curacao licensing status. PIPEDA applies because you are a Canadian and your data was collected in the context of a commercial relationship with you, regardless of where Goodfly N.V. is incorporated.
FAQ
Does OnlyWin Casino collect different data through its mobile app versus browser play?
Yes – the app generates additional data around exclusive “secret bonuses” and app-specific engagement not captured through standard browser sessions.
Is the same payment method required for deposits and withdrawals at OnlyWin?
Yes – OnlyWin uses the same method for both directions as a specific fraud prevention measure, which also shapes how payment data is recorded.
Does OnlyWin hold eCOGRA or iTech Labs certification?
Third-party trust certificates are referenced but specific eCOGRA or iTech Labs certification hasn’t been confirmed across current sources – verify directly with the platform.
What security protocol does OnlyWin use for data transmission?
TLS 1.3 alongside 128-bit SSL encryption, representing a current industry standard for encrypted communications.
Can I request all data OnlyWin holds about me?
Yes – under PIPEDA you can submit an access request, to which the platform must respond within 30 days.
