bastion Privacy Policy
This page describes what we collect when you use bastion and how we keep that data protected. Our approach prioritises minimal collection — we request only the information necessary to operate your account, process deposits and withdrawals, and comply with legal obligations.
When you register with bastion, we collect your legal name, email address, phone number, and date of birth. On your first withdrawal, we request government-issued identification and confirm your registered payment method. We do not collect credit card numbers or full bank account details; payment processors handle those separately using industry-standard encryption.
We keep your data secure by encrypting it at rest and in transit, limiting staff access, and conducting regular security audits. You have rights to access, correct, and delete your personal data — we outline how to exercise those rights below.
What data we collect on bastion
Our collection practices on bastion are limited to what is necessary. We gather:
- Account information: Legal name, email address, phone number, date of birth, username, password (hashed, not stored in plain text).
- Verification data: Government-issued ID (passport or national ID card), proof of address, confirmation of payment method ownership.
- Payment data: We do not store full card or bank account numbers. Our payment processors (DANA, e-wallet, mobile banking, local payment, online payment, e-wallet, mobile banking, local payment) handle payment details directly using tokenization.
- Activity logs: Game play history, market selections, deposit and withdrawal records, login times, device information (browser type, IP address, operating system).
- Support interactions: Chat transcripts, email correspondence, ticket history — stored only to resolve disputes or improve our service.
We do not collect:
- Health or religious information
- Biometric data (fingerprints, facial recognition)
- Social media profiles or browsing history outside bastion
- Information about family members or dependents
How we use your data on bastion
We use your data for specific, lawful purposes:
- Account operation: Creating your bastion account, processing logins, managing password resets, and enabling two-factor authentication.
- Payments: Processing deposits via online payment, e-wallet, mobile banking, local payment, online payment, e-wallet, or bank virtual accounts; confirming withdrawal destinations; detecting fraudulent transactions.
- Verification: Conducting Know Your Customer (KYC) checks to comply with anti-money-laundering regulations. We compare your ID against public registries and may contact you for additional documents.
- Dispute resolution: Reviewing game logs, transaction records, and video feeds (for live-dealer games) to resolve complaints about settlement.
- Security: Detecting hacking attempts, preventing duplicate accounts, and identifying patterns consistent with fraud or money laundering.
- Legal compliance: Responding to law enforcement requests, maintaining records for tax purposes, and fulfilling anti-terrorism financing obligations.
- Service improvement: Analysing aggregate play trends, identifying game popularity, and improving platform stability — without identifying individual users.
We do not use your data to:
- Manipulate odds or outcomes against you
- Target you with unsolicited marketing (we send service notifications only)
- Sell your information to third parties for profit
- Build psychological profiles for exploitative targeting
Third-party processors and data sharing
We share your data only with service providers essential to operate bastion:
- Payment processors: mobile banking, local payment, online payment, e-wallet, mobile banking, local payment, online payment, e-wallet, mobile banking, local payment receive only your name, payment method, and transaction amount. They do not receive your game history or full account details.
- KYC verification partners: Third-party identity verification services compare your ID against public records. We do not provide game history or account balance to these partners.
- Hosting providers: Our servers may sit outside your jurisdiction (we use data centres in Southeast Asia). Data remains encrypted in transit.
- Law enforcement: We comply with valid legal requests from government agencies. We disclose only the specific data requested, not your entire account history.
We do not share your data with marketing companies, data brokers, or advertisers. We do not sell email addresses or phone numbers to third parties.
Data protection on bastion
- We encrypt all personal data at rest using AES-256 encryption.
- We encrypt all data in transit using TLS 1.2 or higher.
- We limit staff access to personal data based on job necessity.
- We conduct annual security audits and respond to vulnerabilities within 24 hours of disclosure.
- We delete account data 12 months after account closure, except where law requires longer retention.
Your rights regarding your data on bastion
You have the right to:
- Access: Request a copy of all data we hold about you. Submit an access request via our support team; we respond within 14 days.
- Correction: Update inaccurate information. You can modify email, phone, and payment method directly in your account settings. For changes to legal name or date of birth, contact support with updated ID.
- Deletion: Request deletion of your data after account closure. We retain KYC records and transaction history for seven years per anti-money-laundering law, but we delete non-essential personal data (preferences, support notes) immediately upon request.
- Portability: Export your account data in a machine-readable format. Submit a portability request to our support team; we provide a downloadable CSV file within 30 days.
- Restrict processing: Limit how we use your data. We will honour restrictions for marketing or analytics, but we cannot restrict processing necessary for account operation or legal compliance.
- Object: Opt out of non-essential data uses. We will not use your data for service improvement analytics if you object.
Cookies and tracking on bastion
We use cookies only for essential account functions:
- Session cookies: Maintain your login state across bastion pages. These expire when you close your browser.
- Preference cookies: Remember your language choice, theme preference (dark/light mode), and device type.
- Security cookies: Track two-factor authentication status and detect suspicious login patterns.
We do not use:
- Tracking pixels or beacons to follow you across other websites
- Third-party analytics (Google Analytics) that profile your behaviour
- Advertising cookies
You can disable cookies in your browser settings; this may impair bastion functionality.
Data retention and account closure on bastion
We retain your data as long as your bastion account is active, plus seven years after closure. This retention period is required by Indonesian anti-money-laundering law and international standards for financial services. After seven years, we delete:
- Transaction records
- Game history
- KYC documents (ID scans, address proofs)
- Support tickets and chat transcripts
If you request account closure, we disable your login immediately and anonymise your account within 30 days. You cannot recover a closed account or its balance.
Contact us about privacy on bastion
If you have questions about our privacy practices, want to exercise your data rights, or believe we have mishandled your information, contact our support team via live chat, email, or in-app help. We respond to privacy requests within 14 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. We cooperate with government investigations into data misuse and respond to formal requests within statutory timelines.
Changes to this privacy policy
We update this policy periodically to reflect changes in our practices or legal requirements. We notify you of material changes via email. Continued use of bastion after notification signifies your acceptance of the updated policy.