toyib Casino & Sportsbook Data Care

This page describes what we collect when you use toyib and how we keep that data protected. Our commitment is transparency—we explain which data we collect, why we need it, who has access to it, and how long we keep it. We do not sell your information to third parties, and we do not use it for purposes other than account management, security, and legal compliance.

When you register for toyib, you provide an email address, phone number, and identity documents (Indonesian ID card scan and selfie). We use these to verify your identity, prevent fraud, and comply with Indonesia's financial regulations. Your payment information (DANA, e-wallet, mobile banking, local payment, online payment account details) is encrypted and stored separately from your account profile. We also log your gameplay activity—bets placed, results, withdrawals—so you can verify your history and we can investigate disputes.

Your rights include access to your own data, the ability to request corrections, and (in most cases) the right to delete your account and associated records. This privacy policy explains how we handle each type of data and what choices you have. If you have questions, our support team can walk you through any section.

What data we collect on toyib

We collect data in several categories. First, account data: email address, phone number, name, date of birth, and password (hashed, never stored in plaintext). Second, identity verification data: a scan of your Indonesian ID card (KTP) and a selfie taken during sign-up. Third, payment data: the account details you provide when depositing or withdrawing (DANA, e-wallet, mobile banking, local payment, online payment, e-wallet, or bank account information). Fourth, gameplay data: every bet you place, every game result, every withdrawal request, and every account login.

We also collect technical data: your IP address, browser type, device model, and the city you access toyib from (inferred from IP). This helps us detect fraud—if your account is suddenly accessed from Jakarta one minute and Surabaya the next, we flag it as suspicious and ask you to verify. We use cookies and similar tracking to remember your login session and preferences (language, notification settings).

How we use your data on toyib

We use account and identity data to verify that you are who you claim to be and to prevent duplicate accounts, fraud, and money laundering. Indonesia's financial regulator requires us to collect and maintain this information. Payment data is used only to process your deposits and withdrawals; we never use it for marketing or secondary purposes. Gameplay data is used to settle your bets accurately, calculate payouts, and produce your account history so you can verify every session.

Technical data and cookies help us improve our service. We analyse which games are most played, which payment methods users prefer (mobile banking vs local payment vs online payment, etc.), and where our users are located. This analysis helps us decide whether to add more live-dealer tables during busy hours on Liga 1 match days, or whether to prioritize Piala Indonesia coverage. We do not use your data to profile you or make decisions that affect your eligibility to play.

Your data is not sold

We never sell your personal data to advertisers, data brokers, or other companies. We also do not share gameplay data with third parties unless required by law.

Third parties who may access your data

We use a few external services to run toyib. Our payment processors (the companies behind e-wallet, mobile banking, local payment, online payment, e-wallet, and mobile banking) receive your payment information when you deposit or withdraw; they are bound by strict data protection agreements. Our cloud hosting provider stores our servers and database backups; we choose providers with data centers in Asia to minimise latency and comply with local data residency expectations. Our email service sends you account notifications and security alerts; they cannot access your gameplay data.

We also work with identity verification companies who compare your KTP scan and selfie against government databases to confirm you are not opening duplicate accounts. These companies follow strict data minimization rules and delete your verification images after confirmation (typically within 30 days). We do not retain your KTP scan or selfie on our own servers; we store only a verification token confirming you passed the check.

How long we keep your data

We retain your account data (email, phone, name) for as long as your account is active. Once you delete your account, we keep your account data for six years for tax and legal compliance purposes, then delete it permanently. Your gameplay history (bets, payouts, withdrawals) is kept for seven years—this matches Indonesia's financial record-keeping requirements and allows us to investigate disputes or audit requests from regulators. After seven years, gameplay records are archived and then deleted.

Your identity verification documents (KTP scan, selfie) are deleted within 30 days of verification; we do not store them long-term. Payment information (bank account numbers, e-wallet details) is kept only while necessary to process your transactions and settle disputes—typically three months after your last transaction with that payment method. Once you stop using a payment method, we delete those records unless law requires us to retain them for compliance.

Note: If we receive a legal request from Indonesian authorities (police, tax office, financial regulator), we must comply and provide the data they request, even if you have asked us to delete it.

How we protect your data

We encrypt all data in transit using HTTPS (TLS 1.2 or higher). Data at rest—stored on our servers—is encrypted using AES-256. Your password is hashed with bcrypt and salted, so we cannot read it even if someone breaks into our database. We also use two-factor authentication (2FA) for withdrawal requests, so even if someone steals your password, they cannot move your balance without your phone's verification code.

Our servers are hosted in data centers with physical security (guards, CCTV, badge access). We run automated security scans and penetration testing quarterly. Our team undergoes background checks and signs strict confidentiality agreements. If we discover a data breach, we will notify you within 24 hours and explain what data was affected and what steps we have taken to contain it.

Your rights on toyib

You have several rights regarding your data. First, the right to access: you can request a copy of all data we hold about you. Second, the right to correction: if your profile information is wrong, you can update it in your account settings or ask us to fix it. Third, the right to deletion: you can request that we delete your account and associated data (subject to the seven-year legal retention period mentioned above). Fourth, the right to withdraw consent: if you opted in to promotional emails, you can opt out anytime in your account preferences.

To exercise any of these rights, contact our support team with a description of your request. We will respond within 14 days. If you are in Jakarta, Surabaya, Bandung, Medan, or Semarang and prefer to submit a formal request, you can also email our data protection officer. We do not charge fees for these requests unless they are excessive or repetitive.

Cookies and tracking on toyib

We use cookies to remember your login session, your language preference, and your notification settings. These are functional cookies that make toyib easier to use. We also use analytics cookies to understand how users navigate our site—which pages are visited most, where users drop off, which devices are most common. This helps us improve the user experience and fix bugs. We do not use tracking cookies to follow you across other websites.

You can disable cookies in your browser settings, but this may break some features of toyib (like staying logged in). Our app uses similar technology to store your session locally on your phone. If you delete the app and reinstall it, you will need to log in again.

Data across borders

Our servers are located in Asia, but some of our service providers may store data in other regions. Our cloud hosting company may maintain backup copies in other countries for disaster recovery. Payment processors (local payment, online payment, e-wallet, mobile banking) are Indonesia-based, so your payment data typically stays within Indonesia. When data moves across borders, we ensure contractual protections are in place to maintain the same level of privacy and security you would have in Indonesia.

Indonesia does not have a strict data residency law for non-financial services, so we have flexibility in where we host data. We choose locations based on performance, reliability, and cost. We do not send data outside Asia unless absolutely necessary.

Children and minors on toyib

We do not knowingly collect data from children under 18. Our terms of service require users to be adults. If we discover that a minor has opened an account, we will close it and delete their data (except where legally required to retain it). If you believe a child has accessed toyib using your account or device, contact us immediately so we can investigate and secure the account.

Changes to this privacy policy

We may update this policy from time to time to reflect changes in our practices or to comply with new regulations. When we make material changes (like a new category of data we collect, or a new third party we share data with), we will notify you by email at least 14 days before the change takes effect. You can view the full history of policy changes on our site. If you do not agree with a change, you can delete your account and we will respect your request.

Contacting us about privacy

If you have questions about this privacy policy, how we use your data, or your rights, you can contact our support team through live chat or email. Our data protection officer can also be reached at our support email and will respond within 14 days. If you are unhappy with our response, you also have the right to lodge a complaint with Indonesia's personal data protection authority.

  • For account or gameplay questions, contact support live chat (English available)
  • For data privacy questions, email our support team with "Privacy Request" in the subject line
  • For formal complaints, you may contact Indonesia's personal data protection authority

Privacy policy summary

We collect your account data (email, phone, name, identity documents) to verify your identity and comply with regulations. We collect payment information only to process deposits and withdrawals. We collect gameplay data to settle bets and provide account history. We do not sell your data or use it for marketing without your consent.

We encrypt all data in transit and at rest. We retain account and gameplay data for six to seven years for legal compliance, then delete it. You have the right to access, correct, or delete your data. Our support team can help you exercise these rights within 14 days. If you have concerns about how we handle your data, contact us or lodge a complaint with the appropriate authority.

This policy is effective as of the date posted on our site. We update it occasionally to reflect changes in our practices. Check back regularly or enable notifications so you do not miss important updates.