11bad Privacy
Policy
Your privacy matters to us. This Privacy Policy explains exactly what personal information 11bad collects from players in Bangladesh, how that information is used, who it may be shared with, how long it is retained, and what rights you have over your own data. We handle all personal information in accordance with internationally recognised data protection principles.
At a Glance
Our Core Privacy Commitments
Before diving into the full legal text, here is a plain-language summary of the six most important ways 11bad protects your personal data and respects your privacy as a player.
SSL Encryption on Every Connection
Every page and API call on 11bad is served over HTTPS using TLS 1.3 encryption. Your login credentials, payment details, and personal information travel across the network in an encrypted form that cannot be read by any third party intercepting the connection.
We Never Sell Your Personal Data
11bad does not sell, rent, or trade your personal information to advertisers, data brokers, or any third party for commercial gain. Your data is used exclusively to operate and improve the 11bad platform and to comply with our legal obligations.
Purpose Limitation โ Data Used Only as Stated
Every category of personal data we collect is tied to a specific, documented purpose. We do not repurpose your data for uses that are incompatible with the reason it was originally collected. If a new use case arises, we will notify you and, where required, seek your explicit consent before proceeding.
Data Minimisation โ We Collect Only What We Need
11bad applies a strict data minimisation principle. We collect only the personal information that is genuinely necessary to provide the services you request โ account registration, identity verification, payments, and customer support. We do not collect data "just in case" it might be useful later.
Transparent Retention Periods
We publish clear retention schedules for every category of personal data we hold. Account data is kept for the duration of the player relationship plus five years for AML compliance. Marketing preferences are retained only while your account is active. When retention periods expire, data is securely deleted or anonymised.
Your Rights Are Enforceable
You have the right to access, correct, export, and request deletion of your personal data. You can withdraw marketing consent at any time. You can request that we restrict processing while a dispute is outstanding. These rights are not theoretical โ submit a request to [email protected] and we will respond within 30 days.
Section 1
Information We Collect
11bad collects personal information from you through several channels: directly from you when you register an account, make a deposit, or contact customer support; automatically through your interaction with the platform; and, in limited circumstances, from third-party identity verification providers when we conduct KYC checks. The categories of data we collect are described below.
Identity and Registration Data
When you create a 11bad account, we collect your full legal name, date of birth, nationality, and a copy of your identity document (National Identity Card, passport, or driver's licence). This information is required to verify that you are aged 18 or above and to comply with our Know Your Customer (KYC) obligations.
Contact Data
We collect your email address and mobile phone number at registration. Your mobile number is used to deliver SMS one-time passwords (OTP) for two-factor authentication and transactional alerts. Your email address is used for account notifications, withdrawal confirmations, and โ only if you have opted in โ promotional communications.
Financial and Transaction Data
We record details of every deposit and withdrawal transaction on your account: the payment method used (e.g., bKash account reference, Nagad wallet identifier, bank account last four digits), the amount in BDT, the timestamp, and the transaction status. We do not store full card numbers or mobile banking PINs โ payment processing is handled by our payment partners who operate under their own security and data protection standards.
Gaming Activity Data
We maintain a full record of your wagering activity on 11bad: games played, bet amounts, outcomes, session durations, bonus usage, and self-imposed limits. This data is necessary for account management, responsible gaming monitoring, and dispute resolution.
Technical and Device Data
When you access the 11bad platform, our servers automatically collect your IP address, device type, operating system, browser version, screen resolution, referring URL, and session timestamps. This information is used for security monitoring, fraud detection, and platform performance optimisation.
Communications Data
When you contact 11bad via live chat, email, or any other support channel, we record the content of those communications and any attachments or screenshots you provide. These records are retained for quality assurance, training, and dispute resolution purposes.
Data We Do Not Collect
11bad does not collect sensitive personal data categories such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning sexual orientation, unless you voluntarily disclose such information through a support interaction. If such information is incidentally received, it is not processed for any purpose beyond resolving the specific support query.
Section 2
How We Use Your Data
The following table summarises the primary purposes for which 11bad processes your personal data and the corresponding legal basis for each activity.
| Processing Purpose | Data Categories Used | Legal Basis |
|---|---|---|
| Account registration and management | Identity, Contact | Contract performance |
| Age and identity verification (KYC) | Identity, Financial | Legal obligation |
| Processing deposits and withdrawals | Financial, Transaction | Contract performance |
| Fraud prevention and AML monitoring | Identity, Financial, Technical | Legal obligation / Legitimate interest |
| Responsible gaming monitoring | Gaming Activity, Contact | Legal obligation / Legitimate interest |
| Customer support and dispute resolution | Identity, Communications | Contract performance / Legitimate interest |
| Platform security and abuse detection | Technical, Gaming Activity | Legitimate interest |
| Promotional and marketing communications | Contact, Gaming Activity | Consent (opt-in only) |
| Platform analytics and improvement | Technical (anonymised) | Legitimate interest |
Marketing Communications
11bad will only send you promotional emails, SMS messages, or push notifications if you have explicitly opted in to receive such communications during registration or through your account notification settings. Each marketing message contains a clear and functional unsubscribe mechanism. You may also withdraw marketing consent at any time by updating your account preferences or by writing to [email protected]. Withdrawal of marketing consent does not affect the lawfulness of any processing carried out prior to withdrawal.
Automated Decision-Making
11bad uses automated systems to detect potentially fraudulent activity, unusual wagering patterns, and suspected bonus abuse. These automated processes may result in temporary account restrictions pending a manual review by our compliance team. Where an automated decision has a significant effect on you โ for example, a deposit restriction or account suspension โ you have the right to request a manual review by a member of the 11bad compliance team. Contact [email protected] to exercise this right.
Section 3
Data Sharing and Disclosure
Service Providers and Data Processors
11bad shares personal data with the following categories of third-party service providers who process data on our behalf under data processing agreements that require them to maintain appropriate security and confidentiality standards:
- Payment processors: bKash, Nagad, Rocket, Upay, Visa, Mastercard, and banking partners receive transaction data necessary to process deposits and withdrawals.
- Identity verification providers: Third-party KYC service providers receive identity document images and personal details to perform age and identity verification checks.
- Game providers: Pragmatic Play, Evolution Gaming, Ezugi, Spribe, Microgaming, NetEnt, and other content providers receive your player account identifier (not your full identity) to facilitate game session continuity and dispute resolution.
- Cloud infrastructure providers: Our hosting and cloud infrastructure partners process technical data (IP addresses, session logs) as part of delivering the platform.
- Customer support software providers: Our live chat and ticketing platform provider processes communications data when you interact with our support team.
- Analytics providers: We use privacy-respecting, anonymised analytics tools to understand platform usage patterns. No personally identifiable data is passed to analytics providers.
Legal and Regulatory Disclosure
11bad may disclose your personal data to law enforcement agencies, regulatory authorities, or other government bodies where we are required to do so by applicable law, a court order, or a binding regulatory directive. We will notify you of any such disclosure to the extent permitted by law.
Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of 11bad's assets, your personal data may be transferred to the successor entity as part of that transaction. We will notify you via email and a prominent notice on the platform at least 30 days before your personal data becomes subject to a different privacy policy as a result of such a transfer.
International Data Transfers
11bad is an offshore platform and some of our service providers are located outside Bangladesh. Where personal data is transferred internationally, we implement appropriate safeguards to ensure that your data receives a standard of protection equivalent to that described in this Privacy Policy. These safeguards include contractual clauses requiring recipients to meet minimum data protection standards consistent with internationally recognised frameworks.
Section 5
Data Retention
11bad retains personal data only for as long as is necessary to fulfil the purpose for which it was collected, or as required by applicable law. The following retention schedule applies to the main categories of personal data we hold.
| Data Category | Retention Period | Basis for Retention |
|---|---|---|
| Account registration and identity data | Duration of account + 5 years post-closure | AML legal obligation |
| KYC identity documents | Duration of account + 5 years post-closure | AML / KYC legal obligation |
| Transaction records | 7 years from transaction date | Financial regulatory obligation |
| Gaming activity and wagering logs | Duration of account + 3 years post-closure | Responsible gaming / dispute resolution |
| Customer support communications | 3 years from last interaction | Dispute resolution / legitimate interest |
| Marketing consent records | Duration of active consent + 2 years | Proof of consent (legal obligation) |
| Technical and device logs | 90 days rolling | Security / fraud detection |
| Anonymised analytics data | Up to 24 months (aggregated, non-personal) | Legitimate interest (platform improvement) |
When a retention period expires, personal data is either permanently deleted from our systems and backups or irreversibly anonymised so that it can no longer be associated with any identifiable individual. Anonymised data may be retained indefinitely for statistical and analytical purposes.
Where you submit a valid erasure request (see Your Privacy Rights below), we will delete your personal data ahead of the standard retention schedule to the extent permitted by law. Data subject to an overriding legal retention obligation โ for example, transaction records required for AML compliance โ cannot be deleted early regardless of an erasure request, but will be isolated from active processing and deleted as soon as the legal obligation expires.
Section 6
Data Security Measures
Technical Security Controls
All data transmitted between your device and the 11bad platform is encrypted using TLS 1.3. Sensitive data fields stored in our databases โ including identity document images, financial account references, and hashed passwords โ are encrypted at rest using AES-256 encryption. Player passwords are stored using a cryptographically strong one-way hashing algorithm with per-account salting; our staff cannot retrieve your password in plaintext.
Organisational Security Measures
Access to personal data within 11bad's internal systems is governed by a strict role-based access control (RBAC) policy. Staff members are granted access only to the data categories required to perform their specific job functions. All staff with access to personal data undergo data protection training. Access to production systems is protected by mandatory multi-factor authentication.
Two-Factor Authentication for Players
Every 11bad player account is protected by SMS-based two-factor authentication (2FA) using your registered mobile number. A one-time password (OTP) is required for login from new devices, password changes, withdrawal requests above defined thresholds, and any change to your registered email address or mobile number. We strongly recommend that you keep your registered mobile number up to date and report any change promptly to [email protected].
Security Incident Response
In the event of a personal data breach that poses a risk to your rights and freedoms, 11bad will notify affected players without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will describe the nature of the breach, the categories of data affected, the likely consequences, and the steps taken or planned to address the breach and mitigate its effects.
Limitation of Liability for Security Incidents
Whilst 11bad takes all reasonable steps to protect your personal data, no system connected to the internet is completely immune from security threats. 11bad cannot guarantee absolute security and will not be held liable for security incidents that result from circumstances beyond our reasonable control, including sophisticated cyberattacks that circumvent our security measures despite our implementation of industry-standard controls.
Section 7
Your Privacy Rights
As a data subject, you have a number of rights in relation to the personal data that 11bad holds about you. These rights are summarised below. To exercise any of these rights, submit a written request to [email protected] from the email address registered to your 11bad account. We will respond within 30 calendar days of receiving a valid request.
Right of Access
You have the right to request a copy of all personal data that 11bad holds about you, together with information about how it is being used, with whom it has been shared, and for how long it will be retained. This is commonly referred to as a Subject Access Request (SAR). We will provide the information in a structured, commonly used, machine-readable format where technically feasible.
Right to Rectification
If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it without undue delay. You may update certain account details โ such as your email address and contact number โ directly through your account settings dashboard. For corrections to identity data (name, date of birth, NID number), please contact [email protected] with supporting documentation.
Right to Erasure
You have the right to request that 11bad delete your personal data in certain circumstances โ for example, where the data is no longer necessary for the purpose for which it was collected, or where you withdraw the consent on which processing was based and there is no other legal ground for continued processing. The right to erasure is not absolute; where we are required by law to retain the data (e.g., AML transaction records), we will explain which data cannot be deleted and why.
Right to Restrict Processing
You have the right to request that 11bad restrict the processing of your personal data in certain situations โ for example, while a dispute about the accuracy of the data is being resolved, or while we consider the grounds for an erasure request. Where processing is restricted, we will continue to store the data but will not use it for any other purpose without your consent or a lawful basis.
Right to Data Portability
Where processing is based on your consent or on contract performance, and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another service provider. This right applies primarily to your account registration data and transaction history.
Right to Object
You have the right to object to the processing of your personal data where 11bad relies on legitimate interests as the legal basis. In such cases, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary to establish, exercise, or defend legal claims. You may object to marketing communications processing at any time, and we will always honour such objections immediately.
Right to Withdraw Consent
Where processing is based on your consent โ principally marketing communications โ you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. You can withdraw marketing consent through your account notification settings or by contacting [email protected].
Section 8
Contact and Complaints
How to Submit a Privacy Request
To submit any privacy rights request, send an email to [email protected] from the email address registered to your 11bad account. Include your full name, your registered email address, the nature of your request (access, rectification, erasure, portability, objection, or withdrawal of consent), and any relevant details. We may need to verify your identity before processing the request by sending an OTP to your registered mobile number.
We aim to acknowledge all privacy requests within 5 business days and to provide a substantive response within 30 calendar days. If your request is complex or we receive a high volume of requests simultaneously, we may extend the response period by a further 30 days, in which case we will notify you of the extension and the reason for it before the initial 30-day period expires.
Complaints
If you are not satisfied with how 11bad has handled your personal data or responded to a privacy rights request, you have the right to lodge a complaint. In the first instance, we encourage you to raise the complaint directly with 11bad at [email protected] so that we have the opportunity to resolve it internally. If you remain dissatisfied after 11bad's response, you may escalate your complaint to the appropriate data protection supervisory authority in your jurisdiction.
Updates to This Privacy Policy
11bad may update this Privacy Policy from time to time to reflect changes in our data processing practices, changes in applicable law, or changes to the services we offer. Where a material change is made, we will notify registered players by email and by displaying a prominent notice on the platform at least 14 days before the change takes effect. The version number and effective date at the top of this document are updated with each revision. Your continued use of the 11bad platform after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms.
If you have questions about any aspect of this Privacy Policy that are not answered above, please contact us at [email protected]. We are committed to providing clear and transparent information about how we handle your personal data and welcome any questions or feedback you may have.
Your Data is Safe at 11bad
Questions about your privacy, or ready to explore what 11bad has to offer? Browse our game categories, check the FAQ, or log in to manage your account preferences.