mr138 Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how mr138 ("mr138", "we", "us", "our"), the operator of mr138.win, collects, uses, discloses, stores, and protects personal data in connection with your use of our website and services. mr138 is committed to handling your personal data responsibly and in accordance with applicable data protection principles and the requirements of our international gaming licence.

By registering an account on mr138.win or otherwise using the platform, you acknowledge that you have read and understood this Policy. If you do not agree to this Policy, you must discontinue use of the platform.

This Policy applies to all users of mr138.win regardless of location. Users accessing the platform from Malaysia should be aware that local laws — including the Personal Data Protection Act 2010 (PDPA) — may also apply to the processing of their personal data. mr138 aims to meet PDPA principles where they are applicable to its operations.

2. Categories of Personal Data We Collect

mr138 collects the following categories of personal data:

Category	Examples
Identity Data	Full legal name, date of birth, MyKad / passport number, nationality
Contact Data	Email address, Malaysian mobile number, registered address
Financial Data	Bank account details, e-wallet identifiers (Touch n Go / Boost), transaction history, deposit and withdrawal records
KYC / Verification Data	Identity document images, proof of address documents, selfie or liveness verification
Account Data	Username, account preferences, login history, session activity, game play history
Technical Data	IP address, device type, browser type, operating system, screen resolution
Communications Data	Live chat transcripts, support emails, feedback submissions

We do not intentionally collect sensitive personal data such as health information, racial or ethnic origin, or political opinions except where strictly required by our AML obligations or expressly provided by you.

3. How We Collect Your Data

mr138 collects personal data through the following methods:

• Direct collection: Information you provide when registering, completing KYC verification, making deposits or withdrawals, participating in promotions, or contacting support.
• Automated collection: Technical data collected automatically when you access mr138.win, including via cookies, server logs, and analytics tools operated by mr138 internally.
• Third-party verification: Identity and fraud screening data provided by KYC/AML compliance service providers where required to verify your identity or screen for sanctions.
• Payment processors: Transaction confirmation data provided by payment processors when you deposit or withdraw using Touch n Go eWallet, Boost, Maybank, CIMB, Public Bank, or other supported payment methods.

4. How We Use Your Personal Data

mr138 uses your personal data for the following purposes:

• Account management: Creating and maintaining your mr138 account, authenticating your identity at login, and managing account security.
• Service delivery: Processing deposits, withdrawals, bet settlements, and all other platform transactions denominated in MYR.
• Regulatory compliance: Conducting KYC verification, performing AML screening, maintaining transaction records, and responding to lawful requests from regulatory or law enforcement authorities.
• Responsible gaming: Monitoring gaming activity to identify potential problem gambling patterns, implementing deposit limits or self-exclusion where requested, and enforcing the 21+ age restriction.
• Customer support: Responding to your queries, resolving disputes, and maintaining records of communications for quality assurance.
• Security and fraud prevention: Detecting, investigating, and preventing fraudulent activity, cheating, or security breaches affecting the platform or other members.
• Marketing communications: Sending promotional offers, bonus notifications, and news about mr138 products and services — but only to members who have consented to receive marketing communications. You may withdraw consent at any time.
• Platform improvement: Analysing aggregated and anonymised usage data to improve the mr138 platform, game selection, and user experience.

5. Legal Basis for Processing

mr138 processes your personal data on the following legal bases:

• Contractual necessity: Processing required to perform our agreement with you — including account management, transaction processing, and customer support.
• Legal obligation: Processing required to comply with AML regulations, gaming licence conditions, KYC requirements, and lawful authority requests.
• Legitimate interests: Processing for fraud prevention, security monitoring, platform improvement, and responsible gaming monitoring, where these interests are not overridden by your fundamental rights.
• Consent: Processing for marketing communications, where you have given express consent. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.

6. Data Sharing and Disclosure

mr138 does not sell, rent, or trade your personal data. We may share data with the following categories of recipients strictly on a need-to-know basis:

• KYC / AML service providers: Licensed identity verification and fraud screening companies used to fulfil our regulatory obligations.
• Payment processors: Financial institutions and e-wallet operators (including Touch n Go and Boost processors) to facilitate deposits and withdrawals.
• Game providers: Software providers whose games are operated on the mr138 platform may receive the minimum session data required for game operation and dispute resolution.
• IT and platform service providers: Cloud hosting, security, and infrastructure providers who process data on mr138's behalf under strict data processing agreements.
• Regulatory and law enforcement authorities: Where required by law, court order, or gaming licence conditions, mr138 will disclose data to competent authorities.

All third-party service providers are contractually required to handle mr138 member data confidentially and solely for the specified purpose. mr138 does not permit service providers to use member data for their own purposes.

7. Cookies and Tracking Technologies

mr138.win uses the following types of cookies:

• Strictly necessary cookies: Required for login session management, security tokens, and core platform functionality. These cannot be disabled without breaking the platform.
• Performance cookies: Used to measure platform performance and identify errors. These are operated internally by mr138 and do not share data with advertising networks.
• Functional cookies: Store your preferences such as language and display settings to improve your experience.

mr138 does not use third-party advertising or tracking cookies. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies will prevent you from logging in to your mr138 account.

8. Data Retention

mr138 retains personal data for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, regulatory, and contractual obligations. Specific retention periods include:

• Account and transaction data: Retained for a minimum of 5 years following account closure, in line with AML and gaming regulatory requirements.
• KYC documents: Retained for a minimum of 5 years following the end of the business relationship.
• Support communications: Retained for 2 years following resolution of the relevant matter.
• Marketing consent records: Retained for the duration of the business relationship and 1 year following consent withdrawal.

Upon expiry of applicable retention periods, personal data is securely deleted or anonymised.

9. Your Data Rights

Subject to applicable law and verification of your identity, mr138 members have the following rights regarding their personal data:

• Right of access: Request a copy of the personal data mr138 holds about you.
• Right of rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure: Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to our legal retention obligations.
• Right to data portability: Request your personal data in a structured, machine-readable format where processing is based on consent or contract.
• Right to object: Object to processing based on legitimate interests, including profiling for responsible gaming monitoring purposes.
• Right to withdraw consent: Withdraw marketing consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact mr138 support via live chat or by email at [email protected]. mr138 will respond to data rights requests within 30 days. Where requests are complex or numerous, this period may be extended by a further 30 days with notification to you.

10. Data Security

10.1 mr138 implements technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, disclosure, or destruction. These measures include SSL/TLS encryption for all data in transit, encrypted storage for sensitive data at rest, role-based access controls limiting staff access to personal data on a strict need-to-know basis, regular security assessments and penetration testing, and multi-factor authentication for administrative platform access.

10.2 While mr138 takes reasonable steps to protect your data, no internet transmission or electronic storage system is completely secure. In the event of a data breach affecting your personal data, mr138 will notify you and relevant authorities in accordance with applicable legal obligations.

11. Minors and Age Restriction

mr138 does not knowingly collect or process personal data from individuals under the age of 21. The platform is strictly for adults 21 years and above. If mr138 discovers that personal data has been collected from an individual under 21, the account will be closed immediately and the data deleted, except where retention is required for regulatory compliance purposes.

12. International Data Transfers

As an international gaming operator, mr138 may transfer personal data to countries outside Malaysia, including to Curaçao where our gaming licence is held, and to the locations of our service providers. Where data is transferred internationally, mr138 ensures appropriate safeguards are in place — including contractual protections — to maintain the security and integrity of your personal data consistent with the standards described in this Policy.

13. Changes to This Policy

mr138 may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or platform operations. Material changes will be communicated by prominent notice on the platform or by email to your registered address at least 7 days before they take effect. The effective date of the current version is displayed at the top of this Policy.

14. Contact and Data Enquiries

For any questions, concerns, or requests relating to this Privacy Policy or mr138's handling of your personal data, please contact us via:

• Email: [email protected]
• Live Chat: Available 24/7 via mr138.win
• Response Time: Within 3 minutes (live chat) · Within 2 hours (email) · Data rights requests within 30 days

This Privacy Policy was last reviewed and updated on 11 June 2026.