itch Privacy Policy
This page describes what we collect when you use itch and how we keep that data protected. We collect personal information during account registration, identity verification (KYC), transaction processing, and customer support interactions. Our commitment is to store this data securely, use it only for the purposes you authorize, and share it only with third parties where necessary for payment processing, compliance, or fraud prevention.
We understand that privacy is essential to trust. When you deposit via DANA, e-wallet, mobile banking, or local payment, or when you provide identity documents during verification, you are entrusting us with sensitive information. We protect that information through encryption, access controls, regular security audits, and clear policies about retention and third-party sharing.
Our privacy practices apply to all itch users regardless of jurisdiction, subject to applicable law in your region. If local privacy regulations (such as data protection laws) impose stricter requirements than our standard practices, we comply with those requirements. This policy sets out our baseline commitments.
What We Collect & How We Use It
We collect information in several categories. Account information includes your email address, password (hashed, never stored in plain text), username, and account creation date. We use this to authenticate you and maintain your itch session. Identity information (collected during KYC) includes your full legal name, date of birth, identity document number, and residential address. We use this to verify your identity, comply with anti-money-laundering (AML) regulations, and prevent fraud.
Transaction information includes deposit and withdrawal details, payment method used, amounts, timestamps, and outcome. We use this to process your requests, reconcile your balance, and maintain audit trails for regulatory compliance. Behavioral information includes your gaming activity—games you enter, stakes placed, rounds played, and outcomes. We use this to personalize your itch experience, detect anomalies (such as unusual betting patterns that might indicate account compromise), and improve our platform.
Device and access information includes your IP address, browser type, operating system, and timestamp. We use this to secure your account (detecting unauthorized access from unfamiliar locations), investigate fraud, and comply with legal requests. Communication information includes emails, chat logs, and support tickets. We use this to respond to your inquiries, resolve disputes, and improve our support processes.
Our Data Retention & Deletion Practices
We retain account information (email, username, account creation date) for as long as your itch account is active. If you close your account, we retain core account data (name, identity document number, transaction history) for five years to meet legal and regulatory requirements. After five years, we delete or anonymize this data unless applicable law requires longer retention.
Transaction data is retained indefinitely to meet regulatory and audit requirements. Payment method information (such as your OVO or e-wallet account details) is retained as long as you keep that payment method linked to itch. If you unlink a payment method or close your account, we delete stored payment details within 30 days unless we are legally obligated to retain them.
Device and IP address logs are retained for 90 days. After 90 days, we delete these logs unless they are relevant to an active investigation or dispute. Behavioral data (gaming history) is retained for as long as your account is active and for two years after account closure. Support communication (emails, chats) is retained for as long as necessary to resolve your issue and for one year afterward for reference purposes.
You have the right to request deletion of your account and associated data at any time. Upon request, we initiate account closure and deletion of personal data, subject to legal retention obligations. This process typically completes within 30 days. However, we cannot delete transaction records or identity verification data if doing so would violate applicable law or our contractual obligations.
Third-Party Data Sharing & Security
We share your personal data with third parties only in specific circumstances. Payment processors (such as QRIS handlers, bank partners, and e-wallet providers) receive your payment method information and transaction details to process deposits and withdrawals. These processors are contractually bound to protect your data and use it only for payment processing.
Compliance and fraud-prevention partners receive your identity information and transaction history to verify your identity, assess AML risk, and detect fraudulent activity. These partners are regulated financial-services vendors operating under strict confidentiality obligations. Law enforcement and regulatory authorities may request your data as part of legal investigations; we comply with lawful requests and provide data only where required by law.
We do not sell your personal data to marketers, advertisers, or other commercial entities. We do not share your data with itch affiliates or other gaming platforms unless you explicitly consent. Data processors (companies that handle our IT infrastructure, data backups, or customer support tools) receive limited access to your data solely to perform their contracted services. All processors are bound by confidentiality agreements.
We at itch believe that your personal data should remain yours. Third-party sharing is limited, contractually controlled, and subject to your rights.
Our Encryption & Security Standards
We encrypt all personal data in transit using TLS (Transport Layer Security). This means that when you transmit data to itch over the internet, that data is encrypted and cannot be read by unauthorized parties who intercept it. We also encrypt sensitive data at rest: identity documents, payment method details, and account credentials are encrypted in our databases.
Our servers are hosted in secure data centers with physical access controls, redundant power supplies, and fire suppression systems. We conduct regular security audits and penetration testing to identify and remediate vulnerabilities. Access to your personal data is restricted to authorized itch employees and contractors who have a legitimate need to access it for their job functions.
We maintain incident response procedures. If we discover a data breach, we notify affected users within 72 hours as required by applicable law. We inform you of the nature of the breach, the types of data compromised, and the steps we are taking to remediate the situation. We also notify relevant regulatory authorities where required by law.
Your Rights & Data Subject Requests
You have several rights regarding your personal data on itch. You have the right to access—you can request a copy of all personal data we hold about you in a portable, machine-readable format. You have the right to correction—if any of your data is inaccurate, you can request that we correct it. You have the right to deletion—you can request that we delete your data, subject to legal retention obligations.
You also have the right to object to certain processing—for example, if we use your data for fraud detection and you believe the processing is excessive, you can object. You have the right to restrict processing—you can request that we limit how we use your data while you investigate a concern. You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
To exercise any of these rights, contact our legal team via the footer contact form or via email. We respond to data subject requests within 30 days. Some requests may require verification of your identity before we proceed. If your request is complex or requires extensive resources, we may extend our response timeline to 60 days and notify you of the extension.
Cookies, Tracking & Analytics
We use cookies on the itch website and mobile app to maintain your login session, remember your preferences, and analyze site usage. Session cookies are deleted when you close your browser. Persistent cookies remain on your device for up to one year to allow us to remember your preferences during subsequent visits.
We use analytics tools (such as Google Analytics) to measure site traffic, user behavior, and engagement. These tools place cookies on your device and collect anonymized data about your browsing. This data is used to improve the itch platform and user experience. You can opt out of analytics tracking by disabling cookies in your browser settings or by using a cookie management tool.
We do not use tracking pixels, web beacons, or fingerprinting technologies to track you across the internet outside of itch. Our tracking is limited to our own platform. Third-party cookies from payment processors and fraud-prevention vendors may be placed on your device; these are governed by their own privacy policies.
Data Transfer & International Compliance
Our itch servers may be located in jurisdictions outside your own country. When you provide personal data to itch, that data may be transferred to and stored in these locations. These jurisdictions may have different data protection laws than your own. By using itch, you consent to this international data transfer, subject to applicable law in your jurisdiction.
If you are located in a jurisdiction with strict data protection requirements (such as regions with EU-style privacy regulations), we comply with those requirements. We implement Standard Contractual Clauses or other legal mechanisms to ensure that your data receives adequate protection during international transfer.
During regional holidays (Idul Fitri, Idul Adha, Imlek, Nyepi), data processing may be slower due to reduced staffing. However, we maintain continuous data protection and security monitoring. If you have urgent privacy concerns during holidays, contact our support team; critical issues are escalated even during closures.
Contact Us About Privacy
If you have questions about our privacy practices, believe we have violated your privacy rights, or wish to exercise your data subject rights, contact our legal and privacy team via the contact form in the footer or by email. We respond to privacy inquiries within 7 business days. For urgent data protection concerns, mark your email as urgent and we will prioritize your request.