Gransino Privacy Notice

Editor: Harry Whitfield, Senior Casino Reviewer
Last updated: January 2026

1. About This Site

Gransino, published at penalty-paris.com, is an independent review site whose editorial team signs up at offshore, non-GamStop casino brands and reports on what they find. Under the UK GDPR we act as the data controller for any personal information that flows through this site.

To be completely clear: we are not a casino. You cannot deposit money here, place a bet, or access any gaming software. What we do is write reviews, put together comparison guides, and link readers towards operators. Some of those links are affiliate links — if you sign up with an operator through one, we may earn a referral fee.

2. The Information We Handle

There are no user accounts on this site, which keeps things straightforward. The only categories of personal data that may pass through our systems are:

• Visitor signals — a truncated IP address, your browser name and version, operating system, device type, screen size, the URL you came from, which pages you visited, how long you spent on each, and a rough location at city level based on IP.
• Messages sent to us — an optional name, your email address, and whatever you write when you use our contact form.
• Newsletter sign-ups — your email address, the date and time you subscribed, and which page you were on when you did so.
• Cookie tokens — pseudonymous tags dropped by our analytics and consent tools. Section 6 covers these in detail.

We never intentionally collect sensitive personal data (things like health information, biometric data, religious beliefs or political views) and we do not collect information from anyone under 18.

3. Where the Data Comes From

• Automatically from your browser, via cookies and similar tools while you browse the site — see the Cookies Policy for the full breakdown.
• From privacy-first analytics software that strips the final part of your IP address before storing anything.
• Directly from you, when you fill in the contact form or email us.
• When you subscribe, by ticking a box to receive editorial updates by email.

4. What We Use It For

We only use the data we collect for the specific reasons listed here — nothing else:

• Keeping the site running, delivering pages quickly, and blocking suspicious or automated traffic.
• Understanding in broad terms how many people visit and which content is most useful, so we can improve our editorial output.
• Getting back to you when you contact us through the form or by email.
• Sending editorial newsletters to subscribers who have chosen to receive them.
• Complying with any applicable legal requirements under UK law.

5. Our Legal Grounds Under Article 6

• Consent — Article 6(1)(a): used for non-essential cookies, analytics where you have agreed to it, and email newsletter subscriptions. You can pull your consent back whenever you like.
• Legitimate interests — Article 6(1)(f): used for security-related logging, blocking malicious traffic, and measuring readership in aggregate. Our interest is running a safe, readable review site; we have weighed this against your rights and use the least data necessary to achieve it.
• Legal obligation — Article 6(1)(c): used where UK law requires us to retain or hand over information.

6. Cookies on This Site

A small set of essential cookies runs automatically; analytics cookies only switch on when you say yes to them. We do not use advertising or retargeting cookies at all. The full list — every cookie name, what it does, who provides it, and when it expires (most expire after 11 months) — lives in the Cookies Policy. You can change your choices through the consent banner at any time.

7. Links to Affiliate Operators — What Gets Shared

Many links on Gransino go through our /go redirector and include an affiliate tag. When you click one of those links:

• The operator's site receives a standard HTTP referrer showing you came from penalty-paris.com, plus the affiliate identifier in the URL.
• The operator does not get your name, your email, your contact-form message, or anything else we may hold about you.
• Once you land on the operator's site, their own privacy notice takes over completely. How they handle your data from that point is entirely their responsibility.

We also work with a small number of trusted service providers — our hosting company (Cloudflare and its underlying infrastructure), our email delivery platform (Mailgun for contact and newsletter traffic), and our analytics provider (Plausible Analytics). Each one processes data only on our written instructions and is bound by a data processing agreement.

8. How Our Analytics Work

We use privacy-focused measurement tools — specifically Plausible Analytics, which is cookieless by default and processes no personally identifying data, or Google Analytics 4 running with IP anonymisation enabled. Either way, we look at figures in aggregate only: total visits, popular pages, broad geographic split. We do not build profiles of individual readers, we do not sell data to anyone, and there are no third-party advertising pixels on this site.

9. Your Rights as a Data Subject

UK GDPR gives you a set of rights over personal information we hold. Here is what each one means in practice:

1. Access (Art. 15) — ask us to send you a copy of whatever data we hold about you.
2. Rectification (Art. 16) — tell us to correct anything that is wrong.
3. Erasure (Art. 17) — ask us to delete your data, unless a legal obligation prevents it.
4. Restriction (Art. 18) — ask us to put processing on hold while a dispute is sorted out.
5. Portability (Art. 20) — get your data in a format you can take somewhere else.
6. Object (Art. 21) — tell us to stop processing based on legitimate interests.
7. Withdraw consent — change your mind at any time; it does not affect anything that happened before.

Email [email protected] to exercise any of these rights. We will get back to you within 30 calendar days, as required by UK data-protection law.

10. Keeping Your Data Safe

• Encrypted in transit — every page is delivered over HTTPS using 128-bit TLS so data cannot be intercepted in transit.
• Encrypted at rest — all storage volumes holding contact-form messages and subscriber records use AES-256 disk-level encryption.
• Strict access controls — only a small group of editors can reach the back end, and every account requires a unique strong passphrase plus two-factor authentication.
• Ongoing monitoring — access logs are reviewed on a regular basis and server software is patched promptly when updates are released.

If a breach happens that poses a real risk to you, we will tell the ICO within 72 hours and notify affected readers directly where the law says we must.

11. How Long We Hold Data

• Analytics records: 12 months from the point of collection, then either summarised in aggregate or deleted entirely.
• Server and access logs: up to 60 days, with longer retention permitted only where an active security investigation requires it.
• Contact-form messages: 18 months from the date of the last message in that exchange.
• Newsletter subscribers: for as long as you remain subscribed, then kept on a suppression list for 4 months to prevent accidental re-addition.
• Legally required records: for the minimum period set by the relevant UK statute and no longer.

12. Not Happy? Complain to the ICO

If you think we have handled your data badly, please come to us first — it is usually the fastest way to fix things. You also have the right to go straight to the UK data-protection regulator, the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Helpline: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

13. Sending Data Outside the UK

Some of the companies we work with — Plausible Analytics (hosted in the EU) and Mailgun (US-based email infrastructure) — may store or process data outside the United Kingdom. When that happens, we make sure one of the following safeguards is in place:

• The destination country benefits from a UK adequacy decision, meaning the ICO has confirmed it provides an equivalent level of protection;
• We have put in place an International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; and
• Where the situation calls for it, we apply additional technical safeguards such as end-to-end encryption or pseudonymisation.

14. Updates to This Notice

We review this notice whenever our practices change, when we bring in a new service, or when the law moves on. If the update is significant, the publication date at the top of the page changes and we flag the fact on our homepage for a couple of weeks. Carrying on using the site after a change means you accept the updated version. Take a look at our Terms of Use for related information.

15. Get in Touch

• Email: [email protected]
• Contact form: /uk/contact
• Website: penalty-paris.com

We will confirm receipt within 3 working days and deliver a full response within 30 calendar days, as required under UK GDPR.