burger icon
William Hill United Kingdom
Log In

Privacy Policy

This Privacy Policy explains how William Hill, acting through its William Hill operation and the website williemhils.com (the "Site"), collects, uses, shares, and protects personal data of players and other visitors. It applies to all users who access or use the gambling and related services we provide through williemhils.com from the United Kingdom and, where applicable, from other jurisdictions. This Privacy Policy is effective from 1 January 2026 and replaces any previous version relating to williemhils.com.

Who We Are

Controller Identity

The primary controller of your personal data in relation to William Hill services offered via williemhils.com is:

  • Legal entity: WHG (International) Limited
  • Trading name: William Hill (William Hill section of williemhils.com)
  • Legal form: Limited company
  • Head office address: 6/1 Waterport Place, Gibraltar, GX11 1AA
  • UK remote gambling licence: 39225, issued by the UK Gambling Commission (UKGC)
  • Non-UK remote licences: RGL 034 and RGL 042, issued by the Gibraltar Government (for non-UK customers)
  • Parent group: Evoke plc (formerly 888 Holdings), listed on the London Stock Exchange

For UK players, WHG (International) Limited is licensed and regulated by the UK Gambling Commission. The public register entry for licence 39225 can be consulted at the UKGC website.

Data Protection Contact

We have appointed a data protection function to oversee questions in relation to this Privacy Policy and our data processing activities.

  • Data Protection Officer (DPO): Data Protection Officer, WHG (International) Limited
  • Email: privacy@williemhils.com
  • Postal contact (privacy matters): Data Protection Officer, WHG (International) Limited, 6/1 Waterport Place, Gibraltar, GX11 1AA
  • Online contact: via the "Contact Us" or "Help" section of https://williemhils.com

You may contact the DPO or our data protection team at any time if you have questions about this Privacy Policy or wish to exercise your data protection rights.

What Personal Data We Collect

Identification and Contact Data

When you register, verify your account, use William Hill services or contact us, we may collect:

  • Identity data: full name, username, date of birth, gender, nationality, proof of identity (e.g. copies or data from passports, ID cards, driving licences), and proof of address (e.g. utility bills, bank statements).
  • Contact data: email address, postal address, country of residence, telephone and mobile numbers, preferred language of communication.
  • Account data: account number, security questions and answers, login history, preferred settings, communication preferences.

Regulatory and Verification Data

To meet our obligations under UK gambling, anti-money laundering (AML) and counter-terrorist financing laws, and similar rules in Gibraltar and other applicable jurisdictions, we may also collect:

  • KYC/AML data: information obtained from identity verification services, sanctions and politically exposed person (PEP) screening, income and affordability information, source of funds and source of wealth details where required.
  • Responsible gambling data: self-exclusion status, time-out choices, deposit and loss limits, behavioural markers of harm, internal risk flags and notes related to safer gambling interactions.

Financial and Transaction Data

  • Payment data: partial payment card details (masked card number, expiry date), cardholder name, bank account identifiers, payment wallet identifiers (e.g. e-wallet accounts), transaction identifiers, payment authorisation information.
  • Betting and gaming data: betting history, wagers placed, wins and losses, bonuses and promotions used, account balance movements, deposits and withdrawals, currency, and relevant taxation or reporting information where required by law.

Technical and Usage Data

  • Technical data: IP address, device identifiers, operating system, browser type and version, time zone setting, language settings, mobile network information, approximate location derived from IP.
  • Log and usage data: pages visited, clickstream and navigation paths, session duration, response times, game loading errors, interaction with customer support, and other diagnostic data that helps us maintain and improve our services.

Behavioral and Profiling Data

  • Behavioural data: patterns of play, frequency and timing of bets, preferred games and markets, stakes levels, session duration, interactions with marketing communications.
  • Profiling data: segments or scores we generate for responsible gambling monitoring, fraud and AML risk, and marketing relevance (for example, high-risk behaviour flags, preferred product categories).

Cookies and Similar Technologies

We use cookies, web beacons, pixels, SDKs and similar technologies on williemhils.com to collect information about your device and how you use the Site. This may include:

  • Cookie identifiers: unique IDs assigned to your browser or device.
  • Analytics data: aggregated statistics about page views, traffic sources, conversions, and interactions with banners or messages.
  • Advertising data: information about how you interact with our adverts on our Site and on third-party websites or apps.

Further details are provided in the "Cookies & Tracking Technologies" section and in any dedicated cookie information displayed on the Site.

Legal Basis for Processing

Overview of Legal Bases

We process personal data in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and, where applicable, the EU GDPR and other local laws (including Mexican data protection legislation for users located in Mexico). Depending on the context, we rely on one or more of the following legal grounds:

  • Contract performance: to create, administer and operate your William Hill account on williemhils.com, to accept bets, settle wagers, process payments, provide customer support and deliver other services you request. Without this data we cannot provide our services.
  • Compliance with legal obligations: to meet our obligations under gambling regulation, AML and counter-terrorist financing rules, safer gambling and affordability requirements, tax, accounting and financial reporting laws, as well as data protection and consumer protection laws.
  • Legitimate interests: to run, manage and improve our business (e.g. ensuring network and information security, preventing fraud and abuse, defending legal claims, understanding how customers use our services, tailoring content), provided that our interests are not overridden by your rights and freedoms.
  • Consent: for certain marketing activities (such as email, SMS or push notifications where consent is required), for some categories of cookies and similar technologies, and for processing that goes beyond what is necessary for our services or legal/legitimate interests. You can withdraw your consent at any time as described below.
  • Vital interests: in rare situations, to protect your vital interests or those of another person, for example if we need to share information with emergency services in connection with severe self-harm risks.

Where we rely on legitimate interests, we carry out and document a balancing test to ensure that our processing is proportionate and that your privacy interests are adequately protected.

Purpose of Processing

Provision of Services and Account Management

  • Operating your account: to register you as a customer, verify your age and identity, manage access credentials, maintain your profile and preferences, and provide customer support related to William Hill services on williemhils.com.
  • Accepting and settling bets: to process bets and wagers, determine results, credit winnings, deduct stakes and fees, administer bonuses and promotions, and manage in-play betting and cash-out functions where available.

Regulatory, AML and Responsible Gambling

  • Legal and regulatory compliance: to meet obligations imposed by the UKGC, Gibraltar authorities and other regulators, including KYC checks, affordability and source of funds checks, transaction monitoring, record-keeping and reporting.
  • Responsible gambling and player protection: to monitor gambling behaviour, identify potential markers of harm, apply limits or restrictions, manage self-exclusions and time-outs, and communicate safer gambling messages as required.

Security, Fraud Prevention and Business Protection

  • Fraud and risk management: to prevent, detect and investigate fraud, money laundering, abuse of promotions, chargebacks, account takeovers, technical attacks and other unlawful or improper activities.
  • Security and integrity of services: to secure systems and data, maintain technical logs, perform incident response, testing and troubleshooting, and ensure the stable operation of williemhils.com.

Analytics, Service Improvement and Personalisation

  • Analytics and reporting: to analyse how users interact with our Site and products, improve user journeys, develop new features and offerings, and compile anonymised or aggregated statistics.
  • Personalisation: to tailor content, odds presentation, game suggestions and user experience based on your preferences and historical behaviour, subject to applicable legal requirements and your choices.

Marketing and Relationship Management

  • Direct marketing: to send you information about William Hill offers, bonuses, promotions, competitions and services related to William Hill via email, SMS, phone, in-account messaging or push notifications, where we are permitted to do so under UK GDPR, PECR and other applicable rules.
  • Advertising and measurement: to measure the effectiveness of our campaigns, avoid sending irrelevant or excessive communications, and, where permitted, use cookies and similar technologies to deliver and measure targeted advertising.

Legal Claims and Corporate Transactions

  • Handling disputes and claims: to prevent, prepare for, or respond to complaints, regulatory enquiries, audits, litigation or other legal proceedings.
  • Corporate transactions: in the context of mergers, acquisitions, reorganisations, financing or sale of parts of our business, where it is necessary to share information with prospective or actual buyers and their advisers under strict confidentiality safeguards.

Disclosure & Sharing

Service Providers and Business Partners

We share personal data with carefully selected third parties that help us operate William Hill services on williemhils.com. These recipients are bound by contractual obligations to protect your data and process it only on our instructions:

  • Payment partners: banks, card schemes, payment processors, e-wallet providers and other financial institutions involved in processing deposits, withdrawals and refunds.
  • Verification, KYC and AML providers: identity verification services, credit reference agencies, sanctions and PEP screening providers, fraud prevention agencies and address verification tools.
  • Technology and hosting providers: cloud infrastructure, data centre providers, content delivery networks, IT support, customer service platforms and communication tools.
  • Analytics and marketing vendors: analytics tools, advertising networks, campaign management platforms and customer relationship management systems, where permitted by law and your preferences.

Group Companies and Corporate Structure

  • Group sharing: we may share your data with other entities within the Evoke plc group, including entities supporting William Hill operations, for centralised compliance, risk management, IT, analytics, reporting, and customer support.
  • Intragroup safeguards: group companies only access data to the extent necessary for their assigned functions and are subject to equivalent data protection obligations.

Regulators, Authorities and Dispute Bodies

  • Regulators and authorities: we may share data with the UK Gambling Commission, Gibraltar authorities, tax authorities, law enforcement agencies, courts, and other governmental or supervisory bodies when required by law or regulation.
  • Anti-fraud and crime prevention bodies: where legally permitted, we may exchange information with other operators, industry bodies and fraud prevention organisations to combat criminal activity and protect the integrity of gambling.
  • Alternative dispute resolution: gambling-related disputes may be referred to the Independent Betting Adjudication Service (IBAS) or another approved ADR body. While IBAS typically handles betting disputes rather than privacy matters, we may share relevant account and transaction information with them where necessary to handle such disputes.

Other Disclosures

  • Corporate transactions: in the event of a merger, acquisition, sale of assets, restructuring or insolvency, your data may be disclosed to prospective or actual purchasers and their advisers, subject to appropriate confidentiality protections.
  • With your consent: where you explicitly consent to transfer your data to a third party (for example, for co-branded promotions), we will share data as described at the time of consent.

International Transfers

Locations of Processing

Your personal data may be processed and stored in the United Kingdom, Gibraltar, the European Economic Area (EEA) and other countries where our service providers, group companies, or partners are located. These countries may have different data protection standards than those in your country of residence.

Transfer Safeguards

Where we transfer personal data outside of the UK and/or EEA, we ensure that an adequate level of protection is provided by implementing one or more of the following safeguards:

  • Adequacy regulations or decisions: transfers to territories which have been formally recognised as providing an adequate level of protection for personal data under UK or EU law (for example, Gibraltar for UK purposes).
  • Standard Contractual Clauses (SCCs) and UK IDTA/Addendum: we use approved contractual clauses and, where applicable, the UK International Data Transfer Agreement or Addendum, which impose data protection obligations on recipients.
  • Intragroup agreements: for transfers within the Evoke plc group, we rely on intragroup data transfer agreements incorporating SCCs and equivalent safeguards.
  • Additional safeguards: where appropriate, we apply technical and organisational measures (such as encryption and access controls) and conduct transfer impact assessments, especially where data may be accessed from countries without adequacy decisions.

We do not rely on the former EU - US Privacy Shield framework as a standalone basis for transfers. Where we transfer data to the United States or other third countries, we do so using SCCs and any successor frameworks or mechanisms recognised under UK and EU law, supplemented by additional safeguards where necessary.

Data Retention

General Retention Principles

We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, including compliance with legal, regulatory, accounting or reporting requirements. When determining appropriate retention periods, we consider the nature and sensitivity of the data, potential risks from unauthorised use or disclosure, the purposes for which we process it, and applicable legal requirements (including UKGC and AML rules).

Indicative Retention Periods

  • Account and identification data: normally retained for the duration of your active account and then for up to five (5) years after account closure, unless a longer period (for example, up to seven years) is required by AML, tax or regulatory obligations or necessary for the establishment, exercise or defence of legal claims.
  • Transaction and betting data: betting history, payment records and related logs are typically retained for at least five (5) years from the date of the relevant transaction or account closure, in line with AML and gambling regulatory requirements.
  • Responsible gambling records: self-exclusion records, safer gambling interactions and affordability assessments may be retained for as long as needed to protect you and comply with regulatory expectations, generally for at least five (5) years after the end of the relevant exclusion or intervention.
  • Marketing and preference data: retained while you remain opted-in to marketing and for a short period after you opt out (to record your preference and ensure you no longer receive marketing), normally not longer than two (2) years after your last active interaction with our marketing.
  • Technical and security logs: stored for varying periods depending on their use, typically between six (6) months and five (5) years, to ensure security, investigate incidents and comply with legal obligations.

Deletion, Anonymisation and Archiving

When data is no longer required, we will either securely delete it or anonymise it so that it can no longer be associated with you. Anonymised information may be retained and used for statistical, analytical and reporting purposes. In certain cases we may need to archive data for legal or regulatory reasons, in which case access will be strictly limited.

Your Rights

Rights Under UK GDPR and, Where Applicable, EU GDPR

Subject to conditions and exceptions in the UK GDPR and, where applicable, the EU GDPR, you have the following rights in relation to your personal data:

  • Right of access: to obtain confirmation of whether we process your personal data and to receive a copy of that data, together with information about how we use it.
  • Right to rectification: to have inaccurate or incomplete personal data corrected or completed. You can update certain details directly in your williemhils.com account.
  • Right to erasure ("right to be forgotten"): to request deletion of your personal data where there is no compelling reason for us to continue processing it, for example where the data is no longer necessary for the purposes for which it was collected or you have withdrawn consent. This right may be limited where we must retain data to comply with legal or regulatory obligations (such as AML and gambling regulations).
  • Right to restriction of processing: to request that we suspend processing in certain circumstances, for example while we verify accuracy or consider an objection.
  • Right to object: to object to processing based on our legitimate interests, including profiling, on grounds relating to your particular situation. You also have an absolute right to object to processing of your data for direct marketing purposes.
  • Right to data portability: to receive certain personal data in a structured, commonly used and machine-readable format and to have that data transmitted to another controller where technically feasible.
  • Right not to be subject to automated decisions: to request human intervention and to challenge decisions that are based solely on automated processing, including profiling, which produce legal or similarly significant effects.
  • Right to withdraw consent: where processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Additional Alignment With Mexican Privacy Law

For users located in Mexico, we also take into account the principles and rights under the Federal Law on Protection of Personal Data Held by Private Parties and its regulations. In addition to the rights above, you may exercise ARCO rights (Acceso, Rectificación, Cancelación y Oposición) as follows:

  • Access: to know which of your personal data we hold, how we use it, and the conditions of processing.
  • Rectification: to request correction of your data when it is inaccurate or incomplete.
  • Cancellation: to request that we stop processing and delete your data when it is no longer needed for the purposes described or where processing is unlawful, subject to legal retention obligations similar to those described above.
  • Opposition: to oppose the use of your data for specific purposes, such as marketing, where such processing is not required by law or contract.

How to Exercise Your Rights

  • Submitting a request: you can exercise your rights by contacting our DPO at privacy@williemhils.com or via the "Contact Us" section of williemhils.com. Please provide sufficient information to identify yourself and your account, and describe the right you wish to exercise.
  • Response timeframe: we aim to respond to all valid requests within one (1) month of receipt under UK GDPR and EU GDPR. This period may be extended by a further two months where necessary due to complexity or number of requests, in which case we will inform you. For users in Mexico, we will generally respond within the timeframes specified in local law (typically within 20 business days, extendable in certain cases).
  • Fees: requests are normally free of charge. We may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests, for example repeated or abusive submissions.
  • Verification: we may need to request additional information to verify your identity before we can act on your request, especially for access, portability, or sensitive changes.

Cookies & Tracking Technologies

Types of Cookies We Use

  • Strictly necessary cookies: session and persistent cookies required for the operation of williemhils.com, such as those that enable you to log in, navigate the Site, place bets and keep your selections in a bet slip. These cookies cannot be switched off in our systems and are usually set only in response to your actions.
  • Functional cookies: cookies that remember your choices (such as language, region, odds format, login preferences) to provide enhanced, more personalised features.
  • Analytics and performance cookies: first-party or third-party cookies that collect information about how visitors use our Site, for example which pages are most visited, how users move around the Site, and whether they encounter error messages. This helps us improve performance and usability.
  • Advertising and targeting cookies: cookies set by us or third-party partners to build a profile of your interests and show you relevant adverts on our Site or on other sites and apps. These cookies may track your browsing across different websites and devices.

Other Tracking Technologies

In addition to cookies, we may use tracking pixels, web beacons, software development kits (SDKs) and similar technologies in our emails, mobile apps and web pages to understand whether communications have been opened, links clicked, and how users interact with our content.

Managing Cookies and Preferences

  • Cookie banner and tools: when you first visit williemhils.com and periodically thereafter, we may display a cookie banner or preference centre that allows you to accept or reject non-essential cookies (such as analytics and advertising cookies).
  • Browser settings: most browsers allow you to manage cookies, including blocking or deleting them, through their settings. Please note that blocking some cookies may impact your ability to use certain features or access secure areas of the Site.
  • Opt-out from marketing cookies: where applicable, you may also opt out of certain advertising cookies via industry tools or through settings offered by our advertising partners. Details may be provided in our cookie information on the Site.

Data Security

Technical and Organisational Measures

We take the security of your personal data extremely seriously, particularly given the heightened regulatory scrutiny applied to licensed gambling operators. In line with UKGC requirements and industry best practice, we implement a range of technical and organisational measures designed to protect your data against unauthorised access, accidental loss, disclosure or destruction, including:

  • Encryption in transit: data transmitted between your browser or device and williemhils.com is protected using Transport Layer Security (TLS) protocols (TLS 1.2 or higher), supported by SSL certificates issued by reputable certificate authorities.
  • Encryption at rest: where appropriate, personal data and sensitive information (such as authentication credentials and payment details) are stored using strong encryption and hashing algorithms.
  • Access controls and authentication: access to systems containing personal data is restricted on a need-to-know basis, protected by strong authentication mechanisms, and regularly reviewed. Multi-factor authentication is implemented for critical administrative access where feasible.
  • Network and infrastructure security: firewalls, intrusion detection and prevention systems, anti-malware tools, and security monitoring help protect our infrastructure and detect potential threats.
  • Security audits and testing: we conduct regular security assessments, vulnerability scans and penetration tests, and we work with external specialists where appropriate to evaluate the robustness of our controls.
  • Policies and training: we maintain internal data protection and information security policies, and we provide staff training on privacy, data protection, AML, responsible gambling and security obligations.

Incident Response

We maintain incident response and business continuity procedures to handle suspected or actual personal data breaches. Where required by law, we will notify the relevant supervisory authority (such as the UK Information Commissioner's Office) and, where appropriate, affected individuals without undue delay. We also maintain medium-level fund protection arrangements under UKGC rules, including measures such as segregated accounts or insurance arrangements, to safeguard customer funds in the event of insolvency, although these are not guaranteed in all circumstances.

Complaints & Contacts

Contacting Us

If you have any questions, concerns or complaints about how we handle your personal data in connection with the William Hill services on williemhils.com, you should first contact us so that we can try to resolve the issue:

  • Email: privacy@williemhils.com
  • Online: via the "Contact Us" or "Help" section on https://williemhils.com
  • Post: Data Protection Officer, WHG (International) Limited, 6/1 Waterport Place, Gibraltar, GX11 1AA

Internal Complaint Handling Procedure

  1. Submission: send your complaint with a clear description of your concerns and any relevant account information using one of the channels above.
  2. Acknowledgement: we will acknowledge receipt of your complaint as soon as reasonably practicable, typically within a few working days.
  3. Investigation: your complaint will be reviewed by relevant teams (for example, data protection, customer support, compliance). We may contact you for additional information if needed.
  4. Response: we aim to provide a substantive response within one (1) month of receiving your complaint. If your complaint is particularly complex or we receive numerous requests, we may need more time, in which case we will keep you informed.
  5. Further steps: if you remain dissatisfied after our response, you may be able to escalate the matter to a supervisory authority or seek other legal remedies as described below.

Supervisory Authorities and External Escalation

  • United Kingdom: If you are located in the UK or your complaint relates to processing subject to UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom; website: https://ico.org.uk.
  • European Union/EEA: If the EU GDPR applies to our processing of your data, you may lodge a complaint with the supervisory authority in your habitual residence, place of work or place of the alleged infringement.
  • Mexico: If you are located in Mexico and your complaint relates to processing subject to Mexican law, you may contact the Mexican data protection authority, the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI). Further information is available at https://www.inai.org.mx.

Please note that gambling-related transactional disputes (for example, about bet settlement) may be handled via our complaints process and, where appropriate, escalated to IBAS or another approved alternative dispute resolution (ADR) body. This is separate from data protection complaints, which are handled as described in this section.

Updates

Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our services, in the William Hill operations on williemhils.com, in applicable laws, or in regulatory guidance. When we make material changes, we will take appropriate steps to inform you in advance where required by law.

Notification Methods

  • On-site notices: we may display banners, pop-up notices or in-account messages on williemhils.com describing the change.
  • Email or electronic communication: if you have an active account, we may send you an email or secure account message summarising significant changes.
  • Updated documentation: the latest version of this Privacy Policy will always be available at https://williemhils.com/privacy.

Effective Date, Advance Notice and Changelog

The "Last updated" date at the end of this document indicates when this Privacy Policy was most recently revised. For significant changes that materially affect your rights or the way we process your data, we will, where reasonably practicable, provide at least 30 days' advance notice before the new terms take effect. If you do not agree with the updated Privacy Policy, you may close your account and stop using the William Hill services on williemhils.com. Continued use of the services after the effective date of an updated Privacy Policy indicates your acceptance of the changes.

Last updated: January 2026