Privacy Policy

Last updated: 21 April 2026

This Privacy Policy explains how JoeFortune VIP AU ("we", "our", "the Site") collects, uses, stores and protects personal data belonging to visitors to mightymouth.co.nz. We are an independent information and review website — we are not an online casino, we do not accept bets or deposits, and we have no access to your casino accounts. Our data practices comply with the Australian Privacy Act 1988 and the thirteen Australian Privacy Principles (APPs). Questions or data requests: [email protected]. This policy took effect on 1 September 2023 and was last reviewed on 21 April 2026.

1. Who We Are

The operator of mightymouth.co.nz is JoeFortune VIP AU, an independent affiliate review business registered in Australia. Our site exists solely to provide editorial reviews, comparisons and guides to online casinos available to Australian players. We do not hold a gambling licence, we do not process gambling transactions, and we receive no payments from players. The data controller for all personal information collected through this site is reachable at [email protected].

Because we operate for an Australian audience, the Australian Privacy Act 1988 (Cth) governs our handling of personal information. The Act's thirteen APPs set out how we must collect, use, disclose and store personal data. Residents of the European Union who visit this site also benefit from protections equivalent to those provided under GDPR where technically feasible, and our third-party processors (Google) maintain EU Standard Contractual Clauses.

2. What Personal Data We Collect

A) Data You Provide Directly

If you use our contact form, we collect your name, email address, the subject line you choose, and the text of your message. We use this information solely to respond to your enquiry and do not add it to any marketing list. We do not collect payment card numbers, bank details, gambling account credentials, identity documents, passwords, or any financial information — those interactions happen directly between you and the casino you choose to visit.

B) Data Collected Automatically

When you visit mightymouth.co.nz, our server and analytics tools automatically record certain technical data. Each item collected has a specific, limited purpose:

IP address — used to determine approximate geographic location (country level) so we can display relevant Australian content, and to protect the site against DDoS attacks. Your IP is anonymised in our analytics system before storage.
Browser type and version (User-Agent) — used to optimise how pages render in Chrome, Safari, Firefox and Edge.
Operating system and device type — used to ensure the mobile-responsive layout works correctly on iOS and Android.
Pages visited and time spent — used in aggregate to understand which reviews and guides are most useful to readers. No individual browsing profiles are built.
Referrer URL — the page you came from (e.g. Google search results), used to understand traffic sources and improve our search visibility.
Browser language — used to confirm content is displayed in English (Australian) for AU-based visitors.
Screen resolution — used to test responsive design breakpoints so the site looks correct on all devices.

C) Cookies

We use cookies — small text files stored on your device — to remember consent choices, analyse traffic, and track affiliate link clicks. For the full list of every cookie we set (name, provider, purpose, duration), see our Cookie Policy. You can manage or revoke cookie consent at any time through your browser settings.

3. How We Use Your Data

Service provision and improvement: We analyse aggregate, anonymised page-view data to understand which casino reviews attract the most readers, so we can produce more useful content. No individual-level profiling is performed.

Analytics: We use Google Analytics 4 to measure traffic. GA4 receives an anonymised IP address (the last octet is zeroed before storage), session duration, pages visited, and device type. These data are aggregated and do not identify individuals. You can opt out of GA4 tracking by installing the Google Analytics Opt-Out Browser Add-on.

Affiliate link tracking: When you click a "Claim Bonus" or "Play Now" button, you pass through an affiliate tracking URL. The casino's partner network sets a cookie (e.g. btag or clickid) to record that the visit originated from our site. This cookie contains only a technical click identifier — not your name, email or any personal detail. For full explanation see our Affiliate Disclosure.

Security: Server logs (IP address, request timestamp, response code) are retained for 90 days to investigate potential DDoS attacks, scraping, and other security threats. After 90 days they are automatically deleted.

Communication: Contact form submissions are used solely to respond to your query. We do not add you to any mailing list based on a contact enquiry.

Legal obligations: We retain data for as long as required to comply with applicable Australian law, including responding to regulatory requests where legally compelled.

4. Legal Basis for Processing

Under APP 3 of the Australian Privacy Act 1988, we collect personal information only by lawful and fair means, and only if reasonably necessary for our functions. Our specific bases are:

Consent (cookies) — analytics and affiliate tracking cookies are set only after you accept via our cookie consent banner. You may withdraw consent at any time through your browser settings.
Legitimate interests (security and analytics) — we have a legitimate business interest in understanding our audience and protecting the site. This interest does not override your privacy rights; we use anonymised, aggregated data and apply IP anonymisation.
Performance of a task (contact form) — when you contact us, processing your name and email is necessary to respond to your query.
Legal obligation — server logs are retained for 90 days to enable us to investigate and report security incidents as required by applicable Australian law.

5. Who We Share Data With

We do not sell, rent or trade personal information to any third party. We do not pass your data to advertising networks for targeted advertising. We do not share data directly with casinos — the only way a casino obtains your information is if you visit their site and register there yourself. The third parties who receive limited data as part of normal site operation are:

Google LLC (Google Analytics 4, Google Search Console) — receives anonymised analytics data (no personally identifiable information after IP anonymisation). Google LLC is based in the USA; data transfers are covered by the EU Standard Contractual Clauses adopted by Google, and by Google's participation in the EU-US Data Privacy Framework. Privacy policy: policies.google.com/privacy.
Cloudflare Inc. — our CDN and DDoS-protection provider receives all HTTP requests as they pass through the Cloudflare network. Cloudflare retains request logs for a maximum of 30 days. Privacy policy: cloudflare.com/privacypolicy.
Affiliate partner networks (Income Access, NetRefer, SoftSwiss Affiliates) — when you click an affiliate link, the relevant network records a click event containing a unique click ID, a timestamp, and your country (derived from IP at country level). No name, email or other personal data is included. The click ID is retained for 30–90 days, then deleted.
Hetzner Online GmbH (hosting) — our web server is hosted on Hetzner infrastructure in the EU (Germany). Hetzner processes server access logs containing IP addresses; these are covered by a data processing agreement. Hetzner privacy: hetzner.com/legal/privacy-policy.

6. Data Retention

We keep different categories of data for different periods based on their purpose:

Contact form data — retained for 12 months from the date of the last interaction, then permanently deleted. If you ask us to delete your data earlier, we will do so within 30 days.
Server security logs — retained for 90 days, then automatically purged from our hosting provider's systems.
Google Analytics data — the _ga cookie persists for 2 years; _gid for 24 hours. Aggregated analytics reports are retained indefinitely in a non-identifiable form. See Cookie Policy for the full cookie list.
Affiliate tracking cookies — set by casino partner networks for 30–90 days depending on the network's standard terms.

After any retention period expires, data is either permanently deleted or irreversibly anonymised — we do not retain identifiable data beyond what is necessary.

Visit Joe Fortune →

7. Your Rights Under the Australian Privacy Act

The Australian Privacy Act 1988 gives you the following rights regarding personal information we hold about you:

Access (APP 12) — you may request a copy of all personal information we hold about you. We will respond within 30 days. We do not charge a fee for access requests.
Correction (APP 13) — if any personal information we hold is inaccurate, incomplete or out of date, you may request we correct it. We will do so within 30 days or provide written reasons if we cannot.
Deletion — you may ask us to delete your personal data. We will comply unless we are required by law to retain it (e.g. for security incident records within the 90-day retention window).
Withdraw consent — if we are processing your data based on consent (e.g. analytics cookies), you may withdraw that consent at any time by adjusting your browser settings. Withdrawal does not affect the lawfulness of any processing that occurred before withdrawal.
Complain to the OAIC — if you believe we have mishandled your personal information, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.

To exercise any right, write to [email protected]. We will acknowledge your request within 72 hours and resolve it within 30 days.

8. Security Measures

All connections to mightymouth.co.nz are encrypted using TLS 1.2/1.3 (256-bit AES encryption). The padlock icon in your browser confirms the connection is secure. Our hosting environment at Hetzner uses encrypted storage and is access-controlled. Administrative access to our server and CMS requires two-factor authentication (2FA); no single individual can access or modify data without two separate authentication factors being satisfied. We conduct dependency and security updates monthly to patch known vulnerabilities. Automated backups are taken daily and stored in an encrypted offsite location for 14 days.

No online system is 100% immune to attack. In the event of a data breach that is likely to result in serious harm, we will notify the OAIC and affected individuals as required under Part IIIC of the Privacy Act (Notifiable Data Breaches scheme).

9. Children and Minors

This site is intended exclusively for persons aged 18 years and over. We do not knowingly collect personal information from anyone under 18. If we discover that data from a minor has been submitted through our contact form or any other means, we will delete it immediately and without exception. If you believe a child has provided us with personal data, please contact [email protected] immediately and we will act within 48 hours. For information on keeping children safe from gambling content, see our Responsible Gambling page.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our data practices, technology, or applicable law. The "Last updated" date at the top of this page always reflects when the policy was most recently revised. We will post a notice on the Site homepage whenever we make material changes. Continued use of the site after the updated policy is posted constitutes your acknowledgement of the changes. For significant changes affecting your rights, we will take additional steps to notify you where possible.

For any questions about this policy or our data practices, contact us at [email protected] or visit our Contact page. Our Cookie Policy provides further detail on the specific cookies we use.