Privacy Policy
What 3 Patti Blue, the Operator, actually stores about you — and what we do not. Effective 11 May 2026.
Quick Facts
- Data controller: 3 Patti Blue Pakistan (Operator) — 3-patti-blue.pk
- Data we hold: Account · KYC · Balance · Transactions · Gameplay logs · Support tickets
- Data we do not hold: Card numbers · Browsing history outside our app · Location below city level · Contacts list · Device microphone · Health data
- Selling data: We do not sell player data — period
- Privacy Officer: [email protected] · response within 7 business days
- Framework cited: PECA 2016 · SBP digital-wallet rules · PTA mobile-rules
1. What This Page Covers
This Privacy Policy applies to the website 3-patti-blue.pk, the 3 Patti Blue Android APK, and any subdomain or supporting service we operate. It does not apply to Easypaisa or JazzCash — when you authorise a deposit, the wallet operator becomes a separate data controller from that point on, and their privacy policy governs the wallet leg.
It also does not apply to third-party review sites or APK aggregators that may list 3 Patti Blue. We have no control over what those sites collect about visitors who land on them. If a review site makes claims about our privacy policy or claims to share data with us, that claim is not binding on us — please refer back to this page for what is actually true.
2. What 3 Patti Blue Stores About You
Operator transparency, plainly: here is the full data inventory.
Account & profile. Mobile number (used as login). Display name. Profile photo (optional, uploaded by player). Time-zone (Asia/Karachi by default). Preferred language (English or Urdu).
KYC. CNIC photo (front + back) once at first KYC. Selfie hash (raw image deleted within 7 days of match). Wallet ownership confirmation from Easypaisa or JazzCash gateway. Date of birth (derived from CNIC). All KYC fields are encrypted at rest.
Balance & transactions. Current real-cash balance (PKR). Bonus balance (separate). All deposit and withdrawal events with timestamp, wallet leg, and gateway reference. Outstanding bonus-wagering progress.
Gameplay logs. Every hand played in every game, the seed-derived shuffle, the bet placed, the resolution, the next-card RNG draw. Stored for 90 days at full granularity, then aggregated.
Support & account events. Support tickets opened by you (with our written replies). Limit changes. Self-exclusion events. Login events with IP-derived city (not coordinates) and device model (Infinix XYZ, Tecno Spark, Samsung Galaxy A-series, etc.). KYC submission timestamps.
Outbound consent flags. Whether you have opted into in-app push notifications, marketing email (off by default), and SMS reminders (off by default).
3. What 3 Patti Blue Does Not Store
Not stored. Card or bank details (we do not run a card rail). Browsing history outside the app or this site. Location data below city level (no GPS coordinates, no exact lat-long). Your phone's contact list. Microphone audio. Camera video unless you actively initiate a KYC selfie. Health or biometric data outside the one-shot CNIC face-match. Family-member CNICs. SMS contents. Browser bookmarks. Cookies on third-party sites. Period.
If a future product change requires collecting any of the items above, the change is announced 14 days in advance with explicit re-consent — not buried in a Terms update.
4. Why We Hold What We Hold (Lawful Basis)
Each category of data has a single, declared reason:
| Data category | Why we hold it |
| --- | --- |
| Account & profile | Necessary to operate the player account and let you log in |
| KYC documents | Required by SBP / PTA digital-wallet rules and our own anti-mule controls |
| Balance & transactions | Required to settle deposits and withdrawals; required by financial-services record-keeping rules |
| Gameplay logs | Required to investigate disputes (a player may request a hand-resolution log) |
| Support tickets | Required to deliver support and meet our published 24-hour first-reply SLA |
| Outbound consent flags | Required so we know what notifications you are willing to receive |
None of the categories are held for "future product use" speculatively. If we cannot point to a current operational need, we delete.
5. Cookies, Analytics, and the Web Side
The website (this page, the homepage, the blog) uses a small set of first-party cookies for session and preference storage, plus Google Analytics 4 (GA4) for traffic measurement. GA4 is configured in IP-anonymized mode, with a 14-month retention window — meaning Google itself purges visitor-level data after that.
What we do not run on the web side: third-party advertising cookies, retargeting pixels, social-media share trackers, or session-recording tools. The web side stays light on purpose — fewer scripts mean a faster site on Zong 4G or Jazz 4G evening congestion.
If you want to disable GA4 entirely, your browser's "Do Not Track" header is honoured — we do not record visits when DNT is on. iOS Safari Private Mode is also honoured.
6. Cross-Border Data Transfer
Player data primarily sits inside Pakistan — at our Karachi commercial-bank partner (for balance leg) and on Pakistani-resident game servers (for game state). The web side and GA4 transit Cloudflare's nearest-edge caches, which for Pakistani users typically resolve to Karachi or Lahore points-of-presence and onward to Singapore for non-cached content.
Email infrastructure (the four mailboxes ending in @3-patti-blue.pk) is hosted on a US-based provider with EU-grade encryption at rest and TLS in transit. Email content is not used for player-data analytics.
Pakistan does not yet have a unified data-protection statute equivalent to the EU's GDPR — though a draft bill has been under discussion since 2018. Until such a statute passes, we voluntarily apply GDPR-equivalent transfer safeguards (Standard Contractual Clauses, SCCs) for any provider whose servers sit outside Pakistan.
7. Under-18 Policy
Strictly 18+. CNIC verifies age at first KYC. An account that fails the 18+ check at CNIC is closed on the spot, the deposited balance returns to the originating wallet within 3 business days, and the CNIC photo and selfie hash are deleted from our store within 14 days (we keep only an anonymized "closed-for-age" flag against the CNIC hash, to prevent re-registration).
If a parent suspects a minor in their household has installed 3 Patti Blue under a relative's CNIC, please write to [email protected] with the suspected mobile number. We investigate within 5 business days and act if substantiated. The quarterly anonymized count of underage-misuse closures is published on our blog.
8. Retention Windows
Each data type has a published retention window:
| Data type | Retention while account active | After account closure |
| --- | --- | --- |
| Account profile | Active | 30 days, then deleted |
| KYC documents | Active | 5 years (SBP-mandated minimum), then deleted |
| Transaction ledger | Active | 5 years, then deleted |
| Gameplay logs (full granularity) | 90 days rolling | Aggregated to monthly anonymized stats; raw deleted |
| Support tickets | Active | 14 months, then deleted |
| Marketing consent flags | Active | Deleted on closure (no marketing to closed accounts) |
| Self-exclusion record | Active | Permanent for permanent self-exclusion (so it cannot be re-opened); 5 years for time-limited self-exclusion |
"Deleted" means cryptographically erased — not soft-deleted, not flagged. The retention windows above run from the day the account is closed, not from the last action.
9. Your Rights as a Player
Under PECA 2016 consumer-protection rules and our voluntary GDPR-style framework, every Pakistani player on 3 Patti Blue has these six rights. They are honoured free of charge, with one written reply within 7 business days.
- Right to know what we hold about you. Email [email protected] with the CNIC last-4 and registered mobile number — we send a structured export within 7 business days.
- Right to correct any inaccurate field (display name, language preference, time-zone). Most fields are self-service in-app; for KYC corrections we need supporting documents.
- Right to delete your account. The closure flow is in-app (Settings → Account → Close Account). Data retention windows above kick in from the closure date.
- Right to restrict processing — for example, opt out of marketing email or SMS reminders. In-app self-service.
- Right to portability — receive your data in a machine-readable JSON format. Same email channel as right 1.
- Right to object — to any processing you find unjustified. The Privacy Officer reviews and responds within 7 business days; if denied, the reasons are written.
10. Security Practices
Practical, plainly stated. KYC and balance data are encrypted at rest with AES-256, with keys held in a hardware security module separate from the application servers. Application-to-database communication runs over TLS 1.3. Player passwords are hashed with bcrypt (cost factor 12). Login sessions expire after 30 days of inactivity, or sooner on an account with a session timeout set.
We run an internal security review on every release. Critical patches are deployed within 24 hours of disclosure for any CVE rated 8.0 or higher in our dependency stack. We have not had a player-data breach since launch in 2024 — and we will publish the fact, with the affected count and what we did, within 7 days of any future breach.
11. Updates and Privacy Officer Contact
Material changes to this Privacy Policy (anything that affects what we collect, why, or for how long) are announced 14 days in advance on the in-app news feed and the blog. Cosmetic edits are made silently and the "Last reviewed" date is updated.
Privacy questions, data requests, breach reports, or rights exercises:
Last reviewed: 11 May 2026 · Page maintainer: Privacy Officer, 3 Patti Blue Pakistan · 6-month review cadence · Approx. 2,500 words.