You uploaded a passport photo, maybe a selfie, maybe a utility bill. The box turned green, your withdrawal cleared, and the whole thing vanished from view. Reasonable question follows: how long does Stake actually keep those files?
Here is the honest answer up front, because the rest of this article is built on it.
Stake.com does not publish a number.
The privacy policy says Stake.com will destroy or permanently de-identify the Personal Information it holds when it is no longer required for any purpose permitted under its legal or operational obligations. That is the whole retention commitment. There is no "five years," no "seven years," no schedule broken out by document type. It is an open-ended clause tied to obligations that Stake itself assesses.
Anyone who quotes you a specific figure for Stake.com is guessing, importing a number from a different company, or reading a different Stake entirely. That last one happens more than you would expect, and it is worth clearing up before going further.
Which Stake Are We Talking About
Search "Stake privacy policy retention" and you will get at least four unrelated companies. One is an Australian sharebroking platform that stores information for at least seven years under financial services law. One is a Dubai real estate business. One is a recruitment site with a one-year retention window.
None of those are the casino, and importing their numbers is how bad information spreads through this topic.
Stake.com is owned and operated by Medium Rare N.V., head office in Curaçao, licensed by the Curaçao Gaming Authority under licence number OGL/2024/1451/0918. That is the entity holding your documents, and its policy is the only one that governs your data.
Stake.us is a separate product on separate terms, and as it happens it is the one place in the Stake family where a real retention number exists. More on that below.
What Stake Actually Asks For
Stake runs verification in four levels rather than one gate. Each unlocks more of the platform, and each asks for more.
Level 1 is your full name, residential address, date of birth and age. This is required to create an account at all. Level 2 is a government-issued document: passport, national ID card, or driver's licence. A colour scan or photo showing all four corners, glare-free and readable. This is required before your first withdrawal. Level 3 is proof of address no older than six months. Bank statements, utility bills, tenancy agreements and tax letters are accepted. Mobile phone bills, internet invoices and medical records are not. Level 4 is proof of source of funds: salary slips, share sale records, inheritance documents, company sale agreements, crypto mining ledgers. All under six months old, showing name, address, issuer and date.Levels 1 and 2 apply to everyone who wants to cash out. Levels 3 and 4 are requested based on your deposit and withdrawal activity, which in practice means volume. Move enough money and they arrive.
There is a common belief that a crypto casino means no ID. It does not. Stake is a licensed operator, and the licence carries KYC and anti-money-laundering obligations that apply regardless of whether you funded the account with Bitcoin or a bank card. The friction is not absent, it is deferred to the withdrawal.
Two clauses in the terms of service are worth knowing here. Section 4.8 lets Stake request whatever KYC documentation it deems necessary at any time, and restrict service, payment or withdrawal until identity is sufficiently determined. Section 8.12 reserves the right to run additional verification on any withdrawal. Neither has a ceiling written into it.
Why It Is Not Deleted When the Check Passes
The instinct is that once verification clears, the evidence should go. The system confirmed you are who you said you are. Why keep the passport scan?
Auditability. A licensed operator does not just need to verify identity, it needs to prove later, to a regulator or auditor, that it verified identity correctly. If a gaming authority asks Medium Rare N.V. to demonstrate that a specific account holder was checked properly in March, "we deleted it, but trust us" does not survive the audit. The record has to exist.
That is the tension underneath this entire topic. Privacy principles push toward deleting data the moment its purpose is served. Compliance pushes toward keeping proof for years. Retention policy is the settlement between them, and the settlement is written mostly by law rather than company preference.
Which is also why "as long as required by our legal or operational obligations" is not necessarily a dodge. It is genuinely difficult to commit to a fixed number when the obligations vary by jurisdiction, by account, and by whether anything is under investigation. The problem is that it is unfalsifiable from the outside. You cannot check it, and you cannot plan around it.
The One Real Number in the Stake Family
Stake.us publishes something Stake.com does not.
If you complete a selfie or liveness check, facial recognition technology from a third-party provider compares your photo against your ID document, and that process collects biometric data. Stake.us states that biometric data is stored by the third-party provider under that provider's own privacy policy, and stored by Stake until the initial purpose for collecting it has been satisfied or within three years of your last interaction, whichever occurs first, provided there is no other legal obligation to retain it longer.
Three specific things are worth pulling out of that sentence.
"Whichever occurs first" is the good part. It is a genuine ceiling, not a floor. Most retention language sets a minimum and leaves the maximum open. This does the opposite. "Your last interaction" is the clock trigger, and it matters more than the number. Three years from your last interaction on a dormant account you never closed is three years from whenever you last logged in, not three years from today. An account you forgot about in 2023 is already most of the way through its window. An account you check quarterly resets the clock every quarter, indefinitely. "Provided we have no other legal obligation" is the escape hatch, and it is doing real work. If an AML obligation requires longer, the three years does not apply.Biometric data gets this treatment because it is regulated more tightly than other identity data. Illinois' Biometric Information Privacy Act and GDPR Article 9, which classifies biometrics as a special category, both impose obligations that ordinary document retention does not carry. The stricter rules produce the clearer commitment. That is not a coincidence, and it is the strongest argument that specific retention language is achievable when something forces the issue.
There is no equivalent published figure for your passport scan or your utility bill on Stake.com.
What "The Verification Details" Actually Covers
The phrase covers more than most people picture, and the pieces are not necessarily treated the same way.
The document images. The passport scan, the licence photo, the bank statement. Most sensitive, usually most tightly controlled. The extracted data. Name, date of birth, document number, expiry, address. This is what actually gets used for matching and screening, it is stored separately from the image, and it tends to persist in the account record even where images are handled differently. The verification metadata. When the check ran, which provider ran it, what came back, whether manual review triggered. This is the audit trail, and it is frequently the piece a regulator cares about most. The biometric template. Covered above, and the only category with a published number. Third-party check results. Sanctions screening, politically exposed person checks, adverse media results.An operator can plausibly purge the raw image relatively quickly while keeping extracted fields and metadata for years. That is defensible architecture, and it means "how long do they keep my documents" and "how long do they keep my data" are genuinely different questions. Stake.com's policy does not distinguish between them, so from the outside you cannot tell which is happening.
The Third-Party Layer
Verification is rarely built in-house. Operators integrate a specialist provider, which means your document may exist in two systems: the casino's and the provider's, governed by different policies and connected by a data processing agreement.
Stake.us's policy makes this explicit for biometrics, stating that the data is stored by the third-party provider in accordance with that provider's privacy policy, separately from Stake's own three-year window. Two retention clocks, two policies, one selfie.
Under GDPR terminology the operator is the data controller and the provider is the data processor. The controller instructs, the processor follows. In principle the provider deletes when told. In practice providers often have their own retention interests, including fraud pattern detection and their own regulatory obligations, and the agreement may permit retention on those grounds.
If you want a complete picture of where your passport scan lives, the operator's policy is the start, not the end.
Asking for Deletion
Stake states the position plainly: you can request to have your personal data deleted if Stake.com no longer has a legal reason to continue to process or store it, and this right is not guaranteed, because Stake cannot comply if it is subject to a legal obligation to store your data. Requests go to support@stake.com.
That is not evasion, it is how the framework works. GDPR Article 17 establishes a right to erasure, and Article 17(3) lists the exceptions. Compliance with a legal obligation is one of them. If an operator must retain KYC records under AML law, a deletion request does not override that. California's CCPA and CPRA work similarly.
What you can realistically get:
- Confirmation of what is held, via a data subject access request
- Deletion of anything not subject to a retention requirement, such as marketing preferences
- Correction of inaccurate information
- Deletion of the rest once the obligation lapses
What you will not get:
- Immediate deletion of KYC records from an active or recently closed account
- Removal of anything under legal hold
- Deletion of records tied to an open investigation
Given that Stake.com publishes no retention period, a DSAR is the more useful request of the two. A deletion request will return the legal-obligation answer. An access request returns an inventory of what is actually held, which is the only way to convert "as long as necessary" into something concrete for your specific account. It costs nothing and carries a one-month statutory response deadline under GDPR. Same email address either way.
Reading the Policy Yourself
If you want to evaluate this independently rather than take anyone's summary:
Find the retention section specifically. Not the summary at the top. On Stake.com it is short, which is itself the finding. Check what the clock measures from. "Three years" means nothing without a trigger. Last interaction, account closure and last transaction produce wildly different real durations, and last interaction is the most easily reset without noticing. Look for category distinctions. Better policies separate images from extracted data from metadata. A policy treating "personal information" as one undifferentiated block is telling you less than it appears to. Note the escape hatches. "As long as necessary," "where required by applicable law," "provided we have no other legal obligation." These are not automatically bad faith, since a policy has to cover legal holds. But they mean any stated period is a floor with a trapdoor, not a ceiling. Check which entity you are reading. Medium Rare N.V. for Stake.com. Not the sharebroker, not the real estate firm.Practical Steps
The Honest Summary
Stake.com holds your verification details for as long as it determines they are required under its legal and operational obligations. No published number, no schedule by document type, no external way to verify it. The one hard figure anywhere in the Stake family is Stake.us's three years from last interaction for biometric data, and even that carries a legal-obligation override.
Realistically, expect KYC records at a licensed operator to persist for years after your relationship ends. AML frameworks generally require it, and Stake's Curaçao licence carries those obligations. Whether that is three years or seven for your specific account is not something the policy will tell you. A DSAR might.
The broader point worth holding onto: this is not primarily a company decision. It is a legal requirement that companies implement, and the lever that moves it is regulatory rather than customer service. Understanding that difference is what separates a productive access request from an unproductive complaint. It is also why the vaguest possible retention language and full legal compliance are entirely compatible, which is the part most people find hardest to accept.
For more on Stake specifically, see the Stake stats hub and the Stake.com tools collection. If gambling is becoming a problem, our responsible gambling page lists support resources.