Locance
Active competitorLocationSmart rebrand (~2021). Cloud-first SaaS geo. 7+ Ontario operators. No desktop plugin.
Detection scorecard
How Locance handles every spoofing technique we test for. Click any cell for findings.
| Competitor | VPN | Proxy | Remote access | Fake GPS app | GPS spoofer | Emulator | Device farm | Jailbreak / Root | Resigned / tampered app | Sideload (PlayCover) | Browser extension | MITM / replay | Tor |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Strongest findings
Failed and partial test outcomes ranked for sales impact — what to lean on in a call.
- MISSED
Locance (LocationSmart) / Luxury Casino Ontario: cross-border play, RDP, and Android VPN gaps; Mac VPN blocked
Full Locance (LocationSmart) integration validation on Luxury Casino Ontario found cross-border wagering possible for multiple kilometres between Ontario and Quebec, remote control via TeamViewer / AnyDesk / HopToDesk undetected on desktop and Android, and Android VPN usage completely unblocked. Mac VPN was detected; iOS blocked VPN access but surfaced no error messaging. Near-border iOS behaviour mis-located users 100–150 m from the Quebec boundary.
LocanceLuxury Casino
Boundary crossingRemote access - MISSED
Locance (LocationSmart) / Luxury Casino Ontario: remote-access block fails on a single retry; iAnyGo GPS spoof undetected
A remote-access retest of Locance (LocationSmart) on Luxury Casino Ontario, run from Tennessee. Remote access via TeamViewer & AnyDesk: an initial geolocation check errored, but after a single retry access was granted and bets were placed — the block did not hold on the second attempt. GPS location spoofing (iAnyGo): blocked only indirectly — Luxury Casino requires a Canadian VPN to load and that VPN was flagged as a proxy; the GPS spoof itself triggered no detection.
LocanceLuxury Casino
Remote accessFake GPS app - MISSED
Locance (LocationSmart) Ontario: real-money deposit with no identity check + detection rules exposed in API
Testing of Locance in Ontario surfaced two issues: a tester completed account registration and a real-money Interac deposit without any identity or location verification — a step that should be mandatory under Ontario iGaming rules — and, when connecting from a Singapore IP, the API response named the exact detection rules that fired (e.g. 'IP proxy detected', 'IP hosting provider'), handing an attacker a map of what to evade.
Locance
ComplianceProxy
All findings
Test results and intel tagged to Locance.
- Locance (LocationSmart) / Luxury Casino Ontario: cross-border play, RDP, and Android VPN gaps; Mac VPN blockedFull Locance (LocationSmart) integration validation on Luxury Casino Ontario found cross-border wagering possible for multiple kilometres between Ontario and Quebec, remote control via TeamViewer / AnyDesk / HopToDesk undetected on desktop and Android, and Android VPN usage completely unblocked. Mac VPN was detected; iOS blocked VPN access but surfaced no error messaging. Near-border iOS behaviour mis-located users 100–150 m from the Quebec boundary.
- Locance (LocationSmart) / Luxury Casino Ontario: remote-access block fails on a single retry; iAnyGo GPS spoof undetectedA remote-access retest of Locance (LocationSmart) on Luxury Casino Ontario, run from Tennessee. Remote access via TeamViewer & AnyDesk: an initial geolocation check errored, but after a single retry access was granted and bets were placed — the block did not hold on the second attempt. GPS location spoofing (iAnyGo): blocked only indirectly — Luxury Casino requires a Canadian VPN to load and that VPN was flagged as a proxy; the GPS spoof itself triggered no detection.
- Locance (LocationSmart) Ontario: real-money deposit with no identity check + detection rules exposed in APITesting of Locance in Ontario surfaced two issues: a tester completed account registration and a real-money Interac deposit without any identity or location verification — a step that should be mandatory under Ontario iGaming rules — and, when connecting from a Singapore IP, the API response named the exact detection rules that fired (e.g. 'IP proxy detected', 'IP hosting provider'), handing an attacker a map of what to evade.
Battle card
Talking points for a live sales call.
Locance (founded ~2005 as LocationSmart, rebranded ~2021) is a cloud-first geolocation platform that has served the Ontario iGaming market since 2023. It competes primarily on its no-download / no-plugin story, a fast 2–3 day integration claim, and rapid CSM-managed rule changes (hours, no code). The product is iGaming-exclusive on the gaming side and is actively expanding into tribal gaming, sweepstakes, prediction markets (Kalshi, Polymarket), and Alberta. Historical baggage matters: the 2019 LocationSmart breach leaked real-time location data of all major US carriers and the company was a tracking source for Securus's illegal law-enforcement tracking.
Watch out for
- First cloud-based geo-compliance claim (NJ + DE, LocationSmart era).
- Sub-5-day integration narrative; rapid CSM-managed rule changes (emergency: hours, no code).
- Ontario iGaming operator base since 2023 — LeoVegas, Royal Panda, Betway, Luxury Casino, Cadtree, Jackpot City.
- Modular session architecture — operators can buy location-only or location + device profiling.
- Geographic-demand analytics in the sportsbook FAQ — early signs of a GeoComply Edge equivalent.
How we win
- No desktop plugin at all — cannot operate in PLC-required US states (PA, NJ, MS, etc.).
- JSON response format with visible flag names — gives fraudsters a detection roadmap vs GeoComply's encrypted XML.
- All spoof testing remains UNVALIDATED: FLA, RDP (AnyDesk/TeamViewer/FaceTime), root/jailbreak, and emulator detection have not been tested by us yet — #1 research priority.
- Luxury Casino ON (Feb 23, 2026, CIV-17) allowed deposit BEFORE documents verified — compliance concern.
- OAuth 2.0 Client Credentials → bearer token (accessTokenExpiresAt) — standard enterprise auth, weaker per-session control than GeoComply's license-string model.
- 2019 LocationSmart breach + Securus association are documented historical risk events that should surface in every competitive conversation.
- Geographic footprint claim: all confirmed gaming clients are Ontario; US gaming presence is limited to historical NJ/DE lottery (LocationSmart era).
- POST-request bypass (DTAP-48): requesting JSON instead of XML bypassed opt-in location data protection entirely (confirmed internal research).
Capability claims
What they say they do, grouped by category. Cross-check against the detection scorecard above — claims and tests don't always match.
Geolocation
How accurately and reliably the product determines a user's real location.
- GPS / OS locationUses native device GPS or OS-level location services.● Yesverified
Mobile SDK (iOS, Android) + browser JS SDK + REST API.
- Wi-Fi triangulation● Yesinferredstale
- IP geolocation● Yesverifiedstale
Marketed 99.9999% IP coverage.
- IP-change detectionContinuously monitors IP and re-runs geolocation on Wi-Fi ↔ cellular or VPN swap (GeoComply MyIP equivalent).· Unknownrumor
Not publicly confirmed; no published IP-change monitoring mechanism.
- Boundary / state-lineHandles users moving across regulated boundaries during an active session.◐ Partialverified
Boundary cross handling lacks published spec.
- Near-border accuracyMulti-point aggregation + buffer-zone handling near regulated borders; measured as pass rate at 250m.· Unknownrumorstale
Not published; testing priority.
- Pre-login pre-check◐ Partialinferredstale
- Multi-jurisdictionSingle integration handling operators in multiple regulated states (GeoComply Multipass / Dynamic Boundaries equivalent).◐ Partialinferredstale
Modular session architecture lets operators buy per-jurisdiction; not the same as Multipass / Dynamic Boundaries.
- Desktop plugin (PLC-class)Native desktop client / plugin required by PA, NJ, MS and most US iGaming regulators.○ Noverified
No desktop plugin at all. Cannot operate in PLC-required US states.
- On-property BLE geofenceBluetooth Low Energy precision geofencing for tribal / on-property venues (PinPoint-class).○ Noverifiedstale
Anti-spoofing detection
Detection coverage for the spoof vectors tested by the Competitive Intelligence team. Cell values reflect SDK-level detection of the listed vector at the most recently tested operator.
- VPN exit nodesDetects commercial VPN exit nodes (NordVPN, ExpressVPN, Surfshark, etc.).◐ Partialverified
Claims VPN/proxy/anonymizer detection; no published DB size or refresh cadence.
- Proxy / residentialDetects datacenter and residential proxies — the harder class of IP obfuscation.◐ Partialinferredstale
- Tor exits· Unknownrumorstale
- Remote desktop (RDP)Detects AnyDesk, TeamViewer, FaceTime, Assistant, HopToDesk, iPhone screen mirroring, RustDesk and similar remote-control sessions.· Unknownrumor
Claims remote-access detection; AnyDesk/TeamViewer/FaceTime/Assistant unvalidated — #1 research priority.
- Fake-location appsDetects iAnyGo / Fake GPS / mock-location apps on iOS and Android.· Unknownrumorstale
Unvalidated — research priority.
- Hardware GPS spooferDetects HackRF / BladeRF and GPS-simulator-device signal injection.◐ Partialinferredstale
Claims GPS-spoofing detection in marketing.
- Emulator / VMDetects Xcode iOS Simulator, BlueStacks, Genymotion and similar virtual environments.· Unknownrumorstale
Claims emulator/VM detection — unvalidated.
- Device farm / VMOSDetects VMOS / virtualized Android device-farm environments used for multi-accounting.· Unknownrumorstale
- Jailbreak / rootDetects jailbroken iOS, rooted Android (incl. Magisk hidden root), and Frida / runtime-hook tampering.· Unknownrumorstale
Claims device-manipulation detection — unvalidated.
- Resigned / tampered appDetects iOS apps that have been re-signed / Android apps that have been repackaged with injected code.· Unknownrumorstale
Not yet tested — Alberta-launch retest priority (Apr 28 + May 5 + May 11 syncs).
- Sideload (PlayCover)Detects ARM-macOS iOS sideloading via PlayCover and equivalent hardware-abstraction loaders.· Unknownrumorstale
- Browser extension spoofDetects Chrome / browser extensions that spoof location (Location Guard, Hola, etc.).· Unknownrumorstale
- Session terminationTerminates session when location services are disabled mid-game or device leaves the jurisdiction.· Unknownrumorstale
- MITM / replay attackResists network-level interception, request tampering, and replay attacks against the SDK ↔ backend channel.· Unknownrumorstale
Identity & KYC
Document verification, biometric liveness, sanctions screening.
- Document scan / OCR○ Noverifiedstale
Not a Locance product.
- Biometric liveness○ Noverifiedstale
- Sanctions / PEP○ Noverifiedstale
- AML / responsible gaming○ Noverifiedstale
- Reusable identity· Unknowninferredstale
Platform coverage
Which surfaces the SDK / product runs on.
- iOS native● Yesverifiedstale
- Android native● Yesverifiedstale
- Web / browser● Yesverifiedstale
Browser JS SDK is the primary 'no-download' sales wedge.
- React Native· Unknownrumorstale
- Flutter· Unknownrumorstale
- Unity· Unknowninferredstale
- .NET / desktop○ Noverifiedstale
No desktop plugin equivalent.
- Server-side API● Yesverifiedstale
REST API.
Compliance & certification
Regulatory coverage and certifications.
- US state-licensed (iGaming/sportsbook)○ Noverified
No PLC equivalent — cannot operate in PLC-required US iGaming states. Historical NJ/DE lottery presence under LocationSmart only.
- US tribal / on-property○ Noinferredstale
Active expansion pitch (Indian Gaming Tradeshow 2026); no confirmed deployments.
- Canadian provincial● Yesverifiedstale
Ontario iGaming since 2023.
- European (MGA/UKGC)○ Noinferredstale
- LatAm (Brazil SPA)○ Noinferredstale
- SOC 2 Type II· Unknowninferredstale
- ISO 27001· Unknowninferredstale
- GLI-certified· Unknownrumorstale
Fraud & device intelligence
Device fingerprinting, IP intelligence, behavioral signals, account-takeover detection.
- Device fingerprint◐ Partialinferredstale
Device Profile API exists; depth not independently validated.
- IP intelligence DBMaintained DB of VPN / TOR / proxy / hijacked-residential IPs with documented refresh cadence (GeoGuard equivalent).◐ Partialinferredstale
Marketing claims VPN/proxy detection; no published DB size.
- Behavioral signals◐ Partialrumorstale
Claims behavioral biometrics.
- Velocity / impossible travel◐ Partialinferredstale
Claims impossible-travel detection.
- Bot detection· Unknowninferredstale
- Account takeover◐ Partialinferredstale
- Chargeback mgmt○ Noverifiedstale
Ops & integration
How easy the product is to integrate, observe, and operate.
- Self-serve onboarding· Unknowninferredstale
- Case management UI◐ Partialinferredstale
- Webhook delivery● Yesinferredstale
- Real-time API● Yesverifiedstale
- Analytics dashboard◐ Partialinferredstale
- Audit log export◐ Partialinferredstale
- Encrypted responseDetection flag names hidden from the end user (GeoComply uses encrypted XML; most challengers expose JSON flag names).○ Noverified
JSON over HTTPS; flag names visible. POST-request JSON bypass confirmed internally (DTAP-48). Re-confirmed in Apr 28 monthly brief: 'a fraudster can reverse-engineer exactly what triggered a block'.
- SDK hardeningSDK is signed, obfuscated, and license-bound — not findable / patchable to inject coordinates client-side.· Unknownrumorstale
Check count unpublished; SDK hardening posture not yet validated.
Commercial
Pricing model and go-to-market shape.
- Usage-based pricing● Yesinferredstale
Cloud/SaaS API; specific pricing not public.
- Flat license / enterprise◐ Partialinferredstale
- Free tier / trial· Unknowninferredstale
- Publicly listed pricing○ Noverifiedstale
- Bundled with platformGeo is bundled inside a broader platform deal (OpenBet, GeoLocs/Mkodo, Playtech).○ Noverifiedstale
Modular session architecture — operators choose session type per call.
Resources
Briefings, source docs, and external links.
Case study (1)
- Locance (LocationSmart) Competitive Intelligence Brief — April 2026docs.google.com
Primary briefing — Ontario footprint, 2019 breach, Securus history, JSON-vs-XML POST bypass (DTAP-48).
Drive doc (1)
- Locance — Full competitive datadocs.google.com
Capability matrix + tested behaviors (CIV-17 Luxury Casino notes).
Website (1)
News (1)
- 2019 LocationSmart breachkrebsonsecurity.com
Historical context: real-time location data leaked for all major US carriers without user consent. Locance's FAQ now explicitly states 'Locance does not sell location data' — a direct counter.
Drive folder (1)
2019 data breach — LocationSmart leaked real-time location data of all major US carriers without user consent. Securus association — LocationSmart was a tracking source for Securus's illegal law-enforcement tracking. POST-request bypass — requesting JSON instead of XML bypassed opt-in location protection entirely (internal DTAP-48). Surface these events in any competitive conversation where Locance is in the mix.
Confirmed gaming clients (April 2026)
| Operator | Segment | Market | Notes |
|---|---|---|---|
| LeoVegas | Casino / iGaming | Ontario | Geo compliance |
| Royal Panda | Casino / iGaming | Ontario | Geo compliance |
| Cadtree Limited (multi-brand) | Casino / iGaming | Ontario | Geo compliance |
| Betway | Sportsbook + casino | Ontario | Geo compliance |
| Luxury Casino | Casino | Ontario | Tested Feb 23, 2026 (CIV-17) — deposit allowed BEFORE documents verified. |
| Jackpot City | Casino | Ontario | Observed Apr 2024 |
| Gamesys (Virgin/Tropicana) | Casino / gaming | NJ (historical 2016–17) | Carrier-based geo fallback |
| Unnamed "leading platform provider" | Multi-op | US multi-state + international | Multi-jurisdiction compliance |
All confirmed gaming clients are in Ontario, Canada. US footprint is limited to historical LocationSmart-era lottery; post-2023 US client list is unvalidated and a research priority.
Strategic risks
- No-download / no-plugin pitch. Creates real friction at the integration-decision point for operators tired of PLC install rates. Sub-5-day integration narrative restructures the time-to-market conversation.
- Modular session architecture. Operators may pick the cheapest session type (location only) and skip device profiling — reducing fraud coverage. GeoComply bundles 820+ checks by default.
- Geographic-demand analytics (visible in sportsbook FAQ) is a partial GeoComply Edge replication — monitor whether this becomes a real product pitch.
- Active expansion targets. Tribal gaming (Indian Gaming Tradeshow 2026), sweepstakes, prediction markets (Kalshi, Polymarket), Alberta — all segments GeoComply serves or is moving into.
- The 2019 breach + Securus history is a permanent talking point. Locance's FAQ now explicitly says "Locance does not sell location data" — that disclaimer exists because of the history.
- Alberta-launch retest [CRITICAL — action now]. May 5 + May 11 weekly syncs both put "Ontario Competitor Analysis — Mkodo + LocationSmart retest in anticipation of Alberta launch" as the top Field Testing priority. Betting Hero's May 5 scope adds "Locance (LocationSmart) — Full Validation" and "first-ever Locance spoofing tests (RDP, FLA, emulator, JSON flag exposure)" is in the 15-ticket queue (Apr 28 monthly brief).