
Privacy Policy

Last updated May 27, 2026

This policy explains what personal data planpokr.app processes, why, how long we keep it, and the rights you have over it. It applies to everyone with a planpokr account: the members of the organisations and teams that use the Service. We keep the legalese light because we still process very little about you.

In one paragraph: planpokr is an account-based tool for teams. To use it we process your email, display name, and OAuth provider identifier, plus the organisation and team you belong to. We don't sell your data, we don't train AI on it, we don't set third-party tracking cookies, and we don't share it with advertisers.

On this page

  1. Who controls your data
  2. What we process and why
  3. Accounts, organisations, and teams
  4. What we do not collect
  5. How long we keep it
  6. Third-party processors
  7. International transfers
  8. Your rights
  9. Security
  10. Children
  11. Cookies and browser storage
  12. Changes to this policy
  13. Contact

1. Who controls your data

The data controller is the operator of planpokr.app. The service operator is currently an independent maintainer based in Ukraine; this notice will be updated when a registered legal entity is established. You can reach us about anything in this policy at privacy@planpokr.app.

2. What we process and why

Category | What it is | Why | Lawful basis (GDPR Art. 6)
Identity | Display name you type when joining a room | So other participants can recognise you | Contract (Art. 6(1)(b)): you ask to join the room
Device identifier | Anonymous random ID (nanoid) we generate in your browser | Restore your session if you reload or switch rooms | Legitimate interest (Art. 6(1)(f)): service continuity
Room content | Room title, story titles, votes, final estimate | The product itself: this is the planning poker | Contract (Art. 6(1)(b))
Infrastructure logs | IP address, user agent, request path, Cloudflare ray ID, error traces | Operate the Service, prevent abuse, debug incidents, enforce rate limits | Legitimate interest (Art. 6(1)(f)): security and reliability
Product analytics | Aggregate counts of rooms / rounds / votes, deployment SHA, no personal identifiers | Understand product usage in aggregate | Legitimate interest (Art. 6(1)(f)): product improvement

3. Accounts, organisations, and teams

Using planpokr requires an account. When you sign up (to manage an organisation, invite colleagues, and run estimation rooms), we additionally process:

Category | What it is | Why | Lawful basis
Account identity | Email address, display name, optional avatar URL, OAuth provider identifier (Google / GitHub / Microsoft sub-claim) when you sign in with a provider | Create and authenticate your account; gate access to private organisation data | Contract (Art. 6(1)(b))
Session credentials | Short-lived JWT access cookie (15 min, __Host-auth.session) and rotating refresh token (30 day, __Host-auth.refresh) stored hashed in our database | Keep you signed in safely; rotate credentials on every refresh | Contract (Art. 6(1)(b))
Magic-link tokens | Email-bound one-time tokens, hashed in our database; deleted on first use or after 15 min | Passwordless email sign-in | Contract (Art. 6(1)(b))
Organisation data | Org name, slug, billing plan, team names, member rosters, role assignments (owner / admin / billing / team-lead), invitation tokens, team-scoped rooms | Run the multi-tenant product for your team. Org members can see one another's display names, roles, and team rosters | Contract (Art. 6(1)(b))
Audit log | Records of org-level actions (create / invite / remove member, role change, team rename, deletion), with actor user id, timestamp, IP, and user-agent | Security and accountability: let org owners answer “who did what when” | Legitimate interest (Art. 6(1)(f))

Controller / processor model. When you create an organisation, you (the org owner) become the data controller for personal data about that organisation's members and rooms. planpokr.app acts as a processor for that data under Art. 28 GDPR. We process it on your instructions and only to operate the Service. You decide who you invite and what they can see; we decide nothing about your members on our own initiative.

4. What we do not collect

  • No passwords. We never store account passwords. Sign-in is via OAuth (Google / GitHub / Microsoft) or one-time magic links.
  • No payment-card numbers. That's handled by Stripe when paid plans launch.
  • No social-network identifiers, biometrics, or location.
  • No third-party advertising or cross-site tracking pixels. Cloudflare Web Analytics, which we use, is cookieless and does not fingerprint visitors.
  • No AI training on your data. Your room content, votes, and audit logs are not used to train any model.

5. How long we keep it

  • Room metadata, participants, rounds, votes: kept for up to 365 days after the last activity in the room, then purged.
  • Refresh tokens: hashed and stored for up to 30 days; rotated on every use; revoked on sign-out. Expired tokens are hard-deleted on a daily schedule.
  • Magic-link tokens: stored hashed; deleted on first use or after 15 minutes, whichever comes first.
  • Audit log: retained 90 days on Free / Pro plans; 1 year on Enterprise.
  • Invitation tokens: expire in 7 days; expired rows hard-deleted by a daily purge job.
  • Soft-deleted organisations: 30-day grace period, recoverable on owner request, hard-deleted after.
  • Account on user-initiated delete: removed within 30 days, including audit-log redaction for non-actionable identifiers (we keep a tombstone row so audit history remains coherent for other org members).
  • Browser storage (display name, device id, room session, theme): lives on your device until you clear it. We never see its contents directly.
  • Infrastructure logs: retained at the Cloudflare-platform default (typically 30 days for Workers Logs).

6. Third-party processors

We use the following processors to deliver the Service. They handle data on our behalf under written contracts that include EU Standard Contractual Clauses where applicable:

  • Cloudflare, Inc.: edge compute (Workers), database (D1), realtime broadcast (Durable Objects), object storage (R2, used for optional avatar uploads), email forwarding, DNS, TLS, DDoS protection, cookieless Web Analytics, Workers Analytics Engine. Cloudflare runs from a global network of points of presence with an EU-region option for stored data.
  • Resend, Inc.: transactional email delivery (magic-link sign-in, organisation invitations). Processes recipient address and email body for the duration required to deliver the message.
  • OAuth identity providers: when you choose to sign in with one, we share only the OAuth handshake (we never see your provider password):
    • Google LLC (Google Sign-In)
    • GitHub, Inc. (GitHub OAuth)
    • Microsoft Corporation (Microsoft Entra / Azure AD)
    These providers return your email, display name, and an opaque subject identifier. We do not request additional scopes.
  • GitHub, Inc.: source code hosting and CI (does not see runtime traffic).

We do not use third-party advertising networks, analytics tools that profile individuals, or session-replay tools. When paid plans launch, Stripe will be added as a processor for billing data; this notice will be updated before the change goes live.

7. International transfers

The Service runs on Cloudflare's global network. Edge requests may be served and infrastructure logs may be processed in regions outside your country, including the United States. Cloudflare offers EU SCCs and an EU-resident option for stored data (D1, KV, R2 in our region selection). We rely on these mechanisms for transfers outside the EEA / UK.

8. Your rights

If you are in the EEA, UK, Switzerland, or a US state with a comprehensive privacy law (California / Colorado / Connecticut / Virginia / Utah and similar), you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate data, e.g. correct your display name in-room;
  • erase data we hold about you (“right to be forgotten”);
  • restrict or object to processing based on legitimate interest;
  • receive a copy of your data in a portable format (data portability);
  • withdraw consent where processing is based on consent (we currently rely on contract and legitimate interest, not consent, but if that changes, you can withdraw at any time).

How to exercise these rights:

  • Local session data: clear browser storage for planpokr.app to erase the local device id + display name used for room sessions, and email privacy@planpokr.app for server-side erasure of rooms your team created.
  • If you have an account: you can review your profile (email, display name, avatar, locale) in account settings. To export or delete your account, email privacy@planpokr.app from the address on file. Note: if you are the last owner of an organisation, you must transfer ownership or delete the organisation first, so that the remaining members are not left orphaned. Deletion completes within 30 days; audit-log entries that name you are redacted to a tombstone so other org members' histories stay coherent.
  • If you are an organisation member (not the owner), you can ask your org owner or admin to remove you; they have admin tools for this. If they don't respond, you may also email us and we'll mediate.

You also have the right to lodge a complaint with your local supervisory authority (in the EU, the list is at edpb.europa.eu).

9. Security

Traffic is encrypted in transit (TLS 1.2+ enforced by Cloudflare, HSTS preloaded). Room passwords are hashed with bcrypt; refresh and magic-link tokens are stored as SHA-256 hashes; OAuth flows use PKCE. Session cookies use __Host- prefixes, Secure, HttpOnly, and SameSite=Lax; CSRF is mitigated by SameSite policy and Auth.js's state token. The Service is protected by Cloudflare WAF, rate limiting, geo-blocking of sanctioned regions, and a strict Content Security Policy. No system is perfectly secure, but we treat security as a first-class engineering concern. See our source code.

10. Children

The Service is not directed at, and we do not knowingly process personal data of, individuals under 16. If you believe a child has provided us data, please email privacy@planpokr.app and we will delete it.

11. Cookies and browser storage

Detailed list in the Cookie & Storage Policy. Short version: no third-party tracking; all browser storage is strictly functional.

12. Changes to this policy

We may update this policy. The “last updated” date at the top reflects the latest version. Material changes will be highlighted at the top of this page for at least thirty days.

13. Contact

Privacy questions or requests: privacy@planpokr.app.

© 2026 planpokr · Realtime estimation for agile teams.
