Privacy Policy

1. Data Controller

The data controller responsible for your personal data is Fahri Mert Gundogan, operating under the trading name infwrite, developer and operator of Scrum Poker Online (scrumpokerplay.com). Contact: contact@scrumpokerplay.com. For GDPR purposes, Fahri Mert Gundogan acts as the data controller for all personal data processed by this Service.

2. Data We Collect

We collect only the data necessary to provide the Service:

• Account data: Name, email address, password (stored as a bcrypt hash — never in plain text). Collected when you register.
• Profile data: Avatar selection. Stored in your account.
• Session data: Room creation events, vote values, chat messages. Chat and vote data are held in server memory during the session only and deleted 1 hour after the room becomes empty. They are not persisted to the database.
• Payment data: Billing is handled entirely by Paddle, our Merchant of Record. We receive only a subscription status (active/cancelled) and a Paddle customer ID. We never see or store your card number, CVV, or full billing address.
• OAuth data: If you sign in with Google or GitHub, we receive your name and email from that provider. No other data is retrieved.
• Technical data: Browser type and language preference (stored in localStorage on your device). We do not collect IP addresses for analytics or advertising.

3. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases under GDPR Article 6:

• Contract performance (Art. 6(1)(b)): Processing your account data and subscription status is necessary to provide the Service you have signed up for.
• Legitimate interest (Art. 6(1)(f)): We process minimal technical data (browser type, language preference) to ensure the Service functions correctly and to debug issues. This interest does not override your fundamental rights.
• Legal obligation (Art. 6(1)(c)): We may process or retain data where required by applicable law.
• Consent (Art. 6(1)(a)): Where we rely on consent (e.g. optional features), you may withdraw consent at any time without affecting the lawfulness of prior processing.

4. How We Use Your Data

• To create and authenticate your account.
• To provide real-time planning poker sessions.
• To manage your subscription and communicate subscription-related events (renewal, cancellation).
• To debug technical issues and improve the Service.
• We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in Section 6.

5. Data Retention

• Account data: Retained for as long as your account exists. When you delete your account, all account data (name, email, hashed password, subscription status) is permanently deleted from our database within 30 days.
• Session data (votes, chat): Deleted from server memory 1 hour after the room becomes empty. Not stored in the database.
• Payment records: Paddle retains payment transaction records as required by financial regulations. We do not control this retention period.
• Backups: Deleted account data may persist in encrypted database backups for up to 30 days before those backups are rotated and permanently destroyed.

6. Third-Party Services

We share data with the following sub-processors only to the extent necessary to operate the Service:

• Cloudflare, Inc. (USA): Provides DNS, CDN, and DDoS protection. Your IP address passes through Cloudflare infrastructure. Cloudflare is certified under the EU–US Data Privacy Framework.
• Paddle.com Market Limited (UK): Our Merchant of Record for payments. Paddle processes all billing data under their own privacy policy and is responsible for GDPR compliance regarding payment data. See paddle.com/legal/privacy.
• Google LLC (USA): Optional OAuth sign-in provider. If used, Google receives your sign-in request and shares your name and email with us. Subject to Google's Privacy Policy.
• GitHub, Inc. (USA): Optional OAuth sign-in provider. If used, GitHub shares your name and email with us. Subject to GitHub's Privacy Policy.
• Our hosting provider: The database and application server are hosted on infrastructure within the EU.

7. International Data Transfers

Our primary database and application server are located within the European Union. Some sub-processors (Cloudflare, Google, GitHub) are based in the United States. Where personal data is transferred outside the EEA, we rely on the EU–US Data Privacy Framework (where applicable) or Standard Contractual Clauses (SCCs) adopted by the European Commission to ensure an adequate level of protection.

8. Cookies and Local Storage

We use the following storage mechanisms:

• Session cookie: A secure, HTTP-only cookie used to maintain your login session. This is strictly necessary and does not require consent under the ePrivacy Directive.
• localStorage: Used on your device to store your language preference and guest profile settings. This data never leaves your device.
• We do not use advertising cookies, analytics cookies, or any third-party tracking pixels.

9. Children's Privacy

The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are under 16, please do not use the Service or submit any personal data. If we become aware that we have collected data from a child under 16 without parental consent, we will delete it promptly. Parents or guardians who believe their child has provided data should contact us at contact@scrumpokerplay.com.

10. Your Rights

If you are in the European Economic Area, UK, or another jurisdiction with applicable data protection law, you have the following rights:

• Right of access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17 GDPR): Request deletion of your personal data ("right to be forgotten"). You can also delete your account directly from the app.
• Right to restriction of processing (Art. 18 GDPR): Request that we limit how we use your data in certain circumstances.
• Right to data portability (Art. 20 GDPR): Request your data in a structured, machine-readable format.
• Right to object (Art. 21 GDPR): Object to processing based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence. In the EU, find your authority at edpb.europa.eu/about-edpb/about-edpb/members_en.
• To exercise any of these rights, contact: contact@scrumpokerplay.com. We will respond within 30 days.

11. Security

We implement industry-standard technical and organisational measures to protect your data:

• All data in transit is encrypted using TLS (HTTPS). HTTP requests are permanently redirected to HTTPS.
• Passwords are hashed with bcrypt (work factor 12). Plain-text passwords are never stored or logged.
• Sessions are managed with signed, HTTP-only JWT cookies with short expiry.
• Security headers are enforced: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options.
• Database access is restricted to application servers via private networking.
• Despite these measures, no system is 100% secure. In the event of a data breach affecting your rights, we will notify you without undue delay as required by GDPR Art. 34.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we will notify registered users by email. Continued use of the Service after a change constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions, requests, or complaints: contact@scrumpokerplay.com. We aim to respond within 5 business days.