What we collect
You can use Play Scrum Poker Online without creating an account. In that case, we store only the display name you choose and a randomly generated avatar seed. We create an anonymous guest profile linked to an HttpOnly cookie so we can recognise you across page refreshes and sessions. If you create a permanent account, we additionally store your email address, a hashed password (for email accounts), your sign-in provider (Google or email), and any passkey credentials you register. We also store the rooms you host or participate in, including round history, linked to your profile.How we use your data
Your display name and votes are shared with other participants in the same room in real time. Your email address is used only to send transactional messages you explicitly request, such as password reset emails or a welcome message when you create an account. We do not use any data for advertising, profiling, or any purpose beyond operating the service.Cookies
We set one first-party HttpOnly cookie named pp_pid. It holds your profile identifier and is used to keep you signed in for up to 90 days. It is not a tracking cookie and contains no personally identifiable information beyond the opaque profile ID. We do not use any third-party cookies or advertising cookies.Data retention
Guest profiles that have not been active for 7 days are automatically deleted, along with all associated room data. Permanent accounts persist until you delete them. You can permanently delete your account at any time from your profile page. Room data and round history are deleted when you delete your account, or when a hosted room is manually deleted.Third-party services
We use Supabase to store data and deliver real-time room updates. We use Resend to send transactional emails (password reset and welcome messages). Avatar images are generated on-demand using the DiceBear API with your avatar seed. We do not use analytics providers, advertising networks, or any other tracking services.Data security
All communication between your browser and our servers is encrypted via HTTPS. Passwords are hashed before storage and never transmitted in plain text. Passkey credentials are stored as public keys only; your biometric data never leaves your device. We apply server-side validation on all inputs. No system is completely secure and we cannot guarantee absolute security.Your rights
If you are located in the European Economic Area, United Kingdom, or California, you may have rights under applicable law (including GDPR and CCPA) to access, correct, or erase your data; to restrict or object to processing; to data portability; and to withdraw consent. You can delete all data associated with your account directly from the profile page. For any other requests or questions, contact us at [email protected] and we will respond within 30 days.Changes to this policy
We may update this policy from time to time. The date at the top of this page reflects the most recent revision. We will notify users of any material changes by posting a prominent notice in the app before the changes take effect.