Privacy Policy
How we collect, use, and protect your information.
Introduction
Welcome to Scrum Poker Game (“scrumpokergame.com”, “we”, “our”, or “us”). We are committed to protecting your privacy and being transparent about how we handle information when you use our real-time planning poker service.
Our service is designed with privacy by default. We do not require account creation, email addresses, or any personal identifying information to use our platform. This policy explains what minimal data we do collect and why.
Our service runs on infrastructure we operate directly, including self-hosted database, authentication, and analytics software. Your data is not transferred to any third-party cloud provider or commercial SaaS vendor.
Information We Collect
We collect the minimum amount of information necessary to provide our planning poker service:
- Anonymous Session ID — A randomly generated UUID assigned automatically when you visit the site. This is not linked to any personal identity.
- Display Name — The name you choose when creating or joining a poker room. This can be any name and does not need to be your real name.
- Room Name — The title you give to a poker room when creating one.
- Votes — Story point estimates you submit during planning poker sessions.
How We Use Your Information
We process the information described above based on our legitimate interest (GDPR Art. 6(1)(f)) in operating and securing the service, and on the necessity of performing the service you request when you join a room (Art. 6(1)(b)). The information is used solely for the following purposes:
- Providing the Service — Enabling real-time planning poker sessions, vote synchronization, and team collaboration.
- Session Management — Maintaining your active session within a poker room using anonymous authentication.
- Security & Rate Limiting — Protecting the service from abuse by enforcing rate limits and anti-bot measures. IP addresses are used transiently for rate limiting and are not stored permanently.
- Service Improvement — Aggregated, anonymized analytics data (via Plausible) helps us understand how the service is used and where to improve. No opt-in is required as Plausible does not collect personal data.
We do not sell, rent, or share your information with third parties for marketing purposes.
Cookies & Local Storage
We use a minimal set of strictly necessary cookies and local storage entries for essential functionality. No tracking or advertising cookies are used.
| Name | Type | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | Cookie (Necessary) | Anonymous session authentication | 1 hour |
| scrumpoker-theme | Local Storage | Stores your light/dark theme preference | Persistent |
Our self-hosted Plausible analytics installation does not use cookies or persistent client-side identifiers. You can clear local storage at any time through your browser settings.
Analytics
We run a self-hosted instance of the open-source Plausible Analytics software on our own infrastructure. Analytics data is not shared with Plausible Insights OÜ or any other third party.
Our analytics installation collects only an aggregate visitor count and is configured to be cookie-free. It does not create user profiles, does not track individuals across sessions, and does not use device fingerprinting. IP addresses are processed transiently to derive the visitor count and are not written to persistent storage.
Data Retention
Our service is designed to be ephemeral by nature:
- Poker rooms expire automatically 24 hours after creation.
- Player data (display names, votes) is cascade-deleted when the room expires.
- IP addresses used for rate limiting are held in-memory only and are never written to persistent storage.
We do not maintain long-term user profiles, browsing histories, or activity logs.
Infrastructure & Hosting
We operate our own infrastructure rather than relying on commercial cloud or SaaS providers. The platform is powered by the following open-source software, all of which we host ourselves:
- Supabase (self-hosted) — Open-source software used for our database, anonymous authentication, and real-time communication. The Supabase company has no access to our data.
- Plausible Analytics (self-hosted) — Open-source software used to produce an aggregate visitor count. Plausible Insights OÜ has no access to our data.
Your data is processed entirely on infrastructure under our direct control and is not transferred to third parties for any purpose. We do not sell, rent, or share your data.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your data:
- Right to Access — Request information about what data we hold about you.
- Right to Deletion — Request deletion of your data. Note that all room and player data is automatically deleted within 24 hours.
- Right to Opt Out — Our analytics provider (Plausible) does not use cookies and does not track individual users. You can block the analytics script using any ad blocker or browser privacy extension.
- Right to Portability — Request a copy of your data in a portable format.
- Right to Lodge a Complaint — If you are in the EU, UK, or EEA, you have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been infringed.
- Right to Withdraw Consent / Object — Where processing is based on consent or legitimate interest, you may withdraw consent or object to processing at any time.
We do not engage in automated decision-making or profiling within the meaning of GDPR Art. 22.
Because we collect minimal, anonymous data that auto-deletes within 24 hours, most data subject requests are satisfied automatically by the design of our service. For any specific requests, please contact us using the information below.
Security
We implement multiple layers of security to protect the service and your data:
- Row-Level Security (RLS) — Database policies ensure users can only access and modify their own data.
- Rate Limiting — API-level (5 requests per minute per IP) and database-level (10 rooms per hour per user) limits prevent abuse.
- Anti-Bot Protection — Honeypot fields and form timing validation prevent automated abuse.
- Vote Masking — During voting rounds, other participants' votes are hidden until the facilitator reveals them.
- Encrypted Connections — All data is transmitted over HTTPS/WSS encrypted connections.
Children's Privacy
Our service is not directed at children under the age of 13. We do not knowingly collect personal information from children. Because our service requires no personal identifying information to use, the risk of inadvertent collection of children's data is minimal.
If we become aware that data associated with a child under 13 has been collected, it will be automatically deleted within the standard 24-hour data retention window.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. Any changes will be reflected by an updated “Effective” date at the top of this page.
Your continued use of the service after changes are posted constitutes your acceptance of the updated policy.
For privacy inquiries, please contact us at [email protected]
We will make reasonable efforts to respond in a timely manner.