Privacy Policy

Last updated: March 2026

Sprint Poker Online ("we", "us", or "our") is a real-time Scrum planning poker application. This policy explains what personal data we collect, how we use it, and your rights under GDPR and applicable privacy laws.

1. Who We Are (Data Controller)

For the purposes of GDPR, the data controller is the operator of this Sprint Poker Online instance. Contact information is available in the repository's README or via the GitHub repository page.

2. Data We Collect

Account Data

Data | Purpose | Legal basis
Email address | Authentication, password reset | Contract (Art. 6(1)(b))
Display name | Shown to room participants | Contract
Password hash (bcrypt) | Authentication | Contract
Google ID / avatar URL | Google OAuth login | Contract
Account creation timestamp | Record-keeping | Legitimate interest

Room & Voting Data

Data | Purpose | Legal basis
Room name, join code, settings | Room management | Contract
Story point votes per round | Core product functionality | Contract
Voting history (aggregated stats) | Historical reporting | Contract
Active Jira issue reference | Sprint planning | Contract

Technical Data

Data | Purpose | Legal basis
IP address | Rate limiting, security | Legitimate interest
Refresh token hash | Session management | Contract
Password reset token hash | Account recovery | Contract
WebSocket session data (Redis, TTL 24h) | Real-time features | Contract

3. Data We Do NOT Collect

  • We do not collect payment information
  • We do not use advertising cookies or third-party trackers
  • We do not sell personal data to any third party
  • We do not perform profiling or automated decision-making

4. How Long We Keep Your Data

Data | Retention period
Account data | Until account deletion
Room and vote data | Until the room is deleted or archived (inactive rooms archived after 30 days by default)
Refresh tokens | 7 days, or until revoked
Password reset tokens | 1 hour, or until used
Jira OAuth tokens | Until you disconnect your Jira account
Live voting state (Redis) | 24 hours TTL
Server logs | 30 days (configurable)

5. Data Sharing

We share personal data only in these circumstances:

  • Jira / Atlassian: When you connect your Jira account, we send your story point estimates to Atlassian's API on your explicit request. Atlassian's privacy policy applies to that data.
  • Infrastructure providers: Hosting, database, and Redis providers process data as data processors under data processing agreements.
  • Legal requirements: We may disclose data if required by law or to protect the rights, property, or safety of users.

We do not share data with any other third parties.

6. Your Rights (GDPR)

If you are in the European Economic Area, you have the following rights:

Right | How to exercise
Access – request a copy of your data | Email the data controller
Rectification – correct inaccurate data | Update your profile in-app or email us
Erasure ("right to be forgotten") – delete your account and all associated data | Use the "Delete Account" option in your profile settings, or email us
Portability – receive your data in a machine-readable format | Email the data controller
Restriction – limit processing of your data | Email the data controller
Objection – object to processing based on legitimate interest | Email the data controller
Withdraw consent – for Jira integration | Disconnect Jira in your account settings

Requests will be fulfilled within 30 days. We may need to verify your identity before acting on a request.

You also have the right to lodge a complaint with your national data protection authority (e.g. the ICO in the UK, or your EU member state's supervisory authority).

7. Account Deletion & Right to be Forgotten

Deleting your account from the Profile page immediately:

  1. Deletes your user record and all associated personal data
  2. Revokes all active sessions and refresh tokens
  3. Removes your participation records from all rooms
  4. Cascades to delete your votes and Jira connection

Room data (names, voting history) may persist if you were a participant but not the owner, as it belongs to the room. Room owners can delete the entire room including all voting history.

8. Security Measures

We implement appropriate technical and organisational measures to protect your data, including:

  • bcrypt password hashing (cost factor 12)
  • AES-256-GCM encryption for third-party OAuth tokens
  • SHA-256 hashing for refresh and reset tokens
  • HTTPS-only communication in production
  • Account lockout after repeated failed login attempts
  • Rate limiting on all authentication endpoints
  • Input validation and sanitisation on all user-supplied data

For a detailed security overview, see our Security Policy.

9. Cookies

Cookie | Purpose | Duration
google_oauth_state | CSRF protection during Google OAuth flow | 10 minutes

We do not use cookies for tracking or advertising. Authentication tokens are stored in the browser's localStorage.

10. International Transfers

If this service is hosted outside your country, your data may be transferred internationally. We ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses) when transferring data outside the EEA.

11. Changes to This Policy

We will notify users of material changes to this policy via a notice in the application. The "Last updated" date at the top of this document will always reflect the most recent revision.

12. Contact

For privacy-related requests or questions, contact the data controller via the information provided in the repository README or GitHub profile.

© 2025 Sprint Poker Online