Privacy Policy
Last updated: April 1, 2026
This Privacy Policy explains how Pocket-Tracker ("we", "us", "the Service") collects, uses, stores, and protects your personal data in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and French data protection law (Loi Informatique et Libertés).
1. Data Controller
The data controller for the Service is the Pocket-Tracker project maintainer, based in France. For any data-related inquiries, contact us at [email protected].
2. Data We Collect
We collect the following personal data:
- Account data: Username, email address, hashed password (for email registration), or Google account ID and profile picture URL (for Google Sign-In)
- Usage data: Deck lists you import, match results and notes you record, tour completion status, supporter/donation status
- Session data: Session identifiers stored in cookies for authentication
- Technical data: IP address and user agent (for rate limiting and security purposes only — not stored long-term)
- Advertising data: When you consent to advertising cookies, Google AdSense may collect data such as your IP address, device identifiers, browsing activity, and ad interaction data to serve personalized advertisements. See Section 7 for details.
- Analytics data: When you consent to analytics cookies, Google Analytics collects anonymized usage data such as pages visited, session duration, referral source, and general geographic location. See Section 7 for details.
3. Legal Basis for Processing
We process your data based on the following legal grounds under GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service (account management, deck storage, match tracking)
- Legitimate interest (Art. 6(1)(f)): Security measures, rate limiting, and abuse prevention
- Consent (Art. 6(1)(a)): Advertising cookies, analytics cookies, and personalized ads — you may grant or withdraw consent at any time via our cookie consent banner
4. How We Use Your Data
- To create and manage your account
- To provide the Service's features (deck prediction, tracking, leaderboard)
- To send transactional emails (account verification, password reset)
- To protect the Service against abuse and unauthorized access
- To display advertisements via Google AdSense (with your consent)
We do not sell or rent your personal data to third parties. We do not use your data for profiling or automated decision-making beyond what is necessary for ad personalization (which requires your consent).
5. Data Storage and Security
Your data is stored in a SQLite database on our servers. Passwords are hashed using bcrypt and are never stored in plaintext. Sessions are stored server-side and referenced by session identifiers held in HttpOnly cookies. We implement reasonable technical and organizational measures to protect your data against unauthorized access, alteration, or destruction.
6. Data Retention
- Account data: Retained as long as your account is active. Deleted upon account deletion request.
- Session data: Automatically expired and cleaned up after 30 days of inactivity.
- Match and deck data: Retained as long as your account is active.
- Advertising cookies: Retention periods are set by Google. See Google's Advertising Policies.
7. Third-Party Services
- Google AdSense: We use Google AdSense to display advertisements. When you consent to advertising cookies, Google may collect and process data (including cookies, device identifiers, and browsing information) to serve personalized ads. You can manage your ad personalization preferences at Google Ads Settings. Google processes this data according to Google's Privacy Policy. If you do not consent, Google will serve non-personalized ads only.
- Google Analytics (GA4): We use Google Analytics to understand how visitors interact with the Service (pages visited, session duration, traffic sources). Google Analytics uses cookies and collects anonymized usage data. This data is only collected after you consent via our cookie consent banner. Google processes this data according to Google's Privacy Policy. You can opt out at any time via the consent banner or by using Google's opt-out browser add-on.
- Google Funding Choices: We use Google's Consent Management Platform (Funding Choices) to collect and manage your cookie consent in compliance with the GDPR and ePrivacy Directive. This service may set a cookie to remember your consent preferences.
- Google Sign-In: If you use Google Sign-In, Google processes your authentication data according to Google's Privacy Policy. We only receive your Google ID, email, and profile picture URL.
- Ko-fi: If you make a voluntary donation via Ko-fi, Ko-fi processes the payment. We only receive a webhook notification with your email to grant supporter status.
8. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15): Request a copy of your personal data
- Right to rectification (Art. 16): Request correction of inaccurate data
- Right to erasure (Art. 17): Request deletion of your account and all associated data
- Right to data portability (Art. 20): Request your data in a structured, machine-readable format
- Right to restriction (Art. 18): Request restriction of processing in certain circumstances
- Right to object (Art. 21): Object to processing based on legitimate interest
- Right to withdraw consent: Where processing is based on consent (including advertising cookies), you may withdraw it at any time via the cookie consent banner or by contacting us
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. International Transfers
Your data is primarily stored and processed within the European Union. Google, as a third-party advertising partner, may transfer data outside the EU. Google relies on Standard Contractual Clauses (SCCs) and other approved mechanisms for such transfers. For details, see Google's data transfer frameworks.
10. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us to request deletion.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the Service after changes constitutes acceptance.
12. Contact and Complaints
For any privacy-related questions or to exercise your rights, contact us at [email protected].
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In France, the supervisory authority is the CNIL (Commission Nationale de l'Informatique et des Libertés) — www.cnil.fr.