Privacy policy
Last updated: April 27, 2026
Pokor ("we", "us", "our") operates the planning poker service at pokor.dev. This policy explains what data we collect, how we use it, and your rights, including how anonymous session data is removed when you sign out.
1. Data We Collect
Account Information (Authenticated Users)
When you sign in via email, Google, GitHub, Atlassian, Notion, Discord, or Microsoft, we receive and store:
- Your name and email address
- Your profile picture URL (OAuth sign-in only)
- Your OAuth provider ID (OAuth sign-in only)
We do not store passwords. Email sign-in uses a one-time confirmation code sent to your email address; the code is ephemeral and deleted after use or expiry. OAuth authentication is handled entirely by the respective provider (Google, GitHub, Atlassian, Notion, Discord, or Microsoft).
Email Subscriptions
If you subscribe to our newsletter (on the landing page or via Settings → Notifications), we collect your email address and store your marketing opt-in preference. For registered users this preference is stored on your account; for guests it is stored only with Brevo (see Section 4). You can unsubscribe at any time from Settings → Notifications or via the unsubscribe link in any marketing email.
Anonymous Users
You can use Pokor without creating an account. When you choose a display name, we store:
- Your chosen display name
- A random anonymous token (to identify you across page refreshes)
If you sign out as an anonymous user, we clear the related cookies and delete the anonymous participation data linked to that token.
Session & Voting Data
When you participate in planning sessions, we store:
- Session names and settings
- Story titles, descriptions, and links
- Your votes and voting history
- Final estimates and external write-back status when a Jira or GitHub story sync is enabled
- Your role in the session (organizer, voter, spectator)
Billing Information (Subscribers)
If you subscribe to the Organizer plan, payment processing is handled entirely by Stripe. We do not store your payment card information. We store:
- Your Stripe customer ID
- Subscription status and billing interval
- Subscription start and end timestamps
Slack Integration Data
If you use the Pokor Slack integration, we store:
- Slack workspace ID and name
- Slack channel ID where the session was started
- Slack user ID of the session creator
This data is used solely to link Pokor sessions to the originating Slack workspace and channel.
Discord Integration Data
If you use the Pokor Discord integration, we store:
- Discord server (guild) ID and name
- Discord channel ID where the session was started
- Discord username of the session creator
This data is used solely to link Pokor sessions to the originating Discord server and channel.
Notion Integration Data
If you connect your Notion workspace to Pokor, we access:
- Your Notion workspace ID
- Database and page titles from databases you choose to import from
- Page content (titles, descriptions) that you select for import as stories
Notion data is fetched on demand when you use the import feature and is not continuously synced. Imported story titles, descriptions, and Notion page links are stored as part of your Pokor session data. You can disconnect Notion at any time from Settings, which revokes our access to your workspace.
GitHub Integration Data
If you connect GitHub to Pokor via the GitHub App, we access:
- Your GitHub user ID and email
- Repository names and metadata from repositories where the app is installed
- Issue titles, descriptions, labels, and URLs that you select for import as stories
GitHub data is fetched on demand when you use the import feature and is not continuously synced. We store an encrypted access token and refresh token, plus your write-back preference. Imported issue titles, descriptions, labels, and GitHub issue links are stored as part of your Pokor session data. If estimate sync is enabled for a session, Pokor can write the finalized estimate back to the source issue as a comment, an estimate label, or both. You can disconnect GitHub at any time from Settings.
Jira Integration Data
If you connect Jira to Pokor, we access:
- Your Jira Cloud site ID and name
- Project names and keys from your connected Jira site
- Issue keys, summaries, descriptions, and statuses that you select for import as stories
- Jira field metadata used to choose the story points field for write-back
Jira data is fetched on demand when you use the import feature and is not continuously synced. We store an encrypted access token, refresh token, selected Jira Cloud site identifier, and selected story points field ID. Imported issue summaries, descriptions, and Jira issue links are stored as part of your Pokor session data. If estimate sync is enabled for a session, Pokor writes numeric finalized estimates back to the configured Jira story points field. You can disconnect Jira at any time from Settings.
Session Moderation Data
When a session organizer removes or bans a participant, we store:
- The banned participant's user ID (if authenticated) or anonymous token
- The participant's IP address at the time of the ban (used to prevent rejoining)
- The participant's display name at the time of the ban
- The user ID of the organizer who issued the ban
- The timestamp of the ban
When a session requires join approval, pending requests are stored temporarily (up to 10 minutes) and include the applicant's display name, requested role, and IP address. This data is automatically deleted after the request is resolved or expires.
Technical Data
Our server automatically collects:
- IP address and browser user agent (used for session security and stored with your participant record)
- Error reports including stack traces, request URLs, and browser information (sent to Sentry for debugging)
- Application performance data such as request timing and database query metrics (sent to Nightwatch for monitoring)
2. Cookies and Browser Storage We Use
We use essential cookies to run Pokor. Optional analytics and external-widget cookies or scripts only load after you accept those categories in the cookie banner. You can change your choices from the Cookie Settings link in the footer.
| Cookie | Purpose | Duration |
|---|---|---|
| pokor_cookie_consent | Remembers your cookie consent choices (analytics, external widgets). Set on the parent domain so your preference is shared between landing and app. | 1 year |
| pokor_session | Keeps you signed in | 2 hours |
| XSRF-TOKEN | Security (prevents cross-site request forgery) | 2 hours |
| anonymous_token | Identifies anonymous users | 1 year |
| anonymous_name | Remembers your display name | 1 year |
| pokor_theme | Remembers light/dark theme preference | 1 year |
| pokor_a11y | Remembers your accessibility preferences (motion, contrast, link underline, text size) | 1 year |
| ph_* | PostHog analytics, only if analytics cookies are accepted | 1 year |
| Google / Buy Me a Coffee cookies | Optional advertising or donation widgets, only if external widgets are accepted | Set by the provider |
3. How We Use Your Data
We use your data solely to provide and improve the planning poker service:
- To identify you in planning sessions
- To display your votes and session history
- To enable real-time collaboration during sessions
- To remember your preferences (theme, display name)
- To enforce session moderation (bans and join approval)
- To write finalized estimates back to Jira or GitHub when an organizer enables that feature
- To understand how the service is used and improve it, if analytics cookies are accepted
We do not sell or share your personal data with third parties for their own marketing purposes.
4. Third-Party Services
Authentication
You can sign in with your email address using a one-time confirmation code. No third-party service is involved in email authentication; the code is sent directly from our server. Alternatively, you can sign in via:
- Google OAuth — Google Privacy Policy
- GitHub OAuth — GitHub Privacy Statement
- Discord OAuth — Discord Privacy Policy
- Atlassian OAuth — Atlassian Privacy Policy
- Notion OAuth — Notion Privacy Policy
- Microsoft OAuth — Microsoft Privacy Statement
Analytics
We use PostHog for product analytics to understand how the service is used. PostHog initializes only after analytics consent. When enabled, it collects usage data such as page views, feature interactions (e.g., session creation, voting), and basic device information. Data is processed in the EU. For more details, see the PostHog Privacy Policy.
Error Tracking
We use Sentry to detect and diagnose errors. When an error occurs, Sentry may collect error details (stack traces, error messages), the request URL and method, browser and device information, and your user ID and email (if you are signed in). You may also be prompted to submit optional feedback when an error occurs. Data is processed in the EU. For more details, see the Sentry Privacy Policy.
Application Monitoring
We use Laravel Nightwatch to monitor application health and performance. Nightwatch collects request and response data, database query performance, background job execution, and application logs. This data is used solely to identify and resolve performance issues. For more details, see the Nightwatch Terms of Service.
Slack
Pokor offers an optional Slack integration that lets teams start planning poker sessions directly from Slack using the /pokor command. When you install the app, we store a bot access token (encrypted), workspace metadata, and channel/user identifiers to link sessions to your Slack workspace. For more details, see the Slack Privacy Policy.
Discord
Pokor offers an optional Discord integration that lets teams start planning poker sessions directly from Discord using the /pokor command. When the bot is added to your server, we store the server (guild) ID, channel identifiers, and the username of the session creator to link sessions to your Discord server. For more details, see the Discord Privacy Policy.
Notion
Pokor offers an optional Notion integration that lets you import stories from your Notion databases into a planning poker session. When you connect your Notion workspace, we store an encrypted access token and your workspace identifier. During import, we read database and page titles from databases you select. Imported content is stored as session stories. You can disconnect Notion at any time from Settings. For more details, see the Notion Privacy Policy.
GitHub
Pokor offers an optional GitHub integration that lets you import issues from your GitHub repositories into a planning poker session and, if enabled, write finalized estimates back as issue comments or labels. When you install the Pokor GitHub App, we store an encrypted access token, refresh token, your GitHub user ID, and your write-back preference. During import, we read repository names and issue data from repositories where the app is installed. Imported content is stored as session stories. You can disconnect GitHub at any time from Settings. For more details, see the GitHub Privacy Statement.
Jira
Pokor offers an optional Jira integration that lets you import issues from your Jira projects into a planning poker session and, if enabled, write finalized numeric estimates back to the configured story points field. When you connect Jira, we store an encrypted access token, refresh token, the identifier of your selected Jira Cloud site, and the selected story points field ID. During import, we read project names and issue data from your connected site. Imported content is stored as session stories. You can disconnect Jira at any time from Settings. For more details, see the Atlassian Privacy Policy.
Stripe (Payment Processing)
Payments for the Organizer plan are processed by Stripe. When you subscribe, Stripe receives your email address, name, and payment information. Stripe may set cookies for fraud prevention. We do not store your card details. For more details, see the Stripe Privacy Policy.
Brevo (Email Marketing)
We use Brevo to send marketing emails to users who have opted in. When you subscribe, Brevo receives your email address, name, plan tier, signup timestamp, and subscription status (opted in or out). Brevo is used solely for sending product updates and newsletters — not for transactional emails (such as billing or magic-link emails). For more details, see the Brevo Privacy Policy.
Buy Me a Coffee
We can load a Buy Me a Coffee widget for voluntary donations after you accept optional external widgets. The widget loads an external script that may collect technical data (such as your IP address and browser information). If you choose to make a donation, your payment is processed entirely by Buy Me a Coffee under their own Privacy Policy. We do not receive or store any payment details.
Advertising
We may load Google AdSense on selected public content pages after you accept optional external widgets. AdSense may process technical data and set cookies under Google's policies. We do not load AdSense on privacy, terms, contact, pricing, security, trust, status, or authenticated app pages.
The third-party services described above are used for authentication, analytics, error tracking, application monitoring, integrations, payments, donations, and optional advertising widgets.
5. Data Retention
- Sessions and votes: Stored until the session organizer deletes them or the session is removed. Sessions with no participants are automatically deleted.
- User accounts: Stored until you delete your account.
- Anonymous data: Stored until you sign out or the anonymous cookies expire. Signing out clears anonymous cookies and queues deletion of anonymous participant records and any sessions organized under that anonymous identity.
- Ban records: Stored for the lifetime of the session. When a session is deleted, all associated ban records are deleted with it.
- Billing data: Subscription records are retained for tax and legal compliance. Stripe retains payment data per their own retention policy.
- Newsletter subscription: Your email and marketing opt-in preference are retained in Brevo until you unsubscribe or delete your account. Unsubscribing updates your preference to opted-out; your contact record is removed from Brevo when you delete your account.
6. Your Rights
You have the right to:
- Access your data — view your sessions, votes, and profile information within the app.
- Export your data — use the CSV or PDF export feature for voting history.
- Delete your data — sign out to remove anonymous participant data and guest-created sessions, or delete your account to remove all associated data.
- Rectify your data — change your display name at any time.
7. Data Security
All connections to Pokor are encrypted via HTTPS/TLS. Session data is stored in a secured database. We do not store passwords.
8. Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated date.
9. Contact
If you have questions about this privacy policy or your data, please contact us at [email protected].