Security & data
How Pokor handles authentication, payments, and your integration data. For legal specifics, see the privacy policy and terms of service.
No password storage
Auth via one-time email codes or OAuth providers. We never hold your password.
Stripe for payments
Card numbers never touch Pokor servers. Stripe handles billing end-to-end.
Encrypted transport
Every connection uses TLS. Integration tokens are encrypted at rest.
Anonymous data deletion
Sign out as a guest and the session token + related data are wiped.
Scoped integrations
Pokor only reads the Jira / Notion / GitHub items you explicitly select.
Hosted in Europe
All infrastructure runs in the EU. See the privacy policy for details.
Authentication
Pokor does not store passwords. You sign in with a one-time email code or via a third-party provider (Google, GitHub, Atlassian, Notion, Discord, or Microsoft). One-time codes are ephemeral and deleted after use. OAuth tokens from integration providers are stored encrypted at rest and used only for the scopes you authorized.
Integration data
For Jira, Notion, and GitHub, Pokor reads only the issues, pages, or databases you explicitly select when importing. No continuous background sync and no cached backlog copies; Jira and GitHub write-back only runs when an organizer enables estimate sync for a session. CSV imports are parsed client-side — only the rows you pick reach Pokor servers. Slack and Discord bots only see the channels where you invoke /pokor.
Payments
All billing is handled by Stripe. Pokor never receives or stores card numbers, CVCs, or bank details. We hold a Stripe customer ID, your subscription interval, and lifecycle timestamps — nothing more.
Anonymous data
Guest participation uses a random token (no email, no account). Signing out as a guest deletes the related cookie and session data linked to that token.
Transport & hosting
All connections are encrypted. Infrastructure is hosted in Europe. Ephemeral state — such as pending join requests — expires automatically after 5 minutes.
Compliance & posture
We're a small team and we try not to overclaim. Here's where we actually stand today.
- GDPR support: EU hosting, a Data Processing Addendum you can sign, and a sub-processor list kept current.
- Encryption everywhere: TLS in transit on every connection, integration OAuth tokens encrypted at rest.
- Breach notification: 72-hour customer notification commitment in our DPA.
Data Processing Addendum
Our DPA covers GDPR processor obligations, sub-processors, breach notification, and international transfers. Review it, sign it, and email it back to [email protected].
Download DPA
Service status
Current uptime and any active incidents are on the Pokor status page.
Reporting a security issue
Found something that looks off? Email [email protected] with the details. We respond to every report.