Sign up Login

Privacy Policy

Last updated: 29 May 2026

Scrum Poker Online is a planning-poker tool for agile teams, run by a two-person team based in Switzerland. We keep this policy short and honest. If anything is unclear, drop us a line: scrumpoker.online@gmail.com.

1. Controller

The controller responsible for processing under the GDPR and the Swiss Federal Act on Data Protection (FADP) is:

Petersen Software
Goldbacherstrasse 38
8700 Küsnacht, Switzerland
Email: scrumpoker.online@gmail.com
Website: scrumpoker-online.org

2. What data we process and when

2.1 When you visit the website

When you access scrumpoker-online.org, we process the technical information your browser sends automatically: IP address, date and time, browser type, operating system, the page you requested, and the referring URL. We need this data to deliver the site, defend against attacks, and diagnose errors. Legal basis: our legitimate interest (Art. 6(1)(f) GDPR). Server logs are automatically deleted after 30 days.

2.2 When you create or join a planning-poker room

You can create or join rooms without an account. We then process the data you enter yourself: a display name, the votes you cast, and — if added by the moderator — user stories or estimation items. This data is visible to all participants in the room. Rooms are stored temporarily in the Firebase Realtime Database and are automatically deleted after 30 days of inactivity. Legal basis: performance of the service you requested (Art. 6(1)(b) GDPR).

2.3 When you create an account

An account is optional and enables features like personal card decks and saved room settings. If you create one, we store, depending on your sign-up method: email address and password hash (email registration), or the basic data passed by the sign-in provider, such as name and email (sign-in with Google, Facebook, Twitter, or GitHub). Anonymous sessions are also possible — in that case we issue only a technical identifier and collect no personal data. Passwords are stored only as salted hashes; we cannot see them in plaintext.

2.4 When you write to us

If you contact us by email (for support or feedback), we keep the conversation so we can reply, and delete it after no more than 24 months — unless legal retention obligations require otherwise.

3. Where your data is processed — and why we use US infrastructure despite our Swiss base

We are a Swiss team, but technically we run Scrum Poker Online on Google Firebase (hosting, authentication, realtime database, cloud functions). Firebase is a service provided by Google LLC (USA), operated through Google Cloud EMEA Limited (Ireland). In practical terms: your room and account data sits primarily in Google data centers within the EU, but access by US authorities under the US CLOUD Act cannot be legally ruled out.

We use Firebase because, as a small team, it lets us run a reliable, scalable service without operating our own server infrastructure. A fully Swiss or European alternative is currently not economically viable for us — we'd rather say that openly than hide behind a "Swiss Made" label and suggest a level of data sovereignty that doesn't actually exist.

The legal basis for the transfer to the US or to US affiliates is the EU Standard Contractual Clauses under Art. 46(2)(c) GDPR (see Google Cloud Data Processing Addendum) and the EU-US Data Privacy Framework.

4. Third-party services

4.1 Google Analytics 4

We use Google Analytics 4 (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin, Ireland) to understand which content on our site and which tool features are in demand. We anonymize IP addresses, use neither Google Signals nor User-IDs, and run no ads through GA4. The cookies GA4 sets are functional cookies. Retention: 14 months. You can object to tracking via the Google Analytics opt-out add-on or your browser settings. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

4.2 Sign-in providers (OAuth)

If you choose to sign in to Scrum Poker Online via Google, Facebook, Twitter, or GitHub, the provider in question passes the basic data needed for sign-in to us (typically: email and name). At the same time, the provider learns that you signed in to Scrum Poker Online. This data flow only happens once you actively click the corresponding sign-in button — as long as you don't use these buttons, no data flows to these providers. Privacy policies:

5. What we don't do

  • We do not run a Facebook Pixel, Meta Conversion Tracking, or LinkedIn Insight Tag. Facebook is integrated exclusively as an optional sign-in provider (see 4.2).
  • We do not sell your data — neither room data, nor email addresses, nor behavioral profiles.
  • We do not build advertising profiles based on your use of Scrum Poker Online.
  • We do not share data with other planning-poker tools or Jira/Confluence hosts, unless you actively initiate it via a future integration.

6. Cookies and local storage

  • Necessary cookies / local storage: to keep you signed in and to make your room session work technically. Cannot be turned off.
  • Analytics cookies (Google Analytics 4): see 4.1. Can be blocked via your browser.

7. Your rights (EU, EEA, Switzerland, UK)

If you reside in the EU, EEA, Switzerland, or the UK, you have the following rights vis-à-vis us under the GDPR or FADP:

  • Access to the personal data we hold about you (Art. 15 GDPR);
  • Rectification of inaccurate data (Art. 16 GDPR);
  • Erasure of your data ("right to be forgotten", Art. 17 GDPR);
  • Restriction of processing (Art. 18 GDPR);
  • Data portability (Art. 20 GDPR);
  • Objection to processing based on legitimate interest (Art. 21 GDPR);
  • Withdrawal of consent with effect for the future (Art. 7(3) GDPR);
  • Complaint to a supervisory authority (Art. 77 GDPR). UK: ICO. Switzerland: FDPIC.

Simply email us at scrumpoker.online@gmail.com — we respond within 30 days.

8. Your rights (US residents)

If you are a resident of a US state with a comprehensive consumer-privacy law — including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana, Delaware, Iowa, Tennessee, and others — you have, broadly, the following rights regarding personal information we have collected about you in the previous 12 months:

  • Right to know / access: request the categories and specific pieces of personal information we have collected.
  • Right to delete: request that we delete the personal information we have collected from you, subject to legal exceptions.
  • Right to correct: request that we correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information for cross-context behavioral advertising as those terms are defined under US state laws. No opt-out is required because there is nothing to opt out of.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for the purpose of inferring characteristics about you.
  • Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
  • California "Shine the Light" (Cal. Civ. Code § 1798.83): we do not disclose personal information to third parties for their direct marketing purposes.

To exercise any of these rights, email scrumpoker.online@gmail.com. We may need to verify your identity. You may also designate an authorized agent to make a request on your behalf.

We do not have actual knowledge of selling or sharing the personal information of consumers under 16 years of age.

9. Retention

  • Server logs: 30 days
  • Room data (sessions, votes, stories): until 30 days of inactivity, then automatic deletion
  • Account data: as long as you have an account, or up to 30 days after account deletion
  • Support conversations: max. 24 months
  • Google Analytics: 14 months

10. Data security

Scrum Poker Online is served exclusively over HTTPS. Passwords are stored as hashes. Database access is restricted via Firebase Security Rules so that each room can only be read and edited by its participants. Despite technical and organizational safeguards, no internet-based service can guarantee 100% security.

11. Changes to this policy

If our services or the legal landscape change, we update this policy. The date of the most recent update is shown at the top.

12. Contact

Privacy questions? Email us: scrumpoker.online@gmail.com.