Privacy Policy

Last updated: 4 July 2026

This policy explains what personal data we collect when you use PokerGTO Pro, why we collect it, how long we keep it, and the rights the EU General Data Protection Regulation (GDPR) gives you. The binding German version is available at /datenschutz.

1. Data controller

The controller of your personal data within the meaning of Art. 4(7) GDPR is Adriano Zuccala (Provider details will be completed before the start of sales.). You can reach us at adriano.zuccala.hh@gmail.com.

2. Data we collect

  • Account data — email, password hash (bcrypt, cost 12), optional display name, and account creation / last login timestamps.
  • Profile data — the self-reported game format, stakes level, and study goals you enter during onboarding.
  • Usage data — pages visited, ranges you studied, equity queries you ran, and every quiz question + answer (used to compute your accuracy and surface weak spots).
  • Billing data (Pro) — payment card details are handled exclusively by Stripe; we never see or store them. We store the Stripe customer + subscription IDs and a record of successful/failed charges (amount, currency, date).
  • Technical logs — IP address and user-agent string for each login, retained for 30 days to detect abuse.

3. Purposes and legal bases

  • Provide the service (account, quiz engine, range viewer): Art. 6(1)(b) GDPR — performance of a contract.
  • Take payment for Pro: Art. 6(1)(b) — performance of a contract; retention of invoices: Art. 6(1)(c) — legal obligation (§147 AO).
  • Security logging and fraud prevention: Art. 6(1)(f) — legitimate interest in running a secure product.
  • Marketing emails / waitlist: Art. 6(1)(a) — your explicit consent when you signed up; you can withdraw it at any time.

4. Who we share data with (processors)

We use the following sub-processors under Art. 28 GDPR:

  • Stripe Payments Europe, Ltd. (Ireland) — payment processing. Stripe is GDPR-compliant and transfers card data to the US under Standard Contractual Clauses.
  • Resend (USA) — transactional email (email verification, welcome, Pro upgrade, password reset). Only your email address is transmitted; the US transfer is covered by Standard Contractual Clauses.
  • PostHog Inc. (EU region, eu.i.posthog.com) — product analytics. Loads only after you consent via the cookie banner; IP addresses are anonymised before storage.
  • Sentry (Functional Software, Inc.) (USA) — error tracking. Receives stack traces and request metadata; for logged-in users additionally the account ID and email address so we can attribute and reproduce reported errors. The US transfer is covered by Standard Contractual Clauses.

The application and its database run on a self-managed server in Germany. No transfer outside the EEA takes place for account data beyond the processors listed above.

We do not sell your data. We do not share it with advertising networks.

5. Your rights

Under Articles 15–22 GDPR you have the right to:

  • Access the data we hold about you (Art. 15).
  • Rectify inaccurate data (Art. 16).
  • Erasure (“right to be forgotten”, Art. 17) — use the Delete account button in Settings, or email us. We soft-delete the account, anonymise the email, and revoke all sessions within 24 hours.
  • Portability (Art. 20) — export your data in a machine-readable format. Email us to request it.
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent you gave for marketing emails (Art. 7(3)) at any time — unsubscribe link in every email.

6. Retention

  • Account data — until you delete the account.
  • Billing records — 10 years, as required by German tax law (§147 AO).
  • Technical logs — 30 days.
  • Waitlist emails — until you unsubscribe.

7. International transfers

Primary storage is on a server in Germany. Stripe processes payment data and Resend processes email addresses in the US under Standard Contractual Clauses and adequacy decisions approved by the European Commission. No other transfers outside the EEA are made.

8. Cookies

Strictly necessary cookies — the HttpOnly refresh-token cookie that keeps you signed in — are always set and require no consent under Art. 5(3) ePrivacy.

If you opt in via our cookie banner (“Alle akzeptieren”), we additionally load PostHog for product analytics, to see which anonymous events (e.g. a range was opened, a quiz answered) you trigger while using the app. We use this to understand how the product is used and spot bugs. You can withdraw consent at any time by clearing cookie_consent in your browser’s local storage.

9. Supervisory authority

You have the right to complain to a data-protection authority. For users in Germany, the competent authority is the data protection commissioner of the federal state where we are registered (see bfdi.bund.de).

10. Changes to this policy

We will post any change to this policy on this page and, for material changes, notify registered users by email at least 14 days before the change takes effect.