Privacy Policy

Last updated: May 26, 2026

Poker Republic ("we", "the app") is a private group-management app for tracking home poker nights. This page explains exactly what data we collect, how it's used, and your rights over it.

What we collect

Account identity — your email address, display name, and authentication provider (Google or Apple), via Firebase Authentication.
Profile information you enter — display name, optional phone number (used for WhatsApp event notifications), profile picture.
Group + game data — group names, event details, RSVPs, game results (buy-in, profit), poll responses, and notification messages you create.
Push notification tokens — the FCM token your device generates so we can send event notifications.
Age verification — on first sign-in we ask for your date of birth to confirm you are at least 18 years old. We store only your year of birth (not the full date) plus the timestamp of when the check succeeded. If you indicate you are under 18, your account is deleted immediately and no birth-related data is retained.

We do not collect: precise location, payment information, contacts, browsing history, advertising identifiers, microphone/camera audio, or biometric data. The app does not run any third-party analytics, advertising, or tracking SDKs.

How we use it

To run the core app — show you your groups, events, leaderboards, and notifications.
To send push notifications about events you're invited to or RSVP'd for.
To enforce abuse and security rules (e.g., rate-limiting suspicious activity).

We do not sell, rent, share, or trade your personal information with advertisers, data brokers, or any third party for marketing purposes. We do not use your data for cross-context behavioral advertising.

Where it's stored

Your data is stored on Google Cloud (Firebase) servers in the United States. Group and event data is private to the members of that specific group; users in other groups cannot see your data. Firebase's own privacy practices are documented at firebase.google.com/support/privacy.

Who can see your data

Members of the same group — can see your display name, avatar, and event/game stats within that group.
Group admins — can manage member status, events, and seasons within their own group.
The app operator (a single super-admin account) — has access to all data for support and abuse-handling purposes.
No third party other than Google Cloud / Firebase as our infrastructure provider.

Your rights

Universal rights

Access and correction — open the Profile page in the app to view or update your information.
Deletion — Profile → "Delete account" permanently removes your account, profile, game results, and push tokens. This action is irreversible. If you are the sole admin of a group with other members, the app will ask you to either transfer admin to another member or delete the group first — this prevents accidentally orphaning other people's data. If you cannot access the app (you've uninstalled it, lost the device, or otherwise can't sign in), email support@poker-republic.com from the address on your account with the subject line "Delete my account." We will verify your identity by replying to that email and complete the deletion within 30 days. The data removed in either path is identical: account record, profile, game results, group memberships, and push notification tokens.
Data export (portability) — Profile → "Download my data" produces a JSON file containing your account data and game history. You can use this file with any compatible service.
Group exit — Profile → Leave for any group removes your membership.
Push opt-out — disable notifications in your device's settings.

If you are in California (CCPA / CPRA)

In addition to the universal rights above, California residents have the following statutory rights:

Right to know what personal information we have collected about you and how we use it. Everything is enumerated in the "What we collect" and "How we use it" sections above.
Right to delete your personal information. Use the in-app delete-account flow, or email us.
Right to correct inaccurate personal information. Use the in-app profile page, or email us.
Right to opt out of sale or sharing of your personal information. We do not sell or share personal information. There is no opt-out to enable because the underlying activity does not occur. If we ever change this, we will update the policy and surface an in-app notice before any change takes effect.
Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA (precise geolocation, racial/ethnic origin, religion, biometrics, etc.).
Right to non-discrimination for exercising any of the above. We will not deny service, charge different prices, or degrade quality based on your exercise of these rights.

To exercise any of these rights, use the in-app tools or email the address at the bottom of this page. We will respond within 45 days. We honor Global Privacy Control (GPC) browser signals where they apply.

If you are in the European Economic Area, UK, or Switzerland (GDPR / UK GDPR)

Our legal basis for processing your personal data is:

Performance of a contract (GDPR Art. 6(1)(b)) — to provide the service you signed up for.
Legitimate interests (Art. 6(1)(f)) — to keep the service secure and prevent abuse.
Consent (Art. 6(1)(a)) — for push notifications (you grant via your device).

You have the right to:

Access your personal data (Art. 15) — use the in-app "Download my data" tool.
Rectify inaccurate data (Art. 16) — use the in-app profile page.
Erasure / "right to be forgotten" (Art. 17) — use the in-app delete-account flow.
Restrict processing (Art. 18) — email us.
Data portability (Art. 20) — use the in-app "Download my data" tool to receive a structured JSON.
Object to processing (Art. 21) — email us.
Withdraw consent at any time, where consent is the legal basis.
Lodge a complaint with your national supervisory authority.

We do not transfer your personal data outside the EEA except to our cloud-infrastructure provider (Google LLC, United States), which operates under Standard Contractual Clauses approved by the European Commission.

The data controller is the individual operator of Poker Republic, contactable at the email below.

Data retention

We retain your personal data for as long as your account is active.

What happens when you delete your account

Account deletion runs immediately, not after 30 days. The flow is:

Fully deleted — your profile (name, email, avatar, phone number, year of birth, all preferences), your group memberships, your push-notification tokens, and your Firebase Authentication identity. Nothing identifiable about you remains.
Anonymized but kept — the rows recording the games you played and your placement / buy-in / cash-out in those games. Your display name on those rows is replaced with a stable opaque tag (e.g. Past player A3F2) and your avatar URL is removed. The same tag is used across every game you played, so a reader can tell "the unknown player in game A is the same person as the unknown player in game B" without learning who you were.

We do this because the alternative — wiping the game records entirely — would damage the historical accuracy of stats for the other members of the groups you played in. They have a legitimate interest in their own honest history (who they played against, what the pot was, who won), and GDPR Article 17(3) recognizes that interest as a permissible carve-out from full erasure. The records that remain are no longer linked to a person; they are records about a game that happened.

If you want even the anonymized rows removed (for example, the rows themselves embarrass you somehow), email the address at the bottom of this page and explain. We will consider the request and respond within 30 days.

What happens when you leave a group (without deleting your account)

You're removed from the group's member list. Your existing game results in that group are kept as-is, with your real display name attached — because you're still a Poker Republic user, those records still describe you. If you rejoin the same group later, your history reconnects naturally. If you want to fully delete your account, use the in-app delete flow (or email us); the anonymization above kicks in then.

What happens when a group is empty or its admin leaves

If you are the sole admin of a group with other members, the app blocks account deletion until you either transfer admin to another member or remove the other members. This is to avoid orphaning a group that other people are actively using. If you are the only member of a group, deleting your account also deletes the group and the events in it. If every member of a group leaves independently, the group is automatically deleted within a few minutes along with all events and game records in it.

Security

Data in transit is encrypted with TLS. Data at rest is encrypted by Google Cloud. Access to your data is restricted by Firestore security rules to members of your group(s). If you discover a security vulnerability, please report it via our security.txt contact.

If a breach happens

If we become aware of a personal data breach that poses a risk to you, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33.
Notify you directly, by email, if the breach is likely to result in a high risk to your rights — for example, exposure of account credentials or contact information in a way that could enable phishing.
Tell you what happened, what data was affected, what we've done, and what you should do.

We will not minimize, delay, or hide an incident. The notification timeline above is a firm commitment.

Children

Poker Republic is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect data from children. If you are a parent or guardian and believe a child under 13 has signed up, contact us at the address below and we will delete the account.

Changes to this policy

If we make material changes, we will update the "Last updated" date and surface a notice in the app before the change takes effect.

Contact

Questions, requests, or reports of abuse: support@poker-republic.com