Privacy Policy

Last updated: 2026-05-27

This policy describes how Pokefin handles personal data. Pokefin is operated as a personal project; the operator is the data controller for the purposes of GDPR / UK GDPR. The legal basis for processing is your consent and the performance of the service you signed up for.

Data we collect

• Account data: your email address, an optional username, and an encrypted password (managed by Supabase Auth).
• Portfolio data: products you add to your portfolio, quantities, purchase prices and dates, and any free-form notes you choose to write.
• Box-calculator data: recipes you save, including their names and pack compositions.
• Operational data: timestamps of authentication events (signup, password change, account deletion) in an audit log accessible only to the operator.

What we do not collect

• No advertising or third-party analytics cookies.
• No payment information; the service is free.
• No tracking across other websites.

How we use it

Personal data is used solely to operate the service: authenticate you, render your portfolio, calculate values, and provide the box calculator. Aggregated, non-identifiable usage data may be used to improve the application.

Sub-processors

• Supabase (database, authentication, file storage).
• Vercel (hosting, edge functions, application logs).
• Cloudflare Turnstile (bot protection on signup and login).
• Sentry (error reporting, when configured; PII is scrubbed before events leave the server).

Retention

Personal data is retained for as long as your account exists. When you delete your account, all per-user rows (profile, portfolios, holdings, lots, box recipes) are removed atomically. An audit log entry recording the deletion is kept indefinitely for security purposes; it contains your user id and event type, not your email or content.

Your rights

Under GDPR / UK GDPR you can:

• Access & portability — export every record we hold about you as a single JSON file from your account page.
• Rectification — edit your username and portfolio fields directly in the app.
• Erasure — delete your account from your account page; this triggers a cascading delete across all per-user tables.
• Restriction & objection — contact the operator to discuss.
• Complaint — you may lodge a complaint with your local supervisory authority.

Security

Data is transmitted over TLS, stored encrypted at rest by Supabase, and isolated per-user by Postgres row-level security. Sessions are held in HttpOnly, SameSite=Lax cookies and rotated on every request. Destructive endpoints require an origin allowlist and a custom request header to defeat CSRF.

Contact

For privacy questions, reach the operator via the contact channel listed on the Pokefin GitHub repository.