Privacy Policy

Last updated: 2026-05-10

This Privacy Policy explains how Verbas (“we”, “us”, or “our”) collects, uses, and protects information when you use Pocket Kings at pocketkings.app. We operate under UK GDPR and the UK Data Protection Act 2018.

1. What We Collect

We collect the minimum data necessary to operate the Service:

  • Email address: used to create and identify your account, and to send one-time login codes, password reset links, and service notifications.
  • Password (hashed): stored as a bcrypt hash by Supabase Auth. We never see or store your plaintext password.
  • Tournament data: games, blind structures, player names, buy-ins, results, and eliminations that you enter while using the Service.
  • Player photos: if you are on the Pro plan and choose to upload them. Photos are stored in Supabase Storage and are only visible within your own games.
  • Stripe customer ID and subscription metadata: if you subscribe to the Pro plan. This includes your subscription status and billing period. We do not store payment card details; those are held exclusively by Stripe.

We do not collect any data beyond what is listed above. We do not use tracking pixels, analytics SDKs, or third-party advertising tags.

2. How We Use Your Data

We use the data we collect for the following purposes:

  • To provide and operate the Service, including storing your tournament data and serving it back to you.
  • To authenticate you and maintain your session securely.
  • To send transactional emails: one-time login codes, password reset links, and payment receipts or subscription notifications from Stripe.
  • To enforce plan limits and manage your subscription.
  • To detect abuse, prevent fraud, and maintain the security of the Service.

We do not sell your data, share it with advertisers, or use it for any purpose other than those listed above.

3. Subprocessors

We use the following third-party services to operate Pocket Kings:

  • Supabase: database, authentication, and file storage. Our Supabase project is hosted in the EU region. Supabase processes your account data and all tournament data you create.
  • Stripe: payment processing. If you subscribe to the Pro plan, Stripe processes your payment information and stores your card details. Stripe is PCI-DSS compliant. We receive only a customer reference ID and subscription metadata from Stripe.

Both subprocessors are bound by data processing agreements and are required to process data only on our instructions.

4. Cookies

We use a single session cookie to keep you logged in. This cookie is set by Supabase Auth and contains an encrypted session token. It is strictly necessary for the Service to function.

We do not use marketing cookies, tracking cookies, or any third-party analytics cookies. No cookie consent banner is shown because we only set the one strictly necessary cookie described above.

5. Data Retention

Your data is retained for as long as your account is active. If you wish to have your account and all associated data deleted, please email us at info@verbas.io with the subject line “Account deletion request”. We will process the request within 30 days and confirm once complete.

Where we are required by law to retain certain records (for example, financial records for tax purposes), we will retain only the minimum necessary for the required period.

6. Your Rights Under UK GDPR

Under UK GDPR you have the following rights regarding your personal data:

  • Right of access: you can request a copy of the personal data we hold about you.
  • Right to rectification: you can ask us to correct inaccurate data.
  • Right to erasure: you can ask us to delete your personal data, subject to any legal obligations we may have to retain it.
  • Right to data portability: you can ask us to provide your data in a structured, commonly used, machine-readable format.
  • Right to object: you can object to our processing of your personal data in certain circumstances.

To exercise any of these rights, email info@verbas.io. We will respond within one calendar month. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Children

The Service is not directed at, and is not intended for use by, anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will delete it promptly. If you believe a child has registered an account, please contact us at info@verbas.io.

8. International Data Transfers

Your tournament and account data is stored by Supabase in the EU, which provides data protection equivalent to that of the UK.

Stripe is headquartered in the United States. Where Stripe transfers personal data outside the UK, it does so under the UK's International Data Transfer Agreement or equivalent Standard Contractual Clauses, ensuring your data receives an adequate level of protection.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email before they take effect. The current version is always available at pocketkings.app/privacy with the date it was last updated.

10. Contact

For any questions or concerns about this Privacy Policy or how we handle your data, please contact us at info@verbas.io.