.hrcz) and hand-history text you send us. Stored as files on the same server, tied to your account.Email (verification codes, password reset) is sent through Gmail SMTP using our own authenticated account. Nothing else leaves our server.
Hand histories from poker sites include screen names of other players. We process that data only to display statistics back to you and anyone you share with. We do not build a cross-user player database, do not sell stat data, and do not surface nicknames to users outside the share/group relationship.
You can delete individual hands from the library. Ask the maintainer directly if you want the full account removed — we wipe your user row, sessions, uploads, share records, and group memberships.
Passwords are bcrypt-hashed. Sessions are server-side tokens that can be revoked instantly. Rate limits sit on login, signup, password reset, uploads, and group-join. During the beta the app runs over HTTP on a private IP known only to invited testers — public HTTPS rollout is planned before open signup.
We keep rolling daily backups of the database and uploads on the same server, retained for 7 days. They exist to recover from a bug or accidental delete — not as a long-term archive.
Privacy questions go to the maintainer's inbox provided at invite time.