Legal
Privacy policy
Last updated 5 July 2026Pointing is free forever and needs no account to plan. We collect as little as possible, and this page lays out exactly what that means: what we hold, which cookies we set, how long we keep things, your rights, and who processes your data.What we collect
Only what a room needs to run — nothing sold, nothing extra.- Anonymous session IDA signed anon_id cookie holding an opaque random ID — HttpOnly, Secure, SameSite=Lax, and HMAC-signed. It carries no email, name, or IP, and is set on your first room so you can rejoin without an account.
- Ephemeral room stateWhile a room is live we hold its state in memory (Upstash Redis): the join code, mode, chosen deck, and each participant's display name and role. Hidden votes are stored server-side only and deleted the moment a round is revealed. Anonymous rooms write nothing to our database.
- Optional account dataOnly if you choose to create an account: Clerk handles sign-in and we store your name, email, and avatar (from your sign-in provider) in our database. No account is ever required to plan.
- Donation recordsIf you donate, Stripe processes the payment. We keep a donation record — including the donor email Stripe returns — for receipts and accounting.
- Abuse-prevention signalsTo rate-limit creating, joining, and voting we count requests against your IP in a short-lived counter. That IP is never written to our database and never logged in clear text — the counter expires within the rate-limit window.
Cookies
Essential (always on, exempt from consent)
The anon_id session cookie and, if you sign in, the Clerk session cookie. Both are needed to run a room and carry no marketing use.Analytics & attribution (only with your consent)
First-party product analytics and future donation-attribution cookies run only after you accept them in the cookie banner. Change your choice at any time:How long we keep it
Anonymous data self-destructs; you control everything else.- Anonymous roomsAnonymous rooms and their anon_id cookie expire 7 days after creation. After that the room state is deleted and is unrecoverable.
- Hidden votesDeleted the instant a round is revealed — never persisted.
- Rate-limit countersThe per-IP abuse counter expires within the rate-limit window (seconds).
- Registered account dataKept until you delete it. Team and organisation retention windows are configurable for workspaces (on the roadmap).
- DonationsRetained as financial records for accounting and tax obligations, and anonymised when you delete your account.
Your rights
Access, export, correction, and erasure — exercised from your account settings, no request form required.- Access & exportDownload everything tied to your account — sessions you own, your participation and votes, donations, and memberships — as one JSON file.Export your data in Settings
- ErasurePermanently delete your account and personal data. This removes your Clerk sign-in and anonymises your Stripe donor record.Delete your account in Settings
- RectificationYour profile name and photo come from your sign-in provider — update them there and they refresh across Pointing.
- Cookie choicesAccept or reject non-essential cookies at any time. Essential cookies always stay on so a room keeps working.
- Using Pointing anonymouslyThere's nothing to export or erase — anonymous data isn't tied to you and auto-expires within 7 days.
Who processes your data
The third parties Pointing relies on, and what each one touches.- ClerkAuthentication for registered users. Name, email, and avatar from your chosen sign-in provider.
- NeonOur Postgres database. Registered accounts, saved sessions, and donation records.
- UpstashIn-memory store (Redis). Ephemeral anonymous room state and short-lived rate-limit counters.
- StripeDonation payments. Donor email and payment details for one-time and recurring donations.
- VercelApplication hosting and delivery. Serves the app and keeps standard operational request logs.
Contact
Questions about your privacy, or want to make a data request? Email us at privacy@pointing.dev.