Privacy Policy

Last updated: July 15, 2026  ·  Effective: February 23, 2026

1. Who We Are

HandTrack ("we", "us", or "our") is a Progressive Web App (PWA) for tracking poker games among friends. The service is operated under the brand name HandTrack and is accessible at handtrack.app.

For privacy inquiries, contact us at: [email protected]

2. Data We Collect

We collect the following categories of personal data:

Category	Data	Source
Account	Phone number, email address, display name	You provide it during sign-up
Profile	Display name, profile avatar (first letter only, auto-generated)	You provide it
Game Data	Buy-in amounts, cash-out amounts, profit/loss, transfer records, game dates	You enter it during gameplay
Social	Friend connections (who you've added as a friend)	Your actions in the app
Technical	IP address, browser type, device type, language preference, session tokens	Automatically collected
Usage	Pages visited, features used, time spent (via Google Analytics)	Automatically collected
Push Notifications	Notification subscription endpoint (technical identifier), device type	When you enable notifications

We do not collect: real names (unless you choose them as your display name), financial account information, location data, or any sensitive personal data.

3. How We Use Your Data

We use the data we collect for the following purposes:

• Authentication — Verify your identity via phone OTP or Google Sign-In
• Core Functionality — Run and track poker games, calculate transfers, display results
• Social Features — Enable you to add friends, view their stats, and play together
• Leaderboard — Display aggregate (non-sensitive) statistics among friends
• Security — Detect abuse, prevent spam, protect user accounts (via Cloudflare CAPTCHA)
• Analytics — Understand how the app is used so we can improve it
• Communication — Send OTP SMS messages (only when you request them)

We do not use your data for advertising, profiling, or selling to third parties.

4. Third-Party Services

HandTrack relies on the following third-party services to operate. Each has its own privacy policy:

Service	Purpose	Data Shared	Privacy Policy
Supabase	Database & authentication backend	All user data (stored in their infrastructure)	supabase.com/privacy
Google Sign-In	OAuth authentication	Email, name (from Google account)	policies.google.com/privacy
Twilio	SMS delivery for OTP codes	Phone number	twilio.com/legal/privacy
Cloudflare Turnstile	CAPTCHA / bot protection	IP address, browser fingerprint	cloudflare.com/privacypolicy
Vercel	Web hosting & CDN	IP address, request logs	vercel.com/legal/privacy-policy
Google Analytics	Usage analytics	Anonymous usage data, IP address (anonymized)	policies.google.com/privacy
Firebase Cloud Messaging (FCM)	Push notifications delivery	Device token (technical identifier)	firebase.google.com/support/privacy
Sentry	Error monitoring & crash reporting	Error details, browser type, OS, page URL, anonymized IP	sentry.io/privacy

Push Notifications

If you enable push notifications, we store a technical subscription endpoint (provided by your browser or device) to deliver notifications to you. This endpoint is a random identifier that does not contain personal information.

We send notifications when:

• Someone adds you to a poker game
• A game you participated in needs your approval
• Someone sends you a friend request
• A friend request you sent is accepted

You can disable notifications at any time through your profile settings in the app, or through your browser/device notification settings. When you disable notifications, we delete your subscription endpoint from our database.

5. Analytics & Cookies

Google Analytics

We use Google Analytics to understand how users interact with HandTrack (e.g., which features are used most, general usage patterns). Google Analytics collects data such as pages visited, time on page, device type, and general geographic region. IP addresses are anonymized.

You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

Local Storage & Cookies

HandTrack uses browser local storage (not traditional cookies) to store:

• Your session token (to keep you logged in)
• Your language preference (Hebrew or English)
• Temporary game state (to restore your game after a page refresh)

This data stays on your device and is not transmitted to our servers (except the session token, which is used for authentication).

Future: Passkeys Planned

We may in the future offer Passkey authentication (WebAuthn standard) as an alternative login method. Passkeys are stored locally on your device and biometric data (fingerprint, Face ID) never leaves your device — it is not transmitted to HandTrack or any third party. We will update this policy when this feature is introduced.

6. Data Sharing

We do not sell, rent, or trade your personal data.

We share data only in the following limited cases:

• With other users you choose: Your display name and game statistics are visible to your friends within the app. Your phone number and email are never shown to other users.
• With service providers: As listed in Section 4, only what's necessary to operate the service.
• Legal requirements: If required by law, court order, or to protect the rights and safety of users or the public.

7. Data Retention

We retain your data for as long as your account is active.

• Active account: All data retained as long as you use the app
• Account deletion: All personal data is permanently deleted within 30 days of account deletion. Game records involving guest players (no account) may be retained in anonymized form.
• Analytics data: Google Analytics data is retained for 14 months (Google's default), in anonymous/aggregated form.
• OTP SMS logs: Twilio may retain SMS delivery logs per their own policy.

You can delete your account at any time from within the app: Profile → Delete Account. This permanently removes all your personal data, game records, friendships, and transfers.

8. Your Rights

Regardless of where you live, you have the following rights:

• ✅ Access — Request a copy of the data we hold about you
• ✅ Correction — Update or correct your display name via the app
• ✅ Deletion — Delete your account and all data directly from the app
• ✅ Portability — Request your data in a portable format
• ✅ Objection — Object to specific uses of your data

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. GDPR — European Users

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR).

Legal Basis for Processing:

Processing Activity	Legal Basis
Account creation & authentication	Contract performance (Art. 6(1)(b))
Game data, friends, statistics	Contract performance (Art. 6(1)(b))
Analytics (Google Analytics)	Legitimate interests (Art. 6(1)(f))
Security & fraud prevention	Legitimate interests (Art. 6(1)(f))

Additional GDPR Rights:

• Right to erasure ("right to be forgotten") — Delete your account in-app or email us
• Right to restrict processing — Contact us to limit how we use your data
• Right to lodge a complaint — You may file a complaint with your local data protection authority (DPA)

Data transfers outside the EEA: Your data is stored on Supabase (AWS us-east-1, United States). This transfer is covered by Standard Contractual Clauses (SCCs) as implemented by Supabase. See Supabase's privacy policy for details.

10. CCPA — California Users

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to Know — What personal information we collect and how we use it (see Section 2)
• Right to Delete — Request deletion of your personal information (available in-app)
• Right to Opt-Out — We do not sell personal information. No opt-out needed.
• Right to Non-Discrimination — We will not discriminate against you for exercising your rights

To exercise your CCPA rights, email [email protected] with the subject line "CCPA Request".

11. Children's Privacy

HandTrack is not directed at children under the age of 13 (or under 16 for users in the European Economic Area, as required by GDPR).

We do not knowingly collect personal information from children. If we become aware that a child under the applicable minimum age has provided personal information, we will delete it promptly. If you believe a child has used our service, please contact us at [email protected].

12. Security

We take security seriously and implement the following measures:

• Row Level Security (RLS) — All database access is restricted per user at the database level
• CAPTCHA protection — Cloudflare Turnstile on all authentication flows
• HTTPS — All data in transit is encrypted via TLS
• No plaintext passwords — Authentication is handled by Supabase (OTP or OAuth only)
• Phone/email privacy — Your contact info is never visible to other users
• Secure RPC functions — Sensitive database operations are protected server-side

Despite these measures, no system is 100% secure. In the event of a data breach that affects your rights, we will notify you as required by applicable law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this policy periodically. Continued use of HandTrack after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: