Privacy Notice
Last updated: 16 May 2026
In plain language: what does Poké Memory do with your data?
- Just playing (no sign-in). When you play without signing in, the app saves your Pokémon progress only on your own device, and nothing is sent to us or stored anywhere on the internet.
- Signing in. If you sign in with a GitHub or Google account, we save your card progress to a secure database so you can keep it across different devices. You need to be 13 or older to have a GitHub or Google account.
- What we save. We only save which Pokémon cards you've practised, how well you know them, and when you last practised, and nothing else. We don't know your name, your address, or anything about you as a person.
- Who else can see it. Nobody else can see your progress. Only you can see your own cards. We never share your progress with anyone else or use it to show you adverts.
- You're in control. You can export your progress or reset all progress at any time from the Settings page. You don't need to ask us; you can do it yourself, right now.
1. Who is the data controller?
Poké Memory is operated by Frazzled Productions. For questions about this notice or your personal data, contact privacy@pokememory.com.
2. Guest use vs. signed-in use
Poké Memory works in two modes and the data flows are very different.
Guest mode
All card progress and review history stays in your browser’s local storage. Nothing is transmitted to any server we operate. Pokémon sprites are served as static files from the same Vercel infrastructure that hosts the app; no third-party image CDN is involved.
Signed-in mode (GitHub or Google OAuth)
When you sign in with GitHub or Google, your per-card review history is synchronised to a Supabase Postgres database so you can continue across devices. This is where personal data processing begins and this notice applies in full.
3. What data do we collect?
We collect only what is necessary to provide the spaced-repetition service. No payment data, no advertising identifiers, no precise location.
Per-card review state (authenticated users)
For each Pokémon flashcard you review, we store the FSRS spaced-repetition parameters needed to schedule your next review:
- Card type and subject identifier (e.g. which Pokémon)
- Stability and difficulty (FSRS algorithm parameters)
- Scheduled interval in days
- Repetition count and lapse count
- FSRS state (new / learning / review / relearning)
- Due date, date of last review, date first seen
Our review-history, settings, streak, and grade-log tables are keyed by your account’s opaque user identifier (a UUID issued by Supabase Auth). They do not contain your username, email address, or any profile information beyond that identifier.
Separately, Supabase Auth maintains your account record. When you sign in via GitHub or Google, the OAuth provider returns a profile to Supabase Auth that typically includes the email address and display name associated with the account you signed in with; Supabase Auth stores this on the account record so it can identify you on your next sign-in. We use it only for authentication; it is never written into our review-history tables and is never used for marketing or tracking.
Settings and preferences
If you sign in, your application preferences (daily review limits, practice scope, theme, timezone, etc.) are also synchronised so they persist across devices.
Daily review activity (authenticated users)
We record which calendar dates you completed at least one review. This is stored in a streak_days table and used to calculate your review streak. It is an append-only log: dates are never removed except by a full progress reset.
Grade event log (authenticated users)
Each time you grade a card we append a row to a grade_log table recording the card type, subject identifier, the grade you chose, the entry date, and the precise timestamp it occurred (occurred_at). This log is used to compute per-user FSRS optimiser weights and review statistics. It is append-only: individual entries are never mutated or deleted except by a full progress reset.
Web Push subscriptions (opt-in, signed-in PWA users only)
If you install the app to your Home Screen and opt in to daily review reminders, we store the Web Push subscription details your browser issues for that device: the push service endpoint URL, and the two cryptographic keys (p256dh and auth) the standard requires to deliver an encrypted notification. These are kept in a push_subscriptions table, scoped to your account.
We use these values for one purpose only: to send a single daily notification when you have Pokémon cards due for review. The subscription is deleted as soon as you turn the toggle off, when you delete your account, or when your browser or operating system invalidates the endpoint. No notification content includes personal data beyond the count of cards waiting for review.
Aggregate analytics (all users)
Vercel Analytics and Speed Insights collect anonymous, aggregate metrics: page path, referrer, country, device type, and Core Web Vitals. This data does not include card progress, review history, or any personally identifying information. It goes to Vercel’s infrastructure, not ours.
Authentication cookie (signed-in users only)
When you sign in, Supabase Auth sets an HTTP-only session cookie containing a signed JWT that keeps you authenticated across requests. This cookie is strictly necessary for the signed-in service to function; it is not used for tracking or advertising, and it is not set in guest mode. See §4 below for our PECR position on this cookie.
4. Cookies and similar technologies
This section sets out our position under the UK Privacy and Electronic Communications Regulations 2003 (PECR), which governs the use of cookies and similar client-side storage.
What we use
- Browser local storage (guest path). We store your card review state, application settings, and temporary superuser QA flags in localStorage. This storage never leaves your device; nothing is transmitted to any server we operate. It is strictly necessary for the app to function in guest mode.
- Supabase Auth session cookie (signed-in path only). When you sign in with GitHub or Google, Supabase Auth sets an HTTP-only session cookie containing a signed JWT. This cookie is strictly necessary to keep you authenticated across requests. It is not set in guest mode and is not used for advertising or tracking.
What we do not use
We do not use tracking cookies, advertising cookies, or third-party profiling cookies of any kind. Vercel Analytics and Speed Insights are client-side scripts that collect aggregate, anonymous metrics (page path, referrer, country, device type, Core Web Vitals). They set no cookie and write nothing to localStorage or any other terminal-equipment storage, so PECR Regulation 6 is not engaged, and they do not identify individual users.
PECR position: no consent banner required
Under PECR, consent is only required for cookies and similar storage that are not strictly necessary. Every item of client-side storage used by this app is strictly necessary for the service to function (the auth cookie and SRS state in local storage). Vercel Analytics and Speed Insights are client-side scripts that set no cookie and write nothing to terminal-equipment storage, so PECR Regulation 6 is not engaged by them at all. No consent banner is required. We disclose this position here for transparency.
5. Why do we process your data and on what lawful basis?
| Purpose | Lawful basis |
|---|---|
| Store and synchronise your review history across devices | Contract performance: this is the core service you signed up for |
| Optimise the FSRS scheduler parameters for your retention target | Contract performance / legitimate interest in improving the service |
| Aggregate, anonymous page-view analytics | Legitimate interest in understanding usage patterns (no cookie, no individual tracking) |
6. Sub-processors and third-party sign-in services
Sub-processors (DPA in place)
The following companies process personal data on our behalf as data processors. We have a data processing agreement in place with each.
| Processor | Role | Data transferred |
|---|---|---|
| Vercel | Hosting and static asset delivery | Aggregate, anonymous analytics only; no card data |
| Supabase | Postgres database for authenticated users | Per-card review state, daily activity dates, grade event log, settings, and auth session (authenticated users only) |
Row-Level Security in Supabase ensures each user can only read and write their own rows.
Third-party sign-in services
When you sign in via GitHub or Google, that provider processes the authentication interaction as an independent controller under its own terms of service and privacy policy, not as our processor. We do not have a controller-to-processor DPA with these providers, and we do not instruct or control how they handle their side of the authentication flow.
| Provider | Role | Data shared at sign-in |
|---|---|---|
| GitHub (OAuth) | Optional sign-in provider, used only if you choose “Continue with GitHub” | The OAuth token exchange is handled server-side by Supabase Auth; the app itself never sees the OAuth token. The provider returns a profile (typically email and display name) to Supabase Auth, which holds it on your account record for authentication. Our own review-history tables store only the opaque user identifier. |
| Google (OAuth) | Optional sign-in provider, used only if you choose “Continue with Google” | The OAuth token exchange is handled server-side by Supabase Auth; the app itself never sees the OAuth token. The provider returns a profile (typically email and display name) to Supabase Auth, which holds it on your account record for authentication. Our own review-history tables store only the opaque user identifier. |
For details on how each provider handles the authentication interaction, see the GitHub Privacy Statement and the Google Privacy Policy.
7. International transfers
The third-party services listed in §6 (Vercel, Supabase, and, if you choose to sign in, GitHub or Google) may process data outside the UK / EEA. Vercel and Supabase (our sub-processors) operate under the EU Standard Contractual Clauses (SCCs), providing equivalent safeguards via the UK International Data Transfer Agreement (IDTA) addendum. GitHub and Google act as independent controllers under their own applicable transfer mechanisms, including their own published SCCs with end-users.
8. How long do we keep your data?
Your review history, daily activity log, grade event log, and settings are retained for as long as your account is active. If you delete your account or request erasure (see Your rights), all rows associated with your user identifier are permanently deleted from Supabase via a cascading delete. There is currently no separate point-in-time backup retained for this project, so deletion is effectively immediate and permanent.
9. Your rights
Under UK GDPR and GDPR, you have the following rights where they apply:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate data.
- Erasure: ask us to delete your data (“right to be forgotten”). You can also do this yourself from the Settings page: Reset all progress deletes your review history immediately, and Delete account permanently erases your account, all cloud data, and your sign-in identity, with no email request needed.
- Data portability: receive your data in a structured, machine-readable format. The Export progress option on the Settings page downloads your locally-cached review history as JSON. Note that this export reflects the data held in your browser’s local storage, not necessarily the full authoritative copy in the cloud. If you are signed in and require a complete copy of the data we hold for you in Supabase, please contact us at privacy@pokememory.com and we will provide a full export.
- Objection: object to processing carried out under legitimate interest.
- Restriction: ask us to restrict processing while a dispute is resolved.
To exercise any of these rights, email privacy@pokememory.com from the email address associated with the GitHub or Google account you signed in with, so we can verify the request. We will respond within one month.
10. Right to complain to the ICO
If you are in the UK and are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint. If you are in the EU, contact your national data protection authority.
11. Children’s data
Poké Memory is not directed at children under the age of 13. We do not knowingly collect personal data from under-13s. If you are under 13, please do not sign in; use guest mode instead, which stores nothing outside your own device. For a plain-language version of this notice suited to younger readers, see the summary above. If you believe a child under 13 has signed in, please contact us at privacy@pokememory.com and we will delete the data promptly.
12. Changes to this notice
We may update this notice when the data flows change (for example, if we add a new sub-processor or card type). Material changes will be announced via the What’s new page. The “last updated” date at the top of this page will always reflect the most recent revision.
13. Third-party content and intellectual property
Poké Memory is an unofficial fan project. It is not affiliated with, endorsed by, or in any way connected to Nintendo, Game Freak, or The Pokémon Company.
Pokémon and all related names, characters, sprites, cries, and other creative assets are trademarks and/or copyrights of Nintendo / Creatures Inc. / GAME FREAK inc. All rights remain with their respective owners. These assets are reproduced here for fan and educational purposes.
Pokémon species data and sprites are sourced from PokéAPI (an open Pokémon data API). Sprites are self-hosted and served as static files from the same infrastructure as the app; no runtime requests are made to PokéAPI or any Nintendo-affiliated server.
14. Terms of Use
For the terms that govern use of the hosted service (including disclaimers, liability limitations, acceptable use, and governing law), see the Terms of Use.