Privacy Notice
Last updated: 11 June 2026
In plain language: what does Poké Memory do with your data?
- Just playing (no sign-in). When you play without signing in, the app saves your Pokémon progress only on your own device, and nothing is sent to us or stored anywhere on the internet.
- Signing in. If you sign in with GitHub, Google, or a username and password, we save your card progress to a secure database so you can keep it across different devices. If you are under 13, please use the app without signing in instead.
- What we save. We only save which Pokémon cards you've practised, how well you know them, and when you last practised, and nothing else. We don't know your name, your address, or anything about you as a person.
- Who else can see it. Nobody else can see your progress. Only you can see your own cards. We never share your progress with anyone else or use it to show you adverts.
- You're in control. You can export your progress or reset all progress at any time from the Settings page. You don't need to ask us; you can do it yourself, right now.
- Feedback. If you send us feedback, we keep your message for up to 12 months to help us fix things, and then it is automatically deleted.
1. Who is the data controller?
Poké Memory is operated by Frazzled Productions Ltd (company number 17258540), registered in England and Wales. Frazzled Productions Ltd is registered with the Information Commissioner’s Office (ICO), registration number ZC165261. For questions about this notice or your personal data, contact privacy@pokememory.com.
Frazzled Productions Ltd, a company registered in England and Wales (company number 17258540). Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
2. Guest use vs. signed-in use
Poké Memory works in two modes and the data flows are very different.
Guest mode
All card progress and review history stays in your browser’s local storage. Nothing is transmitted to any server we operate. Pokémon sprites are served as static files from the same Vercel infrastructure that hosts the app; no third-party image CDN is involved.
Signed-in mode (GitHub, Google, or username and password)
When you sign in, via GitHub, Google, or a username and password you create directly, your per-card review history is synchronised to a Supabase Postgres database so you can continue across devices. This is where personal data processing begins and this notice applies in full.
3. What data do we collect?
We collect only what is necessary to provide the spaced-repetition service. No payment data, no advertising identifiers, no precise location.
Per-card review state (authenticated users)
For each Pokémon flashcard you review, we store the FSRS spaced-repetition parameters needed to schedule your next review:
- Card type and subject identifier (e.g. which Pokémon)
- Stability and difficulty (FSRS algorithm parameters)
- Scheduled interval in days
- Repetition count and lapse count
- FSRS state (new / learning / review / relearning)
- Due date, date of last review, date first seen
Our review-history, settings, streak, and grade-log tables are keyed by your account’s opaque user identifier (a UUID issued by Supabase Auth). They do not contain your username, email address, or any profile information beyond that identifier.
Separately, Supabase Auth maintains your account record. If you sign in via GitHub or Google, the OAuth provider returns a profile to Supabase Auth that typically includes the email address and display name associated with the account you signed in with; Supabase Auth stores this on the account record so it can identify you on your next sign-in. If you create a username and password account, Supabase Auth stores your chosen username (which may be personal data if it identifies you) and a synthetic internal email address that is not a real address and is never shown to you or used to send you mail. In both cases this data is used only for authentication; it is never written into our review-history tables and is never used for marketing or tracking.
Settings and preferences
If you sign in, your application preferences (daily review limits, practice scope, theme, timezone, etc.) are also synchronised so they persist across devices.
Daily review activity (authenticated users)
We record which calendar dates you completed at least one review. This is stored in a streak_days table and used to calculate your review streak. It is an append-only log: dates are never removed except by a full progress reset. If you have turned on the streak reminder (see Web Push subscriptions below), this table is also read server-side, late in your local day, to decide whether you have an active streak and have not yet reviewed today.
Grade event log (authenticated users)
Each time you grade a card we append a row to a grade_log table recording the card type, subject identifier, the grade you chose, the entry date, and the precise timestamp it occurred (occurred_at). This log is used to compute per-user FSRS optimiser weights and review statistics. It is append-only: individual entries are never mutated or deleted except by a full progress reset.
Web Push subscriptions (opt-in, signed-in PWA users only)
If you install the app to your Home Screen and opt in to daily review reminders, we store the Web Push subscription details your browser issues for that device: the push service endpoint URL, and the two cryptographic keys (p256dh and auth) the standard requires to deliver an encrypted notification. These are kept in a push_subscriptions table, scoped to your account.
We use these values to send Web Push notifications: a daily reminder when you have Pokémon cards due for review, and, if you have an active review streak and have separately turned on the streak reminder toggle, an additional late-day reminder if you have not yet reviewed that day. You will never receive more than two notifications in a day. The subscription is deleted as soon as you turn the daily reminder toggle off, when you delete your account, or when your browser or operating system invalidates the endpoint. Notification content is limited to the number of cards waiting for review (daily reminder) or your current streak length (streak reminder); no other personal data appears in a notification.
Aggregate analytics (all users)
Vercel Analytics and Speed Insights collect anonymous, aggregate metrics: page path, referrer, country, device type, and Core Web Vitals. This data does not include card progress, review history, or any personally identifying information. It goes to Vercel’s infrastructure, not ours.
On app open, a custom event is also sent to Vercel Analytics recording two bucketed, non-identifying properties: whether you are a new visitor, a returning guest, or signed in; and a coarse bucket for how many Pokémon you have mastered (0, 1–10, 11–50, or 50+). No raw counts, user IDs, or card content are included.
Authentication cookie (signed-in users only)
When you sign in, Supabase Auth sets an HTTP-only session cookie containing a signed JWT that keeps you authenticated across requests. This cookie is strictly necessary for the signed-in service to function; it is not used for tracking or advertising, and it is not set in guest mode. See §4 below for our PECR position on this cookie.
Feedback submissions (all users)
If you use the in-app feedback form, we collect:
- Feedback category (e.g. bug report, suggestion)
- Free-text message (up to 2,000 characters). This message may contain personal data you choose to include; please do not include your name, email address, or other personal information in your message.
- The page pathname from which the feedback was submitted
- App version at the time of submission
- If you are signed in: an opaque user identifier (UUID) so we can follow up if needed. If you are a guest, no user identifier is included and your feedback is not linked to any identifiable account.
Feedback is used only to improve the service and to investigate reported issues. It is not used for profiling or marketing. Bug reports trigger an automated notification to a private, maintainer-only Discord channel used for triage: this notification includes a capped preview (up to 500 characters) of the message, plus the non-identifying metadata above (page, app version, timestamp). No user identifier is included. Discord is a sub-processor under a data processing agreement (see §6).
4. Cookies and similar technologies
This section sets out our position under the UK Privacy and Electronic Communications Regulations 2003 (PECR), which governs the use of cookies and similar client-side storage.
What we use
- Browser local storage (guest path). We store your card review state, application settings, and temporary superuser QA flags in
localStorage. This storage never leaves your device; nothing is transmitted to any server we operate. It is strictly necessary for the app to function in guest mode. - Supabase Auth session cookie (signed-in path only). When you sign in, via GitHub, Google, or username and password, Supabase Auth sets an HTTP-only session cookie containing a signed JWT. This cookie is strictly necessary to keep you authenticated across requests. It is not set in guest mode and is not used for advertising or tracking.
What we do not use
We do not use tracking cookies, advertising cookies, or third-party profiling cookies of any kind. Vercel Analytics and Speed Insights are client-side scripts that collect aggregate, anonymous metrics (page path, referrer, country, device type, Core Web Vitals). They set no cookie and write nothing to localStorage or any other terminal-equipment storage, so PECR Regulation 6 is not engaged, and they do not identify individual users.
PECR position: no consent banner required
Under PECR, consent is only required for cookies and similar storage that are not strictly necessary. Every item of client-side storage used by this app is strictly necessary for the service to function (the auth cookie and SRS state in local storage). Vercel Analytics and Speed Insights are client-side scripts that set no cookie and write nothing to terminal-equipment storage, so PECR Regulation 6 is not engaged by them at all. No consent banner is required. We disclose this position here for transparency.
5. Why do we process your data and on what lawful basis?
| Purpose | Lawful basis |
|---|---|
| Store and synchronise your review history across devices | Contract performance: this is the core service you signed up for |
| Optimise the FSRS scheduler parameters for your retention target | Contract performance / legitimate interest in improving the service |
| Aggregate, anonymous page-view analytics | Legitimate interest in understanding usage patterns (no cookie, no individual tracking) |
| Receive and act on feedback you submit voluntarily | Legitimate interest in improving the service and resolving reported issues |
6. Sub-processors and third-party sign-in services
Sub-processors (DPA in place)
The following companies process personal data on our behalf as data processors. We have a data processing agreement in place with each.
| Processor | Role | Data transferred |
|---|---|---|
| Vercel | Hosting and static asset delivery | Aggregate, anonymous analytics only; no card data |
| Supabase | Postgres database for authenticated users | Per-card review state, daily activity dates, grade event log, settings, and auth session (authenticated users only) |
| Discord | Maintainer notification channel for bug-report triage | A capped preview (up to 500 characters) of the free-text message, plus non-identifying metadata (page, app version, timestamp). No user identifier is included. Sent to a private, maintainer-only channel. |
Row-Level Security in Supabase ensures each user can only read and write their own rows.
Third-party sign-in services
When you sign in via GitHub or Google, that provider processes the authentication interaction as an independent controller under its own terms of service and privacy policy, not as our processor. We do not have a controller-to-processor DPA with these providers, and we do not instruct or control how they handle their side of the authentication flow.
| Provider | Role | Data shared at sign-in |
|---|---|---|
| GitHub (OAuth) | Optional sign-in provider, used only if you choose “Continue with GitHub” | The OAuth token exchange is handled server-side by Supabase Auth; the app itself never sees the OAuth token. The provider returns a profile (typically email and display name) to Supabase Auth, which holds it on your account record for authentication. Our own review-history tables store only the opaque user identifier. |
| Google (OAuth) | Optional sign-in provider, used only if you choose “Continue with Google” | The OAuth token exchange is handled server-side by Supabase Auth; the app itself never sees the OAuth token. The provider returns a profile (typically email and display name) to Supabase Auth, which holds it on your account record for authentication. Our own review-history tables store only the opaque user identifier. |
For details on how each provider handles the authentication interaction, see the GitHub Privacy Statement and the Google Privacy Policy.
7. International transfers
The third-party services listed in §6 (Vercel; Supabase if you sign in by any method, including username and password; Discord for bug-report triage notifications; and, if you sign in via GitHub or Google, those providers) may process data outside the UK / EEA. Vercel, Supabase, and Discord (our sub-processors) operate under the EU Standard Contractual Clauses (SCCs), providing equivalent safeguards via the UK International Data Transfer Agreement (IDTA) addendum. GitHub and Google act as independent controllers under their own applicable transfer mechanisms, including their own published SCCs with end-users.
8. How long do we keep your data?
Your review history, daily activity log, grade event log, and settings are retained for as long as your account is active. If you delete your account or request erasure (see Your rights), all rows associated with your user identifier are permanently deleted from Supabase via a cascading delete. There is currently no separate point-in-time backup retained for this project, so deletion is effectively immediate and permanent.
Feedback submissions are retained for 12 months from the date of submission and then automatically deleted, regardless of account status.
9. Your rights
Under UK GDPR and GDPR, you have the following rights where they apply:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate data.
- Erasure: ask us to delete your data (“right to be forgotten”). You can also do this yourself from the Settings page: Reset all progress deletes your review history immediately, and Delete account permanently erases your account, all cloud data, and your sign-in identity, with no email request needed. Deleting your account also permanently deletes any feedback submissions linked to it.
- Data portability: receive your data in a structured, machine-readable format. The Export progressoption on the Settings page downloads your locally-cached review history as JSON. Note that this export reflects the data held in your browser’s local storage, not necessarily the full authoritative copy in the cloud. If you are signed in and require a complete copy of the data we hold for you in Supabase, please contact us at privacy@pokememory.com and we will provide a full export.
- Objection: object to processing carried out under legitimate interest.
- Restriction: ask us to restrict processing while a dispute is resolved.
To exercise any of these rights, email privacy@pokememory.com. If you signed in with GitHub or Google, please write from the email address associated with that account so we can verify the request. If you have a username and password account with no email address, please include your username in your message and we will ask you to confirm your identity by other means. We will respond within one month.
10. Right to complain to the ICO
If you are in the UK and are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint. If you are in the EU, contact your national data protection authority.
11. Children’s data
Poké Memory is not directed at children under the age of 13. We do not knowingly collect personal data from under-13s. If you are under 13, please use guest mode only and do not create an account or sign in; guest mode stores your progress on your own device and nothing is sent to us. For a plain-language version of this notice suited to younger readers, see the summary above. If you believe a child under 13 has created an account, please contact us at privacy@pokememory.com and we will delete the data promptly.
12. Changes to this notice
We may update this notice when the data flows change (for example, if we add a new sub-processor or card type). Material changes will be announced via the What’s new page. The “last updated” date at the top of this page will always reflect the most recent revision.
13. Third-party content and intellectual property
Poké Memory is an unofficial fan project. It is not affiliated with, endorsed by, or in any way connected to Nintendo, Game Freak, or The Pokémon Company.
Pokémon and all related names, characters, sprites, cries, and other creative assets are trademarks and/or copyrights of Nintendo / Creatures Inc. / GAME FREAK inc. All rights remain with their respective owners. These assets are reproduced here for fan and educational purposes.
Pokémon species data and sprites are sourced from PokéAPI (an open Pokémon data API). Sprites are self-hosted and served as static files from the same infrastructure as the app; no runtime requests are made to PokéAPI or any Nintendo-affiliated server.
14. Terms of Use
For the terms that govern use of the hosted service (including disclaimers, liability limitations, acceptable use, and governing law), see the Terms of Use.