PokerPath Privacy Policy

Last Updated: May 26, 2026 Effective Date: May 26, 2026

PokerPath is operated by PokerPath LLC, owned by James Shouey.

1. Who We Are

PokerPath (“we,” “us,” or “PokerPath”) operates the website at https://pokerpath.app and any associated subdomains (collectively, the “Service”). PokerPath is a US-based service that helps poker players discover live tournaments, save tournaments they’re interested in, plan their travel, and use related player tools.

If you have questions about this Privacy Policy or about your personal information, see Section 18 (Contact Information).

2. Scope of This Policy

This Privacy Policy applies to information we collect through the Service. It does NOT apply to:

  • Third-party websites we link to (each operates under its own privacy policy).
  • Tournament-host casinos or card rooms (governed by their own policies).
  • Sponsors, partners, or other operators when they appear on the Service.

PokerPath does not currently operate a native mobile app. If we publish one, this policy will be updated.

3. Information We Collect

We collect only what we need to operate the Service.

3.1 Account Information

When you create an account, we collect:

  • Username (you choose this; used for sign-in)
  • Email address (used for sign-in, password recovery, transactional emails, and — only with your consent — notifications about tournaments you’ve saved)
  • Password (stored as a one-way cryptographic hash — we cannot read or recover your actual password)
  • Display name (optional; defaults to your username)
  • Self-declared home state (optional; used to power region-level aggregate reporting)

3.2 Google Sign-In Information

If you sign in using Google, we additionally collect a Google account identifier that links your PokerPath account to your Google sign-in. See Section 11 for the explicit scope of Google data we access.

3.3 Tournament Interest and Saved Tournaments

When you save a tournament, mark interest, or save a tour, we record the tournament identifier, the time you saved it, and the link to your PokerPath account. This is used to power your “My Tournaments” view, the interest indicator, and notifications you’ve opted into.

3.4 Player Plus Feature Data

If you subscribe to Player Plus and use the bankroll or travel-planning features, we record the data you enter into those tools (bankroll settings, travel trip details, coaching session data). This data is yours; we do not analyze it for any purpose other than running the feature you’re using.

3.5 Authentication and Session Data

When you sign in, an authentication cookie is set in your browser (expires in 48 hours, or 14 days if “Remember me” is selected), and a “last login” timestamp is recorded on your account. If you use the Service before signing in, a short-lived guest session cookie may be set so we can remember the tournament you tapped “save” on; it expires after 24 hours.

3.6 Security Log

We maintain an internal security log to detect and respond to abuse. The log records event types such as failed sign-in attempts, password reset requests, promo-code redemptions, and rate-limit threshold breaches. The log records an opaque internal identifier and event metadata; it does NOT record your full email, your password, or any payment information.

3.7 Analytics and Operational Measurement

PokerPath uses two complementary first-party, privacy-preserving measurement pipelines:

Plausible Analytics is our website analytics tool. Plausible is:

  • Cookie-free. Plausible does not set any cookie in your browser.
  • No persistent identifier. Plausible does not write localStorage or fingerprint your device.
  • No cross-site tracking. Plausible cannot link your activity here to your activity elsewhere.
  • EU-hosted. Plausible operates servers in Germany. Pageview data stays in the EU.
  • Aggregate-only. Outputs are daily totals, popular pages, and source/referrer summaries — never individual user activity.

You may opt out of Plausible by using your browser’s “Do Not Track” preference (honored by Plausible) or by using a privacy extension that blocks Plausible’s domain.

Aggregate tournament-interaction metrics are an internal pipeline that powers a future partner-reporting product. The pipeline:

  • Stores NO user identity. The internal event table contains no `user_id`, email, name, IP address, or User-Agent string.
  • Stores only aggregate counts (page views, saves, calendar adds, share clicks) per tournament, per day.
  • Aggregate-only outputs to verified partners (when partner dashboard launches); never per-user data.

3.8 What We Do NOT Collect

  • No advertising tracking. We embed no advertising SDKs and allow no third-party ad networks to track via our Service.
  • No data sales. See Section 5 (No Sale / No Sharing).
  • No precise location. No GPS, no IP-derived position. The region dimension uses only your self-declared home state.
  • No biometric, health, or financial data beyond the future Stripe payment processing described in Section 4.
  • No native-app device identifiers (the Service is a website).
  • No contact list, address book, camera roll, microphone, or camera access.

4. How We Use Your Information

We use the data we collect only for:

  1. Operating the Service — authenticating sign-ins, rendering tournament listings, powering saved tournaments, running the features you use.
  2. Communicating with you — transactional emails (welcome, password reset, partner application acknowledgment) and, only if you’ve opted in, notifications about saved tournaments.
  3. Aggregate measurement — Plausible Analytics and aggregate tournament-interaction metrics, as described in Section 3.7.
  4. Security — detecting and responding to abuse, fraud, and security incidents.
  5. Legal compliance — responding to lawful requests, preserving evidence during incidents, fulfilling privacy-rights requests.

When PokerPath introduces paid subscriptions, payment information will be handled by Stripe (we will never see or store your card number). This policy will be updated to describe Stripe’s role at that time.

We do NOT use your information for advertising targeting, sale to third parties, behavioral profile resale, or AI model training.

5. No Sale / No Sharing

PokerPath does not sell your personal information.

PokerPath does not share your personal information with third parties for cross-context behavioral advertising.

This applies under all definitions of “sale” and “sharing” applicable to PokerPath’s users in the relevant states (including California’s CCPA / CPRA framing of cross-context behavioral advertising, and parallel definitions under other US state privacy laws).

6. How We Share Your Information (Third-Party Service Providers)

We use a small set of third-party service providers (“processors”) to run the Service. Each processor has access only to the data necessary to perform their function, under contractual confidentiality and data-protection obligations.

Processor Function Jurisdiction Data Accessed
WP Engine Website hosting United States All stored data (database, file system)
Sentry Error monitoring United States Technical error metadata; opaque user identifier; no email, no IP, no full request body, no cookies
Resend Transactional email delivery United States Recipient email address and message content
Google (only if you use Google Sign-In) Authentication United States We receive limited Google profile data per Section 11; we send Google no information about your activity on PokerPath
Plausible Analytics Aggregate website analytics European Union (Germany) Request envelope (IP + User-Agent) processed server-side then discarded; aggregate-only output; no cookies set

Future Stripe integration. When PokerPath adds paid subscriptions through Stripe, Stripe will become an additional processor. Stripe handles all payment card data; we will never see or store card numbers. This policy will be updated at that time.

7. Your Privacy Rights — General

You have rights with respect to your personal information. Under applicable US state and international privacy law, these rights typically include:

  • Right of access — request a copy of the personal information we hold about you.
  • Right of correction — request that we correct information that is wrong.
  • Right of deletion — request that we delete your account and personal information.
  • Right of portability — request your data in a structured, machine-readable format.
  • Right to opt out of marketing/notification emails — use the unsubscribe link or your account preferences.
  • Right to opt out of analytics — Plausible honors “Do Not Track.”

To exercise any of these rights, email privacy@pokerpath.app with your request, including the email address associated with your account so we can verify the request comes from the account owner. We will respond within 30 days, or sooner if required by applicable law.

8. California Residents — CCPA / CPRA Rights

If you live in California, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act.

Categories of personal information we collect (CCPA framing):

  • Identifiers (username, email address)
  • Customer records (account profile)
  • Commercial information (Player Plus subscription status, if applicable)
  • Internet activity (your saved tournaments on our Service)
  • Geolocation: none at user-identifiable resolution
  • Sensitive personal information: none

Sources: Directly from you; from Google if you choose Google Sign-In.

Business purposes: As described in Section 4.

Sale or sharing for cross-context behavioral advertising: None. See Section 5.

How to Exercise Your California Rights

California residents may submit access, deletion, correction, or opt-out requests by emailing privacy@pokerpath.app. We will respond within 45 days as required by CCPA/CPRA. If we deny your request, you may appeal by replying to the denial email within 30 days. Authorized agent submissions are accepted with written authorization from you; we may verify by contacting you directly.

9. Texas Residents — Texas Data Privacy and Security Act (TDPSA)

Texas residents have rights under the Texas Data Privacy and Security Act including:

  • The right to access the personal data we process about you.
  • The right to correct inaccurate personal data.
  • The right to delete personal data we have collected.
  • The right to obtain a portable copy of your personal data in a usable format.
  • The right to opt out of the sale of personal data, targeted advertising, and profiling for decisions with significant effects (PokerPath does not engage in any of these activities).
  • The right to appeal a denial of any of the above requests.

To exercise any of these rights, email privacy@pokerpath.app. We will respond within the timeframe required by TDPSA. If we deny your request, you may appeal by replying to the denial email within 30 days. If your appeal is also denied, you may contact the Texas Attorney General to file a complaint.

10. EU / UK Residents

PokerPath does not actively market to or solicit EU or UK residents and is operated as a US-only service. PokerPath’s vendors that may process EU resident data (such as Plausible) operate from EU jurisdictions or under standard data protection frameworks.

If you are nonetheless located in the European Union, the United Kingdom, or another jurisdiction with GDPR-equivalent rights, the following rights may apply to you under applicable law:

  • Right of access
  • Right to rectification
  • Right to erasure / “right to be forgotten”
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right not to be subject to automated decision-making with significant effect (we do not make automated decisions of this kind)

To exercise any of these rights, email privacy@pokerpath.app. You also have the right to lodge a complaint with your country’s supervisory authority.

11. Google Sign-In — Explicit Scope

When you sign in with Google, PokerPath only accesses basic Google account information necessary for authentication: your email address, display name, and avatar. We request only the minimum scopes necessary for authentication (email and profile). PokerPath does not access your Gmail, contacts, Google Drive, calendar, or any other Google account content.

You may revoke PokerPath’s access to your Google account at any time via https://myaccount.google.com/permissions.

12. Children’s Privacy

PokerPath is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we discover we have collected personal information from a child under 13, we will delete it.

If you believe a child has provided us with personal information, please contact privacy@pokerpath.app and we will investigate and delete as required.

Independently, the Service is intended for adults only (minimum age 18) and many tournaments listed on the Service require players to be 21 or older at the venue. You are solely responsible for verifying and complying with the minimum age requirements at any venue you attend.

13. Cookies and Similar Technologies

PokerPath uses a minimal set of cookies, all of which are essential for core functionality (sign-in, session, and recording your cookie-consent choice):

  • WordPress authentication cookie (48 hours, or 14 days if “Remember me” selected)
  • WordPress test cookie (verifies your browser accepts cookies; required for sign-in flow)
  • PokerPath guest session cookie (24 hours; remembers your pre-sign-in intent)
  • Cookie-consent preference cookie (set by our cookie banner when you make a choice, to remember your selection so you are not asked on every visit)

We do NOT use analytics cookies, advertising cookies, social-media tracking pixels, cross-domain tracking, or any fingerprinting technology. Plausible Analytics is intentionally cookie-free.

Cookies you can disable in your browser, but if you do, sign-in will not work.

14. Data Retention

We retain your information only as long as needed for the purposes described in this policy, or as required by law.

Category Retention Period
Active account profile and saved tournaments Retained while account active + 90 days post-deletion
Player Plus feature data While Plus subscription active + 90 days post-deletion
Authentication sessions 48 hours (or 14 days if “Remember me”)
Guest session tokens 24 hours
Security logs Retained 12 months for investigation purposes
Backups Deleted data may persist in backups for up to 30 days
Plausible aggregate data Retained indefinitely (non-personal aggregate)
Aggregate tournament-interaction metrics Retained indefinitely (non-personal aggregate; contains no per-user record)

When you delete your account, we delete the data above per the schedule and ask our processors to delete any of your data they hold on our behalf.

If your account or data is involved in an active security incident or legal matter, we may retain the relevant records longer than the schedule above, until the matter is resolved.

15. Security

We take reasonable measures to protect your data:

  • Passwords are stored as one-way cryptographic hashes. We cannot read your password.
  • Connections to the Service are encrypted in transit (HTTPS / TLS).
  • The site sends modern security headers including HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
  • We operate a Content Security Policy that helps detect and prevent script injection.
  • Sensitive operations are rate-limited to prevent brute-force attacks.
  • We do not store payment card numbers. When paid subscriptions launch, Stripe will handle all card data.
  • External JavaScript dependencies we load are pinned with Subresource Integrity (SRI) hashes where applicable.

No system is perfectly secure, and we do not claim ours is. We work continuously to find and fix issues and we take security incidents seriously.

16. Breach Notification

In the event of a security incident involving your personal information, we will notify you and any required regulator consistent with applicable law:

  • Florida residents: notification within 30 days of breach determination.
  • California residents: notification “without unreasonable delay” as required under California law.
  • Texas residents: notification within 60 days as required under TDPSA.
  • All other US residents: notification within the timeframe required by your state’s breach-notification law.
  • EU / UK residents: where applicable, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to your rights.

17. Governing Law

This Privacy Policy is governed by the laws of the State of Texas, without regard to conflict of laws principles. Any disputes arising under this Privacy Policy are subject to the jurisdiction and venue provisions of our Terms of Service.

18. Contact Information

Privacy requests (access, deletion, correction, opt-out, appeals): privacy@pokerpath.app

General contact: support@pokerpath.app

19. Responsible Gaming

PokerPath promotes responsible gaming. For PokerPath’s complete Responsible Gaming statement and resources (including the National Council on Problem Gambling helpline), see Section 18 of our Terms of Service at https://pokerpath.app/terms.

20. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the “Last Updated” date at the top of this policy.
  • Notify signed-in users by email when changes materially affect them.
  • Post the updated policy on the Service before the change takes effect.

We will not make a material change with retroactive effect. New data uses apply only to data collected from the effective date of the updated policy forward.

21. Effective Date

Effective Date: May 26, 2026 Last Updated: May 26, 2026