Privacy Policy

Overview

PointPoker ("we", "us", "our") is a real-time planning poker tool operated by MHSCentral LLC. This policy covers how we collect, use, and protect your data across all PointPoker platforms: the web application (pointpoker.co), Jira integration, Slack bot, and Microsoft Teams app.

We are committed to collecting the minimum data necessary to provide the service and retaining it for the shortest time possible.

Data we collect

The data we collect depends on which platform you use:

Web application (pointpoker.co)

• Display name (entered when joining a room)
• Vote values (the estimates you cast)
• Room settings chosen by the facilitator

Jira integration (Forge app)

• Atlassian Account ID (opaque identifier)
• Display name and avatar URL (from your Jira profile)
• Issue key and title (e.g., PROJ-123)
• Vote values
• Story Points field ID (cached per project for field discovery)

Slack bot

• Slack user ID and display name
• Workspace ID and channel ID
• Vote values

Microsoft Teams app

• AAD Object ID and display name
• Tenant ID and conversation reference
• Vote values

Data we do NOT collect

• Email addresses (except for Pro tier accounts)
• Passwords (Jira/Slack/Teams authentication is handled by those platforms)
• Issue descriptions, attachments, or source code
• Browsing history or device fingerprints
• Payment card details (handled entirely by Stripe)

How we use your data

• Display your identity to other participants in a voting session
• Record and reveal votes when the facilitator triggers a reveal
• Write the agreed estimate back to Jira (Jira integration only, facilitator-initiated)
• Post session summary comments in Jira (Jira integration only)
• Send voting notifications in Slack or Teams channels

We do not sell, share, or use your data for advertising, analytics profiling, or any purpose beyond delivering the PointPoker service.

Where data is stored

Data is stored in the following locations:

• Upstash Redis (US region) — ephemeral session data (room state, votes, participant info). Encrypted at rest with AES-256.
• Atlassian Forge Storage (Jira integration only) — session tokens and field discovery cache. Managed and encrypted by Atlassian.
• Railway (US region) — application hosting. No persistent user data storage beyond Redis.

Data retention

All session data is ephemeral and automatically deleted:

• Web rooms: expire after 72 hours of inactivity
• Jira sessions: expire after 2 hours maximum
• Slack/Teams sessions: expire with the room (72 hours max)
• Rooms idle for 30 minutes are garbage collected
• Forge Storage keys are deleted when a Jira session ends

We do not retain vote data, session history, or participant information beyond these windows. There is no long-term data persistence.

Sub-processors

We use the following third-party services to provide PointPoker:

Title Privacy Mode (Jira)

Teams using the Jira integration can enable Title Privacy Mode on a per-project basis. When enabled, issue titles are not sent to our backend — only the issue key (e.g., PROJ-123) is transmitted. The full title is displayed locally within the Jira panel only.

Your rights

You can:

• Leave any session at any time — your data is removed from the room immediately
• Request deletion of any data we hold by contacting us
• Request information about what data we process

Because all session data is ephemeral (max 72 hours), in most cases your data will have already been automatically deleted before any request is processed.

Children

PointPoker is not directed at children under 16. We do not knowingly collect data from children.

Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of PointPoker after changes constitutes acceptance of the revised policy.

Contact

Questions about this policy? Contact us at support@pointpoker.co.