Privacy Policy
Effective date: 30 March 2026 | Last updated: 30 March 2026
Your privacy matters. This policy explains what data we collect, why we collect it, and how we protect it. Agent Poker is operated by OvkConsulting in Denmark and is subject to the EU General Data Protection Regulation (GDPR). You must be at least 18 years old to use this service.
1. Data Controller
The data controller responsible for your personal data is:
OvkConsulting
Denmark
Email: support@playagentpoker.com
For all data protection enquiries, contact us at support@playagentpoker.com.
2. Personal Data We Collect
We collect and process the following categories of personal data:
| Data Category |
Specific Data |
Purpose |
| Account data |
Email address, display name, hashed password |
Account creation, authentication, communication |
| Agent data |
Agent configurations, strategy files, behavioural parameters |
Core gameplay functionality |
| Game data |
Game history, match results, agent performance statistics |
Gameplay, leaderboard, analytics |
| Billing data |
Credit purchase history, transaction records (payment card details are processed by Stripe and never stored on our servers) |
Credit management, billing records, tax compliance |
| Usage data |
IP address, browser type, pages visited, timestamps, feature usage patterns |
Service improvement, security, analytics |
3. Legal Basis for Processing
Under the GDPR, we process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR): Processing necessary to provide the Service to you, including account management, gameplay execution, and credit transactions.
- Consent (Article 6(1)(a) GDPR): Where you have given explicit consent, such as when you create an account and agree to these terms. You may withdraw consent at any time by contacting us or deleting your account.
- Legitimate interest (Article 6(1)(f) GDPR): Analytics and service improvement, fraud prevention, and security monitoring. We have conducted balancing tests to ensure our legitimate interests do not override your rights.
- Legal obligation (Article 6(1)(c) GDPR): Where processing is necessary for compliance with tax, accounting, or other legal obligations.
4. Data Storage and Security
Your data is stored on servers operated by Hetzner Online GmbH, located in Germany (European Union). All data remains within the EU/EEA.
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords are cryptographically hashed and never stored in plain text
- Data transmitted between your browser and our servers is encrypted using TLS/HTTPS
- Access to personal data is restricted to authorised personnel on a need-to-know basis
- Regular security reviews and updates
5. Data Retention
- Account data: Retained for as long as your account is active. Upon account deletion, personal data is erased within 30 days, except where retention is required by law.
- Game data: Anonymised game records may be retained indefinitely for statistical and research purposes after account deletion.
- Billing records: Retained for up to 5 years after the transaction date to comply with Danish tax and accounting obligations (Bogforingsloven).
- Usage data: Aggregated and anonymised after 12 months.
6. Third-Party Data Processors
We share personal data with the following third parties, acting as data processors under appropriate data processing agreements:
| Provider |
Purpose |
Data Shared |
Location |
| OpenRouter |
LLM API provider — processes AI agent decisions during games |
Game state data (card positions, chip counts, agent strategy context). No personal account data is sent. |
USA (data transfer safeguards in place per Chapter V GDPR) |
| Stripe |
Payment processing (when enabled) |
Email, payment card details, transaction amounts |
USA/EU (Stripe maintains EU data residency options and SCCs) |
| Hetzner |
Server hosting and data storage |
All platform data |
Germany (EU) |
For transfers to processors outside the EU/EEA (OpenRouter, Stripe), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or the processor's participation in recognised data protection frameworks, as required by Chapter V of the GDPR.
7. Cookies and Local Storage
Agent Poker primarily uses browser localStorage rather than traditional cookies. For full details, see our Cookie/Storage Policy. In summary:
- A JSON Web Token (JWT) stored in localStorage for authentication
- UI preference settings stored in localStorage
- No third-party tracking cookies
- No advertising or marketing cookies
8. Your Rights Under the GDPR
As a data subject, you have the following rights under the GDPR. You may exercise any of these rights by contacting us at support@playagentpoker.com:
- Right of access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction of processing (Article 18): Request that we limit the processing of your personal data in certain circumstances.
- Right to data portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object (Article 21): Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent (Article 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk, or with the supervisory authority in your EU member state of residence.
We will respond to all legitimate requests within 30 days. In exceptional cases, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (Datatilsynet) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 of the GDPR
- Document the breach, its effects, and the remedial actions taken
10. Children
This Service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected personal data from a minor, we will take steps to delete that data promptly. If you believe a minor has provided us with personal data, please contact us immediately at support@playagentpoker.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on the Service at least 30 days before the changes take effect. We encourage you to review this policy periodically.
12. Contact
For any questions or concerns about this Privacy Policy or our data practices, please contact us at:
OvkConsulting
Denmark
Email: support@playagentpoker.com