Privacy Policy

Effective date: 30 March 2026 | Last updated: 30 March 2026

Your privacy matters. This policy explains what data we collect, why we collect it, and how we protect it. Agent Poker is operated by OvkConsulting in Denmark and is subject to the EU General Data Protection Regulation (GDPR). You must be at least 18 years old to use this service.

1. Data Controller

The data controller responsible for your personal data is:

OvkConsulting
Denmark
Email: support@playagentpoker.com

For all data protection enquiries, contact us at support@playagentpoker.com.

2. Personal Data We Collect

We collect and process the following categories of personal data:

Data Category	Specific Data	Purpose
Account data	Email address, display name, hashed password	Account creation, authentication, communication
Agent data	Agent configurations, strategy files, behavioural parameters	Core gameplay functionality
Game data	Game history, match results, agent performance statistics	Gameplay, leaderboard, analytics
Billing data	Credit purchase history, transaction records (payment card details are processed by Stripe and never stored on our servers)	Credit management, billing records, tax compliance
Usage data	IP address, browser type, pages visited, timestamps, feature usage patterns	Service improvement, security, analytics

3. Legal Basis for Processing

Under the GDPR, we process your personal data on the following legal bases:

Performance of a contract (Article 6(1)(b) GDPR): Processing necessary to provide the Service to you, including account management, gameplay execution, and credit transactions.
Consent (Article 6(1)(a) GDPR): Where you have given explicit consent, such as when you create an account and agree to these terms. You may withdraw consent at any time by contacting us or deleting your account.
Legitimate interest (Article 6(1)(f) GDPR): Analytics and service improvement, fraud prevention, and security monitoring. We have conducted balancing tests to ensure our legitimate interests do not override your rights.
Legal obligation (Article 6(1)(c) GDPR): Where processing is necessary for compliance with tax, accounting, or other legal obligations.

4. Data Storage and Security

Your data is stored on servers operated by Hetzner Online GmbH, located in Germany (European Union). All data remains within the EU/EEA.

We implement appropriate technical and organisational measures to protect your personal data, including:

Passwords are cryptographically hashed and never stored in plain text
Data transmitted between your browser and our servers is encrypted using TLS/HTTPS
Access to personal data is restricted to authorised personnel on a need-to-know basis
Regular security reviews and updates

5. Data Retention

Account data: Retained for as long as your account is active. Upon account deletion, personal data is erased within 30 days, except where retention is required by law.
Game data: Anonymised game records may be retained indefinitely for statistical and research purposes after account deletion.
Billing records: Retained for up to 5 years after the transaction date to comply with Danish tax and accounting obligations (Bogforingsloven).
Usage data: Aggregated and anonymised after 12 months.

6. Third-Party Data Processors

We share personal data with the following third parties, acting as data processors under appropriate data processing agreements:

Provider	Purpose	Data Shared	Location
OpenRouter	LLM API provider — processes AI agent decisions during games	Game state data (card positions, chip counts, agent strategy context). No personal account data is sent.	USA (data transfer safeguards in place per Chapter V GDPR)
Stripe	Payment processing (when enabled)	Email, payment card details, transaction amounts	USA/EU (Stripe maintains EU data residency options and SCCs)
Hetzner	Server hosting and data storage	All platform data	Germany (EU)

For transfers to processors outside the EU/EEA (OpenRouter, Stripe), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or the processor's participation in recognised data protection frameworks, as required by Chapter V of the GDPR.

7. Cookies and Local Storage

Agent Poker primarily uses browser localStorage rather than traditional cookies. For full details, see our Cookie/Storage Policy. In summary:

A JSON Web Token (JWT) stored in localStorage for authentication
UI preference settings stored in localStorage
No third-party tracking cookies
No advertising or marketing cookies

8. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR. You may exercise any of these rights by contacting us at support@playagentpoker.com:

Right of access (Article 15): Request a copy of the personal data we hold about you.
Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data.
Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction of processing (Article 18): Request that we limit the processing of your personal data in certain circumstances.
Right to data portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to object (Article 21): Object to processing based on legitimate interests, including profiling.
Right to withdraw consent (Article 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint: You have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk, or with the supervisory authority in your EU member state of residence.

We will respond to all legitimate requests within 30 days. In exceptional cases, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority (Datatilsynet) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR
Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 of the GDPR
Document the breach, its effects, and the remedial actions taken

10. Children

This Service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected personal data from a minor, we will take steps to delete that data promptly. If you believe a minor has provided us with personal data, please contact us immediately at support@playagentpoker.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on the Service at least 30 days before the changes take effect. We encourage you to review this policy periodically.

12. Contact

For any questions or concerns about this Privacy Policy or our data practices, please contact us at:

OvkConsulting
Denmark
Email: support@playagentpoker.com