Privacy Statement

Last updated: March 2026


1. Introduction

Poker Tournament Manager ("PTM", "we", "us", or "our") operates the poker.reneo.io platform and associated services. This Privacy Statement explains how we collect, use, store, and protect your personal information when you use our service.

By using PTM, you agree to the collection and use of information as described in this statement. If you do not agree, please do not use the service.

2. Information We Collect

2.1 Account Information (Optional)

You may choose to create an account. If you do, we may collect:

  • Email address — used for account registration, login, verification, and service communications.
  • Display name — a name you choose to identify yourself within the service.
  • Password — stored in hashed form; we never store or have access to your plaintext password.
  • Profile picture — an optional image you may upload to personalise your account.

2.2 Phone Number (Optional)

You may optionally provide a mobile phone number. If provided, it may be used for:

  • Account recovery and password resets.
  • Tournament notifications, if you opt in.

Providing a phone number is entirely voluntary. The service is fully functional without one.

2.3 Player Card Association

PTM supports linking physical cards (RFID/NFC) to your account for streamlined tournament check-in. When you link a card:

  • Card identifier — a unique ID read from the physical card is stored and associated with your account.
  • Card type and metadata — the technology type of the card (e.g., RFID, NFC, MIFARE), Answer-To-Reset data, card standard, and other reader-reported metadata.
  • Enrollment metadata — which staff member enrolled the card, the date of enrollment, and any enrollment notes.
  • Usage data — when and how often the card is used for check-in, rebuys, or other tournament actions.

Card linking is optional. You can participate in tournaments without linking a card. You may request removal of a card association at any time.

2.4 Tournament and Venue Data

When you register for or participate in tournaments, we collect:

  • Tournament registration details (venue, date, status).
  • Buy-in and fee payment status (we do not process or store credit card or bank details).
  • Tournament results, standings, chip counts, table assignments, and elimination data.
  • Rebuy, add-on, and re-entry activity during the tournament.

2.5 Feature Voting and Feedback

When you vote on feature requests or submit feedback, we may collect:

  • Email address — required for vote verification and optional for feedback.
  • Marketing consent — whether you have opted in to receive product updates and news (opt-in only).
  • Feedback content — the subject, description, and any supplementary details you provide.
  • Your name and organisation — optional, only if you choose to provide them in feedback forms.
  • IP address and browser information — collected alongside votes and feedback for verification and fraud prevention.

2.6 Automatically Collected Information

When you use our service, we may automatically collect:

  • IP address — for security, fraud prevention, and audit logging.
  • Browser/device information — user agent strings for session management and bug reporting context.
  • Analytics data — page views and interactions, collected only with your consent via Google Analytics.

2.7 Cookies and Similar Technologies

We use cookies and similar technologies for the following purposes:

  • Session cookies — essential for authentication and maintaining your session while you use the service.
  • Voter verification cookies — used to remember your verified status on the feature voting page, avoiding repeated email verification (valid for 30 days).
  • Analytics cookies — set only with your explicit consent for Google Analytics tracking.
  • CAPTCHA cookies — set by Cloudflare Turnstile to distinguish genuine users from automated bots on certain forms.

You can control cookies through your browser settings. Disabling essential session cookies may impair your ability to use the service.

2.8 Guest Users

You may use parts of the service as a guest without providing personal information. Guest sessions are identified by a secure random token and do not require an email address, phone number, or any personally identifiable information.

2.9 IoT Device Data

PTM supports IoT hardware (tournament display devices and card readers) at participating venues. When these devices connect to the service, we may collect:

  • Device identifiers — MAC addresses, device names, and firmware versions.
  • Connection data — IP addresses and connection timestamps.
  • Telemetry data — battery status and device health information.

This data is collected to operate the tournament management service and is associated with venue organisations, not with individual player accounts.

2.10 Email Signup / Mailing List

When you sign up for early access or beta testing via our email signup form, we collect:

  • Name — to personalise communications.
  • Email address — to contact you about early access, beta hardware, and product updates.
  • Game type — to understand your poker context (e.g., home game, pub league, card room).
  • Feature interest — optional free-text description of what interests you most.

This information is collected with your explicit consent at the point of submission. An administrator is notified by email of each new signup. You may request removal of your mailing list entry at any time by contacting us using the details in Section 15.

3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the tournament management service.
  • Verify your identity and secure your account.
  • Enable card-based tournament check-in when you choose to link a card.
  • Send service-related communications (e.g., verification codes, tournament updates).
  • Process and verify feature votes and feedback submissions.
  • Send marketing communications where you have given explicit consent.
  • Deliver real-time tournament updates via WebSocket connections.
  • Improve the service through analytics (with your consent).
  • Protect the service against spam and abuse (via CAPTCHA verification).
  • Maintain security and prevent fraud.
  • Comply with legal obligations.

4. Information Sharing

We do not sell your personal information. We may share information only in these circumstances:

  • Venue operators — tournament venues you register with can see your display name, registration status, and card check-in data for their events.
  • Service providers — we use third-party services for email delivery (Resend, Mailgun), hosting, bot protection (Cloudflare Turnstile), and analytics (Google Analytics). These providers process data on our behalf under contractual obligations.
  • Notification channels — where configured by venue operators, tournament event notifications may be sent via email, Slack, Discord, SMS, or webhook integrations. These notifications contain operational data, not your personal information, unless you are a venue administrator who configured these channels.
  • Legal requirements — we may disclose information if required by law, regulation, or legal process.

5. Card Data and Physical Identification

Your linked card identifier is treated as sensitive data. Specifically:

  • Card IDs are associated with your account globally — a linked card works across all venues.
  • Only the card's unique identifier and technical metadata (card type, standard, ATR) are stored; we do not read or store any other data from the card.
  • Venue staff who enroll your card can see that a card is linked to your display name.
  • You can have multiple cards linked to your account.
  • You can request unlinking of any card at any time by contacting venue staff or our support.
  • Unrecognised card reads at venues are temporarily logged for enrollment purposes and are cleared once resolved or expired.

6. Analytics and Consent

We use Google Analytics to understand how the service is used. Analytics tracking is opt-in only. You can grant or withdraw analytics consent at any time through your account settings. We record the date you gave or withdrew consent.

7. Data Retention

  • Account data is retained for as long as your account is active.
  • Tournament records are retained for historical and statistical purposes.
  • Audit logs (profile changes, login events) are retained for security purposes.
  • Verification codes expire after 15 minutes and are cleared from our system.
  • Feature votes and verified voter records are retained while the feature voting system is active.
  • Feedback submissions are retained for service improvement and support purposes.
  • Unrecognised card reads are temporary and are resolved or cleared within a short period.
  • Mailing list entries (email signup) are retained until you request removal or the mailing list is retired.

If you delete your account, we will remove your personal information within a reasonable timeframe, except where retention is required by law or for legitimate business purposes (e.g., completed tournament records).

8. Data Security

We take reasonable measures to protect your information, including:

  • Passwords are hashed and never stored in plaintext.
  • Sessions are secured with token-based authentication (JWT).
  • Email verification uses time-limited, single-use codes with attempt limits.
  • Profile changes are tracked in an audit log for security monitoring.
  • CAPTCHA protection (Cloudflare Turnstile) is used on public-facing forms to prevent automated abuse.
  • Real-time WebSocket connections are authenticated and scoped to authorised tournaments.
  • IoT device connections are authenticated via unique API tokens.

9. GDPR Compliance

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent local laws apply to our processing of your personal data. This section outlines our commitments under those regulations.

9.1 Legal Bases for Processing

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR) — processing necessary to provide you with the tournament management service, including account management, tournament registration, and card-based check-in.
  • Consent (Art. 6(1)(a) GDPR) — for analytics tracking (Google Analytics), marketing communications, and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legitimate interests (Art. 6(1)(f) GDPR) — for service security, fraud prevention, audit logging, service improvement, and CAPTCHA verification. We have assessed that these interests do not override your fundamental rights and freedoms.
  • Legal obligation (Art. 6(1)(c) GDPR) — where we are required to retain data by law or respond to legal processes.

9.2 Your Rights Under GDPR

You have the following rights with respect to your personal data:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Right to restriction of processing (Art. 18) — request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent (Art. 7(3)) — withdraw consent for analytics, marketing, or other consent-based processing at any time.

To exercise any of these rights, contact us using the details in Section 15. We will respond to your request within 30 days. If we need additional time, we will inform you within the initial 30-day period.

9.3 Data Transfers

Our servers and some of our third-party service providers may be located outside the EEA. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or reliance on an adequacy decision.

9.4 Data Protection Officer

For GDPR-related enquiries, you may contact us at the address listed in Section 15. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (data protection authority).

9.5 Data Processing Records

We maintain records of our processing activities in accordance with Art. 30 GDPR. Our marketing consent records include the date, time, and IP address at which consent was given, ensuring a clear audit trail.

10. Your Rights (General)

Regardless of your jurisdiction, you may:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and personal data.
  • Withdraw consent for analytics or marketing at any time.
  • Unlink cards from your account.
  • Export your data in a portable format.
  • Unsubscribe from marketing communications at any time.

To exercise any of these rights, contact us at the address listed below.

11. Marketing Communications

We will only send marketing communications if you have explicitly opted in. You can unsubscribe at any time. Service-related messages (such as verification codes and critical account notifications) are not considered marketing and may still be sent while your account is active.

Marketing consent given through the feature voting system is tracked separately. You may opt out at any time, and we record unsubscribe requests with a timestamp for compliance purposes.

If you sign up via our email signup / early access form, you consent to receiving communications about the beta programme, early access opportunities, and product updates. You may request removal from the mailing list at any time.

12. Children's Privacy

PTM is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal data, please contact us so we can take appropriate action.

13. Third-Party Services

We use the following categories of third-party services:

  • Email delivery — Resend and/or Mailgun for transactional and verification emails.
  • Bot protection — Cloudflare Turnstile for CAPTCHA verification on public forms.
  • Analytics — Google Analytics (opt-in only) for understanding service usage.
  • Content management — Wagtail CMS for managing informational pages, documentation, and blog content.
  • Hosting and infrastructure — cloud hosting providers for application deployment and data storage.

Each of these services has its own privacy policy. We encourage you to review them if you have concerns about their data practices.

14. Changes to This Statement

We may update this Privacy Statement from time to time. Changes will be posted on this page with an updated revision date. Continued use of the service after changes constitutes acceptance of the revised statement.

15. Contact Us

If you have questions about this Privacy Statement, wish to exercise your data rights, or have a GDPR-related enquiry, please contact us at: