Last updated: 31.03.2026
Welcome to PocoBit. We are committed to protecting and respecting your privacy. This Privacy Policy describes how PocoBit’s app and services collect, use, store, and protect your personal data when you use the PocoBit platform (“Platform”).
1. Introduction
PocoBit (“we,” “us,” “our”) provides a platform for creating, managing and sharing training games, tests, surveys, and other interactive learning content (the “Experiences”). This Privacy Policy applies to all users (“you,” “your”) of our Platform. By using our Platform you accept and agree to this Privacy Policy and our Terms and Conditions.
2. Data We Collect
We collect the following types of data when you use our Platform:
- Personal Information: Name, email address, company name, and company registration number.
- Technical Data: IP address, browser type, usage logs.
- User-Generated Content and Related Metadata: Content, prompts, submissions, responses, uploads, and related metadata that you choose to provide or generate through the Platform, to the extent processed or retained by PocoBit.
- OAuth Profile Data: From Google or Microsoft logins (e.g., name, email address).
- Analytics Data: Pseudonymized usage data for improving the service.
- Security, Audit, and Activity Log Data: We may collect and store security, authentication, audit, and usage logs relating to activity in the Platform, such as account identifier, actor type, company/workspace identifier, role/access level at the time of the event, session identifiers, request or trace identifiers, IP address, approximate location derived from IP, device, operating system, browser, authentication method, MFA status, timestamps, actions performed, resources accessed, inputs submitted to features, event outcomes, error messages, access attempts, administrative actions, API/integration activity, shareable link access, exports/downloads, and other security-relevant events.
Note: We do not generally store files or materials uploaded as input for generating Experiences beyond what is necessary to provide the Platform. However, we may retain certain prompts, submissions, outputs, excerpts, and related metadata where needed for platform operation, security, abuse prevention, troubleshooting, observability, auditability, or legal compliance.
3. How We Use Your Data
We use your data for the following purposes:
- Platform Operation: To facilitate the creation, management, sharing, and delivery of training games, tests, surveys, and other interactive learning content.
- Account Management: To manage your account and provide customer support.
- Improvement of Services: To analyze usage patterns and enhance Platform functionality.
- Communication: To send service-related updates and notifications.
- Legal Compliance: To comply with legal obligations.
- Security and Abuse Prevention: To monitor, detect, investigate, and prevent unauthorized access, misuse, fraud, security incidents, and violations of our terms, and to maintain audit trails.
3.1 Legal Basis for Processing
| Purpose | Description | Legal Basis |
|---|---|---|
| Platform Operation | Enabling users to create, manage, share, and deliver training games, tests, surveys, and other interactive learning content | Performance of a contract (Art. 6(1)(b)) |
| Account Management & Support | Managing user accounts and delivering support | Performance of a contract (Art. 6(1)(b)) |
| Communication | Service notifications, security alerts | Legitimate interest (Art. 6(1)(f)) |
| Analytics & Improvements | Improving the Platform and user experience | Legitimate interest (Art. 6(1)(f)) |
| Compliance | Fulfilling legal obligations | Legal obligation (Art. 6(1)(c)) |
| Security, Audit Logging, and Abuse Prevention | Protecting accounts, enforcing access controls, investigating incidents, and maintaining audit trails | Legitimate interest (Art. 6(1)(f)); where applicable, legal obligation (Art. 6(1)(c)) |
3.2 Use of Google and Microsoft User Data
Our application may integrate with Google and Microsoft services. We collect and use OAuth data as follows:
- Access: We may access profile information (e.g., name, email) for login and account linking.
- Storage: OAuth profile data is stored securely and in compliance with provider policies.
- Use: Used only for login, personalization, or relevant Platform functionality.
- Sharing: Never shared with third parties without your consent unless required by law.
- Compliance: We adhere to the Google API Services User Data Policy and Microsoft’s applicable policies.
4. Data Sharing and Disclosure
We do not sell or rent your data. We only share your data under the following circumstances:
a. Service Providers
We work with trusted third-party providers who help deliver our services:
- Hosting: Supabase, Vercel.
- AI Services: Used to generate, process, evaluate, or support training games, tests, surveys, and other interactive learning content.
- Google Services (if integrated): Used for authentication, user identification, or analytics. Any Google user data accessed or processed via OAuth (e.g., name, email) is used only to provide functionality within the PocoBit Platform and is not shared with any third parties. We do not access or use additional Google account data unless specifically required for a feature the user enables, and we always follow the Google API Services User Data Policy.
- Microsoft Services (if integrated): Used for authentication and user identification. Any Microsoft user data accessed or processed (e.g., name, email) is used solely to enable login and Platform functionality. We do not share Microsoft account data with any third parties, and all processing complies with Microsoft’s data usage policies.
- Analytics, Monitoring, and Observability: Used for usage analytics, service monitoring, logging, tracing, troubleshooting, abuse prevention, and service improvement.
b. Legal Compliance
Data may be disclosed when required to:
- Comply with legal obligations or law enforcement
- Protect rights, property, or safety
c. With Your Consent
We will only share your data with third parties for optional features or integrations if you explicitly agree.
d. Aggregated or Anonymized Data
Used for insights, trends, and service improvement without identifying individual users.
5. Roles and Responsibilities
- PocoBit as Processor: When clients upload third-party data (e.g., employees), PocoBit acts as the data processor.
- Client as Controller: Clients are data controllers and must ensure they collect and process data lawfully and transparently.
Controller obligations include:
- Ensuring appropriate legal bases for processing;
- Providing privacy notices to their end-users;
- Handling data subject rights requests that relate to their own collected data.
6. GDPR Compliance
PocoBit adheres to the General Data Protection Regulation (GDPR) and ensures that personal data is:
- Processed lawfully, fairly, and transparently
- Collected for legitimate purposes
- Minimized to what is necessary for those purposes
- Kept accurate and maintained with integrity
- Stored and handled securely
Your rights under GDPR:
- Access your data
- Correct inaccuracies
- Request deletion
- Restrict processing
- Data portability
- Withdraw consent
To exercise these rights, email support@pocobit.io or use our DSAR form.
7. Sub-processors
We use third-party providers (sub-processors) to assist in delivering the Platform. Each is bound by GDPR-compliant data processing agreements.
| Sub-Processor | Function | Location |
|---|---|---|
| Supabase | Database & Authentication | EU (Germany) |
| Vercel | Web Hosting | Local to the user |
| Amazon Web Services (AWS) | Compute/networking for private AI instance | EU (Sweden — Stockholm, eu-north-1) |
| Anthropic (Claude, private instance) | AI model inference | EU (Sweden — Stockholm) |
| Langfuse | LLM observability, tracing, prompt/log analytics, and monitoring | EU (Ireland, AWS eu-west-1) |
| Stripe | Internet payments processing | EU/US (regional, per user) |
| Google/Microsoft (OAuth) | Authentication Services | Regional, per user |
8. Data Transfers Outside the EU
Most processing now occurs within the EU (Germany & Sweden). Transfers outside the EU/EEA may still occur for global edge delivery (e.g., Vercel CDN) and certain payment/auth providers depending on your location; for these we rely on SCCs, adequacy decisions, or other approved safeguards.
If data is transferred outside the EU/EEA, we ensure:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Other legally approved safeguards
9. Automated Decision-Making & AI Use
PocoBit uses AI to assist with generating, processing, evaluating, and supporting training games, tests, surveys, and other interactive learning content based on user input. This AI use:
- Is not used to make legally significant decisions about you; and
- Is user-controlled and, where applicable, editable or reviewable.
10. Data Retention
We retain personal data only as long as necessary for its intended purpose or legal requirements.
| Data Type | Retention Period |
|---|---|
| Account/Profile Data | While active, then up to 12 months |
| Experiences Content | While active, then up to 12 months |
| Security, Authentication, Audit, and Technical Logs | Up to 12 months |
| OAuth Login Metadata | Until deleted by the user or upon account closure |
Note: We do not store plaintext passwords. Authentication is handled using industry-standard security practices and, where applicable, third-party authentication providers. We may store authentication-related metadata, such as login method, login attempts, MFA status, password reset events, session expiry, logout events, and other security-relevant authentication records.
11. Data Subject Rights & DSAR Process
You may exercise your rights by:
- Emailing support@pocobit.io
- Using our Data Subject Access Request (DSAR) form
We respond within 30 days in accordance with GDPR.
12. Data Processing Agreements
If you are an organization using PocoBit for your users, a Data Processing Agreement (DPA) is available. Contact support@pocobit.io to request or sign a DPA.
13. Security Measures
We implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS) and at rest (where applicable)
- Access controls and authentication mechanisms
- Logging, monitoring, tracing, and audit trails for security, incident response, and abuse prevention
- Session and access controls designed to detect unauthorized access attempts and misuse
- Regular backups and data integrity checks
- Secure development practices and vulnerability assessments
- Restricted access to personal data to authorized personnel only
These measures are reviewed regularly and updated as needed to maintain data protection.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email to the address on file.
Changes affecting OAuth data (Google or Microsoft) will be explicitly highlighted.
15. Contact Information
- Data Protection and Privacy Contact:
  Paul Sokk
  Email: paul.sokk@pocobit.io
- General Contact:
  Email: support@pocobit.io
  Website: https://pocobit.io
