Privacy Policy

We collect the following categories of information:

2.1 Account and Identity Data

• Email address — collected at registration, used for authentication and service communications.
• Display name — provided by you or derived from your Google account if you sign in via Google OAuth.
• Profile picture URL — optionally provided via Google OAuth; stored as a reference URL only.
• Password hash — if you register with email/password, we store a bcrypt-hashed version of your password. We never store your plain-text password.
• Subscription tier — your current plan (Free, Basic, Pro, Scholar Max, or VIP Unlimited).

2.2 Usage and Activity Data

• Search queries — the words and phrases you search for, along with the language and category filters selected. Stored to power search history and usage analytics.
• AI Tutor conversations — messages you send to the AI Tutor and the responses generated, associated with your account for context and logged for abuse monitoring.
• Usage counters — monthly counts of searches performed, AI chat sessions initiated, and AI Sparks (tokens) consumed. These counters reset monthly and are used to enforce your plan's limits.
• Language and category preferences — your last-used search language and category filters, persisted to improve your experience across sessions.

2.3 Technical and Device Data

• IP address — logged on authentication events and API requests for security and rate-limiting purposes.
• Browser type and version — collected to ensure platform compatibility and diagnose technical issues.
• Device type and operating system — used for analytics and debugging.
• Referrer URL and page navigation patterns — used for understanding how users discover and move through the Service.

2.4 Payment and Billing Data

Payment processing is handled exclusively by Polar.sh. We do not collect, see, or store your full credit card number, CVV, or bank account details. PokiSpokey only stores:

• Polar Customer ID — a unique identifier assigned by Polar that links your PokiSpokey account to your Polar billing identity. This is permanent and persists even if you cancel and resubscribe.
• Subscription records — the history of your subscriptions including plan, status (active, canceled, revoked), billing period dates, and cancellation date if applicable.

We use the data we collect strictly for the following purposes. We do not sell your personal data to any third party.

• Service delivery: To authenticate you, personalize your experience, serve search results, deliver video playback, and operate the AI Tutor.
• Usage limit enforcement: To track your monthly search count and Sparks balance, enforce plan-based rate limits, and display your usage statistics in the dashboard.
• Billing and subscription management: To process payments via Polar, manage subscription lifecycle events (creation, renewal, cancellation, revocation), and update your account tier accordingly.
• Security and fraud prevention: To detect and prevent unauthorized access, abuse of the free tier, automated scraping, and other malicious activity.
• Service improvement: To understand aggregate usage patterns, identify features that are used heavily or rarely, and prioritize platform improvements. We use anonymized and aggregated data for this purpose.
• Communications: To send you transactional emails such as email verification codes (OTP), password reset links, and billing receipts. We do not send unsolicited marketing emails without your explicit opt-in.
• Legal compliance: To comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms of Service.

PokiSpokey uses a stateless JWT (JSON Web Token) authentication system. When you log in, we issue a short-lived access token (30 minutes) and a longer-lived refresh token (7 days). The refresh token is stored securely in Redis and rotated on each use (refresh token rotation). This means each refresh generates a new refresh token, and the old one is immediately invalidated.

Access tokens are stored in your browser's memory or secure cookie storage and are used to authenticate requests to our API. We do not use persistent tracking cookies for advertising purposes. The only cookies we set are strictly necessary for authentication and maintaining your logged-in session.

To operate PokiSpokey, we work with the following third-party providers. Each has access only to the data necessary to perform their specific function.

• Polar.sh (Payment Processing): Handles all payment card data, subscription billing, and invoicing. Polar is PCI-DSS compliant. When you subscribe, you interact directly with Polar's checkout interface. Polar's privacy policy governs the data they collect during payment.
• Groq (AI Inference): Powers the AI Tutor feature. When you send a message to the AI Tutor, the conversation context is transmitted to Groq's API to generate a response. Groq's data retention and privacy policies apply to this processing. We do not send personally identifiable information to Groq beyond what is contained in your message.
• YouTube / Google (Video Delivery): Video playback is delivered via the YouTube IFrame API. When you watch a video clip, YouTube may set its own cookies and collect data about your viewing activity in accordance with Google's Privacy Policy. We have no control over YouTube's data collection practices.
• Vercel (Frontend Hosting): Our Next.js frontend is hosted on Vercel. Vercel may collect standard server logs including IP addresses for infrastructure operation purposes.
• Our own VPS / Docker infrastructure (Backend): Our FastAPI backend, PostgreSQL database, Redis cache, and Manticore search engine run on a private VPS. All data is stored within this self-hosted environment. We do not use third-party cloud databases for your core account data.

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

• Account data is retained until you request account deletion.
• Usage counters (search count, Sparks balance) reset monthly but historical totals are retained for analytics.
• AI Tutor conversation logs may be retained for up to 90 days for abuse monitoring purposes, then deleted.
• Authentication refresh tokens expire after 7 days of inactivity and are purged from Redis automatically.
• Subscription history is retained for a minimum of 5 years for financial record-keeping compliance.

Depending on your location, you may have the following rights regarding your personal data under applicable law (including GDPR for EU residents and CCPA for California residents):

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your account and associated personal data from our systems.
• Right to Restriction: Request that we limit processing of your data in certain circumstances.
• Right to Data Portability: Request an export of your data in a structured, machine-readable format.
• Right to Object: Object to processing of your personal data for certain purposes.
• Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, please contact us at support@pokispokey.com. We will respond to verified requests within 30 days. Note that deleting your account will immediately terminate your access to the Service and any remaining paid subscription credits will not be refunded.