Privacy Policy
Last updated: March 28, 2026
1. Introduction
ScrumPlay (“the Service”) is a free Planning Poker tool operated by DAYLAB (데이랩), a company registered in the Republic of Korea. This Privacy Policy explains how we collect, use, store, and protect information when you use our Service at scrumplay.daylab.dev.
We are committed to protecting your privacy and complying with the Korean Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Brazilian General Data Protection Law (LGPD), and Japan’s Act on the Protection of Personal Information (APPI).
2. Data Controller
Company: DAYLAB (데이랩)
Representative: Dasong Sim (심다송)
Business Registration No.: 401-23-55110
Address: 10, 11, 91 Baumoe-ro, Seocho-gu, Seoul, Republic of Korea
Email: contact@daylab.dev
3. Information We Collect
ScrumPlay is designed to minimize data collection. We do not require account registration, login, or any form of identity verification.
3.1 Information You Provide Directly
- Nickname: A temporary display name you choose when joining a session. This is not linked to any real identity.
- Vote data: Story point estimates you submit during planning sessions.
- Chat messages: Messages sent within a planning session.
3.2 Information Collected Automatically
- IP address: Collected by analytics and error tracking services. Google Analytics anonymizes IP addresses.
- Browser and OS information: Browser type, version, operating system, device type, and screen resolution.
- Cookie identifiers: Unique identifiers assigned by analytics and advertising cookies (see Section 9).
- Advertising identifiers: Used by Google AdSense to serve relevant advertisements.
- Usage data: Page views, session duration, referral source, general geographic region, and interaction patterns (clicks, scrolls).
- Error data: Stack traces, request URLs, and browser/OS context when errors occur in the application.
4. Purposes of Processing
We process information for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide real-time planning poker sessions | Nickname, votes, chat messages | Legitimate interest (service delivery) |
| Analyze and improve the Service | Usage data, browser/OS info, IP address | Consent |
| Display advertisements to sustain the free Service | Cookie IDs, advertising IDs, usage data | Consent |
| Monitor and fix errors | Error data, IP address, browser/OS info | Legitimate interest (service stability) |
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Session data (nickname, votes, chat) | 24 hours (automatically deleted via Redis TTL) |
| Google Analytics data | 14 months |
| Microsoft Clarity data | 30 days (session recordings), 13 months (aggregated metrics) |
| Sentry error tracking data | 90 days |
| Google AdSense data | Per Google’s data retention policies |
6. Disclosure to Third Parties
We do not sell, rent, or share your personal information with third parties for their own marketing purposes. We do not provide personal information to any third party beyond what is described in the processing entrustment (Section 7) and international transfers (Section 8) below.
7. Processing Entrustment
We entrust certain data processing activities to the following service providers (per PIPA Article 26):
| Entrusted Party | Entrusted Tasks | Data Processed |
|---|---|---|
| Google LLC | Web analytics (Google Analytics GA4) | Usage data, IP address (anonymized), cookie IDs, browser/OS info |
| Google LLC | Advertising (Google AdSense) | Cookie IDs, advertising IDs, usage data |
| Microsoft Corporation | Session replay and heatmap analytics (Microsoft Clarity) | Usage data, interaction patterns, cookie IDs, browser/OS info |
| Functional Software, Inc. (Sentry) | Error monitoring and tracking | Error data, IP address, browser/OS info, request URLs |
8. International Data Transfers
Your information may be transferred to and processed in countries outside of your country of residence, including the United States. These transfers are made for the purposes described in Section 4.
| Recipient | Country | Purpose | Data Transferred |
|---|---|---|---|
| Google LLC | United States | Analytics, Advertising | Usage data, IP address, cookie IDs, advertising IDs |
| Microsoft Corporation | United States | Session replay, Heatmaps | Usage data, interaction patterns, cookie IDs |
| Functional Software, Inc. (Sentry) | United States | Error monitoring | Error data, IP address, browser/OS info |
For transfers from the EEA, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission or adequacy decisions where applicable. Each provider maintains appropriate data protection measures in compliance with applicable regulations.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate and improve the Service. Cookies are small text files stored on your device by your browser.
9.1 Essential Cookies
- NEXT_LOCALE: Stores your language preference. This is a first-party cookie necessary for the Service to function in your preferred language.
9.2 Analytics Cookies
- Google Analytics (_ga, _ga_*): Used to distinguish users and track usage patterns. Set by Google LLC. Expires after up to 2 years.
- Microsoft Clarity (_clck, _clsk, CLID, MUID, SM): Used to track user interactions for session replays and heatmaps. Set by Microsoft Corporation.
9.3 Advertising Cookies
- Google AdSense (__gads, __gpi, IDE, DSID, NID, etc.): Used to serve personalized advertisements and measure ad performance. Set by Google LLC.
9.4 How to Manage or Refuse Cookies
You can manage your cookie preferences through the cookie consent banner displayed when you first visit the Service. You can also control cookies through your browser settings:
- Chrome:Settings → Privacy and security → Cookies and other site data
- Firefox:Settings → Privacy & Security → Cookies and Site Data
- Safari:Preferences → Privacy → Manage Website Data
- Edge:Settings → Privacy, search, and services → Cookies
You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. You can opt out of personalized ads from Google at Google Ads Settings. Microsoft Clarity respects Do Not Track (DNT) browser signals.
Please note that disabling cookies may affect your ability to use certain features of the Service.
10. Data Destruction Procedures and Methods
When personal information reaches the end of its retention period or is no longer needed for its purpose, it is destroyed without delay using the following methods:
- Session data (Redis): Automatically deleted via Redis Time-To-Live (TTL) mechanism after 24 hours. No manual intervention is required.
- Electronic records: Deleted using technical methods that render the data irrecoverable (electronic file deletion).
- Third-party data:Destroyed in accordance with each provider’s retention and deletion policies (see Section 5).
11. Your Rights and How to Exercise Them
You have the following rights regarding your personal information. Since ScrumPlay does not require accounts or login, most session data is automatically deleted within 24 hours and cannot be linked to your identity.
11.1 Under Korean PIPA
- Right to access your personal information
- Right to request correction of inaccurate information
- Right to request deletion of your information
- Right to request suspension of processing of your information
11.2 Under GDPR (EEA Residents)
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / “right to be forgotten” (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing (Art. 21)
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- Right to lodge a complaint with a supervisory authority in your country of residence
11.3 Under CCPA (California Residents)
- Right to know what personal information is collected
- Right to request deletion of personal information
- Right to opt out of the sale of personal information
- Right to non-discrimination for exercising your rights
We do not sell personal information as defined by the CCPA.
11.4 Under LGPD (Brazil) and APPI (Japan)
If you are a resident of Brazil, you have rights under the LGPD including access, correction, anonymization, portability, and deletion of personal data. If you are a resident of Japan, you have rights under the APPI including disclosure, correction, and cessation of use of personal information.
11.5 How to Exercise Your Rights
To exercise any of the above rights, please contact us at contact@daylab.dev. We will respond to your request within 10 days (PIPA) or 30 days (GDPR/CCPA). You may also submit a request through a legal representative or an authorized agent.
If you believe your rights have been violated, you may file a complaint with:
- Korea:Personal Information Protection Commission (PIPC) — pipc.go.kr
- EEA: Your local Data Protection Authority (DPA)
12. Measures to Ensure the Safety of Personal Information
We implement the following technical and organizational measures to protect your personal information:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
- Data minimization: We collect only the minimum information necessary for each purpose. No account registration is required.
- Automatic deletion: Session data is automatically deleted after 24 hours via Redis TTL.
- Access controls: Access to server infrastructure and data is restricted to authorized personnel only.
- Third-party security: All third-party service providers maintain their own security certifications and data protection measures.
13. Chief Privacy Officer (CPO)
Per PIPA Article 31, we designate the following person as our Chief Privacy Officer, responsible for overseeing all matters related to personal information protection:
For any privacy-related inquiries, complaints, or requests to exercise your rights, please contact the CPO at the email address above.
14. Children’s Privacy
ScrumPlay is not directed at children under the age of 16 (or 13 in jurisdictions where applicable). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at contact@daylab.dev and we will promptly delete it.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. Changes will be posted on this page with an updated “Last updated” date. If we make material changes, we will notify users through the Service before the changes take effect.
This policy is effective as of March 28, 2026.
16. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us: