Privacy Policy
Last updated: April 2026
Preamble
Pauthom (hereinafter "Pauthom", "we", "our", "us") is committed to protecting the personal data of its users and all individuals whose data is processed in connection with the GrindLab service.
This Privacy Policy explains how Pauthom collects, uses, stores and protects personal data, in compliance with Regulation (EU) 2016/679 of 27 April 2016 (hereinafter the "GDPR") and French Law No. 78-17 of 6 January 1978, as amended.
This Privacy Policy forms an integral part of the Terms of Use of the GrindLab service.
Article 1 — Data Controller
The data controller is:
Pauthom
Simplified Joint-Stock Company (SAS) with a share capital of €600.00
Registered office: 26 Rue Lalande, 69006 Lyon, France
RCS Lyon: 103 033 486
SIRET: 103 033 486 00012
Contact: grindlab.gg@gmail.com
Pauthom has not appointed a Data Protection Officer (DPO) at this time, as such appointment is not mandatory under Article 37 of the GDPR given the nature and scale of the processing activities carried out.
Article 2 — Data Collected
2.1 — Data collected directly
Identification and account data:
- Third-party account identifier used for authentication (Google or Discord)
- Email address
- Display name
- Avatar / profile picture
Content data (User Content):
- Poker hand histories imported by the User
- Custom ranges created in the range editor
- Notes, tags and favorites associated with analysis sessions
- Equity simulation and Risk Premium calculation results
- Session configuration parameters
2.2 — Data collected automatically
Technical and browsing data:
- IP address
- Browser type and version, operating system
- Screen resolution and device type
- Pages visited, visit duration, browsing path
- Date and time of connection
2.3 — Third-Party Player data
Hand histories imported by Users contain information about other players at the table (pseudonym, game actions, position, stack amount).
Third-Party Player pseudonyms may constitute indirect personal data within the meaning of Article 4(1) of the GDPR. The processing of such data is governed by Article 5 of this Policy.
Article 3 — Purposes and Legal Bases
| Purpose | Legal basis | Data |
|---|---|---|
| Account creation and management | Performance of contract (Art. 6.1.b) | Identification data, email |
| Provision of the Service | Performance of contract (Art. 6.1.b) | User Content, technical data |
| Saving session history | Performance of contract (Art. 6.1.b) | User Content |
| Displaying Third-Party Player data | Legitimate interest (Art. 6.1.f) | Third-Party Player pseudonyms and actions |
| Aggregated anonymized statistics (MDA) | Legitimate interest (Art. 6.1.f) | Anonymized game data |
| Service improvement | Legitimate interest (Art. 6.1.f) | Usage and browsing data |
| Communication (support, notifications) | Performance of contract (Art. 6.1.b) | Email, identifier |
| Payment management | Contract (Art. 6.1.b) and legal obligation (Art. 6.1.c) | Billing data |
| Audience measurement | Consent (Art. 6.1.a) | Analytics cookies |
| Marketing communications | Consent (Art. 6.1.a) |
Article 4 — Data Retention Periods
| Data category | Retention period |
|---|---|
| Account data | Duration of registration + 12 months after deletion |
| User Content | Duration of registration, deleted within 30 days after termination |
| Third-Party Player data | Duration of the importing User's registration, deleted within 30 days after termination |
| Anonymized data (MDA) | No time limitation |
| Billing data | 10 years (accounting obligation) |
| Browsing data and logs | 12 months |
| Cookies | See Article 8 |
Article 5 — Processing of Hand Histories and Third-Party Player Data
5.1 — Nature of the data
A poker hand history contains data relating to the importing User as well as other players at the table (pseudonyms, game actions, positions, amounts wagered).
5.2 — Use within the User's personal space
Third-Party Player data is displayed within the importing User's personal space. It is never shared with other Users or made public.
Legal basis: legitimate interest (Article 6.1.f GDPR).
5.3 — Anonymization for aggregated analysis (MDA)
Pauthom may use game data to produce aggregated and anonymized statistical analyses. The anonymization process includes:
- Removal of pseudonyms — permanently and irreversibly
- Removal of session identifiers — hand numbers, table and tournament IDs
- Aggregation — over sufficient volume to prevent individualization
- Retention of abstract game data only — actions, sizing, position, board texture
5.4 — What Pauthom does NOT do
- Never builds individual player profiles (HUD-type)
- Never sells or communicates identifiable or pseudonymized player data
- Never centralizes Third-Party Player profiles across Users
- Never enables search or lookup by Third-Party Player pseudonym
5.5 — Rights of Third-Party Players
Third-Party Players have the same rights as described in Article 7. They may request erasure of their pseudonym or object to MDA processing by contacting grindlab.gg@gmail.com.
Article 6 — Data Recipients
6.1 — Internal access
Personal data is accessible to authorized persons within Pauthom, strictly limited to what is necessary.
6.2 — Sub-processors
| Sub-processor | Role | Location | Safeguards |
|---|---|---|---|
| Vercel Inc. | Hosting | United States | SCCs + DPF |
| Google LLC (OAuth) | Authentication | United States | SCCs + DPF |
| Discord Inc. (OAuth) | Authentication | United States | SCCs |
| Stripe, Inc. | Payments | US (processed in EU) | SCCs + DPF, PCI-DSS |
| Google LLC (GA4) | Audience measurement | United States | SCCs + DPF, Consent Mode v2 |
| Mixpanel, Inc. | Product analytics | US (processed in EU) | SCCs + DPF, EU residency |
6.3 — Other recipients
Apart from the sub-processors above, personal data is not communicated to any third party, except where required by law or in the event of a restructuring of Pauthom.
Article 7 — Rights of Data Subjects
In accordance with Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access (Article 15) — Obtain a copy of your data
- Right to rectification (Article 16) — Correct inaccurate data
- Right to erasure (Article 17) — Request deletion of your data
- Right to restriction (Article 18) — Obtain restriction of processing
- Right to data portability (Article 20) — Receive your data in a structured format
- Right to object (Article 21) — Object to processing based on legitimate interest
- Post-mortem directives — Define directives regarding your data after death
How to exercise your rights: email grindlab.gg@gmail.com. Response within one (1) month maximum.
Complaint: you may lodge a complaint with the CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.
Article 8 — Cookies and Trackers
8.1 — Strictly necessary cookies (exempt from consent)
- Session and authentication cookies
- Technical preference cookies (language, theme)
- Security cookies (CSRF)
8.2 — Cookies subject to consent
- Google Analytics 4 (GA4) — Audience measurement. Consent Mode v2 enabled. Duration: 13 months maximum.
- Mixpanel — Product analytics. Duration: 12 months maximum.
Pauthom does not use any advertising cookies or behavioral targeting cookies.
8.3 — Cookie management
On your first visit, a banner allows you to accept or refuse non-essential cookies. You can change your preferences at any time via the "Manage Cookies" link in the footer.
Article 9 — Data Transfers Outside the European Union
Certain data may be transferred to the United States. These transfers are governed by:
- EU-US Data Privacy Framework (DPF) — adequacy decision of 10 July 2023
- Standard Contractual Clauses (SCCs) — Implementing Decision (EU) 2021/914
- Supplementary measures: TLS encryption, EU data residency where possible, access restrictions
Article 10 — Data Security
Pauthom implements appropriate technical and organizational measures (Article 32 GDPR):
- Encryption of data in transit (HTTPS/TLS) and at rest
- Secure authentication via OAuth 2.0
- Restriction of data access to authorized persons
- Logging of access and sensitive operations
- Regular backups
- Regular updates of systems and dependencies
In the event of a data breach, Pauthom will notify the CNIL within 72 hours (Article 33 GDPR) and inform individuals concerned if the risk is high (Article 34).
Article 11 — Children's Data
The Service is reserved for persons aged eighteen (18) or over. Pauthom does not knowingly collect data from minors. If we discover such data, it will be deleted as soon as possible.
Article 12 — Changes to This Policy
Pauthom reserves the right to modify this Policy at any time. Substantial changes will be notified at least fifteen (15) days before taking effect.
Article 13 — Governing Law
This Privacy Policy is governed by French law and European Union law, in particular Regulation (EU) 2016/679 (GDPR).
Article 14 — Contact
Pauthom — GrindLab
Data Protection
26 Rue Lalande, 69006 Lyon, France
Email: grindlab.gg@gmail.com