Privacy Policy
Last updated: June 16, 2026
Who we are
PokeFeed ("PokeFeed", "we", "us", "our") is a community-driven, fan-made website for competitive Pokémon Champions teams, where users can publish, share, and vote on team compositions. PokeFeed is a personal, non-commercial project operated by Lorenzo Boffredo, based in Italy, who acts as the data controller.
For any privacy-related request or question, contact us at privacy@pokefeed.app.
This Privacy Policy explains what personal data we collect, why, how we use it, who we share it with, and the rights you have. It applies to all visitors and registered users worldwide. Because we are based in the European Union, we follow the EU General Data Protection Regulation (GDPR), and these protections apply to all users regardless of where they live.
What data we collect
We keep data collection to the minimum needed to run the service.
Account data (when you register)
- Email address: used to create and secure your account, and to send essential service emails (for example account confirmation or password reset). Your email is never shown publicly on the site.
- Password: stored only in hashed form by our authentication provider. We never store your password in readable form.
- Username: chosen by you, shown publicly as your profile identifier.
Profile data (optional, added by you)
- Display name: shown publicly, optional.
- Bio: shown publicly, optional.
- Avatar: selected from a fixed set of Pokémon sprites. This is a preset choice, not an uploaded image, and contains no personal information.
Content you create ("user content")
- Teams you publish, including team title, description, and an optional rental code.
- Your votes (upvotes), saved teams, and the count of how many times a team's rental code has been copied.
Technical data
- Standard server logs and a session cookie required to keep you logged in (see "Cookies" below).
- Aggregated, anonymous usage statistics (see "Analytics" below).
- Your IP address, also processed for bot and abuse protection on the login and signup pages (see "Bot and abuse protection" below).
We do not ask for your real name, date of birth, address, phone number, or payment information. We do not knowingly collect any data beyond what is listed above.
How we use your data
We use your data only to:
- create, secure, and operate your account;
- display the content you choose to publish;
- run core site features (voting, saving, rental code copy counts);
- send essential service emails (account confirmation, password reset);
- check user-submitted text against automated moderation to keep the community safe (see "Content moderation");
- maintain security, prevent abuse, and keep the service working, including an automated anti-bot check on the login and signup pages;
- understand general, anonymous usage trends to improve the site.
We do not sell your data, and we do not use it for advertising or profiling.
Legal bases (GDPR)
Where the GDPR applies, we rely on the following legal bases:
- Performance of a contract: to provide the account and features you sign up for, including saving and displaying your content and checking submitted text through moderation before it is published.
- Legitimate interests: to keep the service secure, prevent abuse, and understand anonymous usage. We balance these interests against your rights.
- Consent: where specifically requested (for example, agreeing to these terms at sign-up). You can withdraw consent at any time.
- Legal obligation: where we must process data to comply with the law.
Who we share data with
We do not sell or rent your data. We share it only with the service providers ("processors") needed to run PokeFeed, and only as required for them to perform their function:
- Supabase: authentication and database hosting. Stores your account and content data. Data is hosted in the European Union (Frankfurt).
- Vercel: website hosting and content delivery. Vercel is based in the United States; this means some technical data (such as requests and server logs) may be processed outside the EU.
- Cloudflare: provides bot and abuse protection (Turnstile) on our login and signup pages, processing your IP address and browser and device signals to tell humans from bots. United States.
- OpenAI: automated content moderation. When you submit certain text (such as a team title, description, display name, or bio), that text is sent to OpenAI's moderation service to check it against safety categories before it is saved. This text is processed for moderation only.
- Vercel Web Analytics: anonymous, aggregated usage statistics, without cookies (see "Analytics").
- Resend: delivery of essential service emails (for example account confirmation and password reset).
Each provider processes data under its own privacy and security terms. We choose providers that offer appropriate safeguards.
International data transfers
Some of our providers (such as Vercel, OpenAI, and Cloudflare) are based in the United States. Where data is transferred outside the European Economic Area, we rely on the safeguards offered by those providers (such as standard contractual clauses or equivalent mechanisms) to protect your data in line with GDPR requirements. Cloudflare is certified under the EU-US Data Privacy Framework, which it relies on for personal data transferred to the United States, with Standard Contractual Clauses as an additional safeguard.
Cookies
PokeFeed uses the minimum cookies necessary to function:
- Essential session cookie: set by our authentication provider (Supabase) to keep you logged in. This cookie is strictly necessary for the site to work and cannot be turned off without breaking login. No consent is required for strictly necessary cookies.
We do not use advertising cookies, tracking cookies, or third-party marketing cookies. Because of this, PokeFeed does not show a cookie consent banner.
Our bot-protection provider (Cloudflare Turnstile) does not set cookies on this site. Cloudflare may use storage strictly necessary to run its security check on its own domain when you visit the login or signup pages.
Analytics
We may use Vercel Web Analytics to understand general, anonymous usage trends (such as total page views, which pages are most visited, and the general country traffic comes from). This analytics service does not use cookies, does not track you across other websites, and does not collect or store information that could identify you personally. Data is aggregated and anonymous.
Content moderation
To keep the community safe, certain text you submit (team title and description, display name, and bio) is automatically checked by OpenAI's moderation service before it is saved. This check looks for harmful content (such as hateful, violent, sexual, or otherwise unsafe material). The text is sent for this purpose only and is not used for advertising or profiling. If content is flagged, it may be blocked from being published.
Bot and abuse protection
To protect our login and signup pages from automated abuse, we use Cloudflare Turnstile, a bot-detection service. When you sign in or create an account, Turnstile runs a security check that processes your IP address and signals about your browser and device to distinguish real users from automated bots. This check runs only on the login and signup pages. The result is verified by our authentication provider; we never receive your raw verification data. The legal basis for this processing is our legitimate interest in keeping the service secure and preventing automated abuse (Article 6(1)(f) GDPR). Cloudflare acts as a processor and is based in the United States. Turnstile does not set cookies on this site; Cloudflare may use storage strictly necessary to run the security check on its own domain.
How long we keep your data
We keep your account and content data for as long as your account is active. If your account is deleted, your personal data and the content associated with it are permanently removed from our database. We do not keep hidden backups of deleted accounts beyond what our infrastructure providers retain for their own short-term technical and backup purposes.
Server logs and anonymous analytics are kept only for a limited period for security and operational purposes.
Your rights
Under the GDPR, you have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- delete your data ("right to be forgotten");
- restrict or object to certain processing;
- data portability: receive your data in a portable format;
- withdraw consent at any time, where processing is based on consent;
- lodge a complaint with a data protection authority (in Italy, the Garante per la protezione dei dati personali).
You can edit much of your profile data directly from your account settings. To request access to, or deletion of, your data, contact us at privacy@pokefeed.app.
Children
PokeFeed is not intended for anyone under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us at privacy@pokefeed.app and we will remove it.
Security
We rely on reputable providers (Supabase, Vercel, Cloudflare) and standard security practices to protect your data. Passwords are stored in hashed form. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "last updated" date at the top of this page. We encourage you to review this page periodically.
Contact
For any privacy question or request, contact us at privacy@pokefeed.app.