Privacy Policy
Last updated: 2026-07-03
Pogo is built to need very little personal data: no passwords, no third-party trackers, no ads, and analytics only if you opt in. This page explains what we do process, why, and what rights you have under the GDPR.
Who is responsible (controller)
Pogo Robotics
Augsburg, Germany
Email: hello@pogorobotics.io
We have not appointed a data protection officer.
What we process, why, and on what legal basis
Using the tool without an account
You can upload and analyse a board without signing in. The uploaded fabrication zip is processed server-side to run the analysis. We also process the technical data any web server needs — IP address, request metadata, browser type — in server logs, to deliver the site and keep it secure (rate limiting, abuse and error diagnosis).
- Upload processing: Art. 6(1)(b) GDPR (performing the service you requested).
- Server logs and security: Art. 6(1)(f) GDPR (our legitimate interest in operating the service securely).
Note that fabrication files are design data about a circuit board and normally contain no personal data — but they're treated confidentially either way (see Terms of Service, "Your files stay yours").
Accounts (magic-link sign-in)
Sign-in is passwordless: you enter your email address, we send you a one-time sign-in link, and that email address is the only identifier we store for your account. No password, no profile, no name required.
- Email address, sign-in emails, session handling: Art. 6(1)(b) GDPR (providing the account you asked for).
Saved projects and exports
With an account, your uploaded projects (currently up to three on the free tier) and their analysis state are stored so you can come back to them, and probe-plan CSVs are generated on request.
- Legal basis: Art. 6(1)(b) GDPR.
Analytics (only with your consent)
See Analytics below.
- Legal basis: Art. 6(1)(a) GDPR (consent via the cookie banner). You can withdraw it at any time — see Withdrawing consent.
Cookies
We set exactly three cookies, none of them for tracking or advertising:
| Cookie | Purpose | Type | Lifetime |
|---|---|---|---|
| session cookie | Signed cookie that keeps you logged in after magic-link sign-in. | Essential | Session / until sign-out |
pogo-theme | Remembers your dark/light choice (also read by this docs site so the theme carries over). | Functional | 1 year |
pogo-consent | Remembers your choice in the cookie banner, so we don't ask again. | Consent | 1 year |
Essential and functional cookies are set on the basis of § 25 (2) TDDDG and Art. 6(1)(f) GDPR (they're required for the service or a function you chose, like the theme). No consent-requiring cookies are set unless you accept analytics — and even then, the analytics itself is cookieless.
Local storage on your device
Like the functional cookies, the app also keeps a few settings in your browser's local storage. This data stays on your device — it is never transmitted to us — and you can clear it at any time via your browser's site-data settings:
| What | Purpose |
|---|---|
| Theme choice | Your dark/light preference (app and docs site each keep their own copy). |
| View state | Which project you last had open and whether you preferred the landing or the app view, so a reload puts you back where you were. |
| Per-project analysis settings | Your probe-class overrides (pitch / min Ø per fixture class) and similar preferences, stored per uploaded project. |
| Sign-in hand-off | While you sign in, the action that triggered it (e.g. "export CSV") is remembered so it can resume afterwards; cleared once used. |
| Analytics opt-out flag | If you decline analytics after previously accepting, a flag makes sure the tracker stays off. |
| Per-tab UI state | Small interface states (e.g. which panel was expanded), kept only for the lifetime of the tab. |
These are stored on the basis of § 25 (2) TDDDG (strictly necessary for a function you explicitly requested); none of them contain personal data or identifiers usable for tracking.
Analytics (self-hosted, consent-based, cookieless)
If — and only if — you click Accept in the consent banner, we load Umami, an open-source analytics tool that we run ourselves at analytics.pogorobotics.io, on our own server in the EU. It tells us which pages are used and roughly how many people use them.
Umami as we run it:
- sets no cookies and does no cross-site tracking or fingerprinting,
- does not store IP addresses,
- sends data only to our own EU server — no third party ever receives it.
If you decline (or never answer the banner), the analytics script is not loaded at all. There are no third-party analytics services and no advertising on Pogo.
Recipients & processors
We don't sell or share your data. Two infrastructure providers process data on our behalf under Art. 28 GDPR data-processing agreements:
| Provider | What for | Where |
|---|---|---|
| Hetzner Online GmbH | Cloud hosting (application server) and encrypted off-site database backups (Hetzner Object Storage). | Germany / EU |
| Resend (resend.com) | Sending magic-link sign-in emails. Processes your email address when you sign in. | USA |
How long we keep data
- Anonymous uploads: processed for the analysis session, not kept as a saved project.
- Account data & saved projects: kept while your account exists. Ask us to delete your account and it goes — email hello@pogorobotics.io from your account address.
- Server logs: kept only as long as needed for security and troubleshooting, then deleted or anonymised.
- Backups: encrypted database backups (Hetzner Object Storage, EU) rotate out on a fixed schedule; deleted data disappears from backups as they expire.
Your rights
Under the GDPR you can ask us at any time for:
- Access (Art. 15) — what data we hold about you,
- Rectification (Art. 16) — fixing incorrect data,
- Erasure (Art. 17) — deleting your data / account,
- Restriction of processing (Art. 18),
- Data portability (Art. 20) — your data in a machine-readable format,
- Objection (Art. 21) — to processing based on legitimate interests.
Just email hello@pogorobotics.io. You also have the right to lodge a complaint with a supervisory authority — for us that's the Bavarian Data Protection Authority (BayLDA), Promenade 18, 91522 Ansbach, Germany (lda.bayern.de), but you can also complain to the authority where you live.
No automated decision-making
We don't do any automated decision-making or profiling within the meaning of Art. 22 GDPR. (The board analysis is automated, of course — but it evaluates your circuit board, not you.)
Withdrawing consent
You can withdraw your analytics consent at any time, with effect for the future: open the cookie settings to reopen the consent banner and change your choice. Declining stops the analytics script from loading from then on.
Changes to this policy
We'll update this policy when the service or the law changes — for example, if we add a processor. The "Last updated" date at the top always tells you the current version, and we'll announce material changes in the app or by email to account holders.
Contact
Privacy questions or rights requests: hello@pogorobotics.io.