Privacy notice
Call It A Five is a tool for live estimation (planning poker). This notice explains, in line with Article 13 GDPR, what data is processed, for what purpose, on what legal basis and for how long. In short: only a self-chosen display name, no account, no cookies, no tracking, no AI, EU hosting, deletion after 8 hours.
The essentials in one sentence
- Only a display name. The only piece of personal data is a freely chosen name that you enter to join. No email, no account, no password.
- Deletion after 8 hours. Each session lives for at most 8 hours, after which the session storage is deleted.
- No cookies, no tracking, no AI. AI: none No analytics scripts run, and there is no AI or language model.
- EU hosting. Session data sits in a European region (Frankfurt or Dublin) with Cloudflare acting as a processor.
Data controller (Verantwortliche Stelle)
The controller within the meaning of the GDPR is:
Frederik Metz
Ridlerstrasse 9
80339 Muenchen
Germany
Email: Address is loaded via JavaScript
Data categories
The table below is an exhaustive list of all data that the application processes.
| Data | What it is | Where it lives |
|---|---|---|
| Display name | A freely chosen name (up to 80 characters) that you enter to join. A nickname is fine. No email, no account. | On the session server, deleted after 8 hours. |
| Submitted estimate | The card you pick for the current item. Hidden from others until the facilitator reveals it. | On the session server, deleted after 8 hours. In anonymous mode without a name. |
| Round result | Aggregated metrics per round: median, mode, minimum, maximum, agreement rate and which votes were outliers. | On the session server, as an aggregate only. The round history stores no personal individual votes. |
| Rejoin note | A small entry in your browser holding the most recently used room code and the name you used, so you can rejoin after closing the tab. | Only on your device (browser storage), for up to 8 hours. Never transmitted. |
No email address, no account, no password and no phone number are processed. The application stores no IP address. Some technical processing of the IP address by the hosting provider when a connection is established is operationally unavoidable (see the Hosting section).
Purpose and legal basis
The data is used solely to run the live estimation: to show who has joined, to keep votes hidden until they are revealed, and to compute the round result for the shared discussion.
- Article 6(1)(f) GDPR (legitimate interest): providing a working, collaborative estimation session. The legitimate interest is being able to offer and operate the tool at all.
- Article 6(1)(a) GDPR (consent): where you voluntarily join by entering a name, that constitutes your consent to the processing of that name for the duration of the session.
- The rejoin note on your device serves only the function you asked for, namely re-entering a running session, and never leaves your device.
If the tool is used in an employment context, your employer may be the controller; in that case your employer confirms the exact legal basis under the GDPR and the German Works Constitution Act (Betriebsverfassungsgesetz, BetrVG).
Hosting and EU data residency
The session server runs on Cloudflare. The session-related storage (names, votes, results) is pinned to a European jurisdiction and is therefore held in a European region (Frankfurt or Dublin). EU data residency applies to the session data.
Cloudflare acts as a processor (Auftragsverarbeiter) within the meaning of Article 28 GDPR; a data processing agreement (Auftragsverarbeitungsvertrag, AVV) is in place. When a connection is established, Cloudflare necessarily processes your device's IP address in order to deliver the request. The operator does not build any personal profiles from this.
Web fonts (self-hosted)
The typeface (Plus Jakarta Sans) is embedded directly in the page (self-hosted, WOFF2 as a data URI). When the pages load, no request is made to Google Fonts or any other third party; no IP address is sent to Google.
No names, votes or session content are transmitted to third parties. The pages load only from this domain.
No cookies, no tracking, no AI AI: none
The application sets no cookies and uses no analytics or advertising scripts and no tracking pixels. The only piece of data placed on your device is the functional rejoin note in browser storage described above (not a cookie, never transmitted).
There is no processing by artificial intelligence. All metrics (median, mode, minimum, maximum, agreement rate, outliers) are derived by simple calculation from the votes in the current round. There is no model, no inference and no AI provider that any data would be sent to.
Retention period
Each session has a lifetime of 8 hours. After that the session storage is deleted; the names, votes and results it contained are then gone. The rejoin note on a device is also no longer offered after 8 hours. No data is kept centrally beyond the lifetime of a session.
Your rights
Under the GDPR you have the following rights:
- access (Article 15), rectification (Article 16) and erasure (Article 17),
- restriction of processing (Article 18) and data portability (Article 20),
- objection to processing based on legitimate interests (Article 21),
- withdrawal of a consent you have given, with effect for the future (Article 7(3)),
- lodging a complaint with a supervisory authority (Article 77).
Because data is deleted after 8 hours and there are no accounts, the practical route is to leave the session or wait for the automatic deletion. For anything else, contact the controller named above. The supervisory authority responsible for the operator is the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt fuer Datenschutzaufsicht, BayLDA).
Changes
If the data processing changes materially (for example the hosting region, the position on AI, or how the web font is embedded), this notice will be updated. The date and version appear in the footer of this page.