Privacy Policy

June 20, 2026

1. Data Controller

pokemongofriendscode.com is operated by an individual based in Brazil. For questions about this policy, contact us at suporte@pokemongofriendscode.com.

2. Data We Collect

2.1 Email address

Collected at checkout. Used to send payment confirmation and plan-related communications.

  • Legal basis: contract performance (GDPR Art. 6(1)(b) / LGPD Art. 7, V) — necessary to deliver the contracted service.

2.2 Pokémon GO Trainer Code

Provided at checkout. Used solely to submit automated friend requests to your account for the duration of the plan.

  • Legal basis: contract performance (GDPR Art. 6(1)(b) / LGPD Art. 7, V) — necessary to deliver the contracted service.

2.3 Administrative session cookie

Created on admin panel login — exclusive to the operator, does not affect service users.

  • Legal basis: legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7, IX) — securing administrative access.

2.4 Abuse control (rate limiting)

To protect the service against abuse, IP addresses are anonymized via a one-way SHA-256 hash with a random salt immediately upon extraction from the request header. The raw IP is never stored in logs, databases, or any other persistent medium. Only the hash — which cannot be used to reconstruct the original IP — is kept in memory for the duration of the rate-limiting window and automatically discarded when that window expires.

  • Legal basis: legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7, IX) — abuse prevention and infrastructure protection.
  • Data processed: SHA-256 hash of the IP address (anonymized data — GDPR Recital 26 / LGPD Art. 12).
  • Retention: maximum 5 minutes in volatile memory; discarded on window expiry or process restart.

3. How We Use Your Data

  • Service delivery: your Trainer Code is used by our automated system to send daily friend requests for the duration of your plan.
  • Transactional communication: sending the payment confirmation email via Resend.
  • Support: your email may be used to respond to support requests.
  • Security: SHA-256 hash of the IP address for rate limiting — the raw IP is never stored.

4. Third-Party Services (Data Processors)

We have Data Processing Agreements (DPAs) in place with all processors listed below, as required by LGPD (Art. 28) and GDPR (Art. 28).

  • Google Cloud Platform (GCP): database and application hosting in Brazil (southamerica-east1, São Paulo). Data processed: email, Trainer Code, subscription records.
  • Cloudflare: reverse proxy and DDoS protection at the network edge. Processes all HTTP headers including IP addresses (before reaching our application).
  • Mercado Pago: payment processing in BRL. We never store card numbers, CVV, or banking data — these are handled directly by Mercado Pago.
  • Stripe: payment processing in USD. Same restrictions apply.
  • Resend: transactional email delivery. Data processed: email address and confirmation email content.
  • Google Analytics (GA4): traffic and behaviour analytics — enabled only after explicit consent. Data processed: browsing behaviour, device type, approximate location. See Google's Privacy Policy for details.

4.1 Publication of Your Trainer Code on Public Directories

The service delivers what it promises by submitting your Trainer Code (only the 12-digit code — never your email) to public Pokémon GO community directories. These sites are independent data controllers of your data under LGPD (Art. 5 VI) and GDPR (Art. 4(7)) — they publish the Trainer Code as public information so other players can send friend requests. We do not maintain DPAs with them because the act of submitting is equivalent to you posting your code on a public forum yourself:

  • pokemongofriendcodes.com — public Trainer Code directory.
  • pogocodes.com — public Trainer Code directory.
  • pokemon-friends.eu — public Trainer Code directory.
  • friend-code.com — public Trainer Code directory.
  • pokemonroom.com — public Trainer Code directory.

Trainer Codes are not considered personal data in isolation (they are a public identifier within a game), but their publication is described here for full transparency. To remove your code from any of these directories, you must contact them directly — we do not have access to delete entries they index. You may request cancellation of our future submissions at any time via the deletion procedure in section 7 below.

5. Storage and Security

We implement the following technical measures to protect your data:

  • HTTPS with HSTS — all communication is encrypted in transit.
  • HttpOnly + SameSite=Strict session cookie — not accessible by JavaScript.
  • IP anonymization: IP addresses are converted to a one-way SHA-256 hash with a random salt immediately upon extraction — the raw IP is never stored.
  • Rate limiting on all API routes — protection against abuse and brute-force attacks.
  • Cloud SQL on a private network (VPC) — the database is not publicly accessible.
  • Encryption at rest — all stored data is encrypted by GCP by default.

6. Data Retention

  • Subscription records (email, Trainer Code, plan, date, status): retained for 5 years for tax and audit purposes.
  • Cookie consent records (consent_records): retained for 3 years to prove consent in disputes; automatically purged after that period.
  • IP hashes (rate limiting): automatically discarded from memory when the rate-limiting window expires (maximum 5 minutes) or on process restart — never persisted.
  • GCP infrastructure logs (Cloud Run HTTP access logs): retained for 30 days and then automatically deleted by the platform.
  • After the periods above, data is permanently deleted.

7. Data Deletion

To request deletion of your data, visit: https://www.pokemongofriendscode.com/en/request-deletion. You will receive a confirmation email with a link. After confirming, your data will be automatically deleted within 7 days. You can cancel the request at any time during this period.

Note: subscription records may be retained for the legal retention period of 5 years for tax and accounting purposes, even after a deletion request.

8. Cookies

This site uses cookies grouped into three categories. You can manage your preferences at any time via the cookie banner.

  • Necessary: a technical session cookie for the admin panel and the cookie_consent cookie that stores your preference — always active, no consent required.
  • Analytics (requires consent): Google Analytics (GA4) cookies for traffic analysis and purchase funnel tracking — enabled only if you accept this category.
  • Marketing (requires consent): not currently used.
Cookies
CookiePurposeDurationType
__Secure-authjs.session-tokenAdmin panel session via Google OAuth (operator only)30 daysNecessary · HttpOnly · Secure
cookie_consentStores your per-category consent preference (JSON)Up to 365 days / 30 days if declinedNecessary · technical
_gaIdentifies unique visitors (Google Analytics)2 yearsAnalytics · requires consent
_ga_3CDM03FM7CGA4 session state2 yearsAnalytics · requires consent
_gidDistinguishes daily sessions (Google Analytics)24 hoursAnalytics · requires consent

9. Your Rights (GDPR Art. 15–22 / LGPD Art. 18)

You have the right to:

  • Confirmation of whether we process your personal data
  • Access to your data in a structured, machine-readable format (portability)
  • Correction of incomplete, inaccurate, or outdated data
  • Erasure of data processed with consent or processed unnecessarily
  • Restriction of processing in certain circumstances
  • Object to processing based on legitimate interest
  • Information about who we share your data with
  • Withdraw consent at any time (without affecting processing carried out before withdrawal)
  • Lodge a complaint with a supervisory authority: Brazil — ANPD (anpd.gov.br) | EU residents — your national data protection authority

To exercise your access and portability rights, visit: https://www.pokemongofriendscode.com/en/request-export. You will receive an email with a link to download your data in JSON format. To request data deletion, visit: https://www.pokemongofriendscode.com/en/request-deletion.

10. Security Incident Notification

In the event of a security incident that may affect your personal data, we will notify affected individuals without undue delay and notify the competent supervisory authority within 72 hours, as required by LGPD and GDPR. The notification will include the nature of the incident, the data affected, the measures taken, and a contact channel for clarifications.

11. Children

This service is intended for users aged 13 and over. We do not knowingly collect data from children under 13. If you believe a child has provided us with data, please contact us for removal.

12. Non-Affiliation Notice

Pokémon GO is a registered trademark of Niantic, Inc. and The Pokémon Company. This service is not affiliated with, endorsed by, or sponsored by Niantic or The Pokémon Company.

13. Changes to This Policy

We may update this policy periodically. The date above reflects the current version. Significant changes will be communicated by email.

14. Contact

For questions about this policy or to exercise your data subject rights, contact: suporte@pokemongofriendscode.com

Data Protection Officer (DPO): This organisation is not required to appoint a DPO under ANPD Resolution CD/ANPD No. 2/2022 (micro-enterprise / sole trader). To exercise your rights under the LGPD (art. 18) or GDPR (arts. 15–22), use the email address above or the self-service mechanisms described in sections 7 and 9 of this policy.

← Back to home