MyBacked

Privacy Policy

Effective date: May 14, 2026

1. Who We Are

MyBacked is operated by Backed LLC, a Nevada limited liability company ("MyBacked," "we," "us," or "our"). MyBacked is a record-keeping and communication platform for poker staking arrangements.

If you have questions about this Privacy Policy or how we handle your data, contact us at team@mybacked.com.

2. What This Policy Covers

This Privacy Policy describes what information we collect when you use MyBacked, how we use it, who we share it with, how long we keep it, and the rights you have over it. It applies to MyBacked's web application at mybacked.com, our iOS and Android apps, and our APIs.

This policy does not cover:

  • Third-party services we link to or that you choose to use alongside MyBacked
  • The privacy practices of payment processors (Stripe holds your payment method information, not us)
  • Any data the parties to a stake exchange off-platform

3. Information We Collect

Information you provide

  • Account information: email address, display name, password (stored as a salted hash), avatar image (optional), timezone (optional)
  • Subscription information: plan tier and billing period. We do not store your card number — Stripe holds that.
  • Stake content: stake names, deal terms, slice configurations, session results, buy-ins, cash-outs, payouts, settlement records, transfer records, change history, audit notes
  • Communications: chat messages exchanged with other stake participants, support emails to us
  • Contact list: email addresses you have added to your in-app contacts list

Information collected automatically

  • Device and usage information: browser type, operating system, IP address, timestamps of requests, pages or screens viewed, error reports
  • Cookies and local storage: session cookies for authentication, preference storage, and (for Encrypted Stakes only) your locally-generated encryption keys (see Section 5)

Information from third parties

  • Confirmation from Stripe that a subscription transaction succeeded or failed (we do not see card details)

We do not collect:

  • Government IDs, Social Security numbers, or driver's license numbers
  • Bank account numbers or full payment card numbers
  • Biometric data
  • Precise GPS location

4. How We Use Your Information

We use the information we collect to:

  • Operate the Service: render the app, run calculations, deliver notifications, process subscription payments
  • Authenticate users and prevent unauthorized access
  • Send transactional emails (account confirmations, password resets, invite delivery, settlement notifications, billing receipts)
  • Send the daily digest email if you have it enabled in your notification preferences
  • Diagnose and fix bugs (via Sentry error reports)
  • Understand product usage patterns in aggregate (via PostHog and Vercel Analytics)
  • Comply with legal obligations
  • Enforce our Terms of Service

We do not use your information to:

  • Sell to data brokers, advertisers, or third parties
  • Train artificial intelligence or machine learning models
  • Build profiles for targeted advertising

5. Encrypted Stakes

MyBacked offers an optional encryption feature on a per-stake basis. When you enable encryption on a stake:

  • The dollar-value fields throughout that stake are encrypted in your browser using AES-256-GCM before being sent to our servers
  • The encryption key is generated and stored locally in your browser (in IndexedDB). We do not persist the key in our database.
  • When you invite another participant to an encrypted stake by email, the key is included in the URL fragment of the invite link. To send that email, the key briefly passes through our server memory and through our email-delivery vendor (Resend), and is then delivered to the recipient's email provider. We do not log or persist the key during this transit. After delivery, the key continues to exist within the email message (retained by the recipient's mail provider per their policies) and on the recipient's device once they accept the invite. See our Security page for a detailed discussion of this email-channel tradeoff and the alternative paste-key flow.
  • When the invitee opens the invite link in their browser, the URL hash fragment containing the key is parsed entirely client-side and is never sent in the HTTP request to our servers — so for the recipient's click, we have no record of the key's value.
  • We hold only the encrypted ciphertext for the protected fields. We have no ability to decrypt those without a participant's key, which we do not store.
  • A small "verification blob" (an encrypted version of a known fixed string) lets us confirm that a participant has the correct key without us ever holding the key.

What is encrypted vs. plaintext on an Encrypted Stake

Encrypted at rest: session buy-ins, cash-outs, and payouts; rakeback amounts; money-movement transfer amounts; settlement records (each backer's profit, the player's profit, makeup at settlement, amount owed); per-slice migration values (starting P/L, starting money balance, prior all-time P/L); stake-level migration values (player starting money balance, all-time P/L).

Plaintext at rest (visible to us): the stake name, status, dates, currency, and notes; slice metadata such as investment percentages, deal types, profit-split percentages, and markup rates; session metadata such as date, game type, stakes description, location, tournament name, finish position, hours played, and session notes; participant identities (display name, email, avatar); chat messages exchanged on the stake. The audit trail for edits (Edit Stake history, Forgive Makeup) currently records the old and new values in plaintext, even on Encrypted Stakes — we'll address this in a follow-up release.

See our Security page for the technical detail on transient processing windows (specific actions where decrypted amounts pass through Vercel server memory for the duration of a single request, e.g. migration settlements, transfer logging, rakeback logging) and for the lazy-backfill mechanism that converts legacy plaintext on older Encrypted Stakes the next time a participant with the key opens them.

Consequences of this design

  • For Encrypted Stakes, the protected fields listed above cannot be read by an attacker who obtains our database.
  • For Encrypted Stakes, we cannot produce decrypted values for the protected fields in response to a subpoena, search warrant, or other legal demand. We can produce only the ciphertext we hold, plus the plaintext metadata listed above and in Section 3.
  • If every participant on an Encrypted Stake loses their key, the encrypted data on that stake becomes permanently unreadable. We cannot recover it.

You are responsible for backing up and safeguarding your encryption keys. The Service provides a key backup tool to help with this.

6. How We Share Your Information

We do not sell, rent, or trade your personal information.

We share information in these limited circumstances:

With other users on a stake

When you invite another user to a stake or accept an invite, the participants on that stake can see the stake details, sessions, and financials relevant to their role on the stake. If the stake has the "Hide Backer Details" feature enabled, backers cannot see other backers' deal terms or balances.

With service providers

We use the following service providers to operate MyBacked:

  • Supabase — database hosting and authentication
  • Vercel — application hosting and edge compute
  • Stripe — subscription billing and payment processing
  • Resend — transactional email delivery
  • Sentry — error monitoring and crash reporting
  • PostHog — aggregate product analytics
  • Apple App Store and Google Play — native app distribution

Each provider processes data on our behalf under their own privacy and security commitments.

To comply with the law

We may disclose information if we believe in good faith that doing so is required by law, court order, subpoena, or other legal process, or is necessary to protect the rights, property, or safety of MyBacked, our users, or the public. We will resist overly broad or improper requests where reasonable to do so.

For Encrypted Stakes, we cannot produce decrypted financial data in response to any legal demand, because we do not hold the keys. (See Section 5.)

In the event of a business transfer

If MyBacked is acquired, merged, or sells substantially all of its assets, your information may be transferred to the acquiring entity, subject to this Privacy Policy.

7. Cookies and Analytics

We use cookies and similar technologies for:

  • Authentication (keeping you signed in)
  • Storing your preferences and settings
  • Aggregate product analytics

We currently use the following analytics and monitoring tools:

  • Vercel Analytics — page view counts and basic visitor metrics
  • PostHog — aggregate product event tracking (e.g. "stake created," "session logged" — without dollar amounts)
  • Sentry — error and performance monitoring

These tools collect standard technical data (IP address, browser, device type) and product usage events. They do not display advertising and we do not use them to build advertising profiles.

We do not currently use third-party advertising cookies. We do not sell information to data brokers.

You can clear cookies in your browser settings, but doing so will sign you out and may limit your ability to use the Service.

8. Data Security

We implement security measures appropriate to the sensitivity of the data we hold, including:

  • HTTPS encryption for all data in transit
  • Postgres Row Level Security policies that scope every database query to the requesting user
  • Encrypted database backups
  • Limited administrative access to production systems
  • Optional client-side AES-256-GCM encryption for sensitive financial data (see Section 5)

No system is completely secure. We cannot guarantee absolute security, but we work to apply reasonable safeguards proportional to the sensitivity of the data.

9. Data Retention and Deletion

We retain account information and stake content for as long as your account is active.

You can delete:

  • Individual stakes, sessions, transfers, and contacts at any time from within the app
  • Your entire account from the Settings page

When you delete your account:

  • Your profile, contacts, personal sessions, and account-level notifications are permanently removed from our active systems within thirty (30) days
  • Stake content where you are a participant alongside other users is anonymized — your name is replaced with "(deleted)" so the other participants retain their record-keeping, but your user ID is removed
  • Encrypted backup copies in our disaster-recovery system are retained for up to seven (7) days, after which they are permanently deleted
  • Information we are legally required to retain (e.g. for tax or audit purposes) is retained for the required period

For Encrypted Stakes, deleting the only copy of the encryption key effectively destroys the encrypted data — sometimes called "crypto-shredding." We treat this as the strongest form of deletion available.

10. Your Rights

You have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Delete your account and the personal information associated with it
  • Receive a copy of your data in a portable format
  • Object to or restrict certain types of processing
  • Opt out of marketing communications (we send only transactional and notification emails — there is no marketing list to opt out of)

To exercise any of these rights, email team@mybacked.com from the email address associated with your account. We will respond within thirty (30) days. We will not retaliate against you for exercising any of these rights.

If you are in the European Economic Area, the United Kingdom, or California, you have additional rights under the GDPR and CCPA respectively, including the rights listed above plus the right to lodge a complaint with your local supervisory authority. We act as the "data controller" for the personal information described in this policy.

We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA.

11. International Users

MyBacked is operated from the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have data-protection laws different from those in your country.

12. Children's Privacy

MyBacked is intended only for users who are at least 18 years old. We do not knowingly collect information from anyone under 18. If you become aware that a person under 18 has used the Service, please contact us at team@mybacked.com and we will delete the account and associated data.

13. Breach Notification

If we discover a security incident that compromises your personal information, we will:

  • Notify affected registered users by email without undue delay, and in any event within seventy-two (72) hours of confirming the scope of the incident where reasonably possible
  • Provide a description of what happened, what information was affected, what we are doing about it, and what you can do to protect yourself
  • Notify regulators where required by law

14. Law Enforcement and Subpoena Requests

We respond to valid law enforcement and government requests in accordance with the law.

For Encrypted Stakes, the dollar-value fields listed in Section 5 are encrypted with keys we do not hold. We can produce ciphertext and the plaintext metadata listed in Sections 3 and 5 (stake names, dates, deal types, participant identities, etc.) — we cannot produce decrypted amounts for the protected fields because we do not have access to the decryption key.

We will, where legally permitted, notify users of legal demands targeting their accounts before producing any data.

15. Changes to This Privacy Policy

We may update this Privacy Policy. If we make material changes, we will notify registered users by email and post a notice on the Service at least seven (7) days before the changes take effect. The "Effective date" at the top of this page shows when the policy was last revised.

16. Contact

Backed LLC
Las Vegas, Nevada
team@mybacked.com