Security and privacy

Your player data stays with you.

No cloud, no subscription, no player data leak. Everything runs locally, in a SQLite database secured by Windows secrets. PokClock makes no unsolicited outbound call.

The principle: zero outbound by default

Player records (name, email, federation license, date of birth, private notes) are stored in a local SQLite database, on your PC, under your user profile. The only possible outbound call is the cloud backup to OneDrive, Dropbox or Google Drive, which is strictly opt-in and encrypted client-side before upload.

The 6 mechanisms in place

From storage to licensing to backup.

100% offline

Local SQLite database, no server. The only possible outbound call is the opt-in Drive backup. Updates upload nothing.

SHA-256 snapshots

Every snapshot (taken every 30 seconds) is SHA-256 signed. Any modification to the backup file breaks the signature and is detected at restore.
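The page states that each snapshot is SHA-256 signed and that edits are caught at restore, but not how the tag is keyed. The block below is an added example, not PokClock's code: it assumes the tag is an HMAC-SHA256 keyed with the DPAPI-protected local secret (stood in for here by a constructed byte string), shows the restore-time check, and shows why an unkeyed digest stored next to the file would not catch an edit that also rewrites the digest.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the per-user secret the page says lives in DPAPI.
# On the real system it would be unwrapped at runtime, never hard-coded.
LOCAL_SECRET = b"constructed-dpapi-secret-not-a-real-key-0123456789abcdef"

# Constructed snapshot: a tiny tournament state as it might be serialised every 30 s.
SNAPSHOT = json.dumps(
    {"level": 4, "players": [{"name": "A. Example", "stack": 15000}]}
).encode()


def seal_snapshot(snapshot: bytes, secret: bytes) -> bytes:
    """Keyed SHA-256 tag (HMAC) over the payload. Only a holder of the local
    secret can produce it. Layout: 64 hex chars of tag, newline, payload."""
    tag = hmac.new(secret, snapshot, hashlib.sha256).hexdigest()
    return tag.encode() + b"\n" + snapshot


def restore_snapshot(sealed: bytes, secret: bytes) -> Optional[bytes]:
    """Recompute the tag at restore; refuse the file if it does not match.
    compare_digest keeps the comparison constant-time."""
    tag, _, payload = sealed.partition(b"\n")
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return payload if hmac.compare_digest(expected, tag) else None


def tamper(sealed: bytes, old: bytes, new: bytes) -> bytes:
    """Edit the payload only, as someone with write access to the backup could."""
    tag, _, payload = sealed.partition(b"\n")
    return tag + b"\n" + payload.replace(old, new)


def unkeyed_digest_check(file_with_digest: bytes) -> bool:
    """Weaker design: a bare SHA-256 of the payload stored beside it. Whoever can
    edit the payload can recompute this digest, so the check passes on edits."""
    digest, _, payload = file_with_digest.partition(b"\n")
    return hashlib.sha256(payload).hexdigest().encode() == digest


def demo() -> dict:
    sealed = seal_snapshot(SNAPSHOT, LOCAL_SECRET)
    edited = tamper(sealed, b"15000", b"99000")  # stack edited, tag untouched
    _, _, edited_payload = edited.partition(b"\n")
    restamped = hashlib.sha256(edited_payload).hexdigest().encode() + b"\n" + edited_payload
    return {
        "intact_restores": restore_snapshot(sealed, LOCAL_SECRET) == SNAPSHOT,
        "edit_detected": restore_snapshot(edited, LOCAL_SECRET) is None,
        "bare_digest_fooled": unkeyed_digest_check(restamped),
    }
```

The last result is the reason the secret must stay inside DPAPI: an integrity tag that anyone on the machine can recompute only detects accidental corruption, not deliberate edits.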

Windows DPAPI secrets

SMTP passwords, OneDrive, Dropbox and Google Drive tokens, license keys: all encrypted via DPAPI (Windows Data Protection API). Inaccessible to other users on the same PC.

Hardware ID

The license is tied to your PC via CRC32 over MachineName + UserName + OSVersion. A stolen key is unusable without the PC.

Registry anti-rollback

PokClock detects if the system clock is rolled back to extend a trial. Blocks trial-fraud attempts.

Native GDPR

Local player data, CSV-exportable, removable per player. You are the data controller, with no third party.

Full dealer audit log

Every dealer action is logged and signed: elimination, rebuy, stack edit, from which tablet, at what time. Bubble dispute, federation audit, player claim: the history is there, defensible.

TD panic button

Stolen dealer tablet, dealer let go, end of shift: one button revokes every active session. Tablets prompt for a PIN at the next refresh.

Triple-layer tablet auth

PokClock-generated six-digit PIN + HttpOnly cookie + dual-layer rate-limit. A compromised tablet exposes neither your database nor your players nor your tournament.

Obfuscated and signed binary

ConfuserEx 2 obfuscation (rename + control flow) plus Authenticode signature. Reverse-engineering becomes tedious, and any modification to the binary breaks the signature, which Windows detects instantly.

Validation and guarantees

Three concrete commitments, no marketing.

Obfuscated code + signatures

The binary is Authenticode-signed and obfuscated. No one can inject a silent payload without breaking the signature.

Client-side encrypted cloud

If you enable cloud backup (OneDrive, Dropbox or Google Drive), snapshots are encrypted on your PC before upload. Microsoft, Dropbox and Google receive unreadable ciphertext; you keep the key.

Offline license validation

SHA-256 + local secret salt. No server call at activation. Your license works even if our site is down.

In screenshots

Security mechanisms, in plain view

Encrypted OneDrive, Dropbox and Google Drive backup, dealer tablet security, native GDPR.

Quick action menu on a tournament

One click and every piloting action is there: registrations, activate, open clock, manage tables, pause, end, cloud backup, reset. Full tournament control in two seconds.

Dealer tablet security

A six-digit PIN and a QR code to authorize the tablet. Auto-lock on inactivity, per-minute action limit per dealer, instant revocation of all sessions.

Local network and QR codes

Start the PWA server in one click. Local IP address, port, status "running". Two auto-generated QR codes: one for players, one for the dealer tablet.

FAQ about security and GDPR

Does PokClock send data to a third-party server?

No, unless you explicitly enable the cloud backup to OneDrive, Dropbox or Google Drive (opt-in and client-side encrypted). No unsolicited outbound call.

Am I GDPR compliant if I run my club with PokClock?

Yes. Data stays on your PC, exportable and removable player by player. You are the data controller, with no cloud sub-processor to declare.

How does the cloud backup encryption work?

Client-side AES encryption, before upload to OneDrive, Dropbox or Google Drive. The key is derived from a local secret stored via DPAPI. Microsoft, Dropbox and Google receive unreadable ciphertext.

What happens if I change PC?

Transfer your license via deactivation then reactivation from your account. No double activation possible.

Is PokClock code-auditable?

The code is not open source. However, the binary is Authenticode-signed, and the SQLite database is readable with any third-party tool, so you can verify your own data.

Serious for your players, serious for your club.

GDPR-ready out of the box, local data, direct dev support.