Privacy Policy
This Privacy Policy ("Policy") describes how [Controller legal name] ("we", "us", "our", or the "Controller"), a [entity type, e.g. Texas limited liability company] with a registered place of business at [registered address], processes Personal Information when you access or use the ChessTrophies website, mobile application, related application programming interfaces, and any other online services that link to this Policy (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read and understood this Policy. Where required by applicable law, your continued use of the Service constitutes your consent to the processing described herein. Where consent is not a permissible legal basis under your local law, we rely on the alternative bases identified in Section 4 below.
Contents
- Scope and Definitions
- Categories of Personal Information We Process
- Sources of Personal Information
- Purposes and Legal Bases for Processing
- Recipients and Disclosures
- International Data Transfers
- Retention
- Security Measures
- Cookies and Similar Technologies
- Children and Minors
- Automated Decision-Making and Profiling
- Your Rights
- Notice for California Residents
- Notice for Other U.S. State Residents
- Notice for EU, EEA, UK, and Swiss Residents
- Notice for Other Jurisdictions
- Do Not Track and Global Privacy Control
- Data Protection Officer and Representatives
- Changes to This Policy
- How to Contact Us
1. Scope and Definitions
This Policy applies to all Personal Information processed by the Controller in connection with the Service. It does not apply to processing by third parties whose products or services may be accessed through the Service, which are governed by their own privacy notices.
Capitalized terms have the meanings set out below:
- "Personal Information" means any information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device, including but not limited to the meanings ascribed under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and "personal data" as defined by Regulation (EU) 2016/679 ("GDPR") and analogous laws.
- "Sensitive Personal Information" has the meaning given in Cal. Civ. Code § 1798.140(ae), and includes "special categories of personal data" as defined in GDPR Article 9. We do not knowingly collect Sensitive Personal Information; if you choose to provide it (for example, in free-form chat), we treat it under the heightened protections applicable to such data.
- "Processing" means any operation or set of operations performed on Personal Information, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
- "Service Provider" and "Processor" have the meanings under CCPA/CPRA and GDPR respectively.
- "Sale" and "Share" have the meanings ascribed to those terms under CCPA/CPRA.
- "Data Subject" means an identified or identifiable natural person whose Personal Information is processed.
2. Categories of Personal Information We Process
We process the following categories of Personal Information. The CCPA/CPRA statutory category in parentheses is provided for the assistance of California residents.
| Category | Examples | CCPA Category |
|---|---|---|
| Identifiers | Email address, username, account ID, IP address, device identifiers | (A) Identifiers |
| Authentication Data | Salted password hash (never plain text), session tokens | (A) / (B) Customer records |
| Customer Records | Username, region (city, country, if provided) | (B) Customer records under Cal. Civ. Code § 1798.80(e) |
| Commercial Information | Subscription status, transaction history (limited; payment card data is processed by Stripe, not by us) | (D) Commercial information |
| Internet/Network Activity | Pages viewed, features used, referring URL, request timestamps, browser type, approximate device characteristics | (F) Internet or network activity |
| Geolocation | Coarse geolocation derived from IP address; user-supplied region if you choose to enter one. We do not collect precise GPS location. | (G) Geolocation |
| Inferences | ELO rating, skill level, lesson progress, playing patterns derived from gameplay | (K) Inferences |
| Audio/Visual | None collected. We do not access camera or microphone. | (H) |
| Professional / Employment | None collected. | (I) / (J) |
| Sensitive Personal Information | None collected by design. | (L) |
3. Sources of Personal Information
We obtain Personal Information from the following sources:
- Directly from you when you create an account, complete a profile, send a message, accept an invitation, or submit a support request;
- Automatically when you interact with the Service, through cookies, browser local storage, server logs, and analytics tools further described in Section 9;
- From third-party service providers, including payment processors (subscription status only), hosting providers (server logs), ad networks (interaction signals), and authentication providers if you use a federated sign-in.
4. Purposes and Legal Bases for Processing
We process Personal Information for the purposes described below. Where the GDPR or a substantially similar law applies, we identify the legal basis on which we rely under Article 6(1) of the GDPR (and Article 9(2) where applicable).
| Purpose | Categories Used | Legal Basis (GDPR) |
|---|---|---|
| Account creation, authentication, and operation of the Service | Identifiers, Authentication Data, Customer Records | Performance of a contract (Art. 6(1)(b)) |
| Matchmaking, rankings, and game-state synchronization | Identifiers, Inferences, Internet Activity | Performance of a contract (Art. 6(1)(b)) |
| Processing subscription payments | Commercial Information (via Stripe) | Performance of a contract (Art. 6(1)(b)) |
| Service-related communications (account, billing, security alerts) | Identifiers, Commercial Information | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) where required |
| Marketing communications | Identifiers | Consent (Art. 6(1)(a)); legitimate interests in direct marketing to existing customers under the soft opt-in (Art. 6(1)(f); ePrivacy Directive) |
| Fraud, abuse, and cheat prevention | Identifiers, Internet Activity, Inferences | Legitimate interests (Art. 6(1)(f)) and, where applicable, legal obligation (Art. 6(1)(c)) |
| Security monitoring and logging | Identifiers, Internet Activity | Legitimate interests (Art. 6(1)(f)); legal obligation |
| Aggregated and anonymized analytics for product improvement | De-identified Internet Activity | Legitimate interests (Art. 6(1)(f)) |
| Advertising to free-tier users | Identifiers, Internet Activity, Inferences (limited; see Section 9 and Section 17) | Consent (Art. 6(1)(a)) where required; legitimate interests for non-targeted ads |
| Compliance with law, regulatory inquiries, legal process | As applicable | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) |
| Defense or assertion of legal claims | As applicable | Legitimate interests (Art. 6(1)(f)); establishment, exercise or defense of legal claims (Art. 9(2)(f) if applicable) |
You may withdraw consent at any time where consent is the legal basis. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Balancing test (legitimate interests): Before relying on legitimate interests, we conduct a balancing test weighing our interests against the rights and freedoms of Data Subjects. A summary of the balancing test is available on request.
5. Recipients and Disclosures
We disclose Personal Information only as described below. In the twelve (12) months preceding the effective date of this Policy, we have disclosed each category identified in Section 2 to the recipient categories below for the operational purposes indicated.
5.1 Service Providers and Processors
We engage Service Providers and Processors who process Personal Information on our behalf and only pursuant to written contracts that satisfy the requirements of CCPA/CPRA § 1798.140(ag) and GDPR Article 28. Categories include:
- Hosting and infrastructure: [e.g. Vercel, Railway, Cloudflare] — provide server, database, content-delivery, and DDoS protection services.
- Payment processing: Stripe, Inc. — processes subscription payments. Stripe acts as an independent controller of payment-card data; see https://stripe.com/privacy.
- Email delivery: [e.g. Resend, Postmark] — delivers transactional emails.
- Analytics: [e.g. Plausible Analytics, Cloudflare Web Analytics] — privacy-preserving usage analytics.
- Error monitoring: [e.g. Sentry] — error and crash reporting.
5.2 Advertising Partners
For free-tier accounts, we work with advertising partners including [Google AdSense / AdMob]. These partners may set cookies or similar identifiers to deliver and measure advertisements. To the extent these activities constitute "sharing" under CCPA/CPRA or third-party "tracking" requiring consent under ePrivacy law, we honor opt-out signals as described in Section 13 and obtain prior consent where required.
5.3 Other Users of the Service
Your username, region (if provided), ELO, win/loss/draw record, trophies, and game history are visible to other users of the Service through rankings, friend lists, and shared game records. Do not include sensitive information in your username.
5.4 Corporate Transactions
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, Personal Information may be transferred or disclosed to successors, advisors, and counterparties subject to confidentiality obligations, in accordance with applicable law.
5.5 Legal Requirements and Protection
We may disclose Personal Information when we believe in good faith that disclosure is necessary to: (i) comply with applicable law, court orders, subpoenas, or governmental requests; (ii) enforce our Terms of Service; (iii) detect, prevent, or address fraud, security, or technical issues; or (iv) protect against harm to the rights, property, or safety of the Controller, our users, or the public.
6. International Data Transfers
The Service is operated from [primary country, e.g. United States]. Personal Information may be transferred to, stored in, and processed in countries other than the country in which it was collected, including the United States and other jurisdictions that may have data-protection rules different from those of your country.
Where we transfer Personal Information of Data Subjects in the EEA, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection (an "adequacy decision"), we implement appropriate safeguards including:
- The European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) as supplemented by the UK International Data Transfer Addendum and the Swiss FDPIC-recognized variant;
- The EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework where the recipient is self-certified;
- Supplementary technical, organizational, and contractual measures consistent with the EDPB's Recommendations 01/2020 on supplementary measures.
You may request a copy of the safeguards in place by contacting us using the details in Section 20.
7. Retention
We retain Personal Information only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements, and to establish, exercise, or defend legal claims. The criteria we use to determine retention periods include:
- The duration of our ongoing relationship with you;
- Statutory limitation periods for legal claims, generally [four (4) to six (6) years] after termination of your account;
- Specific retention obligations imposed by applicable law (for example, tax records retention);
- Operational security and abuse-prevention needs (server logs are typically retained for [thirty (30) to ninety (90)] days).
On verified deletion request, we delete Personal Information within [thirty (30)] days, subject to exceptions enumerated in Section 12 below, and instruct our Service Providers to do the same. Backups containing your Personal Information are purged on the regular backup-rotation cycle, typically within [ninety (90)] days.
8. Security Measures
We implement reasonable and appropriate technical and organizational measures designed to protect Personal Information against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, including:
- Encryption in transit via TLS 1.2 or higher;
- Password hashing with bcrypt at industry-standard work factors;
- Signed authentication tokens (JWT) with limited lifetimes;
- Parameterized database queries to prevent injection;
- Logical access controls and principle of least privilege for personnel;
- Vendor due diligence and contractual data-protection commitments;
- Incident response procedures including notification of competent authorities and affected Data Subjects where required by applicable law (e.g., GDPR Articles 33-34; state-specific U.S. breach-notification statutes).
No method of transmission or storage is completely secure. We cannot guarantee absolute security, and you transmit information at your own risk.
9. Cookies and Similar Technologies
The Service uses cookies, browser local storage, session storage, pixel tags, and similar technologies (collectively, "Cookies"). Cookies fall into four categories:
- Strictly necessary — required to operate the Service (e.g., authentication tokens, security state). These cannot be disabled.
- Functional — remember preferences (theme selection, sound on/off).
- Analytics — measure aggregate usage; we use privacy-preserving analytics that do not set cross-site identifiers wherever possible.
- Advertising — set by ad networks for free-tier users; these may track activity for personalized advertising. We obtain consent prior to setting these where required by ePrivacy law and offer an opt-out mechanism elsewhere.
You can manage Cookies through your browser settings and through our in-app cookie banner where one is presented. EU, UK, and other ePrivacy-jurisdiction users will be shown an explicit consent banner before non-essential Cookies are set.
10. Children and Minors
The Service is not directed to children. We do not knowingly collect Personal Information from:
- Children under the age of thirteen (13) in the United States, in accordance with the Children's Online Privacy Protection Act ("COPPA") and the Federal Trade Commission's COPPA Rule, 16 C.F.R. Part 312;
- Children under the age of sixteen (16) in jurisdictions that have implemented a higher age of digital consent under Article 8(1) of the GDPR (this includes Germany, Ireland, the Netherlands, and others);
- Children under the local age of digital consent in any other jurisdiction.
If you are a parent or legal guardian and you become aware that your child has provided Personal Information without your verifiable consent, please contact us using the details in Section 20. We will delete the information promptly upon verification of parental status.
11. Automated Decision-Making and Profiling
We do not engage in automated decision-making that produces legal effects or similarly significant effects within the meaning of GDPR Article 22 or analogous laws. We do conduct limited automated profiling (e.g., ELO rating, matchmaking eligibility, lesson tier suggestions), but these processes do not produce decisions with legal or similarly significant effects.
12. Your Rights
Depending on your residence and applicable law, you may have the following rights with respect to your Personal Information. To exercise any right, please contact us as described in Section 20.
- Right of access — to obtain confirmation as to whether Personal Information about you is being processed and, if so, a copy of that information.
- Right to rectification — to correct inaccurate or incomplete Personal Information.
- Right to erasure / deletion — to request deletion of your Personal Information, subject to legal exceptions.
- Right to restrict processing — to limit how we use Personal Information in certain circumstances.
- Right to data portability — to receive Personal Information in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- Right to object — to object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
- Right to withdraw consent — where processing is based on consent.
- Right to opt out of "Sale" or "Sharing" for cross-context behavioral advertising.
- Right to limit use and disclosure of Sensitive Personal Information.
- Right to non-discrimination for exercising any privacy right.
- Right to lodge a complaint with a supervisory authority (see Section 18).
12.1 Verifying Requests
To protect your information, we verify your identity before responding to a rights request, including by asking you to authenticate to your account and, where appropriate, requesting additional information sufficient to establish that you are the person to whom the data pertains or an authorized agent. We will not require you to create an account solely to make a request.
12.2 Authorized Agents
You may designate an authorized agent to make requests on your behalf. The agent must provide signed written permission and we may require you to verify your identity directly.
12.3 Response Times
We respond to verified consumer requests within forty-five (45) days under CCPA/CPRA (extendable by an additional forty-five days where reasonably necessary, with notice), and within one (1) month under the GDPR (extendable by two further months for complex requests, with notice).
12.4 Appeals
If we deny your request, you may appeal that decision by contacting us at the address in Section 20 and identifying the request and the basis for your appeal. We will respond within sixty (60) days. If your appeal is denied and you believe we have unlawfully refused, you may contact the relevant state attorney general or supervisory authority. This procedure satisfies the appeal requirements of Virginia (VCDPA § 59.1-577), Colorado (CPA § 6-1-1306(3)), and Connecticut (CTDPA § 42-518) consumer-privacy statutes.
13. Notice for California Residents
This section supplements the foregoing for California residents and is provided in accordance with the CCPA, as amended by the CPRA, and its implementing regulations.
13.1 Notice at Collection
We collect the categories of Personal Information identified in Section 2 for the purposes described in Section 4. The retention periods are described in Section 7.
13.2 Sale, Sharing, and Sensitive Personal Information
We do not "sell" Personal Information for monetary consideration in the traditional sense. However, our use of advertising cookies and similar technologies for cross-context behavioral advertising may constitute a "Sale" or "Sharing" under the CPRA. You have the right to opt out of such Sale or Sharing.
To exercise your right to opt out, you may: (i) click "Do Not Sell or Share My Personal Information" in the footer; or (ii) configure a recognized Global Privacy Control (GPC) signal in your browser, which we will honor. We do not knowingly Sell or Share the Personal Information of consumers under age sixteen (16) without affirmative opt-in.
We do not use or disclose Sensitive Personal Information for purposes other than those permitted under CCPA/CPRA § 1798.121(a) without offering a right to limit. Because we do not collect Sensitive Personal Information by design, this right is largely inapplicable.
13.3 Shine the Light
California Civil Code § 1798.83 ("Shine the Light") permits California residents to request information about disclosures of Personal Information to third parties for those third parties' direct marketing purposes. We do not make such disclosures.
13.4 Financial Incentives
Premium subscriptions are not "financial incentive programs" within the meaning of CCPA/CPRA. We do not offer reduced pricing in exchange for retention of Personal Information.
14. Notice for Residents of Other U.S. States
This section applies to residents of Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Tennessee (TIPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHDPA), New Jersey (NJDPL), Florida (FDBR), Indiana (INCDPA), and any other state that adopts a substantially similar comprehensive consumer-privacy law.
You have rights to access, correct, delete, and obtain a portable copy of your Personal Information. You also have the right to opt out of: (a) targeted advertising; (b) the sale of Personal Information; and (c) profiling in furtherance of decisions that produce legal or similarly significant effects. We respond to verifiable requests within forty-five (45) days. Where the applicable statute provides an appeal right, the appeal procedure in Section 12.4 applies.
15. Notice for EU, EEA, UK, and Swiss Residents
For residents of the European Economic Area, the United Kingdom, and Switzerland, the controller for the processing described in this Policy is [Controller legal name and address].
15.1 Your Rights Under the GDPR
The rights set out in Section 12 reflect GDPR Articles 15-22. You have the right to lodge a complaint with the supervisory authority in your country of residence, workplace, or where the alleged infringement occurred. A directory of EU supervisory authorities is maintained by the European Data Protection Board at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the Information Commissioner's Office at https://ico.org.uk/make-a-complaint/. Swiss residents may contact the Federal Data Protection and Information Commissioner at https://www.edoeb.admin.ch/.
15.2 EU/UK Representative
Where required by GDPR Article 27 or UK GDPR, our EU and UK representative is [Representative name and address, e.g. EDPO or PrivacyLink]. You may contact the representative directly on all issues related to the processing of your Personal Information.
16. Notice for Other Jurisdictions
16.1 Brazil (LGPD)
For residents of Brazil, we comply with the Lei Geral de Proteção de Dados (Lei nº 13.709/2018, "LGPD"). Our legal bases for processing parallel those identified in Section 4 and correspond to LGPD Article 7 (or Article 11 for sensitive data). Brazilian Data Subjects may exercise rights under LGPD Article 18, including confirmation of processing, access, correction, anonymization, blocking, deletion, portability, and information about sharing. The Autoridade Nacional de Proteção de Dados ("ANPD") supervises our compliance.
16.2 Canada (PIPEDA)
For residents of Canada, we comply with the Personal Information Protection and Electronic Documents Act and applicable provincial laws (including Québec's Law 25). You may contact the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca/ for complaints.
16.3 Australia (Privacy Act)
For residents of Australia, we comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. The Office of the Australian Information Commissioner accepts complaints at https://www.oaic.gov.au/.
16.4 Singapore (PDPA), South Korea (PIPA), Japan (APPI), India (DPDPA)
We process Personal Information in accordance with applicable local statutes. Data Subjects in these jurisdictions may exercise the rights granted by their applicable local laws by contacting us.
17. Do Not Track and Global Privacy Control
Some browsers transmit "Do Not Track" ("DNT") signals. Because no industry standard currently governs DNT signals, we do not respond to them. However, we recognize and honor the Global Privacy Control ("GPC") signal as an opt-out preference signal under CCPA/CPRA § 7025 of the implementing regulations, and we treat receipt of a GPC signal from a known California user as a valid request to opt out of the Sale and Sharing of Personal Information.
18. Data Protection Officer and Supervisory Authority Contacts
Although we are not strictly required to designate a Data Protection Officer ("DPO") under GDPR Article 37, we have voluntarily appointed a Privacy Lead to coordinate compliance. Reach the Privacy Lead at [privacy@chesstrophies.com].
19. Changes to This Policy
We may amend this Policy from time to time. Material changes will be communicated in-app, via email to account holders, or by a prominent notice on the Service at least fourteen (14) days before the changes take effect (or such longer period as required by applicable law). The "Last revised" date at the top of this Policy reflects the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.
20. How to Contact Us
For privacy questions, requests, and complaints:
- Email: [privacy@chesstrophies.com]
- Postal: [Controller legal name, attn: Privacy, full postal address]
- EU/UK Representative: [Representative contact]
This Policy was prepared as a template using attorney-style drafting conventions and addresses commonly required disclosures under leading privacy regimes. It is not legal advice. Before publication, this document should be reviewed and customized by an attorney admitted in each jurisdiction where the Controller does business, in light of actual data flows, vendor agreements, and applicable sector-specific laws (including, where relevant, the U.S. GLBA, HIPAA, FCRA, FERPA, COPPA, the EU GDPR, the UK GDPR, the ePrivacy Directive, applicable state comprehensive privacy laws, and applicable foreign laws).