Privacy Policy

1. Introduction

Chess365 ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Data Controller

For the purposes of the GDPR, the data controller is Chess365. For any privacy-related inquiries, please contact us at contact@chess365.ai.

3. Personal Data We Collect

We collect the following personal data:

• Email Address: Collected through Google OAuth when you sign in. Used for account identification and sending notifications.
• Account Preferences: Your tournament subscriptions, player tracking preferences, and notification settings.
• Usage Data: Basic usage information such as when you access the service. We do not track detailed browsing behavior.

We do NOT collect: Payment information (the service is free), location data, device fingerprints, or any sensitive personal data.

4. How We Use Your Data

We use your personal data exclusively for:

• Providing the core service: tracking chess tournaments and sending notifications about player results
• Account management and authentication
• Responding to your inquiries or support requests
• Improving our service based on aggregated, anonymized usage patterns

We do NOT: Sell your data, use it for advertising, create user profiles for marketing, or share it with third parties for their own purposes.

5. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide the service you requested when creating an account.
• Consent (Article 6(1)(a)): For sending email notifications. You can withdraw consent at any time by unsubscribing.
• Legitimate Interests (Article 6(1)(f)): For service improvement and security, balanced against your privacy rights.

6. Third-Party Services

We use the following third-party services that may process your data:

• Google OAuth: For authentication. Google receives your authentication request. See Google's Privacy Policy.
• Supabase: Our database and authentication provider (EU-hosted). Supabase is GDPR compliant. See Supabase Privacy Policy.
• Resend: For sending email notifications. See Resend Privacy Policy.
• Vercel: Our hosting provider. See Vercel Privacy Policy.

7. Chess Tournament Data

We collect publicly available chess tournament data from chess-results.com, including player names, rankings, ratings, and game results. This is public information that players have consented to publish when registering for rated tournaments. We do not collect any private information about chess players.

8. Data Retention

We retain your data as follows:

• Account data: Until you delete your account
• Subscription data: Until you unsubscribe or delete your account
• Tournament data: 90 days after a tournament ends
• Notification history: 30 days

Upon account deletion, we will delete all your personal data within 30 days, except where retention is required by law.

9. Your Rights Under GDPR

If you are in the European Economic Area (EEA), you have the following rights:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restriction: Request limitation of processing
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at contact@chess365.ai. We will respond within 30 days.

10. Your Rights Under CCPA (California Residents)

If you are a California resident, you have the right to:

• Know what personal information we collect about you
• Request deletion of your personal information
• Opt-out of the sale of personal information (we do not sell personal information)
• Non-discrimination for exercising your privacy rights

11. Cookies

We use only essential cookies required for the service to function:

• Authentication cookies: To keep you signed in
• Security cookies: For CSRF protection

We do NOT use: Analytics cookies, advertising cookies, tracking cookies, or third-party cookies for marketing purposes.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including: encryption in transit (HTTPS/TLS), encryption at rest, access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

13. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, where required.

14. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will delete such information.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

16. Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. In the EU, you can find your local authority at EDPB Members.

17. Contact Us

For any questions about this Privacy Policy or our data practices, please contact us at: contact@chess365.ai