Privacy Policy for Chessbuddy

Effective Date: 12/23/2025

This Privacy Policy explains how Chessbuddy (“we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you visit or use the web application at https://chessbuddy.app (the “Service”). We are committed to protecting your privacy in accordance with applicable law, including the General Data Protection Regulation (GDPR).

1. Data Controller

Chessbuddy is operated by:

Daniel Mecke
Email: [email protected]
Country: Germany

Hereafter, “Chessbuddy”, “we”, “us” and “our” refer to this controller.

2. Scope of this Policy

This Privacy Policy applies to personal data processed when you use the Service or interact with us (e.g., account creation, emails, payments).

3. Personal Data We Collect

3.1 Data You Provide

We collect only the data you actively submit when using the Service:

  • Your email address
  • Your username
  • Your password (stored only in hashed form)

We do not provide fields for, or require:

  • real names
  • postal addresses
  • phone numbers

3.2 Automatically Processed Data

We also process technical and usage data necessary to operate the Service and improve functionality:

  • Session-related technical identifiers
  • Usage events (features used, pages visited)

We do not retain IP addresses in user profiles. IP addresses may appear in backend server logs for short‑term technical and security purposes and are automatically rotated/deleted after a short period.

4. Analytics (PostHog)

We use PostHog Cloud to collect anonymous analytics (page views, feature interactions, event data, and session recordings) for product improvement.

  • PostHog is hosted in the EU (European Union)
  • Data is collected without identifying individuals

No advertising or cross‑site tracking is performed.

5. Cookies and Similar Technologies

We use only technically necessary cookies required for:

  • Session management
  • Authentication
  • Security (e.g. CSRF protection)

We do not use any advertising, marketing, or third‑party tracking cookies.

6. Payments (Stripe)

If you use paid features:

  • Payments are processed via Stripe
  • Stripe collects and processes payment data under its own privacy practices
  • Chessbuddy does not store or access full card details

7. Emails and Communication

We may send you:

  • Transactional emails (account updates, password resets, receipts)
  • Marketing or informational emails (product news, feature announcements)

You can unsubscribe from marketing and informational communications at any time via the provided opt‑out links or by contacting us.

8. Hosting & Backups

  • The Service is hosted on Hetzner Cloud servers in Germany
  • Cloudflare is used as a proxy for security and reliability
  • Daily database backups are maintained in Germany

Backups are stored within the EU and are managed per our internal retention practices.

9. Legal Basis for Data Processing (GDPR)

We process personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): Account setup and Service provision
  • Legitimate interest (Art. 6(1)(f) GDPR): Security, abuse prevention, product improvement
  • Compliance with legal obligations (Art. 6(1)(c) GDPR): E.g., billing regulations

Marketing communications are processed on the basis of consent where required by law.

10. Data Retention

We retain personal data only as long as necessary:

  • Account data: Until the account is deleted
  • Transactional / billing data: As required by law
  • Technical logs: Short duration for operational purposes

11. Data Sharing and Disclosure

We do not sell or rent your personal data.

We may share personal data only with:

  • Service providers under contract (e.g., Stripe, PostHog, hosting infrastructure)
  • Authorities, if required by law (e.g., valid court order or legal obligation)

All service providers are required to protect your data and may not use it for other purposes.

12. Your Data Protection Rights

Under GDPR and applicable law, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Restrict or object to processing
  • Receive your data in a portable format
  • Lodge a complaint with a supervisory authority

You can exercise these rights by contacting us at [email protected].

13. Age Requirement

Under Article 8 of the GDPR, processing personal data based on consent requires that a user be at least 16 years old in Germany. For users under 16, lawful processing may require verified parental consent. Accordingly, the Service is intended for users aged 16 and older.

This is a legal requirement related to data protection law, not a statement about content suitability.

14. Changes to this Policy

We may update this Privacy Policy at any time. The latest version will be published on the Service with an updated effective date.

15. Contact

If you have questions about this Privacy Policy or our practices, please contact:

[email protected]