Privacy Policy

Last updated: 8 April 2026 — Notice version: 2026-04-08

1. Who we are

PlayChess is a UK chess education service for children and families. We provide online chess learning for children aged 4–18, managed by parents and coaches through a secure platform at app.playchess.uk.

We are committed to the UK Children's Code (Age Appropriate Design Code) principles, including high-privacy defaults, data minimisation, and no behavioural advertising.

Contact: [email protected]

2. ICO registration

PlayChess is registered with the Information Commissioner's Office (ICO) as a data controller. ICO registration pending — registration number will be added here once issued. You can verify UK data controller registrations at ico.org.uk.

3. Services covered

This policy covers both playchess.uk (our public marketing site) and app.playchess.uk (our platform for registered users). Both are operated by the same controller under the same policy.

4. What data we collect

Adults (parents and coaches)

Name and email address
Account role (parent or coach)
Communications preferences
Technical data: IP address, device type, browser, access logs

Children

We collect the minimum data necessary to provide the service. We never collect a child's full date of birth, real name, home address, or school name.

Age band (e.g. 4–8, 9–12) — derived from birth month and year supplied by the parent or coach at account creation. The birth month and year are used only to calculate the age band and are not retained after derivation.
Display name / alias — an auto-generated username (e.g. swift-knight-42). This is never a real name. Adults may request a change; children cannot self-change.
Guardian email — the responsible adult's email address, used for parental consent, account management, and safety alerts.
Gameplay and learning progression data — moves played, lessons completed, results. Used to provide the learning experience.
Safety signals — minimal technical data required to enforce session limits and rate limiting.

5. How data is collected

Directly — from application forms, sign-up, and gameplay activity.
From parents and coaches — when an adult creates or manages a child account on their behalf.
Automatically — session logs and security signals collected when the platform is used.

6. Why we use your data (purposes and lawful bases)

Purpose	Data categories	Lawful basis
Providing the chess education service	All account and gameplay data	Contract (adult); Parental consent (child under 13)
Account security and fraud prevention	Technical data, session logs	Legitimate interests
Parental consent and audit trail	Guardian email, consent records	Legal obligation (UK GDPR Article 7, Children's Code)
Communications about your account	Email address	Contract / Legitimate interests
Compliance with legal obligations	Audit logs, consent records	Legal obligation

We do not use personal data for behavioural advertising, sell data to third parties, or carry out automated decision-making with significant legal or similar effects.

7. Children's data and parental responsibility

PlayChess is designed for children aged 4–18. Children under 13 require verified parental or guardian consent before an account is activated. We operate a consent-first model: no child identity or data is created until the responsible adult confirms consent via a secure email link.

Parents and coaches create and manage child accounts. Children's accounts are linked to a responsible adult at all times. Parents retain the right to:

Reset a child's login credentials at any time
Withdraw consent, which triggers deletion of the child's account and data
Set session time limits (in line with the Children's Code)
Submit a data subject access request on behalf of a child

Our platform applies high-privacy defaults for all children: no public profiles, no open chat with strangers, no location tracking, no profiling for advertising.

Children aged 13 and over may exercise certain rights independently (see section 11). This will be available as a self-service flow in a future update.

8. Who we share data with

We share data only with processors who help us deliver the service:

Supabase Inc. — database hosting, authentication, and storage. Data is stored in the eu-west-2 (London) AWS region. Supabase acts as a data processor under a Data Processing Agreement and cannot use your data for their own purposes.
Resend Inc. — transactional email delivery (account invites, consent emails, security alerts). Email metadata is processed in the United States under Standard Contractual Clauses and the UK International Data Transfer Agreement.

We do not sell data to, or share data with, any advertising networks, data brokers, or third-party analytics providers. No analytics are collected at this stage of the platform.

9. International data transfers

Your data is stored primarily in the UK/EU via Supabase on AWS eu-west-2 (London). Where transfers outside the UK occur (specifically for email delivery via Resend), they are protected by:

UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs)
The UK extension to the EU–US Data Privacy Framework where applicable

10. How long we keep your data

Data type	Retention period
Active account data (adult)	Life of account + 30 days after deletion request
Active account data (child)	Life of account; deleted on consent withdrawal
Parental consent records	Life of child account + 7 years (Limitation Act 1980; tolling for minors)
Security and audit logs	90 days (rolling)
Beta application records	12 months after application closes or is rejected

When an account is deleted, all associated personal data is removed except where we are legally required to retain it (e.g. consent audit records).

11. Your rights

Under UK GDPR you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — ask us to correct inaccurate data
Erasure — ask us to delete your data (“right to be forgotten”)
Restriction — ask us to pause processing in certain circumstances
Portability — receive your data in a machine-readable format
Objection — object to processing based on legitimate interests
Rights related to automated decisions — we do not carry out automated decision-making with significant effects, but you may request human review of any automated process that affects you

Children have the same rights as adults. Parents may act on behalf of younger children. Older children (13+) may exercise rights themselves — this will be available as a self-service flow in a future release.

12. How to exercise your rights

Your name and the email address associated with your account
A description of your request
If acting on behalf of a child, confirmation of your relationship to them

We will respond within one month. If the request is complex we may extend this by a further two months and will notify you.

13. How to complain

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the ICO:

ico.org.uk/make-a-complaint
Telephone: 0303 123 1113

We would always appreciate the opportunity to resolve your concerns directly first — please contact us at [email protected].

14. Security

We take security seriously. Our technical measures include:

All data encrypted in transit (TLS 1.2+)
Authentication cookies are HTTP-only and not accessible to JavaScript
Child login credentials never stored in plaintext
Rate limiting on child authentication to prevent brute-force attacks
Role-based access controls enforced at the database level
Service-role API keys never exposed to browsers or client bundles

15. Changes to this policy

If we make material changes to this policy, we will notify registered users by email and display a notice in the platform. The “last updated” date at the top of this page reflects the most recent revision.

Consent records link to the version of this notice that was in force at the time consent was given. Version identifier: 2026-04-08.