Privacy Policy
Last updated: 31 May 2026
This Privacy Policy explains how Chessivity FlexCo (“Chessivity”, “we”, “us”) processes personal data when you use our website, our platform and our related services (the “Service”).
The German-language version is the authoritative version. An English-language version may additionally be provided; in the event of any discrepancies, the German-language version shall prevail.
We process personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), the Austrian Data Protection Act (“DSG”), the Austrian Telecommunications Act 2021 (“TKG 2021”) and other applicable legislation.
1. Controller
The controller within the meaning of the GDPR is:
Chessivity FlexCo
Trummelhofgasse 10/2
1190 Vienna, Austria
Company register number: FN 679909t
Company register court: Commercial Court of Vienna
Email address for data protection enquiries: privacy@chessivity.com
Represented by its Managing Director: Valentin Dragnev.
2. Scope
This Privacy Policy applies to visitors to our website and to registered users of Chessivity.
It does not apply to third-party websites, platforms or services to which we link or which you use independently of Chessivity. The respective providers’ privacy notices apply to such services.
3. Personal Data We Process
Depending on how you use the Service, we may process the following categories of personal data in particular.
3.1 Account and Profile Data
This includes in particular:
- username or handle;
- email address;
- password hash, if you register using an email address and password;
- display name;
- profile text;
- profile picture, if you upload one;
- chess-related profile information, such as title, rating information, preferred platforms or other voluntary information;
- privacy settings, such as whether your profile is public or restricted;
- notification settings;
- marketing and communication preferences and records of consent given;
- account creation date, last login and similar technical account information;
- age confirmation, where required as part of the registration process.
The information marked as required for registration, login and use of the respective functions is necessary in order to provide the Service. Without this information, we cannot provide the user account or the respective function. Other profile information is voluntary.
3.2 Login and Authentication Data
Depending on the login method selected, we process:
- for email/password login: email address, password hash, login timestamps and technical security data;
- for Lichess login or Lichess account linking: technical OAuth data and the Lichess information required for the account link;
- for Google login: data transmitted by Google, such as Google ID, email address, name and profile picture, to the extent provided by Google;
- session and security tokens, in particular access tokens, refresh tokens and CSRF values.
Passwords are not stored in plain text.
3.3 Content and Social Activity
This includes in particular:
- posts, comments and other content published by you;
- uploaded or entered games, PGNs, positions, training content or puzzle interactions;
- likes, reactions, follows, follow requests, blocks, saved content, flags, pinned content and other interactions;
- timestamps and technical metadata relating to such activity.
Depending on your settings, profile information, posts, comments, reactions, followers/following information and chess-related activity data may be publicly visible. Your handle, display name, profile text and profile picture are always publicly visible. Visibility and private-profile settings determine who may view content; they do not restrict access by authorised personnel for moderation, security and legal compliance purposes. Publicly visible content may be viewed, shared, quoted, copied or stored outside Chessivity by other users. We cannot prevent publicly accessible content from being copied, archived, indexed or captured by search engines.
3.4 Uploads and Media
If you upload profile pictures, image posts or other media attachments, we process in particular:
- the respective file;
- technical metadata such as file type, file size and timestamps;
- results of automated image checks, such as probabilities for content categories and an aggregated assessment score;
- the association with the relevant user account and the relevant purpose, such as profile picture or post attachment;
- links between uploads and profiles, posts or comments.
Profile pictures are publicly visible through our site (not as directly guessable storage links). Post images are served only to viewers allowed to see the linked post. We strip embedded photo metadata (such as GPS) when you upload.
Uploaded images are automatically checked for clearly impermissible content. This check is carried out by systems operated by us within the European Economic Area. No images are transmitted to external cloud moderation APIs for this purpose.
We do not use profile pictures for biometric identification and do not use facial recognition to uniquely identify individuals.
3.5 Lichess-Related Data
If you link your Lichess account to Chessivity or log in via Lichess, we process in particular:
- your public Lichess username;
- the link between your Chessivity account and your Lichess account;
- profile and activity information publicly available via Lichess, to the extent used for Chessivity functions;
- public Lichess profile data, such as title status, ratings, profile information, country information, playing times, activity data and other information made publicly available by Lichess;
- where synchronisation is enabled: periodic retrievals of publicly available Lichess activity data, in particular playing-time and activity data for specific time periods.
The sources of this data include the public interfaces and publicly accessible information provided by Lichess. Lichess access tokens are not stored permanently in our database and are processed only temporarily as part of the login, linking or profile-retrieval process.
You may remove a link to your Lichess account in the account settings. Removing the link ends future synchronisation.
3.6 Chess-Related Usage and Analytics Data
We may process chess-related data that you provide yourself or that arises when you use Chessivity. This may include in particular:
- information about openings, variations, positions and games;
- topics appearing in posts, comments or games;
- puzzle and training interactions, such as attempts to solve tasks;
- statistical information relating to chess-related activity;
- other interactions with content within Chessivity.
This data may be used for the operation and improvement of Chessivity, product recommendations, content organisation, security and abuse prevention, and aggregated and anonymised statistics.
3.7 Calendar and Event Data
If you use the calendar, we process event data, such as title, description, location, meeting link, times and visibility settings, as well as invitations, RSVP information, personal notes and reminder settings that are visible only to you. Depending on the selected settings, other users, such as invitees, followers or registered calendar users, may be able to see event details.
Calendar subscription (ICS): You may generate a subscription link. Any person who has access to this link may read the events made available through the link and visible to you without logging in to Chessivity. You may revoke or regenerate the link.
3.8 Technical Data, Security Data and Server Logs
When you access our Service, technical data may be processed, including in particular:
- IP address;
- date and time of access;
- pages or endpoints accessed;
- browser type, operating system and device information;
- referrer URL;
- technical error data;
- login attempts;
- security and abuse-prevention logs;
- data relating to rate limiting, spam detection and protection of the Service.
3.9 Communication and Support
If you contact us, we process the information you provide, in particular your name, email address, the content of your enquiry, the time of the enquiry and the communication history.
3.10 Special Categories of Personal Data
We do not ask you to disclose special categories of personal data within the meaning of Article 9 GDPR, such as health data, political opinions, religious beliefs or comparable sensitive information, on Chessivity.
If you manifestly make such information public yourself in publicly visible profiles, posts, comments or profile pictures, we may process it in connection with providing the Service, the publication selected by you, and our moderation, security and legal enforcement processes. The legal basis in such cases is Article 9(2)(e) GDPR.
4. Purposes and Legal Bases
We process personal data in particular for the following purposes and on the following legal bases.
4.1 Provision of the Service
We process account data, profile data, content data, interaction data and technical data in order to provide Chessivity, manage user accounts, enable login functions and display profiles, posts, comments, games, puzzles, feeds, reactions, follows, calendars, invitations, RSVPs and other platform functions. In relation to the calendar, this includes reminders and, where configured by you, the provision of visible events through an ICS subscription link.
Legal basis: performance of a contract or steps taken at your request prior to entering into a contract, Article 6(1)(b) GDPR.
4.2 Security, Abuse Prevention and Technical Operation
We process technical data, logs and security data in order to protect the Service, detect abuse, spam, fraud, attacks or impermissible use, correct technical errors and ensure the stability of the platform.
Legal basis: legitimate interests, Article 6(1)(f) GDPR, and, where required, performance of a contract, Article 6(1)(b) GDPR.
4.3 Chess-Related Analysis, Product Improvement and Recommendations
We may analyse chess-related content and activity data in order to improve the Service, organise content more effectively, optimise search and feed functions, recommend relevant content or functions, identify trends and develop new functions.
Legal basis: legitimate interests in product improvement, platform operation, relevance and further development of the Service, Article 6(1)(f) GDPR; where a function is directly part of the platform functions used by you, also performance of a contract, Article 6(1)(b) GDPR.
4.4 Aggregated and Anonymised Statistics
We may use chess-related content, activity data and usage data to create aggregated or anonymised statistics, for example regarding frequently discussed openings, training interests, puzzle results, platform trends or general usage developments.
Such statistics are intended not to allow any conclusions to be drawn about individual users. We may use or provide aggregated or anonymised statistics for product development, market analysis, public communications, research and cooperation projects.
Legal basis for the preceding processing of personal data: legitimate interests in product development, market analysis, platform improvement and the economic development of Chessivity, Article 6(1)(f) GDPR. To the extent that data has been effectively anonymised, it no longer falls within the scope of the GDPR.
4.5 Lichess Account Linking and Lichess Synchronisation
If you use Lichess for login or account linking, we process the data required for this purpose in order to verify your Lichess identity, link your account and use publicly accessible Lichess information within Chessivity.
If you enable optional synchronisation functions, publicly accessible Lichess data may be retrieved regularly and analysed or displayed within Chessivity.
Legal basis: performance of a contract or provision of the account-linking and synchronisation functions requested by you, Article 6(1)(b) GDPR; to the extent that public data is used for analysis, product improvement or platform functions, legitimate interests, Article 6(1)(f) GDPR.
4.6 Google Login
If you log in via Google or link a Google account, we process the data transmitted by Google to the extent required for authentication, account creation, login or account linking.
Legal basis: performance of a contract or steps taken at your request prior to entering into a contract, Article 6(1)(b) GDPR.
Google processes personal data in accordance with its own privacy notices and may process data outside the European Economic Area.
4.7 Analytics with Umami
We use an Umami Analytics instance operated by us for aggregated usage measurement and product improvement. Umami is used on our infrastructure within the European Economic Area and without analytics cookies.
Without your consent, we collect data-minimised usage statistics that are not linked to your user account, in particular page views and technical usage data. Linking data to user accounts or using internal user ID or event tracking takes place only with your consent.
Legal basis: legitimate interests in data-minimised reach measurement, error analysis and product improvement, Article 6(1)(f) GDPR. For linking data to user accounts or for extended event tracking, the legal basis is your consent pursuant to Article 6(1)(a) GDPR.
4.8 Error Analysis and Technical Monitoring
For error analysis and technical monitoring, we may use a system operated by us, in particular GlitchTip, in order to detect and correct technical errors, crashes and security issues. In this context, technical error data, stack traces, request context and device/browser information may be processed.
Legal basis: legitimate interests in the security, stability and troubleshooting of the Service, Article 6(1)(f) GDPR.
4.9 Email Communications and Notifications
We process email addresses and message metadata in order to inform you by in-app notification and/or email in accordance with your settings, in particular about account-related and security-related events, registration, login, password resets, important Service information and activity-related notifications. Emails generally include a subject line, a brief message, where applicable the name or handle of the person triggering the notification, and a link to the relevant content. You may withdraw your consent to marketing communications at any time with effect for the future, in particular by using the unsubscribe link in the relevant email.
We may use Brevo as an email service provider for transactional emails. For support, legal and data protection communications, we use Proton.
Legal basis: performance of a contract, Article 6(1)(b) GDPR, where notifications are required for the account, security or use of the Service; legitimate interests, Article 6(1)(f) GDPR, where communication serves administration, security or improvement of the Service; consent, Article 6(1)(a) GDPR, where we send optional marketing communications.
4.10 Communication and Support
We process communication data in order to respond to enquiries, provide support, handle legal matters and protect our rights.
Legal basis: legitimate interests, Article 6(1)(f) GDPR; Article 6(1)(b) GDPR for contract-related enquiries; Article 6(1)(c) GDPR where legal obligations apply.
4.11 Legal Obligations and Enforcement
We may process data where necessary to comply with legal obligations, respond to requests from authorities, enforce our terms or assert, exercise or defend legal claims.
Legal basis: Article 6(1)(c) GDPR where a legal obligation applies; otherwise legitimate interests, Article 6(1)(f) GDPR.
4.12 Moderation and Enforcement of Platform Rules
We use authorised personnel to operate Chessivity, process reports, enforce our platform rules, investigate abuse and security incidents, and review unlawful or impermissible content. For these purposes, authorised persons may review stored posts, comments, profile information and uploaded media, including content that is not visible to other users, for example due to a private profile, content flagged for review or content that has already been deleted but remains stored in our systems. Access is limited to what is necessary for these purposes and does not take place for advertising purposes or general profile inspection.
Legal basis: legitimate interests in the secure operation of the platform, the protection of users and the enforcement of our terms, Article 6(1)(f) GDPR; Article 6(1)(c) GDPR where a legal obligation applies; Article 6(1)(b) GDPR where processing is required for performance of the user agreement.
5. Cookies, Local Storage and Similar Technologies
We use technically necessary cookies and comparable technologies in order to provide the Service.
5.1 Authentication and Security
For logged-in users, the following cookies in particular may be set:
- chessivity_session: access token, typically approximately 15 minutes;
- chessivity_refresh: refresh token, typically approximately 7 days;
- chessivity_auth_csrf: CSRF protection for registration and login;
- google_oauth_state and google_oauth_return_to: short-lived technical cookies for Google login, typically approximately 10 minutes.
These cookies are used for authentication, security, abuse prevention, session management and secure login. They are necessary for use of the relevant functions.
Where possible, we use security-oriented settings such as HttpOnly, Secure and SameSite.
5.2 sessionStorage and localStorage
We may use sessionStorage for short-lived technical login and OAuth support values, such as Lichess PKCE/state, onboarding prefill, feed mode or return paths after login.
We may use localStorage to store your theme preference, such as light or dark mode.
5.3 Analytics and Non-Essential Technologies
Umami is operated without analytics cookies. For technically non-essential cookies, comparable storage access, extended event tracking or tracking technologies requiring consent, we obtain consent where required by law.
6. Social Login and Third-Party Providers
6.1 Login Using Email and Password
If you register using an email address and password, we store your email address and a password hash. Your password is not stored in plain text.
6.2 Lichess OAuth
If you log in via Lichess or link your Lichess account, you will be redirected to Lichess. Lichess processes data in accordance with its own privacy notices. We receive the data required for authentication, account linking and use of the relevant function, in particular your public Lichess username and technically required OAuth data.
Lichess access tokens are not stored permanently in our database and are processed only temporarily during token exchange and profile retrieval.
6.3 Google Login
If you log in via Google, you will be redirected to Google. Google processes data in accordance with its own privacy notices. We receive the data required for authentication, account creation or account linking, in particular your Google ID, email address, name and profile picture, to the extent transmitted by Google.
Google may process personal data outside the European Economic Area. Google is responsible for its own processing activities.
7. Hosting, Infrastructure, Processors and Recipients
We operate Chessivity on infrastructure controlled by us within the European Economic Area. Uploads, profile pictures and other media may be stored in object storage and delivered from there.
For transactional emails, such as registration, login, password resets and activity-related notifications, we may use Brevo. For support, legal and data protection communications, we use Proton.
Recipients of personal data may include in particular:
- authorised members of our team, to the extent required for operation, moderation, security or legal compliance;
- hosting, infrastructure, database and storage providers;
- email and communication service providers;
- domain, DNS and security service providers;
- analytics, error analysis and logging systems;
- legal advisers, tax advisers, public authorities or courts, where required.
Where service providers process personal data on our behalf, we enter into appropriate agreements pursuant to Article 28 GDPR. Where service providers act as independent controllers, their own privacy notices additionally apply.
We aim to process platform data within the European Economic Area wherever possible. Individual service providers, in particular email, security or authentication providers, may nevertheless be established in third countries or use subprocessors in third countries. In such cases, we rely on appropriate safeguards under the GDPR, in particular adequacy decisions, standard contractual clauses and, where required, supplementary measures. Further information regarding the safeguards used and a copy of the relevant safeguards are available upon request at privacy@chessivity.com.
8. Moderation and Automated Decisions
For moderation purposes, content may be reviewed by authorised personnel, in particular in response to user reports, automated flags, security incidents or where necessary to enforce our rules (see Section 4.12).
We may use technical and rule-based checks in order to detect spam, abuse, security risks or potential breaches of our rules. Such checks may generate internal signals or flag content for review.
Where we use automated systems, classifiers or language models to support moderation, these are used for preliminary checks and to support human decision-making. Permanent sanctions, such as account suspensions, are not imposed exclusively by automated means.
We do not make decisions based solely on automated processing within the meaning of Article 22 GDPR that produce legal effects concerning you or similarly significantly affect you.
9. Visibility, Search Engines and External Distribution
Parts of Chessivity are designed as a public or partially public platform. Depending on the relevant function and settings, content and profile information may be publicly visible.
Public content may be indexed by search engines, shared, quoted, copied or stored outside Chessivity by other users. Even if you later delete content or close your account, copies or quotations outside our control may continue to exist.
We recommend that you do not publish information that you do not wish to make publicly accessible.
10. Retention Periods and Deletion
We retain personal data only for as long as required for the relevant purposes, unless longer retention is required by law or further storage is necessary for legal enforcement.
The following principles apply in particular:
- Account and profile data: retained for the duration of the user account. When an account is deleted, profile data is deleted or anonymised unless legal requirements or legitimate reasons require longer retention.
- Public content: posts, comments, games, puzzles and other content may be retained until deleted by the user or until the account is deleted. When an account is deleted, the user's own posts and comments are deleted or redacted and separated from the user profile. Anonymised or redacted residual records may remain where necessary to preserve the integrity of the Service or the rights of other users.
- Uploads and profile pictures: uploads and profile pictures are generally removed when an account is deleted, unless legal or technical reasons prevent this. Temporary, pending or orphaned media may be deleted automatically after technical retention periods.
- Lichess and Google account links: account-linking data is generally removed when an account is deleted.
- Calendar: events, invitations, personal notes and reminder settings are retained until you delete them, the organiser deletes them or you close your account. You may revoke or regenerate ICS subscription tokens at any time; an old link will then cease to be valid.
- Security and server logs: generally retained for up to 90 days, and longer only in the event of security incidents, suspected abuse, technical error analysis or legal enforcement.
- Error analysis and monitoring data: retained only for as long as required for error analysis, security and stability, and at most for the retention period set for the relevant system.
- Support communications: generally retained for up to 3 years after the enquiry has been closed, and longer where legally necessary.
- Backups: deleted data may remain in backups for a limited period until overwritten as part of our backup cycles. Data is restored from backups only where technically or legally necessary.
- Aggregated or anonymised statistics: may be stored and used permanently, provided that no conclusions can be drawn about individual users.
When processing deletion requests, we follow documented deletion and anonymisation procedures. Complete deletion of personal data may be restricted where statutory retention obligations apply or where further processing is required for the establishment, exercise or defence of legal claims. Anonymised or redacted residual records without personal references may remain.
11. Your Rights
Subject to the requirements of the GDPR, you have the following rights in particular:
- right of access;
- right to rectification;
- right to erasure;
- right to restriction of processing;
- right to data portability;
- right to object to processing based on legitimate interests;
- right to withdraw consent with effect for the future;
- right to lodge a complaint with a supervisory authority.
Where we process data on the basis of legitimate interests, you may object on grounds relating to your particular situation.
To exercise your rights, please contact us at privacy@chessivity.com. We may request proof of identity where required in order to process your request securely.
12. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. In Austria, this is in particular:
Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna
Website: www.dsb.gv.at
You may also contact the supervisory authority responsible for your habitual residence, place of work or the place of the alleged infringement.
13. Changes to this Privacy Policy
We may amend this Privacy Policy if our Service, our data processing activities or the applicable legal framework change. The current version will be published on our website.
In the event of material changes to our data processing activities, we will notify you separately where required by law.
14. Contact
For data protection enquiries, please contact us at privacy@chessivity.com or by post at the address stated in Section 1.