Privacy Policy
Last updated: 18 April 2026 — Notice version: 2026-04-18
1. Who we are
MyChessFamily is a UK chess education service for children and families. We provide online chess learning for children aged 4–18, managed by parents and guardians through a secure platform at app.mychessfamily.uk.
We are committed to the UK Children's Code (Age Appropriate Design Code) principles, including high-privacy defaults, data minimisation, and no behavioural advertising.
Contact: [email protected]
2. ICO registration
MyChessFamily is registered with the Information Commissioner's Office (ICO) as a data controller. ICO registration pending — registration number will be added here once issued. You can verify UK data controller registrations at ico.org.uk.
3. Services covered
This policy covers both mychessfamily.uk (our public marketing site) and app.mychessfamily.uk (our platform for registered users). Both are operated by the same controller under the same policy.
4. What data we collect
Adults (parents and guardians)
- Name and email address
- Account role (parent or guardian)
- Communications preferences
- Technical data: IP address, device type, browser, access logs
Children
We collect the minimum data necessary to provide the service. We never collect a child's full date of birth, real name, home address, or school name.
- Age band (e.g. 4–8, 9–12) — derived from birth month and year supplied by the parent or guardian at account creation. The birth month and year are used only to calculate the age band and are not retained after derivation.
- Display name / alias — an auto-generated username (e.g. swift-knight-42). This is never a real name. Adults may request a change; children cannot self-change.
- Guardian email — the responsible adult's email address, used for parental consent, account management, and safety alerts.
- Gameplay and learning progression data — moves played, lessons completed, results and bot game outcomes. Used to provide the learning experience.
- Live game records — when a child plays a live (human-vs-human) match, the game moves and final result are stored. These are retained for game review, rating calculation, and opponent history integrity. See section 10 for our anonymise-and-retain policy on account deletion.
- Chess rating — a Glicko-2 rating (numeric score, deviation, and volatility) is calculated from live game results and stored in the child's profile. This is used only to provide the matchmaking and progression features.
- Safety signals — minimal technical data required to enforce session limits and rate limiting.
5. How data is collected
- Directly — from application forms, sign-up, and gameplay activity.
- From parents and guardians — when an adult creates or manages a child account on their behalf.
- Automatically — session logs and security signals collected when the platform is used.
6. Why we use your data (purposes and lawful bases)
| Purpose | Data categories | Lawful basis |
|---|---|---|
| Providing the chess education service | All account and gameplay data | Contract (adult and solo 16-17); Parental consent (child under 16) |
| Account security and fraud prevention | Technical data, session logs | Legitimate interests |
| Parental consent and audit trail | Guardian email, consent records | Legal obligation (UK GDPR Article 7, Children's Code) |
| Communications about your account | Email address | Contract / Legitimate interests |
| Live game records, move history, and rating | Live game data, rating history | Contract / Legitimate interests (game integrity; opponent history) |
| Pseudonymised product analytics | Anonymised usage events (see §8) | Legitimate interests (service improvement) — no personal data transmitted |
| Compliance with legal obligations | Audit logs, consent records | Legal obligation |
We do not use personal data for behavioural advertising, sell data to third parties, or carry out automated decision-making with significant legal or similar effects.
7. Children's data and parental responsibility
MyChessFamily is designed for children aged 4–18. Children under 16 require verified parental or guardian consent before an account is activated. We operate a consent-first model: no child identity or data is created until the responsible adult confirms consent via a secure email link.
Parents and guardians create and manage child accounts. Children's accounts are linked to a responsible adult at all times. Parents retain the right to:
- Reset a child's login credentials at any time
- Withdraw consent, which triggers deletion of the child's account and data
- Set session time limits (in line with the Children's Code)
- Submit a data subject access request on behalf of a child
Our platform applies high-privacy defaults for all children: no public profiles, no open chat with strangers, no location tracking, no profiling for advertising.
Users aged 16-17 may also sign up through the public intake form as solo accounts, while still receiving high-privacy defaults.
8. Who we share data with
We share data only with processors who help us deliver the service:
- Supabase Inc. — database hosting, authentication, and storage. Data is stored in the eu-west-2 (London) AWS region. Supabase acts as a data processor under a Data Processing Agreement and cannot use your data for their own purposes.
- Resend Inc. — transactional email delivery (account invites, consent emails, security alerts). Email metadata is processed in the United States under Standard Contractual Clauses and the UK International Data Transfer Agreement.
- PostHog Inc. (EU region) — pseudonymised product analytics. Before any event is sent, your user ID is one-way hashed (SHA-256 with a server-held salt) to produce an opaque pseudonym. Events describe product interactions only (e.g. “game started”) and never contain names, email addresses, IP addresses, chess moves, or board positions. PostHog is configured with persistence: 'memory' — it does not set cookies. Data is stored on PostHog's EU-hosted infrastructure.
We do not sell data to, or share data with, any advertising networks or data brokers.
9. International data transfers
Your data is stored primarily in the UK/EU via Supabase on AWS eu-west-2 (London). Where transfers outside the UK occur (specifically for email delivery via Resend), they are protected by:
- UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs)
- The UK extension to the EU–US Data Privacy Framework where applicable
10. How long we keep your data
| Data type | Retention period |
|---|---|
| Active account data (adult and solo 16-17) | Life of account + 30 days after deletion request |
| Active account data (linked child under 16) | Life of account; deleted on consent withdrawal |
| Parental consent records | Life of child account + 7 years (Limitation Act 1980; tolling for minors) |
| Live game move records | Retained indefinitely for game integrity (opponent history and replay). On account deletion, the deleted player's identity fields are replaced with an anonymous system placeholder — move data itself is retained. See our Anonymise-and-Retain policy below. |
| Chess rating history | Retained indefinitely as part of the game record. On account deletion, the rating history row is anonymised (user identity replaced with the system placeholder) but the rating values are retained to preserve opponent rating integrity. |
| Security and audit logs | 90 days (rolling) |
| Beta application records | 12 months after application closes or is rejected |
When an account is deleted, all personal data directly identifying the account holder is removed. An exception applies to game records — see below.
Anonymise-and-retain policy for game records
When a player's account is deleted, we retain their game move records but replace all personal identity references with an anonymous system placeholder (a non-login sentinel entry). This means:
- The deleted player's name, email, and account are fully deleted.
- The game moves and result are retained so that the opponent's game history, replay access, and rating record are not destroyed — those belong to the opponent, not to the deleted player.
- The retained data is no longer attributable to any real person.
This approach is consistent with UK GDPR Article 17: erasure rights apply to personal data attributable to the data subject. Anonymised data that cannot be re-linked to a person does not constitute personal data and is not subject to erasure obligations. Retaining anonymised game data is also necessary to protect the legitimate interests of the opponent (a third party) whose own data — their game history and rating — would otherwise be destroyed.
11. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (“right to be forgotten”)
- Restriction — ask us to pause processing in certain circumstances
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Rights related to automated decisions — we do not carry out automated decision-making with significant effects, but you may request human review of any automated process that affects you
Children have the same rights as adults. Parents may act on behalf of younger children. We assess and handle rights requests in line with age and account pathway.
12. How to exercise your rights
Contact us at [email protected] with the subject line “Data Subject Request”. Please include:
- Your name and the email address associated with your account
- A description of your request
- If acting on behalf of a child, confirmation of your relationship to them
We will respond within one month. If the request is complex we may extend this by a further two months and will notify you.
13. How to complain
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the ICO:
- ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
We would always appreciate the opportunity to resolve your concerns directly first — please contact us at [email protected].
14. Security
We take security seriously. Our technical measures include:
- All data encrypted in transit (TLS 1.2+)
- Authentication cookies are HTTP-only and not accessible to JavaScript
- Child login credentials never stored in plaintext
- Rate limiting on child authentication to prevent brute-force attacks
- Role-based access controls enforced at the database level
- Service-role API keys never exposed to browsers or client bundles
15. Changes to this policy
If we make material changes to this policy, we will notify registered users by email and display a notice in the platform. The “last updated” date at the top of this page reflects the most recent revision.
Consent records link to the version of this notice that was in force at the time consent was given. Version identifier: 2026-04-18.