PRIVACY POLICY – CHESSTIMER Last updated: 2 January 2026 1. CONTROLLER Controller: Jens Allmer Hochschule Ruhr West, University of Applied Sciences Institute for Measurement Engineering and Sensor Technology Medical Informatics and Bioinformatics Duisburger Str. 100 Building 02, floor 1, room 118 45479 Mülheim an der Ruhr Germany Email: info@allinapps.de No Data Protection Officer (DPO) has been appointed. 2. SCOPE This Privacy Policy applies to the ChessTimer Progressive Web App (PWA) and the related web services used to provide account management, synchronization across devices, and paid features. 3. CATEGORIES OF PERSONAL DATA Depending on how ChessTimer is used, the following categories of personal data may be processed: Account and profile data: - Email address (used for authentication) - Optional first and last name - Profile settings - Tenant identifier used for application separation Game data: - Chess games and game metadata - Time controls, increments, results, termination reasons - Optional player names or display names - Optional PGN data - Optional club or event references Club and event data (if used): - Club details such as name and logo - Club membership data - Event details - Event participant information, including optional birthdate or rating snapshot Subscription and entitlement data: - Subscription plan flags (free, premium, club_pro, lifetime) - Expiry dates where applicable Technical data: - Necessary server-side logs required to operate the service - Local device storage used for offline functionality 4. PURPOSES AND LEGAL BASES Personal data are processed for the following purposes and legal bases: - Provision of the ChessTimer service, including account management and synchronization Legal basis: Art. 6(1)(b) GDPR (performance of a contract) - Operation of club and event features, where used Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR (legitimate interest) - Security, abuse prevention, and service integrity Legal basis: Art. 6(1)(f) GDPR - Compliance with legal obligations Legal basis: Art. 6(1)(c) GDPR 5. LOCAL STORAGE AND SYNCHRONIZATION For unpaid accounts, game data are stored locally on the user’s device only. For paid accounts, game data and related information are synchronized with the server to enable cross-device use. 6. DATA SHARING AND PROCESSORS Personal data are shared only to the extent necessary to operate the service, with the following processors: - Supabase (authentication and database hosting, EU region) - Amazon Web Services (AWS Lambda for transient backend processing) - Stripe (payment processing) No personal data are sold. 7. INTERNATIONAL DATA TRANSFERS Where service providers process data outside the European Economic Area, appropriate safeguards such as Standard Contractual Clauses (SCCs) are used in accordance with GDPR requirements. 8. VISIBILITY WITHIN THE APPLICATION If club or event features are used, certain information may be visible to other users as required for the functionality of clubs and events. 9. DATA RETENTION AND DELETION Users may delete their account immediately or choose a recoverable deletion. - Immediate deletion: personal data are deleted without undue delay. - Recoverable deletion: personal data are retained for up to 90 days to allow account recovery, with a warning approximately 7 days before final deletion. After deletion, remaining references are anonymized, for example by replacing names with “unknown user”. 10. CHILDREN ChessTimer is not specifically targeted at children. Where minors use the service, this should occur with parental or legal guardian consent where required by applicable law. 11. USER RIGHTS Users have the right to: - Access their personal data - Rectification of inaccurate data - Erasure of personal data - Restriction of processing - Data portability - Lodge a complaint with a supervisory authority Requests may be sent to: info@allinapps.de 12. SECURITY Appropriate technical and organizational measures are implemented to protect personal data. However, no method of transmission or storage is completely secure. 13. CHANGES TO THIS POLICY This Privacy Policy may be updated from time to time. The date at the top of the document indicates the most recent version.