Privacy Policy
Last Updated: March 10, 2025
Introduction: Your privacy and the security of your personal data are of utmost importance to us. This Privacy Policy explains what information we collect, how we use and protect it, and your rights regarding your personal data when you use chess.org (the “Site”) or purchase our digital chess products and courses (the “Services”). Caissa Bohemica, s.r.o., the company operating chess.org (referred to in this policy as “we” or “us”), is the “data controller” of your personal information, which means we determine the purposes and means of processing that information.
By using our Site or Services, or by providing us with your personal information, you agree to the terms of this Privacy Policy. If you do not agree, please refrain from using the Site or providing personal data.
We undertake to comply with applicable privacy laws, including the European Union’s General Data Protection Regulation (GDPR) and relevant local laws in the jurisdictions where we operate. We strive to process your data lawfully, transparently, and fairly.
- Information We Collect
We collect personal data that you voluntarily provide to us as well as some information automatically when you interact with our Site. “Personal information” (or “personal data”) means any information that can identify you or that relates to an identified or identifiable individual. The types of personal information we may collect include:
- Contact and Identity Details: When you make a purchase or create an account (if applicable) on our Site, we may collect information such as your name, email address, and possibly your phone number. We need your email to deliver digital products and to communicate with you about your order.
- Billing Information: To process payments for our digital goods, we (or our payment processor) collect billing details. This includes billing name and address, and payment method details. Note: We use Stripe for payment processing, so your payment card information (credit card number, expiration, CVV) is collected directly by Stripe. We do not store full credit card numbers or sensitive payment details on our servers. We may retain non-sensitive payment identifiers such as a transaction ID, card type, or the last four digits of your card for record-keeping and receipt generation.
- Transaction Information: Details of products you have purchased or considered, the date and time of your orders, and any relevant order numbers or download codes. We keep records of your purchases to provide you access to those digital products and for our financial accounting.
- Correspondence: If you contact us for support, inquiries, or feedback (via email, contact form, or phone), we will collect the information you choose to share in that communication. This could include your name, email, the content of your message, and any attachments or screenshots you provide.
- Device and Usage Data: When you visit chess.org, certain information is collected automatically:
  - Technical Information: This can include your IP address, browser type and version, operating system, language preference, and device type (desktop, mobile, etc.).
  - Usage Data: We may collect information about your activity on our Site, such as the pages or content you view, the dates/times of your visits, the page you visited before coming to our Site, and interactions with our website features. We may use cookies and similar tracking technologies (such as web beacons or pixels) to collect this info (see Cookies and Tracking below).
- Newsletter/Marketing Signup: If you opt in to receive our newsletter or marketing emails (for example, by ticking a box to receive updates), we will collect your email address and record your consent for that purpose. You can unsubscribe at any time (each marketing email will include an “unsubscribe” link).
- Other Information: We might collect any other information you voluntarily provide on our Site. For instance, if our Site allows user profiles, forum posts, or comments, any information you include in those areas will be collected. (At present, chess.org’s primary function is eCommerce for digital goods, so user-generated content may be minimal or not applicable.)
We only collect information that is relevant for the purposes described in this policy. You have the choice not to provide certain personal data (e.g. you can choose not to fill optional fields), but note that some data is necessary for us to provide the Services (for example, we need an email address to deliver your digital purchase).
- How We Use Your Information
We use the collected information for the following purposes, all in accordance with applicable data protection laws:
- To Fulfill Orders and Provide Services: The primary use of your information (name, email, billing info) is to process your purchase and deliver the digital goods you ordered. For example, we use your email to send you download links or access codes for chess programs or courses, and we use your payment information to complete the transaction through Stripe.
- To Communicate with You:
  - Transactional Communications: We will send you necessary emails about your purchase, such as order confirmations, receipts/invoices, delivery of digital content, and any updates or technical notices of the product you purchased (e.g. if there is an important update or change to the software/course).
  - Customer Support: If you reach out with questions or concerns, we will use your contact information to respond and assist in resolving any issues.
  - Marketing Communications: If you have given consent, we may send you newsletters, promotions, or information about new chess products and updates. We will only send you marketing emails if you have opted in. You can withdraw your consent at any time by unsubscribing.
- To Improve Our Services and Website: We may use usage data and feedback to understand how our Site and digital products are used. This helps us troubleshoot performance issues, analyse what content or features are popular, and improve the user experience (for example, by making our site more user-friendly or adding content that users find valuable). We might use aggregated, non-identifiable data for analytics purposes, often with the help of analytics tools (which might use cookies). For instance, we might track how many users download a particular course or which website pages are visited most frequently.
- To Enforce Our Terms and Prevent Fraud: Information may be used to monitor for and prevent fraudulent transactions or unauthorized use of the digital products. For example, we may use certain data to ensure download links are not misused or shared beyond the license terms. If we suspect any violation of our Terms of Service (such as piracy or sharing of our content), we might use relevant data to investigate and take appropriate action. We also may use personal data to protect the security of our Site, our users, and our company’s rights (for instance, detecting malicious activity).
- For Legal Compliance: We are required to retain and sometimes use certain data to comply with legal obligations. For example, for accounting and tax purposes, we have to keep records of transactions (which include personal data like name, address, and purchase details). We might also use and disclose information as required by law, court order, or regulatory authorities (see also Data Disclosure below).
- Testing and Development: On occasion, we might use certain data for testing new features or services, but typically this would use anonymized data wherever possible. If personal data is used in testing (for example, testing an email delivery system might involve your email address), we ensure it remains secure and confidential.
We will not use your personal information for purposes that are incompatible with those listed above without asking for your consent or unless required/permitted by law. If we plan to process your data for a new purpose, we will provide you with notice and, if required, request your consent.
- Legal Basis for Processing (GDPR compliance)
For individuals in the European Economic Area (EEA) or where GDPR applies, we must have a valid legal basis to process your personal data. We generally rely on the following legal grounds:
- Performance of a Contract: When you purchase a digital product or otherwise use our Services, we process your personal data to perform our contract. This includes processing payments, delivering the product, and communicating about the order. For example, using your email to send the download link is necessary to fulfill our contract (the sale) with you.
- Consent: We will ask for your consent in situations where it is needed. The most common example is for sending marketing communications. If you opt in to our newsletter or promotional emails, our legal basis for using your email for that purpose is your consent. You have the right to withdraw consent at any time (such as by unsubscribing from marketing emails or contacting us).
- Legitimate Interests: We may process certain data for the purposes of our legitimate interests, provided those are not overridden by your data protection rights. Examples of these legitimate interests include: improving and personalizing our services, preventing fraud, securing our website, and understanding how customers use our products. When we rely on legitimate interests, we consider and balance any potential impact on your rights. For instance, collecting usage data via analytics cookies is done to improve our site (a legitimate interest), and we ensure this does not unduly infringe on your privacy by, for example, using aggregated data and providing opt-outs for non-essential cookies.
- Legal Obligation: Sometimes we have to process or retain your data to comply with laws. For instance, financial transaction records containing personal data must be kept for a certain number of years under tax laws. If authorities lawfully require information (e.g. for a legal investigation), we may need to process and provide data to comply with such legal obligations.
- Protection of Vital Interests or Public Task: These bases are less likely to apply to our eCommerce context. They typically cover situations like emergency medical data processing or public authority tasks. We will typically not process your data under these bases except in extremely rare circumstances (such as if there is an immediate threat to life).
If you have questions about the legal basis of how we process your personal data, feel free to contact us (see the Contact section of this Policy). We can provide additional explanation or documentation if needed.
- Disclosure of Your Information
We treat your personal data with care and confidentiality. We do not sell or rent your personal data to third parties for their marketing purposes. However, in the course of running our business, there are situations where we share your data with third parties, as outlined below:
- Service Providers (“Processors”): We use trusted third-party companies to perform certain functions on our behalf, and they may have access to personal data as needed to perform their services. These include:
  - Payment Processing: As noted, we use Stripe to process payments. When you enter your payment details, that information goes directly to Stripe. Stripe operates in compliance with stringent security standards and uses your payment data only for processing the transaction. We share with Stripe the necessary information to charge you (e.g. transaction amount, currency, your billing info). Stripe may also receive your IP address and other technical data as part of the payment process. (Please refer to Stripe’s privacy policy for details on how they process your data.)
  - Email Delivery and Communications: We may use an email service provider (for instance, a service like SendGrid, Mailchimp, or similar) to send out transactional emails (like your order confirmation and delivery emails) and any newsletters or marketing messages you signed up for. These providers would have access to your email address and the content of the emails they send on our behalf. They are not allowed to use your email for any other purpose.
  - Website Hosting and IT Infrastructure: chess.org might be hosted on a third-party hosting platform or cloud provider (such as AWS, Azure, etc.). These providers are technically able to access data stored on their servers but they are bound by strict confidentiality and security obligations. We ensure that any hosting provider we use is reputable and compliant with relevant data protection standards.
  - Analytics and Cookies: If we use third-party analytics tools (like Google Analytics or similar) or advertising partners, those services may collect usage data through your browser. Such data is typically aggregated and does not directly identify you. (See Cookies and Tracking below for more details and choices regarding analytics cookies.)
  - Other Contractors: We might engage other companies or individuals to assist with services like technical support, development, or consulting. Such parties will only access data to the extent necessary for their function and are under contractual obligations to protect your data.
- Legal Requirements and Protection of Rights: We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g. a court order, subpoena, or government investigation). Additionally, we may disclose data if we believe in good faith that such action is necessary to:
  - Comply with a legal obligation or regulation,
  - Protect and defend the rights, property, or safety of Caissa Bohemica (chess.org), our customers, or others,
  - Investigate and defend ourselves against any third-party claims or allegations,
  - Prevent or stop illegal, unethical, or legally actionable activity (for example, addressing fraud or security issues).
- With Your Consent: Apart from the cases above, if we ever need to share your data for other purposes, we will ask for your consent. You will have the choice to let us know if you agree to the sharing.
When we share the data with service providers, we only provide the data that is necessary for them to provide the service. We also ensure that they are contractually obligated to process your data securely and in compliance with applicable privacy laws (including GDPR, where applicable). These third parties must not use your personal data for their own purposes and must delete or return personal data once the service is completed (unless they are legally required to retain it, such as for their own compliance reasons).
- International Data Transfers
We are based in the Czech Republic but the nature of digital services means that your data may be transferred to or accessed from other countries. For example:
- Servers and Cloud Storage: If our website hosting or cloud storage provider stores data on servers located outside of the country where you reside, your personal data might be transferred to that location. We primarily aim to use servers within the European Union (EU)/European Economic Area (EEA) for EU customer data when possible. However, some data may be stored or backed up in the cloud, which could be in data centers in the United States or other jurisdictions.
- Service Providers in Other Countries: Some of our third-party providers might be located outside your country. For example, Stripe and many email service providers are U.S.-based companies (though they often have EU subsidiaries or data centers). Likewise, if we use Google Analytics, the data might be processed in the U.S. or other countries.
Whenever we transfer personal data out of the EEA (or your home jurisdiction) to a country that is not deemed by the relevant authorities to have “adequate” data protection (for instance, the EU considers the U.S. not to have equivalent privacy laws), we will ensure appropriate safety measures are in place as required by GDPR or other applicable laws. These safety measures may include:
- Standard Contractual Clauses (SCCs): We can enter into EU-approved standard data protection clauses with the receiving party, which legally commit them to protect your data to EU standards.
- Consent in Certain Cases: In some cases, we might ask for your explicit consent for an international transfer if no other legal transfer mechanism is available and the circumstances warrant it (this is rare).
You can contact us for more information about the safety measures we have in place for international transfers. We understand this can be a complex area and are happy to clarify how your data is handled in cross-border scenarios.
- Data Retention
We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy, or as required by law. How long we keep data depends on the type of data and the purpose of processing. Here are some general guidelines:
- Account and Contact Information: If you create an account on our platform, we will retain your account information for as long as your account is active. If you request to delete your account or if your account is inactive for an extended period, we may delete this information, provided we do not need to keep it for legal reasons.
- Purchase and Transaction Records: We keep records of your purchases (including personal data, such as name, contact, and transaction details) for a minimum period as required by tax and accounting laws. In the Czech Republic and under EU law, for instance, we might need to keep invoice information for 10 years from the date of the transaction for audit purposes. Even if you request the deletion of your data, we may retain necessary transactional records to comply with these legal duties.
- Customer Support Correspondence: Communications with our support team may be retained until the issue is resolved and for a short period thereafter, in case you have follow-up queries.
- Marketing Data: If you have consented to receive marketing emails, we will keep your contact information on our mailing list until you unsubscribe or withdraw consent. Once you unsubscribe, we may keep your email on a suppression list to ensure we honour your opt-out (to make sure we do not accidentally send you emails again), but we will not use it for further marketing.
- Usage Data: Analytics data is often kept in aggregate form. If we have raw logs, we may retain those for a short period (a few months) for analysis and troubleshooting, then either delete or anonymize them. Aggregated data (which does not identify individuals) may be retained longer for statistical purposes.
- Legal Requirements: If there is a legal claim or dispute, or if law enforcement or regulators ask us to retain data, we will preserve relevant information as needed even if it goes beyond the typical retention schedule. Also, as mentioned, certain data must be held for fixed periods due to legal requirements (e.g., finance records).
When we no longer have a legitimate need or legal obligation to retain your personal data, we will securely erase, anonymize, or pseudonymize the information. For example, instead of deleting a purchase record that must be kept for tax reasons, we may detach it from your direct identity if possible (though usually the identity is part of the invoice). Our goal is not to keep personal data indefinitely unless it is truly necessary.
If you have specific questions about our data retention practices for different types of data, you can contact us for more details.
- Your Rights and Choices
You have certain rights regarding your personal data that we retain, especially if you are in the European Union or a region with similar laws. We are committed to respecting your rights and have processes in place to allow you to exercise them. These rights include:
- Right of Access: You have the right to request confirmation that we are processing your personal data and to obtain a copy of the personal data we retain about you. We will provide you with a summary of the data, along with details on how it is used, who it is shared with, and other required information. (In GDPR terms, this is your right to a “data subject access request.”)
- Right of Rectification: If any of your personal data we have is incorrect or incomplete, you have the right to ask us to correct or update it. For example, if you realize we have an outdated email or a misspelled name, you can request a fix. We rely on you to provide accurate information, and we encourage you to keep your details up to date.
- Right to Erasure: Also known as the “right to be forgotten,” this right allows you to request that we delete your personal data. You can ask for the erasure of your data when it is no longer necessary for the purposes for which we collected it, or if you withdraw consent (where applicable) or if you believe we are unlawfully processing it. Please note that we cannot delete data that we are required to keep by law (e.g., transaction records needed for tax purposes) or data that is necessary for legal claims. We will inform you if that is the case. In practice, if you request deletion, we will remove what we can and suppress further use of any information we must keep.
- Right to Restrict Processing: You have the right to request that we limit the processing of your data under certain circumstances. For example, if you contest the accuracy of your data, you can ask us to restrict processing while we verify the information. Or if you object to our use of your data (see the right to object below), you can request restriction during our review. When processing is restricted, we will still store your data but will not use it until the issue is resolved.
- Right to Data Portability: This right applies to data you have provided to us and that we process by automated means on the basis of consent or contract. It allows you to take your data to another service if you wish. For example, if you want a record of all the courses you bought and your associated data to use elsewhere, we can provide that. You may also request that we transmit this data directly to another controller where technically feasible.
- Right to Object: You have the right to object to certain types of processing. For instance, you can object to processing based on legitimate interests if you believe it impacts your rights. If you object, we will consider whether our legitimate grounds for processing override your rights and freedoms. You can also object to your personal data being used for direct marketing purposes (we only send marketing with your consent, but you have an absolute right to object to or opt out of it at any time).
- Right to Withdraw Consent: If we process your personal data based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing we did based on your consent before withdrawal. For example, if you consented to receive newsletters, you can opt out later, and we will stop sending them.
- Right to Lodge a Complaint: If you believe we have infringed your data protection rights or processed your data unlawfully, you have the right to lodge a complaint with a data protection supervisory authority. For individuals in the Czech Republic, the relevant authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů). If you are in another EU country, you can contact your local authority. We encourage you to contact us first so we can address your concerns directly, but you are free to contact the authority at any time.
To exercise any of these rights, please contact us using the contact details provided in this Privacy Policy. We may need to verify your identity before fulfilling certain requests (to ensure we do not disclose data to the wrong person or delete the wrong account, for example). We will respond to your request as soon as possible, and in any case within the time limit required by law (under GDPR, typically within 1 month, extendable to 3 months for complex requests, in which case we will inform you of the need for more time).
Please note that some rights have limitations. For example, if you request data portability, it only applies to data you provided and that we process automatically. If you request deletion, we might not delete data we absolutely need (as described). If we decline any part of your request, we will explain the reason to you.
- Cookies and Tracking Technologies
Cookies: Like most websites, we use “cookies” and similar tracking technologies to collect certain usage data automatically. Cookies are small text files that are placed on your device (computer, smartphone, etc.) when you visit a website. They serve a variety of functions, such as remembering user preferences, enabling certain features, and collecting analytical data about site usage.
We may use different types of cookies on chess.org, including:
- Essential Cookies: These are necessary for our site to function properly. For example, if our site has a login or a shopping cart, essential cookies would keep you logged in or remember items in your cart. Without these, basic services you have asked for cannot be provided. These cookies do not require consent.
- Analytics Cookies: We might use these to understand how visitors use our site (e.g. which pages are visited, how long users stay, how they navigate). This helps us improve site content and design. We may use third-party analytics tools (like Google Analytics), which set their own cookies. The information collected is typically aggregated and not used to identify individuals. We will ask for your consent to use analytics cookies where required by law (e.g. via a cookie banner when you first visit).
- Functional Cookies: These cookies remember choices you make to provide a more personalized experience (for example, your language preference or other customizations).
- Advertising/Marketing Cookies: Currently, chess.org’s primary function is to sell our own products; we do not show third-party ads on our site. However, if we ever engage in advertising or re-marketing campaigns, cookies might be used to track browsing habits to show relevant ads on other platforms. If we use such cookies, we will explicitly ask for consent.
- Third-Party Integrations: If our site includes content or plugins from third-party services (like a YouTube video, social media share buttons, or an embedded widget), those third parties may set cookies. For example, clicking a “Share on Facebook” button might set a cookie from Facebook. These third-party cookies are governed by the third party’s own privacy policy.
Your Choices Regarding Cookies: On your first visit to our site (and periodically thereafter), you may see a cookie notice or banner. You can choose whether to accept non-essential cookies. Essential cookies cannot be declined if you want to use our site (as they are needed for basic functionality) but you can always block them via your browser settings (though parts of the site might not work correctly).
You can also manage cookies through your web browser settings:
- Most browsers allow you to view what cookies are stored and to clear them, either on a per-site or overall basis.
- You can typically also block cookies from third parties or even all cookies. However, blocking all cookies may affect your browsing experience.
- There are also browser extensions and tools that can help manage cookies and trackers.
For more detailed information on our use of cookies and how to manage them, please refer to our Cookie Policy (if we have a separate one) or contact us with any questions.
Do Not Track: Some browsers offer a “Do Not Track” (DNT) feature that, when enabled, sends a signal to websites indicating that you do not wish to be tracked. Our site currently does not respond to DNT signals in a different way from normal, because there is not yet a universally agreed standard for what websites should do when they receive such signals. We treat all visitors’ data according to this Privacy Policy. However, as mentioned, you can adjust cookie settings to control tracking to some extent.
- Data Security
We take security measures seriously to protect your personal data from unauthorized access, alteration, disclosure, or destruction. While no website or internet transmission is completely secure, we implement appropriate technical and organizational measures to safeguard the data we hold. These measures include:
- Encryption: Our website is secured via SSL/TLS encryption. You can verify this by the “https://” and padlock symbol in your browser’s address bar when connecting to chess.org. This means that information you send through forms (such as personal details or login credentials) is encrypted in transit to prevent eavesdropping.
- Access Controls: Personal data stored in our systems or those of our service providers is restricted to authorized personnel who need to access it for the purposes described (e.g. our staff handling customer support or fulfilling orders). These individuals are bound by confidentiality obligations. We use password protection, two-factor authentication, and similar access controls where appropriate to prevent unauthorized access to systems that contain personal data.
- Secure Data Storage: We ensure that our hosting providers or servers employ up-to-date security protocols, firewalls, and intrusion detection systems. Data is backed up regularly to prevent loss. For particularly sensitive information (like passwords), we use hashing or encryption at rest.
- Payment Security: We do not process or store sensitive payment card details ourselves. By using Stripe, we leverage their secure, PCI-DSS-compliant systems to handle all payment transactions. Stripe is audited regularly for security standards. Any payment information we do store (like transaction IDs or last 4 digits for reference) is minimal and stored securely.
- Monitoring and Testing: We keep our website software, plug-ins, and systems up to date to patch security vulnerabilities. We may perform periodic security audits, vulnerability scans, or penetration testing (either internally or via third-party experts) to identify and address potential security risks.
- Staff Training and Policies: We train our team about best practices in data protection and security, ensuring they understand the importance of handling personal data properly. We also have internal policies and incident response plans in case of a security breach.
Despite all these efforts, it is important to note that no method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot guarantee absolute security. However, in the unfortunate event of a data breach that affects your personal data, we will notify you and the relevant authorities as required by law (for example, under GDPR we would report certain breaches to the supervisory authority within 72 hours and to affected individuals without undue delay if there is a high risk to rights and freedoms).
Your Responsibility: You also play a role in keeping your data secure. For instance, if you create an account on our site, choose a strong password and do not share it. Be cautious of phishing attacks or scams — we will never ask you for your password via email, and any payment should only be submitted through our official payment page, not via email. If you suspect any unauthorised access or encounter any security issues with our Services, please notify us immediately.
- Children’s Privacy
Our Services and Site are not directed to children under the age of 13, and we do not knowingly collect personal data from children under 13. If you are under 13, please do not use our Site or provide any information about yourself. If you are between 13 and 16 (or the applicable age of digital consent in your country), you should only use our Services with the involvement and consent of a parent or guardian.
For parents and guardians, if you believe that a minor under your care has provided us with personal data without your consent, please contact us. We will take steps to remove that information from our systems. In any case, individuals under 16 years of age should not make purchases on chess.org; purchases should be made by an adult or with adult authorisation, as financial transactions are involved.
We recognise the importance of protecting children’s privacy and will update our practices if our audience expands to younger users in any way. If, in future, we intend to collect data from children for any reason, we will comply with applicable laws (such as the U.S. Children’s Online Privacy Protection Act (COPPA) and GDPR’s provisions regarding children’s data) and obtain proper parental consent beforehand.
- Changes to this Privacy Policy
We may update or modify this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will post the updated Policy here, with an updated “Last Updated” date at the top. For significant changes, we may also provide a more prominent notice, such as a banner on our website or an email notification, to inform you of what is different.
Your Responsibility to Review: We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use the Site or our Services after any changes to the Privacy Policy take effect, it will be deemed as your acceptance of the updated terms.
If we ever were to use your personal data in a manner significantly different from what was stated at the time of collection, we would notify you in advance and, if required by law, seek your consent.
- Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us. We are here to help and are committed to addressing any issues you may have.
Contact Information for Privacy Inquiries:
- Caissa Bohemica, s.r.o. (Chess.org) – Data Protection Team
Address: Skalní 494/3, 460 05 Liberec, Czech Republic
Email: privacy@chess.org (for privacy-related inquiries)
Alternate Email: support@chess.org (general support, will route to privacy team as needed)
You also have the right to lodge a complaint with the Office for Personal Data Protection (ÚOOÚ) in the Czech Republic or your local data protection authority if you believe we have not handled your data lawfully. However, we kindly invite you to contact us first, as we value your privacy and would appreciate the chance to address your concerns directly.
Thank you for entrusting us with your personal data. We will continue to work hard to keep that trust and protect your privacy while providing you with quality chess products and services.