Privacy Policy
This is a convenience translation. The legally binding version is the . The contract language is German.
ChessRiddle – Chess Training App
Last updated: April 7, 2026
Preamble
ChessRiddle is a chess training app that enables users to improve their tactical and visualisation skills through interactive puzzles and computer-assisted analyses.
The app is available as:
- Web application at chessriddle.com
- Mobile app for iOS (Apple App Store)
- Mobile app for Android (Google Play Store)
This privacy policy informs you about the nature, scope and purpose of the processing of personal data within our app and the associated websites, features and content.
We, ChessRiddle (hereinafter also "we" or "us"), take the protection of your personal data seriously and would like to inform you about data protection in our company.
Within the scope of our responsibility under data protection law, the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR") has imposed additional obligations on us to ensure the protection of personal data of the persons affected by processing (we also address you as a data subject with "customer", "user", "you" or "data subject").
Insofar as we decide alone or jointly with others on the purposes and means of data processing, this includes above all the obligation to inform you transparently about the nature, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and 14 GDPR). With this statement (hereinafter: "privacy notice"), we inform you about the manner in which your personal data is processed by us.
Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is
ChessRiddle, Inh. Felix Beck
Kraillinger Weg 9
82061 Neuried
Germany
Phone: +49 156 79761842
E-mail: info@chessriddle.com
A Data Protection Officer has not been appointed, as the requirements under Section 38 of the German Federal Data Protection Act (BDSG) (fewer than 20 persons constantly engaged in automated data processing) are not met.
General Information
Definitions
In accordance with Art. 4 GDPR, this privacy notice is based on the following definitions:
"Personal data" (Art. 4(1) GDPR) means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Identifiability may also be established through the combination of such information or other additional knowledge. The form or embodiment of the information is irrelevant (photographs, video or audio recordings may also contain personal data).
"Processing" (Art. 4(2) GDPR) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, as well as the modification of a purpose or intended use originally underlying the data processing.
"Controller" (Art. 4(7) GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Third party" (Art. 4(10) GDPR) means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; this also includes other affiliated legal entities within a group of companies.
"Processor" (Art. 4(8) GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with the controller's instructions (e.g. IT service providers). In terms of data protection law, a processor is not a third party.
"Consent" (Art. 4(11) GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Legal bases for data processing
By law, any processing of personal data is in principle prohibited and only permitted if the data processing falls under one of the following legal justifications:
- Art. 6(1)(a) GDPR ("Consent"): Where the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Art. 6(1)(b) GDPR: Where processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
- Art. 6(1)(c) GDPR: Where processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a statutory retention obligation);
- Art. 6(1)(d) GDPR: Where processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Art. 6(1)(e) GDPR: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Art. 6(1)(f) GDPR ("Legitimate interests"): Where processing is necessary for the purposes of the legitimate interests (in particular legal or economic interests) pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (in particular where the data subject is a child).
For each processing operation we carry out, we indicate the applicable legal basis below. Processing may also be based on several legal bases.
Data deletion and storage duration
For each processing operation we carry out, we indicate below how long the data is stored by us and when it is deleted or blocked. Unless an explicit storage period is stated below, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage ceases to apply. As a rule, your data is only stored on our servers in Germany, subject to the cases expressly named in this privacy notice. However, storage may continue beyond the stated period in the event of (threatened) legal disputes with you or other legal proceedings, or if storage is required by statutory provisions to which we as controller are subject (e.g. Section 257 of the German Commercial Code (HGB), Section 147 of the German Fiscal Code (AO)). When the storage period prescribed by statutory provisions expires, the personal data will be blocked or deleted, unless further storage by us is necessary and a legal basis exists for this.
Data security
We employ appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties (e.g. TLS encryption for our website), taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the processing, as well as the existing risks of a data breach (including the likelihood and impact thereof) for the data subject. Our security measures are continuously improved in line with technological developments. We are happy to provide you with further information on request.
Cooperation with processors
Where we use external service providers to handle our business operations (e.g. in the areas of IT, logistics, telecommunications, sales and marketing), they only act on our instructions and are contractually obliged in accordance with Art. 28 GDPR to comply with data protection regulations.
Requirements for the transfer of personal data to third countries
In the course of our business relationships, your personal data may be disclosed or transferred to third-party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing takes place exclusively to fulfil contractual and business obligations and to maintain your business relationship with us. We inform you about the respective details of the transfer in the relevant sections below. The European Commission certifies an adequate level of data protection for some third countries through so-called adequacy decisions. In other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of statutory provisions. Where this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding corporate rules, Standard Contractual Clauses of the European Commission for the protection of personal data, certificates or recognised codes of conduct.
No automated decision-making (including profiling)
We do not intend to use the personal data collected from you for any automated decision-making process (including profiling).
No obligation to provide personal data
We do not make the conclusion of contracts with us conditional on you providing personal data to us in advance. As a customer, there is generally no statutory or contractual obligation for you to provide us with your personal data; however, it may be that we can only offer certain services on a limited basis or not at all if you do not provide the data required for this. If this is exceptionally the case within the scope of the products we offer below, you will be specifically informed.
Legal obligation to transmit certain data
We may in certain circumstances be subject to a special statutory or legal obligation to make lawfully processed personal data available to third parties, in particular public authorities (Art. 6(1)(c) GDPR).
Changes to this privacy notice
In the course of the development of data protection law and technological or organisational changes, our privacy notice is regularly reviewed for any need for adjustment or supplementation.
Your Rights
You may assert your rights as a data subject with regard to your processed personal data at any time using the contact details provided above. As a data subject, you have the right:
- pursuant to Art. 15 GDPR, to obtain from us confirmation as to whether or not personal data concerning you are being processed. In particular, you may request information about the purposes of the processing, the categories of data, the categories of recipients to whom your data have been or will be disclosed, the envisaged period of storage, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
- pursuant to Art. 16 GDPR, to obtain from us without undue delay the rectification of inaccurate personal data or the completion of incomplete data stored by us;
- pursuant to Art. 17 GDPR, to obtain the erasure of personal data stored by us, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
- pursuant to Art. 18 GDPR, to obtain the restriction of processing of your data, insofar as the accuracy of the data is contested by you or the processing is unlawful;
- pursuant to Art. 20 GDPR, to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format, or to request the transmission to another controller ("data portability");
- pursuant to Art. 21 GDPR, to object to the processing at any time, where processing is based on Art. 6(1)(e) or (f) GDPR. This is particularly the case where the processing is not necessary for the performance of a contract with you. Unless it is an objection to direct marketing, we ask you, when exercising such an objection, to state the reasons why we should not process your data as we have done. In the event of your justified objection, we will examine the situation and will either cease or adjust the data processing, or demonstrate to you our compelling legitimate grounds on the basis of which we will continue the processing;
- pursuant to Art. 7(3) GDPR, to withdraw your consent at any time — that is, your freely given, specific, informed and unambiguous indication expressed by a statement or other clear affirmative action that you agree to the processing of the personal data in question for one or more specific purposes — if you have given such consent. The consequence is that we may no longer continue the data processing based on this consent for the future; and
- pursuant to Art. 77 GDPR, to lodge a complaint with a supervisory authority about the processing of your personal data by our company.
Data we collect when using the app
Registration and user account
During registration, we collect:
| Data | Required/Optional | Purpose | Legal basis |
|---|---|---|---|
| E-mail address | Required | Account management, authentication, transactional emails | Art. 6(1)(b) |
| Password (hashed) | Required | Authentication | Art. 6(1)(b) |
| Username | Optional | Display in leaderboards and profile | Art. 6(1)(b) |
| Avatar (profile picture) | Optional | Profile personalisation | Art. 6(1)(a) |
| Country | Optional (auto via GeoIP, editable) | Country flag display, currency selection | Art. 6(1)(f) |
User registration serves as identification for the purpose of contract performance pursuant to Art. 6(1)(b) GDPR.
Data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. For data collected during the registration process for the performance of a contract or for the implementation of pre-contractual measures, this is the case when the data is no longer required for the performance of the contract. Even after the conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to comply with contractual or statutory obligations.
As a user, you have the option to cancel your registration at any time. You may have the data stored about you amended at any time. If the data is required for the performance of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible insofar as no contractual or statutory obligations prevent such deletion.
Usage data
When using the app, we collect the following data, also pursuant to Art. 6(1)(b) GDPR for the purpose of contract performance:
- Puzzle attempts (result, number of attempts, solving time, puzzle type)
- Evaluation attempts (rating estimate, result, solving time)
- Glicko-2 ratings (separate ratings for tactics, visualisation and positional, each automatically calculated)
- Streak data (Riddle Streak, Evaluation Streak)
- Coordinate training results (stored locally in the browser and server-side)
- Incorrect puzzle attempts (for the "Practice Mistakes" feature — repetition of previously incorrectly solved puzzles)
- Statistics and progress
Settings
Users can configure over 40 settings (e.g. language, board design, move notation, sound, difficulty levels). These are stored server-side on the basis of Art. 6(1)(b) GDPR and synchronised across devices.
Technical data
When accessing our app, the following data is automatically collected:
- IP address (temporarily in server logs)
- Device type, operating system, browser version
- Time zone
- Date and time of access
The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR.
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's device. For this purpose, the user's IP address must be stored for the duration of the session.
The storage of additional metadata in log files is necessary to ensure the functionality of the website. The data also serves us for technical optimisation of the website and to ensure the security of our information technology systems. No evaluation of the data for marketing purposes takes place in this context.
Geolocation (GeoIP)
We use the MaxMind GeoLite2 database, which is stored locally on our server, to derive the user's country from their IP address. The IP address is not transmitted to any third party for this purpose. The lookup is performed exclusively server-side.
Purpose: Country flag display, currency selection (EUR/USD)
Legal basis: Art. 6(1)(f) GDPR (Legitimate interest)
Our legitimate interest lies in providing users with a user-oriented presentation of the website upon access, in particular by displaying the presumed relevant country flag and pre-selecting the appropriate currency (e.g. EUR or USD). The processing thus serves the user-friendly, efficient and consistent design of the user experience.
Payment data
Payment processing is handled exclusively via Stripe (including purchases from the mobile app — these redirect to the Stripe Checkout page). There are no in-app purchases through the app stores.
We do not store any credit card numbers or bank details. We only receive from Stripe:
- Payment confirmation
- Payment method (type, last 4 digits)
- Billing periods
- Stripe customer ID
Legal basis: Art. 6(1)(b) GDPR (Performance of a contract)
Payment processing is necessary for the performance of the contract with the user.
Social Features
a) Friendships
Users can send friend requests to other users. Only after a request is accepted are the following data shared with the respective friend:
- Public profile (username, avatar, rating, statistics)
- Puzzle solving history subject to the conditions of lit. b)
Legal basis: Art. 6(1)(b) GDPR (Performance of a contract). The friendship feature is part of the contractually agreed scope of the app. The sharing of public profile data with accepted friends is necessary to provide this feature.
b) Sharing puzzle solving history with friends
Users can enable in the privacy settings that their puzzle solving history is visible to accepted friends. This feature is disabled by default.
Legal basis: Art. 6(1)(a) GDPR (Consent). Consent is given by actively enabling the corresponding option in the privacy settings. It may be withdrawn at any time by disabling the option. The withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
c) Friend suggestions
Users can set in the privacy settings whether they appear in other users' friend suggestions. This feature is enabled by default.
Legal basis: Art. 6(1)(f) GDPR (Legitimate interest). The legitimate interest lies in promoting social interaction within the app. Users may object to the processing at any time by disabling visibility in friend suggestions in the privacy settings.
d) Blocking
Users can block other users. Blocked users cannot send friend requests to the blocking user and cannot view their profile.
Email Communication
Transactional emails
We send transactional emails via the service provider Mailjet SAS (France/EU) for the following purposes:
- Registration confirmation
- Password reset
- Email address change
- Magic link login
These emails are sent in the language selected by the user (7 languages: German, English, Spanish, French, Portuguese, Russian, Chinese).
Legal basis: Art. 6(1)(b) GDPR (Performance of a contract — required for the operation of the user account)
Newsletter (planned)
We plan to send a newsletter with information about new features, tips and app updates. The newsletter will be sent via Mailjet.
- Legal basis: Art. 6(1)(a) GDPR (Consent)
- Sign-up: Voluntary, via a separate opt-in
- Unsubscribe: Possible at any time via the unsubscribe link in each newsletter email or in the account settings
When signing up for the newsletter, we store:
- E-mail address
- Time of sign-up
- IP address at sign-up (proof of consent)
Hosting, Processors and Third Parties
We have concluded Data Processing Agreements with the following providers. For the transfer of personal data to the processor and the processing by the processor, no further legal basis within the meaning of Art. 6 to 10 GDPR is required beyond the one on which we ourselves as controller base the processing.
Netcup GmbH – Hosting
Supabase Inc. – Database and Authentication
Stripe Inc. – Payment Processing
Sentry (Functional Software Inc.) – Error Monitoring
Plausible Analytics (Self-Hosted) – Website Analytics
Mailjet SAS – Email Delivery
App Store Distribution
Apple App Store and Google Play Store serve exclusively for the distribution of the app. Payments are not processed through the app stores but through Stripe. The respective privacy policies of Apple Inc. and Google LLC apply to the data collected by them in the context of app store usage.
When downloading the app, the information required for this purpose is transmitted to the respective app store operator, in particular username, e-mail address, customer number of your app store account, time of download, payment information and individual device characteristics.
Further information on data processing by the app store operators can be found in their privacy notices:
- Apple Distribution International Ltd. (Ireland): https://www.apple.com/legal/privacy
- Google Ireland Limited: https://policies.google.com/privacy
Cookies, Local Storage and Technical Storage
We do not use any tracking cookies or advertising cookies. For website analytics, we use Plausible Analytics (self-hosted), which does not use cookies and does not collect personal data (see the section "Hosting, Processors and Third Parties" above for details).
All local storage is strictly necessary for the operation of the app and does not require consent pursuant to Section 25(2)(2) of the German Telecommunications Digital Services Data Protection Act (TDDDG).
Overview of local storage
| Storage | Type | Purpose | Lifetime |
|---|---|---|---|
| sb-*-auth-token | Cookie / localStorage | Supabase session token (authentication) | Until logout / session end |
| chess-tactics-settings | localStorage | User settings (language, board design, etc.) | Persistent |
| chess-riddle-daily-limit-reached | localStorage | Daily puzzle limit for free users | 1 day |
| chessriddle_seen_modes | localStorage | Tracks whether first-time user hints have been shown | Persistent |
| coord-scores-* | localStorage | Local high scores in coordinate training | Persistent |
| cached-puzzle-data | sessionStorage | Cached puzzle data | Browser session |
| submitted-puzzle-id-* | sessionStorage | Prevents duplicate puzzle submissions | Browser session |
| streak-playing | sessionStorage | Marks active streak session (navigation guard) | Browser session |
| chess-tactics-session-id | sessionStorage | Anonymous session ID for usage statistics | Browser session |
| bestEvalStreak | localStorage | Evaluation streak personal best (local) | Persistent |
Data Security and Retention
Technical and organisational measures
- Transport encryption: All data is transmitted via HTTPS/TLS
- Password hashing: Passwords are hashed with bcrypt (via Supabase Auth)
- Row Level Security: Database access is secured by Supabase Row Level Security (RLS) — users can only read and edit their own data
- Access controls: Administrative access to infrastructure and database is restricted to the controller
Retention periods
| Data type | Retention period | Legal basis |
|---|---|---|
| User account data | For the duration of the contractual relationship; after account deletion, only insofar as individual data is still required due to statutory obligations or for legal defence. | Art. 6(1)(b) GDPR during the contract term, Art. 6(1)(f) post-contractually. |
| Payment data (Stripe) | 10 years after end of contractual relationship | Section 147 AO in conjunction with Section 257 HGB |
| Error logs (Sentry) | 90 days | Art. 6(1)(f) GDPR |
| Support enquiries (email) | Until final resolution, max. 3 years | Art. 6(1)(f) GDPR |
| Newsletter consent record | 3 years after unsubscription | Art. 6(1)(f) GDPR to fulfil the burden of proof under Section 7(2) of the German Act Against Unfair Competition (UWG) |
International Data Transfers
Overview of third-country transfers
| Provider | Server location | Registered office | Transfer mechanism |
|---|---|---|---|
| Netcup | Germany | Germany | – (no third country) |
| Supabase | Frankfurt (AWS eu-central-1) | USA (Singapore) | EU-US DPF + SCCs |
| Stripe | USA | USA | EU-US DPF |
| Sentry | Frankfurt (ingest.de.sentry.io) | USA | EU-US DPF + SCCs |
| Mailjet | EU | France | – (no third country) |
| MaxMind GeoLite2 | Local (no transfer) | USA | – (local database only) |
Note on the EU-US Data Privacy Framework (DPF)
The EU-US Data Privacy Framework was declared valid on 10 July 2023 by an adequacy decision of the European Commission. The validity was confirmed in September 2025 by the General Court of the European Union (EGC). At the time of this privacy policy, an appeal before the Court of Justice of the European Union (CJEU) is pending.
In addition to the DPF, we have agreed Standard Contractual Clauses (SCCs) with the relevant providers as a supplementary safeguard.
Minors
The app is intended for users who have reached the age of 16.
Users under the age of 16 may only use the app with the express consent of a parent or guardian (Art. 8 GDPR).
USA / COPPA: Children under the age of 13 may not use the app. We do not knowingly collect personal data from children under 13 within the meaning of the Children's Online Privacy Protection Act (COPPA). Should we become aware that data of a child under 13 has been collected, it will be deleted without delay.
Notice for Users from California (CCPA/CPRA)
For users residing in California, the provisions of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) additionally apply.
"Do Not Sell or Share"
We do not sell any personal data of our users and do not share it with third parties for advertising purposes within the meaning of the CCPA/CPRA.
Your Rights under CCPA/CPRA
- Right to Know: You may request information about the personal data collected
- Right to Delete: You may request the deletion of your data
- Right to Opt-Out: As we do not sell or share data, an opt-out is not required
- Right to Non-Discrimination: You will not suffer any disadvantage from exercising your rights
Contact
Requests under CCPA/CPRA should be directed to: info@chessriddle.com
Automated Decision-Making
The app automatically calculates several Glicko-2 ratings (for tactics, visualisation and positional) based on the user's puzzle solutions and evaluation attempts. These ratings serve exclusively for the selection of appropriate puzzle difficulty levels and for display in leaderboards.
No automated decision-making within the meaning of Art. 22 GDPR takes place that produces legal effects or similarly significantly affects the user. The rating affects neither access to features nor the terms of the subscription.
Data Export and Account Deletion
Data export
Users can export their personal data via the account settings. The export includes all stored account data, settings and usage statistics in a machine-readable format.
Account deletion
Users can delete their account at any time in the account settings. Upon account deletion:
- Profile, settings, puzzle data, ratings and friendship data are removed.
- Payment data is retained in accordance with statutory retention periods (Section 147 AO, Section 257 HGB: 10 years) and deleted thereafter.
- Error logs in Sentry are automatically deleted after a maximum of 90 days.
Contact and Support
When contacting us by email (info@chessriddle.com), we process the data provided by the user (email address, name, content of the enquiry) to handle the matter.
Legal basis:
- Art. 6(1)(b) GDPR (for enquiries related to an existing contract)
- Art. 6(1)(f) GDPR in conjunction with Recital 47 GDPR (for general enquiries — legitimate interest in responding, which corresponds to the user's expectation that their data will be used for the response)
The data will be deleted after final resolution of the matter, unless statutory retention obligations apply.
Changes to this Privacy Policy
We reserve the right to update this privacy policy to adapt it to changes in the legal situation, technical changes or new features.
For material changes affecting the rights of users, we will notify you:
- By email to the registered email address, and/or
- By a notice upon the next login in the app
The current version is always available at chessriddle.com/privacy.
Contact and Supervisory Authority
Controller
ChessRiddle, Inh. Felix Beck
Kraillinger Weg 9
82061 Neuried
Germany
Phone: +49 156 79761842
E-mail: info@chessriddle.com
Competent supervisory authority
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
(Bavarian State Office for Data Protection Supervision)
Promenade 18
91522 Ansbach
Germany
Phone: +49 981 180093-0
E-mail: poststelle@lda.bayern.de