knightvision.

Legal

Privacy Policy

Effective [PLACEHOLDER: effective date, e.g. 1 May 2026]

1. Who is the controller

The controller of your personal data is [PLACEHOLDER: legal company name, e.g. ACME s. r. o.], IČO [PLACEHOLDER: IČO], with its registered office at [PLACEHOLDER: registered office address](“Knight Vision”, “we”).

For any privacy-related question or to exercise your rights, contact us at [PLACEHOLDER: privacy@yourdomain — can be the same]. We are not required to appoint a Data Protection Officer, but the person responsible for privacy questions is the company’s managing director.

2. The short version

We collect the minimum we need to run a chess-training service: your email (so you can sign in), what you do in the app (so we can show you ratings and stats), optionally your Lichess username (so we can pull in your games for personal drills), and a payment reference if you buy Pro. We don’t sell your data, we don’t run third-party advertising trackers, and we delete your data when you ask us to (subject to a few legal record-keeping duties).

3. What data we process and why

The categories below describe what we process, what for, and on which legal basis under Article 6(1) of the EU General Data Protection Regulation (GDPR).

Account and authentication

Data: email address, optional display name, the magic-link tokens we email you (single-use, short-lived), session tokens, IP address and user-agent of the device that signed in, timestamps.

Purpose: creating and maintaining your account, authenticating you, securing the service against abuse.

Legal basis: performance of a contract with you (Art. 6(1)(b)) for account and login data; legitimate interest in keeping the service secure (Art. 6(1)(f)) for the IP / user-agent / session metadata.

Drill activity and ratings

Data: drill attempts, answers, times, ratings (Glicko-2), streaks, leaderboard entries.

Purpose: running the drills, computing your personal stats and leaderboards, choosing what to show you next.

Legal basis: performance of a contract (Art. 6(1)(b)).

Lichess integration (optional)

Data: the Lichess username you provide; the games we fetch from the public Lichess API associated with that username (PGN, ratings, results, time control).

Purpose: generating personal drills based on blunders and patterns from your own games.

Legal basis: performance of a contract (Art. 6(1)(b)) when you opt in by setting a Lichess username. You can disconnect at any time from your profile, which stops further imports; previously generated drills can be removed by deleting your account or by writing to us.

Payments and tax records

Data: a Stripe payment-intent reference, the date and amount of the payment, your billing country (for VAT), and the invoice / receipt that Stripe issues. We do notsee or store your card number, CVC, or full bank details — those are handled directly by Stripe.

Purpose: taking payment, issuing invoices, charging the correct VAT, complying with our accounting and tax duties.

Legal basis: performance of a contract (Art. 6(1)(b)) for taking the payment; legal obligation (Art. 6(1)(c)) under Slovak Act No. 431/2002 Coll. on Accounting and the Slovak VAT Act for keeping invoice and tax records.

Communications

Data: emails you send to us and our replies; the magic-link emails we send you; transactional emails about your account, payments, or material changes to the service.

Purpose: answering your questions, running the service, fulfilling our duties to you.

Legal basis: performance of a contract and legitimate interest in operating the business. We do not send marketing emails without your consent.

4. Cookies and similar technologies

We use a small number of strictly necessary cookies / local-storage entries:

  • an authentication session cookie set after sign-in, so you stay signed in;
  • short-lived cookies set by Stripe during checkout for fraud prevention and to keep your payment session alive.

These are essential to deliver a service you have explicitly asked for and do not require consent under the ePrivacy Directive. We do not use advertising cookies or cross-site trackers.

Analytics: we run a self-hosted Umami instance at umami.hrvn.eu to count page views and a handful of click events on the marketing pages. Umami is cookieless, stores no personal data, hashes IP addresses without retaining them, and does not track you across other sites. Because no personal data is stored and no cookies or similar identifiers are used, this does not require consent under the ePrivacy Directive; the legal basis is our legitimate interest under GDPR Art. 6(1)(f) in understanding which parts of the site work.

5. Who we share data with (recipients and processors)

We share personal data only with service providers we need to run Knight Vision. Each of them processes data on our instructions under a written data-processing agreement.

  • Stripe Payments Europe, Limited(Ireland) and Stripe’s group companies — payment processing, fraud prevention, invoicing, VAT collection.
  • [PLACEHOLDER: e.g. Hetzner / Vercel / Fly.io]— application hosting.
  • [PLACEHOLDER: where the Postgres database is hosted]— hosting of the Postgres database that stores your account and drill data.
  • [PLACEHOLDER: e.g. Resend, Postmark, Amazon SES]— sending magic-link and transactional emails on our behalf.

We may also disclose data when required by law, by valid legal process, or to defend our legal rights.

Lichess.org is notour processor. When you opt in to the Lichess integration, we make calls to the public Lichess API in order to fetch your games; what we send Lichess is your username and the request itself. Lichess’s own privacy policy applies to that interaction.

6. International transfers

Most of our processors are based in the European Economic Area. Some (notably Stripe’s US affiliates and certain support subprocessors) may process limited data outside the EEA. Where that happens, transfers are protected by the European Commission’s Standard Contractual Clauses or another safeguard recognised under Articles 45 to 47 GDPR. You can ask us for a copy of the relevant safeguards at [PLACEHOLDER: privacy@yourdomain — can be the same].

7. How long we keep data

  • Account, profile, drill history, ratings: for as long as your account exists, plus a short clean-up window after you delete it.
  • Session metadata (IP / user-agent / timestamps): up to 12 months from the session expiry, then deleted.
  • Magic-link tokens: deleted automatically after they are used or after they expire (at most 15 minutes).
  • Imported Lichess games: while your account exists and your Lichess username is connected. Disconnecting the username stops further imports.
  • Invoices and accounting records: 10 years from the end of the accounting period, as required by Slovak Act No. 431/2002 Coll. on Accounting and the VAT Act.
  • Email correspondence: typically up to 3 years, longer if needed to defend a legal claim.

8. Your rights

As a data subject under the GDPR you have the following rights with respect to your personal data:

  • Access— ask whether we process data about you and get a copy.
  • Rectification— correct inaccurate or incomplete data.
  • Erasure(“right to be forgotten”) — ask us to delete your data, subject to legal record- keeping duties.
  • Restriction— ask us to pause processing in certain situations.
  • Portability— receive your data in a structured, machine-readable format and have it transferred to another controller where technically feasible.
  • Objection— object to processing based on our legitimate interest.
  • Withdraw consent— where we rely on consent you can withdraw it at any time, without affecting the lawfulness of processing before withdrawal.

Email [PLACEHOLDER: privacy@yourdomain — can be the same] to exercise any of these. We aim to reply within 30 days.

You also have the right to lodge a complaint with the Slovak supervisory authority, Úrad na ochranu osobných údajov Slovenskej republiky, Hraničná 12, 820 07 Bratislava 27 (dataprotection.gov.sk), or with the supervisory authority of the EU country where you live or work.

9. Security

We use industry-standard measures to protect your data: TLS for all traffic to [PLACEHOLDER: knightvision.app or your domain], hashed authentication tokens, principle of least privilege for who can access production data, regular dependency updates, and isolated payment processing through Stripe. No system is perfectly secure; if a breach happens, we will follow Articles 33 and 34 GDPR and notify you and the regulator where required.

10. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16 without parental consent. If you believe a child has created an account without that consent, please contact us and we will delete the account.

11. Automated decision-making

We do not use your data for automated decision-making with legal or similarly significant effects on you. The drill ratings (Glicko-2) are statistical scores about your performance — they do not decide anything about you outside the Service.

12. Changes to this policy

When we change this policy we will update the date above and, for material changes, notify you by email at least 14 days before the change takes effect.

13. Contact

Privacy questions: [PLACEHOLDER: privacy@yourdomain — can be the same]. General support: [PLACEHOLDER: support@yourdomain].