1. Introduction
QuadChess ("the Platform," "we," "us," or "our") is committed to protecting the privacy of our users ("you" or "your"). This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
By using the Platform, you consent to the data practices described in this policy. If you do not agree, discontinue use of the Platform.
2. Information We Collect
2.1 Information from OAuth Providers
When you sign in via Google or GitHub, we receive:
- Email address
- Display name
- Profile picture URL
We do not receive or store your OAuth provider password.
2.2 Information You Provide
- Display name (if modified)
- Avatar image
- Country selection
- Polygon wallet address (for deposits and withdrawals)
2.3 Information Generated Through Use
- Gameplay data: moves, scores, match results, ratings, and game history
- Transaction data: deposit and withdrawal amounts, timestamps, transaction hashes, and wallet addresses
- Technical data: error logs (via Sentry — no personally identifiable information), connection status reports
2.4 Information We Do NOT Collect
- We do not use advertising or tracking cookies
- We do not collect IP addresses for profiling or marketing
- We do not collect device fingerprints
- We do not integrate with any third-party analytics or advertising services
3. Lawful Basis for Processing (GDPR)
For Users in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a lawful basis for processing personal data, we process your data on the following grounds:
- Contract performance: Processing necessary to provide our service — account management, matchmaking, game execution, transaction processing (Article 6(1)(b) GDPR)
- Legitimate interests: Fraud prevention, platform security, service improvement, and enforcing our Terms of Service (Article 6(1)(f) GDPR)
- Legal obligation: Compliance with applicable laws, including financial record-keeping requirements (Article 6(1)(c) GDPR)
- Consent: Where required by law and not covered by the bases above (Article 6(1)(a) GDPR)
4. How We Use Your Information
We use your information exclusively to:
- Provide, maintain, and operate the Platform;
- Create and manage your account;
- Process deposits, withdrawals, and prize distributions;
- Calculate Elo ratings and perform skill-based matchmaking;
- Detect and prevent fraud, collusion, and abuse;
- Enforce our Terms of Service and Fair Play rules;
- Respond to support requests;
- Comply with legal obligations.
We do not use your data for advertising, marketing, or profiling purposes.
5. Blockchain Data
Deposit and withdrawal transactions are recorded on the Polygon blockchain. By using the Platform's financial features, you acknowledge:
- Transaction hashes, wallet addresses, and amounts are publicly visible and permanently recorded on the blockchain;
- Blockchain data is inherently immutable and cannot be deleted, modified, or made private — this is a fundamental property of blockchain technology, not a Platform limitation;
- Your wallet address may be linked to your Platform activity by any third party analyzing public blockchain data.
6. Data Storage and Security
Your data is stored in a self-hosted PostgreSQL database on our infrastructure. We implement the following security measures:
- Server-side access control on all database tables — no direct client access;
- HTTPS encryption for all data in transit;
- Content Security Policy (CSP) headers with auto-generated nonces — no unsafe-inline scripts;
- Server-side input validation on all API endpoints;
- Request body size limits (100 KB) to prevent abuse;
- Rate limiting per endpoint to prevent brute-force attacks;
- Smart contract safeguards: operator rate limits, daily withdrawal caps, per-user cooldowns, and nonce-based replay protection.
While we implement industry-standard security practices, no system is perfectly secure. We cannot guarantee absolute security of your data.
7. Data Retention
- Account data (profile, email, display name): retained for the lifetime of your account and deleted upon account deletion request, subject to legal holds;
- Gameplay data (match history, moves, ratings): retained indefinitely for platform integrity, rating accuracy, and anti-fraud purposes;
- Transaction records (deposits, withdrawals): retained for a minimum of 5 years after account closure, as required by financial record-keeping regulations;
- Error logs (Sentry): automatically purged according to Sentry's retention policy (90 days).
8. Data Sharing
We do not sell, rent, or trade your personal information to any third party.
We may share limited data with:
- VPS hosting provider — server infrastructure (data processor);
- Sentry — error monitoring service (no personally identifiable information transmitted);
- Law enforcement or regulatory authorities — only when required by law, valid legal process, or court order.
All third-party service providers are bound by data processing agreements and are prohibited from using your data for their own purposes.
9. Public Profile Information
The following information is visible to other players on the Platform:
- Display name
- Country flag (if set)
- Elo rating
- Game statistics (games played, wins, losses)
- Avatar image
Your email address and wallet address are never displayed to other users.
10. Cookies
We use only essential cookies required for authentication and session management. We do not use:
- Advertising cookies
- Analytics or tracking cookies
- Third-party cookies
- Persistent tracking mechanisms
Because we use only strictly necessary cookies, no cookie consent banner is required under GDPR.
11. International Data Transfers
Your data may be processed in jurisdictions outside your country of residence. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:
- Selecting service providers in jurisdictions with adequate data protection (EU adequacy decisions);
- Contractual standard data protection clauses (SCCs) where required.
12. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Right of access: Request a copy of the personal data we hold about you;
- Right to rectification: Request correction of inaccurate data (you can update your display name, avatar, and country directly in your profile);
- Right to erasure: Request deletion of your account and personal data, subject to legal retention obligations (financial records) and blockchain immutability;
- Right to data portability: Request your data in a structured, machine-readable format;
- Right to restrict processing: Request that we limit how we use your data;
- Right to object: Object to processing based on legitimate interests;
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at support@quadchess.com. We will respond within 30 days.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.
13. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by GDPR);
- Notify affected Users without undue delay if the breach is likely to result in a high risk to their rights and freedoms;
- Document the breach, its effects, and remedial actions taken.
14. Automated Decision-Making
The Platform uses automated systems for:
- Matchmaking: Elo-based pairing to match players of similar skill levels;
- Game adjudication: Server-authoritative move validation and result determination;
- Fraud detection: Automated monitoring for suspicious patterns.
These systems do not make decisions that produce legal effects or similarly significant effects on you. Matchmaking and game adjudication are essential to the Platform's core function. If you believe an automated decision has affected you unfairly, contact us for human review.
15. Children's Privacy
The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete that data promptly and terminate the associated account.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the Platform at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.
Continued use of the Platform after the effective date of the revised policy constitutes acceptance of the changes.
17. Contact
For privacy-related questions, data requests, or concerns, contact us at:
support@quadchess.com