
Privacy Policy — WhiteKnight Academy

Effective date: 2026-07-02
Language: English (master). Polish and French (Quebec) translations required per Law 25 and consumer-protection practice — to be produced from this master after lawyer sign-off.


§ 0. Short summary (plain-language, non-binding)

This summary is provided for readability. The full terms in §§ 1–19 govern our obligations.

  • We are TheBroda sp. z o.o., a Polish company. We run WhiteKnight Academy across our public site https://whiteknight.academy and the learning platform https://analytics.whiteknight.academy — a chess-education platform used by children aged 6–14 with their parents'/guardians' consent.
  • We collect (i) account data, (ii) chess-performance data, (iii) messages between coaches and students, (iv) billing data (for paid plans), (v) basic usage telemetry, and (vi) lesson recordings only when a participant explicitly starts a recording (§ 7.3). We do not sell your or your child's data, and we never use children's data for advertising. On our public marketing site we use analytics and advertising cookies only if you consent (§ 3.6); a logged-in child's session blocks all such tags entirely.
  • A parent or guardian creates the child's account, consents on the child's behalf, and can delete the account or export data at any time.
  • We use sub-contractors ("subprocessors") listed in § 9. Your data may be stored or processed outside your country, with safeguards described in § 9.
  • You have rights to access, correct, delete, export, and object to processing of your data. See § 10 for the list by jurisdiction, and § 11 for how to exercise them.
  • Contact for any privacy question: privacy@whiteknight.academy.

§ 1. Who we are

Data controller:
TheBroda sp. z o.o.
ul. Wierna 12, Warszawa, Poland
KRS: 0000677402
NIP / VAT: 5242831345 (PL5242831345)
REGON: 367267919
Email: privacy@whiteknight.academy
General contact: contact@whiteknight.academy

The company is the controller of personal data processed via the Service within the meaning of GDPR Art 4(7). For data subjects in the United States we are the "business" within the meaning of CCPA §1798.140(d) and the "operator" within the meaning of COPPA 16 CFR §312.2. For Canadian data subjects we are the "organization" within the meaning of PIPEDA s.2(1) and the "enterprise" within the meaning of Quebec Law 25.

Privacy contact: We have not formally designated a Data Protection Officer under GDPR Art 37, as our core activities do not meet the thresholds of Art 37(1)(b)–(c) at beta scale. All privacy correspondence is handled by the general privacy mailbox privacy@whiteknight.academy; we will revisit DPO designation when operating at scale or if special-category processing is introduced.

Representative in the EU: TheBroda sp. z o.o. is itself established in the EU (Poland) — no Art 27 representative needed.


§ 2. Scope of this Policy

This Policy applies to:

  • use of the websites at https://whiteknight.academy (our public marketing and information site) and https://analytics.whiteknight.academy (the learning platform) (together, the "Site"),
  • use of any connected application, chess-board interface, live lesson room, puzzle/homework interface, or coach dashboard (collectively, the "Service"),
  • related email, support, and billing communications.

It does not apply to:

  • Chess.com or Lichess websites or services, which we only connect to in read-only mode using the public username you supply;
  • third-party websites linked from the Service.

§ 3. Categories of personal data we collect

We collect only the categories listed below. We do not collect special-category data within the meaning of GDPR Art 9 (e.g., health, biometrics, religion) and we do not knowingly collect data beyond what the Service needs.

are required by the beta flow but not yet implemented — must ship before Privacy Policy goes live.]

3.1. Account and identity data

| Data | Source table/field | Provided by |
|---|---|---|
| Email address | auth.users.email | User / Parent (at sign-up) |
| Display name | profiles.display_name | User / Parent |
| Avatar URL | profiles.avatar_url | OAuth provider / user upload |
| Role on platform | profiles.role (admin / coach / student / parent) | System-assigned |
| Language preference | profiles.languages | User |
| Timezone | profiles.timezone | Browser-detected |
| Learning goals, free-text | profiles.goals | User |
| Age group (categorical: child/teen/adult) | profiles.age_group | User / Parent |
| Date of birth | profiles.date_of_birth [to be added] | Parent (for child) / user (for adult) |
| Parent/guardian email (for child accounts) | profiles.guardian_email [to be added] | Parent at consent capture |
| Relationship of guardian | profiles.guardian_relationship [to be added] | Parent at consent capture |
| Parental consent record | consent_records table [to be added] | Captured during VPC flow |

3.2. Coach profile data (coaches only, age ≥18)

| Data | Source |
|---|---|
| Biography (free text) | coach_profiles.bio |
| Chess.com / Lichess handle, FIDE ID, FIDE rating | coach_profiles.chesscom_username, lichess_username, fide_id, fide_rating |
| Teaching title, specialties, approach | coach_profiles.title, specialties, teaching_approach |
| Application form data (for approval) | coach_applications.form_data (JSONB) |

3.3. Chess-performance data

| Data | Source |
|---|---|
| Imported games (PGN, result, time control, opponent handle) | games |
| Stockfish analysis results per game (move evaluations, accuracy scores) | game_analysis |
| Linked Chess.com / Lichess usernames + cached public profile/ratings | chess_sources |
| Puzzle solving attempts (correctness, time spent, hints used) | homework_attempts |
| Aggregate puzzle progress, XP, streaks, themes strong/weak | student_puzzle_stats, student_badges |

3.4. Communications and lesson content

| Data | Source |
|---|---|
| Direct messages between coach and student (text, attachments) | coach_messages |
| Coach-authored notes about a student | coach_notes |
| Live lesson metadata: room ID, slot, participants, join/leave events | lesson_rooms, lesson_presence_events |
| Lesson recordings (audio + video, only when explicitly started by a participant) — stored by Daily.co in its cloud recording storage in the United States; retained 30 days then auto-deleted | lesson_recordings (planned — storage URL + metadata only; no media held by us) |
| Homework assignment records and student responses | homework_assignments, student_response |
| In-product notifications | notifications |

Audio and video of live lessons are recorded only when a participant clicks "Start recording" and only for accounts whose parental consent covers recording. See § 7.3 for the full recording policy, retention, and access controls.

3.5. Payment data (paid plans only)

| Data | Source |
|---|---|
| Stripe customer identifier | profiles.stripe_customer_id |
| Subscription metadata (tier, status, expiry, plan, billing period) | profiles.subscription_*, subscription_history |
| Transaction history (amounts, currencies, discounts, coupons) | subscription_history |
| Stripe checkout session reference | subscription_history.stripe_checkout_session_id |

We do not store card numbers, CVV, or bank-account details. Full payment-method data is held by Stripe, our PCI-DSS Level 1 payment processor. We receive only a token and limited metadata.

3.6. Product telemetry

| Data | Source |
|---|---|
| Event type (page view, feature click, upgrade intent, report generated, filter applied, coaching interest, onboarding step, error) | user_events.event_type |
| Event payload (JSON; contains only non-sensitive context like page path, button id, chart id) | user_events.event_data |
| Browser family, operating system family, device type (mobile / desktop) | user_events.browser, os, device_type |
| Event timestamp | user_events.created_at |

IP address is not stored in our internal telemetry table.

In addition to our internal telemetry, we use Google Analytics 4 ("GA4", measurement ID G-X7TK9CHRJ5) on the public marketing pages of our Site and on adult-authenticated dashboards, subject to your analytics consent through the cookie banner. GA4 processes an anonymised IP address, page URLs and referrer, device/OS/browser family, session events, and a GA4-generated client identifier. Retention is set to 2 months. We enforce consent-mode v2: no identifying data is sent before you grant consent.

We also run advertising and remarketing pixels for our paid-acquisition campaigns on Google Ads, Meta (Facebook / Instagram), TikTok, and X. These pixels measure campaign effectiveness (conversion tracking) and may build audience-similarity segments for our own campaigns on those platforms. They fire only when you grant advertising consent through the cookie banner.

All of the above — GA4 and the advertising pixels — are loaded through Google Tag Manager (container ID GTM-5TF7QK4N), which does not itself set tracking cookies. Full details on cookie names, expiries, and retention are in the Cookie Policy §§ 3.3–3.4.

AI-assisted features (coach chat, weakness summaries, insights) call the OpenAI API directly from our backend. We send aggregated chess-performance statistics and chat-session content; we do not send your name, email, date of birth, or payment data. Under OpenAI's API terms, content submitted via the API is not retained or used to train their models. We do not use any other LLM provider (OpenRouter, Anthropic, DeepSeek, etc.).

Children's accounts are excluded from every analytics and advertising tag. When a user is logged in as a Child (under 16), no analytics or advertising pixel is loaded on any page of the session, irrespective of consent state — a tag-manager-level safeguard aligned with California AADC §22675 and ICO Children's Code. AI-assisted features for Child accounts run only when the parent has given consent during sign-up; OpenAI API requests for a Child account carry no user identifiers (no name, email, DOB, payment).

We do not use session-replay or behaviour-watching services (no Hotjar, Clarity, FullStory, LogRocket, etc.) and do not currently use the advanced product-analytics class of tools (Amplitude, Mixpanel, PostHog, etc.). Any future addition will be disclosed here, in § 9, and in the Subprocessor List, and will require consent where law requires.

3.7. Administrative logs

For users holding the admin role only, admin_audit_log may retain an IP address (admin_audit_log.ip_address) alongside administrative actions, for security and breach-forensics purposes. For non-admin users no IP is persisted by our application.

3.8. Cookies and local browser storage

See § 12 below. Short version: only strictly-necessary cookies (Supabase authentication session) are set prior to consent; UI-state items (sidebar collapse, page filters, cached chart data) are written to localStorage on the user's own device and are not transmitted to us as tracking cookies.


§ 4. Sources of personal data

  • Directly from you: sign-up form, profile edits, parental-consent form (for child accounts), coach application, homework submissions, messages, billing forms.
  • From your actions on the platform: telemetry events, chess-performance data generated as you use the Service, authentication session data.
  • From third parties with your authorisation:
    • Chess.com public API — only the usernames you provide; we retrieve your public profile and game archive.
    • Lichess public API — same as above.
    • Google OAuth (if you use "Sign in with Google") — we receive your Google email, name, and profile picture URL under the email + profile scopes.
  • Automatically: device/browser family via user-agent string; HTTP/app errors from the runtime.

We do not acquire personal data from data brokers or marketing lists.


§ 5. Purposes of processing and legal bases

The table below is the GDPR Art 13(1)(c)–(d) / Art 14(1)(c)–(d) disclosure. For CCPA/CPRA compliance, the "purpose" column doubles as the "business or commercial purpose" under §1798.100(a)(2); we list retention in § 8. For PIPEDA compliance, purposes are stated expressly per Principle 2 (Identifying Purposes).

| # | Purpose | Categories used | GDPR legal basis | COPPA basis | PIPEDA basis |
|---|---|---|---|---|---|
| P1 | Create, authenticate, and secure your account | 3.1 | Art 6(1)(b) contract | § 312.5(c)(1) internal operations | Express consent |
| P2 | Provide the chess-analytics, coaching, lesson-room, and puzzle/homework features you request | 3.1, 3.3, 3.4 | Art 6(1)(b) contract | § 312.5(c)(1) internal operations | Express consent |
| P3 | Capture and record parental consent for child accounts | 3.1 (parent contact, consent record) | Art 6(1)(c) legal obligation (GDPR Art 8); Art 8(1) parental authorisation for children under 16 | § 312.5 VPC | Consent under PIPEDA Principle 3 + guidance on minors |
| P4 | Charge for paid plans, issue invoices, comply with accounting law | 3.1, 3.5 | Art 6(1)(b) contract + Art 6(1)(c) Polish Accounting Act, Ordynacja podatkowa | § 312.5(c)(1) internal operations | Necessary for a transaction (PIPEDA Principle 3, s.7(1)(a)) |
| P5 | Operate, maintain, and improve the Service (bug fixes, performance, aggregated product analytics) | 3.6 | Internal telemetry: Art 6(1)(f) legitimate interest, with opt-out via § 10.1 and no IP stored. Google Analytics 4: Art 6(1)(a) consent, captured via cookie banner; denied by default for Children | § 312.5(c)(2) "support for internal operations" for internal telemetry; § 312.2 "directed to children" rules exclude GA4 on Child-account pages | Consent per Cookie Policy |
| P6 | Generate AI-assisted insights (coach reports, personalised tips, weakness detection) | 3.3 + aggregated stats | Art 6(1)(b) contract (user-requested feature) | § 312.5(c)(1) internal operations — AI output is shown only to the child, parent and linked coach | Express consent at the feature-enablement point |
| P7 | Send transactional email (password reset, homework assigned, lesson reminders, account notices) | 3.1 | Art 6(1)(b) contract | § 312.5(c)(1) | Implied consent — transactional relationship |
| P8 | Prevent fraud and abuse; enforce our Terms | 3.1, 3.6, 3.7 | Art 6(1)(f) legitimate interest | § 312.5(c)(4) safety and security | Security exception (PIPEDA s.7(3)) |
| P9 | Comply with legal obligations, respond to lawful requests | Any as applicable | Art 6(1)(c) | § 312.5(c)(6) compliance with law | PIPEDA s.7(3)(c) |
| P10 | Measure paid-acquisition campaign effectiveness and build audience-similarity segments on ad platforms — public marketing pages only, never for Children | 3.6 | Art 6(1)(a) consent, via the cookie banner | § 312.2 — not directed to children; blocked on Child-account pages | Consent per Cookie Policy |

We do not process your data for:

  • advertising profiling or targeting that uses a child's personal data — a logged-in child's session blocks all analytics and advertising tags at the tag-management layer (see § 6 and Cookie Policy § 3.5),
  • selling or sharing personal data for a third party's own advertising within the meaning of CCPA/CPRA §1798.120,
  • automated decisions with legal or similarly significant effects under GDPR Art 22 (see § 14).

On our public marketing pages only, and only with your consent, we use analytics (GA4) and advertising/remarketing cookies to measure and improve our paid-acquisition campaigns — see § 3.6 and purpose P10 above.


§ 6. Children's data — how we handle it

This section is in addition to the rest of the Policy. For a plain-language version specifically for parents and children, see our separate Children's Privacy Notice at https://whiteknight.academy/legal/children.

6.1. Our age model

  • Under age 16 ("Children"): account may be created only by a parent or legal guardian. The parent is the party agreeing to our Terms and providing consent. The child is the user, but not the contracting party.
  • Ages 16–17: may register themselves, but we treat their data with the same safeguards as Children's data and recommend parental involvement.
  • Age 18 and over: may register themselves. Only users aged 18+ may register as Coaches.

We chose 16 as the single threshold because:

  • it is the highest digital-consent age permitted by GDPR Art 8 and the figure set by Poland under ustawa o ochronie danych osobowych of 10 May 2018 (Art 5), the member state of our establishment;
  • it maintains compliance with COPPA (16 CFR §312) for all US under-13 users — who are subject to COPPA regardless of threshold choice, because our Service is "directed to children under 13" within the meaning of §312.2 (target audience 6–14, chess puzzles, XP/badges, child-oriented visuals);
  • it yields a single, uniform consent flow rather than country-specific branching, reducing the risk of misapplied consent.

6.2. Parental consent — how we obtain it

We obtain Verifiable Parental Consent ("VPC") before we collect, use, or disclose personal information from a Child, as required by 16 CFR §312.5 (COPPA) and GDPR Art 8.

For the free beta period we rely on the "email-plus" method authorised by 16 CFR §312.5(c)(2), because:

  • we do not disclose personal information to third parties for the third party's own purposes — our subprocessors (§ 9) are contractually limited to processing on our instructions;
  • consent use is confined to providing the Service and sending notices to the parent about the child's account.

The email-plus flow:

  1. Parent fills the consent form, supplying their own email, relationship to the child, and the child's date of birth.
  2. Parent confirms consent via a link sent to their email.
  3. We send a follow-up confirmation email to the same parent address at least 24 hours later, providing an option to withdraw consent.
  4. We store a consent record containing: timestamp, parent email, parent IP at consent, consent-text version, child reference.

For paid accounts (Phase 2), we will upgrade to a VPC method meeting §312.5(b)(2)(ii) — card-verification consent (paired with the payment transaction), per U.S. FTC guidance.

6.3. What parents can do

A parent or guardian who has provided consent may at any time:

  • review the Child's personal information (COPPA §312.6(a)(1)),
  • refuse to permit further collection (§312.6(a)(2)),
  • request deletion of the Child's personal information (§312.6(a)(3)).

Requests can be submitted via privacy@whiteknight.academy or via the in-app DSAR portal (§ 11). We will verify the parent's identity via the email on file for the child's account and complete the request within 10 business days (COPPA FTC guidance) and in any case within 30 days (GDPR Art 12(3), PIPEDA Principle 9).

6.4. What we do NOT do with children's data

  • We do not condition participation in an activity on disclosure of more personal information than reasonably necessary (COPPA §312.7).
  • We do not use children's data for behavioural advertising, profiling to predict/influence behaviour, or cross-context ad tracking (California AADC §22675 — high-privacy default).
  • We do not sell or share children's personal information for cross-context behavioural advertising under CCPA/CPRA §1798.120, §1798.121.
  • We do not use "dark patterns" to obtain consent (California AADC §22677; CPRA §1798.140(l)).
  • We do not apply automated decision-making that produces legal or similarly significant effects on a child (GDPR Art 22(1); Quebec Law 25, art. 12.1).

6.5. Data Protection Impact Assessment (AADC)

As required by California AADC §22676, we conduct and maintain a Data Protection Impact Assessment for each feature accessible to children. The current DPIA is held internally (see legal/internal/dpia.v1.md); we will make it available to the California Attorney General on written request.


§ 7. Specific processing activities

7.1. Chess-performance analysis

We run positional analysis on imported games using the Stockfish chess engine:

  • lightly (single positions) in the user's browser via WebAssembly;
  • more deeply (full-game batch) on our Hostinger VPS server (§ 9).

Results are written to game_analysis and shown only to the child, their parent, and coaches linked to the child.

7.2. AI-assisted insights (OpenAI API)

Some features (coach report summaries, personalised tips, weakness detection, the AI-coach chat) call OpenAI's API directly from our Supabase Edge Functions (§ 9). What we send:

  • aggregated chess performance statistics (games played, rating trend, opening mix, accuracy percentiles),
  • recent game summaries (opening, result, accuracy — no PGN by default),
  • the conversation history of the current AI-chat session.

What we do not send:

  • the user's name or email,
  • the user's date of birth,
  • payment information,
  • messages from coach-student chat.

Per OpenAI's API terms of use, content submitted via the API is not retained beyond 30 days for abuse monitoring and is not used to train OpenAI's models. We do not use any other LLM provider — no OpenRouter, no Anthropic, no DeepSeek, no Google Gemini. If we later add a provider, we will update this Policy, the Subprocessor List, and the RoPA/DPIA in advance.

7.3. Live video lessons and recordings

Live lessons are provided via Daily.co (§ 9). When a lesson starts:

  • we create a room on Daily.co with an opaque random identifier;
  • no name, email, or child metadata is sent to Daily.co at room creation;
  • the room is set to expire 4 hours after creation.

Recording is disabled by default. A recording only begins if a participant with appropriate role (coach, or the student themselves) explicitly clicks "Start recording" during the session. When a recording is active:

  • a visible "REC" indicator is shown to every participant throughout the session;
  • if the session involves a Child account whose parent has not ticked the "allow lesson recording" box at account creation (§ 6.2), our client blocks the recording action and displays a message explaining that parental consent for recording was not granted;
  • the audio+video stream is stored in Daily.co cloud recording storage (United States);
  • we store in our database only the recording metadata (lesson_recordings table, planned): recording ID, lesson slot, start/end timestamps, initiator user ID, Daily.co storage URL.

Retention: recordings auto-delete 30 days after the recording end. The auto-deletion is configured on Daily.co (recordings_storage_retention_days: 30) and the metadata row is also purged from our database on the same schedule.

Who can access a recording:

  • the student whose lesson was recorded,
  • the parent/guardian linked to that child account,
  • the coach who led the session (and only that coach),
  • our administrative staff, for the limited purpose of safeguarding investigations and abuse-report handling (GDPR Art 6(1)(f) legitimate interest; COPPA §312.5(c)(4)). Every admin access is logged in admin_audit_log with a purpose field and is subject to need-to-know review.

What we do NOT do with recordings:

  • train artificial intelligence on them,
  • share them with third parties (other than the Daily.co storage subprocessor),
  • use them for marketing, advertising, product demos, or any secondary purpose,
  • export them outside the authorised access list above.

Parents may withdraw recording consent at any time; from that moment no new recordings can be made on the child's account, and the parent can request deletion of existing recordings via § 11. Under COPPA §312.6(a)(3), the parent may also request deletion before the 30-day window.

7.4. Notifications

We send transactional email via Hostinger SMTP (§ 9) for password reset, homework-assigned notices, lesson reminders, and billing events. We do not send marketing email during the beta period; a separate opt-in will govern any future marketing under CASL s.6, CAN-SPAM, GDPR Art 6(1)(a), and PECR.


§ 8. Retention

Current state (as of effective date): account and related records are retained for the lifetime of the account; we do not currently run automated deletion.

| Data category | Proposed retention | Rationale |
|---|---|---|
| Account (profiles, auth, consent records) | While account is active, plus 30 days grace after explicit deletion request | User-driven deletion |
| Chess-performance data (games, analyses) | Same as account; deleted on account deletion | Bound to account lifecycle |
| Coach–student messages | 2 years rolling; deletable per request | Pedagogical history + safeguarding audit |
| Homework attempts, stars, XP | Same as account | Progress continuity |
| Parental consent records | 10 years from consent or until dispute-resolution period ends (whichever is longer) | Proof of consent (COPPA §312.5 + limitation periods in PL/US/CA) |
| Billing records (invoices, Stripe references) | 5 years (Polish Accounting Act, Art 74(2)(4)) | Tax/accounting law — overrides deletion requests |
| Product telemetry | Rolling 18 months aggregated, 0 day user-identified (planned hash-and-discard) | Service-improvement window |
| Admin audit logs | 3 years | Security / breach forensics |
| Live-lesson metadata (room, presence events) | Same as account lifecycle | Pedagogical record |
| Lesson recordings (audio + video) | 30 days from recording end, then auto-deleted | Limited pedagogical replay window + safeguarding-review window (see § 7.3) |
| Daily.co room metadata | Rooms expire 4 h after creation (server-side); presence log retained per row above | Ephemeral resource |

When a retention period ends or a valid deletion request is honoured, we delete the data or irreversibly pseudonymise it such that it cannot be linked to an individual.


§ 9. Sub-processors and international data transfers

We use the following sub-processors to provide the Service. "Data categories" refers to the categories defined in § 3. Our public, always-current subprocessor list is at https://whiteknight.academy/legal/subprocessors; where that list differs from this table, the public list controls.

| Sub-processor | Role | Location | Data categories | Safeguard for EU/UK transfers |
|---|---|---|---|---|
| Supabase Inc. | Authentication, database, storage, edge functions | United States (US East / Virginia) | 3.1–3.7 (essentially all) | EU Commission SCCs (2021/914) incorporated in Supabase's DPA; Transfer Impact Assessment held internally |
| Hostinger International | Static site hosting + KVM VPS (Node.js API + Stockfish batch analysis) + transactional SMTP | Lithuania / global | 3.1 (email body), 3.3 chess data (via VPS), 3.4 metadata | Processor DPA + SCCs where applicable |
| Stripe Payments Europe Ltd. (EU) / Stripe Inc. (US) | Payments, billing | Ireland + United States | 3.1 (email, name), 3.5 (tokenised payment data) | Intra-EU for EU-issued cards; SCCs for US processing |
| Daily.co (Pluot Inc.) | WebRTC live video rooms; cloud recording storage when recording is explicitly triggered (§ 7.3) | United States | Room traffic: no personal identifiers sent at room creation. Recordings: audio + video of the session, retained 30 days | SCCs incorporated in Daily.co's DPA |
| OpenAI OpCo LLC | Direct LLM provider for AI-coach chat and insights | United States | 3.3 aggregated chess stats + recent game summaries; AI-chat session content (no name, email, DOB, payment) | SCCs via OpenAI DPA; EU-US DPF; no training on API content per OpenAI API terms |
| Google LLC (OAuth) | OAuth identity provider (only when user signs in with Google) | United States + global | Email, profile name, avatar URL at moment of sign-in | Google Cloud DPA + SCCs; EU-US Data Privacy Framework certification |
| Google LLC (Google Tag Manager) | Tag container GTM-5TF7QK4N loading the analytics and advertising tags below based on consent state | United States + global | Page-load events; dataLayer events (consent state, page path, content_group) — no tracking cookies set by GTM itself | Google Cloud DPA + SCCs + DPF |
| Google LLC (Google Analytics 4) | Web analytics on public marketing pages and adult-authenticated dashboards — only when analytics consent is granted; never on Child-account pages | United States + global | Anonymised IP, page URLs, device/OS/browser family, session events, GA4 client ID stored in _ga/_ga_* cookies | Google Ads Data Processing Terms + SCCs + DPF; consent-mode v2 enforced |
| Google LLC (Google Ads) | Paid-ads conversion tracking and remarketing — only when advertising consent is granted; never on Child-account pages | United States + global | Conversion events, Google advertising ID, page URL | Google Ads Data Processing Terms + SCCs + DPF |
| Meta Platforms Ireland Ltd. | Meta Pixel for Facebook / Instagram Ads conversion tracking and custom audiences — only when advertising consent is granted; never on Child-account pages | Ireland + United States | Meta browser ID (_fbp), conversion events, coarse page URL | Meta Business Data Processing Terms + SCCs + DPF |
| TikTok Technology Ltd. | TikTok Pixel for TikTok-Ads conversion tracking — only when advertising consent is granted; never on Child-account pages | Ireland + global | TikTok Pixel ID (_ttp), conversion events, coarse page URL | TikTok Business Data Processing Terms + SCCs |
| X Corp. | X Pixel for X-Ads conversion tracking — only when advertising consent is granted; never on Child-account pages | United States | X advertising IDs (muc_ads, personalization_id), conversion events, coarse page URL | X Data Processing Addendum + SCCs |
| Cloudflare Inc. (Turnstile) | Bot challenge / human-verification widget on the parent-with-child registration form. Triggered only for unauthenticated visitors of that one form to prevent automated mass-registration | United States + global edge | 3.1 (email entered into the form), source IP, browser fingerprint signals (User-Agent, screen size, language). A short-lived cf_chl_ cookie is set on challenges.cloudflare.com only when a visible CAPTCHA is required (the default "managed" mode skips the cookie when the visitor is judged human) | Cloudflare Customer DPA + SCCs (2021/914); EU-US Data Privacy Framework certification |
| Chess.com Inc. (public API, outbound read) | Read-only game sync at user request | United States | Outbound only: username the user chose to link | Not a processor — user-initiated disclosure to an independent service |
| Lichess.org (public API, outbound read) | Read-only game sync at user request | France / global | Outbound only: Lichess username | Intra-EU for hosting |

International transfers, EU/UK data subjects: transfers to the United States and other non-EU jurisdictions are made under Commission Implementing Decision (EU) 2021/914 Standard Contractual Clauses, supplemented where required by Transfer Impact Assessment (TIA) and technical and organisational measures described in § 13. You may request a copy of the SCCs applicable to your data at privacy@whiteknight.academy.

Canadian data subjects: transfers to the United States and Europe are made subject to contractual protections equivalent to PIPEDA's Accountability Principle. For Quebec residents, we maintain the written Privacy Impact Assessment required by Law 25 art. 17, covering each transfer outside Quebec.

Changes to sub-processors: we post new subprocessors to https://whiteknight.academy/legal/subprocessors at least 30 days before they begin processing personal data, giving data subjects and coach-contractors time to object.


§ 10. Your rights

This section lists your rights. See § 11 for how to exercise them.

10.1. Data subjects in the EU / EEA (GDPR Arts 15–22)

| Right | GDPR | Short description |
|---|---|---|
| Access | Art 15 | Get a copy of your data |
| Rectification | Art 16 | Fix errors |
| Erasure ("right to be forgotten") | Art 17 | Delete your data (subject to exceptions in Art 17(3)) |
| Restriction | Art 18 | Temporarily pause processing |
| Portability | Art 20 | Get a machine-readable export |
| Object | Art 21 | Object to processing based on legitimate interest (P5, P8) |
| Not be subject to automated decisions | Art 22 | We do not make such decisions — see § 14 |
| Withdraw consent | Art 7(3) | Where processing is based on consent, withdrawal takes effect going forward |

10.2. Data subjects in Poland (GDPR + Polish ustawa o ochronie danych osobowych)

In addition to § 10.1, you have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO) — see § 17.

10.3. California residents (CCPA/CPRA)

| Right | CCPA/CPRA | Short description |
|---|---|---|
| Right to know | §1798.110, §1798.115 | Categories and specific pieces of personal information we collect |
| Right to delete | §1798.105 | Subject to §1798.105(d) exceptions |
| Right to correct | §1798.106 | |
| Right to opt out of sale or sharing | §1798.120 | We do not sell or share personal information. |
| Right to limit use of sensitive personal information | §1798.121 | We do not use sensitive PI beyond the purposes in §1798.121(a)(1)(A)–(E). |
| Right to non-discrimination | §1798.125 | We will not penalise you for exercising rights |

California consumers under 16: we must obtain opt-in consent to sell or share their personal information under §1798.120(c). Since we do not sell or share, this is stated here for transparency.

10.4. Virginia / Colorado / Connecticut / Utah / Texas etc. (state privacy laws)

Data subjects in states with omnibus privacy laws have rights substantially similar to § 10.3, including access, correction (where applicable), deletion, portability, and opt-out of targeted advertising and sale. We do not engage in targeted advertising or sale. We will honour these rights per the applicable state's requirements.

10.5. Canadian residents (PIPEDA)

| Right | PIPEDA | Short description |
|---|---|---|
| Access | Principle 9 (s.8–9) | Request access to personal information |
| Correction | Principle 9 (s.9(5)) | Request correction of inaccurate information |
| Withdrawal of consent | Principle 3 (s.4.3.8) | Subject to legal/contractual restrictions |
| Complaint | s.11 | Lodge a complaint with us or the OPC — see § 17 |

10.6. Quebec residents (Law 25)

In addition to § 10.5:

| Right | Law 25 | Short description |
|---|---|---|
| Right of access and correction | Art 27, 28 | Same as PIPEDA but with 30-day response deadline |
| Right to data portability | Art 27 (as amended Sept 2024) | Machine-readable export |
| Right to cessation of dissemination / de-indexing | Art 28.1 | For harm to reputation/privacy |
| Right to be informed of automated decisions | Art 12.1 | See § 14 |

10.7. Children's rights

The rights above apply equally to children. For Children under the age threshold (see § 6.1), rights are exercised by the parent/guardian who consented. A Child who becomes an adult while holding an account may elect to convert their account to adult status.


§ 11. How to exercise your rights

  • In-app DSAR portal: https://analytics.whiteknight.academy/dashboard/settings/privacy — export, delete, correct your data with a single click (T4 + T5 in our roadmap; will be live by effective date).
  • Email: privacy@whiteknight.academy. Please state which right you are exercising, the account email or child's account email, and the jurisdiction whose law you are invoking.
  • Post (if you prefer): TheBroda sp. z o.o., ul. Wierna 12, Warszawa, Poland, attention: "Privacy".

11.1. Verification

For security reasons we verify identity via the account email on file. For child accounts, the parent/guardian on file verifies. If we cannot verify your identity with the information available, we may ask for reasonable additional information (CCPA Regs. §7062; COPPA §312.6(a); PIPEDA s.9(1)).

11.2. Response times

  • GDPR: within 1 month of receipt (Art 12(3)); extendable by 2 months for complex requests with notice.
  • CCPA/CPRA: within 45 days, extendable by 45 days with notice (§1798.130(a)(2)).
  • PIPEDA / Quebec Law 25: within 30 days.
  • COPPA parental requests: "reasonably timely" (FTC guidance ≈ 10 business days for straightforward requests).

We will honour the shortest applicable deadline if multiple laws apply to your request.

11.3. Fees

Requests are free. We may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to act, per GDPR Art 12(5), CCPA §1798.145(g)(3), PIPEDA s.9(4).

11.4. Appeals

If we deny your request in whole or in part, you may:

  • in the EU: lodge a complaint with your supervisory authority (§ 17),
  • in California: appeal to us within 45 days of the denial; we will respond within 45 days (Virginia §59.1-577 and similar states have identical appeal mechanics),
  • in Canada: lodge a complaint with the Office of the Privacy Commissioner of Canada (§ 17),
  • in Quebec: lodge a complaint with the Commission d'accès à l'information (§ 17).

§ 12. Cookies and similar technologies

See our full Cookie Policy at https://whiteknight.academy/legal/cookies.

Short version:

  • Strictly necessary (set without consent — ePrivacy Art 5(3) carve-out, CCPA "service provider" carve-out): Supabase auth-session cookie, CSRF token, consent record.
  • Functional (set after consent): language preference, sidebar collapse state (stored in localStorage, not a cookie).
  • Analytics (set only after you consent; never on Child pages): Google Analytics 4 (_ga, _ga_*).
  • Advertising / remarketing (set only after you consent; never on Child pages): Google Ads, Meta, TikTok and X conversion / retargeting pixels — see Cookie Policy § 3.4 for names and expiries.

Our cookie banner lets you accept, reject, and configure categories, and remembers your choice. You can change your preferences at any time via https://analytics.whiteknight.academy/dashboard/settings/cookies.


§ 13. Security

We apply the technical and organisational measures required by GDPR Art 32 and expected under COPPA §312.8. Current measures include:

  • encryption in transit (TLS 1.2+) between all clients and all our servers and sub-processors;
  • encryption at rest for Supabase-managed databases and Hostinger-managed VPS volumes;
  • Row-Level Security on every user-scoped table (so that users cannot access other users' data via the API even if a bug in the app were present);
  • principle of least privilege for internal staff access; no routine access by any staff member to live user data;
  • separation of the SUPABASE_SERVICE_ROLE_KEY to server-only contexts; frontend code never holds it;
  • regular password-rotation policy for administrative accounts; 2FA required for administrative accounts;
  • automated security updates on the VPS host;
  • logging of administrative actions in admin_audit_log.

No security measure is perfect. Please tell us if you see anything that could be a security issue: security@whiteknight.academy.


§ 14. Automated decision-making and AI

We do not use automated decision-making that produces legal or similarly significant effects on you within the meaning of GDPR Art 22(1), Quebec Law 25 art. 12.1, or California Civil Code §1798.185(a)(16).

We do use AI models for feature P6 (insights and tips). Those outputs are advisory content shown to users; no account access, pricing, or other consequential decision is made automatically by the AI.

When required by law (e.g., Law 25 art. 12.1), we will give the user, on request:

  • a description of the personal information used by the decision,
  • the reasons and principal factors and parameters leading to the decision,
  • the right to submit observations for reconsideration by a natural person.

§ 15. Automated decision logging is disabled for children

Per California AADC §22675(d) and ICO Code "Best interests of the child", we disable any automated profiling of children by default. Children will not receive content recommendations based on inferences about their behaviour unless the parent has expressly configured it.


§ 16. Marketing communications

During the free beta, we do not send marketing communications. Transactional email (account, billing, homework, lesson reminders) is sent as described in § 7.4.

When we introduce marketing (Phase 2), we will:

  • obtain express consent under CASL s.6, PECR regulation 22, and GDPR Art 6(1)(a) — or rely on the soft opt-in where its conditions are met (existing customer, similar products, clear opt-out — PECR reg. 22(3));
  • provide a working unsubscribe link in every marketing message (CAN-SPAM §7704(a)(3), CASL s.11, PECR reg. 22(2));
  • never send marketing communications to known-child accounts.

§ 17. Supervisory authorities / complaint bodies

You may always contact us first (privacy@whiteknight.academy). If you believe our handling of your personal data violates applicable law, you may also file a complaint with the authority competent for your jurisdiction:

  • Poland / EU: Prezes Urzędu Ochrony Danych Osobowych (President of the Personal Data Protection Office), ul. Stawki 2, 00-193 Warszawa, Poland. https://uodo.gov.pl/
  • Other EU member states: your national Data Protection Authority (list: https://edpb.europa.eu/about-edpb/about-edpb/members_en ).
  • United States federal (COPPA): Federal Trade Commission, Consumer Response Center — https://reportfraud.ftc.gov/
  • California: California Privacy Protection Agency — https://cppa.ca.gov/
  • Virginia, Colorado, Connecticut, Texas, Utah, etc.: State Attorney General's office.
  • Canada federal: Office of the Privacy Commissioner of Canada — https://www.priv.gc.ca/
  • Quebec: Commission d'accès à l'information du Québec — https://www.cai.gouv.qc.ca/
  • British Columbia / Alberta: respective provincial privacy commissioners.

§ 18. Changes to this Policy

We may update this Policy from time to time. When we make material changes we will:

  • post the updated Policy with a new "Effective date";
  • notify account holders by email at least 15 days before the change takes effect;
  • for changes that materially expand processing of children's data, obtain fresh parental consent (COPPA §312.5(a)(2) — material change).

A full version history is kept at https://whiteknight.academy/legal/privacy/history.


§ 19. Contact

  • Privacy contact: privacy@whiteknight.academy
  • Security: security@whiteknight.academy
  • General: contact@whiteknight.academy
  • Post: TheBroda sp. z o.o., ul. Wierna 12, Warszawa, Poland

Annex A — Data categories quick reference (for data-mapping)

(For lawyer cross-reference with RoPA Annex 1 and DPIA §4. To be kept consistent with §§ 3 and 9 of the Policy.)

| Category | Sensitive (Art 9)? | Source table | Recipients | Retention (target) |
|---|---|---|---|---|
| Account identity | No | profiles, auth.users | Supabase, VPS, Hostinger SMTP (email only) | Account lifetime |
| Child's DOB, parent contact, consent | No — but high-risk per AADC/ICO | profiles + consent_records (planned) | Supabase only | 10 yrs (consent), account lifetime (DOB) |
| Chess-performance | No | games, game_analysis, puzzle_* | Supabase, VPS (Hostinger), OpenAI (aggregated) | Account lifetime |
| Messages | No — but may contain sensitive text | coach_messages, coach_notes | Supabase only | 2 yrs rolling |
| Lesson metadata | No | lesson_rooms, lesson_presence_events | Supabase, Daily.co (opaque IDs only) | Account lifetime |
| Lesson recordings (audio + video) | No (likeness, not GDPR Art 9 biometric) — but classed "high-risk" per AADC/ICO | lesson_recordings (URL + metadata in Supabase); media in Daily.co cloud storage (US) | Supabase, Daily.co | 30 days (auto-delete) |
| Billing | No | subscription_history | Supabase, Stripe, accounting system | 5 yrs (PL Accounting Act) |
| Telemetry | No — but linked to child | user_events | Supabase only | 18 months rolling |
| Admin audit | No | admin_audit_log | Supabase only | 3 yrs |

Annex B — Statute short-form citations

| Short form | Full name |
|---|---|
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 |
| ePrivacy Directive | Directive 2002/58/EC |
| UŚUDE | Ustawa z dnia 18 lipca 2002 r. o świadczeniu usług drogą elektroniczną (Dz.U. 2020 poz. 344) |
| PL-DPA | Ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych |
| DSA | Regulation (EU) 2022/2065 |
| COPPA | 16 CFR Part 312 |
| CCPA/CPRA | California Civil Code §§1798.100–1798.199.100 |
| AADC (California) | California Civil Code §§1798.99.28–40 (Age-Appropriate Design Code Act) |
| VCDPA | Va. Code §§59.1-571–581 |
| CPA (Colorado) | Colo. Rev. Stat. §§6-1-1301–1313 |
| PIPEDA | Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 |
| Quebec Law 25 | An Act respecting the protection of personal information in the private sector (CQLR c. P-39.1), as amended |
| PECR | Privacy and Electronic Communications (EC Directive) Regulations 2003 (UK) |
| CASL | An Act to promote the efficiency and adaptability of the Canadian economy (S.C. 2010, c. 23) |
| CAN-SPAM | Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, 15 U.S.C. §§7701–7713 |
| SCCs | Commission Implementing Decision (EU) 2021/914 |

Effective date: 2026-07-02 · TheBroda sp. z o.o. · KRS 0000677402, NIP 5242831345