White KnightAcademy
Online chess lessons
Live, small-group classes with a real coach.
Chess lessons for beginners
Start from zero — complete beginners welcome.
Online chess coaching
A coach who knows your child — group or 1-on-1.
Learn chess online
A parent’s guide — and the fastest way to improve.
Free self-study
A free account: puzzles, homework and a report.
How it worksPricingCoachesFAQBlog
Log inStart for €5

Privacy

Privacy PolicyChildren's Privacy NoticeCookie PolicySubprocessors

Terms

Terms of Service — Parent / Guardian (for Child Accounts)Terms of Service — Adult Users (Self-Registered, Age 18+)Coach Contractor AgreementBeta Test Addendum

Conduct & safeguarding

Acceptable Use PolicySafeguarding PolicyCoach Code of Conduct

Support

Contact & Complaints
← All policies

Subprocessors — WhiteKnight Academy

Scope — where this applies. This document covers WhiteKnight Academy as a whole: both the public website at whiteknight.academy and the learning platform at analytics.whiteknight.academy. Where it refers to "the Site", "the Service", or "the Platform", it means both unless a specific one is named.

Effective date: 2026-07-02


What is a sub-processor?

A sub-processor is a third-party service that handles personal data on our behalf while we run WhiteKnight Academy. We remain responsible for what our sub-processors do with your data: each one is bound by a written Data Processing Agreement (DPA), uses your data only on our instructions, and cannot repurpose it.

We (TheBroda sp. z o.o.) act as the data controller. Our sub-processors below act as data processors.

Current sub-processor list

Last updated: 2026-07-02.

Sub-processor Role Region Data categories it processes DPA EU/UK transfer safeguard
Supabase, Inc. Authentication, database, file storage, edge functions (incl. AI-proxy to OpenAI) United States (US East / Virginia) All account, coaching, chess, billing metadata supabase.com/legal/dpa EU SCCs (Commission Implementing Decision 2021/914) incorporated in Supabase DPA
Hostinger International Ltd. Static site hosting; KVM VPS that runs the Node.js API + Stockfish batch-analysis worker; transactional SMTP for system emails Lithuania / global Chess games and positional analysis (VPS), account email + system-mail body (SMTP), static SPA bundle hostinger.com/legal/data-processing-agreement Processor DPA + SCCs for any non-EU processing
Stripe Payments Europe Ltd. (EU) / Stripe, Inc. (US) Payment processing, billing, invoicing Ireland + United States Email, name, Stripe customer ID, subscription metadata, card data (tokenised) stripe.com/legal/dpa EU SCCs via Stripe DPA; EU-issued cards processed intra-EU
Daily.co (Pluot Inc.) Live video rooms; cloud recording storage (only when recording is explicitly triggered) United States Live lesson audio/video only during the session; recordings stored 30 days then auto-deleted (see Privacy Policy § 7.3) daily.co/legal/dpa EU SCCs via Daily.co DPA
OpenAI OpCo LLC Large-language-model provider used directly via API for AI-coach chat and insights United States Aggregated chess performance statistics, recent game summaries, AI-chat conversation content (no name, email, date of birth, payment) openai.com/policies/data-processing-addendum — no training on API content per Enterprise API terms EU SCCs via OpenAI DPA; EU-US Data Privacy Framework certification
Google LLC (OAuth) OAuth identity provider — only when a user chooses "Sign in with Google" United States + global Email, profile name, avatar URL received once at sign-in cloud.google.com/terms/data-processing-addendum EU SCCs; EU-US Data Privacy Framework certification
Google LLC (Google Analytics 4) Web analytics on public marketing pages + adult-authenticated dashboards — only when the user grants analytics consent via the cookie banner; never for child accounts (see Cookie Policy § 3.5) United States + global Anonymised IP, page URLs, device/OS/browser family, session events, GA4 client ID business.safety.google/adsprocessorterms/ EU SCCs via Google DPA; EU-US Data Privacy Framework certification; GA4 consent-mode v2 enforced
Google LLC (Google Tag Manager) Tag management container (GTM-5TF7QK4N) that loads the other analytics and advertising tags based on consent state United States + global Page load events, dataLayer events (consent state, page path, content_group) — GTM itself does not set tracking cookies cloud.google.com/terms/data-processing-addendum Covered by the Google Cloud DPA + SCCs; EU-US DPF
Google LLC (Google Ads) Conversion tracking and remarketing-audience membership for our paid-acquisition campaigns — only when the user grants advertising consent United States + global Conversion events, Google advertising ID (when applicable), page URL business.safety.google/adsprocessorterms/ EU SCCs; EU-US DPF
Meta Platforms Ireland Ltd. (Facebook / Instagram Ads) Meta Pixel conversion tracking and custom-audience measurement for our campaigns on Facebook and Instagram — only when the user grants advertising consent Ireland + United States Meta browser ID (_fbp), conversion events, coarse page/URL data, hashed event parameters business.facebook.com/legal/customcontrollerterms / Meta Business Data Processing Terms EU SCCs via Meta DPA; EU-US DPF
TikTok Technology Ltd. (TikTok for Business) TikTok Pixel conversion tracking and custom-audience measurement for our TikTok-Ads campaigns — only when the user grants advertising consent Ireland + global TikTok Pixel ID (_ttp), conversion events, coarse page/URL data ads.tiktok.com/i18n/official/policy/data-processing-agreement EU SCCs via TikTok DPA
X Corp. (X Ads, formerly Twitter Ads) X Pixel conversion tracking for our X-Ads campaigns — only when the user grants advertising consent United States X advertising ID (muc_ads, personalization_id), conversion events, coarse page/URL data business.x.com/en/help/ads-policies/general-guidelines-and-policies/x-data-processing-addendum EU SCCs via X DPA
Cloudflare, Inc. (Turnstile) Bot challenge / human-verification widget on the parent-registration form — protects against mass account-creation. Triggered only when an unauthenticated user opens the parent-with-child registration page United States + global edge Source IP, browser fingerprint signals (User-Agent, screen size, language), Turnstile challenge token. No persistent identifier is set when widget runs in "managed" mode without challenge; if a visible CAPTCHA is required, a short-lived cf_chl_ cookie may be set on challenges.cloudflare.com. Discarded after the verification round-trip; not stored on our side beyond the resulting success: true response cloudflare.com/cloudflare-customer-dpa EU SCCs via Cloudflare DPA; EU-US Data Privacy Framework certification

Notes

(a) AI provider — OpenAI only. All AI features (coach chat, insights) call the OpenAI API directly from our Supabase Edge Functions. We do not use OpenRouter, Anthropic, DeepSeek, or any other LLM provider. No child or user data is transferred to the People's Republic of China.

(b) Session-replay and behaviour-watching — not used. We do not use Hotjar, Clarity, FullStory, LogRocket, or any similar session-replay service. We do not use the advanced product-analytics class of tools (Amplitude, Mixpanel, Heap, PostHog, Segment) either.

(c) Analytics and advertising off for children. Google Analytics 4 and every advertising pixel above are configured to skip any page served to a logged-in Child account, enforced at the tag-management layer (see Cookie Policy § 3.5). Children's behaviour is not aggregated, profiled, retargeted, or sent to any ad or analytics provider.

(d) No sale or share under CCPA/CPRA. The retargeting and conversion-tracking above is conducted under each platform's data-processor terms; it is not a "sale" or "share" of personal information as defined in California Civil Code §1798.140(ad).

External services we integrate with (not sub-processors)

These services are accessed only on the user's request, are not given access to data they did not already possess, and are not our sub-processors:

  • Chess.com public API (United States) — we read the linked user's public game archive using the chess.com username the user supplied. We send no personal data beyond that username.
  • Lichess public API (France / global) — same pattern with Lichess usernames.

Notice of change

When we add a new sub-processor, or change the scope of an existing one, we will:

  1. Update this page with the new row at least 30 days before the new processing begins;
  2. Email every active account holder at the registered address; and
  3. For changes that materially expand processing of children's data, obtain fresh parental consent (COPPA 16 CFR §312.5(a)(2)).

How to object

If you object to a new sub-processor, you may request to have your account suspended or deleted before the new processing begins, without penalty. Write to privacy@whiteknight.academy within 30 days of the change notice. If you are a data subject in the EU/EEA, you may also lodge a complaint with your supervisory authority (see Privacy Policy § 17).

Version history

  • 2026-07-02 — v1 (initial publication; accompanies Privacy Policy v1).

Contact

  • Privacy questions: privacy@whiteknight.academy
  • General: contact@whiteknight.academy
  • Post: TheBroda sp. z o.o., ul. Wierna 12, Warszawa, Poland

Effective date: 2026-07-02 · TheBroda sp. z o.o. · KRS 0000677402, NIP 5242831345Back to site →
White Knight Academy

Live online chess lessons for children, taught by real, vetted coaches.

Lessons
Online chess lessonsFor beginnersOnline coachingLearn chess onlineFree self-study
Academy
How it worksPricingCoachesFAQBlog
Trust
About usOnline safetySafeguardingPrivacy & GDPRTermsCookie preferences
Contact
contact@whiteknight.academyLog inStart for €5
© 2026 White Knight Academy. All rights reserved.Made with Help Context