Privacy Policy — Realtime Chess
This privacy policy describes what data is processed when using the "Realtime Chess" app and the associated website. Since the app operates without user accounts, data processing is minimal.
As of: March 20, 2026
Controller
Jirko Cernik
Ursrainer Ring 89/1
72076 Tübingen, Germany
Tel.: +49 7071-9209314
Email: realtimebudget@intercyloon.de
Legal notice: link
Overview of Processing Activities
Types of Processed Data
- Usage data (game moves, matchmaking requests).
- Log data (server log files).
- Meta and procedural data (IP addresses, timestamps, HMAC signatures, random tokens).
- Referral data (referral codes, MD5-hashed IP addresses).
Categories of Affected Individuals
- App users (players).
- Website visitors.
- Communication partners.
Purposes of Processing
- Providing the real-time chess game (online matches, AI games).
- Matchmaking (finding opponents by rating and mode).
- Referral program (associating referral links with app installations).
- Security measures (HMAC signing, rate limiting).
- Communication (responding to inquiries).
Applicable Legal Bases
Applicable legal bases under the GDPR: Below, you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6(1)(a) GDPR) — The data subject has given consent to the processing of their personal data for a specific purpose or multiple specific purposes.
- Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR) — The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures requested by the data subject.
- Legitimate interests (Art. 6(1)(f) GDPR) — The processing is necessary to protect the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject requiring the protection of personal data do not outweigh those interests.
National data protection regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany. This includes the Federal Data Protection Act (Bundesdatenschutzgesetz — BDSG). The BDSG contains special provisions regarding the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making on an individual basis, including profiling. Furthermore, state data protection laws of individual federal states may also apply.
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of threats to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability, and separation. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, data deletion, and responses to data threats. We also consider the protection of personal data during the development or selection of hardware, software, and procedures in accordance with the principles of data protection by design and by default.
TLS/SSL encryption (HTTPS): All data transmissions between the app and the server, as well as between the website and the browser, are conducted over HTTPS (TLS-encrypted).
HMAC-SHA256 signing: All API requests from the app are signed with HMAC-SHA256. Each request includes a timestamp and a unique random number (nonce) to prevent replay attacks and tampering. The server rejects requests with an invalid or missing signature.
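A server-side check of this kind can be sketched as follows. This is an added example, not the app's or server's own code: the canonical message layout, the 300-second freshness window, the in-memory nonce store, and the names RequestVerifier, sign and verify are all assumptions.

```python
import hashlib
import hmac
import time


class RequestVerifier:
    """Server-side check of HMAC-SHA256 signed requests (timestamp + nonce)."""

    def __init__(self, key: bytes, max_skew: int = 300):
        self.key = key
        self.max_skew = max_skew  # assumed freshness window, in seconds
        self.seen = {}            # nonce -> time after which it can be forgotten

    def sign(self, method, path, timestamp, nonce, body: bytes) -> str:
        # Hypothetical canonical form: newline-joined fields (which must not
        # contain newlines themselves) plus the SHA-256 of the body.
        fields = [method, path, str(int(timestamp)), nonce,
                  hashlib.sha256(body).hexdigest()]
        msg = "\n".join(fields).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def verify(self, method, path, timestamp, nonce, body, signature, now=None):
        now = time.time() if now is None else now
        if not signature:
            return "missing signature"
        expected = self.sign(method, path, timestamp, nonce, body)
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad signature"
        if abs(now - timestamp) > self.max_skew:
            return "stale timestamp"
        # Forget nonces whose requests would fail the freshness check anyway.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if nonce in self.seen:
            return "replayed nonce"
        self.seen[nonce] = timestamp + self.max_skew
        return "ok"


if __name__ == "__main__":
    v = RequestVerifier(b"constructed-demo-key")   # constructed key
    body = b'{"move": "e2e4"}'                     # constructed request body
    sig = v.sign("POST", "/move", 1000, "nonce-1", body)
    print(v.verify("POST", "/move", 1000, "nonce-1", body, sig, now=1010))
    print(v.verify("POST", "/move", 1000, "nonce-1", body, sig, now=1020))
```

The nonce store only has to remember a nonce for as long as its timestamp would still pass the freshness check, which keeps the store bounded.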
Data Storage and Deletion
We delete personal data as soon as the purpose of processing no longer applies and no legal retention obligations exist. The following specific retention periods apply:
- Game rooms (online matches): Automatically deleted after 2 hours (7,200 seconds TTL).
- Matchmaking queue: Entries are deleted immediately after a successful match or cancellation.
- Referral click data (MD5-hashed IPs): Automatically deleted after 24 hours.
- Referral activation records: Stored permanently (abuse prevention — prevents multiple activations of the same code).
- Server log files: Maximum 30 days, then deleted or anonymized.
- Game statistics: Stored permanently, aggregated and without player identifiers.
Rights of Data Subjects
Under the GDPR, data subjects have various rights, particularly arising from Articles 15 to 21 of the GDPR:
- Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.
- Right to Withdraw Consent: You have the right to withdraw consent you have given at any time.
- Right to Access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to access this data, along with additional information and a copy of the data in accordance with legal requirements.
- Right to Rectification: You have the right, in accordance with legal requirements, to request the completion of your personal data or the rectification of inaccurate data concerning you.
- Right to Erasure and Restriction of Processing: You have the right, in accordance with legal requirements, to request the immediate erasure of personal data concerning you or, alternatively, to request restriction of processing of the data.
- Right to Data Portability: You have the right to receive the personal data concerning you that you have provided to us, in a structured, commonly used, and machine-readable format, or to request its transmission to another controller in accordance with legal requirements.
- Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the provisions of the GDPR.
Web Hosting and Server Log Files
We use rented storage space and computing capacity for providing our website and game server. The server is located in Germany.
- Processed data types: Usage data (pages accessed, access times); meta and procedural data (IP addresses, timestamps, browser type, operating system, referrer URL); log data (server log files).
- Affected individuals: Website visitors, app users.
- Purposes of processing: Providing the website and game server; security measures (detection of DDoS attacks and abuse); ensuring server stability.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized.
Mobile App: Local Data Storage
The app stores the following data exclusively on your device (using SharedPreferences). This data is not transmitted to our server (exceptions noted below):
- Avatar seed (random number for generating your procedural pixel-art avatar)
- Elo rating and HMAC-signed rating proof
- XP, level, daily quest progress, streak counter
- Preferred matchmaking mode (realtime, blitz, random)
- Cosmetic selections (board theme, piece set, board border, background, effects, etc.)
- Referral code, referral status, reward counter
Exceptions: During online matches, the rating proof and avatar seed are transmitted to the server to enable matchmaking and display your avatar to your opponent.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — required for the functionality of the app.
Game Server Communication
During online matches, the following data is transmitted to our server and stored temporarily:
- Game room: Room ID (random 5-digit number), board position, moves, player tokens (randomly generated per game), avatar seeds of both players. Automatically deleted after 2 hours.
- Matchmaking: Elo rating, preferred game mode, avatar seed, and a random token. Entries are deleted immediately after a successful match or cancellation.
- Game statistics: Game results are stored per month for aggregate statistics. These contain no player identifiers.
- AI games: For games against AI, only the difficulty level and result are transmitted to the server (for statistics). No personal data is processed.
Player tokens are randomly generated per game and do not enable cross-session identification.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — required for providing the online chess game.
Referral Program
The app includes a referral program through which players can invite other players. How it works:
- Each player receives a locally generated 6-character alphanumeric referral code (e.g., "A1B2C3").
- Deferred deep linking: When someone clicks a referral link on the website, the visitor's IP address is MD5-hashed server-side and stored together with the referral code for a maximum of 24 hours. This serves to associate the website click with a subsequent app installation.
- Association on app launch: On first launch, the app checks via the (server-side hashed) IP address whether a matching referral code exists. If a match is found, the entry is deleted.
- Activation: After completing a full game (at least 10 moves), the referral is marked as activated. The server records which referral IDs have already been activated (flag to prevent double-counting) and an activation counter per referrer code.
Stored data: No names, email addresses, or user accounts are collected — only random 6-character codes and MD5-hashed IP addresses.
Note: MD5-hashed IP addresses may still qualify as personal data under the GDPR. The 24-hour deletion period and the singular purpose (code association during installation) minimize the impact on your privacy.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — required for associating referrals without user accounts.
App Analytics with Firebase Analytics
We use Firebase Analytics, an analytics service by Google, to better understand app usage and improve the app.
- Collected data: Anonymized usage events (e.g., game start, game end, tutorial completion), device type, app version, and operating system. No personal data such as names, email addresses, or user accounts is collected.
- Data processing: Data is processed by Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) under a data processing agreement on EU servers.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — improving the app and optimizing user outreach.
- Opt-out: You can disable analytics in your device settings (iOS: Settings > Privacy > Analytics; Android: Settings > Google > Ads).
What We Do Not Process
- No user accounts: The app does not require registration — no email addresses, no names, no passwords.
- No third-party advertising or ad tracking: No ad networks, no ads, no ad tracking.
- No sharing with third parties: Data is not sold, transmitted, or disclosed to third parties.
- No profiling: No automated decision-making or profiling.
- No cookies: Neither the app nor the website uses cookies.
- Purely local push notifications: The app can display optional reminders. These are scheduled entirely locally — no push tokens are transmitted to a server.
Contact
When contacting us (e.g., by email), the information provided by the inquiring person is processed as necessary to respond to the inquiry.
- Processed data types: Contact data (email address, possibly name); content data (your message).
- Affected individuals: Communication partners.
- Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Changes and Updates
We kindly ask you to regularly review the content of our privacy policy. We adjust the privacy policy whenever changes to the data processing we perform require it. We will inform you if any changes necessitate your action (e.g., consent) or any other individual notification.
If we provide addresses and contact information in this privacy policy, please note that these may change over time, and we recommend verifying the details before contacting us.
This is a translation of the German privacy policy. In case of discrepancies, the German version at https://realtimechess.intercyloon.de/privacy_de.html shall prevail.