This is a translation of this document, from French to English language.

Last updated: January 7th, 2021

lichess.org ("LICHESS") is an online chess site. As a player in the digital economy, we are particularly concerned with the protection of the personal data of our users.

You will find below the LICHESS Privacy Policy, in other words the explanation of our practices and our commitments with regard to the processing of your personal data.

We implement a process of continuous improvement of our compliance with the general data protection regulations (GDPR) as well as with the law n ° 78-17 of January 6, 1978 known as the "Data Protection Act" to ensure the best level of protection to your personal data. For any information on the protection of personal data, you can also consult the website of the National Commission for Computing and Liberties (CNIL) www.cnil.fr.

Aware of the importance of clear and transparent information in this area, we have included various tables to help you better understand and exercise your rights.

Who is responsible for processing your personal data?

The controller is, within the meaning of the GDPR, the entity that defines how your personal data is used, and for what purposes.

The data controller is Lichess.org, an association governed by the law of July 1, 1901, whose head office is located at Mr. Lucas Bonnet, 9 rue Flachet in Villeurbanne (69100). This means that we are your point of contact for any questions or concerns regarding the collection and use of this data. You can write to us at gdpr@lichess.org.

LICHESS notably publishes the website https://lichess.org/ which promotes the teaching and practice of chess without advertising. Use of the site is also completely free.

As part of our activities, we may collect and process personal data relating to our users. These different data processing operations are detailed in this Privacy Policy.

What data is collected about you and for what reasons?

1. Connection to the lichess.org site

When you connect to the lichess.org site, a certain amount of data is automatically collected by the site host concerning your terminal (computer, smartphone, tablet) and your browser. This includes in particular your IP address.

This data is collected for the purpose of ensuring the connection between your terminal and the site's servers, as well as subsequently to detect bugs (a bug is a design flaw in a computer program that causes a malfunction) and cyberattack attempts.

The collection and processing of this data are thus justified by LICHESS's legitimate interest in providing a functional, secure site suitable for the various types of terminals and browsers on the market, in accordance with article 6.1.f) of the GDPR.

2. Service registration

We collect the information you provided to us when you registered such as your last name, first name, email address, username, FIDE title or any other optional information that you have provided to us to complete your profile.

All this data is kept as part of your use of our services or until your consent is withdrawn with regard to the optional information that you have provided to us, then for the applicable limitation period for the purposes of managing disputes described under the point 9. below.

This data processing is based, for optional information, on your consent, in accordance with Article 6.1.a) of the GDPR and, for other information, justified by LICHESS's legitimate interest in managing its registered users, as well as to avoid the multiplication of accounts, in accordance with article 6.1.f) of the GDPR.

In addition, when you are registered for the service, the lichess.org site uses session cookies. These cookies temporarily store the information you have given us and thus allow us to track your movements from one page to another without asking you again for this information to authenticate you.

This data processing is based on LICHESS's legitimate interest in improving the browsing experience on its site, in accordance with Article 6.1.f) of the GDPR.

You can configure these cookies from your browser settings.

3. User management

In order to ensure the proper monitoring of our relationship as well as your relationship with other users and to manage the various aspects of these relationships (including competition and results), we collect a certain amount of information such as your last name, first name and email address. We also keep a copy of our written exchanges as well as private or public messages that you can exchange with other users of the site.

All this data is kept as part of your use of our services, then for the applicable limitation period for the purposes of managing the disputes described in point 9. below.

This data processing is justified by LICHESS's legitimate interest in managing its users, in accordance with Article 6.1.f) of the GDPR.

4. Technical support

When you ask us to resolve a technical problem, we collect a certain amount of information such as your name, first name, email address and username, the date and time of your request, as well as the circumstances of the reported problem.

In addition, it may happen that our moderators need to access your account to see a problem or take action for you.

This data is kept until the problem is resolved, then for the applicable limitation period for the purposes of managing the disputes described in point 9. below.

This data processing is justified by LICHESS's legitimate interest in providing technical support to its users, in accordance with Article 6.1.f) of the GDPR.

5. Improvement of our services

We use data relating to the use of our teaching and chess services to evolve these services in such a way that they are always more effective for our users.

The data processed for this include navigation data of users on our services.

We only keep this data for as long as necessary for the analysis allowing us to identify areas for improving our services.

This data processing is justified by LICHESS's legitimate interest in developing and improving its services, in accordance with Article 6.1.f) of the GDPR.

6. Donations

If you make a donation for the benefit of our association, we will collect, with your agreement, your email address, the amount and the number of the transaction in order to publish on our site your username and the amount of your donation, in a concern for transparency.

This data processing is based, on your consent, in accordance with Article 6.1.a) of the GDPR.

7. Litigation management (possible or current)

We will likely keep any data where conservation of such data appears necessary or useful to us to prevent a dispute and to manage any litigation or pre-litigation.

We will use it, where appropriate, to prevent, initiate or respond to a dispute of this type, whether or not you are a party to this dispute (for example a dispute relating to the use of our services).

This retention is justified by LICHESS's legitimate interest in protecting and defending its rights and interests, including in court, in accordance with Article 6.1.f) of the GDPR.

We will thus keep all relevant data from a probationary point of view for the legally applicable limitation period, in principle 5 years (civil limitation under common law).

8. Compliance with a legal obligation

We will likely keep any data where conservation of such data appears necessary or useful to us to comply with our legal obligations, for the time necessary to comply with these obligations.

This retention is justified by compliance with a legal obligation to which LICHESS is subject, in accordance with Article 6.1.c) of the GDPR.

9. Summary table

markdown
Data collected | Purposes (intended or possible use of data) | Justification of the purpose under the GDPR | Maximum data retention period in a form that allows you to be identified
--- | --- | --- | ---
Information relating to your Internet browser and your terminal (HTTP request) | Allow your connection to the lichess.org site; detect bugs and attempted cyber attacks | Legitimate interest of LICHESS (article 6.1.f) RGPD) | 1 year following data collection, then legally applicable limitation period (in principle 5 years) (retention as evidence for possible litigation)
Identification data | Management of registered users | Consent (article 6.1.a) GDPR) for optional information; Legitimate interest of LICHESS (article 6.1.f) RGPD) for other information and session cookies | 1 year following data collection, subject to withdrawal of consent for optional information, then legally applicable limitation period (in principle 5 years) (retention as evidence for possible litigation); The time of the browsing session for session cookies
Identification data | User management | Legitimate interest of LICHESS (article 6.1.f) RGPD) | 1 year following data collection, then legally applicable limitation period (in principle 5 years) (retention as evidence for possible litigation)
Technical support data | Technical support | Legitimate interest of LICHESS (article 6.1.f) RGPD) | Resolution of the technical problem then legally applicable limitation period (in principle 5 years) (retention as evidence for a possible dispute)
Data related to service improvement | Improvement of services | Legitimate interest of LICHESS (article 6.1.f) RGPD) | Time needed to identify avenues for improving services then legally applicable limitation period (in principle 5 years) (retention as evidence for possible litigation)
Donation data | Transparency | Consent (article 6.1.a) GDPR) | Duration of the fiscal year, subject to withdrawal of consent
All data appearing relevant for the management of a dispute, litigation or pre-litigation | Litigation, litigation and pre-litigation management | Legitimate interest of LICHESS (article 6.1.f) RGPD) | Legally applicable limitation period (in principle 5 years)
Identification data | Compliance with a legal obligation | LICHESS legal obligation (article 6.1.c) RGPD) | 1 year, then legally applicable limitation period according to the legal obligations concerned

As an association, we strive to put all technical measures in place to achieve the retention periods set out above.

In any case, you remain in control of your data through the right to erasure mentioned below. We will notify you when a request for erasure does not comply with our legal obligations.

Who has access to your data?

Your data is hosted by a secure professional service provider, on servers located in the European Union. LICHESS teams, moderators and employees are likely to access it within the framework and the limits of their functions.

Some of your data may also be viewed or at least hosted by the following people and organizations:

Technical service providers assisting LICHESS for the maintenance and development of the lichess.org site;

LICHESS legal advisers, accounting firms and lawyers;

Payment service providers and banking establishments used by LICHESS in connection with its collection of donations.

These providers are all located in the European Union or the United States. Transfers made in the United States are done by our subcontractors who are well-known service providers making every effort to offer the appropriate guarantees to supervise these transfers.

On this point, we are closely following the analyses of the European Data Protection Supervisor (EDPS) and the CNIL following the recent invalidation of the Privacy Shield, the mechanism which ensured the compliance of data transfers to the United States.

Regarding your donations that you have authorized us to publish for the sake of transparency, all users can consult them from this table.

What rights do you have to control the processing of your personal data?

You have, like any other person whose personal data we collect and process, a number of rights provided for by the regulations.

You will find the details below, followed by a summary table.

You can exercise these rights simply by writing directly to the following email address: gdpr@lichess.org.

Remember to clearly indicate in your email the nature of the right you wish to exercise and the reasons which justify, if applicable, your request to exercise this right.

1. Right of access

You can ask us for confirmation that personal data concerning you is or is not being processed and, when it is being processed, access to such data. You can access your personal data via this link, while logged in: https://lichess.org/account/personal-data.

As such, you have the right to ask us for a copy of the personal data we have about you, in an easily understandable format, as well as a copy of this Policy on a durable medium.

2. Right to rectification

You can ask us to correct, complete or update the data we have about you, if it seems to you to be inaccurate, incomplete or obsolete.

In this case, we thank you for kindly communicating to us spontaneously, as far as possible, the new information necessary to proceed to the correction, completion or update requested.

3. Right to withdraw consent

With regard to processing based on your consent, you can withdraw this consent at any time, without justification. Withdrawing your consent results in the cessation of processing in the future.

4. Right of objection

With regard to the data processing listed above which is justified by the legitimate interests of LICHESS, you have the right to oppose it for reasons relating to your particular situation.

In other words, you can ask LICHESS to stop one and / or the other of these treatments with regard to you, by setting out the specific reasons which justify this request.

However, it may happen that LICHESS refuses to respond to your request, if the continuation of this processing is necessary for compelling reasons from our point of view (for example: if the data concerned are necessary for the protection and defense of the rights of LICHESS in court).

The opposition (if it is based on valid reasons and there are no compelling reasons against it) will result in the cessation of processing for the future, but not necessarily the destruction of the data concerned: to obtain this destruction, you must exercise your right to erasure under the conditions described below, it being specified that the latter is subject to limitations, for example, again, with the need to keep the data for the protection and defense of LICHESS's interests in court.

5. Right to erasure

You can ask us to delete all or part of the data we have about you, provided that at least one of the following conditions is met:

The data concerned no longer appears necessary for any of the purposes previously explained;

You have withdrawn your consent in accordance with point 3. above, and this data is not processed for any purpose other than that for which you have withdrawn your consent;

You have objected to the continuation of this processing in accordance with point 4. above, and furthermore want LICHESS to destroy the data concerned;

You consider that your personal data have been the subject of unlawful processing by LICHESS;

The data concerned must be erased as a legal obligation;

The data concerned relate to a person who was less than fifteen (15) years old when the data was collected.

Please note, however, that LICHESS is entitled to oppose the deletion of certain data, when their retention is necessary for particularly important reasons, such as the protection and defense of its interests in court.

In addition, we may choose, instead of deleting the data, to proceed with their complete and irreversible anonymization. In this way, we will be entitled to keep this data in a format that no longer allows you to be identified (for example: for statistical purposes).

6. Right to restriction of processing

Failing, for example, to exercise your right to erasure, you can also ask LICHESS to "set aside" certain data concerning you, that is to say to keep these data separately, without using them any longer. (except legal obligations).

You can make such a request when at least one of the following conditions is met:

The data concerned appear to you to be inaccurate, and you prefer that LICHESS stop using them in time to verify them and correct them if necessary.

You consider that your personal data have been the subject of unlawful processing by LICHESS, but you choose to limit their use rather than delete them;

The data concerned are no longer necessary for any of the purposes set out above, but you want LICHESS to keep them anyway for the purposes of defending your legal interests;

You have exercised your right of opposition in accordance with point 4. above, and you prefer that LICHESS cease using the data concerned while it is time to verify the merits of your opposition.

In these cases, we will put the data "in quarantine" for the necessary time, for example by means of a "Do not use - Right to restriction exercised" marking.

7. Right to data portability

You can ask us to send you a copy of the data collected on the basis of your consent, allowing their reuse by you or another service provider.

This "right to portability" differs from the right of access mentioned in point 1. above in that its purpose is not to obtain a copy that is necessarily readable by yourself, but a reusable copy of the data. , in particular with a view to a change of service provider.

8. Right to define directives relating to the fate of your data after your death

Finally, you have the right to tell us how you want us to deal with your data in the unfortunate event of your death.

In particular, you can ask us to proceed with the destruction of all your data (subject to imperative conservation needs that we may have, for example for the purposes of defending LICHESS's rights in court), or to transmit a copy of all this data to the person of your choice.

You can also designate any person of your choice to be responsible for the execution of these "last wishes"; this person does not necessarily have to be one of your heirs or even the executor in charge of your estate.

9. Summary table

markdown
Your rights | What they let you get | Processing / data concerned | Conditions, exceptions or limitations
--- | --- | --- | ---
**Right of access** | A readable and understandable copy of the data LICHESS has about you, as well as a durable copy of this Policy | All | Limits: unfounded or excessive demand; rights and freedoms of others
**Right of rectification** | Rectification, update or completion of data concerning you | All | Clearly indicate the data to be corrected, completed or updated, as well as new data if necessary
**Right to withdraw consent** | Discontinuation of Treatment for the Future | Processing based on your consent | Any
**Right of opposition** | Stopping the processing of your data for the future | Processing based on a legitimate interest of LICHESS | State the reasons relating to your particular situation which justify the cessation of treatment
**Right to erasure** | The deletion of your data, or their complete and irreversible anonymization | All | See the relevant assumptions in the text above
**Right to restriction of processing** | Retention of your data without further use | All | See the relevant assumptions in the text above
**Right to data portability** | A copy of your data in a reusable computer format | Data collected on the basis of your consent | Clearly indicate, if applicable, the identity of the person or organization to whom you want LICHESS to send a copy of the data
**Right to define directives relating to the fate of your data after your death** | Respect for your "last wishes" with regard to your personal data (for example: deleting them or transmitting them to any person of your choice) | All | Clearly indicate the people responsible for monitoring the proper execution of your directives, who will be our contacts after your death

Do you consider that we have not responded satisfactorily to your request, or that we are processing your data unlawfully?

We invite you of course first of all to get closer to LICHESS, so that we discuss the problem together, and try to solve it together in the best possible way. You can write to us at gdpr@lichess.org.

If you wish, however, you have the right to contact the competent authority for data protection in France, namely the CNIL, via its website www.cnil.fr or by post to the following address: CNIL - 3, Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.

This right can be exercised at any time and does not incur any costs for you, apart from the costs of sending the postal mail if applicable, and the possible costs of assistance or representation if you choose to be assisted in this procedure by a third party.