This is a translation of this document, from French to English language.

Last updated: March 07, 2021

Lichess.org ("LICHESS") is an online chess site. As a player in the digital economy, we are particularly concerned with the protection of the personal data of our users.

You will find below the LICHESS Privacy Policy - the explanation of our practices and our commitments with regard to the processing of your personal data.

We implement a process of continuous improvement of our compliance with the general data protection regulations (GDPR) as well as with the law n ° 78-17 of January 6, 1978 known as the "Data Protection Act" to ensure the best level of protection to your personal data. For any information on the protection of personal data, you can also consult the website of the National Commission for Computing and Liberties (CNIL) www.cnil.fr.

Being aware of the importance of clear and transparent information in this area, we have included various tables to help you better understand and exercise your rights.

Who is responsible for processing your personal data?

The controller is, within the meaning of the GDPR, the entity that defines for what purpose(s) and how your personal data is used.

The data controller is Lichess.org, an association governed by the Law of Associations of July 1, 1901, whose head office is located at Mr. Lucas Bonnet, 9 rue Flachet in Villeurbanne (69100). This means that we are your point of contact for any questions or concerns relating to the collection and use of this data. You can write to us at gdpr@lichess.org.

LICHESS notably publishes the website https://lichess.org/ which promotes the teaching and practice of chess without advertising. Use of the site is also completely free.

As part of our activities, we may collect and process personal data relating to our users. These different data processing operations are detailed in this Privacy Policy.

What data is collected about you and for what reasons?

1. Connection to the lichess.org site

When you connect to the lichess.org site, a certain amount of data is automatically collected by the site host concerning your terminal (such as a computer, smartphone or tablet) and your browser. This particularly includes your IP address.

This data is collected for the purpose of ensuring the connection between your terminal and the site's servers, as well as to subsequently detect bugs (a bug is a design flaw in a computer program which causes a malfunction) and attempted cyber attacks.

The collection and processing of this data are thus justified by LICHESS's legitimate interest in providing a functional, secure site suitable for the various types of terminals and browsers on the market, in accordance with article 6.1.f of the GDPR. .

These data are kept for one year following their collection, then for the applicable limitation period for the purposes of managing the disputes described in point 7. below.

2. Creation of an account and management of registered users

Information needed to create an account and manage registered users: we collect the information you provided to us when you registered, such as your last name, first name, email address and username. In order to ensure the proper monitoring of our relationship as well as your relationship with other users and to manage the various aspects of these relationships (including competitions and results), we also keep a copy of our written exchanges as well as public messages or those which you exchanged with other users of the site.

This data processing allows LICHESS to ensure the management of its registered users and is justified by the execution of the contract to which you are a party, namely the LICHESS Terms of Service, in accordance with article 6.1.b of the GDPR.

These data are kept for the duration of the contract, then for the applicable limitation period for the purposes of managing the disputes described in point 7. below.

Optional information for creating an account and managing registered users: we also collect any optional information you provide to us to complete your profile, such as your FIDE title.

This data processing is based on your consent, in accordance with Article 6.1.a of the GDPR.

This data is kept until you withdraw your consent, then for the applicable limitation period for the purposes of managing disputes described in point 7. below.

Session cookies: LICHESS also uses session cookies. These cookies temporarily store the information you have given us and thus allow us to track your movements from one page to another without asking you again for this information to authenticate you.

This data processing is based on LICHESS's legitimate interest in improving the browsing experience on its site, in accordance with Article 6.1.f of the GDPR.

These data are kept for the duration of the browsing session. You can configure these cookies from your browser settings.

3. Technical support

When you ask us to resolve a technical problem, we collect a certain amount of information such as your name, first name, email address and username, the date and time of your request, as well as the circumstances of the reported problem.

In addition, it may occur that our moderators need to access your account to see a problem or take an action on your behalf that you have requested.

This data processing is justified by LICHESS's legitimate interest in offering technical support to its users, in accordance with Article 6.1.f of the GDPR.

This data is kept until the problem is resolved, then for the applicable limitation period for the purposes of managing disputes described in point 7. below.

4. Improvement of our services

We use data relating to the use of our teaching and chess services to evolve these services in such a way that they are always more effective for our users.

The data processed for this include navigation data of users on our services.

This data processing is justified by LICHESS's legitimate interest in developing and improving its services, in accordance with Article 6.1.f of the GDPR.

We only keep this data for as long as necessary for the analysis allowing us to identify areas for improving our services.

5. Fraud prevention

In order to prevent fraud on our site and in particular the multiplication of accounts, we collect a certain amount of information such as your last name, first name, email address and username.

This data processing is based on LICHESS's legitimate interest in preventing and combating fraud on its site, in accordance with Article 6.1.f of the GDPR.

These data are kept for one year following their collection, then for the applicable limitation period for the purposes of managing the disputes described in point 7. below.

6. Donations and purchases of goods

• If you donate to our association or purchase goods from our online stores, we will collect your email address, the amount and the transaction number.

This data processing is justified by the execution of the contract, namely the transaction, in accordance with Article 6.1.b of the GDPR.

This data is kept until full payment is made, then for the applicable limitation period for the purposes of managing disputes described in point 7. below.

• With your consent, we will publish your username and the amount of your donation on our site, in the interests of transparency.

This data processing is based, on your consent, in accordance with Article 6.1.a of the GDPR.

This data is kept until you withdraw your consent, then for the applicable limitation period for the purposes of managing disputes described in point 7. below.

7. Litigation management (possible or current)

We will be likely to keep any data the conservation of which seems necessary or useful to us to prevent a dispute and to manage any litigation or pre-litigation.

We will use it, where appropriate, to prevent, initiate or respond to a dispute of this type, whether or not you are a party to this dispute (for example a dispute relating to the use of our services).

This retention is justified by LICHESS's legitimate interest in protecting and defending its rights and interests, including in court, in accordance with Article 6.1.f of the GDPR.

We will thus keep all relevant data from a probationary point of view for the legally applicable limitation period, i.e. in principle 5 years (civil limitation under common law).

8. Compliance with a legal obligation

We are likely to keep any data the retention of which appears necessary to us to comply with our legal obligations, for the time necessary to comply with these obligations.

This retention is justified by compliance with a legal obligation to which LICHESS is subject, in accordance with Article 6.1.c of the GDPR.

We will keep this data for one year, then for the legally applicable limitation period according to the legal obligations concerned.

9. Further processing of data for statistical purposes

In order to maintain statistics relating to the games that took place on the lichess.org site and in particular to allow you to know your history of the games played as well as your ranking, we will keep your username and other non-personal information, such as party metadata.

This further processing is compatible with the initial collection of your username, justified by the execution of the contract in accordance with Article 6.1.b of the GDPR as indicated in point 2 above, in accordance with recital 50 and Articles 5 and 89 of the GDPR.

Summary table

markdown
Data collected | Purposes (intended or possible use of data) | Justification of the purpose under the GDPR | Maximum data retention period in a form that allows you to be identified
--- | --- | --- | ---
Information relating to your Internet browser and your terminal (HTTP request) | Connection to the lichess.org site; detection of bugs and attempted cyber attacks | Legitimate interest of LICHESS (article 6.1.f) GDPR) | 1 year following data collection, then legally applicable limitation period (in principle 5 years)
Identification data | Creation of an account and management of registered users (mandatory information) | Execution of the contract (article 6.1.b) GDPR) | During the term of the contract, then legally applicable limitation period (in principle 5 years)
Identification data | Creation of an account and management of registered users (optional information) | Consent (article 6.1.a) GDPR) | Until withdrawal of consent, then legally applicable limitation period (in principle 5 years)
Identification data | Improved browsing experience for registered users (collection of information through session cookies) | Legitimate interest of LICHESS (article 6.1.f) GDPR) | The duration of the browsing session, subject to the configuration of these cookies by the user
Identification data | Technical support | Legitimate interest of LICHESS (article 6.1.f) GDPR) | Until the technical problem is resolved then the legally applicable limitation period (in principle 5 years)
Identification data | Improvement of services | Legitimate interest of LICHESS (article 6.1.f) GDPR) | Time needed to identify avenues for improving services then legally applicable limitation period (in principle 5 years) (retention as evidence for possible litigation)
Identification data | Fraud prevention | Legitimate interest of LICHESS (article 6.1.f) GDPR) | 1 year following data collection, then legally applicable limitation period (in principle 5 years)
Identification and payment data | Donations and Purchase of Goods | Execution of the contract (article 6.1.b) GDPR) | Until full payment, then legally applicable limitation period (in principle 5 years)
Identification data | Publication of username and donation amount for transparency | Consent (article 6.1.a) GDPR) | Until withdrawal of consent, then legally applicable limitation period (in principle 5 years
Identification data | Litigation management | Legitimate interest of LICHESS (article 6.1.f) GDPR) | Legally applicable limitation period (in principle 5 years)
Identification data | Compliance with a legal obligation | LICHESS legal obligation (article 6.1.c) GDPR) | 1 year, then legally applicable limitation period according to the legal obligations concerned
Username | Statistical purposes | Performance of the contract (articles 5, 6.1.b), 89 and recital 50 GDPR) | Time required to keep statistics

As an association, we strive to put all technical and organizational measures in place to achieve the retention periods set out above.

In any case, you remain in control of your data through the right to erasure mentioned below. We will notify you when a request for erasure does not comply with our legal obligations.

Who has access to your data?

Your data is hosted by a secure professional service provider, on servers located in the European Union. LICHESS teams, moderators and employees are likely to access it within the framework and the limits of their functions.

Some of your data may also be viewed or at least hosted by the following people and organizations:

Technical service providers assisting LICHESS for the maintenance and development of the lichess.org site;

LICHESS legal advisers, accounting firms and lawyers;

Chess game database editing services, which aggregate public games;

Payment service providers and banking establishments used by LICHESS in connection with its collection of donations.

These providers are all located in the European Union or the United States. Transfers made in the United States are done by our subcontractors who are well-known service providers making every effort to offer the appropriate guarantees to supervise these transfers.

On this point, we are closely following the analyses of the European Data Protection Supervisor (EDPS) and the CNIL following the recent invalidation of the Privacy Shield, the mechanism which ensured the compliance of data transfers to the United States.

Regarding your donations that you have authorized us to publish for the sake of transparency, all users can consult them from this table.

What rights do you have to control the processing of your personal data?

You have, like any other person whose personal data we collect and process, a number of rights provided for by the regulations.

You will find the details below, followed by a summary table.

You can exercise these rights simply by writing directly to the following email address: gdpr@lichess.org.

Remember to clearly indicate in your e-mail the nature of the right you wish to exercise and the reasons which justify, if applicable, your request to exercise this right.

1. Right of access

You can ask us for confirmation that personal data concerning you is or is not being processed and, when it is, access to such data. You can access your personal data via this link, by being logged in: https://lichess.org/account/personal-data.

As such, you have the right to ask us for a copy of the personal data we have about you, in an easily understandable format, as well as a copy of this Policy on a durable medium.

2. Right to rectification

You can ask us to correct, complete or update the data we have about you, if it seems to you to be inaccurate, incomplete or obsolete.

In this case, we thank you for kindly communicating to us spontaneously, as far as possible, the new information necessary to proceed to the correction, completion or update requested.

3. Right to withdraw consent

With regard to processing based on your consent, you can withdraw this consent at any time, without justification. Withdrawal of your consent results in the cessation of processing in the future.

4. Right of objection

Data processing based on the legitimate interest of LICHESS: with regard to the data processing listed above which is justified by the legitimate interests of LICHESS, you have the right to oppose it for reasons relating to your particular situation.

In other words, you can ask LICHESS to stop one and / or the other of these treatments with regard to you, by setting out the specific reasons which justify this request.

However, it may happen that LICHESS refuses to respond to your request, if the continuation of this processing is necessary for legitimate and compelling reasons from our point of view (for example: if the data concerned are necessary for the protection and defence of LICHESS's rights in court or for public information reasons).

Data processed for statistical purposes: with regard to data processing for statistical purposes, you have the right to oppose it for reasons relating to your particular situation, unless the processing is necessary for the performance of a mission of public interest.

The opposition (if it is based on valid reasons and there is no compelling legitimate reason or the processing is not necessary for the performance of a task of public interest) will result in the termination processing for the future, but not necessarily destruction of the data concerned: to obtain this destruction, you must exercise your right to erasure under the conditions described below, it being specified that the latter is subject to limitations, set out below after.

5. Right to erasure

You can ask us to delete all or part of the data we have about you, provided that at least one of the following conditions is met:

The data concerned no longer appears necessary for any of the purposes previously explained;

You have withdrawn your consent in accordance with point 3. above;

You have objected to the continuation of this processing in accordance with point 4. above, and furthermore want LICHESS to destroy the data concerned;

You consider that your personal data have been the subject of unlawful processing by LICHESS;

The data concerned must be erased as a legal obligation;

The data concerned relates to a person who was younger than fifteen (15) years old when the data was collected.

Please note, however, that LICHESS is entitled to oppose the deletion of certain data, when their retention is necessary for particularly important reasons, such as the protection and defence of its interests in court.

In addition, we may choose, instead of deleting the data, to proceed with their complete and irreversible anonymization. In this way, we will be entitled to keep this data in a format that no longer allows you to be identified (for example: for statistical purposes).

6. Right to restriction of processing

Failing, for example, to exercise your right to erasure, you can also ask LICHESS to “set aside” or “freeze” certain data concerning you, that is to say to keep this data separately, without using them anymore (except legal obligations).

You can make such a request when at least one of the following conditions is met:

The data concerning you appears to be inaccurate to you, and you prefer that LICHESS stops using it, until the data is verified and corrected if necessary.

You consider that your personal data have been the subject of unlawful processing by LICHESS, but you choose to limit its use rather than delete them;

The data concerned are no longer necessary for any of the purposes set out above, but you want LICHESS to keep them anyway for the purposes of defending your legal interests;

You have exercised your right of opposition in accordance with point 4. above, and you prefer that LICHESS cease using the data concerned while it is time to verify the merits of your opposition.

In these cases, we will "freeze" the data for the necessary time, for example by means of a "Do not use - Right to limitation exercised" marking.

7. Right to data portability

You can ask us to send you a copy of the data collected on the basis of your consent, allowing their reuse by you or another service provider.

This "right to portability" differs from the right of access mentioned in point 1. above in that its purpose is not to obtain a copy that is necessarily readable by yourself, but a reusable copy of the data. , in particular with a view to a change of service provider.

8. Right to define directives relating to the fate of your data after your death

Finally, you have the right to tell us how you want us to deal with your data in the unfortunate event of your death.

In particular, you can ask us to proceed with the destruction of all your data (subject to imperative conservation needs that we may have, for example for the purposes of defending LICHESS's rights in court), or to transmit a copy of all this data to the person of your choice.

You can also designate any person of your choice to be responsible for the execution of these "last wishes"; this person does not necessarily have to be one of your heirs or even the executor in charge of your estate.

Summary table

markdown
Your rights | What they let you get | Processing / data concerned | Conditions, exceptions or limitations
--- | --- | --- | ---
**Right of access** | A readable and understandable copy of the data LICHESS has about you, as well as a durable copy of this Policy | All | Clearly state the right of access request. Limits: unfounded or excessive demand; rights and freedoms of others
**Right of rectification** | Rectification, update or completion of data concerning you | All | Clearly indicate the data to be corrected, completed or updated, as well as new data if necessary
**Right to withdraw consent** | Discontinuation of Treatment for the Future | Processing based on your consent | None
**Right of opposition** | Stopping the processing of your data for the future | Processing based on a legitimate interest of LICHESS | State the reasons relating to your particular situation which justify the cessation of treatment. Limits: legitimate and compelling reasons (processing based on legitimate interest); processing necessary for the performance of a task of public interest (statistics); consent
**Right to erasure** | The deletion of your data, or their complete and irreversible anonymization | All | Limits: freedom of expression and information; legal obligation ; statistical purposes; establishment, exercise or defense of legal claims
**Right to restriction of processing** | Retention of your data without further use | All | Limits: use of data only in the following cases: agreement; establishment, exercise or defense of legal claims; protection of the rights of another person; important reasons of public interest
**Right to data portability** | A copy of your data in a reusable computer format | Data collected on the basis of your consent | Clearly indicate, if applicable, the identity of the person or organization to whom you want LICHESS to send a copy of the data
**Right to define directives relating to the fate of your data after your death** | Respect for your "last wishes" with regard to your personal data (for example: deleting them or transmitting them to any person of your choice) | All | Clearly indicate the people responsible for monitoring the proper execution of your directives, who will be our contacts after your death

Do you feel that we have not responded satisfactorily to your request, or that we are processing your data unlawfully?

In the first instance, we kindly invite you to directly contact LICHESS, so that we discuss the problem together, and try to solve it together in the best possible way. You can write to us at gdpr@lichess.org.

If you wish, however, you have the right to contact the competent authority for data protection in France, namely the CNIL, via its website www.cnil.fr or by post to the following address: CNIL - 3, Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.

This right can be exercised at any time and does not incur any costs for you, apart from the costs of sending the postal mail if applicable, and the possible costs of assistance or representation if you choose to be assisted in this procedure by a third party.