Privacy Policy

Last updated: 2 June 2026

In short: Schackappen is built around data minimisation. To make the school and family services work we store a limited amount of data — all storage takes place within the EU. For a student we only store the first name and chosen avatar, never an email address, surname or personal identity number. We show no ads, use no tracking cookies, and never sell data.

Who is the data controller?

Schackappen is run by Ulf Austin Cato, Sweden. For questions about this policy or your data, contact ulf@schackappen.se.

When a school uses Schackappen, the school is the data controller for its students' data, and Schackappen is the data processor that handles the data on the school's behalf. We sign data processing agreements (DPAs) with schools that require one.

What data do we collect?

We only collect what is needed for the service to work, and it differs depending on who you are:

About the student (child):

First name (chosen by the teacher or the student)
Chosen avatar/figure
Gameplay statistics: rating (ELO), number of games, wins, completed sagas and lessons, stars, and when the student was last active

The student logs in with a class code and a personal PIN from the teacher — no email, no surname and no personal identity number. We never ask children for contact details.

About the teacher or principal (adult):

Name and email address (for account and login)
Role (teacher or principal) and which school and classes they belong to
Passwords are never stored in plain text — they are handled securely (hashed) by our authentication provider

About the school:

The school's name and a contact email
Subscription and payment status (payments are handled by Stripe — we never store card numbers)
Email addresses of teachers invited to the school

Where is the data stored?

All storage of personal data takes place with the following providers (our processors/sub-processors), and within the EU:

Supabase — database and authentication. Servers within the EU.
Netlify — hosting that delivers the website and the apps.
Stripe — payments (activated during 2026). Handles payment data; we never see or store card numbers.

We have or are entering into data processing agreements (DPAs) with these providers. No personal data is transferred to third countries outside the EU/EEA.

Legal basis

We process data to deliver the service (performance of a contract with the school or family) and to keep it secure and functional (legitimate interest). For school students' data we process it on the school's behalf under a DPA.

No ads, no tracking

No ads and no advertising pixels
No third-party tracking cookies (only necessary cookies for login)
No analytics tracking such as Google Analytics
We never sell or share data for marketing

Children are not a target to monetise. We do not profile students for marketing.

External resources

The website and apps currently load some resources from external sources (fonts, chess piece images and the chess.js library). These sources can see your IP address when the resources are fetched, just like with any website visit. We send no personal information to them, and we are working to move these resources to our own servers to minimise even this.

How long is data kept?

Data is kept for as long as the account, class or school is active. When a student, class or school is removed, the associated data is deleted. You can request deletion at any time — for student data this is normally done via the school.

Your rights

Under the GDPR you have the right to request access to, rectification of, erasure of and portability of your data, and to object to certain processing. Contact us at ulf@schackappen.se. If it concerns a student's data, please contact the school first, as it is the data controller.

Security

Access to data is controlled so that a teacher only sees their own classes and students (row-level security in the database). We rate-limit and log login attempts to protect against misuse.

Children and minors

The service is built for children with data minimisation as a principle: only first name and avatar, no contact information and no profiling. Parents and schools can let children use Schackappen without worrying about ads, tracking or sale of data.

Supervisory authority

If you believe we process your data incorrectly, you can contact the Swedish Authority for Privacy Protection (IMY), imy.se.

Changes to this policy

If the policy is updated, the new version is published on this page with a new date above.

Contact
Questions about your data? Write to ulf@schackappen.se

← Back to Schackappen