Schackappen is run by Ulf Austin Cato, Sweden. For questions about this policy or your data, contact ulf@schackappen.se.
When a school uses Schackappen, the school is the data controller for its students' data, and Schackappen is the data processor that handles the data on the school's behalf. We have a data processing agreement (DPA) that governs this, which you can read, print and sign.
We only collect what is needed for the service to work, and it differs depending on who you are:
About the student (child):
The student logs in with a class code and a personal PIN from the teacher — no email, no surname and no personal identity number. We never ask children for contact details.
About the teacher or principal (adult):
About the school:
Personal data is processed with the help of the following providers (our sub-processors):
We have data processing agreements (DPAs) with these providers. Students' and teachers' data is stored within the EU (Supabase). Netlify, Resend and Sentry are US-based providers; such transfers are made under the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses (SCCs). The error monitoring (Sentry) is moreover configured so that no personal data is sent to it. See our data processing agreement for details.
We process data to deliver the service (performance of a contract with the school or family) and to keep it secure and functional (legitimate interest). For school students' data we process it on the school's behalf under a DPA.
We do not profile students for marketing and show no ads.
The website and apps currently load some resources from external sources (fonts, chess piece images and the chess.js library). These sources can see your IP address when the resources are fetched, just like with any website visit. We send no personal information to them, and we are working to move these resources to our own servers to minimise even this.
Data is kept for as long as the account, class or school is active. When a student, class or school is removed, the associated data is deleted. You can request deletion at any time — for student data this is normally done via the school.
Under the GDPR you have the right to request access to, rectification of, erasure of and portability of your data, and to object to certain processing. Contact us at ulf@schackappen.se. If it concerns a student's data, please contact the school first, as it is the data controller.
Access to data is controlled so that a teacher only sees their own classes and students (row-level security in the database). We rate-limit and log login attempts to protect against misuse.
The service is built for children with data minimisation as a principle: only first name and avatar, no contact information and no profiling. Parents and schools can let children use Schackappen without worrying about ads, tracking or sale of data.
If you believe we process your data incorrectly, you can contact the Swedish Authority for Privacy Protection (IMY), imy.se.
If the policy is updated, the new version is published on this page with a new date above.