1. What we collect
When you create an account on ChessPD we collect your name, email address, mobile number, and a password (stored only as a one-way bcrypt hash with cost factor 12, never in plain text). If you sign in with Google we receive your name, email, and Google account id from Google's OAuth server in addition to the above.
When you create a tournament workspace we collect the tournament name, dates, location, the prize pool description, and the player roster you upload (player names, ratings, ages, federation ids, and other fields you choose to include in your XLSX file). When you purchase event credits we collect the amount, the UPI transaction id you supply, the payment screenshot you upload, and an optional GSTIN.
Web-server access logs capture your IP address, browser user-agent, and the URL you requested, for the purpose of security monitoring, abuse prevention, and capacity planning. These logs are retained for ninety days and then automatically deleted.
2. Why we collect it
Account fields (name, email, mobile, password hash) let us authenticate you, send you order receipts, send tournament-event reminders, and let our admin team reach you for payment verification or support. Your email address is also used for transactional emails such as password reset, email verification, and pack-expiry warnings (T-30 / T-7 / T-1 days before unused credits are forfeited).
Tournament and player data is processed solely to compute the prize distribution your tournament asked for. We do not enrich it, sell it, share it with third parties, or use it to train any machine-learning model. The player roster never leaves your tournament workspace and is visible only to you and any teammates you explicitly add.
Payment data (amount, UPI transaction id, screenshot) is used to verify your bundle-pack purchase manually. Once the payment is approved, the screenshot is retained for one year as audit evidence, then automatically deleted.
3. How long we keep it
Account data is retained for as long as your account is active. If you delete your account, all personal data tied to it (name, email, mobile, payment history, tournament workspaces, player rosters) is permanently deleted within thirty days, except for legally required financial records (invoices, GST data), which are retained for the statutory period under Indian law.
If your account becomes inactive (no login for twenty-four months), we send a notice email and, absent a response, schedule the account for deletion. You can request immediate deletion at any time from /account/security or by emailing us at the address in section 9.
Tournament workspaces you do not delete are retained for the lifetime of your account so that you have permanent access to your historical prize distributions, certificates, and exports.
4. Who we share it with
We do not sell your personal data. We do not share it with advertisers. We do not transfer it across borders without your explicit consent. The only third parties who receive your data are sub-processors we use to run the platform itself:
Database hosting (Supabase / PostgreSQL) - stores your account, tournament, and payment rows. Data resides in a region of our choosing within the EU or India; we will publish the exact region once production launches.
Transactional email delivery (Resend) - sends you account, order, and reminder emails; receives only the recipient email and the rendered email body.
Object storage (Supabase Storage) - stores XLSX roster uploads, payment screenshots, and PDF / Excel exports.
Web analytics (privacy-preserving, no cookies, no cross-site tracking) - aggregates anonymous page-view counts. No personal data is sent.
We disclose data to government authorities only when compelled by a valid legal order under Indian law, and then only the specific data the order requires.
5. Cookies and local storage
We use one HTTP-only cookie to keep you signed in (the JWT refresh token; expires fourteen days after your last login). We do not use cookies for advertising, profiling, or cross-site tracking.
We store a small amount of preference data in your browser's localStorage (theme: light or dark; toast dismissal state). This data never leaves your browser and is not associated with your account.
6. Security
We use bcrypt cost-12 password hashing, TLS on every endpoint, parameterised SQL queries to block injection, magic-byte image validation on every upload, and per-IP rate limiting on every authentication, order-create, and password-reset surface.
We follow the principle of least privilege internally: only specifically promoted admin accounts (super_admin staff role) can access cross-account data, and every administrative action is written to an append-only audit log.
Despite these measures, no system is perfectly secure. If you suspect your account has been compromised, change your password immediately at /account/security and notify us at the address in section 9.
7. Your rights
Under the Indian Digital Personal Data Protection Act 2023, you are entitled to: access the personal data ChessPD holds about you; correct it if inaccurate; ask us to delete it; withdraw consent for any processing that depends on consent (with the consequence that the related feature stops working for your account); and complain to the Data Protection Board of India about how we process your data.
To exercise any of these rights, write to us at the address in section 9. We will respond within thirty days. For correction and deletion you can also use the self-service controls on /account/profile and /account/security without contacting us.
8. Changes to this policy
We may update this policy when we add new features that change what data we collect or how we process it, or when Indian law changes. We will notify every active user of material changes by email at least seven days before they take effect.
The current version of this policy is the only one in force. We do not maintain a public changelog because the policy is short enough that the entire current text is always available on this page.
9. Contact
ChessPD is a sole-proprietor product run by Sai Tarun, registered in India. For any privacy-related question, including the rights listed in section 7, write to support@chesspd.com or use the contact form linked below.
For DPDP Act-specific notices, see the dedicated DPDP Statement linked below.
Last updated: 12 June 2026.