Privacy Policy
Last updated: February 24, 2026
1. Data Controller
Bar Blitz, based in Amsterdam, the Netherlands, is the data controller for personal data collected through the Platform at barblitz.co. For any questions regarding your data, contact us at [email protected].
2. What Data We Collect
We collect and process the following categories of personal data:
Data you provide directly
- Account data: first name, last name, username, email address, and password (stored as a secure hash).
- Profile data: profile picture, date of birth, sex, federation, FIDE ID, and FIDE rating (all optional).
- Chess accounts: Lichess and Chess.com usernames (optional).
- Payment data: processed securely by Stripe. We do not store your full credit card details.
Data collected automatically
- Usage data: pages visited, tournament participation, match results, and rating changes.
- Technical data: IP address, browser type, device information, and access timestamps (via server logs).
- Analytics data: anonymised usage statistics via Google Analytics.
Data from third parties
- Google OAuth: if you sign in with Google, we receive your name and email address from your Google account.
- FIDE: publicly available FIDE rating and title data when you link your FIDE ID.
3. Why We Process Your Data
We process your personal data for the following purposes and legal bases under the GDPR:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Tournament registration and management | Contract performance (Art. 6(1)(b)) |
| Processing payments and token transactions | Contract performance (Art. 6(1)(b)) |
| Maintaining ratings and rankings | Legitimate interest (Art. 6(1)(f)) |
| Sending tournament-related notifications | Contract performance (Art. 6(1)(b)) |
| Improving the Platform and fixing bugs | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (e.g. tax records) | Legal obligation (Art. 6(1)(c)) |
| Analytics and website performance | Legitimate interest (Art. 6(1)(f)) |
4. Data Sharing
We share your personal data only in the following circumstances:
- Tournament organisers: your name, username, and rating are shared with tournament organisers for events you register for.
- Public profiles: your username, rating, and tournament history are publicly visible on the Platform. Your email address is never publicly displayed.
- Service providers: we use third-party services to operate the Platform:
  - Stripe (payment processing, based in the US — covered by EU-US Data Privacy Framework)
  - Google (authentication and analytics)
  - Amazon Web Services (hosting and file storage)
  - SendGrid (email delivery)
  - Heroku (application hosting)
- Legal requirements: we may disclose data if required by law, court order, or governmental authority.
We do not sell your personal data to third parties.
5. International Data Transfers
Some of our service providers are based outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:
- EU-US Data Privacy Framework certification (Stripe, Google).
- Standard Contractual Clauses (SCCs) approved by the European Commission.
6. Data Retention
- Account data: retained for as long as your account is active. Upon account deletion, personal data is anonymised within 30 days.
- Tournament and game data: match results and ratings are retained indefinitely in anonymised form to maintain tournament integrity.
- Payment records: retained for 7 years as required by Dutch tax law.
- Server logs: automatically deleted after 90 days.
7. Your Rights Under the GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your personal data, subject to legal retention obligations.
- Right to restrict processing — request that we limit processing of your data in certain circumstances.
- Right to data portability — request your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
8. Cookies
The Platform uses the following types of cookies:
- Strictly necessary cookies: required for authentication, session management, and CSRF protection. These cannot be disabled.
- Analytics cookies: Google Analytics cookies to understand how visitors use the Platform. These are anonymised.
You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may prevent you from using certain features of the Platform.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (HTTPS/TLS) and at rest.
- Secure password hashing (no plaintext passwords are stored).
- Access controls limiting who can view personal data.
- Regular security reviews.
10. Children's Privacy
The Platform is not intended for children under 16 without parental consent. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without appropriate consent, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
For any privacy-related questions or to exercise your data rights, contact us at:
Bar Blitz
Amsterdam, the Netherlands
[email protected]