Privacy Policy

Last updated: 2026-04-08

Računarsko programiranje "EREBUS" s.p. ("we", "us", "our") operates the Chesspoint platform at chesspoint.io. This Privacy Policy explains what personal data we process, on what legal basis, with whom we share it, and what rights you have as a data subject under the EU General Data Protection Regulation (GDPR).

1. Data Controller

The data controller responsible for the processing of your personal data is:

2. Categories of Personal Data We Process

a) Account data

Email address, username, hashed password, date of registration, and preferences. Provided directly by you during signup.

b) Subscription and billing data

Subscription status, start and renewal dates, invoice records, and an opaque transaction identifier returned by our payment processor. We do not store your full card number, CVV, or expiry date — these are handled entirely by Monri WebPay in a PCI DSS compliant environment.

c) Usage data

Lessons accessed, puzzles attempted, training sessions completed, and feature interactions. Used to provide the service and to enforce subscription-gated content limits.

d) Technical and log data

IP address, user agent string, request metadata, and error traces. Used for security, fraud prevention, debugging, and operational stability.

e) Analytics data (optional, consent-based)

If you consent, aggregated page views, navigation flow, approximate location (country/region), and device type. You can withdraw consent at any time via the cookie banner or by clearing your browser storage.

3. Legal Basis for Processing (Art. 6 GDPR)

We process your personal data on the following lawful bases:

• Art. 6(1)(b) — Contractual necessity: Account, subscription, and billing data are processed to perform the contract for provision of the Chesspoint service.

• Art. 6(1)(c) — Legal obligation: Invoices and accounting records are retained for tax and bookkeeping obligations under applicable BiH and EU law.

• Art. 6(1)(f) — Legitimate interests: Security logging, fraud prevention, and diagnostic error reporting are carried out on the basis of our legitimate interest in operating a secure and stable service, balanced against your rights and freedoms.

• Art. 6(1)(a) — Consent: Optional analytics cookies and similar technologies are only activated after you give explicit, informed consent via the cookie banner. Consent can be withdrawn at any time.

4. Processors and Subprocessors

To operate Chesspoint we rely on the following third parties, all of which act as processors under a data processing agreement (Art. 28 GDPR):

Where transfers to third countries outside the EEA are involved, we rely on the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) and, where applicable, the EU-U.S. Data Privacy Framework.

5. Retention Periods

• Account data: retained while your account is active; deleted within 30 days of account deletion, except where retention is legally required.

• Invoice and billing records: retained for up to 11 years to comply with tax and accounting obligations in BiH and the EU.

• Server and security logs: retained for a maximum of 90 days.

• Error monitoring data (Sentry): retained for a maximum of 90 days.

• Analytics data: retained for a maximum of 14 months.

6. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

• Right of access (Art. 15)

• Right to rectification (Art. 16)

• Right to erasure / "right to be forgotten" (Art. 17)

• Right to restriction of processing (Art. 18)

• Right to data portability (Art. 20)

• Right to object (Art. 21)

• Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7(3))

To exercise any of these rights, please contact us at chesspoint.io@gmail.com. We will respond within one month of receipt of the request, in accordance with Art. 12(3) GDPR.

7. Right to Lodge a Complaint (Art. 77 GDPR)

If you believe that our processing of your personal data infringes the GDPR or other applicable data protection law, you have the right to lodge a complaint with a supervisory authority. In Bosnia and Herzegovina, the competent authority is the Personal Data Protection Agency of Bosnia and Herzegovina (Agencija za zaštitu ličnih podataka u Bosni i Hercegovini). EU residents may also lodge a complaint with the supervisory authority of their habitual residence, place of work, or place of the alleged infringement.

8. Cookies and Similar Technologies

We use the following categories of cookies and similar browser storage:

• Strictly necessary: required for login sessions, CSRF protection, and remembering your consent choice. These are set without consent as they are necessary to deliver the service you requested.

• Analytics (optional): Google Analytics tracking is loaded only after you give explicit consent via the cookie banner. You can withdraw consent at any time.

We do not use advertising, profiling, or cross-site tracking cookies.

9. Automated Decision-Making

We do not carry out any automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The most recent version will always be available on this page, together with the date of the last update. For material changes we will notify registered users by email.

11. Contact

If you have any questions about this Privacy Policy or how your personal data is processed, please contact us at: