Privacy Policy for Pawn Forward
Last Updated: January 31, 2026
1. Introduction
Pawn Forward ("we," "our," or "us"), developed and operated by Digital Apptivity, LLC, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application, mobile application, and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy.
1.1 Data Controller
Digital Apptivity, LLC is the data controller for the Service. You can contact us at:
Email: privacy@pawnforward.net
Website: https://pawnforward.net
For mailing address inquiries, please contact us via email.
1.2 Geographic Scope
The Service is operated from the United States and is primarily intended for users located in the United States. If we expand availability to other regions, we will update this policy accordingly.
2. Information We Collect
2.1 Information You Provide
Account Information:
- Email address (required)
- Password (stored securely as a hash, never in plaintext)
- First name, last name, and preferred name (optional)
- Role type (student, teacher, or individual)
Chess Platform Identifiers (optional):
- Chess.com username
- Lichess username
- USCF ID
- FIDE ID
Study Data:
- Study session details (duration, category, notes, start/end times)
- Study goals and progress
- Study resources you create or save
- Homework assignments and completion status
- Session templates
Teacher-Student Relationships:
- Teacher invitation data
- Student progress notes
- Assignment tracking
2.2 Information Collected Automatically
Usage Data:
- Study session analytics (total time, categories, streaks)
- Rating history and trends from connected chess platforms
- Feature usage patterns
Technical Data:
- IP address (for rate limiting and security)
- Device type (web or mobile)
- Browser type and version
- Access timestamps
Authentication Data:
- JWT tokens (stored in httpOnly cookies)
- CSRF tokens (for web security)
- Session refresh tokens
2.3 Information from Third Parties
Chess Platforms (when you connect your account):
- Chess.com: Player ratings (daily, rapid, blitz, bullet)
- Lichess: Player ratings and percentile rankings
- USCF: Regular, quick, blitz, and online ratings
- FIDE: Standard, rapid, and blitz ratings
Payment Processors:
- Stripe: Subscription status, payment events (we do not store your credit card details)
- RevenueCat: Mobile subscription status and entitlements
2.4 Teacher Features
If you link your account with a teacher, that teacher may view:
- Your email address (for roster management and communication)
- Your study activity and session history
- Assignment completion status and time spent
- Any notes you choose to share within the teacher-student features
- Your chess ratings from connected platforms
Teachers cannot access your password or payment details. Students can view their teacher's name and any homework assignments or resources shared with them.
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Create and manage your account, track study sessions, manage goals and homework
- Sync Chess Ratings: Retrieve and display your ratings from connected chess platforms
- Process Payments: Manage subscriptions through Stripe (web) and RevenueCat (mobile)
- Send Communications: Email verification, password reset, teacher invitations (via Resend). We send only service-related emails unless you opt in to marketing communications (if offered).
- Improve Security: Bot protection (Cloudflare Turnstile), rate limiting, fraud prevention
- Generate Analytics: Provide insights into your study habits and progress
- Support Teacher Features: Enable teachers to assign homework and track student progress
4. Third-Party Services
We use the following third-party services that may process your data:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Web payment processing | Email, subscription metadata, transaction/billing events |
| RevenueCat | Mobile payment processing | App user ID, purchase/entitlement data, subscription status |
| Resend | Email delivery | Email address, name |
| Chess.com API | Rating synchronization | Username (public API) |
| Lichess API | Rating synchronization | Username (public API) |
| Cloudflare Turnstile | Bot protection | Challenge tokens |
| Cloudflare R2 | File storage | Uploaded study resources |
| Supabase (PostgreSQL) | Database hosting | All stored data |
These providers process personal information on our behalf as service providers/processors, under agreements that limit their use of the data to providing services to us.
Each third-party service has its own privacy policy. We encourage you to review them:
- Stripe: https://stripe.com/privacy
- RevenueCat: https://www.revenuecat.com/privacy
- Resend: https://resend.com/legal/privacy-policy
- Cloudflare: https://www.cloudflare.com/privacypolicy/
- Chess.com: https://www.chess.com/legal/privacy
- Lichess: https://lichess.org/privacy
- Supabase: https://supabase.com/privacy
5. Data Security
We implement security measures to protect your information:
- Password Security: Passwords are hashed using industry-standard algorithms
- Secure Transmission: All data transmitted over HTTPS/TLS
- Cookie Security: Authentication tokens stored in httpOnly, secure cookies
- Webhook Verification: Payment webhooks verified via cryptographic signatures
- Rate Limiting: Protection against brute force and abuse
- CSRF Protection: Token-based protection against cross-site request forgery
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Upon account deletion:
- Your account data will be deleted within 30 days
- Anonymized analytics data may be retained for service improvement ("anonymized" means data that cannot reasonably be used to identify you)
- Payment records may be retained as required by law
You can request account deletion by emailing privacy@pawnforward.net or via in-app settings if available.
Backups and Logs: Copies of your data may remain in encrypted backups for up to 60 days after deletion. Security logs (e.g., IP-based rate limiting records) are retained for up to 14 days unless we need them longer for security or legal compliance.
Uploaded Content: Study resources and files you upload to Cloudflare R2 are deleted as part of account deletion, subject to backup retention periods.
7. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your personal data
- Portability: Request your data in a portable format
- Objection: Object to certain types of processing
- Withdrawal: Withdraw consent where processing is based on consent
To exercise these rights, contact us at privacy@pawnforward.net.
7.1 California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act.
Your Rights:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to opt-out of sale or sharing of personal information
- Right to non-discrimination for exercising privacy rights
No Sale or Sharing: We do not sell personal information. We also do not share personal information for cross-context behavioral advertising (as those terms are defined under CPRA).
Disclosures for Business Purposes: We may disclose the following categories of personal information to service providers that help us operate the Service:
- Identifiers: Email address, name, chess platform usernames
- Commercial Information: Subscription status, purchase history
- Internet Activity: Basic usage data, security logs
- User Content: Study sessions, goals, homework, and notes you submit
Categories of Sources: We collect personal information from:
- Directly from you (registration, study data entry)
- Automatically (usage data, device information)
- Third parties (chess platform ratings, payment processors)
Retention: See Section 6 for our data retention practices.
7.2 European Residents (GDPR)
If you access the Service from the European Economic Area or United Kingdom, the following disclosures apply to you under the General Data Protection Regulation.
Legal Bases for Processing:
| Purpose | Examples | Legal Basis |
|---|---|---|
| Provide the Service | Account creation, session tracking, teacher features | Contract performance |
| Payments & Billing | Subscription status, invoices | Contract + Legal obligation |
| Security & Fraud Prevention | Rate limiting, bot protection, abuse detection | Legitimate interests |
| Communications | Email verification, password reset, teacher invitations | Contract (service messages) |
| Product Improvement | Aggregated internal analytics | Legitimate interests |
Your Additional Rights:
- Right to lodge a complaint with your local supervisory authority
- Right to withdraw consent at any time (where processing is based on consent)
International Transfers: Where our service providers process personal data outside the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms recognized under applicable law. Our primary service providers (including Stripe, Cloudflare, and Supabase) maintain their own data transfer mechanisms compliant with GDPR requirements.
8. Children's Privacy
The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected data from a child under 13, please contact us immediately.
9. Cookies and Tracking
We use cookies for:
- Essential Cookies: Authentication tokens, CSRF protection (required for the Service)
- Functional Cookies: User preferences and settings (e.g., dark mode preference)
We do not use third-party advertising cookies or sell/share personal information for cross-context behavioral advertising. Some service providers (e.g., security and payment providers) may set essential cookies or similar technologies to operate reliably and prevent fraud. These include:
- Cloudflare security cookies for bot protection
- Stripe cookies when using payment flows
We do not use Google Analytics or other third-party behavioral analytics services. If we introduce third-party analytics in the future, we will update this policy.
Some browsers offer "Do Not Track" signals; we currently do not respond to these signals as there is no industry-standard interpretation.
10. Data Transfers
Your information may be transferred to and processed in countries other than your own, primarily the United States where our servers and service providers are located. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws, including Standard Contractual Clauses where required.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Sending an email notification for material changes
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Digital Apptivity, LLC
Email: privacy@pawnforward.net
Website: https://pawnforward.net
Summary of Data Collection
| Category | Data Collected | Purpose |
|---|---|---|
| Account | Email, password hash, name, role | Service access |
| Chess Profiles | Platform usernames/IDs | Rating sync |
| Study Data | Sessions, goals, homework | Core functionality |
| Payments | Subscription events | Billing |
| Technical | IP, device type, timestamps | Security |