Last updated: April 5, 2026
1. Introduction
EloVault (“we,” “us,” or “our”) operates a peer-to-peer competitive chess platform at elovault.gg. This Privacy Policy describes how we collect, use, share, and protect your personal information when you use our Platform. By creating an account or using the Platform, you consent to the practices described in this Policy.
2. Information We Collect
2.1 Information You Provide
- Account information: first name, last name, username, email address, password (hashed — we never store plaintext passwords).
- Identity verification (KYC): when required, your government-issued photo ID, legal name, date of birth, mailing address, and Social Security Number or Taxpayer ID (for IRS reporting). Identity documents are processed by Stripe Identity and are not stored on EloVault servers.
- Phone number: for phone verification via SMS (processed by Twilio).
- Chess.com account: if you link your Chess.com account, we store your Chess.com username and imported ratings.
- Financial information: deposit and withdrawal amounts, transaction history, wager history. Payment card details are processed by Stripe and never touch our servers.
- Communications: messages sent through in-game chat or to our support email.
- Responsible gaming preferences: deposit limits, loss limits, and self-exclusion settings you configure.
2.2 Information Collected Automatically
- IP address: collected on every request. Used for geolocation (jurisdiction compliance), fraud detection, and security logging.
- Device information: browser type, operating system, screen resolution, and a device fingerprint hash. Used for multi-account detection and ban enforcement.
- Usage data: pages visited, actions taken, timestamps, and session duration.
- Gameplay data: all moves made in each game, move timestamps, game results, wager amounts, Glicko-2 ratings, and game analysis data.
- Anti-cheat telemetry: browser focus/blur events (whether you navigate away from the game window), move timing patterns, and engine correlation scores. This data is essential for detecting computer-assisted cheating.
- Geolocation: IP-based location (country, state, city) via MaxMind GeoLite2 database. Used to enforce jurisdiction restrictions. We do not use GPS or precise device location.
3. How We Use Your Information
- To operate, maintain, and improve the Platform.
- To process deposits, withdrawals, wager escrow, and payouts.
- To verify your identity for KYC/AML compliance.
- To enforce jurisdiction restrictions and prevent wagering from prohibited states.
- To detect and prevent cheating, fraud, collusion, multi-accounting, and money laundering.
- To calculate and maintain your Glicko-2 rating and game statistics.
- To provide post-game analysis powered by the Stockfish chess engine.
- To send transactional communications: game results, withdrawal confirmations, security alerts, and account notifications.
- To enforce responsible gaming limits and self-exclusion.
- To comply with applicable laws, including IRS reporting (1099-MISC for net winnings exceeding $600 per calendar year).
- To respond to legal process, court orders, and lawful requests from government authorities.
- To protect the safety, rights, and property of EloVault, our users, and the public.
4. Information Sharing
We do not sell your personal information to third parties. We do not use advertising trackers. We share data only with the following service providers and only as necessary to operate the Platform:
- Stripe, Inc. — Payment processing (deposits, withdrawals) and identity verification (Stripe Identity for KYC). Stripe processes your payment card details and, when applicable, your identity documents.
- Supabase, Inc. — Database hosting, user authentication, and real-time infrastructure. Your account data and game records are stored on Supabase-managed PostgreSQL databases.
- Twilio, Inc. — SMS delivery for phone verification.
- MaxMind, Inc. — IP geolocation database (GeoLite2) used for jurisdiction compliance. MaxMind does not receive your personal data; we query their database locally.
- Vercel, Inc. — Frontend hosting and CDN. Vercel processes your HTTP requests and may log IP addresses.
- Railway — Backend game server hosting. Railway processes WebSocket connections.
We may also share information with law enforcement, regulators, or courts when required by law, subpoena, court order, or government request; or when we believe disclosure is necessary to protect the rights, property, or safety of EloVault, our users, or the public. This includes IRS Form 1099-MISC reporting for net winnings exceeding $600.
5. Data Retention
We retain your data for the following periods:
- Account information: retained for as long as your account is active, plus 30 days after voluntary closure.
- Financial records (transactions, deposits, withdrawals, wagers): retained for a minimum of 7 years as required by federal tax and financial record-keeping laws.
- Game history and move data: retained indefinitely for competitive integrity, anti-cheat analysis, and dispute resolution.
- Anti-cheat data (cheat scores, flags, device fingerprints): retained for 3 years after the last game played.
- Identity verification documents: processed and stored by Stripe Identity according to Stripe's retention policy. EloVault stores only the verification status (verified/not verified) and the date of verification.
- IP addresses and geolocation logs: retained for 1 year for security and compliance purposes.
- Responsible gaming audit logs: retained for 5 years for regulatory compliance.
6. Security
We implement industry-standard security measures including: encrypted connections (TLS/HTTPS) for all data in transit; hashed passwords (bcrypt via Supabase Auth); Row-Level Security (RLS) policies on all database tables; server-side input validation; CORS and CSP headers; rate limiting on authentication and API endpoints. Despite these measures, no system is completely secure. We cannot guarantee absolute security, and you use the Platform at your own risk.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right to access: request a copy of the personal data we hold about you.
- Right to correction: request that we correct inaccurate data.
- Right to deletion: request deletion of your personal data, subject to our legal retention obligations (financial records must be retained for 7 years; game data retained for integrity).
- Right to data portability: request your personal data in a machine-readable format (JSON or CSV).
- Right to opt out of non-essential communications.
- Right to opt out of sale (California — CCPA/CPRA): we do not sell your personal data. If this changes, we will provide an opt-out mechanism.
- Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.
California residents (CCPA/CPRA): You have the right to know what categories of personal information we collect and the purposes for which it is used. You may request disclosure of the specific data collected about you. You have the right to request deletion, subject to legal exceptions.
Virginia residents (VCDPA): You have similar rights to access, correct, delete, and obtain a portable copy of your data. You may also appeal a denied request by contacting support@elovault.gg.
To exercise any of these rights, email support@elovault.gg with your request. We will respond within 30 days.
8. Cookies & Local Storage
EloVault uses the following client-side storage mechanisms:
- Authentication cookies: set by Supabase Auth for session management. These are essential — without them, you cannot log in. They are first-party, secure, HttpOnly, and SameSite.
- Theme preference (localStorage): stores your light/dark mode preference locally on your device.
- Sound preferences (localStorage): stores your sound/volume settings locally.
We do not use advertising cookies, third-party tracking cookies, or analytics cookies. We do not use Google Analytics, Facebook Pixel, or any similar service. You cannot opt out of essential authentication cookies without losing access to the Platform.
9. Children’s Privacy
EloVault is not intended for use by anyone under the age of 18 (or 21 in certain jurisdictions). We do not knowingly collect personal information from children. If we discover that a user is under the applicable minimum age, we will immediately suspend the account, refund any remaining balance, and delete the account data. If you believe a minor has created an account, please contact support@elovault.gg.
10. International Users
EloVault is currently available in the United States only. If you access the Platform from outside the United States, you do so at your own risk and are responsible for compliance with your local laws. Your data is processed and stored in the United States. By using the Platform, you consent to the transfer and processing of your data in the United States.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification at least 14 days before changes take effect. The “Last updated” date at the top of this page indicates the most recent revision. Your continued use of the Platform after changes become effective constitutes acceptance.
12. Contact
For privacy-related questions, data requests, or concerns, contact us at support@elovault.gg.
This Privacy Policy was last reviewed on April 5, 2026. Final attorney review is pending (see EloVault Development Roadmap, Item #22).