Privacy policy

Operated by Checkmate Live Pty Ltd (ACN 694 727 743) Last Updated: 25 Feb 2026

P. Jurisdiction and Primary Regulatory Framework

Checkmate Live is established and operated from New South Wales, Australia. Our primary regulatory framework includes compliance with applicable Australian legislation, including but not limited to:

• Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)

• Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act)

• Competition and Consumer Act 2010 (Cth) including the Australian Consumer Law (ACL)

• Spam Act 2003 (Cth)

• Online Safety Act 2021 (Cth) (where applicable)

• and other applicable Commonwealth and State/Territory laws governing digital services, consumer protection, financial compliance, and online platform operations.

We are committed to complying with all applicable Australian legal and regulatory obligations relevant to our operations.

We provide services globally. Where we offer services to users located outside Australia, additional data protection laws (including the EU General Data Protection Regulation (GDPR), UK GDPR, or other local laws) may apply to specific processing activities. Where such laws apply, we comply with those mandatory legal requirements in addition to our Australian obligations.

Nothing in this Policy is intended to create an establishment or primary regulatory seat outside Australia. Australian law governs the operation of the platform, subject only to mandatory rights that apply in the user's jurisdiction.

1. Introduction

Welcome to Checkmate Live ("we", "us", "our").

Checkmate Live is an Australia-based online chess platform offering free-to-play gameplay, competitive tournaments, and optional subscriptions and in-app purchases. Certain features — including prize-bearing formats, supervised events, Pro or Echess tournaments, and specific competitive modes — may require identity verification (KYC), wallet linkage, age verification, or enhanced compliance checks.

Some features are restricted to users who meet minimum age and identity requirements as set out in our Age Policy and Terms of Service. Access to competitive, prize-bearing, or identity-transparent formats may be limited to users aged 18+ or those who satisfy additional eligibility conditions.

We are committed to protecting your privacy, maintaining competitive integrity, and ensuring the security of our platform and community. This Privacy & Compliance Policy explains how we collect, use, disclose, store, and protect personal information across all services, including gameplay, competitive events, integrity monitoring, supervised formats, VOIP and communications features, payment processing, blockchain interactions, and website usage.

1.1 Minimum Age Requirements

Account creation requires users to provide their date of birth at registration. We currently use date-of-birth self-declaration at registration to assess age eligibility in accordance with our Age Policy.

Where users under 18 are permitted to create accounts, access to prize-bearing formats, KYC-requiring features, identity-transparent events, and certain supervised or broadcast formats is restricted to users aged 18 and over. Additional safeguards described in our Age Policy apply to users identified as minors.

We are implementing additional age assurance measures to strengthen age eligibility controls. These measures may include third-party age estimation or age verification services in future development releases. Where implemented, such technologies will be disclosed in this Policy and in our Data Recipients and Service Providers document prior to activation.

1.2 Player Overview

We know privacy policies can feel dense. Here's what this document covers in plain language:

• What information we collect when you create an account, play games, subscribe, or participate in tournaments

• How we use data to run the Platform, process payments, and deliver features

• How we protect competitive integrity, detect cheating, and keep players safe

• When identity verification (KYC) is required and why

• How we handle voice, chat, and supervised play

• When and why we may disclose information to federations, integrity bodies, regulators, or law enforcement

• How long we keep information and how we protect it

• How we restrict internal access to sensitive data on a strict need‑to‑know, role‑based basis to protect your privacy and security

We are an Australia‑based platform built around fair competition and community protection. We aim to collect only what we need, use it responsibly, and be transparent about how integrity and security systems operate — while protecting those systems from misuse.

This Privacy & Compliance Policy explains how Checkmate Live collects, uses, discloses, stores, and protects personal information when you use our online chess platform, including free-to-play gameplay, subscriptions, in-app purchases, tournaments, supervised events, VOIP services, and integrity enforcement systems.

We take a safety-and-fair-play approach: we collect what we need to run the Platform, protect players, and keep competitive events credible. We aim to be transparent about what we do, while also limiting detail where disclosure would undermine security or enable cheating or abuse.

By accessing or using the Platform, you acknowledge this Policy.

1.3 Related Policies and Documents

This Privacy & Compliance Policy should be read together with our:

• Terms of Service — the primary contract governing platform access, user obligations, enforcement powers, dispute processes, and limitations of liability.

• FairPlay Policy — how competitive integrity is protected (cheating, engine use, multi‑accounting, collusion, tournament interference), how reviews are conducted, what evidence may be used, and what sanctions may apply.

• Community Code of Conduct — behavioural standards for chat, voice, messaging, tournaments, and community interaction, including reporting and moderation processes.

• Age Policy — age eligibility requirements, youth protections, parental/guardian conditions where applicable, and age‑restricted feature rules.

• Account Policy — account creation standards, account security expectations, credential sharing restrictions, ban evasion rules, identity tier requirements, and account linkage controls.

• Account Deletion Policy — how account closure requests are handled, what data may be deleted or retained, integrity and legal retention carve‑outs, and what information cannot be removed (such as official competitive records).

• Tournament and Prize Terms — eligibility requirements, payout conditions, supervised play rules, identity transparency formats, and AML/CTF compliance obligations.

• Security / Acceptable Use Policy — cyber security rules, prohibited technical conduct, incident response posture, and cooperation obligations.

• Cookie Policy and Consent Preferences — how we use cookies, tags, pixels, analytics, and how you manage consent.

These documents form part of the overall governance framework of the Platform. Where there is any inconsistency, mandatory law prevails. Otherwise, the Terms of Service governs the contractual relationship and incorporate the above policies by reference where stated.

2. Collection Notice

At or before the time we collect personal information, we take reasonable steps to inform you of:

• the identity and contact details of the data controller

• the purposes for which the information is collected

• the consequences (if any) of not providing requested information

• the types of entities to which we may disclose the information (including service providers, federations, integrity bodies, regulators, and law enforcement)

• how you may access and correct your personal information

• how you may lodge a complaint and how we will handle that complaint

This Privacy Policy forms part of that notice.

2.1 Account Creation and Express Acknowledgement

When registering an account, users are presented with the statement:

"By clicking Sign Up, you agree to Checkmate's Terms and Conditions and Privacy Policy."

Account creation cannot proceed unless the user actively clicks the Sign Up button. This action constitutes an express acknowledgement that the user has read and agreed to the Terms of Service and this Privacy Policy. This acknowledgement is recorded within our systems.

This acceptance forms part of the contractual basis for core platform processing (including account administration, gameplay functionality, integrity monitoring, and security operations).

Where a specific processing activity requires separate consent under applicable law (for example, marketing communications or non-essential cookies), that consent is obtained independently.

2.2 Cookie and Tracking Consent

We use Usercentrics as our Consent Management Platform (CMP).

Non-essential cookies and similar technologies are only activated after the user provides consent via the Usercentrics banner or settings interface. Consent preferences are logged and retained as compliance evidence and may be modified at any time.

Where enabled, we may use tag management and advertising/analytics pixels (for example Google Tag Manager and pixels from advertising platforms) to measure marketing effectiveness, understand site usage, and deliver relevant communications. These technologies are treated as non-essential where required by applicable law and are only activated after the relevant consent is provided.

Integrity-related technologies necessary for platform security and competitive functionality are categorised as strictly necessary and do not rely on marketing or analytics consent.

3. Data Controller

Controller: Checkmate Live Pty Ltd (Australia) Address: 81-83 Campbell St, Surry Hills NSW 2010, Australia Email: [email protected]

Unless otherwise stated, Checkmate Live Pty Ltd is the primary data controller.

Checkmate Live Pty Ltd is the sole contracting entity and operator of the Platform. No affiliate, supplier, or service provider assumes any duty or liability to users except where required by mandatory law.

4. Categories of Personal Data We Collect

4.1 Account & Identity Data

• Email address

• Username / alias

• Country of residence

• Date of birth

• FIDE / federation identifiers

• Player ID

• Wallet address

• IP address

• Device metadata

• Login history

FIDE ID Synchronisation and Federation Integration

Where a user elects to synchronise a FIDE ID with their Checkmate Live account:

• We may import and display the official FIDE identifier and rating

• We may verify identity through approved KYC providers to prevent impersonation and federation identity fraud

• We may share relevant participation and rating data with the relevant federation for official rating integration, eligibility confirmation, and integrity oversight in federation-aligned events

FIDE ratings are used as a competitive baseline reference only. Synchronisation does not exempt any player from Fair Play monitoring and does not determine integrity outcomes.

For federation-aligned formats (including Echess events), verified identity information and official competitive records may be retained and shared in accordance with federation governance requirements.

Country of Residence (Required)

Country of residence is required when creating an account. We collect this information to: (a) manage eligibility for tournaments, region-limited formats, and compliance-related access controls; and (b) protect the Platform, including FairPlay enforcement, fraud prevention, account security, and risk monitoring.

We may compare your stated country with technical signals such as IP-derived location, device/network metadata, and travel patterns to help detect suspicious activity (for example, account takeover, ban evasion, collusion, tournament interference, or other integrity risks).

The use of VPNs, proxy services, or other location-masking tools to misrepresent location, circumvent regional restrictions, evade sanctions, or interfere with competitive integrity is prohibited under our Security and FairPlay policies.

A material mismatch between declared country and technical location signals, evidence of impossible travel patterns, or the use of location-masking tools for prohibited purposes may result in restrictions, suspension, or termination of access, including without prior notice where reasonably necessary to protect competitive integrity, platform security, or compliance obligations.

If you do not provide your country of residence, you may not be able to create an account or access certain events or features.

Once an email address is registered and linked to an account, it becomes part of the platform's identity framework. For ongoing Fair Play protections, fraud prevention, and ban evasion detection, email identifiers may be retained in hashed or pseudonymised form even where an account is closed or deactivated, subject to applicable legal retention requirements.

4.2 Gameplay, Integrity & Risk Signals

We collect gameplay, integrity, and risk signals to operate competitive play, detect cheating and fraud, prevent abuse, secure accounts and infrastructure, and enforce our Terms and tournament rules.

This information may include:

• Persistent device identifiers

• Linkage tokens

• Browser/OS metadata

• Gameplay telemetry and timing data

• Behavioural analytics outputs

• Integrity scores

• Account linkage indicators

• Multi-accounting, collusion, and tournament-interference indicators

• Investigation-related communications

• Publicly available information used in investigations

4.3 Supervised Event Data

• Webcam video

• Screen sharing / screen capture

• Audio (where enabled)

• Supervision metadata (for example, timestamps, check-in status, device/environment checks, and arbiter notes)

Supervised tournaments (including finals and other nominated events) use our Arbiter Mode.

In supervised events, webcam streaming is a core part of the competition format and broadcast model. By default, your primary webcam feed is streamed live on the Platform for transparency, spectator viewing, and commercial broadcast purposes. This is a baked‑in feature of supervised formats and is not optional once you elect to participate in that event.

Broadcast, replay, and highlight footage may continue to be displayed after the event has concluded as part of the Platform's archive, official records, promotional materials, and event coverage.

Supervision requirements may apply to semi-finals, finals, Pro stages, Echess formats, specific rounds, or an entire tournament or tournament series, depending on the event rules. In some events, supervised mode applies from the outset; in others, it may be introduced at later stages (for example, elimination rounds or prize-bearing stages).

As part of our Fair Play protections and commercial broadcast model, we reserve the right to require webcam supervision, screen sharing, or additional supervision measures at any stage of a tournament, match, or series where reasonably necessary to protect competitive integrity, administer the event, meet federation requirements, support broadcast and media rights, or comply with legal and regulatory duties. Where supervision is introduced or escalated, reasonable notice will be provided through the tournament page, onboarding flow, or official event communications, except where immediate activation is reasonably necessary to protect integrity or security.

Participation in an event subject to supervision constitutes acknowledgement and agreement that:

• your primary webcam feed will be broadcast live on the Platform and may be recorded

• recordings may be used for official results, highlights, replays, promotional content, and archival purposes

• supervision requirements may evolve during the course of the competition in accordance with the event rules and our Terms of Service

We do not guarantee uninterrupted transmission, recording availability, or continuous broadcast functionality in supervised events. Network conditions, technical disruptions, third‑party platform dependencies, integrity interventions, federation requirements, or security responses may result in temporary interruption, modification, suspension, or termination of supervised feeds or broadcasts. Such interruptions do not invalidate competitive outcomes unless expressly determined under the applicable Tournament Rules or Terms of Service.

A secondary or observer camera (for example, a room view or alternative angle) is not required in all events but may be required where an event is formally produced, broadcast, or subject to enhanced integrity controls. Where used, this may also be streamed or recorded as part of the event production. By participating in such events, you grant us the necessary consent and release to capture, broadcast, reproduce, and publish that footage for integrity, transparency, and commercial broadcast purposes.

Arbiters and supervision personnel may be located in different jurisdictions (for example, federation-appointed arbiters such as ACF or FIDE arbiters operating across time zones). Supervision data may therefore be accessed and reviewed across jurisdictions in accordance with this Policy and applicable safeguards.

Explicit permission and tournament-only use.

• Permissions are requested during tournament onboarding / check-in.

• If you do not grant required permissions, you cannot participate in that supervised tournament.

• These permissions are used for supervised and broadcast-enabled tournament formats only. We do not use Arbiter Mode capture for ordinary free-to-play matches.

Arbiters and authorised Fair Play personnel may review tournament games, supervision materials, gameplay telemetry, and related integrity data at any time before, during, or after an event where reasonably necessary to protect competitive integrity, investigate potential breaches of our FairPlay Policy or Terms of Service, comply with federation or regulatory requirements, or resolve disputes. This review right applies regardless of whether the event is live, completed, prize-bearing, federation-aligned, or subject to later appeal or investigation.

What we capture and why. During supervised tournaments we may capture and retain:

• live-streamed webcam video (and audio where enabled)

• screen sharing video (your shared desktop / application view)

• secondary/observer camera feeds where required

• supervision metadata (for example, session start/stop times, permission states, connectivity/quality diagnostics, and arbiter actions)

• communications related to supervision (for example, arbiter instructions and acknowledgements)

Recordings and supervision artefacts are retained in accordance with our FairPlay Policy and applicable legal, regulatory, federation, broadcast, dispute-resolution, and integrity-enforcement requirements.

Computer vision and face tracking (supervision). As part of Arbiter Mode and other supervised formats, we use computer vision techniques to support Fair Play, safety, and event administration. This may include face presence tracking (for example, detecting whether a player is on camera), liveness checks, environment and device compliance checks (for example, confirming camera/screen sharing is active), and other visual integrity signals designed to deter and detect unauthorised assistance.

Where required by applicable law, any processing that is treated as sensitive information (including biometric information) is handled with additional safeguards and, where required, your explicit consent.

In supervised tournaments, consent is collected during onboarding and check‑in as a condition of entry. If you do not grant required permissions, you cannot participate in that supervised event.

We do not use computer vision outputs for advertising or marketing profiling. We use them only for tournament supervision, Fair Play enforcement, safety, dispute resolution, and legal/compliance purposes.

We may generate and retain derived supervision signals (for example, presence/absence indicators, timestamps, and integrity flags) and may retain recordings and related artefacts in accordance with our FairPlay Policy and this Privacy Policy. We aim to minimise retention of sensitive derived data where feasible, but we may retain it where reasonably necessary for integrity enforcement, dispute resolution, federation obligations, regulatory compliance, or legal proceedings.

4.4 Payments & Financial Data

• Transaction IDs

• Subscription history

• Wallet addresses

• Blockchain transaction hashes

• Refund history

We do not collect, store, or process full credit card numbers or complete card details. All card payments are processed directly by Stripe as our payment service provider. Stripe stores and processes cardholder data in accordance with its own security and regulatory obligations (including PCI-DSS requirements). We receive only limited transaction information necessary to confirm payment status, manage subscriptions, and maintain financial records.

Blockchain-based payments (including USDC, ETH or other supported digital assets) are recorded on public distributed ledgers. Blockchain transactions are publicly visible and permanently recorded outside our control. Wallet addresses and transaction hashes may therefore be visible to third parties and may be screened for fraud, sanctions, or prohibited activity risk.

Where personal information (such as wallet addresses or transaction identifiers) has been recorded on a public blockchain, erasure of that on-chain data is not technically feasible. In such cases, we will erase, restrict, or anonymise any off-chain records we control where required by applicable law, but we cannot remove information that exists on public distributed ledgers outside our control.

4.5 KYC & Compliance Data

• Identity verification results

• Date-of-birth declaration and age eligibility status (self-declared at registration)

• AML screening outputs

Pro Pass and Echess Pass subscriptions require identity verification (KYC) prior to activation. Users applying for or holding these subscription tiers must successfully complete identity verification through our approved verification providers.

Age verification is currently based on date-of-birth self-declaration at registration, except where identity verification (KYC) is required for Pro Pass, Echess formats, prize payouts, or Fair Play reviews. In those contexts, age may be confirmed through identity verification providers. We are implementing additional age assurance controls which may include third-party age estimation or verification services in future releases.

Identity verification (KYC) is required only for:

• Pro Pass subscription activation

• Echess formats (including FIDE ID synchronisation and identity-transparent federation-aligned events)

• Prize payouts where AML/CTF verification is required under applicable law

We do not require KYC for standard free‑to‑play gameplay.

However, identity verification may be required where a Fair Play meeting, integrity interview, or formal review is requested, including for free‑to‑play users, where we reasonably consider verification necessary to protect competitive integrity, prevent fraud or ban evasion, investigate serious misconduct, or comply with regulatory or federation obligations.

Failure to complete requested verification in connection with a Fair Play review may result in suspension, restriction, ineligibility for competitive formats, or permanent platform ban, subject to applicable law.

Identity documents (including passports, driver licences, and similar government-issued identification), biometric imagery, and liveness verification data are processed and stored by authorised third-party verification providers (for example, Sumsub (Sum & Substance Ltd.) or equivalent providers engaged from time to time). Checkmate Live does not ordinarily collect, store, or retain copies of passports, driver licences, or raw biometric templates.

Instead, we receive and retain verification outcome data, which may include verification status (e.g., verified / rejected / pending), risk or confidence scores, sanctions screening results, compliance flags, reference IDs, timestamps, audit logs, and related compliance metadata. This verification outcome data is retained only as reasonably necessary for integrity enforcement, fraud prevention, dispute resolution, regulatory compliance (including AML/CTF and CARF obligations), prize eligibility checks, and legal defence purposes.

In connection with identity verification for Pro Pass, Echess formats (including FIDE ID synchronisation), Fair Play reviews, and AML-triggered payouts, we may also receive and retain core identity attributes from our verification provider, including the verified full legal name, date of birth (or age confirmation), and country of residence. We use this information solely for identity confirmation, eligibility checks, federation compliance, Fair Play enforcement, regulatory compliance, and prevention of fraud or ban evasion. We do not ordinarily receive or retain full document scans unless strictly required for legal or enforcement purposes.

Prize payments may be subject to Anti‑Money Laundering and Counter‑Terrorism Financing (AML/CTF) verification requirements. Where requested, users must provide proof of identity and proof of residential address (dated within the previous 90 days). Where required by applicable law for tax or reporting purposes, users may also be required to provide a Tax File Number (TFN) or equivalent tax identification number. Any TFN we collect (if collected by us rather than a payment provider) is collected and handled in accordance with the Privacy (Tax File Number) Rule 2015 and is used only for lawful reporting, verification, and compliance purposes. Failure to provide requested AML/CTF or tax information may result in delayed, restricted, or withheld prize payments where permitted by law.

Certain payments, rewards, or transactions may also be subject to tax reporting and information collection obligations under the OECD Crypto-Asset Reporting Framework (CARF) and/or other applicable tax transparency regimes. Where requested, users must provide tax residency information, a valid tax file number or equivalent tax identification number, and other information reasonably necessary to meet reporting obligations (including, where relevant, wallet ownership/association confirmations and transaction reference details). Failure to provide requested CARF-related information may result in delayed, restricted, or withheld payouts or rewards where permitted by law.

4.6 Support & Communications

• Support tickets and service requests

• Account correspondence (including verification, payments, and integrity communications)

• Investigation records and case notes

We may monitor, record, and retain support communications and in-platform interactions where reasonably necessary for safety, integrity enforcement, dispute resolution, abuse prevention, and compliance with applicable law (including the Online Safety Act 2021 (Cth)).

We may comply with lawful removal, preservation, or information‑gathering notices and requests issued by competent authorities (including the eSafety Commissioner) under the Online Safety Act 2021 (Cth) or similar regimes, and may retain relevant records to the extent reasonably necessary to meet those obligations.

Voice, Chat, and VOIP Features

The Platform may provide text chat, voice chat / VOIP, messaging, and other real-time communications features (together, "Comms Features"). Depending on the feature, region, and settings, we may collect and process:

• Text chat messages (including attachments, emojis, and message metadata)

• Voice audio streams and voice-channel metadata (e.g., channel, participants, timestamps, device/network quality metrics)

• Abuse reports, user blocks/mutes, moderator actions, and outcomes

• Technical diagnostics (e.g., jitter, packet loss, latency) to improve voice quality and detect abuse

Moderation and Safety. We may use automated and human review tools to detect, prevent, investigate, and enforce against harassment, threats, grooming, hate speech, doxxing, extortion, coercion, cheating coordination, match manipulation, fraud, and other behaviour that undermines player safety or competitive integrity.

Recording / Capture. We do not seek to record all communications by default. However, where lawful and reasonably necessary for safety, integrity, dispute resolution, or incident response, we may:

• retain text chat logs

• capture and retain limited voice snippets or session clips associated with a report or investigation

• retain moderation artefacts (e.g., hashes, transcripts, timestamps, channel membership, report IDs)

• retain evidence where a Fair Play review, integrity interview, cyber security incident response, or compliance matter is active

Where feasible, we apply a metadata-first approach for Comms Features (for example, using timestamps, channel identifiers, and moderation outcomes rather than full content). Where content capture is necessary, it is limited, access-restricted, and retained only as long as reasonably required for the relevant purpose (including legal holds).

User Reporting. Users may report communications. Reports may include the content reported, surrounding context necessary to evaluate the report, and relevant metadata. We may use reports to take action under our Terms and tournament rules.

Third-Party Comms Providers. Comms Features may be provided using third-party infrastructure or SDKs. Those providers may process certain technical and routing data to deliver the feature. We contractually require appropriate confidentiality and security protections and limit processing to service delivery, safety, and security purposes.

Disclosures. Communications and related evidence may be disclosed to recipients described in this Policy (including federations, integrity bodies, regulators, and law enforcement) where reasonably necessary and lawful, including without prior notice where non-notification is required or reasonably necessary to preserve investigation integrity.

4.7 Security & Infrastructure Logs

• Server logs

• Error logs

• Access logs

• Abuse detection signals

• Network flow logs and connection metadata (e.g., request headers, timestamps, routing and edge metadata)

• Real-time communications security telemetry (e.g., voice/chat session identifiers, channel membership events, abuse reports, moderation outcomes, and connection-quality metadata)

• DDoS and abuse-mitigation telemetry (e.g., rate-limit events, challenge outcomes, bot scores, WAF actions, edge/caching logs, scrubbing/mitigation status)

• Security fingerprints and device/network integrity signals (including CDN/WAF fingerprints where available)

• Forensic artefacts generated during incident response (e.g., indicators of compromise, hashes, signatures, correlation IDs, and case notes)

Metadata-first security monitoring: we primarily use connection metadata and security telemetry (not content) to detect and mitigate abuse. Where reasonably necessary and lawful, and only to the minimum extent required: within systems and infrastructure under our control we may use limited packet inspection or tightly‑scoped payload sampling for attack validation (including volumetric and protocol abuse), exploit verification, malware analysis, incident containment, and evidence preservation. Wherever feasible, we use headers, hashes, signatures, and indicator‑only artefacts rather than full content. Any payload samples are access‑restricted, time‑limited, and handled under strict forensic controls.

4.8 Websites, Social Media, and Marketing Technologies

When you visit our websites, landing pages, or marketing surfaces, we may collect information using cookies and similar technologies (subject to your consent settings where required). This may include:

• Website and campaign analytics: page views, clicks, scroll depth, referrers, UTM parameters, conversion events, and session identifiers.

• Advertising and social pixels / tags: for example, Google tags (including tag management such as Google Tag Manager) and pixels from platforms such as Meta (Facebook/Instagram), Reddit, and other advertising networks we use from time to time.

• Community and social platform integrations: including Discord integrations used for community engagement, event coordination, announcements, and support communications, where users choose to interact with us via those platforms.

• Device and browser information: IP address, approximate location derived from IP, device type, operating system, browser type and version, and language settings.

• Marketing communications interactions: email opens/clicks and in-product notification interactions where lawful.

These technologies help us measure marketing performance, prevent abuse (including bot and fraud traffic), improve user experience, and better understand how users discover and engage with our Platform. For more detail on cookies and consent controls, see §2.2 Cookie and Tracking Consent.

Error Monitoring and Diagnostics (Sentry)

We may use error monitoring tools (for example, Sentry or equivalent services) to collect diagnostic information about crashes, errors, and performance issues. This may include error logs, stack traces, timestamps, device and browser details, and pseudonymous identifiers. We use this information to troubleshoot, improve reliability, and protect the Platform from misuse.

Configuration controls. Third‑party monitoring tools must be configured to minimise data collection and avoid capturing sensitive content (for example, full message bodies, session replays, payment details, or identity documents), except where strictly necessary and lawful. Where we discover that a tool, SDK, or service has been enabled or configured in a way that exceeds our intended collection settings (including through vendor misconfiguration or unauthorised enablement), we may promptly disable or reconfigure it, investigate the scope of data affected, preserve evidence for integrity/cyber and legal purposes, update this Policy and/or our Data Recipients where appropriate, and make any notifications required by applicable law.

Internal Telemetry and Monitoring

We operate internal monitoring systems to log gameplay and platform telemetry for:

• cheat detection and Fair Play enforcement

• security monitoring and incident response

• performance monitoring and reliability

• product improvement and feature development

• where lawful, measuring the effectiveness of marketing services and user acquisition

We take a metadata-first approach wherever feasible and limit data collection to what is reasonably necessary for these purposes.

5. Purposes and Legal Bases

We process personal data for the following purposes, including to protect the competitive integrity of events and the competitive protection of players.

5.1 Regulatory, Integrity, and Security Priority

Where compliance with legal obligations, regulatory requirements, integrity frameworks, or cyber security duties reasonably requires us to take protective steps (including monitoring, evidence preservation, verification, disclosure, restrictions, or delayed notification), those obligations and duties prevail to the extent permitted by law. Nothing in this Policy limits any non‑excludable rights you have under mandatory law.

This includes preventing cheating, fraud, intimidation, harassment, and other conduct that undermines fair competition or player safety.

• Operating and moderating Comms Features (text chat, voice/VOIP, messaging) to support gameplay, community interaction, and accessibility, and to prevent and respond to harmful or unlawful conduct (including harassment, threats, grooming, doxxing, extortion, and cheating coordination), and to support incident response and dispute resolution (Contract necessity / Legitimate interests / Legal obligation).

• Operating our websites, marketing surfaces, and measurement technologies (including cookies, tags, and pixels where enabled) to understand usage, measure campaign performance, prevent abuse, improve services, and (where lawful) personalise communications and promotions (Consent / Legitimate interests).

• Conducting identity verification (KYC), enhanced due diligence, and age verification for subscription tiers, prize eligibility, Fair Play enforcement, fraud prevention, sanctions screening, regulatory compliance, and security protection, including AML/CTF compliance for prize payments, CARF and other tax transparency reporting obligations where applicable, and tax reporting obligations (Legal obligation / Contract necessity / Legitimate interests).

• Establishing, exercising, and defending legal claims (Legitimate interests / Legal obligation), including investigating, documenting, and pursuing claims against cheat developers, bot operators, fraud networks, ban evaders, and other actors who harm the Platform, our users, or our partners.

• Assessing and documenting the operational impact of cheating and interference (including investigation time, security response costs, prize pool distortion, chargebacks, and reputational harm) for the purpose of integrity enforcement and legal recovery (Legitimate interests / Legal obligation).

• Maintaining and defending the integrity, credibility, and commercial viability of competitive events (including preserving official results, placements, and prize determinations, and enforcing prize and reward outcomes) (Legitimate interests). This includes reserving discretion to modify, suspend, escalate supervision measures, or adjust operational controls where reasonably necessary to respond to evolving cheating methods, cyber threats, federation requirements, or integrity risks.

• Protecting intellectual property, confidential systems, integrity technology, and cyber security posture (Legitimate interests), including detecting and responding to circumvention, reverse engineering, scraping, automation, tampering, botting, exploit use, account takeovers, credential stuffing, DDoS and availability attacks, traffic flooding, protocol abuse, malware delivery, phishing, social engineering, data exfiltration attempts, vulnerability scanning, reconnaissance, and other interference with the Platform, our infrastructure, or our users. We take a metadata-first approach. Where reasonably necessary and lawful, and only to the minimum extent required, we may perform limited packet inspection or tightly-scoped payload sampling to validate and mitigate attacks, verify exploits or malware, preserve evidence, and improve defensive controls. Wherever feasible, we rely on headers, hashes, signatures, and indicator-only artefacts rather than content.

• Cyber security forensics, tracing, and attribution (Legitimate interests / Legal obligation), including correlating identifiers, logs, integrity signals, and third‑party threat intelligence to investigate, contain, and remediate security incidents; to trace and disrupt malicious infrastructure; to recover accounts or assets; to pursue civil remedies; and to support referrals to competent authorities. Where required, we may seek court orders or lawful third‑party disclosures to identify responsible actors.

5.2 Integrity, Compliance, and Fair Play Governance

We may share relevant personal information with integrity and governance bodies where reasonably necessary to ensure fair competition, prevent fraud, or comply with legal or regulatory obligations. This may include disclosures to:

• recognised federation partners and tournament organisers

• sports and esports integrity bodies (including, where applicable, the Esports Integrity Commission, the Asian Chess Federation, the International Games & Esports Tribunal, the Abu Dhabi Sports Council, and the Arab Esports Federation)

• regulatory authorities

• law enforcement agencies

• national or sectoral cyber security authorities (including, where applicable, the Australian Cyber Security Centre (https://www.cyber.gov.au/) and relevant Abu Dhabi cyber security units)

• professional advisers supporting integrity, compliance, cyber security, or enforcement functions

In the event of a Fair Play report, fraud review, or integrity investigation, we may collect, retain, and organise relevant user information into a dedicated integrity file. This file may include account data, gameplay telemetry, integrity indicators, communications, supervision materials, and investigation records. Such files are retained solely for integrity, compliance, security, dispute resolution, regulatory engagement, or enforcement purposes.

5.3 Profiling, Automated Decision-Making, and Compliance-as-Code

We use automated systems, deterministic rules engines, behavioural analytics, integrity risk scoring, sanctions screening, and fraud detection systems to support platform operations, Fair Play enforcement, security monitoring, and regulatory compliance.

These systems may include:

• deterministic rule-based engines (including compliance-as-code frameworks)

• integrity scoring models

• anomaly detection systems

• device and network correlation logic

• sanctions and risk screening systems

• tournament eligibility and rule validation engines

• workflow automation for enforcement and compliance processes

In an online competitive game environment, many operational decisions must occur in real time. Automated systems may therefore:

• validate tournament eligibility requirements

• enforce format restrictions (e.g., supervised mode requirements)

• trigger step-up verification controls

• restrict access pending review

• generate integrity or risk scores

• flag suspected multi-accounting, collusion, automation, or ban evasion

• apply temporary safeguards to protect competitive integrity

These systems are designed to apply tournament rules, integrity controls, and compliance requirements consistently and deterministically.

5.4 Material Adverse Decisions

Where a decision may have a material adverse effect on a user (for example, permanent suspension, prize forfeiture, publication of a sanction, or long-term competitive ineligibility), the decision is not based solely on automated processing. Such decisions may include human review, contextual assessment, or escalation through defined enforcement workflows, except where immediate automated action is reasonably necessary to:

• prevent ongoing cheating or fraud

• stop active security threats or cyber abuse

• comply with a legal or regulatory obligation

• preserve evidence or investigation integrity

Even where automated systems initiate a restriction, further review may occur.

5.5 Bias Reduction and Platform Discretion

Our automated and rules-based systems are designed to promote consistency, proportionality, and competitive fairness. By embedding certain tournament, eligibility, and integrity requirements directly into platform logic, we aim to reduce arbitrary enforcement, minimise bias, and apply standards uniformly across users.

However, as with any risk-based system operating in a live competitive environment, false positives may occur. Automated outputs (including flags, integrity scores, or restriction triggers) are signals — not conclusions. Where appropriate, contextual assessment, human review, escalation workflows, or additional verification steps may be applied before final enforcement decisions are made.

Checkmate Live operates as a private platform. Subject to applicable non-excludable rights under mandatory law, we reserve the right to determine — acting reasonably and based on available evidence — whether continued access to the Platform, specific tournament formats, prize eligibility, or supervised modes will be provided. Participation in competitive formats is conditional on compliance with our Terms of Service, FairPlay Policy, and tournament rules.

5.6 Protection of Fair Play Evidence and Detection Systems

To protect competitive integrity, we do not disclose sensitive detection methodologies, model parameters, thresholds, internal rule triggers, correlation logic, proprietary signals, or investigative techniques.

Where users request information about an integrity decision, we may provide high-level reasons or categories of factors considered (for example, gameplay analysis, device correlation, supervision findings, or rule-based eligibility checks). However, we will not provide detailed technical evidence where disclosure would reasonably risk:

• circumvention of anti-cheat systems

• reverse engineering of detection logic

• interference with ongoing investigations

• exposure of confidential commercial information

• harm to the rights and safety of other users

Nothing in this section limits any mandatory transparency rights under applicable law. However, users acknowledge that full disclosure of detection systems would undermine Fair Play protections and the integrity of competitive events.

5.7 Automated Decision-Making and Integrity Systems

We use automated systems, rule-based engines, and behavioural analytics to support tournament eligibility validation, Fair Play enforcement, fraud detection, AML/CTF screening, tax transparency obligations (including CARF where applicable), account security, and integrity risk management.

Certain operational decisions (such as eligibility validation, format restrictions, step-up verification triggers, and temporary safeguards) may be applied automatically where real-time enforcement is necessary to operate an online competitive platform.

Where a decision may have a material adverse effect (for example, permanent suspension, prize forfeiture, or long-term competitive ineligibility), the decision is not based solely on automated processing and may include contextual assessment and human review, except where immediate automated action is reasonably necessary to protect platform integrity, security, or comply with law.

Further detail regarding our automated decision-making framework, including categories of data used and the general logic involved, is available in our separate Automated Decision-Making & Integrity Systems Disclosure document, which forms part of our broader governance framework.

6. International Transfers

6.1 Global Compliance Posture

Checkmate Live is established in Australia. Depending on where you live and how we offer services to you, additional laws (including GDPR/UK GDPR or other local privacy laws) may apply to specific processing activities.

We apply strong baseline privacy protections globally and layer mandatory local requirements where legally triggered.

Personal information may be processed or stored in Australia, the United Arab Emirates (including Abu Dhabi Global Market), Singapore, the United States, and certain European Economic Area member states, as well as other jurisdictions where our cloud infrastructure or service providers operate from time to time. A current list of key service providers and their locations is published in our Data Recipients and Service Providers document.

In supervised or federation‑aligned events, authorised arbiters, officials, and integrity personnel may access event data from other jurisdictions (for example, where an arbiter is located overseas or operating across time zones). Cross-border processing occurs for purposes including hosting, security operations, identity verification, payment processing, fraud detection, integrity enforcement, and regulatory compliance.

We implement technical, organisational, and contractual safeguards appropriate to the risk profile of the processing, including access controls, encryption, audit logging, and (where required) Standard Contractual Clauses or equivalent safeguards.

• We take reasonable steps to ensure overseas recipients do not breach the Australian Privacy Principles.

• Where GDPR or UK GDPR applies and data is transferred from the EU/EEA or UK to countries not recognised as providing an adequate level of data protection, we use Standard Contractual Clauses (SCCs) and, where appropriate, supplementary technical and organisational measures to protect the transferred data.

Remote access across borders (arbiters and integrity personnel). In supervised or federation-aligned events, authorised arbiters, officials, and integrity personnel may access event data (including supervision recordings, gameplay telemetry, and integrity case files) from their own jurisdictions as part of the event and integrity review model. This is an inherent feature of operating cross-border supervised competitions and is subject to the safeguards described in this section and in §4.3 Supervised Event Data.

Public blockchains. Blockchain transactions recorded on public distributed ledgers are publicly visible and outside our control. Recording wallet addresses or transaction hashes on-chain is not a "transfer" or "disclosure" we can restrict, recall, or erase. For further detail on blockchain erasure limitations, see §4.4 Payments & Financial Data.

Where you can learn more. A current list of key service providers, their processing roles, and the countries from which they operate is published in our Data Recipients and Service Providers document. You may request a copy of the Standard Contractual Clauses we use (redacted for commercial confidentiality where necessary) by contacting our Privacy Officer (§14 Contact).

6.2 Integrity / Fair Play Essential Processing

Certain processing is essential to platform integrity and may continue where legally permitted even if a user objects, including processing necessary to:

• detect and prevent cheating and engine use

• detect multi-accounting and ban evasion

• prevent fraud and abuse

• enforce tournament and federation rules

6.3 Intercompany Data Governance

Where data is shared between affiliated entities for operational, legal, compliance, or integrity purposes, such transfers are governed by an Intercompany Data Protection Agreement incorporating appropriate safeguards (including SCCs where required).

Unless otherwise stated, Checkmate Live Pty Ltd remains the primary contact point.

We may share relevant information within our corporate group and with our professional advisers where reasonably necessary to investigate, prevent, or respond to cheating, fraud, cyber abuse, or other harmful or unlawful activity, and to establish, exercise, or defend legal claims.

7. Data Retention

7.1 Retention Schedule

7.2 Fair Play Rulings — Ongoing Effect

For clarity, Fair Play rulings, sanctions, competitive findings, disqualifications, and related integrity determinations are not extinguished by the passage of time, account closure, withdrawal from the Platform, settlement of prizes, or subsequent reinstatement unless expressly revoked in writing by Checkmate Live or a competent authority.

We may retain, rely on, reference, and publish (where applicable under our Terms and tournament rules) prior integrity findings for purposes including ban‑evasion detection, federation coordination, eligibility assessment, repeat‑offender analysis, risk monitoring, dispute resolution, regulatory compliance, and legal enforcement. Nothing in this Policy creates a right to automatic expungement of integrity rulings.

7.3 Evidence Preservation and Legal Hold

Where we reasonably suspect cheating, fraud, tournament interference, unauthorised access, cyber abuse, or other misconduct that may give rise to enforcement action or legal proceedings, we may preserve relevant records (including logs, identifiers, supervision footage, screen share recordings, chat/VOIP artefacts, and integrity case files) for longer than standard retention periods. This may occur under a legal hold, litigation hold, investigation hold, or equivalent preservation process.

No adverse inference from continued access. Where a user is permitted to continue accessing the Platform temporarily while monitoring, investigation, or evidence collection occurs, that does not constitute clearance, waiver, or acceptance of conduct, and does not limit our rights to take later action consistent with our Terms, tournament rules, or applicable law.

8. Public Profiles, Official Records, and Integrity Disclosures

Certain information may be visible to other users or the public as part of operating competitive play and publishing official results.

8.1 Public and Competitive Information

Depending on your settings and the formats you enter, we may publish or display:

• username / alias

• country (or region)

• tournament participation and results

• ratings, performance statistics, and match history

• federation identifiers (where required for eligibility or official recordkeeping)

• sanctions or disqualifications in official records where required to maintain integrity

Official results, placements, and prize or reward determinations form part of the Platform's historical competitive record and may be retained and referenced indefinitely for integrity, audit, legal, federation, and archival purposes. Account closure or deletion does not require removal or alteration of official competitive records.

8.2 Identity-Transparent Formats (Real Name Publication)

Some formats are identity-transparent by design.

• Echess tournaments require real-name publication for participation, official results, and (where applicable) Fair Play rulings, in accordance with federation and event requirements.

• Pro tournaments may require real-name publication where identity transparency is a stated condition of entry and is reasonably required for Fair Play, broadcast transparency, federation requirements, or administration of the competition (including official results and rulings).

You may withdraw from an identity-transparent format prior to participation. However, official results and formally recorded competitive records cannot usually be retroactively anonymised once participation has occurred and results have been recorded or published.

For Echess and other federation-aligned formats, participant data (including verified identity details and relevant competitive records) may be shared with the relevant federation or governing body as part of eligibility checks, official rating integration, and integrity oversight. Checkmate Live acts as the event host and platform operator. Where events are co-sanctioned or federation-aligned, both Checkmate Live and the relevant federation may retain official records in accordance with their respective governance and integrity obligations.

8.3 Live Streams, Replays, and Broadcast Surfaces

Where an event uses supervised mode, live webcam feeds and related match broadcasts may be visible to other users on the Platform (for example, spectators, viewers, and authorised event participants) and may be featured in replays, highlights, and official event archives.

Depending on the event rules and production settings, content may also be distributed via third‑party broadcast and social platforms (for example, embedded players, clips, or official channels) as part of event coverage and promotion.

8.4 Integrity, Safety, and Compliance Disclosures

We may disclose relevant information (including identity data where necessary) to tournament officials, federation partners, integrity bodies, regulators, law enforcement, cyber security authorities, and professional advisers where we reasonably consider it necessary to:

• maintain competitive integrity and enforce event rules

• investigate or prevent cheating, collusion, fraud, account compromise, or cyber abuse

• protect players, staff, and the public

• comply with legal or regulatory obligations (including AML/CTF, tax reporting, and Online Safety obligations)

• establish, exercise, or defend legal claims

Where lawful and reasonably necessary to preserve investigation integrity, prevent harm, or comply with legal constraints (including restrictions on "tipping off"), we may delay or withhold notice to affected users.

8.5 Where the Enforcement Rules Live

This Privacy Policy explains how we process data. The binding rules for:

• tournament participation conditions (including identity transparency)

• sanctions, disqualifications, prize reversals and forfeiture

• publication of integrity outcomes

• Fair Play meeting obligations and consequences

• procedural fairness / review settings and limits

• remedies, relief, and liability settings

sit in (and are governed by) our Terms of Service, Tournament and Prize Terms, FairPlay Policy, Community Code of Conduct, and Security / Acceptable Use Policy.

If there is any inconsistency, mandatory law prevails. Otherwise, the Terms of Service governs the contractual relationship.

9. Security Measures

We take the protection of your personal information seriously. Access to sensitive data is restricted, monitored, and role‑based, and we design our systems to minimise exposure while maintaining competitive integrity, regulatory compliance, and platform security.

We implement encryption in transit and at rest, access controls, audit logging, pseudonymisation, and incident response procedures.

9.1 Access Controls and Data Segregation

Access to personal information is strictly controlled and permission‑based.

• Personal data access is role‑based and limited to authorised personnel who require access for legitimate operational, compliance, security, integrity, or legal purposes.

• Sensitive Personal Information (including identity verification outcomes, compliance flags, and financial metadata) is logically segregated and access‑restricted within our systems.

• Access to high‑level Fair Play, integrity investigation files, and supervision materials (including Arbiter Mode recordings) is restricted to designated Checkmate Live staff and authorised arbiters who require the information for Fair Play, event administration, dispute resolution, federation compliance, regulatory compliance, or enforcement purposes.

• Identity documents, biometric imagery, and liveness verification data are stored and processed by our authorised third‑party KYC providers. Checkmate Live does not ordinarily store raw identity documents or standalone biometric templates.

• Credit card and full cardholder data are stored and processed exclusively by our authorised payment provider (for example, Stripe) in accordance with PCI‑DSS and related security obligations. We receive only limited transaction confirmation data necessary to operate subscriptions and financial records.

• Financial, identity, integrity, and communications systems are subject to access logging, monitoring, and internal audit controls.

We apply the principle of least privilege and restrict access to Personal Information to those who need it for defined, legitimate purposes. Unauthorised access, misuse, or disclosure is prohibited and subject to disciplinary and legal consequences.

10. Personal Data Breaches

Where required by applicable law, we will notify relevant authorities and affected individuals without undue delay following a qualifying personal data breach.

For Australian users, this includes compliance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth), including notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals where an eligible data breach has occurred.

11. Your Rights

11.1 GDPR / EU Users

Where GDPR applies, you may have the following rights:

• Right to be informed (Arts 13–14)

• Right of access (Art 15)

• Right to rectification (Art 16)

• Right to erasure (Art 17)

• Right to restriction (Art 18)

• Right to data portability (Art 20)

• Right to object (Art 21)

• Right not to be subject to solely automated decisions (Art 22)

• Right to lodge a complaint (Art 77)

• Right to withdraw consent (Art 7(3))

For information about the categories of automated decisions we make and how to raise concerns about automated processing, please refer to our Automated Decision-Making & Integrity Systems Disclosure.

Where we rely on legitimate interests as a legal basis for processing under GDPR, we have assessed that our interests in protecting competitive integrity, platform security, fraud prevention, regulatory compliance, and enforcement are not overridden by the rights and freedoms of affected individuals, taking into account the nature of the data processed and the safeguards we apply.

11.2 Australian Users — Complaints

Australian users may lodge complaints with the Office of the Australian Information Commissioner (OAIC).

11.3 Response Timeframes

We aim to acknowledge privacy-related requests and complaints within 10 business days.

We aim to provide a substantive response within 30 days where reasonably practicable. Complex matters (including requests involving large volumes of data, multiple systems, third‑party processors, identity verification steps, or legal/integrity holds) may require additional time. Where we need more time, we may extend our response period and will notify you of the extension and the reasons for it where we are permitted to do so.

Where GDPR (or UK GDPR) applies, we generally respond within one month of receiving a verified request, and may extend by up to two further months where the request is complex or numerous, consistent with applicable law.

11.4 Access and Correction Rights (APPs 12 and 13)

Under the Australian Privacy Principles (APPs 12 and 13), you have the right to request access to the personal information we hold about you and to request correction of any information that is inaccurate, out of date, incomplete, irrelevant, or misleading.

To make a request for access or correction, please contact our Privacy Officer using the details provided in §14 Contact.

11.5 Verification of Requests

To protect your privacy and security, we may need to verify your identity before responding to access, correction, deletion, or portability requests. Verification may include confirming account control (for example, by requiring you to sign in, confirm an email, or provide account and transaction details). We may decline, defer, or limit a request where we cannot reasonably verify identity, where the request would adversely affect the rights and freedoms of others, where the request is manifestly unfounded or excessive, or where retention or restricted handling is reasonably required for security, integrity enforcement, dispute resolution, regulatory compliance, or legal claims.

Privacy and data protection requests should ordinarily be submitted via our in‑platform chat system. Where a request is submitted through in‑platform chat, we may continue correspondence within that channel unless you reasonably request an alternative communication method. For security reasons, we may decline to process privacy requests received through unofficial social media channels or unverified email addresses.

Where permitted by law, we may defer, limit, or refuse access, deletion, rectification, restriction, objection, or portability requests to the extent necessary to avoid prejudicing Fair Play, fraud, cyber security, AML/CTF, tax reporting (including CARF where applicable), or regulatory investigations; to protect confidential detection methods, threat intelligence, and privileged material; to preserve evidence and legal holds; or to comply with lawful directions from competent authorities.

12. Disclosures and Sharing

12.1 No Sale of Personal Information

We do not sell personal information to third parties. We may share personal information with service providers, integrity bodies, federations, regulators, and law enforcement as described in this Policy, but we do not trade or sell user data for commercial advertising purposes.

12.2 Disclosures for Safety, Integrity, and Legal Processes

We may disclose personal information where we reasonably believe it is necessary to:

• comply with law, regulation, court order, lawful request, or applicable reporting obligation

• prevent, detect, investigate, mitigate, or respond to cheating, multi-accounting, collusion, tournament interference, fraud, cyber abuse, account compromise, DDoS/traffic flooding, malware, phishing, exploitation attempts, security incidents, or other harmful or unlawful activity

• coordinate incident response, vulnerability management, threat intelligence sharing, and defensive actions with relevant third parties

• protect the rights, property, and safety of Checkmate Live, our users, federations, integrity partners, service providers, and the public

• establish, exercise, or defend legal claims

• detect, evidence, refer, and pursue remedies in relation to tournament interference, unauthorised access, prize/payment-related misconduct, or other activity that harms the Platform or its stakeholders, including by issuing sanctions, seeking civil remedies, and making reports to relevant stakeholders or competent authorities

12.3 Tracing, Attribution, and Recovery (Cyber and Fraud)

Where we reasonably suspect cheating, fraud, account compromise, cyber abuse, or other unlawful or harmful activity, we may take steps to trace, attribute, contain, and remediate the activity. This may include correlating account data, device and network identifiers, security fingerprints, integrity indicators, and infrastructure logs; performing forensic analysis; and using threat intelligence sources.

We may disclose relevant identifiers, logs, indicators, and supporting evidence to third parties where reasonably necessary to trace or disrupt malicious activity, mitigate DDoS/availability attacks, recover accounts or assets, or pursue enforcement. This may include disclosures to ISPs and network operators, DDoS mitigation and scrubbing providers, registrars and domain operators, hosting providers and CDNs, app stores and platform operators, payment and financial services, fraud and identity providers, and incident response partners.

We may also request information from third parties (including ISPs, DDoS mitigation/scrubbing providers, registrars, hosting providers, CDNs, platform operators, identity/fraud vendors, and payment or financial service providers) where we reasonably consider it necessary to investigate or prevent cheating, fraud, cyber abuse, account compromise, unauthorised access, DDoS/availability attacks, tournament interference, prize or payment-related misconduct, or other harmful or unlawful activity affecting the Platform or its stakeholders. Such requests may be made where we hold a reasonable suspicion or reasonable grounds to believe misconduct or a security risk may be present. Any request is made lawfully, in good faith, on reasonable grounds, and limited to what is reasonably necessary for the relevant purpose. Third parties may decline or may disclose information only where they are permitted or required to do so (for example, under their policies, applicable law, contractual rights, or compulsory legal process).

Civil process and pre-action steps. Where reasonably necessary to protect the Platform or recover losses, we may pursue lawful civil processes to identify responsible persons and preserve evidence, including pre-action discovery or equivalent mechanisms, subpoenas, and court orders.

Cheat developer and facilitator targeting. We may use collected signals and evidence to identify and pursue claims not only against end-user accounts, but also against operators, sellers, distributors, promoters, or facilitators of cheating, automation, or interference services, to the extent permitted by law.

Where necessary, we may seek lawful assistance, compulsory process, court orders, or other legal mechanisms (including pre‑action discovery or equivalent processes) to identify responsible persons, preserve evidence, and enforce our rights.

12.4 Cyber Security Reporting and Threat Intelligence Sharing

We may disclose information (including user identifiers, device and network indicators, relevant logs, and supporting evidence) to local and international cyber security and fraud reporting bodies, incident response coordinators, and threat intelligence networks where we reasonably consider it necessary to prevent or respond to cyber threats or unlawful activity. This may include disclosures to:

• national or sectoral cyber security authorities and reporting channels (for example, CERT/CSIRT functions, cybercrime reporting portals, the Australian Cyber Security Centre (https://www.cyber.gov.au/), and relevant Abu Dhabi cyber security units)

• integrity and fraud reporting bodies, tournament and federation integrity units, and sports/esports integrity organisations

• law enforcement and international cooperation bodies

• security vendors and service providers supporting incident response, abuse mitigation, and infrastructure protection

• registrars, hosting providers, platforms, and payment/financial service providers where needed to disrupt malicious infrastructure or prevent fraud

• coordinated vulnerability disclosure programs or coordinators where responsible disclosure is appropriate

Where practical and appropriate, we seek to share information in a proportionate way (for example, using hashes, pseudonymised identifiers, or indicator-only formats) and limit sharing to what is reasonably necessary for security, integrity, and compliance purposes.

In connection with Fair Play, integrity, fraud, or security investigations, we may disclose the identity of a user and relevant supporting evidence (including account data, integrity indicators, investigation records, supervision materials, and related communications) to federations, integrity bodies, law enforcement agencies, courts, regulators, and other competent authorities where reasonably necessary and permitted by applicable law. Such disclosures may occur to protect competitive integrity, enforce tournament or federation rules, prevent harm, or comply with legal or regulatory obligations.

Disclosures may occur without prior user notification where lawful and reasonably necessary to preserve the integrity of an investigation relating to cheating, financial fraud, behavioural misconduct, online safety risks, or breaches of our Terms of Service.

To avoid compromising an investigation, enabling evasion, or where notification is restricted by law (including restrictions commonly referred to as "tipping off"), we may not be able to notify users about certain monitoring, verification steps, information requests, disclosures, or enforcement cooperation at the time they occur.

12.5 Marketing Communications

Where permitted by applicable law, we may send service-related communications (for example, account notices, integrity updates, subscription confirmations, and security alerts) on a contractual or legitimate interest basis.

Marketing communications (including promotional offers, newsletters, and product updates) are sent only where:

• you have provided consent where required by law (including under the Spam Act 2003 (Cth) or applicable international law); or

• another lawful basis applies.

All marketing communications include an unsubscribe mechanism. You may opt out at any time using the unsubscribe link or by contacting us. Opting out of marketing communications does not affect service or compliance-related communications.

13. Changes to This Policy

We may update this Policy from time to time. Where we make material changes, we will notify you by publishing an updated version on our website, updating the "Last Updated" date, and where reasonably practicable providing notice via in-platform notification or email. Continued use of the Platform after publication of an updated Policy constitutes acknowledgement of the changes. We encourage you to review this Policy periodically.

14. Contact

Privacy Officer Checkmate Live Pty Ltd 81-83 Campbell St, Surry Hills NSW 2010 Australia

Primary Contact Method: We use secure in‑platform chat as our primary method of communication with users. Privacy requests, access requests, correction requests, deletion requests, and related data protection enquiries should be submitted via the official Checkmate Live in‑platform chat interface.

Requests submitted via in‑platform chat are logged, timestamped, and securely retained for compliance and audit purposes.

Alternative Contact Method: [email protected]

Checkmate Live is committed to maintaining a secure, fair, and privacy-conscious competitive environment.

15. Related Documents and Navigation

To keep this Privacy Policy clear and easy to read, some supporting materials are published as separate documents.

You may also wish to review:

• Data Recipients and Service Providers (2026 Edition) This document lists the main third‑party providers we use (such as cloud hosting, payment processing, analytics, communications tools, and verification services) and explains how they help us operate the Platform.

• Contractual & Enforcement Allocation Framework This document explains where specific rules live across our Terms of Service, Tournament and Prize Terms, FairPlay Policy, Code of Conduct, and Security / Acceptable Use Policy.

Together, these documents form part of the overall Checkmate Live governance framework. They are published separately to make navigation simpler and to keep version updates transparent.