Privacy Policy
Last updated: 31 May 2026
1. Who We Are
Chess Explain ("we", "us", "our") is the data controller for personal data collected through the Service.
To contact the data controller for privacy enquiries or data subject requests, email info@chessexplain.com or use the contact form on this website.
2. Data We Collect
| Category | Data | Source |
| --- | --- | --- |
| Account data | Email address, username, bcrypt-hashed password | You provide at registration |
| Usage / rate-limiting | IP address, API endpoint called, timestamp | Automatically collected on each request |
| Game data | Chess games and PGN files you save to your collection, move annotations, AI commentary you store | You provide by using the Service |
| Payment data | Stripe customer ID and subscription ID (no card numbers; those are held by Stripe) | Generated when you subscribe |
| Session data | A JWT auth token stored in an HttpOnly cookie | Set by the server on login |
| Contact form submissions | Name, email address, subject, and message text | You provide when sending us a message |
Apart from the name you enter in the contact form, we do not collect names, phone numbers, postal addresses, or any sensitive special-category data.
3. How We Use Your Data
- Account data — to authenticate you, display your username, and manage your plan.
- IP address / API calls — to enforce free-tier monthly limits, protect against abuse, and monitor service costs.
- Game data — to display your saved collection and send chess positions to Google Gemini for analysis.
- Stripe IDs — to link your account to a Stripe subscription and allow you to manage billing.
- Contact form data — to respond to your message. We retain contact submissions for up to 12 months, then delete them.
We do not use your data for advertising, profiling, or sale to third parties. We do not send marketing emails.
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area, our legal bases are:
- Contract performance (Art. 6(1)(b)) — processing your account data and game data to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — logging IP addresses and API calls for rate-limiting, abuse prevention, and cost management. These interests do not override your fundamental rights.
- Legal obligation (Art. 6(1)(c)) — retaining financial records to comply with applicable tax and accounting law.
5. Third-Party Data Processors
We share data with the following processors under contractual data protection terms:
- Hetzner Online GmbH — provides the server infrastructure on which Chess Explain runs. All data stored on the Service is held on and passes through their infrastructure. See Hetzner Privacy Policy.
- Google LLC (Gemini API) — chess position data and commentary requests are sent to Google's servers for AI processing. Google acts as a data processor under its Data Processing Addendum. See Google Privacy Policy.
- Stripe, Inc. — handles all payment card processing. Stripe is an independent data controller for payment data. See Stripe Privacy Policy.
- Resend, Inc. — sends transactional emails (email verification, password resets) on our behalf. Your email address is transmitted to Resend solely for this purpose. See Resend Privacy Policy.
- Lichess.org — when you import games from Lichess, the Lichess username you provide is sent to the Lichess public API. No account credentials are shared. See Lichess Privacy Policy.
No other third parties receive your personal data.
6. Data Retention
- Account data — retained until you delete your account.
- IP address / API call logs — retained for up to 90 days for rate-limiting and abuse prevention, then automatically deleted.
- Operational cost logs — anonymised token-usage and cost data (used to monitor service costs) may be retained for up to 12 months.
- Game data — retained until you delete your account or manually remove games from your collection.
- Stripe IDs — retained while an active or historical billing relationship exists, and for up to 7 years thereafter to comply with financial record-keeping obligations.
7. Your Rights
Under the GDPR and equivalent laws you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data (e.g., username change).
- Erasure — delete your account and all associated data via Settings → Security → Delete Account, or by contacting us.
- Restriction — ask us to limit processing while a dispute is resolved.
- Data portability — receive your game collection in a machine-readable format (PGN export is available in the app).
- Object — object to processing based on legitimate interests.
- Lodge a complaint — with your local supervisory authority (e.g., your national data protection authority).
To exercise any right, contact us via the contact form on this website. We will respond within 30 days.
8. Cookies and Local Storage
Cookie — we set one browser cookie:
| Name | Purpose | Type | Duration |
| --- | --- | --- | --- |
| cc_token | Keeps you logged in by storing a signed JWT authentication token | Strictly necessary; HttpOnly, Secure, SameSite=Lax | 30 days |
This cookie is strictly necessary for the Service to function. No marketing, analytics, or tracking cookies are used. Because this cookie is essential, no consent banner is displayed.
Local storage — the Service also stores the following data in your browser's localStorage. This data never leaves your device and is used solely to restore your preferences between visits:
| Key | Purpose |
| --- | --- |
| theme | Dark / light mode preference |
| boardSettings | Board colour and piece-set preferences |
| gameplaySettings | Play-mode settings (time control, skill level, etc.) |
| chess-coach-collection | Local copy of unsaved games (cleared when you log out) |
| stockfish-lines-open, ann-toolbar-open | UI panel open/closed state |
All local-storage entries are functional and strictly necessary to provide the Service. You can clear them at any time by clearing your browser's site data.
9. Data Security
We take the following security measures:
- Passwords are hashed with bcrypt (cost factor 12) and never stored in plain text.
- Authentication cookies are HttpOnly (page scripts cannot read the token, which limits what a cross-site scripting flaw could steal), Secure (sent only over HTTPS), and SameSite=Lax (which blocks the cookie from being sent on most cross-site requests, reducing CSRF risk).
- Security headers (Content-Security-Policy, X-Frame-Options, etc.) are applied to all responses.
- Rate limiting is applied to authentication and analysis endpoints.
- Source code, databases, and logs are not exposed via the web server.
No security measure is 100% guaranteed. In the event of a data breach affecting your rights, we will notify you as required by law.
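As an illustration of what the session-cookie measures above mean in practice (this is an added example, not Chess Explain's own code; the key, user IDs, and claim layout are assumptions), the following mints a signed HS256 JWT with a 30-day expiry, wraps it in a Set-Cookie value carrying HttpOnly, Secure and SameSite=Lax, and verifies a presented token by checking its signature and expiry before trusting any claim:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example; a real deployment loads its key from secret storage.
SECRET_KEY = b"example-only-secret-do-not-reuse"
COOKIE_NAME = "cc_token"
COOKIE_MAX_AGE = 30 * 24 * 3600  # 30 days, the cookie lifetime stated in the policy


def _b64url(data: bytes) -> str:
    """Unpadded base64url, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(user_id: str, now: int, key: bytes = SECRET_KEY) -> str:
    """Mint an HS256 JWT whose exp claim matches the cookie's Max-Age."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + COOKIE_MAX_AGE}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: int, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256-signed with `key`,
    and not yet expired; otherwise return None. The algorithm is pinned so a
    token that names a different `alg` (e.g. "none") is rejected outright."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # bad base64, bad JSON, or wrong number of segments
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie value with the attributes the policy lists."""
    return (
        f"{COOKIE_NAME}={token}; Max-Age={COOKIE_MAX_AGE}; Path=/; "
        "HttpOnly; Secure; SameSite=Lax"
    )


def cookie_attributes_ok(set_cookie: str) -> bool:
    """Check that a Set-Cookie value carries HttpOnly, Secure and SameSite=Lax,
    so a deployment can assert the attributes rather than assume them."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return {"httponly", "secure", "samesite=lax"} <= attrs


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    token = mint_jwt("user-42", now)
    print(session_cookie_header(token))
    print("valid now:", verify_jwt(token, now + 60) is not None)
    print("valid after 30 days:", verify_jwt(token, now + COOKIE_MAX_AGE) is not None)
```

The verifier pins the algorithm and compares signatures in constant time; the cookie attributes keep the token out of reach of page scripts and off plain-HTTP and most cross-site requests. Note that HttpOnly does not stop a script injected by an XSS flaw from making requests with the cookie attached, which is why the policy's CSP header and rate limiting still matter.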
10. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
11. International Data Transfers
Chess Explain is hosted in the EU/EEA. Where your data is processed by third parties outside the EEA (e.g., Google and Stripe in the US), those transfers rely on an adequacy decision under GDPR Art. 45 where one applies, or otherwise on Standard Contractual Clauses under GDPR Art. 46.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. For material changes we will notify registered users by email or an in-app notice.
13. Contact
For privacy enquiries, data subject requests, or to report a concern, email info@chessexplain.com or use the contact form on this website.