Privacy Policy

Effective Date: [FILL IN BEFORE PUBLISHING]
Last Updated: [FILL IN BEFORE PUBLISHING]

Coachess respects your privacy and is committed to handling your personal data with care. This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have over it under the EU General Data Protection Regulation (GDPR) and other applicable laws.

This Policy is part of our Terms of Service. Words defined in the Terms have the same meaning here.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

Coachess SRL
A Romanian limited liability company (societate cu răspundere limitată)
Registered office: [FILL IN REGISTERED ADDRESS]
Trade Registry number: [FILL IN J40/... NUMBER]
Tax identification code (CUI): [FILL IN CUI]
Email: privacy@coachess.org

If you have any questions about this Policy, how we use your data, or how to exercise your rights, please contact us at the email above.

2. What Data We Collect

We collect only the data we need to run the Service. Specifically:

2.1 Account Data

When you sign in with Google, we receive and store:

  • Your email address
  • Your name (as provided by Google)
  • Your Google profile picture URL
  • An internal user ID we generate to identify your Account in our database
  • Account creation and last-update timestamps
  • Your subscription tier (“free” or “pro”)

We do not ask for or store your Google password. We do not access any Google service other than the basic profile endpoint required for sign-in.

2.2 Authentication Data

To keep you signed in between visits, we store:

  • OAuth tokens returned by Google (access token, refresh token, scopes, expiry) — stored server-side, encrypted at rest
  • A session token in a secure, HTTP-only cookie on your browser. This cookie is strictly necessary for the Service to function.

2.3 Learning and Progress Data

As you use the Service, we store data about your chess learning, so that we can track your progress, resume lessons where you left off, and adapt training to your level. This includes:

  • Which lessons you have started, your current step in each lesson, completion status, and mistake counts
  • Rating test attempts and scores
  • Board-vision training results
  • Spaced-repetition training card state (difficulty, next review date)
  • Daily and weekly training session logs

2.4 Imported Chess Games

If you use the Game Diagnosis feature, you explicitly ask us to retrieve your public games from a third-party platform (currently Lichess and Chess.com). For each imported game we store:

  • The full PGN (moves and annotations)
  • Player handles, ratings, and result
  • Time class and time control
  • Opening ECO code and name
  • The date the game was played
  • Per-move evaluations generated by the Stockfish chess engine on our servers
  • Derived metrics such as opening / middlegame / endgame accuracy

Only games where you are one of the two players are imported. Games are linked to your Account and are visible only to you.

2.5 Diagnostic Reports

From your imported games we generate a diagnostic report that includes pattern findings (e.g. “thrown winning positions,” “weak openings,” endgame vs. opening accuracy). Reports contain text summaries, linked lesson recommendations, and references to specific positions in your games.

2.6 Payment Data (Future)

When we launch the PRO subscription, payments will be processed by Stripe, Inc. Coachess does not receive, handle, or store your payment card number, CVC, or bank account details. Stripe provides us with:

  • A Stripe customer ID linked to your Coachess Account
  • Subscription status, billing interval, and next billing date
  • Transaction history sufficient for invoicing and refunds
  • The billing country you provided at checkout (for VAT purposes)

Stripe is an independent data controller for the card details you provide on its payment form. Stripe's privacy policy is at stripe.com/privacy.

2.7 Technical Data and Server Logs

Our servers automatically receive certain technical information when you use the Service:

  • IP address of the incoming request (for security and abuse prevention)
  • Browser user-agent string
  • The page or API endpoint you requested and the timestamp
  • HTTP response status and error details, if any

This information is kept in short-lived server logs for operational and security purposes. We do not build behavioral profiles from it and we do not sell it.

2.8 Analytics

We use a self-hosted installation of Umami, a privacy-friendly web analytics tool, to understand aggregate usage of the Service (page views, referrers, device type). Umami as we run it is cookieless and does not use fingerprinting. It does not collect personal data such as name or email. Analytics data is not shared with any third party.

2.9 Coach Chat (Future)

We plan to offer an AI-powered chat with the “Boris” coach character using a large language model from Anthropic, PBC. When that feature ships, messages you send to Boris will be transmitted to Anthropic's API to generate a response. See Section 4 for third-party disclosures.

3. Why We Collect Your Data (Legal Basis)

Under the GDPR we must have a lawful basis for processing your personal data. The basis depends on the purpose:

  • Performance of a contract (Article 6(1)(b) GDPR) — for Account creation, authentication, lesson progress tracking, rating tests, training sessions, and (when PRO launches) Subscription billing and delivery. We need this data to provide the Service you signed up for.
  • Consent (Article 6(1)(a) GDPR) — for game imports from Lichess and Chess.com. You explicitly trigger the import by entering your platform username. You can withdraw consent at any time by deleting your imported games (see Section 6).
  • Legitimate interests (Article 6(1)(f) GDPR) — for security logging, abuse prevention, fraud detection, and aggregated cookieless analytics. We assess that these interests do not override your fundamental rights and freedoms because the data is minimal, short-lived, and not used to profile individuals.
  • Legal obligation (Article 6(1)(c) GDPR) — for invoicing, accounting, and tax reporting records we are required by Romanian and EU law to retain.

4. Who We Share Your Data With

We do not sell your personal data. We share data only with the following categories of recipients, and only to the extent necessary for the purposes described:

  • Google LLC (United States) — provides the Sign-In with Google flow. You authenticate directly with Google; Google returns your profile data to us. Governed by the EU–US Data Privacy Framework.
  • Lichess (France) and Chess.com, LLC (United States) — public APIs from which we retrieve your own games when you ask us to. We only query these with the username you provide.
  • Stripe, Inc. (United States; future) — will process PRO subscription payments when the paid tier launches. Stripe is certified under the EU–US Data Privacy Framework and is itself an independent data controller for card data.
  • Anthropic, PBC (United States; future) — will process messages you send to the Boris coach chat to generate responses. Anthropic offers data processing terms consistent with GDPR.
  • Resend, Inc. (United States) — delivers transactional email (e.g. sign-in notifications, subscription receipts). Resend acts as our data processor.
  • Hosting and infrastructure providers — Coachess is hosted on servers located in the European Union. Our infrastructure, databases, and engine analysis all run on our own servers; user data does not leave our infrastructure except where sent to the specific third parties listed above.
  • Legal and professional advisors — lawyers, accountants, and auditors bound by confidentiality, where disclosure is necessary for legal, accounting, or compliance reasons.
  • Authorities — if we are legally required to disclose data in response to a valid order from a competent court or authority, or where disclosure is necessary to protect the rights, safety, or property of Coachess, our users, or the public.

We do not share your data for advertising, retargeting, or any form of behavioral profiling by third parties.

5. International Transfers

Coachess' servers are located in the European Union. Some third parties we use (notably Google, Stripe, Anthropic, Resend) are based in the United States. When personal data is transferred outside the European Economic Area, we rely on one or more of the following safeguards:

  • The EU–US Data Privacy Framework, where the recipient is certified under it;
  • Standard Contractual Clauses approved by the European Commission;
  • Your explicit consent, where the transfer is triggered by your specific action (e.g. signing in with Google).

You can request a copy of the relevant safeguards by emailing privacy@coachess.org.

6. How Long We Keep Your Data

  • Account data and learning progress — for as long as your Account exists. If you delete your Account, this data is removed within 30 days, except for records we must keep for legal reasons.
  • Imported games and diagnostic reports — until you delete them from your Account or delete your Account. You can request deletion at any time by emailing privacy@coachess.org.
  • Server and security logs — retained for up to 90 days and then automatically purged, unless retained longer for investigation of a specific security incident.
  • Payment and invoicing records — retained for the period required by Romanian and EU accounting and tax law (currently up to 10 years for some records), even if you close your Account.
  • Analytics — aggregated, non-identifying usage data is retained for up to 12 months.

7. Your Rights Under the GDPR

If you are in the European Economic Area, the United Kingdom, or another jurisdiction that grants similar rights, you have the following rights in relation to your personal data:

  • Right of access (Article 15) — obtain confirmation of whether we process your data, and a copy of the data.
  • Right to rectification (Article 16) — have inaccurate or incomplete data corrected.
  • Right to erasure / “right to be forgotten” (Article 17) — have your data deleted in the circumstances set out in the GDPR.
  • Right to restriction of processing (Article 18) — ask us to stop processing your data while a dispute is resolved.
  • Right to data portability (Article 20) — receive the data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller.
  • Right to object (Article 21) — object to processing based on legitimate interests.
  • Right not to be subject to automated decision-making (Article 22) — we do not use your data for any decision that has legal or similarly significant effects on you without human involvement.
  • Right to withdraw consent — where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of processing already carried out.

To exercise any of these rights, email privacy@coachess.org. We will respond within 30 days (extendable by another 60 days for complex requests, in which case we will let you know). We may need to verify your identity before acting on a request, to protect you from impersonation.

You also have the right to lodge a complaint with a supervisory authority. In Romania that is the National Supervisory Authority for Personal Data Processing (ANSPDCP), dataprotection.ro. You may also complain to the supervisory authority of the EU Member State where you live or work.

8. Cookies and Similar Technologies

Coachess uses a minimal set of cookies strictly necessary for the Service to function (session authentication, CSRF protection). We do not use third-party advertising cookies and we do not use cross-site tracking. For details, see our Cookie Notice.

9. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact privacy@coachess.org and we will delete the data.

10. Security

We take the security of your personal data seriously. Our technical and organizational measures include:

  • Encryption in transit (HTTPS / TLS) for all connections to the Service
  • Encryption of secrets and authentication tokens at rest
  • Access controls limiting who in our organization can access personal data
  • Regular software updates and security patches
  • Separation of production and development environments
  • Database backups stored in the European Union

No system can be guaranteed 100% secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by Article 33 GDPR, and we will notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Article 34 GDPR).

11. Automated Decision-Making

The Service uses automated processing to generate chess analysis and training recommendations (for example, Stockfish evaluations and diagnostic findings). This processing does not produce legal or similarly significant effects on you within the meaning of Article 22 GDPR — it is an educational tool you consult voluntarily.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in the Service, in applicable law, or in our data-handling practices. If we make material changes, we will notify you by email and by posting a notice on the Service at least 30 days before the changes take effect, unless the changes are required by law or relate to a new feature. The “Last Updated” date at the top of this page tells you when the Policy was most recently revised.

13. Contact

For any privacy-related question, complaint, or request, contact us at:

Coachess SRL
[FILL IN REGISTERED ADDRESS]
Romania
Email: privacy@coachess.org

“An old saying goes: a secret shared with two is no longer a secret. Here at Coachess, your games stay between you, me, and the chess engine. Engine does not gossip.”

— Boris Shakhmatinskiy, Grandmaster