Privacy
How Chessou collects, uses, and protects your data. Information according to Articles 13 and 14 of the General Data Protection Regulation (GDPR).
Controller
The controller responsible for the processing of personal data on this website is the operator listed in the Imprint. You can reach us via the contact details there.
What we collect
Account data
When you create an account we store your email address, a hashed password (or, if you sign in via Google, a unique identifier from Google), the timestamp of your sign up, and any onboarding preferences you provide such as your selected chess platform and training time budget. We also store activity timestamps such as when you last visited the dashboard and when you were last active, which are used to provide the service and to clean up inactive anonymous accounts.
Linked chess profiles
To analyze your games we store the Lichess or Chess.com username you connect, the time controls you choose to import, and metadata about your import jobs.
Chess data
We fetch your public games from the connected platform and store the PGN of each game, derived analysis results (moves, evaluations, detected patterns), personalized training items (puzzles, reviews, plans), your training history (which puzzles you solved and when), and rating snapshots that let us show your progress over time.
Training and settings
Your daily time budget, spaced repetition intensity, appearance preferences, and your email notification preferences are stored on your account.
Server logs
When you visit Chessou our hosting providers automatically log technical request data such as IP address, user agent, request path, timestamp, and response status. These logs are used for security and debugging and are retained for a short period by the respective provider.
Analytics
We use Umami for usage analytics. Umami is cookieless and does not track you across sites. It records aggregated page views, referrer, browser type, country at country level, and screen size. No personal identifiers and no cross site tracking are involved.
Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Providing the account and training service | Art. 6(1)(b) GDPR (contract performance) |
| Importing and analyzing your games | Art. 6(1)(b) GDPR (contract performance) |
| Sending transactional emails (sign in, password reset, account updates) | Art. 6(1)(b) GDPR (contract performance) |
| Sending optional product or marketing emails | Art. 6(1)(a) GDPR (consent), revocable at any time |
| Server logs and security | Art. 6(1)(f) GDPR (legitimate interest in a secure service) |
| Cookieless usage analytics | Art. 6(1)(f) GDPR (legitimate interest in improving the product) |
Subprocessors
We use the following service providers to operate Chessou. Each acts as a processor under Art. 28 GDPR and a data processing agreement is in place.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database, file storage | Frankfurt, Germany |
| Vercel | Frontend hosting and edge delivery | Frankfurt, Germany (parent company in the USA) |
| Railway | Backend worker and import jobs | Amsterdam, Netherlands |
| Hetzner | Chess engine server | Germany |
| Resend | Transactional and product emails | Ireland (eu-west-1) |
| Paddle | Payment processing and merchant of record (subscription billing, invoices, tax, refunds) | United Kingdom |
| Lichess | Importing your public Lichess games via the public Lichess API | France (Lichess non-profit) |
| Chess.com | Importing your public Chess.com games via the public Chess.com API | USA |
| Umami | Cookieless analytics | Self hosted in the EU |
International data transfers
Some of the providers above are headquartered outside the EU or process data there: in the United States (Vercel parent company, Chess.com) and in the United Kingdom (Paddle). Where a third country transfer occurs, we rely on the relevant EU Commission adequacy decision (the UK adequacy decision, and the EU-US Data Privacy Framework) or on the Standard Contractual Clauses (Art. 46 GDPR) as a safeguard.
How long we keep your data
Account and chess data are kept for as long as your account exists. If you start onboarding but do not convert your anonymous account into a real account, your data is automatically deleted after 1 day by a scheduled cleanup job. When you delete your account, your account data, linked profiles, games, analyses, and derived training items are removed immediately through a cascading database delete. There is no soft delete and no grace period. Server logs are kept by the respective hosting provider for a short period. Aggregated analytics events do not allow your identification and are kept for the lifetime of the project.
Your rights
Under the GDPR you have the following rights regarding your personal data:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent at any time, where processing is based on consent
- Right to lodge a complaint with a data protection supervisory authority
You can exercise these rights directly inside the app (Settings, Privacy section) or by contacting us via the email address listed in the Imprint. For data export, the app provides a self service export of all data we hold about you.
Cookies and local storage
Chessou only uses cookies that are strictly necessary to operate the service, namely the authentication session cookie provided by Supabase. No tracking cookies, no marketing cookies, no third party advertising. Our analytics provider Umami is cookieless and does not set identifiers on your device.
We also store a small number of values in your browser local storage and session storage. These stay on your device and are not sent to external services:
- Onboarding preferences (selected platform, training time budget) so we can continue the flow without asking again.
- A temporary password during the email confirmation step of sign up. This value is single use and is removed automatically within 30 minutes.
- Your appearance preference (light or dark theme).
- A short lived flag that confirms you reached the sign up screen through the regular flow.
Automated decision making
Chessou does not use automated decision making that produces legal effects or similarly significantly affects you within the meaning of Art. 22 GDPR. The training plan recommendations are not legal decisions; they are content suggestions based on patterns detected in your own games.
Changes to this policy
We may update this policy as the product evolves or as legal requirements change. The current version is always available on this page, with the last updated date shown below.
Last updated: June 1, 2026