Section 1
Overview
CipherChess is a chess analysis platform that helps you import, study, and improve your games. We take privacy seriously: most of what we do runs in your browser, and we collect only the information needed to provide and improve the service.
This Privacy Policy explains what information we collect about you, how we use and share it, the choices you have, and the rights you can exercise. It applies to cipherchess.com and the related applications and services operated by us (collectively, the "Service").
Reading the whole document takes about ten minutes. If you only have a moment, the "Overview" box below summarises the key points.
At a glance
- We collect account data (email, profile) and the games and repertoires you choose to save.
- Most analysis runs locally in your browser — your PGNs and PDFs are not uploaded unless you save them.
- We use cookies for authentication and preferences, plus optional analytics that you can turn off.
- We never sell your personal information, and we do not show ads.
- You can access, export, correct, or delete your data at any time. See Your rights & choices.
Section 2
Who we are (Data Controller)
For the purposes of the EU and UK General Data Protection Regulations ("GDPR" and "UK GDPR") and analogous laws elsewhere, the "controller" of your personal information is:
Based in South Africa
You can contact us about anything in this policy — including to exercise your privacy rights — using the details in the Contact us section.
Section 3
Scope of this policy
This policy covers personal information that we collect and process when you:
- visit cipherchess.com or any subdomain we operate;
- create or sign in to a CipherChess account;
- connect a Lichess or Chess.com account to import your games;
- use any feature of the Service, including engine analysis, opening explorer, repertoire builder, PDF book scanner, or game viewer;
- contact us, send feedback, or otherwise communicate with us.
It does not cover personal information processed by independent third parties whose services you choose to connect (such as Lichess, Chess.com, or Google) when you use them outside CipherChess. Those services are governed by their own privacy policies.
Section 4
Information we collect
We collect three broad categories of information.
4.1 Information you give us directly
| Category | Details |
|---|---|
| Account information | Email address and password (the password is hashed by our auth provider; we never see it in clear text). Optional display name and profile metadata you provide on sign-up. |
| Linked-account identifiers | Your Lichess username and access token (when you authorise the OAuth connection), and your Chess.com username (when you enter it for game import). |
| User-generated content | Games, annotations, comments, evaluation arrows, repertoires, opening trees, collections, and tags you create or save inside the Service. |
| Uploaded files | PGN files and PDF chess books you load. PDFs are stored only in your browser (IndexedDB) and are not transmitted to our servers. PGN files are processed in your browser and only persisted server-side if you explicitly save them. |
| Communications | The contents of feedback, bug reports, and support requests, including any attachments, plus your email so we can reply. |
| Preferences | Settings such as board theme, dark mode, opening-book source, sound preferences, and tutorial progress. |
4.2 Information we collect automatically
| Category | Details |
|---|---|
| Log and connection data | IP address, request timestamps, HTTP method and path, response codes, user-agent string. Collected by our hosting and CDN providers as part of normal operation, and used for security, debugging, and abuse prevention. |
| Device and browser data | Browser type and version, operating system, screen size, language, and time zone — used to render the Service correctly and diagnose layout issues. |
| Usage data | The pages and features you interact with inside CipherChess, navigation events, and aggregate timing information. Most product analytics is gated behind your consent (see Cookies). |
| Cookies and local storage | Detailed in the Cookies section below. |
4.3 Information we receive from third parties
| Source | What we receive |
|---|---|
| Lichess | When you connect your Lichess account via OAuth, we receive your username, public profile, and the games you choose to import. We use Lichess's Cloud Eval API to fetch position evaluations; only the chess position (FEN) is sent — no personal identifier. |
| Chess.com | When you enter a Chess.com username, we query Chess.com's public Player API to verify it and to import your public game archives. No password or token is involved; we never see your Chess.com credentials. |
| Authentication providers | If we offer social sign-in (e.g., Google) and you choose to use it, we receive the basic profile fields the provider returns — typically a verified email address and a stable user identifier. |
| Supabase | Our authentication and database provider issues a session token that is stored in your browser; we receive metadata about that session (user ID, sign-in time, etc.) so we can authorise your requests. |
4.4 Information we do not collect
We do not collect government-issued identifiers, payment card details, biometric data, precise GPS location, contacts lists, or special categories of personal data (such as data about race, ethnicity, religion, political opinions, sexual orientation, or health) other than what you may voluntarily include in feedback or user-generated content.
Section 5
How we use information
We use the information described above for the following purposes:
| Purpose | What it involves |
|---|---|
| Provide the Service | Create and authenticate your account; save your games, repertoires, and preferences; import games from connected platforms; render analysis; serve content from our CDN. |
| Maintain the Service | Monitor uptime and performance, debug issues, prevent abuse and fraud, enforce our Terms of Service, and keep the Service secure. |
| Improve the Service | Understand which features people use and where the interface trips them up, prioritise our roadmap, and reduce friction. Most product analytics relies on your consent. |
| Communicate with you | Respond to support requests and feedback; send service-related messages such as password resets and security alerts. We do not currently send marketing emails. |
| Comply with the law | Meet legal obligations, respond to lawful requests from authorities, and exercise or defend legal claims. |
Section 6
Lawful bases for processing (EEA / UK)
If you are in the European Economic Area or the United Kingdom, we rely on the following lawful bases under Article 6 of the GDPR / UK GDPR:
| Lawful basis | When we rely on it |
|---|---|
| Performance of a contract (Art. 6(1)(b)) | Creating and operating your account, providing the features you use, processing your saved games and repertoires. |
| Legitimate interests (Art. 6(1)(f)) | Securing the Service against abuse, fixing bugs, defending legal claims, and basic server-log analysis. We balance these interests against your rights — see Your rights below to object. |
| Consent (Art. 6(1)(a)) | Optional analytics cookies (Google Analytics and Microsoft Clarity), and any future marketing communications. You can withdraw consent at any time without affecting prior processing. |
| Compliance with legal obligation (Art. 6(1)(c)) | Retention of records required by law, and responding to lawful requests from authorities. |
Section 9
Sub-processors and service providers
We engage the following organisations to process personal information on our behalf. Each is bound by a data-processing agreement that requires them to protect your information at least to the standard of this policy.
| Provider | Purpose | Region |
|---|---|---|
| Vercel Inc. | Hosting, edge network, request logs. | United States (global edge) |
| Supabase, Inc. | Authentication, Postgres database, secure file storage for saved games and repertoires. | United States / EU (depending on project region) |
| Google LLC (Google Analytics 4) | Aggregate product analytics, gated by your consent. | United States |
| Microsoft Corporation (Clarity) | Anonymised session replay and heatmaps, gated by your consent. | United States |
| Lichess (Association Lichess) | OAuth login, opening explorer, cloud-eval, game import — only when you initiate. | France |
| Chess.com, LLC | Public game-archive lookups when you provide a username. | United States |
| Puter.com (HeyPuter, Inc.) | Optional cloud engine analysis when you opt in. | United States |
| Cloudflare, Inc. (CDN) | Static asset delivery (e.g., PDF.js library). | Global |
| Google Fonts | Web font delivery. | Global |
Section 10
International data transfers
CipherChess operates globally. The sub-processors listed above are based in several countries, including the United States, France, and others. This means your personal information may be transferred to, stored in, or processed in a country other than the one in which you live.
When we transfer personal information from the EEA, UK, or Switzerland to a country that has not received an adequacy decision from the relevant authority, we rely on appropriate safeguards under Article 46 GDPR / UK GDPR, including:
- Standard Contractual Clauses (the EU SCCs and the UK International Data Transfer Addendum) with our sub-processors;
- where applicable, the EU-U.S. Data Privacy Framework, the UK Extension to the DPF, and the Swiss-U.S. DPF;
- supplementary technical measures such as encryption in transit and at rest.
You can request a copy of the transfer mechanisms in place by contacting us.
Section 11
Data retention
We keep personal information only for as long as we need it to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specifically:
| Data | Typical retention |
|---|---|
| Account record | Until you delete your account; then deleted or anonymised within 30 days, except where law requires longer. |
| Saved games and repertoires | Kept for as long as the account exists, or until you delete them. Deletion is immediate from our database; backups are purged on rotation. |
| Authentication tokens | Refresh tokens rotate; idle sessions expire. You can revoke active sessions at any time. |
| Server logs | Up to 30 days, then deleted or aggregated. |
| Analytics data | Google Analytics: up to 14 months in identifiable form. Microsoft Clarity: up to 13 months. |
| Feedback / support correspondence | Up to 24 months after the issue is closed, then deleted. |
Section 12
How we protect your information
We take reasonable and appropriate technical and organisational measures to protect your information from unauthorised access, alteration, disclosure, and destruction. Those measures include:
- encryption in transit (HTTPS / TLS) for all traffic to and from the Service;
- encryption at rest for the databases that hold your account and content;
- password hashing with industry-standard algorithms (handled by our auth provider);
- token-based session authentication with refresh-token rotation;
- least-privilege access controls for our team and our sub-processors;
- regular dependency updates and security patching;
- logging and monitoring designed to detect abnormal activity.
No system is perfectly secure. If we ever discover a breach affecting your personal information, we will notify you and the relevant supervisory authority in line with applicable law (within 72 hours under GDPR / UK GDPR where the breach is likely to result in a risk to your rights and freedoms).
Section 13
Your rights and choices
Wherever you live, you have meaningful choices about your personal information. The list below applies broadly; jurisdiction-specific rights are detailed in the next sections.
- Access. Request a copy of the personal information we hold about you.
- Correction. Ask us to fix information that is inaccurate or incomplete.
- Deletion. Ask us to delete your account and associated data.
- Portability. Receive a machine-readable export of the data you provided. Saved games can be exported as PGN at any time inside the app.
- Restriction or objection. Ask us to limit or stop certain processing.
- Withdraw consent. Turn off optional analytics any time via the cookie settings.
- Opt out of communications. Use the unsubscribe link in any non-essential email, or contact us.
To exercise any of these rights, email us at the address in the Contact us section. We will reply within 30 days. We may need to verify your identity before acting; we will only ask for the minimum information necessary to do so.
Section 14
Additional rights for EEA and UK residents
If you are in the EEA, the UK, or Switzerland, the GDPR / UK GDPR grants you all of the rights listed above plus the following:
- the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not carry out such processing — see Automated decisions);
- the right to lodge a complaint with your local supervisory authority. You can find the relevant authority at edpb.europa.eu/members (EEA) or ico.org.uk (UK).
We would appreciate the chance to address your concerns first — please contact us before lodging a complaint.
Section 15
California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"), provides you with specific rights regarding your personal information.
15.1 Categories of personal information we collect
In the past 12 months we have collected the following CCPA categories:
- Identifiers — email address, account identifier, IP address, device identifiers.
- Internet or other electronic network activity — browsing history within the Service, interaction information, and information about your interactions with our pages.
- Geolocation data — coarse location inferred from IP address (country / region only).
- Inferences — limited usage-pattern inferences drawn from analytics events.
The sources, purposes, and recipients of each category are described in Sections 4, 5, and 8 above.
15.2 Sale and sharing
We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We have not sold or shared personal information in the previous 12 months.
15.3 Sensitive personal information
We do not collect or use sensitive personal information for purposes that would require a separate notice or opt-out under CPRA Section 1798.121.
15.4 Your CCPA rights
- Right to know what personal information we collect, use, disclose, and share.
- Right to delete personal information we have collected from you, subject to certain exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — not applicable, because we do not sell or share.
- Right to limit use of sensitive personal information — not applicable, see 15.3.
- Right to non-discrimination for exercising your rights.
To exercise any of these rights, email us at the address in Contact us. You may designate an authorised agent to act on your behalf; we will require written authorisation and will verify your identity directly where the law allows.
Section 16
Other jurisdictions
Residents of other regions — including Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act 1988), South Africa (POPIA), Japan (APPI), and similar jurisdictions — have rights broadly equivalent to those described above. If your local law grants you additional rights, you may exercise them by contacting us.
Section 17
Children's privacy
The Service is not directed to children under the age of 13 (or 16 in the EEA and UK), and we do not knowingly collect personal information from them. If you are a parent or guardian and believe a child has provided us with personal information without your consent, please contact us and we will delete the information promptly.
Section 18
Do Not Track and Global Privacy Control
Some browsers transmit a "Do Not Track" (DNT) signal. Because there is no industry standard for how to interpret DNT, we do not currently respond to it.
We do honour the Global Privacy Control (GPC) signal where legally required. If your browser sends a GPC signal, we treat it as a request to opt out of the "sale" or "sharing" of personal information under CCPA — even though we do not sell or share to begin with — and we will not enable optional analytics until you affirmatively choose to.
Section 19
Automated decision-making and profiling
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. The chess engines and analytics tools inside CipherChess operate on chess positions, not on you as a person.
Section 20
Third-party links
The Service may contain links to third-party websites or services (for example, Lichess game pages, Chess.com profiles, GitHub repositories, or Discord). When you follow such a link you leave CipherChess; we are not responsible for the content or privacy practices of the site you arrive at. Read their privacy policies before submitting personal information.
Section 21
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or legal requirements. When we do, we will:
- update the "Last updated" date at the top;
- increment the version number;
- where the change is material, surface it in the cookie banner or by email so you can review it before continuing to use the Service.
Your continued use of the Service after a revised policy takes effect constitutes acceptance of the changes, to the extent permitted by law.
Section 22
Contact us
For any privacy-related question, request, or complaint, please reach out:
- Email: app.cipherchess@gmail.com
- In-app: use the Feedback form
We aim to respond to all requests within 30 days. If you are not satisfied with our response, you may have the right to lodge a complaint with a supervisory authority — see Sections 14 and 15.
Document version 1.0 · April 30, 2026