Chessco

Privacy Policy

Draft v0.1, published . This document is a pre-launch draft made publicly available for review. The data-handling practices described here reflect what Chessco does today; the formal effective date will be re-stated before Chessco begins charging users.

1. Who we are

Chessco (“we”, “us”) is operated by Foto Master LLC, a Delaware limited liability company at 1013 Centre Road, STE 403-B, Wilmington, DE 19805, United States. We run the website at chessco.org and the related services described on it.

For all privacy questions, contact support@chessco.org.

2. What we collect

Account data: when you create an account we collect your email address (or the email associated with your Google sign-in), a chosen username, an optional display name, and your country. If you sign in via Google OAuth we receive the standard OAuth profile claims (subject id, name, email, picture URL).

Linked external accounts: when you link a chess.com or Lichess account, we store the platform name, the external account identifier, and the verification status of the link.

Public chess data we index: independently of any user account, we maintain an index of publicly available chess data: player handles, games (PGNs), ratings, titles, and federation information sourced from chess.com, Lichess, FIDE, USCF, and the Israeli Chess Federation. This data describes people who may not have a Chessco account. See §4 for your rights regarding this index.

Derived data: from indexed games we compute style fingerprints, opening repertoires, and per-position statistics used to generate prep reports and Scout matches.

Billing and transaction data: subscription status, invoices, tax data, and payment confirmations provided by Paddle or other billing processors we use. We do not receive or store full card numbers.

Server logs: IP address, user agent, timestamps, requested URLs, and response codes. We retain these for security and reliability investigation.

4. The public-data index: your rights

Chessco indexes publicly available chess data from chess.com, Lichess, FIDE, USCF, and the Israeli Chess Federation. Lichess publishes its monthly game dumps under the Creative Commons CC0 1.0 Universal dedication; for other sources we operate within their published terms and at conservative rate limits.

If you do not want your public handle to appear in Chessco, email support@chessco.org from any address with the platform and handle, and we will remove the handle and its associated games from the index within 14 days. We honour these requests regardless of jurisdiction. If your data is in our index because you have a Chessco account linked to that handle, you can also unlink the account from your settings page or delete your Chessco account entirely.

Under GDPR Article 21 you have the right to object to processing based on legitimate interest. The email above is how you exercise that right with us. We will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests.

5. Cookies and similar technology

Chessco uses a small number of strictly-necessary cookies for authentication and session management. These cookies are set by our authentication provider (Supabase) and are exempt from prior-consent requirements under the EU ePrivacy Directive and UK PECR because they are necessary to deliver a service you explicitly requested (signing in).

We do not currently set any analytics, advertising, social-media, A/B-testing, fingerprinting, or other non-essential cookies. If we introduce any in the future we will display a cookie-consent banner with a reject option of equal prominence before setting them.

6. How we use your data

  • To create and operate your account.
  • To produce prep reports, opening trees, and Scout matches you request.
  • To measure and improve the accuracy of our Scout matcher.
  • To send transactional emails (account, security, important service notices).
  • To detect, investigate, and prevent abuse, fraud, and cheating.
  • To comply with legal obligations.

7. Sharing and sub-processors

We do not sell your personal data. We share data with the following sub-processors that are necessary to run the Service:

  • Supabase: managed PostgreSQL and authentication. Hosts account, profile, link, and prep data.
  • Vercel: hosting and edge delivery of the web application.
  • Google: if you sign in with Google, receives the standard OAuth request from your browser. Google's own privacy policy governs that interaction.
  • Paddle: billing, payments, and tax (merchant of record). UK / Global. Receives billing and transaction data described in §2 when you subscribe to a paid plan.
  • Source platforms (chess.com, Lichess, FIDE, USCF, ICF): we fetch public data from their public endpoints; they receive only what their endpoints would normally receive (request metadata) and not your Chessco account data.

We may disclose information to comply with valid legal process, to enforce our Terms, or to protect the safety of users.

8. International transfers

We use sub-processors with infrastructure in the European Economic Area, the United Kingdom, and the United States, depending on the region selected for each sub-processor. Paddle is based in the United Kingdom; transfers of billing data to Paddle from the EEA are covered by the UK adequacy decision. Where personal data is transferred from the EEA or the UK to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (or the UK Addendum to them) as the safeguard for the transfer.

9. Retention

  • Account data: while your account exists, plus 30 days after deletion to reverse accidental deletion and to retain integrity-related records.
  • Server logs: 30 days, then deleted or fully aggregated.
  • Public-data index: retained indefinitely unless a removal request is received (see §4).
  • Billing records: retained by Paddle as our merchant of record for the period required by applicable tax and consumer-protection law (typically 7–10 years). We retain our own copy of invoice metadata for the duration of your subscription plus 7 years after the last transaction.

10. Security

Data is encrypted in transit (HTTPS/TLS). Sign-in credentials are stored as cryptographic hashes by our authentication provider. Database access is restricted by row-level security policies. We do not claim that our security is perfect; we will notify affected users and competent authorities of material incidents as required by applicable law.

11. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased.
  • Receive your data in a portable format.
  • Restrict or object to certain processing.
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, email support@chessco.org. We may need to verify your identity before responding to a request that concerns an account.

EU/UK residents: you have the right to lodge a complaint with your national data-protection authority. Israeli residents: you may complain to the Israeli Privacy Protection Authority (PPA). California residents: you have rights under the CCPA/CPRA. We do not sell or share personal data as those terms are defined under California law.

12. Children

The Service is not directed to children under 13 (or under 16 in the EEA, UK, and other jurisdictions with a higher digital-services age of consent). We do not knowingly collect personal data from children below those thresholds. If you believe we have, contact support@chessco.org and we will delete the data.

13. Changes to this Policy

We will post a new version of this Policy at this URL with a new effective date. For material changes we will give signed-in users at least 14 days' notice by email or in-app notice before the change takes effect.

14. Contact

For any privacy question, request, or complaint, email support@chessco.org.

See also our Terms of Use.
