Privacy Policy
This Privacy Policy describes how Chess DNA ("we", "us", or "our") collects, uses, discloses, and protects your information when you use our web application and iOS/Android apps (together, the "Service"). By using the Service you agree to the terms described below.
1. Information We Collect
1.1 Information you provide directly
- Account information. When you sign up we store your email address (or OAuth identity from Google / Apple / chess.com), a display name, and any preferences you configure.
- Chess identifiers. Your chess.com or Lichess username, provided voluntarily to enable game imports.
- Optional API keys. If you choose to supply your own Claude, OpenAI, or Gemini API keys for AI features, they are stored encrypted at rest and transmitted only to the provider whose key you supplied.
- Feedback & support correspondence. Bug reports, support emails, or content you submit through in-app forms.
1.2 Information imported from third-party chess services
- Chess games. When you connect a chess.com or Lichess username, we fetch your public game history (PGNs, timestamps, opponents, ratings, outcomes) via their official public APIs. We never receive passwords for those services.
- Public profile data. Public avatar URL and country from chess.com's public player endpoint, displayed in share cards.
1.3 Information collected automatically
- Usage analytics. Aggregate token usage counters (inputs/outputs for AI features) used to show cost estimates. These are tied to your account but never shared with third parties for advertising.
- Technical logs. Standard server logs (IP address, user-agent, timestamps) retained for a maximum of 30 days for debugging and abuse prevention, then deleted.
- No advertising identifiers. We do not use IDFA, AAID, or any ad-tracking SDK.
- Push-notification token (mobile apps only). When you install the iOS or Android app and grant notification permission, our push provider OneSignal generates an anonymous device push token so we can send you transactional notifications. The token is not linked to advertising IDs, and you can revoke it at any time in your device settings.
2. How We Use Your Information
- To provide the core Service: run engine analysis on your games, compute your skill profile, detect weakness patterns, generate training plans.
- To send AI prompts to the provider of your choice (Claude, OpenAI, Gemini) when you use AI features like commentary or exercise generation.
- To synthesize audio game reviews when you request them.
- To respond to support requests.
- To improve the Service (aggregate, de-identified usage metrics only).
We do not sell your personal data. We do not use it to target you with advertising.
3. When We Share Information
Your data is shared only with the following categories of service providers, and only to the extent necessary to deliver the feature you're using:
- Backend infrastructure. Base44 (our managed backend platform) stores your account, games, and analyses.
- AI providers (optional). When you use AI features, the specific prompt is forwarded to the provider whose API key is active (Anthropic Claude, OpenAI, Google Gemini). Their data retention and training terms apply to those requests; we recommend using zero-retention API keys if possible.
- Text-to-speech. OpenAI's TTS endpoint is used for audio game reviews. Only the generated script (no identifiers) is sent.
- Chess game APIs. chess.com and Lichess public APIs receive only the username you entered.
- Flag CDN. Your country flag (if shown on a share card) is fetched from flagcdn.com as a static PNG; no personal data is sent.
- Legal compliance. We may disclose information if required by valid legal process (subpoena, court order), and then only the minimum necessary.
4. Data Retention
- Account and game data are retained as long as your account is active.
- If you delete your account (in-app: Settings → Danger Zone, or via the Data Access Request form), all game, analysis, pattern, preference, and AI-generated records are permanently removed from our database.
- Server logs are rotated and deleted after 30 days.
- Backups are retained for up to 60 days before being overwritten.
5. Your Rights
Depending on your jurisdiction (EU/UK GDPR, California CCPA/CPRA, UK DPA, Brazil LGPD, and similar), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your account and associated data.
- Export a copy of your data in a machine-readable format (data portability).
- Restrict or object to certain processing.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your supervisory authority (e.g. your national data protection regulator).
To exercise any of these rights, submit the Data Access Request form or email us at yuval@chessdna.app. We respond within 30 days.
6. Children's Privacy
Chess DNA is rated 4+, but the Service is not directed at children under 13. We do not knowingly collect personal information from children under 13 (or the equivalent minimum age in your jurisdiction). If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
7. Security
- All data in transit is protected by TLS 1.2+ (HTTPS).
- Data at rest is encrypted by our backend provider (Base44).
- API keys supplied by you are stored encrypted and accessible only to your session.
- We use role-based access controls; only the operator has admin access, and only for debugging or support.
- No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you within 72 hours where required by law.
8. International Data Transfers
Our infrastructure, AI providers, and TTS services operate in the United States and other jurisdictions. When you use the Service from outside those regions, your data is transferred under Standard Contractual Clauses (SCCs) or equivalent safeguards provided by the relevant provider.
9. Cookies & Local Storage
Chess DNA uses only strictly necessary browser storage (localStorage and IndexedDB) to keep you signed in, remember your preferences, and cache audio sessions so they survive a page reload. We do not use third-party tracking cookies or advertising pixels.
10. Third-Party Links & Content
The Service may link to third-party websites (chess.com, Lichess, provider docs). We are not responsible for their privacy practices; please review their policies separately.
11. Changes to This Policy
We may update this Privacy Policy occasionally. When we make material changes, we'll update the "Last updated" date above and, where required, notify active users by email or in-app banner before changes take effect.
12. Contact
Questions or requests about this policy?
Email: yuval@chessdna.app
Data request form: /data-access-request.html