Data Privacy Policy

1. Responsible Person

Responsible for data processing according to GDPR:

Stefan Nothegger

2. User Account and Authentication

You can use this application without creating an account. All learning progress is stored locally in your browser. However, if you choose to create an account, we store the following data on our servers:

  • Account data: Your email address, name (if provided), and a securely hashed password. Passwords are hashed using bcrypt and are never stored in plain text.
  • Learning progress: Your lesson completions, quest progress, streak data, tactic puzzle results, and other learning events. This data is synchronized between your browser and our server so you can access your progress from multiple devices.
  • User settings: Your language preference, theme setting, and selected coach personality.

You can use the application fully without an account. Creating an account is optional and only needed for cross-device synchronization.

3. Google Sign-In (OAuth)

You can sign in using your Google account. When you do, we receive the following data from Google:

  • Email address — used as your account identifier
  • Name — displayed in your profile
  • Profile picture — displayed in your profile

We do not access your Google contacts, calendar, drive, or any other Google services. We only request the minimum scopes needed for authentication (email and profile). You can revoke access at any time in your Google Account settings.

4. Local Storage

Regardless of whether you have an account, this application stores data in your browser's Local Storage:

  • Learning events: Your progress data (lesson completions, quest progress, streaks) for immediate access without server delays.
  • API key: If you provide a Google Gemini API key for AI features, it is stored exclusively in your browser and is never sent to our servers.
  • Preferences: Language, theme, coach personality, and other settings.

You can clear all locally stored data at any time by clearing your browser's Local Storage for this site.

5. Cookies

We use a single session cookie for authentication purposes when you are logged in. This cookie:

  • Is required for maintaining your login session
  • Is httpOnly and secure (cannot be accessed by JavaScript)
  • Is deleted when you sign out or when it expires
  • Is not used for tracking or analytics

We do not use cookies for advertising, analytics, or any purpose other than authentication.

6. Third-Party Services

  • Google Gemini API: When you use the AI Tutor feature, your game state (chess position) and your personally provided API key are sent to Google's servers to generate the AI response. We do not store or process your API key on our servers. Please refer to Google's Privacy Policy for how they handle this data.
  • Google OAuth: For Google Sign-In, authentication is handled by Google's OAuth 2.0 service. See section 3 above for details on what data is shared.
  • Lichess: The tactical puzzle database uses publicly available puzzle data from lichess.org. No personal data is sent to Lichess.

7. Data Retention and Deletion

Your account data and learning progress are stored as long as your account exists. You can request deletion of your account and all associated data at any time by contacting us. Upon deletion:

  • Your user account and all personal information will be permanently deleted from our servers.
  • Your learning progress, quest history, and all associated events will be permanently deleted.
  • Data stored in your browser's Local Storage is not affected by server-side deletion — clear it manually if desired.

8. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: You can request a copy of all data we store about you.
  • Right to rectification: You can update your personal information in your profile settings.
  • Right to erasure: You can request complete deletion of your account and data.
  • Right to data portability: You can request your data in a machine-readable format.
  • Right to object: You can object to data processing at any time.

To exercise any of these rights, please contact the responsible person listed above.

9. Data Security

We take appropriate technical and organizational measures to protect your data:

  • All communication is encrypted via HTTPS/TLS.
  • Passwords are hashed using bcrypt with a cost factor of 12.
  • Session tokens are httpOnly and secure.
  • API keys are stored exclusively in your browser and never transmitted to our servers.
  • Database access is restricted and monitored.

10. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page. Continued use of the application after changes constitutes acceptance of the updated policy.

Last updated: April 2026