Privacy Policy

Last updated: February 23, 2026

Chesslytix ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

1. Data We Collect

We collect the following categories of personal data:

  • Account information: email address and password (hashed) when you register.
  • Profile information: optional display name that you provide.
  • Chess data: games, analyses, annotations, and databases you create or import.
  • Payment information: processed by Stripe. We do not store your card details. We receive transaction IDs and subscription status from Stripe.
  • Usage data: pages visited, features used, and error reports (via Sentry) for improving the Service.
  • Technical data: IP address, browser type, device information, and cookies as described in our Cookie Policy.

2. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract performance: to provide the Service, manage your account, and process payments.
  • Legitimate interest: to improve our Service, ensure security, and prevent fraud.
  • Legal obligation: to comply with tax, accounting, and other legal requirements.

3. How We Use Your Data

  • Providing and maintaining the Service (game storage, analysis, databases)
  • Processing payments and managing subscriptions
  • Sending account-related notifications (password resets, billing updates)
  • Monitoring and fixing errors and performance issues
  • Improving the Service based on aggregated, anonymized usage patterns

4. Sharing with Third Parties

We do not sell your personal data. We share data only with the following service providers who process data on our behalf:

  • Stripe — payment processing. Stripe processes your payment information under its own privacy policy.
  • Sentry — error monitoring. Sentry receives anonymized error reports and technical data to help us fix bugs.
  • Railway — infrastructure hosting. Our servers are hosted on Railway's infrastructure within the EU/US.

We may also share data when required by law or to protect our legal rights.

5. Cookies

We use a limited number of cookies for authentication and error tracking. For full details, see our Cookie Policy.

6. Data Retention

We retain your data as follows:

  • Account data: as long as your account is active, plus 30 days after deletion for recovery purposes.
  • Chess data: as long as your account is active. Deleted upon account deletion.
  • Payment records: up to 7 years as required by tax and accounting laws.
  • Error logs: up to 90 days (Sentry's default retention).

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your data ("right to be forgotten").
  • Portability: request your data in a machine-readable format (e.g., PGN export).
  • Restriction: request that we limit processing of your data in certain circumstances.
  • Objection: object to processing based on legitimate interest.

To exercise any of these rights, contact us at privacy@chesslytix.app. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including encrypted connections (HTTPS), hashed passwords, and access controls. However, no method of transmission over the internet is 100% secure.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the Service. The "Last updated" date at the top reflects the most recent revision.

10. Contact

For privacy-related questions or requests, contact us at privacy@chesslytix.app.

If you believe we have not addressed your concern adequately, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).