Privacy Policy

Last updated: 8 May 2026 · Effective date: 8 May 2026 · Version 1.0

In plain English (TL;DR)

This is the short version. The full policy below is what legally applies.

Ochess is a personal, non-commercial chess training project. We collect only what we need to run it.
We store your email, username, and any optional profile data you choose to add (real name, FIDE rating, Chess.com / Lichess usernames, date of birth, "about" text, language).
We store your chess content: imported games, opening labs, training progress, and direct messages with other users.
Our servers are on Google Cloud (Firebase) in the United States. By using Ochess, you agree your data may be processed in the US under standard GDPR safeguards.
We use Firebase Analytics, but only if you accept the cookie banner. You can change this any time via "Cookie settings" in the footer.
When you open a chess position in Opening Lab, your IP address is sent to our own opening-statistics server (api.ochess.app, hosted in Germany), which fetches the data from Lichess on our side — so your IP is not exposed to Lichess for this. This cannot be turned off without disabling the feature.
We don't sell your data. We don't share it with advertisers. We don't run ads.
You can delete your account at any time from your profile. Almost everything is deleted automatically; for full erasure you can email us.
You must be at least 16 years old to use Ochess.

1. Who we are (Data Controller)

The person responsible for your personal data ("we", "us", the "Data Controller") is:

Yevhenii Chebotarkyi, an individual operating Ochess as a personal project, based in the United Kingdom.

Contact: support@ochess.app

For privacy-related questions, requests, or complaints, please use the email above. We will respond within 30 days.

This policy is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and is also designed to comply with the EU GDPR for users in the European Economic Area.

2. Scope

This Privacy Policy applies to the Ochess website (currently hosted at ochess.app, hereinafter the "Service") and any related subdomains operated by us. It does not apply to third-party websites linked from the Service.

3. What personal data we collect

3.1 Data you provide directly

When you register and use Ochess, we collect:

Mandatory account data:

Email address
Username (chosen by you, must be unique)
Account creation timestamp

Optional profile data (only if you choose to add it):

Profile photo (from Google, if you sign in with Google)
Real name
Date of birth
FIDE rating
Chess.com username
Lichess username
"About" text
Preferred interface language

Authentication data:

Authentication method used (email/password or Google sign-in)
Hashed password (managed by Firebase Authentication; we never see your plaintext password)

Records of consent:

Timestamp of your acceptance of these Terms and Privacy Policy
Timestamp of your confirmation that you are 16 years of age or older
Version of the Terms you accepted

3.2 Data generated by your use of the Service

Chess games you import from Lichess, Chess.com, or via PGN upload
Opening labs you create, including the move trees, chapters, settings, and any notes
Training progress: which exercises you've completed, when you last studied
Direct messages you send to or receive from other users
Shared lab metadata: if you choose to make a lab public or share it via link, the share metadata (share ID, ownership, visibility setting) is recorded
User preferences stored in your browser's local storage (board orientation, lab settings, study progress cache)

3.3 Data we do NOT collect

For transparency, we explicitly do not collect:

IP addresses (beyond what Firebase logs internally for security)
User-agent strings or device fingerprints
Last-login timestamps
Browser history or activity outside the Service
Payment data (the Service is currently free)

3.4 Cookies and analytics

We use two categories of storage in your browser:

Strictly necessary technical storage — required for the Service to function. This includes Firebase Authentication session cookies and localStorage keys for caching your labs, board orientation, training progress, and similar preferences. No consent is required for this category.
Analytics (optional, opt-in only) — Firebase Analytics, which collects anonymised usage statistics (which pages are visited, how features are used). It is disabled by default. We only enable it after you click "Accept" on the cookie banner. You can withdraw consent at any time via "Cookie settings" in the footer; this resets the choice and disables Analytics.

We do not use any tracking, marketing, or advertising cookies.

4. Why we process your data, and on what legal basis

Purpose	Categories of data	Legal basis (UK/EU GDPR)
Creating and operating your account	Email, username, password (hashed), consent records	Performance of a contract (Art. 6(1)(b))
Storing your games, labs, progress, messages	All chess content data	Performance of a contract (Art. 6(1)(b))
Fetching opening statistics from Lichess	IP address (handled by Lichess directly)	Performance of a contract (Art. 6(1)(b)) — necessary for the Opening Explorer feature
Sending transactional emails (registration confirmation, password reset)	Email address	Performance of a contract (Art. 6(1)(b))
Firebase Analytics	Anonymised event data	Consent (Art. 6(1)(a)) — you can withdraw at any time
Security, fraud prevention, abuse handling	Account data, content data	Legitimate interests (Art. 6(1)(f)) — keeping the Service safe
Complying with legal obligations	Any data subject to a legal request	Legal obligation (Art. 6(1)(c))

5. Who we share your data with

We do not sell your personal data. We do not share it for advertising purposes.

We share data only with the following categories of recipients, and only as necessary:

5.1 Service providers (data processors acting on our behalf)

Google Ireland Limited / Google LLC (Firebase Authentication, Cloud Firestore, Cloud Storage, Cloud Functions, Firebase Analytics) — provides the entire backend infrastructure of the Service. Google acts as our data processor under Google's Cloud Data Processing Addendum.
Google Fonts (Google LLC) — when you load any page, your browser fetches font files from fonts.googleapis.com and fonts.gstatic.com. Google receives your IP address as a technical consequence of this request.
Hetzner Online GmbH (Germany) — hosts our opening-statistics proxy (api.ochess.app). When you open a position in Opening Lab, your browser sends the request to this server, which caches it and fetches the statistics from Lichess on our behalf. Your IP address is processed by this server inside the EU. Hetzner acts as our data processor.

5.2 Independent third parties (data controllers in their own right)

When you use certain features, your data is sent directly from your browser to third parties. These parties act as independent data controllers, and their handling of your data is governed by their own privacy policies.

Lichess (Association Lichess.org, France) — opening statistics for Opening Lab originate from Lichess, but these requests are now made by our server (see Hetzner in 5.1), not your browser, so your IP address is not exposed to Lichess for opening statistics. Lichess receives your IP address directly only for the game-import and rating-lookup actions described below. See Lichess Privacy Policy.
Lichess API (lichess.org/api/...) — used only when you actively choose to import your games or look up your Lichess rating. Your IP address is visible to Lichess for these requests.
Chess.com (Chess.com, LLC, USA) — used only when you actively choose to import your games or look up your Chess.com rating. Your IP address is visible to Chess.com for these requests. See Chess.com Privacy Policy.

5.3 Other users of the Service

Public lab content: if you set a lab to "public" or "unlisted", its content (move tree, chapters, notes you've added) becomes accessible to anyone who has the share link.
Direct messages: messages you send are visible to the recipient. The Service Operator can technically access stored messages for security and abuse-handling purposes, but does not routinely read them.
Profile information: your username and any optional profile fields you fill in (FIDE rating, Chess.com / Lichess usernames, "about" text) may be visible to other users in shared contexts.

5.4 Legal disclosures

We may disclose your data if required by law, court order, or to protect the rights, safety, or property of us, our users, or others.

6. International data transfers

The Service's primary data storage (Cloud Firestore default database, Cloud Storage, and the deletion Cloud Function) is hosted in the United States (Google Cloud nam5 multi-region). A separate Firestore database used only for static opening data is hosted in the European Union (europe-west3, Frankfurt) and contains no personal data.

This means your personal data is transferred outside the UK and EEA to the United States.

For these transfers, we rely on:

The Standard Contractual Clauses ("SCCs") approved by the European Commission and the UK International Data Transfer Addendum, which Google Cloud has implemented through the Google Cloud Data Processing Addendum. These provide GDPR-equivalent contractual safeguards.
Google's supplementary technical measures including encryption at rest and in transit.

You acknowledge that US laws (including FISA Section 702 and Executive Order 12333) may, in limited circumstances, require Google to disclose data to US government authorities. We have no practical way to control or prevent such disclosures, but they are not routine and the SCCs provide remedies in the event of misuse.

If you are not comfortable with this transfer, please do not use the Service.

We aim to migrate primary data storage to an EU region in a future version of the Service. Updates to this policy will reflect any such change.

7. How long we keep your data

Data	Retention
Account data, profile, games, labs, training progress, messages	For as long as your account exists
Account data after deletion	Erased immediately by the deletion Cloud Function (see § 9)
Backups	Up to 30 days, after which deleted data is purged from Google Cloud's backup systems
Records of consent	Retained for the lifetime of the account, then deleted with it
Communications with us (e.g. email)	Up to 3 years after the last message, for handling follow-up questions and disputes

We do not retain personal data longer than necessary.

8. Security

We rely on Google Cloud's security infrastructure, which includes encryption in transit (TLS) and at rest, access controls, and ISO 27001 / SOC 2 / ISO 27018 certifications.

On our side, we follow good engineering practices: passwords are never stored in plaintext (Firebase Auth handles them), Firestore Security Rules restrict access to data, and the Service Operator has minimal manual access to user data.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (ICO) within 72 hours and notify you without undue delay.

9. Your rights and how to exercise them

Under UK GDPR and EU GDPR, you have the following rights:

Right of access (Art. 15) — you can request a copy of the personal data we hold about you.
Right to rectification (Art. 16) — you can correct inaccurate or incomplete data, either through the Service's profile editor or by emailing us.
Right to erasure / "right to be forgotten" (Art. 17) — you can delete your account from the profile page. This automatically erases your profile, username reservation, imported games, training progress, opening labs (private and shared), Cloud Storage files associated with your labs, and all your direct messages and conversations. The analytics_consent setting in your local browser storage is also cleared. Firebase backups retain copies for up to 30 days, after which they are purged.
Right to restriction of processing (Art. 18) — you can ask us to stop processing your data in certain circumstances.
Right to data portability (Art. 20) — we do not currently provide an in-app data export function. To exercise this right, please email us at support@ochess.app with the subject line "Data export request". We will provide your data in a machine-readable format (JSON) within 30 days.
Right to object (Art. 21) — you can object to processing based on legitimate interests.
Right to withdraw consent (Art. 7(3)) — for analytics, click "Cookie settings" in the footer at any time. For other consent-based processing, email us.
Right not to be subject to automated decision-making (Art. 22) — we do not engage in automated decision-making with legal effects.

To exercise any of these rights, email us at support@ochess.app. We will respond within 30 days. We may need to verify your identity before acting on requests that don't come from your account email.

Right to lodge a complaint

If you believe we have violated your data protection rights, you can lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with the data protection authority in your country of residence within the EEA.

10. Children

The Service is intended for users aged 16 and older. We do not knowingly collect personal data from children under 16.

If you are a parent or guardian and you believe a child under 16 has provided us with personal data, please contact us at support@ochess.app and we will delete the account.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the latest revision. For material changes (e.g. new categories of data, new third-party processors, changes to legal basis), we will notify registered users by email and require renewed acceptance on next login.

Previous versions of this policy will be available on request.

12. Contact

For any privacy-related question or to exercise your rights:

Email:support@ochess.app

Subject line suggestions:

"Data access request"
"Data export request"
"Account deletion follow-up"
"General privacy question"

This Privacy Policy is provided in English and Russian. In case of any conflict, the English version prevails.