This Privacy Policy explains how GambitCoach ("we", "us") processes your
personal data when you use the service at gambitcoach.com. We
comply with the EU General Data Protection Regulation (GDPR), the German
Federal Data Protection Act (BDSG), and the California Consumer Privacy Act
(CCPA/CPRA) where applicable.
The data controller within the meaning of GDPR Art. 4(7) is:
We do not have a designated Data Protection Officer (DPO) because we do not meet the thresholds in GDPR Art. 37 / BDSG § 38. You may contact us directly at the email above for any data-protection question.
The service is hosted on Microsoft Azure in the Germany West Central region (Frankfurt am Main, Germany). All personal data is stored on servers located within the European Union. We do not transfer personal data outside the EEA.
| Data | Purpose | Lawful basis |
|---|---|---|
| Email address (when you sign in) | Identify your account, secure sign-in, send magic-link / one-time codes | Art. 6(1)(b) - contract |
| Account identifier (a key derived from your verified email or sign-in provider) and an admin flag | Link your data to one account across sign-in providers; gate administrative features | Art. 6(1)(b) - contract |
| Chess.com username | Identify your data + fetch your public games | Art. 6(1)(b) - contract |
| Your public chess.com games (PGN + metadata) | Run Stockfish analysis, persist results | Art. 6(1)(b) - contract |
| Games you import (pasted PGN) and games you play against our bots | Store and analyse the games you add yourself | Art. 6(1)(b) - contract |
| Deep-analysis results (Stockfish evaluations of your games) | Show your move-quality feedback without re-running the engine each visit | Art. 6(1)(b) - contract |
| IP address (in-memory, transient) | Per-IP rate limiting; abuse prevention | Art. 6(1)(f) - legitimate interest |
| Server-side request logs (URL, status, timing) | Operational diagnostics; security | Art. 6(1)(f) - legitimate interest |
| Telemetry via Azure Application Insights (only enabled in production; not on dev) | Detect errors and performance regressions | Art. 6(1)(f) - legitimate interest |
We use only strictly necessary cookies. No tracking cookies, no advertising cookies, no third-party analytics cookies. The following cookies are set:
- cm_user: your chess.com username; required to look up your cached games. HttpOnly, SameSite=Lax, Secure in production. Lifetime: 1 year.
- gc_session: your signed-in session after you log in. It is a short, server-signed token (HMAC); it carries no password, and no server-side session is stored. HttpOnly, SameSite=Lax, Secure in production. Lifetime: up to 7 days; it is automatically renewed while you keep using the app and is cleared when you log out.
- csrf_token: a random anti-forgery token that protects form submissions (double-submit pattern). HttpOnly, Secure in production. Lifetime: 1 year.
- gc_auth_state: a short-lived value that protects the sign-in redirect against cross-site request forgery. Set only during a login round-trip. Lifetime: ~10 minutes.
- gc_otp: a signed challenge used to verify an email magic-link or one-time code. Set only during email sign-in and scoped to the email authentication routes. Short-lived.

Because all cookies we set are strictly necessary for the service you request (ePrivacy Directive Art. 5(3), TTDSG § 25(2) Nr. 2), no separate consent banner is shown. You can clear them at any time via your browser settings; doing so will sign you out.
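The gc_session and csrf_token entries above describe a stateless session token (an HMAC over the claims, no server-side session record) with a sliding expiry, and a double-submit anti-forgery check. The following is an added illustration by the editor of how such a scheme is typically built; it is not GambitCoach's code, and the function names, the token layout (base64url body + "." + base64url HMAC-SHA256 tag) and the 24-hour renewal threshold are assumptions.

```python
"""Stateless HMAC-signed session cookie with sliding renewal, plus a
double-submit CSRF comparison. Editor's illustrative example, not the
GambitCoach implementation; all names and the token layout are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SESSION_TTL = 7 * 24 * 3600   # "up to 7 days", as stated in the cookie list
RENEW_AFTER = 24 * 3600       # assumed: re-issue once the token is a day old


def _b64e(raw: bytes) -> str:
    """base64url without padding, so the token is cookie-safe."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; re-adds the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session(key: bytes, account_id: str, is_admin: bool,
                 now: Optional[int] = None) -> str:
    """Issue body.tag where tag = HMAC-SHA256(key, body). Claims are the
    account identifier and admin flag from the data table, plus iat/exp."""
    now = int(time.time()) if now is None else now
    claims = {"sub": account_id, "adm": is_admin, "iat": now, "exp": now + SESSION_TTL}
    body = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify_session(key: bytes, token: str,
                   now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the tag is valid and the token is unexpired,
    else None. The MAC is checked before the body is parsed, so untrusted
    bytes never reach the JSON decoder."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):   # constant-time
            return None
        claims = json.loads(_b64d(body))
    except (ValueError, TypeError):   # bad split, bad base64, bad JSON
        return None
    if not isinstance(claims, dict) or int(claims.get("exp", 0)) <= now:
        return None
    return claims


def renew_if_needed(key: bytes, token: str,
                    now: Optional[int] = None) -> Optional[str]:
    """Sliding expiry: a valid token older than RENEW_AFTER is re-minted
    with a fresh iat/exp; a fresh one is returned unchanged. Invalid -> None."""
    now = int(time.time()) if now is None else now
    claims = verify_session(key, token, now)
    if claims is None:
        return None
    if now - int(claims["iat"]) >= RENEW_AFTER:
        return mint_session(key, claims["sub"], bool(claims["adm"]), now)
    return token


def csrf_ok(cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Double-submit check: the csrf_token cookie must equal the token
    echoed back in the form body. Empty/missing on either side fails."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


if __name__ == "__main__":
    key = b"\x01" * 32            # constructed demo key; load from a secret store in practice
    tok = mint_session(key, "acct-42", False, now=1_700_000_000)
    print(tok)
    print(verify_session(key, tok, now=1_700_000_000 + 60))
```

The caveat a reviewer would want stated: because no server-side record exists, "log out" only deletes the cookie in that browser; a copied token stays valid until its exp, which is why the lifetime is capped at 7 days rather than renewed indefinitely.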
database.lichess.org / explorer.lichess.ovh. See the Lichess privacy policy.

All other engine analysis runs on our servers in Germany; the inputs (positions, moves) are not shared with any third party.
We do not sell or rent your personal data. We do not run third-party advertising. We do not use third-party analytics or social media trackers.
Under GDPR you have the right to:
To exercise any of these rights, email privacy@gambitcoach.com. We will respond without undue delay and in any event within one month of receipt, as required by GDPR Art. 12(3).
California residents have equivalent rights under CCPA/CPRA, including the right to know, the right to delete, and the right to opt out of sale (we do not sell personal information).
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority (GDPR Art. 77). For a private-sector controller in Germany, the competent authority is the data-protection authority of the federal state (Land) in which the controller is based (BDSG § 40). The federal authority is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
(BfDI)
Graurheindorfer Straße 153, 53117 Bonn, Germany
www.bfdi.bund.de
GambitCoach is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact privacy@gambitcoach.com and we will delete it.
We use HTTPS / TLS for all data in transit. Server-side data is stored on Azure-managed encrypted storage. We follow the principle of data minimisation: we collect only what is required to operate the service.
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated in-app before they take effect.
GambitCoach is an independent project, not affiliated with, endorsed by, or sponsored by Chess.com, Inc. or the Lichess organisation.