- We collect what we need to run a coaching studio — nothing more.
- We never sell your data, and we don't run advertising or third-party tracking on our site.
- Coaches can see the lesson activity, game history, and ratings of the students they coach. That's the whole point of the product.
- You can export your data and delete your account from settings, or by emailing [email protected].
This Privacy Policy explains what personal information Chesscraft collects when you use our website at chesscraft.ai and our services (the "Services"), how we use it, who we share it with, how long we keep it, and what rights you have over it. It should be read together with our Terms of Use.
Who is responsible for your data.
The data controller for your personal information is Chesscraft. For any question about how we handle your data — including exercising your rights — write to [email protected].
The data we collect about you.
We try to collect as little as we can while still running a useful coaching studio. Here's what that looks like in practice.
- Account data: Your name, email address, role (coach / student / parent / club admin), password (stored hashed), and optional two-factor secret. Authentication is powered by Laravel Fortify.
- Profile data: Optional information you choose to add: a public coach profile with biography, specialties, and a URL slug; for students, the name your coach uses to address you.
- Lesson and coaching data: Classroom positions and annotations, lesson notes, puzzle attempts, hint usage, saved positions, puzzle pack membership, course/lesson progress, and student rating history that you or your coach record.
- Imported chess data: Games imported from Lichess (via OAuth) or Chess.com (via your public username), YouTube playlist metadata when you import a playlist, and PGN files you upload.
- Payment data: Card numbers and bank details never touch Chesscraft — they're handled directly by Stripe. We store Stripe customer IDs, Connected Account IDs, transaction identifiers, and metadata such as invoice amounts, currencies, and statuses.
- Real-time telemetry: When you're inside a live classroom or a live queue, our broadcasting layer (Pusher / Laravel Reverb) maintains short-lived presence and channel state so other participants can see when you join, move, or leave.
- AI prompt and response logs: When you use AI-assisted features such as position roasts or evaluation summaries, the relevant prompts and outputs are sent to a third-party AI provider and kept briefly for debugging and abuse review.
- Operational data: IP address, browser user-agent, request paths and timing, errors and stack traces captured by Sentry, and session / CSRF cookies needed to keep you signed in.
- Marketing & CRM: For coaches and coach prospects, we sync contact details to HubSpot to manage outreach and support. You can opt out at any time.
What we do with this information.
- Run the Services — authenticate you, deliver lessons, sync rosters, route real-time updates.
- Process payments — create invoices, route Stripe charges and payouts, handle refunds and chargebacks.
- Communicate with you — transactional emails about your account, lessons, invitations, invoices, and security; occasional product updates you can opt out of.
- Improve the product — diagnose bugs, measure how features are used in aggregate, and prioritise what to build next.
- Keep things safe — detect fraud, protect minors, enforce our Terms of Use, and meet our legal obligations.
We don't sell your personal information, and we don't show third-party advertising or run third-party advertising trackers on the Services.
Why processing is lawful.
If the GDPR or a similar regime applies to you, we rely on the following bases:
- Performance of a contract: For everything we need to do to give you the Services you signed up for — accounts, lessons, classrooms, billing.
- Legitimate interest: For security, abuse prevention, fraud detection, error monitoring (Sentry), and aggregate product analytics. We balance our interest against your rights.
- Consent: For optional profile fields, marketing emails, and non-essential cookies — given by you and withdrawable at any time.
- Legal obligation: For invoice and tax record retention, and responses to lawful requests from authorities.
Students who are minors.
Chesscraft is intended for use by chess coaches and the students they coach. Many students are children. We take that seriously.
- Minors may only use the Services under the supervision and with the consent of a parent, legal guardian, or an inviting coach who has obtained that consent.
- We minimise what we collect about minors. We do not profile minors for advertising, and we do not surface them in public discovery (such as coach profiles) by default.
- Public chat or unmoderated communication is not part of the Services; interactions take place within the student's coach's classroom or homework.
- Parents and guardians can review, export, correct, or delete a minor's data, and revoke consent, by emailing [email protected] from the email address we have on file.
If you believe a child under 13 has registered without appropriate consent, please tell us and we'll take prompt action.
How data flows between coaches and students.
The coaching relationship is the heart of Chesscraft. Within that relationship:
- Coaches see their students' lesson activity, including puzzle attempts, classroom annotations, ratings history, imported games, lesson notes, and assigned homework.
- Students see their own activity and only the coach-authored content their coach chooses to share with them (such as puzzle packs, lesson recaps, and annotations).
- Parents and guardians, where enrolled, can receive digests summarising a student's progress.
- When a coach removes a student, the coach loses access to that student's data; the student retains their own account and data unless they choose to delete it.
How long we keep your data.
- While your account is active — we keep your data so the Services keep working.
- After you delete your account — we soft-delete your account immediately, then purge personal data after a 30-day grace period in case you change your mind.
- Invoices & tax records — retained for the period required by applicable tax and accounting law (typically up to 7 years).
- Backups — overwritten on a rolling basis; residual data may persist in backups for up to 30 days after deletion before being purged.
- Security & audit logs — kept for up to 12 months for fraud detection and incident response.
- AI prompt logs — kept for a short debugging window (typically up to 30 days) by us and our AI provider.
Your rights over your data.
Subject to applicable law (including the GDPR, UK GDPR, and the California Consumer Privacy Act where relevant), you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectify — correct inaccurate or incomplete data.
- Delete — ask us to remove your data, subject to legal retention obligations.
- Port — receive your data in a portable, machine-readable format.
- Restrict or object — to certain types of processing, including direct marketing.
- Withdraw consent — where processing is based on it, without affecting prior lawful processing.
- Complain — to your local data protection authority if you think we've handled your data poorly.
Most of these you can exercise yourself from your account settings. For anything else, write to [email protected] and we'll respond within one month.
International transfers.
Our application and database are hosted in the region we've selected with our infrastructure provider (Railway). Some sub-processors — including Stripe, Sentry, HubSpot, and our AI model provider — are based in the United States or operate globally.
Where personal data leaves your region of residence, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and the UK's International Data Transfer Addendum, or the equivalent under other regimes.
How we protect your data.
- Traffic to and from Chesscraft is encrypted in transit with TLS.
- Passwords are hashed using a modern adaptive algorithm — we never store them in clear text.
- Two-factor authentication is available on every account and strongly recommended for coaches.
- Access to data inside the application is restricted by role and enforced by per-action authorisation policies (for example, only a student's coach can read that student's records).
- Production access by Chesscraft staff is limited, logged, and used only when necessary to operate or support the Services.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at [email protected].
Changes to this Privacy Policy.
When we make material changes to this policy, we'll update the "Last updated" date above and notify you by email and a dashboard banner at least fourteen (14) days before they take effect, unless the change is required by law or addresses a security risk that requires faster action.
Talk to us.
Questions about your data, your rights, or this policy? Reach our privacy team at [email protected]. For security disclosures, write to [email protected].