Nexa chess · informational document

Privacy policy

Last updated: 11 April 2026 (2026-04-11)

1. Data controller

The controller of personal data associated with use of the Nexa chess web application is whoever holds the domain and service (hereinafter “Nexa chess” or “we”). To exercise your rights you may use the published contact channels (support email, contact form, etc.). Until a dedicated public channel exists, requests may be sent to the email linked to your registration account where the service recipient can be identified.

2. Purposes of processing

We process data for these main purposes:

  • Account and authentication: to enable registration, sign-in (email and password or OAuth provider, e.g. Google) and session security via Supabase Auth.
  • In-app user profile: to store name, online chess platform preferences, public Lichess and/or Chess.com identifiers you provide, and FIDE data you enter manually, to show the dashboard and personalise the experience.
  • Game import and analysis: when you connect Lichess or Chess.com, to request game data you authorise or that is accessible via their API, store it on the Nexa chess analysis server and compute metrics (including engine analysis when configured).
  • Service maintenance, security and improvement: technical logs, abuse prevention and error debugging as necessary.
  • Audience and product analytics: if you accept in the cookie notice, aggregated statistics on visits, screens and events (e.g. Google Analytics 4, Plausible Analytics, Vercel Analytics or equivalent). Without your specific consent only strictly necessary cookies and data apply.

3. Data we process and sources

3.1. Supabase (cloud provider)

Authentication and part of the profile are managed with Supabase. The profile table (e.g. public.users) may include: user id, email, display name, avatar URL, preferred platform (Lichess/Chess.com), public usernames on those platforms, FIDE id and FIDE ratings you enter, and timestamps.

Supabase partly acts as a processor; its privacy policy and server locations apply to those processing activities.

3.2. Analysis server (own backend)

For import, metrics and engine analysis, Nexa chess uses a backend with its own database (usually SQLite on the server). We may store, among other things:

  • Game id, username linked to the import, source (lichess/chesscom), date, result, moves or PGN, opening (ECO and name), public player names and ratings shown in the game, and platform JSON when applicable.
  • Aggregated statistics by period: game counts, wins, draws, losses, average rating, etc.
  • Engine analysis results: positions (FEN), move number, numeric evaluation, analysis metadata.
  • Phase calculation caches and analysis metadata.

This data is used solely to provide app features. We do not sell it to third parties.

3.3. Browser analytics

When you enable analytics in the cookie banner, the integrated provider (e.g. Google Analytics 4, Plausible or Vercel Analytics) may process online identifiers and aggregated usage data. Those activities are governed by the provider’s policies and your consent, which you can withdraw by clearing cookies and choosing again in the notice.

4. Legal basis

Processing necessary for your account and the service is based on performance of the terms of use and, where applicable, consent when you register or connect external platforms. Third-party data in public games is based on your import request and legitimate interest in analysing games already published on source platforms. Non-essential analytics is based on your explicit consent in the cookie notice.

5. Retention

We retain data while your account is active and as needed for the service. You can request deletion of import and game profile data from Profile (“Delete my data”), which removes associated games and analysis and clears profile fields in Supabase, without necessarily deleting the access account unless you handle that separately with the authentication provider.

6. Recipients and transfers

Providers: Supabase (authentication and profile), public Lichess and/or Chess.com APIs when you start an import, and, if you accepted analytics, the configured measurement provider. We do not share your data with advertisers for behavioural advertising. Engine analysis runs on the infrastructure where the backend is deployed.

7. Your rights

If you are in the EEA or other jurisdictions with applicable law, you may exercise rights of access, rectification, erasure, restriction, objection and portability where applicable, and withdraw consent, by contacting the controller. You may also lodge a complaint with a data protection authority.

8. Security and confidentiality

We apply reasonable technical and organisational measures (HTTPS, backend access controls, secrets for sensitive routes, etc.). No system is 100% secure: use strong passwords and do not reuse credentials.

9. Minors

The service is not directed at children under 14 (or the minimum age in your country). If you are a parent or guardian and believe a minor has provided data, contact us for deletion.

10. Changes to this policy

We may update this text to reflect legal or product changes. Please review the legal section periodically.
