Privacy Notice

Last updated: 28 March 2026

This Privacy Notice explains how OhNoMyChess (“we”, “us”) processes personal data when you use OhNoMyChess (the “Service”).

Data controller

Controller: OhNoMyChess (Bartosz Szymecki)
Email: [email protected]

Personal data we collect

Depending on how you use the Service, we may process:

• Account data: email address, login identifiers, password hash (never your raw password)
• Chess-related data: chess username(s), game PGNs or game metadata you provide or import, analysis results generated by the Service
• Public chess player data: for featured content (such as Blunder of the Day), we display publicly available information from chess platform APIs (e.g., chess.com), including player titles (GM, IM, etc.) and names of titled players. This data is already public on the respective platforms.
• Technical data: IP address (typically in server logs), device/browser data, timestamps, and basic diagnostics
• Cookies & local storage: see “Cookies & browser storage” section below

Why we process your data

We use personal data to:

• Create and manage your account
• Provide the Service (including generating and displaying analysis)
• Maintain security, prevent abuse, troubleshoot issues, and improve reliability
• Communicate with you about account or service-related issues (e.g., password resets, important notices)

Legal bases (GDPR)

We process personal data under one or more of these bases:

• Performance of a contract: to provide the Service you requested
• Legitimate interests: security, fraud prevention, service improvement (balanced against your rights)
• Consent: where required (for example, for optional communications), which you can withdraw at any time

Sharing and recipients

We do not sell your personal data. We may share data with:

• Hosting and infrastructure providers (e.g., VPS/hosting in the EU) to run the Service
• Email delivery providers (if used) for account emails
• Third-party services you connect to or data sources you request we use (e.g., Chess.com API requests initiated by your use)
• Payment processors: Paddle.com Market Ltd acts as our Merchant of Record to process your transactions, manage subscriptions, and comply with tax regulations. When you make a purchase, your payment data is handled securely by Paddle according to their Privacy Policy. We do not store or process your credit card information.

International transfers

We aim to store and process data in the EU/EEA. If we ever transfer personal data outside the EU/EEA, we will use appropriate safeguards (such as EU Standard Contractual Clauses) where required.

Data retention

• Account data: until you delete your account, then for a limited period as required for security, legal, or operational reasons
• Logs and security data: typically for a limited period (e.g., 90 days), unless needed to investigate abuse or incidents

You can request deletion at any time (see “Your rights”).

Cookies & browser storage

We do not use any analytics, tracking, or advertising cookies. The Service uses only the following strictly necessary or functional storage:

• Session cookie: an httpOnly cookie that keeps you logged in. It is essential for the Service to function and is deleted when you log out or it expires.
• localStorage: stores guest puzzle limits and skipped-puzzle lists so the Service works correctly between page reloads. This data stays in your browser and is not sent to our server.
• sessionStorage: stores a temporary flag for the current browser tab only; cleared when the tab is closed.

Because all cookies and browser storage we use are strictly necessary or functional, no consent banner is required under the ePrivacy Directive. If we ever introduce non-essential cookies (e.g., analytics), we will add a consent mechanism first.

Security

We use reasonable technical and organizational measures to protect personal data (for example, access controls, encryption in transit via HTTPS, and secure password hashing). No system is 100% secure.

Your rights (EU/EEA)

You have the right to request:

• Access to your personal data
• Rectification of inaccurate data
• Erasure (“right to be forgotten”)
• Restriction or objection to processing (in certain cases)
• Data portability (in certain cases)

To exercise rights, contact: [email protected]

You also have the right to lodge a complaint with your local supervisory authority. If you are in Poland, this is the President of the Personal Data Protection Office (UODO).

Children

The Service is not intended for users under 16. If you believe a child has provided personal data, contact us to request deletion.

Changes

We may update this Privacy Notice. We will post the updated version with a new “Last updated” date and may notify you for material changes.

Contact

Privacy questions or requests: [email protected]