Privacy Policy
This Privacy Policy explains how ChessNotes (operated by Francesco Albano) collects, uses, and protects your personal data when you use the website chessnotes.app and the ChessNotes web application. It is written to comply with the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Italian Legislative Decree 196/2003 as amended by D.Lgs. 101/2018.
1. Data Controller
- The Data Controller under Article 4(7) GDPR is Francesco Albano, an individual operating from Italy (no VAT number yet, as the Service is in a personal test phase).
- You can contact the Data Controller about any matter relating to your personal data at privacy@chessnotes.app.
- We have not appointed a Data Protection Officer (DPO) because our processing does not meet the thresholds of Article 37 GDPR (no large-scale processing of special categories, no systematic monitoring). If this changes we will update this policy and publish the DPO contact.
2. Personal data we collect
We only collect the data strictly necessary to provide and improve the Service. We do not collect special categories of data (race, religion, health, etc.).
2.1 Data you provide
- Account information: email address, password hash (via Firebase Authentication), optional display name when signing in with Google.
- Chess content: the repertoires, positions, annotations and notes you create. These are stored in our database linked to your account.
- Support communications: any message you send us via email.
2.2 Data collected automatically
- Technical data: IP address, user-agent string, timestamps of requests (logged by our hosting provider for security and debugging).
- Session data: Firebase Authentication cookies/tokens to keep you signed in.
- Device preferences: language preference, board settings, training progress stats (stored locally in your browser via LocalStorage and IndexedDB so the app works offline and loads faster on repeat visits).
2.3 Data from third parties (only if you connect them)
- Chess.com: your public username, game history and ratings, only if you voluntarily connect your Chess.com account via the in-app “Connect” feature.
- Lichess: public study content you choose to import. No account linking required.
- Google: basic profile info (email, name, avatar) if you sign in with Google OAuth.
2.4 Payment data
- We never see or store your full payment card details. All payments are processed by Lemon Squeezy acting as Merchant of Record. We only receive metadata about your subscription status (active, trial, cancelled, renewal date) associated with your Firebase user ID.
- Lemon Squeezy processes your card under their own Privacy Policy: https://www.lemonsqueezy.com/privacy.
3. Purposes and legal basis of processing
We process your personal data for the following purposes, each based on a specific legal ground under Article 6 GDPR:
3.1 To provide the Service (Art. 6(1)(b) — contract)
Creating and managing your account, storing your repertoires, delivering training features, authenticating you. Without this data we cannot provide the Service.
3.2 To process payments (Art. 6(1)(b) — contract)
When you subscribe to the Pro plan, we share your Firebase user ID and email with Lemon Squeezy so they can link the purchase to your account and activate Pro features via webhooks.
3.3 To comply with legal obligations (Art. 6(1)(c))
Keeping records of transactions and receipts for tax and accounting purposes. We retain billing records for 10 years as required by Italian tax law (D.P.R. 633/1972).
3.4 To secure the Service and prevent abuse (Art. 6(1)(f) — legitimate interest)
Server logs, rate-limiting, fraud prevention, write-throttling. Our legitimate interest is keeping the Service available and safe for all users.
3.5 Customer support (Art. 6(1)(b) or (f))
Answering your questions and resolving issues when you contact us.
5. International data transfers
Some of our processors (Firebase, Vercel, Lemon Squeezy) are headquartered in the United States. When data leaves the EEA, it is protected through one or more of the following mechanisms under Articles 44-49 GDPR:
- The EU-US Data Privacy Framework adequacy decision (European Commission, 10 July 2023).
- Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
- Additional technical and organisational measures (encryption in transit and at rest, pseudonymisation where possible).
6. How long we keep your data
We retain personal data only for as long as necessary for the purposes it was collected:
6.1 Account data
Kept for the duration of your account. If you delete your account, your profile, repertoires, and training progress are permanently deleted within 30 days. You can request deletion by emailing privacy@chessnotes.app.
6.2 Billing and tax records
Transaction receipts and invoices are retained for 10 years as required by Italian tax law (D.P.R. 633/1972 art. 39 and D.Lgs. 74/2000). These may be retained even after account deletion.
6.3 Server logs
Access logs (IP, timestamp, URL) are kept for up to 90 days for security and debugging, then automatically discarded.
6.4 Backups
Encrypted backups may retain data for up to 30 days after deletion before being overwritten.
7. Your rights
Under Articles 15-22 GDPR, you have the following rights regarding your personal data:
7.1 Rights available to you
- Access (Art. 15) — request a copy of your personal data.
- Rectification (Art. 16) — correct inaccurate data (most of it can be edited directly in the app).
- Erasure / “right to be forgotten” (Art. 17) — request deletion.
- Restriction (Art. 18) — limit how we process your data.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent (Art. 7) — where processing is based on consent.
- Not be subject to automated decisions (Art. 22) — we do not perform automated decision-making with legal effects.
7.2 How to exercise your rights
Email us at privacy@chessnotes.app with your request. We will respond within one month of receipt; where necessary, taking into account the complexity and number of requests, this period may be extended by two further months, and we will inform you of any such extension within the first month (Art. 12(3) GDPR). Exercising your rights is free of charge; we may charge a reasonable fee, or refuse to act, only for manifestly unfounded or excessive requests (Art. 12(5) GDPR).
7.3 Right to lodge a complaint
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Garante per la protezione dei dati personali (the Italian Data Protection Authority): https://www.garanteprivacy.it, or with the supervisory authority in your country of residence.
8. Security
We take appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration, or disclosure:
- Transport encryption (HTTPS/TLS 1.2+) on every connection.
- Encryption at rest in Firebase Firestore and Vercel storage.
- Firebase Security Rules restricting data access to the owning user.
- Write throttling and a circuit breaker to mitigate abuse.
- Password hashing by Firebase Authentication (a scrypt-based hash; passwords are never stored in plaintext).
- Regular security updates of all dependencies.
If a personal data breach occurs, we will notify the Garante per la protezione dei dati personali within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms (Art. 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will also inform affected users directly without undue delay (Art. 34 GDPR).
10. Minors
The Service is not intended for children under the age of 14 (Italian age of digital consent under Art. 2-quinquies D.Lgs. 196/2003). We do not knowingly collect data from children below this age. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will delete the data promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last updated” date at the top.
- Notify signed-in users via email or in-app notice at least 14 days before the change takes effect.
- Keep previous versions available on request.
This is version 1.0.0, last updated on 2026-04-24.
12. Contact
For any question about this Privacy Policy or to exercise your rights, contact us at:
- For privacy requests and to exercise your rights: privacy@chessnotes.app
- For support requests: support@chessnotes.app