Where your chess data lives.

What we store

Six classes of data, and only these. Anything not on this list, we don't have.

• •Account. A random user UUID. Your display name. Your registered passkeys (the public keys; private keys never leave your device). Your verified email, used for account recovery, billing receipts, and replies to support requests.
• •Your games. The PGNs you imported from your online chess accounts or pasted in directly. Game metadata (white, black, date, event, ECO).
• •Your study work. Findings (the patterns the analysis surfaces), notebook entries and positions, training session state, puzzle SRS state, puzzle attempt history.
• •Coach call provenance. For each LLM call: model, purpose, token counts, finish reason, generation ID. Used for cost accounting and to power the "your year in chess" summaries. The prompt and the model's reply are NOT stored by default.
• •Telemetry. An anonymous device UUID (separate from your user UUID), app version, OS, aggregate counts. Never tied to your account. Off-by-default toggle in Settings.
• •Feedback you send. When you click Report Issue, the screenshot you reviewed and the note you typed go to a private feedback database. Tied to your install UUID, not your user UUID, so signing out doesn't decouple a previously-sent report.

Where it lives

All six classes live in Cloudflare's services, region-managed by Cloudflare across their global network. Specifically:

• •Account, games metadata, findings, notebook, training, SRS, LLM provenance: Cloudflare D1 (managed SQL).
• •Game PGNs over 1KB, feedback screenshots, opening evaluation bundles, master game archives: Cloudflare R2 (object storage).
• •Engine evaluation cache (positions you and others have analyzed): D1, keyed on the position FEN. No user UUID attached.
• •Telemetry: a separate D1 database keyed on device UUID, never on user UUID.

Everything is encrypted in transit (HTTPS / TLS) and at rest (Cloudflare-managed encryption on D1 and R2).

Who can see it

Two people, both directly involved in operating the service:

• Daniel Weisman, the developer.
• Whoever Daniel designates as an operations admin (currently no one else).

Admin access is gated behind a password and an HMAC-signed session cookie at promotechess.com/admin. The admin panel reads aggregate counts, the feedback queue, and individual user records when troubleshooting. We do not browse user content recreationally. If we ever need to look at a specific user's games or coach calls to debug a bug they reported, we will do so only in connection with that report.

We never share, sell, or rent your data. There is no advertising network, no affiliate tracking, no data broker.

Your rights

• •Export. Settings → Privacy → Export everything generates a ZIP of every row tied to your account, including PGNs, findings, notebook entries, and SRS history. One-click, no email round-trip.
• •Delete. Settings → Privacy → Delete my account purges all D1 rows immediately and queues R2 objects for deletion within 24 hours. Once deleted, the user UUID is unrecoverable.
• •Access. The app itself is your view of your data. The export above gives you the underlying rows.
• •Rectification. Update display name, email, and connected chess handles in Settings any time.
• •No sale. Under any definition of "sell," including CCPA's expanded one, we don't sell your information.

Telemetry

At most once every 24 hours, Promote sends an anonymous ping with: install UUID (not user UUID), app version, browser, OS, and aggregate counts (games analyzed, coach calls made, training sessions completed). The toggle is in Settings → Privacy and defaults to on; flipping it off stops future pings immediately.

Telemetry is intentionally keyed on a device UUID rather than your user UUID, so signing out and back in doesn't break the longitudinal aggregate, and so a single user across multiple browsers shows up as multiple devices, not a coordinated profile.

Email

We collect a verified email address at sign-up. We use it for three things, and only these: account recovery (if you lose your passkeys), billing receipts, and replies to support requests. We don't run a marketing list, and there's nothing to unsubscribe from.

Report Issue

The Report Issue button in the app sends:

• •A PNG screenshot of whatever's on screen at the moment you press the button. The modal shows you the capture before it's sent. If your name, rating, a game, or a coach reply is visible, it's in the screenshot.
• •The note you type, verbatim.
• •Your install UUID (not user UUID), app version, browser, and the name of the current view. Nothing about that view's content beyond the screenshot.

Stored at feedback.promotechess.com: screenshots in a private R2 bucket, metadata in a private D1 database. To delete a report you sent, email the address below with the report ID (shown in the confirmation toast).

Subprocessors

• •Cloudflare hosts everything — Workers (compute), D1 (database), R2 (storage), Pages (the site), Email Routing (incoming email).
• •OpenRouter proxies LLM calls. The current position or game excerpt is sent to OpenRouter, which routes it to the model. No user UUID, no install UUID, no name.
• •Anthropic is the model provider currently routed through OpenRouter. Subject to their data-handling terms.
• •Stripe processes payments when paid plans ship. They handle card data; we never see it. PII shared with Stripe is email and the last 4 digits of the card.

Children

Chess has many young players. We don't knowingly collect data from anyone under 13. If a parent or guardian believes their child under 13 has created an account, email the address below and we'll delete the account and its data. We do not sell or share children's information under any circumstances.

GDPR and CCPA

For users in the EU, UK, and California:

• Legal basis (GDPR). Contract performance for the features you use (storing games and findings is necessary for analysis to work), and consent for telemetry (toggle in Settings).
• Data subject rights. Access, deletion, rectification, portability, objection — see "Your rights" above. Self-serve in Settings; appeal to the controller below if you believe we've fallen short.
• Controller. Daniel Weisman, an independent developer based in the United States, reachable at the email below.
• No sale (CCPA). We do not sell your personal information.
• Right to lodge a complaint. If you believe your rights have been violated and we haven't fixed it, you can complain to your local data-protection authority.

International transfers

Cloudflare is a US company with a global edge network. OpenRouter and Anthropic are US companies. If you're outside the US, the data relevant to a given feature call may be processed in the US.

Versioning

Your account record stores the version of the privacy policy you accepted at sign-up. When this policy changes substantively, the app prompts you to re-accept the new version before continuing. The date below reflects the last meaningful change.

Questions

Email Daniel at [email protected]. Faster than any contact form.