Privacy Policy
Effective date: July 10, 2026
1. Who we are
AxiomChess ("AxiomChess," "the app," "we," "us," or "our") is an independent chess-improvement web application. It analyzes your chess games using a Stockfish chess engine that runs entirely inside your own web browser (compiled to WebAssembly). Your games are not sent to us to be analyzed — the analysis happens on your device.
We are independent and are not affiliated with, endorsed by, or sponsored by Chess.com, Lichess, or the Stockfish project. Those names are third-party trademarks used only to describe what the app does.
The person responsible for the app and for personal data processed through it (the "data controller") is:
- Joshua Seiler, an individual sole proprietor, based in Bradenton, Florida, USA.
- Contact (the best way to reach us on any privacy question): joshuadseiler@gmail.com
Email is the fastest and best way to reach us, and under EU/UK data-protection law a monitored contact email is a valid contact point. We will publish a postal or registered-agent address here once one is established.
The app is free today. A paid tier is planned for the future; if and when it launches, we will update this policy to describe any billing-related data before we charge anyone.
2. The data we process, and why
The app is local-first. That means the main place your data lives is your own browser, on your own device — not our servers. Below we split the picture into the three ways data is handled: (a) data your browser fetches from public chess services, (b) optional account data we store in Supabase, and (c) data stored locally in your browser.
(a) Data your browser fetches from public chess services
Chess.com games. When you ask the app to analyze games for a Chess.com username, your own browser contacts Chess.com's public Published-Data API (api.chess.com) directly and downloads those games. Our servers never receive, proxy, or store your Chess.com games. The downloaded games land in your browser's local storage (see section (c)). Because your browser talks to Chess.com directly, that game download is between you and Chess.com and is also governed by Chess.com's own terms and privacy policy.
Opening explorer ("how masters played here"). When you use the opening-explorer feature, the app sends only a board position (a FEN string — a compact description of where the pieces stand) to Lichess through a small server component of ours. No personal data, no usernames, and no information about you or your opponent is included in that request — just the position on the board.
A note on third-party / opponent data. A game record you download naturally names both players and lists the moves both players made. If you analyze your own games, that record will include your opponents. If you look up another player's public username, the games you retrieve will include that player and their opponents. We keep this to a minimum and handle it honestly:
- This third-party game data is processed only transiently in your browser, so the app can display and analyze the game. It is not sent to us and not stored on our servers.
- We do not build profiles of opponents, and opponent identities are never saved to our cloud database (see section (b)).
Analyzing publicly available games — including looking up another player's public games through a public API — is a deliberate design choice for a chess-study tool, and we believe it is a reasonable and expected use of information those services already publish. It is not a claim that it is beyond all question. You are responsible for only requesting data you are entitled to look up. See our Terms of Service for more on acceptable use.
(b) Optional account data (stored with Supabase)
You can use the app without an account. Accounts are an optional feature (and may not be enabled in every version of the app). If you choose to create one, we use Supabase to provide sign-in and to store a small amount of data so your work can sync across your devices. Everything below is protected by row-level security, meaning each account can access only its own rows — you cannot see anyone else's data and they cannot see yours.
| What we store | What it contains | Why |
|---|---|---|
| Your login (handled by Supabase Auth) | Your email address and a hashed password (we never store your password in readable form) | To create and secure your account and sign you in — this is the account you asked for |
| Profile | A profile record keyed to your user_id, which can hold a display name if and when that feature is enabled | To personalize your account (note: the app does not currently collect or write a display name) |
| Linked chess handle | Your own Chess.com (or Lichess) username plus a verification code/status | To confirm the handle is yours and to fetch the right games; ownership verification is a safeguard so the app is used for your own games |
| Analyses | Your own engine output for your games — evaluation changes, accuracy percentages, move classifications, opening names, estimated Elo, and the moves of the game in engine notation — stored under your own linked handle | To save your analysis so it syncs across your devices without re-computing it |
| Library state | Which archive months you have synced | So a new device can rebuild the same library |
| Puzzle progress | Which puzzles you've solved and your puzzle rating | To save your training progress |
Verifying a linked handle. When you link a Chess.com or Lichess handle, you place a short verification code in your public profile (your Chess.com Location field or your Lichess Biography field). To confirm the handle is yours, our server makes a one-time request to that platform's public API to read your own public profile field and check that the code is present. This is the only time our server contacts Chess.com or Lichess on your behalf — your game downloads still go browser-to-platform directly (see section (a)), and this lookup reads only your own public profile, not your games or any opponent data.
Two things we want to be explicit and honest about regarding the cloud store:
- We do not store your raw games, a PGN file, or your opponents, on our servers. The analysis records above are your engine's derived output. They do not contain a stored PGN file, and they do not store either player's username. The analysis does record the moves of the game in engine notation (SAN/UCI/FEN), because move-by-move evaluation is the whole point of the tool — but those moves are never tied to a name, and no opponent is identified. The original game files themselves stay in your browser and can be re-fetched from the source platform.
- The stored analyses are keyed to your own linked chess handle so they sync to the right library. Your own handle is therefore stored; your opponents' identities are not.
(c) Data stored locally in your browser
The primary copy of your data lives on your device, in your browser's IndexedDB and localStorage. This includes:
- your game libraries (the games your browser downloaded),
- the computed analyses,
- your puzzle progress and app settings.
This local data is under your control. It stays on your device until you clear it (for example, by clearing your browser's site data), and we cannot read it remotely. If you never create an account, this local storage — plus the direct-to-Chess.com game downloads and position-only Lichess requests described above — is essentially all the data handling the app involves.
3. Our legal bases (for EU / UK users)
If you are in the European Economic Area or the United Kingdom, the GDPR / UK GDPR requires us to have a lawful basis for each purpose. Here is ours, in plain terms:
- To provide the account and cloud-sync features you sign up for — performance of a contract (GDPR Article 6(1)(b)). When you create an account, we process your email, password, profile, linked handle, analyses, library state, and puzzle progress to deliver the service you asked for.
- Creating an account and the age attestation at sign-up rely on your consent (Article 6(1)(a)), which you give by choosing to register. You can withdraw it at any time by deleting your account (this does not affect processing that already happened).
- Analyzing your own games and running the core study tools — our and your legitimate interests (Article 6(1)(f)) in providing and improving a functional chess-improvement tool, balanced against your rights. Because analysis runs in your browser and most data never leaves your device, the privacy impact is low.
- Verifying that a linked handle is yours — legitimate interests in preventing misuse and keeping the service tied to your own games. This includes the one-time server request to the platform's public API to read your own public profile field (section 2(b)).
An honest note on looking up a third party's public games. When you look up another player's public games through a public API, we rely on legitimate interests (Article 6(1)(f)) for the transient, in-browser handling needed to display and study those games. This is an accepted design choice for a study tool that reads only already-public information, does not store that third party's data on our servers, and does not build profiles of them. We flag it plainly rather than hide it, and you remain responsible for only requesting data you are entitled to access.
We do not use your data for advertising, and we do not carry out automated decision-making that produces legal or similarly significant effects about you.
4. No AI providers — the coach is deterministic
The app's coaching and feedback are produced by a deterministic, rules-and-templates engine. There is no AI/LLM service involved, and none of your data is ever sent to any third-party AI provider. The chess analysis itself is computed by the Stockfish engine in your browser. Your games and analyses are not transmitted to any outside service for the purpose of generating coaching.
5. Who else is involved (subprocessors and other recipients)
We keep third parties to a minimum. We do not use any advertising networks, analytics providers, trackers, Google Analytics, error-tracking services, or similar. We do not sell or rent your personal data (see section 10).
The parties involved in running the service are:
- Supabase — our authentication, database, and hosting provider for account data. If you create an account, Supabase processes and stores the account data described in section 2(b) on our behalf, under our instructions.
- Our hosting provider — a web-hosting/CDN provider that serves the app's files and runs our thin server components (including the position-only Lichess proxy and the one-time handle-verification lookup). It handles standard technical request data (such as IP addresses in server logs) needed to deliver and secure the site.
- Lichess — receives only board positions (FEN), with no personal data, for the opening-explorer feature. Separately, when you link a Lichess handle, our server makes a one-time request to read your own public Lichess profile to confirm your verification code (section 2(b)).
- Chess.com — a data source for your games contacted directly by your own browser, not by our servers, when you download your games. The one exception is handle linking: when you link a Chess.com handle, our server makes a one-time request to read your own public Chess.com profile to confirm your verification code (section 2(b)). We do not send Chess.com your data.
6. International data transfers
We are based in the United States, and the account data described in section 2(b) is stored in the United States with Supabase and our hosting provider. If you are in the EEA or the UK, this means your account data is transferred to and stored in the US.
Where such transfers require a safeguard under the GDPR / UK GDPR, we rely on the appropriate mechanism — the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, as incorporated into our providers' data-processing agreements (Supabase makes these available for the services we use), and/or a relevant adequacy determination where one applies.
7. EU / UK representative (Article 27) — status
We currently have no establishment in the EU or the UK. Under GDPR / UK GDPR Article 27, a controller with no EU/UK establishment that offers services to people there generally must appoint a representative in each region, unless a narrow exemption for occasional, low-risk processing applies.
We have not yet appointed an EU or UK representative. The Service is operated from the United States and is not currently marketed to or targeted at the EU or UK. If and when we begin actively offering accounts to users in the EU or UK, we will appoint the required representatives and name them here. In the meantime, users in the EU or UK can raise any data-protection matter with us directly at joshuadseiler@gmail.com, and always retain the right to contact their supervisory authority (section 12).
8. Cookies and local storage
We do not use advertising cookies, analytics cookies, or any cross-site tracking. We do not follow you around the web.
The only browser storage we use is:
- A Supabase authentication session token — stored in your browser when you are signed in, so you stay logged in. It exists only for signed-in users.
- A first-party, HttpOnly cookie (`coach_sid`) — strictly functional. It is set only by the opening-explorer ("how masters played here") lookups that reach our server, so we can apply fair-use rate limits and protect that endpoint from abuse. It is not set by the in-browser analysis or coaching (those never contact us), and it is not used to track you across other sites.
We also use IndexedDB and localStorage as described in section 2(c) to store your games, analyses, and progress on your own device.
9. How long we keep data
- Account data (Supabase): There is currently no automatic deletion schedule. We keep your account data until you delete it or delete your account. When you delete your account, the deletion cascades and removes your associated rows (profile, linked handles, analyses, library state, and puzzle progress). We do not retain a separate copy after that, other than anything we are required to keep by law or that persists briefly in routine backups before rotating out.
- Local data (your browser): Data stored on your device stays there until you clear it — for example, by using the app's controls, clearing your browser's site data, or deleting the browser profile. It is under your control.
We will only set a fixed retention period if and when we actually implement one, and we will describe it here rather than claim one that does not exist.
10. We do not sell or share your data
We do not sell your personal data, and we do not share it for cross-context behavioral advertising. We run no ads, no analytics, and no third-party trackers. The only parties that ever handle your data are the service providers listed in section 5, and only to make the app work.
11. Your rights and how to use them
Depending on where you live, you may have some or all of the following rights over your personal data: access, rectification (correction), erasure (deletion), restriction of processing, data portability, objection to processing, and withdrawal of consent. You also have the right to lodge a complaint with a data-protection authority (see section 12).
Because the app is local-first, it helps to know which data these rights attach to for us:
- Data in your browser (local): You control this directly. You can view and remove it through the app's controls and your browser's settings, without needing to contact us — we cannot access it remotely.
- Account data in our Supabase cloud store: This is the data we hold and control, so our access/export/deletion duties apply to it.
Self-service tools (for account holders). From your account page you can:
- Export your account data. The export produces a JSON file. Please note the current scope honestly: the export today includes your linked chess handles, your analyses, your library state, and your puzzle progress. It does not yet include your account email address (or a profile display name, if that feature is ever enabled). If you want those items too, email us and we will provide them. (We plan to close this gap.)
- Delete your account. Deletion removes your account and cascades to delete your associated data rows as described in section 9.
By email. For any right you can't fully exercise in the app — including rectification, objection, restriction, withdrawing consent, or a complete copy of everything we hold (including the items the self-service export currently omits) — email joshuadseiler@gmail.com. We will respond within the timeframe required by applicable law. We may need to verify your identity (for example, by confirming control of the account email) before acting, to protect your data.
12. Complaints
If you are in the EU or the UK and believe we have mishandled your personal data, you have the right to complain to a supervisory authority. In the UK, that is the Information Commissioner's Office (ICO). In the EU, it is the data-protection authority in your country of residence, work, or where the issue arose. We'd appreciate the chance to address your concern first — please email us — but you are not required to contact us before complaining to an authority.
13. Security and data breaches
We take reasonable technical and organizational measures to protect your data, including encryption in transit (HTTPS), row-level security so each account can access only its own data, hashed passwords, and keeping raw game files, PGN, and opponent identities off our servers by design. Supabase, our authentication and database provider, maintains its own security controls.
No online service can promise perfect security, and we do not claim your data is 100% secure. If a personal-data breach occurs that is likely to affect you, we will act on our legal obligations — including, where the GDPR / UK GDPR applies, notifying the relevant supervisory authority without undue delay and, where feasible, within 72 hours, and notifying affected users where the law requires it.
14. Children
The app is a general-audience service and is not directed to children. You must be at least 13 years old to use it. If you are under the age of majority where you live, you may use it only with the involvement and consent of a parent or guardian.
If you are in the EU or the UK, please note that in some countries users under 16 need a parent or guardian's consent for online services; where that applies, please only use the app with that consent.
We do not knowingly collect personal data from children under 13. If we learn that we have collected personal data from a child under 13 without the required consent, we will delete it promptly. If you believe a child under 13 has provided us personal data, please email joshuadseiler@gmail.com.
Sign-up includes an age-attestation checkbox confirming that you meet the minimum age. We do not otherwise ask for or verify your exact age.
15. United States privacy notes (California and other states)
We are a small independent operator. We do not sell or share your personal data, and we run no advertising, analytics, or trackers.
We are below the size and activity thresholds at which laws like the California Consumer Privacy Act (CCPA/CPRA) and the Florida Digital Bill of Rights impose their business obligations, so those specific statutory frameworks do not currently apply to us. We are not claiming to be a "business" under those laws, and we are not adopting their formal request procedures here. That said, the rights and self-service tools in section 11 are available to all users regardless of where you live, and our commitment in section 10 (no sale, no sharing, no trackers) applies to everyone.
16. Changes to this policy
We may update this policy from time to time — for example, when we appoint an EU/UK representative, launch a paid tier, or change how the app works. When we do, we will revise the Effective date at the top. For material changes, we will take reasonable steps to make the change more visible (such as an in-app notice or, for account holders, an email). Your continued use of the app after an update means you accept the revised policy, to the extent permitted by law.
17. Contact
Questions, requests, or concerns about this policy or your data:
Email: joshuadseiler@gmail.com
Version 1.0 — published July 10, 2026.