Privacy Policy
Last updated: June 4, 2026
1. Who we are
Refine Chess ("the Service") is operated by Leonardo Amato, a sole proprietor based in Italy ("we", "us", "our"). For privacy-related questions, contact: support@refine.coach.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Service. It complies with the EU General Data Protection Regulation ("GDPR") and Italian data protection law.
2. What data we collect
2.1 Data you provide
- Account info: email address, password (hashed), language preference
- Chess platform username: chess.com and/or Lichess username you choose to link
- Communications: chat messages with our AI coach "Tempo", feedback you submit
2.2 Data we collect automatically
- Usage data (via PostHog, EU Cloud): pages visited, buttons clicked, session duration, features used
- Device data: browser type, operating system, language, approximate location (country level)
- Authentication tokens: managed by Supabase Auth for keeping you logged in
2.3 Data we retrieve from third parties
- Chess games: from chess.com Public API and Lichess API, using the public username you provide. We retrieve only games that you have played and that are publicly accessible.
- Google profile (if you use Google OAuth): email address and basic profile info as authorized by you
2.4 Data we do NOT collect
- Financial / payment information
- Phone numbers
- Physical addresses
- Government IDs
- Sensitive categories (health, religion, political opinions, etc.)
3. Why we collect data — purposes and legal bases
- Create and manage your account — Email, password — Contract performance (GDPR Art. 6.1.b)
- Provide chess coaching — Games, chat history — Contract performance (6.1.b)
- Personalize coaching — Games, weakness patterns — Legitimate interest (6.1.f)
- Send service-related emails — Email — Contract performance (6.1.b)
- Improve the Service via analytics — Usage data — Consent (6.1.a), opt-in via cookie banner
- Detect abuse, fraud, security threats — All data — Legitimate interest (6.1.f)
- Comply with legal obligations — All data — Legal obligation (6.1.c)
4. Third parties we share data with
We use the following data processors:
- Supabase, Inc. — Database, authentication — US/EU — supabase.com/privacy
- Anthropic PBC — AI coach (chat messages sent for processing) — US — anthropic.com/legal/privacy
- PostHog Inc. — Product analytics (EU Cloud, data stays in EU) — EU — posthog.com/privacy
- Lovable — Application hosting — lovable.dev/privacy
- Cloudflare, Inc. — DNS, CDN, email routing — Global — cloudflare.com/privacypolicy
- Google LLC — OAuth login (if used) — US — policies.google.com/privacy
- chess.com — Source of your public game data — US — chess.com/legal/privacy
- Lichess.org — Source of your public game data — EU — lichess.org/privacy
We do not sell your personal data.
5. International data transfers
Some processors are located outside the European Economic Area ("EEA"), primarily in the United States. When data is transferred outside the EEA, it is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards under EU adequacy decisions.
6. How long we keep your data
- Account data: until you delete your account
- Chess games and analyses: until you delete your account
- Chat history with Tempo: until you delete your account
- Feedback submissions: until you delete your account, or 3 years, whichever is shorter
- Analytics data (PostHog): 1 year
- Backups: up to 90 days after account deletion
- Security / error logs: 90 days
When you delete your account, we permanently erase your data within 30 days, except where legal obligations require longer retention.
7. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase ("right to be forgotten") your data
- Restrict processing in certain cases
- Object to processing based on legitimate interest
- Data portability: receive your data in a structured, machine-readable format
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with the Italian Data Protection Authority ("Garante", garanteprivacy.it) or your local supervisory authority
To exercise any right, email: support@refine.coach. We respond within 30 days.
8. Data security
We implement reasonable technical and organizational measures:
- TLS encryption in transit
- Passwords hashed with bcrypt (via Supabase Auth)
- Database row-level security (RLS)
- Access restricted to the operator
No system is 100% secure. If a data breach affects your data, we will notify you and the Garante within 72 hours as required by GDPR.
9. Cookies
See our Cookies Policy for details on cookies and similar technologies we use.
10. Children's privacy
The Service is not directed at children under 13. We do not knowingly collect data from children under 13. If a child has provided us with data, email support@refine.coach and we will delete the account.
11. Changes to this policy
We may update this Privacy Policy. We will notify you of material changes via email at least 30 days in advance. The "Last updated" date reflects the latest version.
12. Contact
For any privacy question or request:
- Email: support@refine.coach
- Data controller: Leonardo Amato (sole proprietor), Italy