Chess Reel ("we," "us," or "our") operates the website chessreel.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
Chess Reel is operated by KenDev AB (org. nr 556428-6663), Londongatan 23, 418 77 Göteborg, Sweden. VAT number: SE556428666301. Contact: william@kendev.se.
1. Children's Privacy
Chess Reel is designed for chess learners of all ages, including children under 13. We take children's privacy seriously and comply with the Children's Online Privacy Protection Act (COPPA) and the GDPR provisions for children's data.
For users under 13 (COPPA) / under 16 (GDPR)
- We require verifiable parental consent before collecting personal information from children under 13 (or under 16 in applicable EU member states).
- Children may use the Service without an account to view demo games and play training modes. No personal data is collected for unauthenticated use.
- Account creation (which collects an email address) requires parental consent for children under 13.
- We do not condition a child's participation on providing more personal information than is reasonably necessary.
- Analytics and error tracking are opt-in and disabled by default for all users, including children.
- Parents or guardians may review, delete, or refuse further collection of their child's personal information by contacting us at william@kendev.se.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address (via magic link sign-in or Google OAuth) and generate a unique user ID. We do not collect passwords.
2.2 Usage Data (With Your Consent)
If you opt in to usage analytics, we collect page views, navigation patterns, button clicks, feature usage events, browser/device type, and general performance metrics. We do not log PGN content, chess positions, or email addresses in analytics events.
2.3 Error and Performance Data (With Your Consent)
If you opt in to crash reporting, we collect error messages, stack traces, browser/OS information, IP address, session replay data when errors occur, and performance traces.
2.4 Game History
When you are signed in and watch a chess game, we store the game identifier and source (Chess.com or Lichess), player names as provided by the chess platform, game result, final position, move count, and a timestamp. We store a maximum of 100 watched games per user. You can also "like" games, which stores the game identifier and timestamp.
2.5 Payment Information
If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We receive your email address, billing address, and a record of your subscription status. We never receive or store your full credit card number.
2.6 Preferences (Stored Locally)
We store settings such as theme selection, playback preferences, and UI toggles in your browser's local storage. This data never leaves your device.
2.7 Cookies
We use cookies strictly for authentication session management. We do not use advertising or tracking cookies. These are strictly necessary cookies required for the Service to function and do not require separate consent under GDPR.
3. How We Use Your Information
- Provide authentication — email, user ID, session cookies (legal basis: contractual necessity)
- Store your game history — game IDs, watch timestamps (legal basis: contractual necessity)
- Process payments — billing address, subscription status, transaction records (legal basis: contractual necessity and legal obligation under Bokföringslagen)
- Improve the Service — usage analytics, opt-in only (legal basis: consent)
- Fix bugs and errors — error reports, session replay, opt-in only (legal basis: consent)
- Prevent abuse — IP address via error tracking, opt-in only (legal basis: legitimate interest)
4. Your Consent Choices
We use a two-tier consent model. After signing in, you are asked to opt in to each category independently:
- Usage Analytics — helps us understand how the Service is used
- Crash Reporting — helps us identify and fix bugs
Both are disabled by default. You can change your preferences at any time from the Settings section on the home page. Withdrawing consent immediately stops the corresponding data collection.
5. Third-Party Services
5.1 Supabase (Authentication & Database)
- Purpose: User authentication, database hosting, file storage
- Data shared: Email address, user profile, game history
- Privacy policy: supabase.com/privacy
5.2 Statsig (Analytics)
- Purpose: Usage analytics and feature flags
- Data shared: Anonymized usage events, page views, browser info
- Note: Only activated when you grant usage analytics consent
- Privacy policy: statsig.com/privacy
5.3 Sentry (Error Tracking)
- Purpose: Error monitoring, performance tracking, session replay
- Data shared: Error data, IP address, session replay on errors
- Note: Only activated when you grant crash reporting consent. IP addresses are collected when this service is active.
- Privacy policy: sentry.io/privacy
5.4 Vercel (Hosting)
- Purpose: Website hosting and server-side rendering
- Data shared: Standard HTTP request data (IP address, user agent, URL)
- Privacy policy: vercel.com/legal/privacy-policy
5.5 Google (OAuth Authentication)
- Purpose: Optional sign-in method
- Data shared: Authentication tokens (we receive your email address)
- Privacy policy: policies.google.com/privacy
5.6 Noembed (Video Metadata)
- Purpose: Extracting video titles and metadata in admin tools
- Data shared: YouTube/video URLs submitted by admins
- Privacy policy: noembed.com
5.7 Stripe (Payments)
- Purpose: Payment processing for paid subscriptions
- Data shared: Payment card details (handled directly by Stripe, never stored on our servers), email address, billing address, transaction history
- Note: Stripe is a PCI DSS Level 1 certified payment processor. We never see or store your full card number.
- Privacy policy: stripe.com/privacy
5.8 Chess.com & Lichess (Game Data)
When you search for games or load a specific game, your request is sent to the respective chess platform's API. These requests are initiated by you. Data sent includes usernames and game IDs you search for. Data returned includes game data and player information.
Privacy policies: chess.com/legal/privacy | lichess.org/privacy
6. Data Retention
- Account information — until you request account deletion
- Watched games — rolling 100 games per user
- Game likes — until you remove them or request account deletion
- Analytics events — per Statsig's retention policy
- Error reports — per Sentry's retention policy (default 90 days)
- Payment records — as required by Swedish accounting law (Bokföringslagen), minimum 7 years
- Local storage — until you clear your browser data
7. Your Rights
Under GDPR (European Economic Area)
You have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Restriction — limit how we process your data
- Portability — receive your data in a structured format
- Objection — object to processing based on legitimate interest
- Withdraw consent — at any time via Settings
Under CCPA (California)
You have the right to:
- Know — what personal information we collect and why
- Delete — request deletion of your personal information
- Opt-out — of the sale of personal information (we do not sell your data)
- Non-discrimination — for exercising your privacy rights
To exercise any of these rights, contact us at william@kendev.se.
8. Data Security
We protect your data through:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Row-Level Security (RLS) policies ensuring users can only access their own data
- Server-side API keys stored as environment variables, never exposed to the client
- Authentication tokens managed by Supabase with industry-standard security
9. International Data Transfers
Your data may be processed in countries other than your country of residence, including the United States, through our use of cloud services (Supabase, Vercel, Statsig, Sentry). These transfers are governed by the respective service providers' data protection agreements.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or are a parent/guardian requesting information about your child's data, contact us at:
william@kendev.se