ChessMem

Privacy Policy

Last updated: 15 May 2026

1. Introduction

This Privacy Policy explains how we collect, use, and protect your personal information when you use our chess opening trainer service.

Data Controller: AVDC Ltd, a company registered in England & Wales (Company No 14303849). In this policy, "we", "our", and "us" refer to AVDC Ltd, trading as ChessMem.

Contact for privacy questions: support@avdcltd.com.

2. Information We Collect

Data Type	Purpose
Email address	Account identification, important notifications
Name (from Google or Apple sign-in)	Personalisation, leaderboard display
Practice progress, notes, favourites	Track your learning, spaced repetition, sync across devices
Subscription status	Manage your access level
Chess.com handle and game records (optional)	Generate Game Analysis reports when you opt in
Server logs (request, error, timing)	Operate the service and diagnose bugs. We do not run third-party analytics or advertising SDKs in the app.

3. How We Use Your Information

We use your information to:

Provide and maintain the ChessMem service
Track your learning progress across sessions
Process payments and manage subscriptions
Send important account notifications (sign-up confirmation, password reset)
Diagnose bugs and operate the service

We do not:

Sell your personal data to third parties
Send marketing emails without consent
Share your data with advertisers
Run third-party analytics or tracking SDKs in the app

3a. Lawful Basis for Processing (UK GDPR Article 6)

We rely on the following legal bases to process your personal data:

Contract (Art 6(1)(b)): account creation, sign-in, syncing progress across devices, processing subscriptions — necessary to deliver the service you signed up for.
Consent (Art 6(1)(a)): optional features that require explicit opt-in, such as Game Analysis (where you choose to share your Chess.com handle so we can fetch your public games).
Legitimate interests (Art 6(1)(f)): operating, securing, and improving the service — including server logs for diagnostics, fraud prevention, and aggregate (non-identifying) usage statistics for product decisions.
Legal obligation (Art 6(1)(c)): retaining payment records for the period required by UK tax and financial reporting law.

Where we process your data under consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal — see Section 7 for how.

4. Data Storage

Your data is stored securely using:

Supabase: Database hosting (PostgreSQL) with encryption at rest
Stripe: Payment processing (we never see your full card number)
Google: Authentication only (we receive your email and name)

All data is transmitted over HTTPS encryption.

5. Third-Party Services

We use the following third-party services:

Google Sign-In: For authentication when you choose Google login (Google Privacy Policy)
Sign in with Apple: For authentication on iOS when you choose Apple login (Apple Privacy Policy)
Apple App Store / StoreKit: For in-app purchases and subscriptions on iOS (Apple Privacy Policy)
Stripe: For payment processing on the web (Stripe Privacy Policy)
Supabase: For database hosting and authentication (Supabase Privacy Policy)
Resend: For transactional email delivery, e.g. account verification and password reset (Resend Privacy Policy)
Netlify: For web hosting and content delivery (Netlify Privacy Policy)

6. Cookies and Local Storage

We use:

Authentication tokens: Stored in localStorage to keep you signed in
Practice data: Cached locally for offline access and performance

We do not use tracking cookies or third-party advertising cookies.

7. Your Rights

You have the following rights under UK GDPR (and the equivalent rights under EU GDPR if you are in the EEA):

Access (Art 15): request a copy of your personal data.
Rectification (Art 16): correct inaccurate or incomplete information.
Erasure / "right to be forgotten" (Art 17): request deletion of your account and data. You can do this directly in-app: Settings → Account → "Delete account" at the bottom of the tab. This permanently removes your account and all linked data from our database.
Restriction (Art 18): ask us to stop processing your data in specific circumstances (e.g. while a dispute about its accuracy is resolved).
Portability (Art 20): receive a copy of the data you provided to us in a structured, machine-readable format.
Objection (Art 21): object to processing carried out under our legitimate interests (see Section 3a).
Withdraw consent (Art 7): for any processing we rely on consent for, you can withdraw at any time.

How to exercise these rights:

Deletion: use the in-app Settings → Account → "Delete account" link.
Access, rectification, portability, restriction, objection, or withdrawing consent: email support@avdcltd.com with your request. We will respond within one month (extendable by a further two months for complex requests, with notice).

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk), or your local data protection supervisory authority if you are based outside the UK.

8. Data Retention

Active accounts: Data retained while account is active
Deleted accounts: Data deleted within 30 days of request
Payment records: Retained for 7 years (legal requirement)

9. Children's Privacy

ChessMem is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us immediately.

10. International Transfers

Most of your personal data is stored on European servers — our Supabase database is hosted in the EU (Stockholm region) and our transactional email provider Resend is in the EU (Ireland region).

Some data is transferred outside the UK / EEA in order to deliver specific service features:

Stripe (United States): payment processing for web purchases. Transfers covered by the European Commission's Standard Contractual Clauses (SCCs) and Stripe's Data Processing Agreement.
Apple App Store and StoreKit (global): in-app purchases and subscriptions on iOS, governed by Apple's own data protection terms.
Netlify (United States, with a global CDN): web hosting and content delivery. Transfers covered by Netlify's SCC-based Data Processing Agreement.
Google Sign-In (United States, when you choose Google login): governed by Google's terms.

For all transfers to the United States we rely on Standard Contractual Clauses as the legal mechanism under UK GDPR Article 46. We do not transfer your data to countries that the UK Information Commissioner's Office considers inadequate without an appropriate safeguard in place.

11. Security

We implement appropriate technical and organisational measures to protect your data, including:

Encryption in transit (HTTPS/TLS)
Encryption at rest (database encryption)
Access controls and authentication
Regular security reviews

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. Continued use after changes constitutes acceptance.

13. Contact Us

For privacy-related questions or requests:

Email: support@avdcltd.com

Postal: AVDC Ltd, Company No 14303849, registered in England & Wales.

Back to ChessMem