Privacy Policy

Last updated: March 2026

This privacy policy explains how Shahmat Analytics Ltd (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our website at shahmat.io and our chess analytics services (the “Service”).

We are a company registered in England and Wales. We are the data controller for the personal data we process about you. We take your privacy seriously and are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

If you have any questions about this policy or how we handle your data, please contact us at: privacy@shahmat.io

1. What personal data we collect

We collect different types of personal data depending on how you interact with our Service:

1.1 Account information

When you create an account, we collect your email address, display name, and authentication credentials. Account creation and authentication are managed by our third-party authentication provider, Supabase. Supabase may also collect device information and IP addresses for security purposes. Please refer to Supabase’s privacy policy for details on their data handling practices.

1.2 Chess data

When you use our Service, we collect and process:

  • your chess game records (PGN files) that you import from third-party platforms such as chess.com or Lichess, or upload directly
  • your chess platform usernames (chess.com, Lichess) that you provide to us for game import
  • the analytical data we generate from your games, including move-by-move evaluations, statistical metrics, and performance assessments

1.3 Usage data

We automatically collect certain technical information when you visit our website, including your IP address, browser type and version, device information, pages visited and time spent on each page, and referring website address. We use Google Analytics 4 for this purpose, but only with your consent (see our Cookie Policy for details).

1.4 Payment data

When you purchase credit packages, payment processing is handled entirely by Stripe. We do not receive, store, or have access to your full credit card details. Stripe provides us with a transaction reference, the amount paid, and a partial card identifier for your records. Please refer to Stripe’s privacy policy for details on their data handling.

1.5 AI coaching data

If you use our AI-powered game review feature, your game data (moves, evaluations, and statistical metrics) is sent to Google’s Vertex AI (Gemini) to generate personalised coaching feedback. This data is used solely for the purpose of generating your review and is subject to Google’s data processing terms.

2. Our lawful basis for processing your data

Under the UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:

| Lawful basis | Data processed | Purpose |
|---|---|---|
| Contract | Account info, chess data, payment data | To provide our Service to you, including game analysis, report generation, and AI coaching |
| Legitimate interest | Usage data, technical logs | To maintain security, prevent fraud, improve our Service, and ensure system stability |
| Consent | Analytics cookies, marketing | To understand how our website is used (Google Analytics) and, if applicable, to send you marketing communications |
| Legal obligation | Transaction records | To comply with tax, accounting, and regulatory requirements |

3. How we use your personal data

We use your personal data to:

  • create and manage your account
  • import, analyse, and store your chess games
  • generate analytical reports and performance insights
  • provide AI-powered game reviews
  • process payments for credit packages
  • communicate with you about your account or our Service
  • monitor and improve the performance and security of our Service
  • comply with legal obligations

4. Who we share your data with

We share your personal data with the following third-party service providers who process data on our behalf. Each of these providers is bound by data processing agreements and is required to protect your data in accordance with applicable data protection laws.

| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Authentication & Database | Email, name, session data | EU (Stockholm) |
| Supabase | Database | Account data, game records | United States |
| Google Cloud Platform | Analytics storage, hosting, AI | Game analysis data, usage metrics | London (europe-west2) |
| Hetzner | Chess engine analysis | Game data (transient processing) | Germany (EU) |
| Cloudflare | CDN, DNS, security | IP addresses, traffic data | Global edge network |
| Stripe | Payment processing | Payment information | United States / EU |
| Google Analytics | Website analytics | Anonymised usage data (with consent) | United States |

We do not sell your personal data to any third party. We do not share your data with third parties for their own marketing purposes.

5. International data transfers

Some of our third-party service providers are located outside the United Kingdom. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) approved by the ICO; the UK Extension to the EU-US Data Privacy Framework, where applicable; and transfers to countries with an adequacy decision from the UK government (including the European Economic Area).

Google Cloud Platform processes and stores your analytical data in our London (europe-west2) region. Hetzner processes your game data in Germany, which is covered by the UK’s adequacy decision for the EEA.

6. How long we keep your data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

| Data type | Retention period | Reason |
|---|---|---|
| Account information | Until you delete your account | Required to provide the Service |
| Chess game data and analysis | Until you delete your account or request deletion | Core service delivery |
| Payment records | 7 years after transaction | UK tax and accounting requirements |
| Server logs | 90 days | Security and debugging |
| Analytics data (GA4) | 14 months (Google default) | Service improvement |

When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required by law to retain it (such as financial records).

7. Your rights under UK GDPR

Under the UK GDPR, you have the following rights in relation to your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct any inaccurate or incomplete personal data.
  • Right to erasure: You can ask us to delete your personal data in certain circumstances (for example, if we no longer need it for the purpose it was collected).
  • Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability: You can request your personal data in a structured, commonly used, machine-readable format. For chess data, we can provide your original PGN files and analytical data in standard formats.
  • Right to object: You can object to our processing of your data where we rely on legitimate interest as our lawful basis.
  • Right to withdraw consent: Where we process your data based on consent (such as analytics cookies), you can withdraw your consent at any time. This will not affect the lawfulness of any processing carried out before you withdrew your consent.

To exercise any of these rights, please contact us at privacy@shahmat.io. We will respond to your request within one month of receiving it, as required by law. If your request is complex, we may extend this by a further two months, but we will inform you of this within the initial one-month period.

8. How we protect your data

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

  • encryption of data in transit using TLS/HTTPS across all services
  • encryption of data at rest in our database and storage systems
  • access controls and authentication for all internal systems
  • regular security updates and monitoring of our infrastructure
  • use of firewalls, intrusion detection, and DDoS protection via Cloudflare
  • secure handling of credentials and API keys via Google Cloud Secret Manager

9. Children’s data

Our Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@shahmat.io and we will take steps to delete that data.

10. Automated decision-making

Our Service uses automated processing to analyse your chess games and generate performance reports. This processing does not produce legal effects or similarly significant effects on you. The analysis is provided purely for informational and educational purposes to help you improve your chess. Our AI-powered game reviews use artificial intelligence to generate coaching feedback, but no automated decisions are made about you as a person based on this processing.

11. How to complain

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: ico.org.uk

We would appreciate the opportunity to resolve your concerns directly before you contact the ICO. Please reach out to us at privacy@shahmat.io in the first instance.

12. Changes to this privacy policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, by email. The “Last updated” date at the top of this policy indicates when it was last updated.