Back to home
Legal

Privacy Policy

Effective: July 6, 2026 · Last updated: July 6, 2026

Who we are

GMSomeday ("we", "us", "our") is a personal chess-coaching web application operated by Lemon AI LLC, 1309 Coffeen Avenue STE 1200, Sheridan, Wyoming 82801, United States. You can reach us at gregory@gmsomeday.com.

For the purposes of the EU General Data Protection Regulation (GDPR), Lemon AI LLC is the data controller for personal data processed by GMSomeday. Where a state privacy law such as the California Consumer Privacy Act (CCPA/CPRA) applies to us, Lemon AI LLC is the entity responsible for handling requests under that law.

What we collect

We collect the data needed to generate reports, run accounts, keep the service safe, and understand whether the product is working. Specifically:

  • Submitted chess username. When you submit a Chess.com or Lichess username, we use that username to fetch public game archives and public profile data from that platform's public API. The username may be yours or another publicly visible player, because the report feature works from public chess-platform data. We do not collect chess-platform passwords.
  • Public game data. The games we analyze are publicly hosted by Chess.com and Lichess. We may store PGNs, headers, ratings, timestamps, moves, clock comments where present, positions, FENs, engine evaluations, motifs, missed moves, win-probability changes, openings, verdicts, and other analysis derived from those public games.
  • Account and sign-in data. If you sign in, we store your email address and account identifiers. Google sign-in also provides a Google subject ID and may provide a profile image URL. Magic-link sign-in stores token metadata needed to send and verify the link. We do not use passwords.
  • Session, device, and security data. We store session identifiers, IP address, user agent, timestamps, OAuth state/nonce data, audit events, and related security metadata so we can keep users signed in, prevent account abuse, debug failures, enforce rate limits, and investigate suspicious activity.
  • Product activity data. If you use the app, we store linked usernames, missions, warm-up attempts, play-now sessions, session verdicts, coach-room state, export/delete actions, email subscription status, and similar product records.
  • Email and billing data. If you request magic links, weekly re-scan emails, receipts, or paid features, we process the email address, delivery metadata, subscription status, Stripe customer/subscription identifiers, and payment-webhook records needed to operate those features. We do not store full card numbers.
  • Analytics and diagnostics data. Where analytics or error reporting is configured, PostHog and Sentry may receive events such as page views, app actions, feature usage, referrers, UTM parameters, browser/device information, timestamps, IP-derived coarse location, masked session recordings, logs, and error traces. Analytics are used for product analytics and reliability, not advertising, retargeting, data brokerage, or sale.
  • AI narration inputs and outputs. When the narration harness is enabled, we may send a constrained fact sheet to an OpenAI-compatible LLM provider. The fact sheet can include chess positions, moves, ratings, game IDs, counts, and verified analysis facts. The LLM is used to phrase pre-computed facts, not to decide chess truth.

We do not knowingly collect: government identifiers, financial information, health information, biometric data, sexual orientation, political opinions, trade-union membership, or genetic data.

Why we collect it

We process your data on the following legal bases under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)) — to create and maintain your account, generate reports and missions you request, provide exports, process account deletion, send magic links, and operate paid features you choose to use.
  • Legitimate interests (Art. 6(1)(f)) — to analyze public chess-platform data submitted through the service, cache public game archives, keep the product secure, prevent abuse, improve reliability, understand product usage, debug errors, and measure whether the coaching loop is useful. We limit this to data that is necessary for those purposes and let affected users object or request deletion where applicable.
  • Legal obligation (Art. 6(1)(c)) — where we need to retain records for tax, accounting, payment, dispute, security, or legal compliance.
  • Consent (Art. 6(1)(a)) — only where we ask for consent, such as if we later add non-essential browser cookies that require opt-in consent in your region. We do not treat silence, inactivity, or pre-ticked choices as consent.

Cookies and analytics

We use strictly necessary cookies for authentication and security, including the gms_session session cookie and short-lived OAuth cookies such as gms_oauth_state and gms_oauth_nonce. These are needed for sign-in, session continuity, CSRF protection, and account security.

As of the effective date above, the Astro landing pages do not load a PostHog analytics script. The app can load PostHog when a project key is configured; the current app configuration uses memory persistence rather than a persistent PostHog browser cookie. PostHog events may still be sent by the frontend or backend when analytics is enabled.

If we add non-essential analytics, advertising, or preference cookies that require consent in your region, we will ask before setting them and will make withdrawal as easy as giving consent.

Service providers and third parties

To run the service, we use the following providers and third-party services:

  • Chess.com and Lichess — public chess-platform APIs used to fetch public profile and game data for submitted usernames. Those platforms are separate services with their own terms and privacy policies.
  • PostHog, Inc. (United States) — product analytics, app events, and masked session recordings when analytics is configured. Their privacy practices are described at posthog.com/privacy.
  • Sentry — error reporting, performance diagnostics, and reliability monitoring when configured.
  • Google — Google OAuth sign-in, if you choose to use it.
  • AgentMail — transactional email delivery, including magic links, weekly re-scan links, and service emails when email is configured.
  • Stripe — checkout, subscriptions, invoices, payment method handling, and payment webhooks if paid features are enabled.
  • LLM and rating-context providers — OpenAI-compatible LLM providers and Maia/rating-context services when configured for narration or rating-relative analysis. We send constrained analysis facts, not chess-platform passwords or card numbers.
  • Infrastructure providers — hosting, database, object/storage, networking, DNS, TLS, and delivery providers, currently including Hetzner and Cloudflare where configured.

We do not sell your personal information, and we do not share it with advertising networks, data brokers, or social-media platforms.

How long we keep your data

  • Public game archives and derived analysis. Public chess games are immutable public records on Chess.com and Lichess. We may cache public game archives and derived analysis for as long as needed to provide reports, avoid repeated API fetches, improve reliability, and maintain abuse controls. You may ask us to delete or de-link data associated with you, and we will honor the request unless we need a limited record for security, legal, or dispute reasons.
  • Account and product data. Kept while your account is active and deleted when you delete your account or ask us to delete it, subject to limited exceptions for audit logs, security records, payment records, backups, and legal obligations.
  • Sessions and magic links. Session cookies currently have a 30-day sliding lifetime. Magic-link tokens expire after a short period and are single-use. Related security/audit records may be retained longer to prevent abuse and investigate incidents.
  • Analytics and diagnostics. Retained according to the configured provider/project retention settings and our operational need to measure product reliability and usage.
  • Backups. Deleted data may remain in encrypted backups for a limited period until those backups expire, unless restoring it is necessary for security, legal, or disaster-recovery reasons.

Your privacy rights

If you are in the EU/EEA or the United Kingdom, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data ("right to be forgotten").
  • Restrict or object to our processing of your data.
  • Receive a portable copy of your data in a commonly used format (JSON).
  • Withdraw consent at any time (for processing based on consent — e.g., analytics cookies).
  • Lodge a complaint with your local data-protection authority (EU/UK) or the competent privacy regulator.

To exercise any of these rights, email gregory@gmsomeday.com. We respond within 30 days. There is no fee.

If a US state privacy law applies to us and to your request, you may have rights to know, access, correct, delete, obtain a portable copy of, or opt out of certain uses of personal information. We do not sell personal information and do not share personal information for cross-context behavioral advertising. We do not use sensitive personal information to infer characteristics about you.

If the data at issue is a public chess-platform username or public game archive that another user submitted, email us with enough information to identify the relevant platform and username. We may need to verify the request before deleting, de-linking, or suppressing data associated with that username.

International data transfers

We are based in the United States and use providers in the United States and other countries. When we transfer personal data from the EEA/UK to countries without an adequacy decision, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, UK transfer mechanisms where applicable, and provider security commitments required by GDPR Chapter V.

Children's privacy

The service is not directed at children under 13. In the EEA/UK, the service is not directed at children below the age at which they can lawfully consent to an information-society service in their country without parental authorization. We do not knowingly collect personal data directly from children. If you believe a child has used the service or that a child's username has been submitted, contact us at gregory@gmsomeday.com and we will take appropriate deletion or suppression steps.

Security

We use TLS for data in transit, HttpOnly/Secure/SameSite session cookies in production, OAuth state and PKCE, single-use magic links, CSRF protections, access controls, audit logs, provider secrets stored outside source control, and restricted production-data access. No security measure is perfect; if you discover a vulnerability, please email gregory@gmsomeday.com.

Changes to this policy

If we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify active users by email or an in-app banner. The previous version of the policy will remain available on request.

Contact us

For any privacy question, including data-subject requests, email gregory@gmsomeday.com. We aim to respond within 30 days.

GDPR/UK representative: we have not appointed a separate EU or UK representative as of the effective date above. EEA/UK users may contact us directly using the email or postal address above. We have not appointed a Data Protection Officer.