Privacy Policy
Last updated: 22 May 2026
1. Who we are
PhiChess is a matchmaking platform for Chess.com Family Plan sharing. We are not affiliated with Chess.com or Chess.com, LLC. References to "we", "us", or "PhiChess" refer to the PhiChess platform.
2. What data we collect
When you use PhiChess, we collect:
- Email address — provided on signup; used for authentication and transactional emails, and shown to a listing's host when you apply to it (see Section 4)
- Chess.com username — provided voluntarily to verify your identity as a chess player
- Chess.com profile data — fetched from the public Chess.com API: rating, games played, member-since date, and country
- Listing content — slots available, price, country, and optional notes you write when posting a listing
- Payment instructions — the payment method and handle (e.g. PayPal email, Venmo handle) you paste into your listing as a host. Visible only to you and to applicants whose application you have accepted.
- Application messages — optional messages you write when applying to a listing
- Usage data — pages visited, clicks, browser version, approximate location (country) inferred from IP. See Section 8.
We do not collect or store payment information (card numbers, bank details), phone numbers, or government ID.
3. How we use your data
- To authenticate your account and maintain your session
- To display your Chess.com profile on listings to build trust with other users
- To share your email and Chess.com username with a listing's host when you apply, so they can evaluate applicants and coordinate the plan (see Section 4)
- To send transactional emails (e.g. application notifications, listing expiry reminders)
- To monitor for errors, performance issues, and abuse using the third-party services in Section 5
- We do not use your data for advertising or sell it to any third party
4. What is visible to other users
- Public listings show a masked version of the host's Chess.com username (e.g. magn★★★sen), plus rating, games played, member-since year, and country.
- Full Chess.com username — once you apply to a listing, the host's full Chess.com username becomes visible to you, and your full Chess.com username becomes visible to the host, regardless of whether the host later accepts or declines you. The host always sees their own.
- Applicant email visible to the host. When you apply to a listing, the host can see the email address on your account as soon as you apply, including while your application is pending and if the host later declines it. We make your email visible to the host so they can evaluate applicants and coordinate the Chess.com Family Plan invite and payment with the people they accept. If a host declines your application, your email stays visible to that host for 30 days (so they can reconsider) and is then hidden from their view automatically. Only the host of the listing you applied to can see your email — other applicants to the same listing cannot. The host's own email is sent to you only if and when the host accepts your application (delivered via transactional email through Resend), so you can then coordinate the invite and payment.
- Payment instructions are visible only to the host and to applicants whose application has been accepted. They are never visible to logged-out visitors or to other applicants.
- Application messages are visible only to the host of the listing you applied to.
5. Third-party services
PhiChess relies on the following third-party processors:
- Supabase — database and authentication, hosted on AWS. Privacy Policy
- Vercel — website hosting and CDN. Privacy Policy
- Resend — transactional email delivery. Privacy Policy
- Google OAuth — used if you choose "Sign in with Google". We receive your email and Google profile name. Privacy Policy
- PostHog — product analytics, error tracking, and (for a sample of sessions) session replay with form fields masked. Privacy Policy
- Google Analytics 4 — aggregate traffic analytics. Privacy Policy
- Chess.com public API — read-only, used to verify usernames and fetch profile stats. No Chess.com account credentials are stored.
6. Data retention
Account data, listings, and applications are retained for as long as your account is active. Listings auto-expire after 60 days but remain in our database for reference and fraud prevention. Where a listing is deleted by its host, it is hidden everywhere on the platform; underlying application records may be retained for reference and fraud prevention.
When you apply to a listing, the email on your account becomes visible to that listing's host (see Section 4). It remains visible to the host while your application is pending or accepted. If the host declines your application, your email stays visible to that host for 30 days and is then automatically hidden from their view. The host is permitted to use your email only to evaluate applicants and coordinate that specific listing, and not for marketing or unsolicited contact. You can also have your email removed from a host's view sooner by deleting your application, and you can request deletion of your account and all associated personal data at any time (see Section 7).
If you request account deletion, we delete your profile, listings, and applications within 30 days, except where we are required to retain records by law. Analytics events (PostHog, GA4) are retained per the third-party processor's default retention window — typically 12 months for PostHog and up to 14 months for GA4.
7. Your rights
Depending on where you live, you may have rights to access, correct, port, or delete your personal data. You can export your data or delete your account at any time from your account settings. You can also email support@phichess.com to exercise any of these rights, and we will respond within 30 days.
8. Cookies, analytics, and session recording
We use first-party cookies for two purposes:
- Authentication — to keep you signed in across page loads.
- Product analytics — PostHog and Google Analytics 4 set first-party cookies to count pageviews and approximate sessions. These are set only after you accept analytics cookies in our cookie banner; you can change your choice at any time via "Cookie preferences" in the footer. We do not run advertising or behavioural-targeting cookies.
A small percentage of sessions may be recorded by PostHog as anonymised replays for the purpose of debugging and improving the product. All form inputs (passwords, payment instructions, application messages) are masked in the recording so their content is never visible to us.
9. Age requirement
PhiChess is not intended for use by anyone under the age of 18. If you believe an account belongs to someone under 18, please contact support@phichess.com and we will delete the account and any personal data.
10. Security
We protect your data with TLS encryption in transit, encryption at rest provided by Supabase, and row-level security policies that restrict each user's access to their own data and the listings they participate in. Passwords are checked against the HaveIBeenPwned breached-password database before being accepted. No system is 100% secure; in the event of a data breach affecting your personal data, we will notify you as required by applicable law.
11. International data transfers
Your personal data is stored on servers located in the United States. If you access PhiChess from outside the United States, your data will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
12. Changes to this policy
We may update this policy from time to time. We will update the date at the top of this page when we do. Continued use of PhiChess after changes constitutes acceptance of the updated policy.