Last updated: May 13, 2026
Bright Moves (brightmoves.org) provides expert chess coaching for players of all levels.
Please don't type personal details — your full name, address, school, or phone number — into the AI tutor. Before your message is sent it is automatically scrubbed of emails, phone numbers, and payment details, and the tutor's replies are generated by Anthropic (Claude). Your birth year is used only to check your age and is never stored.
We compute simple statistics about your own games for you, and we keep aggregate, non-identifying usage counts (such as how many games were played on a given day) to operate the service — see “How we use your data” below. We do not use third-party analytics services, tracking pixels, or advertising cookies.
We use your contact information to respond to inquiries and manage coaching session bookings. We do not use your data for marketing, advertising, or to profile you against other players.
We show you statistics and trends about your own games (such as how often you play as each colour and your recent win rates). These are computed from your own game history and are visible only to you. They are simple arithmetic over your games — not a comparison to other players, not a ranking or leaderboard, and not generated by AI. The legal basis is performance of our contract with you (GDPR Art. 6(1)(b)). Because these statistics are derived from your game records, deleting your account removes them on the same cascade as the underlying games (see the account-deletion section below).
Separately, we keep aggregate, non-identifying counts about overall service usage (for example, how many games were played on a given day, broken down by time control and outcome) to operate and improve Bright Moves. These aggregates contain no usernames, user IDs, or any data that identifies you, and the legal basis is our legitimate interest (a legal basis that lets us process data for a specific operational reason without requiring your explicit consent) in running the service (GDPR Art. 6(1)(f)). Because these counts identify no one, they are not linked to your account and are not removed when you delete your account — there is nothing in them that is yours to delete.
We do not sell or share your personal information with any other third parties.
When you choose to import your games into Bright Moves, we fetch publicly available game records from the chess platform you specify. Imports are always user-initiated — Bright Moves does not automatically pull data from these platforms in the background, and you must tick a consent checkbox confirming you own the games before each import runs.
For each imported game: the move list (PGN), the date played, the opponent's username as recorded in the PGN headers, your and your opponent's ratings at the time, the time control, the result, and the game's URL on the source platform. We do not import private messages, friend lists, profile photos, email addresses, or any other personal data from these platforms.
Bright Moves is the data controller for the imported game records once they are inside our system. chess.com and lichess.org are independent data sources — not our sub-processors. They control their own platforms under their own privacy policies.
Consent (GDPR Art. 6(1)(a)) for processing the games of the account you own. You must tick a non-pre-checked consent box on the import page warranting that you own the games before the import runs. That consent is logged with your account for our records.
For data about your opponents that arrives inside the PGN (their username and rating), our legal basis is legitimate interest (GDPR Art. 6(1)(f)) under a documented balancing test (LIA-2026-001). The data is already public on the source platform; we ingest only what is required to display your game; we do not profile or further disseminate it. Opponents can email [email protected] to request erasure of their identifying information from imported games.
You can delete imported games at any time from your Bright Moves account. Deleting your Bright Moves account removes the imported game records on the same cascade as the rest of your data (see the account-deletion section below). Removing a game from Bright Moves does not delete it from chess.com or lichess.org — those platforms are governed by their own deletion processes.
When you sign in, sign up, reset your password, or submit certain other forms on Bright Moves, your browser loads a small piece of JavaScript from Cloudflare Turnstile. Turnstile checks whether the request is coming from a real person or an automated bot.
Your IP address, your browser's user agent string, signals about your browser environment (such as available APIs, runtime characteristics, and timing of interactions on the page), and the URL of the page where the form is shown.
Your email, password, name, the contents of any form fields, or any data you typed into the page. Turnstile evaluates the environment of your browser, not your identity.
Without bot protection, attackers can use scripted tools to attempt millions of logins, create fake accounts at scale, or knock our services offline. Turnstile prevents this with minimal friction for real users — most legitimate visitors are verified silently with no challenge presented.
Under GDPR Article 6(1)(f), our legitimate interest in protecting our users and services from abuse, fraud, and denial-of-service. We have conducted a balancing test and concluded that this processing is necessary, proportionate, and that the user benefit (protection against account takeover and abuse) outweighs the limited privacy impact of the bot detection signals.
The Turnstile JavaScript sends signals directly from your browser to Cloudflare. Cloudflare returns a single-use verification token to your browser. Your browser passes that token to Bright Moves. Bright Moves asks Cloudflare to validate the token (server-to-server). We never store the raw token, and we never see your full IP address in long-term audit logs.
Cloudflare's global edge network. For users in the EU/EEA, processing typically occurs at the EU point of presence nearest to you, with possible failover to other regions. International transfers (including any to the United States) are governed by Standard Contractual Clauses and Cloudflare's published transfer mechanisms.
Cloudflare's retention of Turnstile signals is governed by Cloudflare's privacy policy. Bright Moves does not retain raw Turnstile data; we keep only a yes/no verification outcome and an opaque request ID for security audit, plus a hashed-and-salted IP rotated daily.
You can exercise access, deletion, restriction, and objection rights against Bright Moves by emailing [email protected]. Because Turnstile signals are processed by Cloudflare and are not directly tied to your account, your most effective rights against Cloudflare-held data are exercised against Cloudflare directly under their privacy policy. We will assist you in routing such requests if asked.
Because Turnstile is processed under legitimate interest, you have the right to object. If you object, we will work with you to find an alternative authenticated pathway (for example, identity-verified email support) so you can still use sign-in, sign-up, password reset, and OTP flows without going through Turnstile.
We use essential cookies only — a cookie consent preference stored in your browser. No tracking or advertising cookies. Cloudflare Turnstile may set a short-lived clearance token in browser storage on Cloudflare's ownchallenges.cloudflare.comorigin to avoid re-challenging your browser within seconds. This is a security mechanism, not a tracking mechanism, and falls under the ePrivacy Directive's "strictly necessary" exemption.
Bright Moves serves chess students of all ages, including children. When you visit a sign-up page, your browser briefly interacts with a bot-protection service to verify you are not an automated program. This happens before our age gate. The bot-protection service receives only technical signals about your browser — never your age or identity. If you are under our minimum age, our age gate prevents account creation and we do not retain any data about your visit. See the bot protection section above for details on the third-party service we use.
You can delete all of your Bright Moves data — AI tutor history, AI commentary, imported games, consent records, and audit logs — from your account settings page. The deletion happens in a single Postgres transaction: either every row tied to your user ID across all seven user-keyed tables is removed, or none of it is and the request fails so you can retry. Your sign-in account on auth.brightmoves.org is deleted on the same path so you can re-register cleanly.
For all other rights or any questions, contact [email protected] or [email protected].
We do not sell personal information. We have never sold personal information and have no plans to do so.
Privacy inquiries: [email protected]