Last updated: May 13, 2026
Bright Moves (brightmoves.org) provides expert chess coaching for players of all levels.
We do not use analytics, tracking pixels, or advertising cookies.
We use your contact information to respond to inquiries and manage coaching session bookings. We do not use your data for marketing or profiling.
We do not sell or share your personal information with any other third parties.
When you choose to import your games into Bright Moves, we fetch publicly available game records from the chess platform you specify. Imports are always user-initiated — Bright Moves does not automatically pull data from these platforms in the background, and you must tick a consent checkbox confirming you own the games before each import runs.
For each imported game: the move list (PGN), the date played, the opponent's username as recorded in the PGN headers, your and your opponent's ratings at the time, the time control, the result, and the game's URL on the source platform. We do not import private messages, friend lists, profile photos, email addresses, or any other personal data from these platforms.
Bright Moves is the data controller for the imported game records once they are inside our system. chess.com and lichess.org are independent data sources — not our sub-processors. They control their own platforms under their own privacy policies.
Consent (GDPR Art. 6(1)(a)) for processing the games of the account you own. You must tick a non-pre-checked consent box on the import page warranting that you own the games before the import runs. That consent is logged with your account for our records.
For data about your opponents that arrives inside the PGN (their username and rating), our legal basis is legitimate interest (GDPR Art. 6(1)(f)) under a documented balancing test (LIA-2026-001). The data is already public on the source platform; we ingest only what is required to display your game; we do not profile or further disseminate it. Opponents can email [email protected] to request erasure of their identifying information from imported games.
You can delete imported games at any time from your Bright Moves account. Deleting your Bright Moves account removes the imported game records on the same cascade as the rest of your data (see the account-deletion section below). Removing a game from Bright Moves does not delete it from chess.com or lichess.org — those platforms are governed by their own deletion processes.
When you sign in, sign up, reset your password, or submit certain other forms on Bright Moves, your browser loads a small piece of JavaScript from Cloudflare Turnstile. Turnstile checks whether the request is coming from a real person or an automated bot.
Your IP address, your browser's user agent string, signals about your browser environment (such as available APIs, runtime characteristics, and timing of interactions on the page), and the URL of the page where the form is shown.
Your email, password, name, the contents of any form fields, or any data you typed into the page. Turnstile evaluates the environment of your browser, not your identity.
Without bot protection, attackers can use scripted tools to attempt millions of logins, create fake accounts at scale, or knock our services offline. Turnstile prevents this with minimal friction for real users — most legitimate visitors are verified silently with no challenge presented.
Under GDPR Article 6(1)(f), our legitimate interest in protecting our users and services from abuse, fraud, and denial-of-service. We have conducted a balancing test and concluded that this processing is necessary, proportionate, and that the user benefit (protection against account takeover and abuse) outweighs the limited privacy impact of the bot detection signals.
The Turnstile JavaScript sends signals directly from your browser to Cloudflare. Cloudflare returns a single-use verification token to your browser. Your browser passes that token to Bright Moves. Bright Moves asks Cloudflare to validate the token (server-to-server). We never store the raw token, and we never see your full IP address in long-term audit logs.
Cloudflare's global edge network. For users in the EU/EEA, processing typically occurs at the EU point of presence nearest to you, with possible failover to other regions. International transfers (including any to the United States) are governed by Standard Contractual Clauses and Cloudflare's published transfer mechanisms.
Cloudflare's retention of Turnstile signals is governed by Cloudflare's privacy policy. Bright Moves does not retain raw Turnstile data; we keep only a yes/no verification outcome and an opaque request ID for security audit, plus a hashed-and-salted IP rotated daily.
You can exercise access, deletion, restriction, and objection rights against Bright Moves by emailing [email protected]. Because Turnstile signals are processed by Cloudflare and are not directly tied to your account, your most effective rights against Cloudflare-held data are exercised against Cloudflare directly under their privacy policy. We will assist you in routing such requests if asked.
Because Turnstile is processed under legitimate interest, you have the right to object. If you object, we will work with you to find an alternative authenticated pathway (for example, identity-verified email support) so you can still use sign-in, sign-up, password reset, and OTP flows without going through Turnstile.
We use essential cookies only — a cookie consent preference stored in your browser. No tracking or advertising cookies. Cloudflare Turnstile may set a short-lived clearance token in browser storage on Cloudflare's ownchallenges.cloudflare.comorigin to avoid re-challenging your browser within seconds. This is a security mechanism, not a tracking mechanism, and falls under the ePrivacy Directive's "strictly necessary" exemption.
Bright Moves serves chess students of all ages, including children. When you visit a sign-up page, your browser briefly interacts with a bot-protection service to verify you are not an automated program. This happens before our age gate. The bot-protection service receives only technical signals about your browser — never your age or identity. If you are under our minimum age, our age gate prevents account creation and we do not retain any data about your visit. See the bot protection section above for details on the third-party service we use.
You can delete all of your Bright Moves data — AI tutor history, AI commentary, imported games, consent records, and audit logs — from your account settings page. The deletion happens in a single Postgres transaction: either every row tied to your user ID across all seven user-keyed tables is removed, or none of it is and the request fails so you can retry. Your Algebrics sign-in account on auth.algebrics.com is deleted on the same path so you can re-register cleanly.
For all other rights or any questions, contact [email protected] or [email protected].
We do not sell personal information. We have never sold personal information and have no plans to do so.
Privacy inquiries: [email protected]