◈ Data Protection Notice ◈

PRIVACY POLICY

How Andromeda handles your data

Effective date: 25 May 2026 Last updated: 30 May 2026

Andromeda is a personal chess website operated by Christian J. Walls (the "operator", "we", "us"). This policy explains what personal data we collect, why we collect it, how long we keep it, and the rights you have over it. We collect the minimum needed to run the site and we do not sell your data or use third-party advertising or cross-site tracking.

1 · Who is responsible

The data controller for this site is Christian J. Walls. For any privacy question or request, contact cjwalls1999@gmail.com.

2 · What we collect

If you create an account, we store:

  • Your username and email address.
  • Your password, stored only as a salted cryptographic hash — we never store or see your actual password.
  • An optional display name and your preference settings (for example, disabling background animations, or enabling read-aloud move narration and its level).
  • Content you create on the site: game bookmarks, player bookmarks, and game collections, including each collection's saved sort preference.
  • Which optional account features have been enabled for you.

For every visitor (including those without an account), we keep minimal, privacy-preserving analytics. For each page view we record:

  • The page path requested, without any query-string parameters.
  • The HTTP status code of the response.
  • The host of the referring website, if you arrived from an external link (not the full URL).
  • A salted monthly visitor hash. This is a one-way hash that is mixed with a secret value that rotates each month; it lets us count distinct visits within a month without ever storing who you are.
  • A coarse device type (desktop, mobile, or tablet) and browser family.

We deliberately do not store your raw IP address, your raw browser user-agent string, query strings, or requests for static files (images, scripts, stylesheets). Automated bot and scanner traffic is logged separately, using the same minimal non-identifying fields, purely to monitor abuse — it is never mixed into human visitor analytics.

3 · Cookies

We use only first-party, functional cookies: a session cookie to keep you signed in, and a CSRF token cookie that protects forms against cross-site request forgery. Both are marked Secure and are set only when needed. We do not use advertising cookies, analytics cookies, or any cross-site tracking technology.

4 · Why we use it

  • Run your account — sign-in, profile, bookmarks, collections, and settings.
  • Account email — to send password-reset messages when you request them.
  • Security — to protect the site against abuse, fraud, and attacks.
  • Aggregate understanding — to see which pages are visited, in aggregate, so we can improve the site.

5 · Legal bases (GDPR)

If you are in the European Economic Area or the UK, we rely on the following legal bases under the GDPR:

  • Performance of a contract — to provide the account and features you sign up for.
  • Legitimate interests — for security, abuse prevention, and minimal pseudonymous analytics that do not identify you.
  • Consent — where the law requires it; you may withdraw consent at any time.

6 · Sharing and processors

We do not sell, rent, or trade your personal data, and we do not share it with advertisers. The site runs on server infrastructure provided by our hosting provider (DigitalOcean), where the database is stored. If you request a password reset, your email address and the reset message are passed to our transactional email provider (Resend) solely to deliver that message. We may also disclose data if required to do so by law.

7 · How long we keep it

Account data is kept for as long as your account exists. If you ask us to delete your account, we remove your account data. Analytics records are pseudonymous by design — because the visitor hash salt rotates monthly, records cannot be linked back to an individual across months — and are retained only for aggregate trend analysis.

8 · Your rights (GDPR)

If the GDPR applies to you, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”).
  • Restrict or object to certain processing.
  • Port your data to another service.
  • Withdraw consent at any time, without affecting prior processing.
  • Lodge a complaint with your local data protection supervisory authority.

To exercise any of these, email cjwalls1999@gmail.com.

9 · Your rights (California / CCPA & CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used.
  • Delete personal information we hold about you.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information — note that we do not sell or share personal information as those terms are defined under the CCPA/CPRA.
  • Not be discriminated against for exercising any of these rights.

To make a request, email cjwalls1999@gmail.com.

10 · Children

This site is not directed to children. We do not knowingly collect personal data from children under 16 (or under 13 in the United States). If you believe a child has provided us data, contact us and we will delete it.

11 · Security

The site is served over HTTPS with HSTS enforced. Passwords are stored as salted hashes, cookies are marked Secure, and standard protections against clickjacking and content sniffing are in place. No system is perfectly secure, but we take reasonable measures to protect your data.

12 · Changes to this policy

We may update this policy from time to time. When we do, we will revise the “Last updated” date above. Material changes will be made clear on this page.

13 · Contact

Questions, requests, or complaints about your data: cjwalls1999@gmail.com.