Privacy Policy
Last updated: 2026-04-21
The Daily Chess Puzzle (the "Activity") is a small Discord Activity that serves one chess puzzle per day and tracks player ratings across the Discord servers ("guilds") it's installed in. This policy explains what data the Activity collects, how it's used, and how long it's kept.
This is a personal hobby project operated by a single developer. If you have any question about the data we hold about you, or want your data deleted, contact dailychessdev@proton.me — we'll respond within a reasonable timeframe.
What we collect
When you launch the Activity inside Discord, the Discord Embedded App SDK provides us with:
- Discord user ID (a numeric snowflake, e.g. 1234567890).
- Username, and if set, your display name and avatar hash.
- Guild (server) ID and channel ID of the Discord channel you launched the Activity from.
- Discord OAuth access token — used in-memory on our server to verify your identity per request; never stored.
When you play the daily puzzle, we also record:
- The ISO date of the puzzle.
- How many tries you used and whether you solved it.
- A timestamp of when you finished.
- Your computed Elo rating (before, after, delta, peak) and rank title.
Your in-progress puzzle state is also saved to your own browser's localStorage so you can't reset the game by closing and reopening.
What we DON'T collect
- Email address, phone number, or any other contact info.
- Your IP beyond what Fly.io's standard access logs retain (method, path, status, duration — no headers, no body).
- Data from Discord channels, DMs, or messages outside the Activity itself.
- Analytics, ad-tracking, or third-party telemetry.
- Payment information — the Activity is free.
How we use your data
- Display your identity on the leaderboard (username, avatar, rating).
- Compute and track your Elo rating across days so returning players see their progress.
- Post a results card in the Discord channel where you launched the Activity, so other members can see who played. The card is a PNG generated server-side and posted via Discord's webhook API using a short-lived (~15 min) interaction token associated with your launch action.
- Enforce a once-per-day lockout so you can't re-roll the puzzle after starting.
- Apply a −5 Elo inactivity penalty at 23:55 UTC to registered players who didn't play that day, to keep the ladder competitive.
Who we share data with
- Lichess — we fetch the daily puzzle from Lichess's public API. We do not send them any of your personal data; they see only our server's IP when we request today's puzzle.
- Discord — the Activity lives inside Discord. Per the Activity's launch mechanics, Discord sees your identity; we then post leaderboard cards back into channels via Discord's API using tokens Discord issued.
- No one else. No data brokers, no analytics companies, no third parties of any kind.
How long we keep your data
- Puzzle results (per-day, per-guild entries): stored indefinitely on our encrypted Fly.io volume in Frankfurt, Germany. This is what powers the leaderboard and the rank progression feel.
- Elo ratings: stored indefinitely. Peak ratings and win/loss counts are kept so you see progression over time.
- Channel card message state: kept for the current calendar day, rolled over automatically.
- Launch tokens: expire automatically 15 minutes after issue and are cleared from memory on the server shortly after.
- Daily Fly.io volume snapshots are kept for 14 days as a backup measure.
Your rights
You can request, at any time, to:
- Access the data we hold about you.
- Delete all data tied to your Discord user ID (ratings, results, streak history). Once deleted, your leaderboard entries in every guild disappear.
- Rectify incorrect data (rarely needed — the data is auto-generated from your play).
Contact dailychessdev@proton.me with your Discord user ID. We'll fulfill deletion requests within 30 days.
If you're an EU/UK resident, you have the usual GDPR rights (access, rectification, erasure, restriction, portability, objection) and may lodge a complaint with your data-protection authority if we fail to respond. Our basis for processing is legitimate interest (running a small multiplayer puzzle game inside Discord for the enjoyment of players who have voluntarily launched it).
Security
- All data is stored on an encrypted Fly.io volume.
- API endpoints that return or modify user data require a valid Discord OAuth access token, verified server-side against Discord's /users/@me endpoint. An outside caller cannot submit or read results on another user's behalf.
- Discord interaction webhooks are verified via Ed25519 signatures.
- No passwords are stored — authentication is delegated entirely to Discord's OAuth flow.
Children
The Activity is a Discord Activity, and Discord's own Terms of Service require users to be 13 years or older (or higher in some jurisdictions). We do not knowingly collect data from children under that age. If you believe a child's data has reached us, contact us and we will delete it.
Changes to this policy
This policy may be updated when the Activity changes. Material changes will be announced in the "Last updated" date at the top. Continued use of the Activity after changes take effect constitutes acceptance of the updated policy.