Grandmaster Journey logoGrandmaster Journey

Privacy Policy

Last updated: May 3, 2026

GoudaChess ("we," "us," or "our") operates Grandmaster Journey. This Privacy Policy explains how we collect, use, store, and protect information when you use our Grandmaster Journey mobile apps for iOS and Android (from the Apple App Store and Google Play), and when you visit grandmasterjourney.com.

We are based in the Netherlands and comply with the General Data Protection Regulation (GDPR) where it applies. Our main game database is hosted with Supabase in the EU (Ireland).

1. Information we collect

1.1 Information you provide

Account sign-in: your user id, email, username, password or one-time codes you use in our sign-in flows, and optional multi-factor authentication (MFA) when you turn it on. Sign-in is handled by Supabase, our backend provider.

Your profile can include display name fields, language preference, board and piece look, optional timezone for notifications, optional profile photo, your subscription level (for example free or pro), flags for manual upgrades or purchase linking, a visibility setting, when you last opened the app, and timestamps we use for reminders and housekeeping.

Feedback & support: if you use Send feedback while signed in, we store your message and basic device details (brand, model, OS version, app version) with the form. You may also email us directly (see section 8).

1.2 Gameplay, progression, and related records

Depending on what you use, our servers may store information such as:

Story Mode & journey map: your progress in each story game (for example completion, sync score, and times), optional saved resume points, and ways to merge guest progress into your account after you sign up.

Puzzles: each puzzle attempt (which puzzle, whether you solved it, timing and outcome details, and how your skill rating changes), as well as daily play counts and counts for extra puzzles earned from ads on free accounts.

Daily challenge: attempts tied to each daily game (including the engine strength you picked, moves and replay-style data we keep for history, how long you played, and results), as well as calendar and history views built from that data.

Artifacts & badges: progress collecting monthly artifact pieces, your museum display, and badge-related notifications.

Notifications: messages inside the app, read/unread state, and, if you turn on push, a push notification token for your device. We may also occasionally store when you last opened the app and your timezone so digest-style messages can match your local morning.

1.3 Automatically collected data & identifiers

Usage analytics (first-party): the app sends simple events to our own database (hosted with Supabase). These can include what happened (for example which screen you were on, game results, or timings), your platform and app version, a short-lived session id, and small ids so we do not double-count the same action. Before you sign in, we may use a random id stored on your device until you log in.

Ads & app stores: on phone and tablet apps that show Google AdMob rewarded ads, Google may use advertising-related identifiers under its rules and your device privacy settings. Apple and Google also process account and purchase information when you install or pay through their stores.

1.4 Analytics retention & anonymous linking

We keep product analytics in-house (we do not send these events to a separate marketing-analytics company by default). In practice:

Rolling deletion: automated cleanup may remove detailed usage events after about 14 days.

Guest to account: after you sign in, we may link earlier usage from the same device to your account so your timeline stays in one place.

Why we use events: to run the game, see what breaks, understand which features help players, and improve the app, balanced with legitimate interests and your rights.

Game clients: the product analytics described here are collected from our iOS and Android mobile apps only.

Marketing website: grandmasterjourney.com may save a small language cookie so the site stays in your chosen language. It is not used for personalised ads.

2. How we use information

We use the data above to:

Run the service: sign you in, load your profile, themes, and subscription state, and keep your progress in sync across devices.

Deliver the game: story play, puzzles and ratings, daily challenges against the engine, artifacts, and badges.

Apply subscriptions & limits: free daily caps, longer history for paying players, extra puzzles after watching ads, and manual upgrades where we grant them.

Communicate: send in-app or push messages you opt into (for example digests or progress updates) using the notification services we use with Expo.

Improve the product: study aggregated usage and internal dashboards (including admin-only views for running the service).

Protect accounts: optional MFA, account deletion flows, and database access rules on our Supabase-hosted data.

3. Processors & service providers

Depending on your device and settings, information may be processed by:

Supabase: our hosted database, sign-in, file storage for profile photos, background jobs, and (where enabled) live updates. Data is protected with row-level access rules; sign-in secrets stay inside Supabase’s auth service.

Google AdMob on supported phone and tablet apps, for rewarded video ads that unlock extra puzzles. Google’s policies apply.

Expo: tools we use for push notifications, app updates delivered over the air, and related app infrastructure.

Apple & Google: app stores and payment processors for in-app purchases. We store subscription information on your profile (and a purchase-linking id when present) but we do not receive your full card number from them.

4. Retention & deletion

We keep data only as long as needed. Examples from our current automated cleanup: read in-app notifications may be removed after about 14 days.

Usage analytics: detailed event rows are typically removed after about 14 days.

Puzzle and daily challenge history: older attempt rows may be deleted after about one year. Separately, free accounts may only see a shorter history in the app (for example about seven days in lists) even if some older rows still exist until they are cleaned up.

Account deletion: you can start deletion in the app; we first soft-delete your profile. After 30 days, your sign-in account can be permanently removed, which removes personal gameplay data tied to it, unless the law requires us to keep something longer.

5. Your rights (GDPR & equivalents)

Access & correction: contact us or edit your profile in the app (within our validation rules) for basic details.

Erasure: you can ask us to delete your account; permanent removal of the sign-in account happens after the 30-day period unless the law says otherwise.

Object or limit: you may object to some processing based on legitimate interests, within legal limits. Ad tracking can be controlled in your device settings and through AdMob consent on mobile.

6. Public profiles, younger users, & photos

The app is for a general audience and is not aimed at young children. If you think a child has shared personal data against the rules, contact us. Basic profile information for accounts that are not deleted may be visible without signing in under our current database rules. Treat your username as public unless you use visibility controls, which also apply in richer profile views. Profile photos you upload are stored so the app can show them via a public link (anyone with the link can load the image).

7. Security

We use database access rules, encrypted connections on the internet, and standard password protection through our auth provider. No system is perfectly secure; we work to reduce risk but cannot promise absolute security.

8. Contact

Questions or data requests:

Email: [email protected]

Operator: GoudaChess. Postal address on request via the email above (Netherlands).