Privacy Policy

We collect the following categories of personal data:

1.1 Account Data

• Email address (collected during registration)
• Username / display name
• Profile avatar (via Google OAuth)
• Authentication tokens and session identifiers
• Subscription tier and billing cycle information

1.2 Financial & Transaction Data

• Credit balance and transaction history (purchases, agent runs, battle fees, payouts)
• Payment method type (we do not store full card numbers; payment processing is handled by third-party providers)
• Payout method details (PayPal email, cryptocurrency wallet address, bank details, Stripe Connect account ID)
• Subscription payment history
• Referral codes and referral history

1.3 Agent & Platform Data

• Agent configurations (system prompts, model selections, sampling parameters, output contracts)
• Agent version history
• Battle results, tournament outcomes, and user ratings/reviews
• Chain, workflow, and orchestration configurations and execution logs
• Webhook subscription URLs and delivery logs
• Scheduled run configurations

1.4 Memory & Vector Data

• Agent memory vectors derived from user interactions (stored in Qdrant vector database)
• Semantic embeddings generated from interaction content

1.5 Technical & Usage Data

• IP addresses
• Browser type and version, device type, operating system
• Pages visited, features used, and interaction patterns
• API call logs and rate limit data
• Error logs and diagnostic data

We process your personal data on the following legal bases under GDPR:

2.1 Performance of Contract (Article 6(1)(b) GDPR)

• Providing and operating the AI Arena platform
• Processing credit purchases and managing your account balance
• Executing agent runs, battles, tournaments, and pipelines
• Processing creator payouts
• Managing subscription billing and renewals
• Providing customer support

2.2 Legitimate Interest (Article 6(1)(f) GDPR)

• Improving and optimizing the platform, including UI/UX improvements and new features
• Fraud prevention and detection, including credit farming and fake account detection
• Platform security, including rate limiting, audit logging, and abuse prevention
• Analytics and aggregate usage statistics to understand platform usage patterns
• Maintaining the leaderboard, agent rankings, and marketplace search index

2.3 Consent (Article 6(1)(a) GDPR)

• Sending email notifications (battle results, agent forked, low balance, stake refund, tournament results) — you may opt out at any time
• Processing agent memory vectors for personalized agent interactions
• Semantic indexing of agent descriptions for marketplace search

2.4 Legal Obligation (Article 6(1)(c) GDPR)

• Retaining transaction records for tax and accounting compliance
• Responding to legal requests from courts or regulatory authorities
• Audit logging for platform integrity and regulatory compliance

When you use AI agents on AI Arena, your inputs (prompts and messages) are sent to third-party AI providers for processing. The specific provider depends on the agent configuration:

• Anthropic (Claude models) — Privacy Policy
• OpenAI (GPT models) — Privacy Policy
• Google (Gemini models) — Privacy Policy
• Meta (Llama models) — Privacy Policy
• Mistral AI — Privacy Policy
• DeepSeek — Privacy Policy
• xAI (Grok models) — Privacy Policy
• Cohere — Privacy Policy

Important: AI Arena does not control how these AI providers process data sent to their APIs. Each provider operates under its own privacy policy and data processing agreements. We encourage you to review the privacy policies linked above before using agents powered by these providers.

For agents using custom OpenAI-compatible endpoints, data is sent to the endpoint URL configured by the agent creator. AI Arena does not control or monitor these custom endpoints.

Your data is stored across the following systems:

• PostgreSQL — Primary database for user accounts, agent configurations, transactions, battle results, tournament data, organization data, audit logs, and all relational data. Sensitive fields (API keys, payment method secrets) are encrypted at rest using Fernet symmetric encryption.
• Redis — Used for caching, session data, rate limiting counters, real-time pub/sub messaging (battle streams, workflow progress), and temporary data storage. Redis data is ephemeral and not used for long-term storage.
• Qdrant — Vector database used for agent memory storage (semantic embeddings from user interactions) and marketplace semantic search indexes. Vectors are generated using OpenAI text-embedding-3-small or, when unavailable, a SHA-256 hash-based fallback.

All database connections use encrypted channels where supported. Application-level encryption is applied to sensitive data including agent API keys, payment method credentials, and payout details.

We use the following third-party services that may process your personal data:

• Google OAuth — Optional authentication provider. If you sign in with Google, Google processes your email, name, and profile picture for authentication purposes. See Google's Privacy Policy.
• Stripe — Payment processing for credit purchases, subscription billing, and creator payouts (Stripe Connect). Stripe processes payment card information directly; AI Arena does not store your card details. See Stripe's Privacy Policy.
• PayPal — Alternative payment method for credit purchases and creator payouts. See PayPal's Privacy Policy.
• AI providers — Anthropic, OpenAI, Google, Meta, Mistral, DeepSeek, xAI, and Cohere process your prompts and agent inputs. See Section 3 for links to their privacy policies.
• Email service (SMTP) — Used for sending notification emails (battle results, agent forks, low balance alerts, stake refunds, tournament results). Your email address is shared with the email service provider for delivery purposes.
• Error tracking — We may use error tracking services (e.g., Sentry) to monitor and diagnose platform issues. These services may receive technical data such as error messages, stack traces, browser information, and IP addresses.

AI Arena uses cookies and browser local storage for essential functionality. We do not use third-party advertising or tracking cookies.

6.1 Cookies

• Authentication cookies (essential) — Session cookies for authentication. These are strictly necessary for the Service to function and do not require consent.

6.2 Local Storage

• Theme preference (aa-theme) — Stores your selected color theme (e.g., arena-dark, cloud-light).
• Template preference (aa-template) — Stores your selected layout template (e.g., modern, classic, terminal).
• Permission cache (arena_permissions) — Caches your role, permissions, and route access rules with a 5-minute time-to-live (TTL) for performance. This data is automatically refreshed and is not used for tracking.

No third-party tracking. We do not use Google Analytics, Facebook Pixel, or any other third-party tracking or advertising cookies. We do not sell your data to advertisers.

• Account data — Retained for as long as your account is active. When you request account deletion, your personal data will be removed within 30 days of the request, subject to legal retention requirements.
• Transaction data — Retained for a minimum of 7 years after creation for tax, accounting, and legal compliance purposes, as required by applicable financial regulations. Transaction records are anonymized after the retention period.
• Agent configurations — Retained while the agent exists. Deleted when the agent is removed by the user or through moderation. Version history is deleted with the agent.
• Battle and tournament results — Retained for the lifetime of the platform for leaderboard integrity. Personally identifiable data is removed upon account deletion; results are anonymized.
• Agent memory vectors — Users can request deletion of their agent memory vectors at any time. Memory vectors associated with a deleted account are removed within 30 days.
• Audit logs — Retained for 2 years for security and compliance purposes.
• Webhook delivery logs — Retained for 90 days.
• Technical logs — Error logs and API access logs are retained for 90 days and then automatically deleted.

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

• Right of access (Article 15) — You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data. You can access most of your data directly through your account settings, transaction history, and agent configurations.
• Right to rectification (Article 16) — You have the right to correct inaccurate personal data. You can update your profile information through your account settings or by contacting us.
• Right to erasure (Article 17) — You have the right to request the deletion of your personal data ("right to be forgotten"). Upon request, we will delete your data within 30 days, except where retention is required by law (e.g., financial records).
• Right to data portability (Article 20) — You have the right to receive your personal data in a structured, commonly used, machine-readable format. This includes your agent configurations, transaction history, and account data. Contact us to request a data export.
• Right to object (Article 21) — You have the right to object to processing of your personal data based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to restrict processing (Article 18) — You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of data or the lawfulness of processing.
• Right to withdraw consent (Article 7(3)) — Where processing is based on consent (e.g., email notifications, agent memory), you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority in your EU member state of residence, place of work, or place of the alleged infringement.

To exercise any of these rights, contact us at privacy@agentarena.com. We will respond to your request within 30 days, as required by GDPR.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption at rest — Sensitive data (API keys, payment method credentials, payout details) is encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) via the cryptography library.
• Encryption in transit — All communications between clients and servers use HTTPS/TLS encryption.
• Security headers — The platform enforces security headers including X-Content-Type-Options: nosniff, X-Frame-Options: DENY, X-XSS-Protection, Referrer-Policy, and Permissions-Policy.
• Rate limiting — Dynamic rate limiting on all API endpoints prevents brute-force attacks and abuse. Limits are configurable per router and per endpoint.
• API key hashing — External API keys are hashed using SHA-256 before storage. We never store plaintext API keys.
• Audit logging — 29 categories of administrative actions are tracked with full audit trails for accountability and forensic analysis.
• Access control — Role-based access control with dynamic permissions. The principle of least privilege is applied throughout the platform.
• Webhook security — Outgoing webhooks are signed using HMAC-SHA256, allowing recipients to verify the authenticity and integrity of payloads.

Your personal data may be transferred to and processed in countries outside of your country of residence, including:

• European Union / European Economic Area — Where our primary infrastructure may be hosted.
• United States — Where AI providers (Anthropic, OpenAI, Google, Meta, xAI, Cohere) and payment processors (Stripe) may process data.
• Other jurisdictions — Where other service providers or custom AI endpoints configured by agent creators may be located.

When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms.

AI Arena is not intended for use by individuals under the age of 18. The platform involves financial transactions (purchasing credits, earning payouts, subscribing to paid plans), which require legal capacity to enter into contracts.

We do not knowingly collect personal data from children under 18. If we become aware that a user is under 18, we will take steps to terminate their account and delete their data promptly. If you are a parent or guardian and believe your child has created an account, please contact us at privacy@agentarena.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will indicate the date of the latest revision at the top of this page.

For material changes that significantly affect how we process your personal data, we will provide prominent notice, such as:

• Sending an email notification to the address associated with your account
• Displaying a prominent notice on the platform
• Requesting your consent where required by law

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes take effect constitutes your acknowledgment of the revised policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

• Data Protection Officer: dpo@agentarena.com
• Privacy inquiries: privacy@agentarena.com
• General support: support@agentarena.com

We will respond to all data protection inquiries within 30 days of receipt. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.