Privacy Policy
Effective: April 5, 2026 · Last updated: April 5, 2026
Sovereign Bench ("we," "us," "our") is operated by Kuykendall Industries LLC, Boise, Idaho. This policy describes how we collect, use, store, and protect information when you use sovereign-bench.com (the "Service").
1. Information We Collect
1.1 Account Information
When you create an account, we collect your email address and a hashed password. We never store plaintext passwords. Authentication is managed by Supabase Auth, which uses bcrypt hashing with automatic salting.
1.2 Benchmark Data
When you run a benchmark, we collect:
- The model name, version, and provider you specify
- The model responses you paste into the benchmark flow
- Chain-of-thought traces, if you provide them
- Judge scores and rationales generated by our scoring pipeline
- Benchmark metadata: difficulty level, prompt version, timestamp
1.3 API Keys
If you generate API keys, we store a SHA-256 hash of each key and a display prefix. We do not store the raw API key after initial generation.
1.4 Payment Information
Payments are processed by Stripe. We do not store credit card numbers, CVVs, or full payment details. We store only the Stripe customer ID and session ID necessary to verify your account status. See: Stripe Privacy Policy.
1.5 Automatically Collected Information
We collect:
- Server logs: IP addresses, request timestamps, and HTTP metadata. Used for rate limiting and abuse prevention.
- Analytics: We use Plausible Analytics, a privacy-friendly analytics service that does not use cookies, does not collect personal data, and does not track users across sites. Plausible is GDPR-compliant by design. See: Plausible Privacy Policy.
- Bug reports: If you submit a bug report, we collect the description, category, optional email, page URL, and browser user agent.
2. How We Use Your Information
- Providing the Service: Running benchmarks, scoring responses, generating results, and displaying leaderboard data.
- Account management: Authenticating you, managing your subscription status, and associating benchmark runs with your account.
- Leaderboard: If you opt in, your model name, version, provider, scores, difficulty, tester handle, and date are displayed publicly. Your email address is never displayed.
- Webhook notifications: If you register webhooks, we send HTTP requests to the URLs you specify when scoring completes or regression is detected.
- Security and abuse prevention: Rate limiting, profanity filtering, and monitoring for abuse.
- Research: Aggregate, anonymized data from public leaderboard submissions may be used for research. Individual user data is never shared or sold.
3. What We Do Not Do
- We do not sell your personal information. Ever.
- We do not share your data with advertisers.
- We do not use advertising cookies or tracking pixels.
- We do not use your benchmark responses to train AI models.
- We do not contact you for marketing unless you explicitly opt in.
- We do not share your email address with any third party except our payment processor (Stripe) as required to process your payment.
4. Data Storage and Security
Data is stored in Supabase (hosted on AWS infrastructure in the United States). Security measures include:
- Row-level security (RLS) policies ensuring users can only access their own data
- All data transmitted over HTTPS with HSTS preloading
- Content Security Policy headers with nonce-based script execution
- Trusted Types enforcement to prevent DOM-based XSS
- Input sanitization and profanity filtering on all user-submitted text
- Stripe webhook signature verification
- API key hashing (SHA-256) — raw keys never stored after generation
- Rate limiting with Supabase-backed persistence across serverless instances
5. Data Processors
We use the following third-party processors:
| Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, authentication | All account and benchmark data | US (AWS) |
| Vercel | Hosting, serverless functions | HTTP requests, server logs | US (Global CDN) |
| Stripe | Payment processing | Email, payment details | US |
| Together AI | Judge model inference | Prompt text, response text | US |
| Plausible Analytics | Privacy-friendly analytics | Page views (no personal data) | EU |
6. Public Leaderboard Data
When you submit benchmark results to the public leaderboard, the following data becomes publicly visible:
- Model name, version, and provider
- Agency Score, domain scores, and per-axis scores
- Difficulty level and prompt version
- Tester display name (if provided, otherwise "Anonymous")
- Date of benchmark run
Your email address, account ID, API keys, and raw model responses are never publicly visible. You can remove your results from the leaderboard at any time.
7. Data Retention
- Free-tier accounts: Benchmark runs expire after 30 days. Expired data is automatically deleted by a daily cleanup process.
- Sovereign (paid) accounts: Benchmark data is stored permanently until you delete it or delete your account.
- Server logs: Retained for up to 30 days.
- Rate limit data: Automatically expires within 2 minutes.
- Bug reports: Retained indefinitely for product improvement.
- Webhook delivery logs: Retained for 90 days.
8. Your Rights (GDPR / CCPA / International)
Regardless of your location, we provide self-serve tools for all data rights. From your Account page:
- Access / Export: One-click ZIP download of your complete data (account info, all benchmark runs, responses, judge scores, readable summary).
- Deletion: Permanently delete your account and all associated data. Immediate and irreversible.
- Rectification: Remove leaderboard entries or update your display name.
- Portability: Export individual runs as JSON, ZIP, or PNG.
- Restriction: Toggle runs to private to remove them from public access.
No contact or waiting period is required. All actions are processed immediately. If you encounter issues, email support@sovereign-bench.com.
8.1 International Data Transfers
If you are located outside the United States, your data is transferred to and processed in the United States. By using the Service, you consent to this transfer. We rely on Standard Contractual Clauses (SCCs) where required by applicable law.
8.2 Data Protection Officer
For GDPR inquiries, contact: support@sovereign-bench.com.
9. Cookies and Local Storage
We use Supabase Auth session tokens stored in browser localStorage to maintain your authenticated session. We do not use advertising cookies, third-party cookies, or cookie-based tracking.
- Supabase Auth: Session JWT stored in localStorage. Cleared on sign-out.
- Benchmark progress: Current benchmark state stored in sessionStorage. Cleared when the tab closes.
- Stripe: May set cookies during checkout as governed by their privacy policy.
- Plausible: Does not use cookies.
10. Children
Sovereign Bench is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will delete it promptly.
11. California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it's used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Not be discriminated against for exercising your rights
To exercise these rights, use the self-serve tools on your Account page or email support@sovereign-bench.com.
12. Changes to This Policy
We may update this policy at any time. The "Last updated" date at the top reflects the most recent revision. For material changes, we will notify active account holders via email. Continued use after changes constitutes acceptance.
13. Contact
For privacy-related inquiries:
Kuykendall Industries LLC
Boise, Idaho
Email: support@sovereign-bench.com
Web: kuykendall.industries