How we handle your information

1.Information we collect

1.1Information you provide when you create an account

When you sign in with Google, we receive the following information from Google under the OAuth permissions you grant: (i) your email address; and (ii) a stable user identifier issued by Google. We do not store passwords. We do not request, and Google does not transmit to us, your profile photo, contacts, calendar, or any other Google account data beyond the items listed in this Section 1.1.

1.2Content you submit

Each question you submit through the Service (a “Query”), the answers each model produces in response, and the synthesized answer produced by the judge model (together, “Content”) are stored in our database and associated with your account. Content is visible only to you and to those of our personnel and processors who have a strict need to access it for the purposes set out in Section 2. You may view your Content in the “Run history” panel of the Service, delete individual Queries, or delete your entire history at any time.

1.3Usage data

For every completed Query we store:

• the panelist and judge models used;
• the depth of debate selected (between zero and three critique rounds);
• the timestamps of submission and completion; and
• the total cost of the Query in United States dollars, computed from each model provider's token usage and pricing.

We use this information to enforce per-tier limits, to display a running spend total to you, and to produce the aggregated statistics described in Section 1.4.

1.4Aggregated leaderboard data

When a Query completes, the judge model's selection of the best one to three panelist answers is recorded in a separate table and is used to compute the public leaderboard at /leaderboard. The leaderboard publishes only counts per artificial-intelligence provider; it does not publish any Content, any account identifier, or any information from which you could be identified.

1.5Analytics

We use Google Analytics 4 (“GA4”), provided by Google LLC, to understand the countries from which our visitors arrive. GA4 sets cookies in your browser and reports aggregated, country-level statistics that are surfaced on the /visitors page. We do not enable GA4's User-ID feature; we do not link GA4 data to your account; and we do not use GA4 for advertising.

1.6Cookies and similar technologies

The Service uses the following categories of cookies:

• Authentication cookies set by Supabase, Inc., our authentication provider, to keep you signed in across sessions. These cookies are strictly necessary for the Service to function and cannot be disabled without rendering the Service unusable.
• Analytics cookiesset by GA4, as described in Section 1.5. You may decline these cookies through your browser's cookie controls without losing access to the Service.

2.How we use the information

We process the information described in Section 1 for the following purposes:

• (a) Provision of the Service— to authenticate you, route your Queries to the model providers you have selected, store and display your history, and enforce your tier's limits.
• (b) Operation and security of the Service — to diagnose errors, monitor performance, prevent abuse, and protect the Service against fraudulent or unlawful use.
• (c) Aggregated statistics — to compute the public leaderboard described in Section 1.4 and the visitor statistics described in Section 1.5, in each case in a form that does not identify you.
• (d) Communication — to respond to inquiries you initiate with us. We do not send marketing emails.
• (e) Legal compliance — to comply with applicable law and with binding legal orders.

3.Legal bases for processing

Where the GDPR applies, we process your personal data on the following legal bases:

• Performance of a contract (Art. 6(1)(b) GDPR) for the activities required to deliver the Service to you (Section 2(a)).
• Legitimate interests (Art. 6(1)(f) GDPR) for the activities described in Section 2(b) and Section 2(c). Our legitimate interest is in operating, securing, and improving the Service and in providing transparency about model performance. You may object to this processing at any time using the contact details in Section 11.
• Consent (Art. 6(1)(a) GDPR) for non-essential analytics cookies. You may withdraw your consent at any time through your browser settings.
• Compliance with a legal obligation (Art. 6(1)(c) GDPR) for the activities described in Section 2(e).

4.Recipients of your information

We do not sell your personal data, and we do not share your personal data for advertising. We disclose your information only to the categories of recipients listed in this Section 4, each of which acts as our processor under a written agreement that imposes equivalent confidentiality and security obligations.

4.1Service infrastructure providers

• Supabase, Inc. (United States) — authentication, database, and storage.
• Vercel Inc. (United States) — frontend hosting and edge delivery.
• Render Services, Inc. (United States) — backend application hosting.
• Google LLC (United States) — authentication via Google OAuth and analytics via GA4.

4.2Model providers

When you submit a Query, the text of the Query and, where you have enabled critique rounds, the prior answers in the same debate are transmitted to the model providers you have enabled in Settings, solely for the purpose of generating a response:

• Anthropic PBC (United States) — Claude models;
• OpenAI, L.L.C. (United States) — GPT models;
• Google LLC (United States) — Gemini models;
• Perplexity AI, Inc. (United States) — Sonar models;
• X.AI Corp. (United States) — Grok models;
• Mistral AI SAS (France) — Mistral models.

We transmit only the text necessary to fulfil the Query. We do not transmit your email address, your account identifier, or any other personal data to the model providers. Each model provider's own terms govern its processing of the transmitted text; we encourage you to review them on the providers' respective websites.

4.3Disclosures required by law

We may disclose your information when compelled by a binding legal order issued by an authority of competent jurisdiction. Where we are permitted to do so, we will notify you before complying and we will challenge any order that we consider to be unlawful or overbroad.

5.International data transfers

The data controller is located in the State of Israel. Most of our sub-processors are located in the United States. Two transfer scenarios arise:

• EEA / United Kingdom / Switzerland to Israel. Israel has been the subject of an adequacy decision by the European Commission under Article 45 GDPR (Commission Decision 2011/61/EU of 31 January 2011), and equivalent recognitions by the United Kingdom and Switzerland. Transfers of personal data from those territories to Israel are therefore permitted without additional safeguards under Article 46 GDPR.
• Israel, EEA, UK, or Switzerland to the United States. Onward transfers to our United-States-based sub-processors are made pursuant to the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914) and, where applicable, pursuant to the certifications maintained by the relevant sub-processor under the EU–U.S. Data Privacy Framework. The Israeli Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001, apply equivalently to onward transfers from Israel; the transfers are made on the basis of the recipient's undertaking to maintain a level of protection no lower than that required by the PPL.

A copy of the transfer mechanism applicable to a given sub-processor will be provided on written request to the address in Section 11.

6.Retention

• Account information (Section 1.1) is retained for as long as your account exists.
• Content and usage data (Sections 1.2 and 1.3) is retained for as long as your account exists or until you delete it from the Service, whichever is earlier.
• Aggregated leaderboard data (Section 1.4) is retained indefinitely; it does not contain personal data.
• Analytics data(Section 1.5) is retained for the period configured in Google's default retention settings (currently fourteen months).

Following deletion of your account, the personal data described in Sections 1.1 to 1.3 is deleted within thirty (30) days, subject to limited retention only as required to comply with law or to enforce our Terms of Service.

7.Your rights

7.1Rights under the GDPR

Where the GDPR applies, you have the right to:

• access the personal data we hold about you (Art. 15);
• obtain rectification of inaccurate or incomplete data (Art. 16);
• obtain erasure of your account and Content (Art. 17);
• restrict or object to processing based on legitimate interests (Art. 18 and Art. 21);
• data portability — receive a copy of your Content in a structured, commonly used, machine-readable format (Art. 20);
• withdraw your consent at any time, where processing is based on consent and without affecting the lawfulness of processing carried out before the withdrawal (Art. 7(3)); and
• lodge a complaint with the data-protection authority of your habitual residence, place of work, or place of the alleged infringement (Art. 77).

7.2Rights under the Israeli Privacy Protection Law

Where the PPL applies, you have the rights set out in sections 13 to 14B of the PPL, including the right to inspect personal data held about you in our database, to request correction or deletion of inaccurate data, and to require us to amend our records following correction. Requests under the PPL may be addressed to us at the address in Section 11 and will be processed in accordance with the timeframes set out in the PPL and its regulations.

You may also lodge a complaint with the Israeli Privacy Protection Authority at www.gov.il/en/departments/the_privacy_protection_authority.

7.3Self-service erasure

The “Clear all” control in the Run history panel deletes all of your Content immediately, without further action by us. For full erasure of your account (including the account-level information described in Section 1.1), contact us at the address in Section 11. We will respond to any verifiable rights request within thirty (30) days.

8.Security

We employ technical and organisational measures designed to protect your information, including encryption in transit using Transport Layer Security (TLS); encryption at rest as provided by our hosting providers; role-based access controls; database row-level security policies that restrict each User's data to that User; and the use of short-lived authentication tokens. No method of transmission or storage is completely secure, and we do not guarantee the absolute security of your information.

9.Children

The Service is not directed to, and we do not knowingly collect personal data from, persons under the age of sixteen (16). If you believe that a person under the age of sixteen has provided us with personal data, please contact us using the address in Section 11 and we will delete the data without undue delay.

10.Changes to this Policy

We may update this Policy from time to time. Where a change is material we will post the updated Policy at this URL and update the “Last updated” date. Your continued use of the Service after the updated Policy takes effect constitutes acceptance of the updated Policy.

11.Contact and identification of the controller

The data controller for the purposes of GDPR Article 4(7) and section 7 of the PPL is the natural person operating Polymind, resident in the State of Israel, contactable at emil45@gmail.com. On a verifiable request submitted to that address by a data subject exercising the rights set out in Section 7, or by a competent supervisory authority, we will confirm in writing the controller's full legal name and postal address. Please direct any other question relating to this Policy to the same address.