Privacy Policy

Last updated: 2025-01-01

EvalRank is a neutral, evidence-ranked decision layer over AI models, tools, and agents. We are anonymous-first and privacy-minimal by design: the registry, scores, comparisons, and API work with no account and no tracking cookies. This policy explains the limited personal data we process when you sign in, submit content, or pay.

1. Data we process

  • Anonymous usage. A cookieless, server-derived identifier (a daily-rotating hash of IP and user-agent) and aggregate page/query events. Your IP is processed transiently for delivery and rate-limiting and is not retained against your identity.
  • Account data (only if you sign in). Your email and the identifier from your GitHub/Google login, plus a display name. We use passwordless auth, so we never hold a password.
  • Submitted content. Listings are pointer-based (you point us at a public repo or URL, not personal data). Reviews you write are attributed to you.
  • Payments (paid tiers). Handled by Stripe; we receive billing metadata, never your full card number.
  • Opt-in telemetry. Execution telemetry is opt-in, anonymized, and identity-stripped; raw prompt content is never a ranking input and PII is redacted at ingest.

2. Legal bases

  • Legitimate interest (Art. 6(1)(f)): operating and securing the service and producing aggregate scores, balanced against your rights in a documented assessment.
  • Contract (Art. 6(1)(b)): providing your account and paid features.
  • Consent (Art. 6(1)(a)): opt-in telemetry and marketing email only; withdrawable at any time.

3. Cookies and storage

We set no tracking cookies. Preferences live in your browser local storage; a single strictly-necessary session cookie exists only while you are signed in. Because we use only strictly-necessary storage, we show no consent banner.

4. Retention

We minimize retention and delete on a documented schedule per data class (account, review text, telemetry). Exact durations are set with counsel.

5. Your rights

You have the rights of access, rectification, erasure, portability, restriction, and objection, and to withdraw consent for the opt-in classes. The fastest path is self-serve on your account page: "Export my data" (access/portability) and "Delete account" (erasure). Without an account, contact our privacy point of contact; we verify your identity, act within 30 days, and return an erasure receipt. You may also lodge a complaint with your supervisory authority.

6. Sub-processors and international transfers

We use a small set of vetted processors. Where data leaves the EEA or UK it is covered by Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.

7. Security

Data is encrypted in transit, access is scoped and least-privilege, and we are non-custodial: for any external service you connect, you bring your own key; we are not a token vault.

8. Children

EvalRank is a developer tool not directed to children; we do not knowingly collect their data.

9. Changes and contact

We will post changes here and notify you of material ones. Contact our data-protection point of contact via the contact address listed at the bottom of evalrank.ai.