Prompt Injection Lab

Copyright 2026 Prompt Injection Lab. All rights reserved.

Privacy Policy

Last updated: May 28, 2026

1. Scope and acceptance

This Privacy Policy describes how we collect, use, disclose, and otherwise process information when you access or use the website, applications, APIs, and related services operated under the name Prompt Injection Lab (collectively, the "Service").
By using the Service, you acknowledge that you have read this Privacy Policy. If you do not agree, do not use the Service. We may update this policy at any time; continued use after changes constitutes acceptance of the revised policy.

2. Who we are

The Service is operated by the Prompt Injection Lab project and its collaborators, affiliates, and service providers ("we," "us," or "our"). For privacy-related requests, contact us through the channels listed on the Service or in the About page.

3. Information we collect

We may collect the following categories of information, depending on how you use the Service:
Account and identity data: identifiers, profile information, and authentication tokens provided by third-party identity providers (such as Clerk), including email address, display name, and session metadata.
Usage and technical data: IP address, browser type, device identifiers, operating system, referral URLs, pages viewed, timestamps, cookies, and similar diagnostic data.
Submission and competition data: text you submit for evaluation, scores, rankings, challenge progress, campaign participation, and metadata generated by automated evaluation (including traces, tool-call logs, and model outputs).
Communications: messages you send to us for support, feedback, or research coordination.
We may also create aggregated, de-identified, or anonymized data derived from the above. We may use and disclose such data for any lawful purpose without restriction.

4. How we use information

We use collected information to:
Provide, operate, maintain, secure, and improve the Service;
Authenticate users, enforce access controls, and prevent abuse;
Run evaluations, store results, display leaderboards, and support research or educational activities;
Communicate with you about the Service, updates, or security matters;
Comply with law, respond to lawful requests, and protect our rights and the rights of others;
Develop new features, conduct analytics, and publish research outputs in aggregated or de-identified form.
We may use information for any additional purpose disclosed at the time of collection or with your consent where required by law.

5. Legal bases (where applicable)

Where data protection laws require a legal basis, we rely on one or more of: performance of a contract, legitimate interests (including research, security, and product improvement), compliance with legal obligations, and consent where required. You may withdraw consent where applicable without affecting the lawfulness of processing before withdrawal.

6. Sharing and disclosure

We may share information with:
Service providers and subprocessors (hosting, authentication, analytics, email, and model/API providers) bound by contractual or professional obligations;
Academic, research, or institutional collaborators involved in operating or studying the Service;
Other users, to the extent you choose to make information public (for example, leaderboard entries or shared submissions);
Authorities, regulators, or parties involved in legal process when we believe disclosure is required or permitted by law;
Successors in connection with a merger, acquisition, reorganization, or sale of assets.
We do not sell personal information for monetary consideration. We may share information as otherwise described in this policy or at your direction.

7. International transfers

Information may be processed in the United States and other countries where we or our providers operate. Those locations may have different data protection rules than your jurisdiction. By using the Service, you consent to transfer and processing in those locations to the extent permitted by law.

8. Retention

We retain information for as long as needed to provide the Service, fulfill the purposes in this policy, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods may vary by data type and may be extended for research, backup, or archival purposes. We may delete or anonymize data at any time in our discretion.

9. Security

We implement reasonable administrative, technical, and organizational measures designed to protect information. No method of transmission or storage is completely secure. We do not guarantee absolute security and are not liable for unauthorized access beyond our reasonable control.

10. Your rights and choices

Depending on your location, you may have rights to access, correct, delete, restrict, or port personal information, or to object to certain processing. You may also have the right to lodge a complaint with a supervisory authority.
To exercise rights, contact us using the details on the Service. We may verify your identity and decline requests that are unfounded, excessive, or prohibited by law. California residents may have additional rights under applicable state law; we will not discriminate against you for exercising those rights.
You can manage cookies through browser settings. Disabling cookies may limit Service functionality.

11. Children

The Service is not directed to children under 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will take appropriate steps to delete it.

12. Third-party services

The Service may link to or integrate third-party sites and services (including authentication, model providers, and benchmark tooling). Their privacy practices are governed by their own policies. We are not responsible for third-party practices.

13. Changes

We may modify this Privacy Policy at any time. Material changes may be indicated by updating the "Last updated" date or through in-Service notice. Your continued use constitutes acceptance.

14. Contact

For privacy questions or requests, contact the operators through the About page or other contact methods published on the Service.