Draft — Lawyer Review Required
This document is a draft pending legal review. It will be replaced with attorney-reviewed final language before commercial release. Do not rely on this document for legal compliance until the legal review marker is removed.
Privacy Policy
Last updated: April 29, 2026
1. Information We Collect
When you use GauntletScore, we collect the following:
- Account Information: Email address and name when you register for an API key
- Documents: Text content you submit for analysis (processed in memory, not stored — see Section 5)
- Source URLs: URLs you provide for document fetching
- Usage Data: API call metadata including timestamps, document hashes (not documents), scores, and credit usage
- Technical Data: IP address, User-Agent string, and request headers
2. How We Use Your Information
We use your information to:
- Provide adversarial verification analysis of your submitted documents and code
- Verify claims against authoritative databases (CourtListener, eCFR, SEC EDGAR, PubMed)
- Generate Gauntlet Scores and cryptographic certificates
- Manage your account, API key, and credit balance
- Communicate with you about your account and service updates
- Ensure security, prevent fraud, and enforce our Terms of Service
- Improve our verification algorithms (using anonymized, aggregated data only)
3. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All data is encrypted in transit (TLS) and at rest
- API Key Security: API keys are stored as SHA-256 hashes — we never store your key in plaintext
- Row-Level Security: Database-level isolation ensures tenants can only access their own data
- AI Provider Security: We use trusted AI providers (Anthropic, OpenAI, Google, xAI) with enterprise-grade security practices
- Cryptographic Integrity: Ed25519 signatures ensure scores cannot be tampered with after issuance
4. Data Sharing and Third Parties
We do not sell your personal information. We share data only with:
- AI Providers: Document text is sent to AI services (Claude, GPT, Gemini, Grok) for analysis. These providers process data according to their own privacy policies and do not train on API inputs.
- Verification Databases: Extracted claims are queried against CourtListener, eCFR, SEC EDGAR, and PubMed to verify accuracy. Only the claim text is sent, not the full document.
- Infrastructure Providers: Supabase (database), Railway (compute), Vercel (static hosting). See our Subprocessors page for the full list.
- Legal Requirements: When required by law or to protect our rights
5. Data Retention
Document Content: Submitted documents are processed in memory and are not stored after analysis is complete. We retain only a SHA-256 hash of the document for certificate verification purposes.
Transcripts: Analysis transcripts are retained for 24 hours for retrieval, then permanently deleted.
Scores and Certificates: Scores and certificates are retained indefinitely as they contain no document content.
Account Data: We retain your account information for as long as your account is active. You can request deletion at any time.
6. Your Rights
You have the right to:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data (“right to be forgotten”). Note: previously issued certificates remain valid as they contain no personal data.
- Export: Download your run history and scores
- Opt-out: Unsubscribe from marketing communications
To exercise these rights, contact us at privacy@genstrata.com.
7. Cookies and Tracking
See our Cookie Policy for details on how we use cookies. The API uses bearer token authentication and does not set cookies. We do not use third-party advertising trackers.
8. Children’s Privacy
GauntletScore is not intended for users under 18. We do not knowingly collect information from children.
9. International Data Transfers
Your data may be transferred to and processed in the United States where our service providers operate. We ensure appropriate safeguards are in place for international transfers. For organizations with data residency requirements, the Sovereign Edition provides on-premises deployment with zero data egress.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email. Continued use after changes constitutes acceptance.
11. Governing Law
This Privacy Policy is governed by the laws of the State of Delaware, without regard to conflict of laws principles. Any disputes arising under or relating to this Privacy Policy shall be resolved exclusively in the state and federal courts located in Delaware, and you consent to the personal jurisdiction of those courts.
12. Contact Us
For privacy-related questions or to exercise your rights, contact us at:
Email: privacy@genstrata.com
Genstrata, Inc.
A Delaware Corporation
Notice address: contact security@genstrata.com to request a delivery address for legal notices.