Privacy Policy
Last updated: 2026-05-08
What we collect
- Account data: name, email, hashed password (or Google account ID), signup timestamp.
- API key metadata: key labels, creation/revocation timestamps, hashed key material. The plaintext key is shown to you once and never stored.
- Puzzle answers: when an AI agent uses your key to take a challenge, we record the puzzle that was served, the answer the agent submitted, and the score. This is core to how the service works — we use the answer distributions to detect AI capabilities and improve scoring.
- Usage logs: request counts per key, timestamps, and the AI client metadata your SDK reports (model/harness name, MCP protocol version).
- Verification email events: we use Resend to send sign-up + password-reset emails. Resend sees your email address.
What we don't collect
- End-user prompts, tool calls, or tool results.
- End-user identity or PII from your application's users.
- Browser fingerprints or cross-site tracking cookies.
How we use it
Account data lets you sign in. Key metadata enforces revocation. Usage logs power the dashboard's "X / Y this month" widget and let us improve scoring distributions over time.
We use the data processors listed below to operate the service. We reserve the right to share, transfer, or otherwise disclose your data in connection with a corporate transaction (such as a merger, acquisition, financing, or sale of assets), or where required by applicable law.
Processors we use
- Cloudflare — D1 (database), Workers (dashboard hosting), DNS, CDN. Data may be processed at any Cloudflare edge.
- Resend — sending verification + password-reset emails. They see your email address only.
- Google — if you sign in with Google, you're subject to Google's privacy policy for that step.
- Hetzner — hosts the scoring API api.fdkey.com. Your API requests transit there.
Your rights
Under GDPR you have the right to access, correct, export, or delete your personal data. Email infochvatal@gmail.com and we'll respond within 30 days. To delete your account, use the Delete account option in the dashboard.
Important note about account deletion: when you delete your account, your sign-in credentials are removed and all API keys are revoked immediately. The email address stays locked for at least 30 days to prevent the same address from signing up again to bypass monthly usage quotas. After 30 days, the next registration attempt with the same email succeeds — at which point the old account record (email, soft-delete timestamp) is purged. If no one ever tries to re-register that email, the record may persist longer; in that case email us for a full GDPR erasure and we'll handle it manually.
Security
Passwords are hashed with scrypt. API keys are stored as bcrypt + SHA-256 hashes — we cannot recover the plain key for you, only let you mint a new one. The database is encrypted at rest by Cloudflare. All data in transit is protected by TLS.
Cookies
We use one strictly-necessary cookie: a Better-Auth session cookie after you sign in. No analytics or advertising cookies.
Contact
Questions or requests: infochvatal@gmail.com