Privacy Policy

Agent Torture Lab crash tests customer-facing AI agents and hands back a report. To do that we handle a small amount of data about the bot you ask us to test. This page explains, in plain English, what we collect, why, how long we keep it, and how to get it deleted.

This is a plain-language summary, not a substitute for legal advice. It should be reviewed by qualified legal counsel before you rely on it.

What we collect

When you run an anonymous Bot Roast, we collect only what you submit and the minimum we need to run the test:

  • The target you give us: the website URL or API endpoint of the bot you want tested, or a transcript you paste in.
  • Business-context text you provide so the test scenarios fit your bot (for example its rules, pricing, or scope).
  • The industry you select (or ask us to detect automatically).
  • An optional email address: used only to send your Stripe payment receipt if you get a paid report. We do not send marketing to it.
  • A salted hash of your IP address: we store a hashed form, not your raw IP address. We use it only to rate-limit abuse of the testing runner.
  • The transcript of the test: the messages our simulated customer exchanged with your bot, which become the evidence in your report.

How we use it

We use what you submit to run the adversarial test against the bot you authorised, to build your launch report (findings, severity, evidence, and recommended fixes), and to keep the service safe. For example, the salted IP hash is used only to throttle repeated runs against the same target so the runner cannot be turned into an abuse tool. We do not sell your data, and we do not use your submissions to advertise to you.

Cookies & analytics

We use Google Analytics to understand which pages are useful and how people find us. Google Analytics sets cookies in your browser, including _ga and cookies prefixed with _ga_, to measure visits. These analytics cookies are not required for the product to work, and we do not use them to identify you personally.

We also use Vercel Analytics for aggregate, privacy-friendly page-view measurement. It does not set cookies on your device and is not used to identify you personally.

You can opt out of Google Analytics at any time by blocking cookies in your browser, using the Google Analytics opt-out, or sending us a deletion request at the address below. Vercel Analytics is cookieless and records only aggregate page views. There is no per-visitor profile to opt out of. We are working toward a consent control that gates the Google Analytics cookies before they are set; until that ships, the opt-out methods above apply.

Payment processing

Paid reports are processed by Stripe. When you pay, Stripe handles your card details directly. We never see or store your full card number. Stripe returns to us only what we need to open your report (such as the payment status and, if you provided one, the receipt email). The operating entity for billing is BiteRight Ltd (Cyprus). Stripe's own handling of your payment data is governed by Stripe's privacy policy.

Where your data is stored

Data is hosted on Supabase, our database and infrastructure provider. Access to anonymous roast data is restricted to the service and the private link issued for your report.

Data retention

Anonymous Bot Roast sessions, including the submitted target, context text, and the test transcript, are retained for 14 days, after which they are expired and purged. Your private report link stops working once the session expires. We keep the minimum payment records Stripe requires us to retain for accounting and tax purposes.

Account & workspace data

If you create an account, we also process the data needed to run authenticated workspaces: your account email, the projects and audit runs you create, and the transcripts and reports those runs produce. Unlike anonymous roasts, account data has no fixed expiry. It is retained for the life of the workspace and project. To delete a project, a workspace, or your whole account, email us at the address below and we will remove it; removing a project or workspace also removes all of its transcripts, reports, and derived data. Account data is tenant-scoped: a workspace can only read its own rows.

Your rights

You can ask us to confirm what we hold about a roast you ran, and you can ask us to delete it before the 14-day window ends. To request access or deletion, email us at the address below and include the report link or enough detail to identify the session. Because anonymous roasts are not tied to an account, we may need the report link to locate your data.

Governing law

We intend this policy to be governed by the laws of Cyprus and applicable EU data-protection law, consistent with the operating entity BiteRight Ltd. This is to be confirmed with legal counsel.

Contact

Privacy questions or a deletion request? hello@agenttorture.com