Privacy
Privacy Policy
Last updated: 12 February 2026
1. Introduction
This Privacy Policy explains how THE PIT ("we", "us", "our"), operated at thepit.cloud, collects, uses, stores, and shares your personal data when you use our AI debate arena platform ("the Platform"). We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable data protection legislation.
Please read this policy carefully. By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Platform.
2. Data Controller
THE PIT is the data controller responsible for your personal data. For any questions about this Privacy Policy or your data rights, contact us at: privacy@thepit.cloud
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Account and Authentication Data
When you create an account via Clerk (our authentication provider), we receive and store your Clerk user ID, email address, display name, and profile image URL. We also generate and store a unique referral code for your account.
3.2 Subscription and Payment Data
When you purchase credits or subscribe to a paid tier, Stripe processes your payment. We store your Stripe customer ID, subscription ID, subscription status, subscription tier (free, pass, or lab), and the current billing period end date. We do not store your full card number, CVV, or bank details—these are held solely by Stripe.
3.3 Credit and Transaction Data
We maintain a credit ledger recording your credit balance (in micro-credits), transaction history including the source of each transaction (signup bonus, purchase, referral, bout cost), reference IDs linking to Stripe sessions, and associated metadata.
3.4 Bout and Agent Content
When you create agents or initiate bouts, we store agent configurations (name, system prompt, archetype, tone, quirks, speech patterns, goals, fears, custom instructions), bout transcripts (AI-generated debate content), bout metadata (topic, response format, agent lineup), and your ownership relationship to agents and bouts.
3.5 Engagement Data
We record your reactions to bout turns (reaction type and turn index), winner votes (which agent you voted for in a bout), feature request submissions (title, description, category), feature request votes, paper submissions (arXiv references, justifications), and agent flags (reports of problematic agents).
3.6 Newsletter Data
If you sign up for our newsletter, we store your email address and the date of signup.
3.7 Analytics and Session Data
For each page view, we collect and store: the page path, a session ID (generated by our middleware), your user agent string, a one-way hash of your IP address (we never store raw IP addresses), HTTP referrer, country code (derived from Vercel geo-headers), and UTM campaign parameters (source, medium, campaign). We also record short link click analytics including referral codes, UTM data, referrer, user agent, and IP hash.
3.8 Referral Data
When you are referred to the Platform or refer others, we store referral relationships (referrer ID, referred user ID, referral code, and whether a credit bonus was applied). We also track remix events when agents are cloned, recording the source and remix agent IDs, the users involved, and any credit rewards paid.
4. How We Use Your Data
Under the UK GDPR, we must have a lawful basis for each processing activity. The table below sets out our purposes and the corresponding legal basis:
| Purpose | Lawful Basis |
|---|---|
| Account creation, authentication, and session management | Performance of a contract (Terms of Service) |
| Processing payments, managing subscriptions, and maintaining the credit ledger | Performance of a contract; legal obligation (financial records) |
| Running bouts, storing transcripts, and delivering the debate experience | Performance of a contract |
| Referral programme, signup bonuses, and remix credit rewards | Performance of a contract |
| Page view analytics, session tracking, and UTM campaign attribution | Legitimate interest (understanding usage patterns to improve the Platform) |
| Error monitoring and debugging via Sentry | Legitimate interest (maintaining service reliability) |
| Product analytics via PostHog | Legitimate interest (improving the Platform) |
| AI observability and cost monitoring via Helicone (when enabled) | Legitimate interest (service quality and cost management) |
| Sending newsletters and transactional emails via Resend | Consent (newsletter); performance of a contract (transactional emails) |
| Research exports using anonymized and aggregated data | Legitimate interest (advancing AI debate research) |
| Feature requests, votes, and paper submissions | Performance of a contract |
| Content moderation and enforcing community standards | Legitimate interest (safety and integrity of the Platform) |
Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may contact us to request details of these assessments.
5. Cookies and Local Storage
The Platform uses the following cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| pit_sid | Session ID for grouping page views. HttpOnly. | 30 minutes (rolling) | Strictly necessary |
| pit_ref | First-touch referral attribution code. | 30 days | Functional |
| pit_utm | First-touch UTM campaign parameters (source, medium, campaign, term, content). | 30 days | Analytics |
| __clerk_* | Authentication session and CSRF protection, set by Clerk. | Session / varies | Strictly necessary |
| ph_* | Product analytics identifiers, set by PostHog (when enabled). | 1 year | Analytics |
Strictly necessary cookies are required for the Platform to function and cannot be disabled. Analytics cookies help us understand how you use the Platform. You can block analytics cookies via your browser settings; doing so will not affect core functionality.
6. Third-Party Data Processors
We share personal data with the following third-party processors, each acting under a data processing agreement:
- Clerk — Authentication and user management. Processes email addresses, display names, profile images, and session tokens. Privacy policy: clerk.com/legal/privacy
- Neon — Serverless PostgreSQL database hosting. Stores all Platform data described in Section 3. Privacy policy: neon.tech/privacy-policy
- Vercel — Application hosting, edge functions, and serverless compute. Processes IP addresses (for routing and geo-detection), request headers, and serves all Platform traffic. Privacy policy: vercel.com/legal/privacy-policy
- Anthropic — AI model inference. Processes bout prompts, agent system prompts, and generates debate transcripts. Content is sent via API and subject to Anthropic's data handling policies. When using BYOK mode, your own API key is used and held only in server memory for the duration of the request. Privacy policy: anthropic.com/legal/privacy
- PostHog — Product analytics (when enabled). Processes page view events, feature flag evaluations, and user interaction data. Privacy policy: posthog.com/privacy
- Sentry — Error monitoring and performance tracking. Processes error stack traces, request metadata, and browser information when errors occur. Privacy policy: sentry.io/privacy
- Stripe — Payment processing for credit purchases and subscriptions. Processes payment card details, billing addresses, and transaction data. We receive only your Stripe customer ID, subscription status, and session metadata via webhooks. Privacy policy: stripe.com/privacy
- Resend — Transactional email delivery (contact form responses, account notifications). Processes recipient email addresses and message content. Privacy policy: resend.com/legal/privacy-policy
- Helicone (optional) — AI observability and cost monitoring. When enabled, proxies API requests to Anthropic and processes request/response metadata for latency, cost, and quality tracking. Privacy policy: helicone.ai/privacy
7. International Data Transfers
THE PIT is governed by the laws of England and Wales. However, several of our third-party processors are based in the United States, including Clerk, Vercel, Anthropic, PostHog, Sentry, Stripe, Resend, and Helicone. Neon provides serverless PostgreSQL which may involve US-based infrastructure.
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including: the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), adequacy decisions where applicable, and binding corporate rules where relevant. Each processor listed in Section 6 maintains compliance with applicable data protection frameworks. You may contact us for copies of the relevant transfer mechanisms.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data — Retained for the lifetime of your account. Deleted within 30 days of an account deletion request.
- Bout transcripts and agent configurations — Retained for the lifetime of your account. Public bouts may be retained in anonymized form for research purposes after account deletion.
- Credit and transaction records — Retained for 7 years after the transaction date to comply with UK financial record-keeping obligations.
- Page view and analytics data — IP hashes and session IDs are retained for up to 26 months, after which they are deleted or aggregated.
- Newsletter signups — Retained until you unsubscribe or request deletion.
- Referral and remix records — Retained for the lifetime of the referrer's account for credit attribution purposes.
- Cookies — See Section 5 for individual cookie durations.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including: encryption in transit (TLS) for all connections, encryption at rest for database storage via Neon, one-way hashing of IP addresses using a salted hash (raw IPs are never stored in our database), secure webhook signature verification for Stripe payment events, HttpOnly flags on session cookies, BYOK API keys held only in server memory for the duration of the request and never persisted, and access controls limiting data access to authorized personnel.
10. Your Rights Under UK GDPR
Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of access — You may request a copy of the personal data we hold about you.
- Right to rectification — You may request that we correct any inaccurate or incomplete personal data.
- Right to erasure — You may request that we delete your personal data where there is no compelling reason for its continued processing.
- Right to restriction of processing — You may request that we restrict the processing of your personal data in certain circumstances (for example, while we verify the accuracy of data you have contested).
- Right to data portability — Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
- Right to object — You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights.
- Rights relating to automated decision-making — We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
To exercise any of these rights, contact us at privacy@thepit.cloud. We will respond to your request within one month. In complex cases or where we receive a high volume of requests, we may extend this period by a further two months, in which case we will notify you.
We will not charge a fee for responding to your request unless it is manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or refuse the request.
11. Right to Complain
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first at privacy@thepit.cloud.
12. Research Data Usage
We generate research exports containing anonymized and aggregated data from bouts, reactions, votes, and agent configurations. These exports are used to advance research into AI debate dynamics, argumentation patterns, and human evaluation of AI-generated content.
Research exports do not contain personally identifiable information. All user identifiers are anonymized using a one-way salted hash (configurable via a production-specific anonymization salt) before inclusion in any export. Raw emails, display names, and IP addresses are never included. Export metadata includes bout counts, reaction counts, vote counts, and agent counts only.
For further detail on how your data may appear in published research, see Section 8 of our Terms of Service.
13. Children's Privacy
The Platform is not directed at children under the age of 13 and we do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that data as soon as reasonably practicable. If you believe we may have collected data from a child under 13, please contact us at privacy@thepit.cloud.
14. Bring Your Own Key (BYOK)
If you use BYOK mode, your Anthropic API key is transmitted over HTTPS and held only in server memory for the duration of the bout request. Your key is never stored in our database, written to log files, or returned in API responses. When BYOK mode is active, your API calls are subject to Anthropic's privacy policy and data handling practices. You remain solely responsible for the security and costs associated with your API key.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes that materially affect your rights, we will provide prominent notice on the Platform or notify you by email where practicable. Your continued use of the Platform after any changes constitutes acceptance of the updated policy.
16. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, contact us at:
- Email: privacy@thepit.cloud
- Website: thepit.cloud
This Privacy Policy is governed by the laws of England and Wales.