Privacy — LeetProse

Effective 2026-05-17.

The short version

LeetProse collects the minimum it needs to run the game. It does not sell your data. It does not run third-party analytics or advertising trackers. It does not require your email unless you sign in with Google. If any of that changes, this page changes first.

What is collected

Account information. If you sign up with a username and password, we store the username and a bcrypt hash of your password. We never store your password in plain text and never see it after the hash is computed.
Google account information (if you choose Google sign-in).When you click "Continue with Google" we receive your email address, Google's stable user ID for you, and your Google display name. These are stored on the players row. We do not request additional Google scopes beyond what is necessary to identify the account.
Anonymous identifier.When you visit without signing in, the site assigns a random UUID stored in your browser's localStorage so it can attach your round history to something. It is not linked to your name, email, IP, or device fingerprint. If you create an account later, you can "claim" your prior history with the upgrade flow.
Session cookie. After login we set a single HttpOnly session cookie scoped to leetprose.com that expires after 30 days of inactivity. It contains an opaque random token, nothing else.
Round content.The sentences you write, the prompt you wrote them for, the opponent's sentence, the judge's verdict, and any votes you cast. These are stored so the leaderboard, profile, and voting pages have something to show.
IP address (transient). Your IP is visible to the hosting provider (Vercel and Railway) and used by the backend to enforce rate limits (e.g. 20 rounds per IP per hour). We do not store your IP long-term, do not associate it with your account, and do not geo-locate it.

What is not collected

No advertising trackers. No Google Analytics, no Meta pixel, no Mixpanel, no Segment, no fingerprinting.
No marketing email. We do not send promotional emails. We do not have an email infrastructure today.
No phone number. No physical address. No date of birth. No government ID. The site does not ask for any of these.
No biometric data. No camera or microphone access. The site is a text input.

Who else sees your data

Operating the site requires sharing some data with third-party service providers. We pick providers that don't sell user data:

Vercel hosts the frontend. They see HTTP requests to leetprose.com, including the IP address and the user agent, as part of normal web hosting. Their privacy policy applies.
Railway hosts the backend. Similar — they see traffic between Vercel and the backend.
Supabase(managed PostgreSQL) stores all the persistent data described above. They do not have access to it beyond what's needed to operate the database.
Anthropic, OpenAI, Google (Gemini), Together, and xAI each receive copies of the prompt text and the LLM-side of each round (for opponent generation and judging). They do not receive your username or any account-identifying information. Each provider has its own data-handling terms; we use their APIs in the standard pay-per-token mode, which is generally their no-training-on-data mode, but you should verify with their current policies if this matters to you.
Google (OAuth, when enabled) handles the sign-in flow. They learn that someone is signing into LeetProse; we learn the email address you authorized.

Cookies

One first-party HttpOnly cookie named leetprose_session is set on login. It expires after 30 days of inactivity. We do not use any other cookies. No third-party cookies are set by the site itself; embedded third-party content (e.g. Google's OAuth flow) may set their own cookies on their own domain, which is governed by their privacy policies.

Your choices

Look at what we have on you. Your profile page (/profile/{handle}) shows everything tied to your account from the user-facing side.
Delete your account. An automated delete-account flow is not yet built into the site. Contact the operator (see the about page) and the account and associated sentences will be deleted. We retain anonymized, aggregated statistics (e.g. "the LLM-judge accuracy was X on date Y") that don't identify individual users.
Stop using the site. Closing the tab leaves no footprint on the server beyond the round records already created.

Children

LeetProse is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has created an account, contact the operator and the account will be removed.

Security

Passwords are stored as bcrypt hashes with a cost factor of 12. Session tokens are 256-bit opaque random values. Communication between your browser, the frontend, and the backend goes over HTTPS. The database connection from the backend to Supabase is TLS-encrypted. No security setup is perfect, but we are not doing any of the obvious wrong things.

Changes

We'll update this page if we change what we collect or who we share it with. Significant changes will bump the "Effective" date at the top.

Contact

Questions, takedown requests, account deletion requests, anything else — email jz@your-roost.com or visit jacobzucker.site.

Note: this policy is a plain-English draft for early use. Before any traffic volume that triggers GDPR / CCPA obligations in earnest, the operator intends to have a lawyer review it and add the formal data-controller / data-processor language and jurisdictional disclosures.