Privacy Policy

1.1 Account and Identity Information

• Email address — used to identify your account and communicate with you.
• Display name — shown within the platform.
• Password — stored exclusively as a bcrypt hash. We never store or have access to your plaintext password.

1.2 Profile Content

If you upload a profile picture, it is stored in Amazon S3 (us-east-1 region). Access is controlled through time-limited presigned URLs that expire after 7 days.

1.3 Coding Activity Data

• Code drafts — your in-progress code saved during a practice session.
• Code submissions — the final code snapshot you submit for evaluation.
• Execution results — output of your submitted code (stdout, stderr, exit code, execution time, peak memory usage).
• Chat conversations — your messages and the AI assistant's replies during a coding session.
• AI-generated scores and feedback — the overall score, per-dimension rubric scores, and written feedback for each submission.

1.4 Technical and Usage Information

• Timestamps — when your account was created, records updated, and submissions scored.
• Authentication tokens — JWT tokens (24-hour expiration) stored in your browser's localStorage. We do not use cookies for authentication.

1.5 Information We Do Not Collect

We do not collect payment information, physical address, phone number, or government-issued identification. We do not use browser cookies for tracking or advertising purposes.

• To provide the Service — authenticate your account, run code in the sandbox, deliver AI chat assistance, generate scores and feedback, and display your history.
• To improve the Service — understand usage patterns, identify technical issues, and improve platform reliability and AI quality.
• To communicate with you — respond to support requests and send Service-related notices.
• To enforce our Terms of Service — detect and prevent abuse, fraud, or violations of our acceptable use policy.
• To comply with legal obligations — respond to lawful requests from authorities where required.

We do not use your data for advertising, behavioral profiling, or sale to third parties.

We do not sell your personal information. We share information only in the following circumstances:

3.1 Third-Party Service Providers

Important note about OpenAI: When you interact with the AI chat assistant or submit code for scoring, the relevant content — including your code, conversation history, and execution output — is transmitted to OpenAI's API for processing. OpenAI's API data usage policies provide that API inputs and outputs are not used to train their models by default. We encourage you to review OpenAI's privacy policies for current terms.

3.2 Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Kruskal, our users, or the public.

3.3 Business Transfers

If Kruskal is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

All primary data — including your account information, code, chat history, submissions, and scores — is stored in a Neon PostgreSQL database hosted on AWS infrastructure in the US East (N. Virginia) region (us-east-1). Profile pictures and submission artifacts are stored in Amazon S3 in the same region.

By using the Service, you consent to the transfer of your data to and storage in the United States, which may have different data protection laws than your country of residence.

We retain your data for as long as your account is active:

• Account information, code drafts, submissions, scores, and chat history — retained for the life of your account.
• Execution results — retained as part of the submission record.
• Profile pictures — retained until you update or remove them, or your account is deleted.

Account deletion: To request deletion of your account and associated data, contact us at support@kruskal.dev. We will process requests within 30 days. Some data may be retained in backups for a limited period following deletion.

We implement reasonable technical and organizational measures to protect your information:

• Password hashing — passwords are hashed using bcrypt and never stored in plaintext.
• Encrypted transport — all data transmitted between your browser and our servers uses HTTPS/TLS.
• JWT authentication — API access requires a signed token with a 24-hour expiration.
• Code execution isolation — user code runs in Docker containers with no network access, 256 MB memory limit, and 30-second timeout.
• Presigned S3 URLs — profile pictures are accessed through time-limited URLs, not publicly accessible.
• Input validation — file paths and inputs are validated at system boundaries to prevent traversal and injection attacks.

No system is completely secure. If you suspect a security incident, contact us immediately.

We use JSON Web Tokens (JWT) to manage authenticated sessions. Your token is stored in your browser's localStorage (not in a cookie). This means:

• We do not use tracking cookies or session cookies for authentication.
• Tokens expire automatically after 24 hours.

Because localStorage is accessible to JavaScript on the page, we encourage you to use the Service only on trusted devices and to log out on shared computers.

Depending on your location, you may have certain rights:

• Access — request a copy of the personal data we hold about you.
• Correction — update your display name and email through account settings, or contact us.
• Deletion — request deletion of your account and personal data.
• Portability — request an export of your data in a common format.
• Objection / Restriction — object to or restrict certain processing activities.

To exercise any of these rights, contact support@kruskal.dev. We will respond within 30 days.

GDPR (European Users)

If you are located in the EEA, United Kingdom, or Switzerland: we process your data based on contractual necessity (to provide the Service), our legitimate interests (improving the Service, preventing abuse), and legal compliance. Your data is transferred to and stored in the United States. You have the right to lodge a complaint with your local data protection authority.

CCPA (California Users)

• We do not sell your personal information to third parties.
• You have the right to know what personal information we collect and how we use it (see Sections 1 and 2).
• You have the right to request deletion of your personal information.
• You have the right to non-discrimination for exercising your CCPA rights.

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has created an account, please contact us and we will promptly delete the relevant information.

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or through an in-app notice before the changes take effect. We encourage you to review this Policy periodically.