Privacy Policy
FrontierCS · Eigen Labs, Inc.
EFFECTIVE DATE – July 8, 2026
This Privacy Policy explains how Eigen Labs, Inc. ("Eigen Labs," "we," "us," or "our") collects, uses, and discloses personal information in connection with FrontierCS, including the FrontierCS website, the frontiercs CLI, and related APIs (collectively, the "Platform"). By using the Platform, you agree to the practices described here.
Standalone document. This policy applies only to FrontierCS. It is separate from and does not incorporate any Eigen Labs privacy notice governing other Eigen Labs products, including mlx.fast.
1. Information We Collect
Account and identity. When you sign in with GitHub, we receive from GitHub (via Supabase OAuth): your email address, GitHub username, and GitHub avatar URL. We generate and store an internal account identifier (UUID) for your account. We do not store your GitHub numeric user ID or GitHub OAuth access token.
Competition and leaderboard data. We store: your submitted code archive (tar.gz, in Cloudflare R2); any free-form note you attach to a submission; scores and performance metrics (claimed score, measured score, per-test-case results including execution time, memory usage, and score ratio, timestamps); submission status; git commit SHAs. API keys are stored only as a hash plus a short non-secret prefix, a name, and a last-used timestamp; the secret is shown once and never stored. Session tokens are stored as a hash plus expiry.
Reasoning traces and model interaction data. If you use an AI coding agent inside a cloned challenge repository, our CLI captures that agent's full session transcript (including the model's reasoning ("thinking"), tool calls, tool results, and the working directory path) and uploads it to us, together with any other chat transcripts, prompts, and model outputs generated during that process (collectively, "Covered Data"). This is on by default; you can disable it at any time by running frontiercs trace off. We redact secrets (such as API keys and credentials) from Covered Data before upload, but the reasoning content itself is retained. Covered Data is stored as metadata in our database and as compressed transcript files in Cloudflare R2.
Technical and log data. Our API reads your IP address from edge headers to enforce rate limits; your IP address is also stored in our application database as part of rate-limiting records, each tied to an expiration timestamp. Our hosting providers (Vercel for the website, Fly.io for the API) automatically log request IP, user agent, path, status, timing, and approximate location, and this is platform-level logging outside our application code. Our API logs method, route, status, duration, request ID; on certain authentication code paths, these logs also include your email address; these logs go to Datadog. Datadog also receives aggregate metrics (counters and timings) that use non-personal tags only and do not include individual user identifiers.
Cookies. Supabase sets HttpOnly, Secure cookies to maintain your login session. We set no advertising or tracking cookies. We use Google Analytics on the website (see Section 7).
CLI telemetry. The CLI collects limited telemetry by default: CLI name and version, command name, success or error, duration, and an error code on failure. It does not collect your OS, hardware identifiers, hostname, file paths, arguments, or source code. You can disable telemetry at any time by running frontiercs config – telemetry disabled. This basic telemetry is separate from the reasoning-trace collection described above, which does include your working directory path and is controlled by a separate command.
2. How We Use Information
We use the information we collect to authenticate you; accept, evaluate, and display submissions; operate the leaderboard; enforce rate limits and prevent abuse; monitor platform reliability; send you account and submission emails; and comply with legal obligations. We use Google Analytics to understand aggregate website usage.
3. What We Make Public
The leaderboard is public. For each submission, it exposes your GitHub username, avatar URL, profile link, internal account UUID, submission note, scores and metrics, submission status, timestamps, and commit SHAs. Every submission is also pushed to a public GitHub repository branch, making your code publicly auditable. Depending on the technical evaluation process used for a given challenge, additional technical information about your submission's evaluation (such as build or execution output) may also become publicly visible as part of that process.
Git commit history: read before submitting. Every scored submission is pushed to a public branch of the challenge repository, and the associated commit includes a Co-authored-by: trailer identifying you by your GitHub username and a GitHub-generated noreply email address, not your account email or real name. If your submission is promoted to the repository's main branch, that same authorship information becomes part of the main branch's history as well. This becomes a permanent, public part of the repository's git history and visible in the GitHub UI, via the GitHub API, in all clones and forks, and in third-party git indexing services. It cannot be removed. By submitting, you explicitly consent to this disclosure. Although we do not store your GitHub numeric user ID in our database (see Section 1), it may be resolved at the time of your submission and permanently embedded in this public commit trailer's noreply email address.
Covered Data: not currently made public. Unlike your submission code, your Covered Data is collected for our internal use and is not exposed through the leaderboard, the public repository, or any other public-facing feature of the Platform; there is no public read or download path for this data. We may share Covered Data with service providers who help us process and store it (see Section 4). If we decide to publish or further license Covered Data in the future, we will update this Policy before doing so and will describe the applicable terms and any opt-out available to you at that time.
4. How We Disclose Information
We share your information only as necessary to operate the Platform:
- GitHub: OAuth identity provider; host of public submission repos and permanent commit history including Co-authored-by trailers.
- Supabase: GitHub OAuth broker, session/JWT issuer, and hosted Postgres database.
- Cloudflare R2: Storage for submitted code archives and Covered Data transcripts.
- Vercel: Website hosting; edge logs include IP and user agent.
- Fly.io: API hosting; edge logs include IP and user agent.
- Datadog: Application logs and metrics, including your email address on certain authentication code paths.
- Google LLC: Google Analytics on the website.
- Agent Compose: Eigen Labs' sandboxed code-execution system, running on Vercel's sandbox infrastructure. Executes your submitted code in an isolated, network-restricted environment during evaluation. Individual sandbox runs do not persist your submitted code beyond that run; however, workspace setup snapshots (the benchmark repository and installed dependencies, not your submission) may be retained and reused to speed up later runs.
- Google Cloud (GCP): Hosts the dedicated virtual machine that runs our evaluation judge for algorithmic challenges. The judge temporarily writes your submission's source code to that machine's local disk during evaluation; an automated process deletes this data immediately after evaluation completes. Per-case evaluation results are retained on that machine to support repeat status checks.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
5. Legal Bases (EU/UK Users)
- Contract performance: Providing the Platform, running evaluations, maintaining the leaderboard.
- Legitimate interests: Platform security, abuse prevention, debugging, aggregate analytics, and analyzing reasoning traces to improve challenge design and evaluation. We have assessed that these do not override your rights.
- Consent: Google Analytics and, to the extent required, CLI telemetry. You may withdraw consent at any time.
- Legal obligation: Where required by applicable law.
6. Retention
We retain personal information as long as your account is active or as necessary to provide the Platform, comply with legal obligations, and resolve disputes. In general: account and identity data is retained for the life of your account plus a reasonable period after deletion; submission archives and Covered Data (reasoning traces and related transcripts) are retained for as long as needed to operate the Platform and support the purposes described in this Policy absent a deletion request; leaderboard scores and metrics are retained as part of the permanent competition record; application logs are retained per our Datadog configuration for a reasonable period for operational and security purposes; CLI telemetry events are retained for a reasonable period for operational and security purposes. Submission source code is also written temporarily to the evaluation judge's virtual machine during evaluation and is deleted automatically immediately after evaluation completes; per-case evaluation results on that machine are retained to support repeat status checks; code executed inside the sandbox environment is not retained beyond the life of that ephemeral sandbox though workspace setup snapshots may persist to speed up later runs. Promotion commit history is permanent and cannot be deleted. We do not currently publish Covered Data; if that changes, we will update this Policy and describe any applicable opt-out before publication.
To request deletion of your account and personal data, contact us at notices@eigenlabs.org. We will respond within 30 days, subject to our legal obligations and the permanent nature of public git history.
7. Cookies and Tracking
Authentication cookies. Supabase sets HttpOnly, Secure session cookies. These are strictly necessary for the Platform to function.
Google Analytics. We use Google Analytics on the website to understand aggregate usage. Google Analytics uses cookies and collects IP address (subject to anonymization) and browsing behavior. You can opt out via the Google Analytics opt-out browser add-on.
We use no advertising cookies and no cross-site tracking.
8. International Transfers
Eigen Labs is based in the United States. If you are in the EEA or UK, your personal data may be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and the UK IDTA or UK Addendum as applicable, for these transfers.
9. Your Privacy Rights
EU/UK (GDPR / UK GDPR). You have rights of access, rectification, erasure, restriction, portability, and objection, and the right to withdraw consent. To exercise these rights, contact us at notices@eigenlabs.org. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
California (CCPA/CPRA). You have the right to know, delete, correct, and opt out of the sale or sharing of your personal information. We do not sell or share personal information. Contact us at notices@eigenlabs.org; we will respond within 45 days.
10. Children's Privacy
The Platform is not directed to users under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe we have done so, contact us at notices@eigenlabs.org and we will delete it promptly.
11. Changes to This Policy
We may update this policy from time to time. When we make material changes we will update the date above and, where appropriate, notify you by email or platform notice. Continued use after the effective date constitutes acceptance.
12. Contact
For questions about this policy or to exercise your privacy rights:
Eigen Labs, Inc.
600 1st Ave Ste 330 # 926277
Seattle, WA 98104-2246 · notices@eigenlabs.org