Privacy Policy

1. Who We Are

Arguably is an independent, bootstrapped project operated by its creator (“we”, “us”, or “our”) at arguably.ai. For purposes of the EU General Data Protection Regulation (GDPR) and UK GDPR, we are the data controller of your personal data. For purposes of India's Digital Personal Data Protection Act 2023 (DPDP Act), we are the Data Fiduciary. For purposes of the California Consumer Privacy Act (CCPA/CPRA), we are the business. For purposes of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25, we are the organization responsible for your personal information. Contact us at support@arguably.ai.

2. What Personal Data We Collect

We collect the following categories of data:

• Account data: your email address; if you sign in with Google, your name, profile picture URL, and Google account ID.
• Profile data: display name, username, and any profile fields you set after account creation.
• Gameplay data: the messages you send during game sessions, character responses, turn-by-turn scores, session outcomes, grades, and XP earned.
• Technical data: IP address, browser type and version, operating system, device type, screen dimensions, approximate timezone, and locale. All of this is collected automatically when you use the Service.
• Auth & session data: login timestamps, OTP attempt records, token metadata, and session activity logs used for security and fraud prevention.
• Consent records: a timestamped record of your acceptance of these policies, including the policy version, your IP address, and browser information.

3. How and Why We Use Your Data

We process your data for the following purposes and on the following legal bases:

• To provide the Service (contract performance / DPDP consent): authenticate your account, run game sessions, compute scores, and maintain leaderboards.
• To communicate with you (contract performance): send one-time login codes via email. We do not send marketing emails unless you explicitly opt in.
• To improve the Service and train our own AI models (legitimate interests): We store your in-game conversation data in masked form to analyse gameplay patterns and, in the future, to fine-tune our own AI models. This is to reduce our dependency on third-party AI APIs and improve response quality over time.
• What masking means: before any conversation is used for model training, we remove or replace all directly identifying information from the text (such as names, contact details, or any personal identifiers you may have included in your messages). The masked data is not linked back to your account. Once fully anonymised, this data falls outside the definition of personal data under GDPR, CCPA, and DPDP.
• Opt-out: you can request that your conversation data be excluded from model training at any time by contacting us at support@arguably.ai. We will flag your account and exclude your data from any future training datasets within 30 days.
• Security and fraud prevention (legitimate interests / legal obligation): detect and prevent abuse, unauthorised access, and violations of our Terms of Service.
• Legal compliance (legal obligation): retain records as required by applicable law, respond to lawful requests from public authorities.

4. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share data only with the following categories of recipients:

• Anthropic, Inc. (USA): your in-game messages are sent to Anthropic's API to generate character responses and scores. Anthropic processes this data as a subprocessor under their API usage policy and privacy terms.
• Neon, Inc. (USA): our database provider. All account, gameplay, and session data is stored on Neon's Postgres infrastructure.
• Vercel, Inc. (USA): hosts our frontend application. May process request logs including IP addresses.
• Railway Corp. (USA): hosts our backend API. Processes request logs including IP addresses.
• Resend, Inc. (USA): delivers transactional emails (login codes). Receives your email address for this purpose.
• Google LLC (USA): if you choose to sign in with Google, Google provides us with your profile data under their OAuth consent flow. Google's own privacy policy governs that interaction.
• Razorpay Software Private Limited (India): our payment aggregator. When you make a purchase, Razorpay directly collects and processes your payment details (card, UPI, netbanking, wallet). Razorpay may use this data for their own fraud prevention, analytics, and as otherwise permitted by their Privacy Policy (razorpay.com/privacy). By proceeding to payment, you are also subject to Razorpay's Terms of Use (razorpay.com/terms). We receive only a transaction confirmation. We never see your full card details.
• Legal authorities: we may disclose data where required by law, court order, or to protect the rights and safety of users or the public.

5. International Data Transfers

Arguably's infrastructure providers (listed above) are primarily located in the United States. If you are located in the European Economic Area, United Kingdom, Switzerland, India, or another jurisdiction with data transfer restrictions, your personal data is transferred internationally when processed by these providers. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards where required to legitimise such transfers. By using the Service, you acknowledge that your data will be processed outside your country of residence.

6. Cookies and Local Storage

We use a single HTTP-only, Secure, SameSite cookie to store your session refresh token. This cookie is never accessible to JavaScript and is used only to keep you logged in between visits. We do not use advertising cookies, third-party tracking cookies, or fingerprinting technologies. We do not use Google Analytics or similar analytics services. A small entry in localStorage is used temporarily to coordinate token refresh across browser tabs; it contains only a timestamp and is deleted immediately after use.

When you proceed to payment, Razorpay's checkout script loads and may set its own session and persistent cookies for payment processing, fraud prevention, and security. These cookies are set by Razorpay, not by us, and are governed by Razorpay's own Privacy Policy.

7. Data Retention

We retain your personal data for as long as your account is active. Security logs (auth events, OTP attempts) are retained for up to 12 months. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g., for fraud prevention records, which may be retained for up to 7 years). Anonymised, aggregated gameplay statistics may be retained indefinitely as they no longer constitute personal data.

Payment records: Transaction records (order IDs, payment confirmations, invoices) are retained for a minimum of 10 years as required by Razorpay's terms and applicable financial regulations in India. This applies even after account deletion.

8. Automated Decision-Making and Scoring

Arguably's game engine uses automated processing to evaluate your in-game conversations and produce scores, grades (S through F), momentum readings, and XP. These outputs affect your leaderboard position and session outcomes. This constitutes automated decision-making within the meaning of GDPR Article 22, Quebec Law 25, and similar regulations in other jurisdictions.

The scoring logic evaluates the persuasiveness, tone, and strategy of your messages in the context of each character's scenario. No human reviews individual turn scores in real time. If you believe a session outcome was incorrect or unfair, you may contact us at support@arguably.ai to request a review. We will examine the session and respond within 10 business days.

These automated decisions do not produce legal effects or similarly significant consequences outside the game. They affect only your in-game experience.

9. Your Rights

Depending on where you are located, you may have some or all of the following rights regarding your personal data. To exercise any of these rights, contact us at support@arguably.ai.

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate or incomplete data.
• Erasure (“right to be forgotten”): request deletion of your personal data. We will action deletion requests within 30 days.
• Portability: request your data in a structured, machine-readable format (applies to data processed on the basis of contract or consent).
• Restriction: request that we restrict processing of your data in certain circumstances (e.g., while a complaint is under review).
• Objection: object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
• Withdraw consent: where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Opt out of AI model training: you may request at any time that your conversation data be excluded from any future model fine-tuning. Contact us at support@arguably.ai. We will action this within 30 days.
• Automated decision-making: you have the right to request a human review of any automated score or grade, to understand the logic behind it, and to contest a result you believe is inaccurate.
• California residents (CCPA/CPRA): you have the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information. We do not sell or share your personal information with third parties for their own marketing purposes. We also honour Global Privacy Control (GPC) opt-out signals.
• Canada residents (PIPEDA / Quebec Law 25): you have the right to access your personal information, withdraw consent, and request correction or deletion. Quebec residents additionally have the right to be informed of any automated decision-making that profiles or significantly affects them, and to request human review of such decisions. You may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) or the Commission d'acces a l'information (CAI) for Quebec residents.
• India residents (DPDP Act 2023): you have the right to obtain information about processing, the right to correction and erasure, the right to grievance redressal, and the right to nominate a person to exercise rights on your behalf in the event of death or incapacity. Our Grievance Officer can be reached at support@arguably.ai.
• EU/UK residents (GDPR/UK GDPR): you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have infringed your rights.

We will respond to all verifiable rights requests within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

10. Children's Privacy

The Service is not directed at children under 13. In the EEA and UK, the Service is not directed at persons under 16 (or the applicable digital age of consent in your country). We do not knowingly collect personal data from children below the applicable age limit. If we become aware that we have collected data from a child below the applicable age, we will delete it promptly. If you believe a child has registered, please contact us at support@arguably.ai.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include HTTP-only secure cookies, hashed refresh tokens, refresh token rotation, rate limiting, and encrypted connections (TLS). No method of transmission or storage is completely secure; we cannot guarantee absolute security.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the date at the top of this page and, for material changes, notify you by email or in-app notice. If changes affect how we use your personal data in a way that requires your consent (e.g., a new purpose), we will seek your fresh consent before making those changes take effect.

13. Contact & Complaints

For privacy enquiries, data subject requests, or to reach our Grievance Officer (India / DPDP Act), contact us at support@arguably.ai. We aim to respond within 5 business days. EU and UK residents may also contact their local data protection authority if they are not satisfied with our response.