Privacy Policy
Last updated: April 25, 2026. This privacy policy explains how SupraBench processes personal data under the EU General Data Protection Regulation (GDPR).
1. Controller
Controller within the meaning of Article 4 (7) GDPR:
Florian Fischer, Steig 4, 88167 Grünenbach, Germany
Email: suprabench.editor887@passmail.com
2. Scope of this policy
This policy applies to the website suprabench.com (the “Service”). SupraBench is a community platform that ranks publicly available AI benchmarks and models. We intentionally collect as little personal data as possible.
3. Data we process
3.1 Server access data (log files)
When you visit SupraBench, our hosting providers (static files: Cloudflare Pages; edge/proxy: Cloudflare Workers; backend: Convex, Inc.) automatically collect standard server log data such as IP address, timestamp, browser user agent, and the requested resource. This data is required for the technical delivery of the website and for security (e.g. abuse prevention).
- Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in a secure, functional website.
- Retention: Logs are retained for the period defined by the respective hosting provider (typically up to 30 days).
3.2 Account data (when you sign in)
You can optionally sign in using Google Sign-In (OAuth 2.0) to contribute benchmark scores, vote and rate. When you sign in we receive from Google: your Google account’s name, email address, profile picture URL, and a provider-issued unique identifier. We store this information in our database (Convex) together with a user ID.
- Legal basis: Art. 6 (1) (b) GDPR — performance of the contract of use (i.e. letting you create and manage an account).
- Retention: Until you delete your account or request deletion (see Section 8).
- Recipients: Google Ireland Limited (identity provider); Convex, Inc., USA (backend/database provider, acting as processor under Art. 28 GDPR).
3.3 Contribution data
When you submit a benchmark score, rate a benchmark quality dimension, vote on a submission, add a tag, or add a model or benchmark entry, we store the content you provided together with your user ID, a timestamp and the source URL. This data is public by design — SupraBench is an open community platform.
- Legal basis: Art. 6 (1) (b) GDPR.
3.4 Authentication storage (localStorage)
If you sign in, we store a JWT session token and refresh token in your browser’s localStorage (no third-party cookies). This storage is strictly necessary to keep you signed in and does not require consent under § 25 (2) TTDSG / ePrivacy Directive. We do not use cookies or localStorage for analytics, advertising, or cross-site tracking.
3.5 What we do NOT use
- No analytics (no Google Analytics, no Plausible, no Matomo, etc.)
- No advertising networks, no retargeting pixels
- No social share trackers
- No fingerprinting
4. Third parties and international transfers
4.1 Google Sign-In
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you click “Sign in with Google”, you are redirected to Google. Google’s own privacy policy applies: https://policies.google.com/privacy. Transfers to the United States are protected by the EU–U.S. Data Privacy Framework (Art. 45 GDPR) and/or Standard Contractual Clauses (Art. 46 GDPR).
4.2 Convex (backend / database)
Provider: Convex, Inc., 2261 Market Street #4085, San Francisco, CA 94114, USA. Convex acts as our data processor under Art. 28 GDPR and stores account and contribution data on our behalf. Transfers are safeguarded by Standard Contractual Clauses (Art. 46 GDPR).
4.3 Fontshare (Clash Display font)
Fonts are loaded from Fontshare (Indian Type Foundry, India). Your browser requests these font files directly from Fontshare’s CDN, which will see your IP address. We chose Fontshare because it does not require an API key and does not set any cookies. Legal basis: Art. 6 (1) (f) GDPR — design and typography.
4.4 GitHub (Discussions/Comments via Giscus)
The SupraBench source code is hosted on GitLab (gitlab.com/florian-fischer-group/suprabench); visiting GitLab is governed by GitLab Inc.'s own privacy policy. GitHub is contacted by your browser only because we embed Giscus, a third-party widget that maps benchmark and submission comment threads onto a public GitHub Discussions repository. When the comment widget loads, your browser sends a request to giscus.app and to github.com, which receive your IP address. To leave a comment you must sign in with your GitHub account; authentication and content storage are handled entirely by GitHub. Provider: GitHub B.V., Vijzelstraat 68-72, 1017 HL Amsterdam, Netherlands (a subsidiary of Microsoft Corporation). Legal basis: Art. 6 (1) (f) GDPR — community discussion functionality without operating our own moderation infrastructure.
4.5 Stripe (payment processing — for the planned API service)
Provider: Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland ("Stripe"). When you subscribe to a paid API tier, Stripe processes your payment and tax data (name, billing address, email, payment instrument tokens, VAT-ID where provided). Stripe acts as an independent controller for fraud prevention and as our processor for processing the subscription on our behalf. Transfers to the United States (Stripe, Inc.) are safeguarded by Standard Contractual Clauses (Art. 46 GDPR) and the EU–U.S. Data Privacy Framework where applicable.
- Legal basis: Art. 6 (1) (b) GDPR — performance of the paid subscription contract.
- Retention: As required by tax and commercial law (typically 10 years for invoices, § 147 AO).
- Stripe privacy policy: https://stripe.com/privacy.
5. Cookies and similar technologies
SupraBench does not set any cookies. We only use browser localStorage, and only for the strictly necessary purpose of keeping logged-in users signed in (see Section 3.4). Under § 25 (2) no. 2 TTDSG, consent is not required for strictly necessary storage.
6. Your rights under the GDPR
- Access (Art. 15): you may request a copy of the personal data we hold about you.
- Rectification (Art. 16): you may ask us to correct inaccurate data.
- Erasure / “right to be forgotten” (Art. 17): you may ask us to delete your account and associated data.
- Restriction (Art. 18) and objection (Art. 21) to processing based on legitimate interests.
- Data portability (Art. 20): you may ask for a machine-readable export of data you provided.
- Withdrawal of consent (Art. 7 (3)): where processing is based on consent, you can withdraw it at any time with effect for the future.
- Right to lodge a complaint (Art. 77) with a supervisory authority. In Germany the competent authority is usually the Data Protection Authority of the federal state in which you reside. For us (Bavaria): Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach.
To exercise any of these rights, email suprabench.editor887@passmail.com. We will respond within one month (Art. 12 (3) GDPR).
7. Public contributions
Please remember that content you submit (model names, benchmark names, tags, scores, source URLs, votes, comments) is published publicly on the Service and can be indexed by search engines. Do not submit personal data you do not wish to disclose. You are responsible for ensuring that content you submit does not infringe third-party rights.
8. Account deletion
You can request deletion of your account and associated personal data at any time by sending an email to suprabench.editor887@passmail.com. Note that contributions (scores, ratings, tags) will be retained in anonymised form to preserve the integrity of the public ranking system; your user ID will be replaced with a neutral placeholder.
9. Data security
We use TLS encryption for all connections. Our processors (Convex, Google) provide state-of-the-art technical and organisational security measures.
10. Changes to this policy
We may update this policy to reflect changes to our service or to applicable law. The date at the top indicates the most recent revision. Material changes will be announced on the site before they take effect.