/ Summary
CodeSOTA is a benchmark site for tracking AI models, tasks, datasets, and evidence, with paid API access and custom-benchmark engagements. We collect and use data to operate the Service, protect the registry, process submissions, take payments through our Merchant of Record (Paddle), improve site quality, support analytics, run product and benchmark research, evaluate internal systems, and communicate with users where appropriate.
This Privacy Policy explains how CodeSOTA, operated by Kacper Wikiel (“we”, “us”, “our”), collects, uses, and protects your personal information when you use our website at codesota.com, create an account, or submit benchmark-related content (collectively, the “Service”).
The data controller and GDPR data protection contact for applicable data protection laws is:
Kacper Wikiel
k.wikiel@gmail.comAccount information
Name, email address, and authentication credentials managed via Clerk.
Submitted content
Benchmark results, papers, datasets, model entries, corrections, source links, comments, and other material you submit while logged in.
Review metadata
Submission timestamps, review status, moderation notes, source URLs, provenance fields, and related audit information needed to maintain the benchmark registry.
Usage data
Page views, submitted searches, endpoints used, timestamps, browser and device metadata, approximate location derived from network data, response sizes, and error rates. Used for debugging, abuse prevention, security, product analytics, service improvement, and research.
Analytics data
Usage and interaction analytics via Vercel Analytics, PostHog, and internal logs. Depending on your settings, consent choices, and applicable law, this data may be used to improve site quality, understand benchmark usage, run product research, evaluate new features, and improve internal ranking, search, evaluation, and moderation systems.
Communications and leads
Email address, message content, company or project context, requested reports, and follow-up metadata when you contact us, submit feedback, request access, or use an email capture form.
Payment and billing data
When you purchase a paid plan or engagement, payment is processed by our Merchant of Record, Paddle.com Market Limited. Paddle collects and processes your payment method, billing address, country, and tax-relevant information; we receive only the order summary, customer email, plan, amount, currency, and country (for invoicing and account provisioning). We do not see or store your full card details. Paddle's privacy notice governs the data it collects: paddle.com/legal/privacy.
Contract
Processing necessary to provide account access and logged-in submission features
Legitimate interest
Service quality improvement, benchmark integrity, product analytics, internal research, search and ranking quality, security monitoring, fraud prevention, and protection against misuse
Legal obligation
Tax records, regulatory compliance
Consent
Optional research, analytics, product feedback, training or evaluation uses, and marketing communications where consent is required
We share data with the following processors, only as necessary to operate the Service:
Clerk
Authentication and user account management
Vercel
Website hosting and analytics
PostHog
Product analytics (anonymized usage patterns)
Paddle (Paddle.com Market Limited)
Merchant of Record — handles checkout, payment processing, billing, invoicing, sales tax and VAT for paid plans and engagements
Neon
Managed PostgreSQL database for the benchmark registry and account data
Resend
Transactional email (confirmation, billing receipts, account notifications)
Duration of account + 30 days after deletion
Retained for as long as needed to maintain benchmark provenance, review history, attribution, and public registry integrity.
Retained as needed for debugging, abuse prevention, reliability monitoring, quality improvement, research, security, and legal compliance. Security and audit logs may be retained longer where necessary to protect the Service, investigate abuse, or establish, exercise, or defend legal claims.
Contact and business-development records are retained while there is an active relationship, pending request, reasonable follow-up purpose, or legal/accounting need.
Under GDPR and applicable data protection laws, you have the right to:
Access
Request a copy of your personal data
Rectification
Correct inaccurate personal data
Erasure
Request deletion of your data
Portability
Receive data in machine-readable format
Restriction
Limit how we use your data
Objection
Object to legitimate interest processing
To exercise any of these rights, email k.wikiel@gmail.com. We respond within the timeframe required by applicable law.
We may ask for information needed to verify your identity or authority before acting on a data request. If a request is complex, repetitive, excessive, unfounded, abusive, or would harm the rights and freedoms of others, we may limit the response, extend the response period, charge a reasonable fee, or decline the request where applicable law allows.
Some records cannot always be deleted immediately or completely, including benchmark provenance, public registry history, security logs, fraud-prevention records, legal/accounting records, and records needed to establish, exercise, or defend legal claims. Where appropriate, we may anonymize or de-identify attribution instead of deleting public benchmark content.
Benchmark submissions, corrections, source links, paper metadata, dataset metadata, model metadata, and moderation decisions may become part of a public or semi-public registry. Public registry records may remain visible after account deletion when retention is necessary for provenance, reproducibility, attribution, auditability, or the integrity of CodeSOTA's benchmark history.
Authentication and session management (Clerk)
Usage tracking and product analytics for site quality, reliability, search improvement, and optional research where applicable.
Some analytics or research uses may depend on your browser settings, consent choices, account settings, or other controls made available in the Service.
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), secure authentication, and access controls. No method of transmission or storage is 100% secure.
Your data may be processed outside your jurisdiction, including the United States (Vercel, Clerk, PostHog, Resend) and the United Kingdom (Paddle.com Market Limited). Where data is transferred outside the EEA, we ensure appropriate safeguards such as Standard Contractual Clauses, the UK International Data Transfer Agreement, or adequacy decisions.
The Service is not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service. The “Last updated” date at the top reflects the most recent revision.
For privacy inquiries, GDPR matters, or data subject requests:
You also have the right to lodge a complaint with your local data protection authority.
Kacper Wikiel
k.wikiel@gmail.com