Privacy Policy
Last updated: June 13, 2026
1. Introduction
Welcome to AlgoArena ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our competitive coding, classroom, and assessment platform at https://algoarena.net. By using the platform, you agree to the practices described below.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- First name and last name
- Email address (verified via an emailed verification code)
- Username (unique identifier; publicly visible)
- Password (hashed; we never store it in plaintext)
- Self-reported skill level (used to set initial ranked Elo)
- Newsletter and notification preferences
- User type and onboarded roles (e.g. student, educator, or recruiter)
- OAuth identifiers if you sign in with Google or GitHub (including a GitHub access token if you link an account for the "Push to GitHub" feature)
Authentication, including password hashing and our optional anonymous/guest sign-in (used to join a classroom without an account), is handled by Firebase Authentication. We never see or store your password in plaintext.
2.2 Profile Information (Optional)
You may optionally provide:
- Profile picture (stored in Firebase Storage)
- Bio (maximum 250 characters)
- Location (city, state, country)
- Social links (GitHub, LinkedIn, personal website)
2.3 Coding Activity Data
We automatically collect data about your coding activity:
- All code submissions (full source code and programming language)
- Test results (passed/failed tests, runtime, memory, compile/runtime errors)
- Problem-solving history and timestamps
- Practice session data and completion times
- Accepted submission replay, timing, and final-code data used for async ghost races and post-attempt comparisons
- AI analysis requests and generated feedback
- Daily challenge streaks, quest/achievement progress, and solved-problem records
2.4 Battle, Tournament, and Puzzle Rush Data
During competitive activities we collect:
- Battle results (win/loss/forfeit/timeout) and full match history
- Ranked Elo changes and rating history
- Opponent information (username, ranked Elo, match outcome)
- Tournament participation, bracket position, and Arena Credit balances
- Puzzle Rush stats and submission records
2.5 Keystroke and Typing Pattern Data
During all coding activities (including battles, practice, puzzles, interviews, classroom quizzes, and online assessments) we automatically collect detailed keystroke timing and code-editing patterns for anti-cheat and research:
- Keystroke timing (milliseconds between key presses)
- Periodic code snapshots
- Typing patterns (speed, pauses, deletions, backspaces)
- Test-run frequency and results
- Syntax errors and debugging patterns
- Typing burst detection (rapid code insertion)
- Window focus / tab-switch signals in applicable sessions
This data is linked to your user ID and is used for platform improvement, anti-cheat detection, and research into coding behaviors.
Automated integrity and fair-play signals. We derive automated, deterministic integrity signals from the data above (for example, typing-pattern anomalies, paste detection, tab/focus signals, and solve-time checks). These can affect outcomes: in ranked play we may decline to award rating for a win that is solved implausibly fast or that exceeds a daily fair-play limit; in assessments we may surface an integrity flag for the hiring company to review. These signals are advisory inputs for fair-play and human review — they are not the sole basis for any hiring or disciplinary decision, and you may contact us to question a flag that affected you.
2.6 AI Chat, Mock Interview, and Voice Data
When you use AI features we collect and process:
- AI chat transcripts (your messages plus the model's responses)
- AI interviewer transcripts and submitted code
- Audio you record in mock interview or "Vibe" flows, which is uploaded to a transcription provider (OpenAI Whisper). We store the resulting transcript, not the raw audio, unless you explicitly retain it
- Synthesized speech text sent to our text-to-speech provider (Amazon Polly, on AWS) to produce the interviewer's voice
- Daily and weekly AI usage counters used to enforce plan limits
The Rena AI copilot available during online assessments is not stored in our database; each chat request is processed and then discarded. To generate a reply, we send the inference provider (AWS Bedrock) a short evidence summary of the session (such as candidate name, score, and activity counts) together with the most recent few chat messages.
2.7 Classroom Mode Data
When a classroom quiz is hosted or joined we store, in the session document:
- Host account identifier and display name
- Student display names or user IDs (guests may join anonymously with just a display name)
- Each student's answers, submitted code, drawing submissions, timing, and score
- Per-question and per-session aggregate stats
Guests can take part in classrooms, battles, and other activities without an account. If a guest later creates an account, the activity generated as a guest (such as match history, ranked Elo, and the keystroke data described in Section 2.5) is migrated onto the new account.
Classroom session data is only visible to the host of that session (and to the student for their own submissions). The host can view, export (CSV or PDF), or delete their session's report from the in-app debrief page.
2.8 Online Assessment (OA) Data
For candidates taking an OA, and for companies administering one, we collect:
- Candidate session state: code, answers, timings, navigation, and anti-cheat events
- An audit log of meaningful session events
- Uploaded "explain video" recordings (stored in Firebase Storage) and the machine-generated transcript
- Company profile, membership, invitations, and entitlement records
- Institution bundle entitlements and invitations, where applicable
- Webcam proctoring (off by default; only when the hiring organization enables it and you grant camera access): periodic still images from your webcam — by default about one every 60 seconds, capped at 120 per session, stored as JPEG snapshots rather than continuous video — with a timestamp. These snapshots are for the hiring organization to review manually; we do not run facial recognition or automated face analysis on them.
- An optional identity photo you upload at the start of the assessment to confirm your identity.
Webcam proctoring is configured by the company or institution administering the assessment and only runs after you grant camera access in your browser. Company administrators can see their own candidates' submissions, transcripts, and proctoring snapshots. We do not share your OA activity with other companies.
2.9 User Preferences
We store preferences such as:
- Battle invitation settings, match and rank notifications
- Forfeit confirmation and opponent-progress display
- Practice timer and default programming language
- AI interviewer preferences (gender, voice, mode)
- Theme, accessibility, and editor settings
2.10 Device, Technical, and Network Information
We automatically collect:
- IP address (used for rate limiting, referral deduplication, and abuse prevention)
- Browser type and version, user agent
- Screen resolution and device type (desktop, mobile, tablet)
- Operating system and referring website
- Firebase Cloud Messaging (FCM) push-notification tokens, where you enable push notifications
2.11 Payment Information
Payment processing is handled by Stripe. We do not store your full credit card information on our servers. We store your Stripe customer ID, subscription tier, billing status, and the metadata Stripe returns via webhook. Stripe's privacy policy governs the handling of your payment information.
2.12 Newsletter, Email, and Notifications
We collect and store:
- Email subscription preferences (general newsletter, performance digest)
- Subscription source (account creation, landing page, dashboard)
- Subscription timestamps and status
- Unsubscribe tokens used to manage preferences without signing in
- In-app notification and delivery records
2.13 Referral Program Data
If you participate in the referral program, we store your referral code, your referral count, reward status, and the signup IP address of each referred account. IP addresses are used solely to prevent self-referral and other abuse.
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve our services and features
- Create and manage your account
- Facilitate battles, matchmaking, classroom sessions, and assessments
- Calculate and maintain ranked Elo ratings and leaderboards
- Detect cheating, abuse, and enforce fair play
- Process payments, manage subscriptions, and administer entitlements
- Send you notifications about battles, classroom sessions, challenges, and platform updates
- Respond to your comments, questions, and support requests
- Send marketing and promotional communications where you have opted in
- Analyze usage patterns, conduct research, and improve user experience
- Comply with legal obligations
4. Sharing Your Information and Third-Party Services
We do not sell your personal information. We may share information with service providers that help us operate the platform, and with other users where the feature is inherently public. Key providers:
4.1 Public Information
Your username, profile picture, ranked Elo, battle history, and aggregate coding statistics are visible on leaderboards and your public profile. Classroom session data, OA submissions, and private chats are not made public.
Accepted practice and battle submissions may also be used as async ghost races. Ghost opponents show race progress while active; stored replay and final-solution details may be shown after another user attempts or races that ghost.
4.2 Third-Party Service Providers
Firebase / Google Cloud Platform
Authentication (including anonymous/guest auth for classroom joins), Firestore, Cloud Functions, Cloud Storage (avatars, OA explain videos), Cloud Messaging, Analytics.
Data shared: all persisted user data, uploaded files, device tokens.
Stripe
Payment processing for subscriptions and webhook events.
Data shared: email, name, payment information (handled directly by Stripe).
SendGrid (Twilio)
Transactional email, verification codes, contact-form delivery, newsletters, and classroom/OA invitation emails.
Data shared: email address, name, message bodies, preferences.
Hermes (tryhermes.dev)
Lifecycle and re-engagement email automation (onboarding, retention nudges, and product updates).
Data shared: email address, name, and engagement signals used to time and personalize messages.
DeepSeek AI
Code analysis, AI chat tutor, classroom quiz generation, OA auto-grading, and interviewer reasoning.
Data shared: prompts, code, chat messages, and problem context.
OpenAI
Whisper speech-to-text (mock interview, "Vibe") and text-to-speech. OpenAI is not used for chat/code inference.
Data shared: recorded audio (for transcription) and TTS text.
Anthropic (Claude)
Chat completions and rubric-based grading for selected models. Inference is typically routed through AWS Bedrock.
Data shared: prompts, code, and rubric text.
Google Generative Language (Gemini)
Chat completions for selected models and speech-to-text for OA explain videos.
Data shared: prompts, code, signed URLs to uploaded explain videos for transcription.
Amazon Polly (AWS)
Text-to-speech for the AI interviewer voice (runs inside AWS).
Data shared: interviewer line text.
Serper (Google Search)
Web search tool used by AI features to ground answers.
Data shared: the search query issued by the AI on your behalf.
Google Cloud Vision (Safe Search)
Automated moderation of uploaded images.
Data shared: the image being moderated.
OneCompiler (via RapidAPI)
Code execution engine used across battles, practice, classroom, and OA (replaces earlier Judge0 integration).
Data shared: submitted code, stdin, expected output, and language.
GitHub OAuth
Optional sign-in and linking to a GitHub account.
Data shared: OAuth authorization code for token exchange; resulting access token is stored server-side.
Redis (managed)
Low-latency queues for realtime matchmaking and Puzzle Rush pairing.
Data shared: user ID and ephemeral matchmaking state.
Vercel Analytics
Website usage analytics and performance monitoring.
Data shared: page views, performance metrics, anonymous usage patterns.
AWS Bedrock
Managed inference endpoint used to route a range of models (such as DeepSeek, Qwen, Llama, Mistral, Gemma, Amazon Nova, and Claude) through Amazon Web Services.
Data shared: prompts, code, and the system and user messages sent for inference.
AWS Rekognition and Sightengine
Additional automated image-moderation providers used alongside Google Cloud Vision.
Data shared: the image being moderated.
WorkOS
Enterprise single sign-on (SAML/OIDC) for online-assessment company users.
Data shared: SSO credentials and company identity and connection metadata.
Cloudflare Turnstile
Bot and CAPTCHA verification on certain invitation and billing flows.
Data shared: a verification token and IP address.
Cal.com
Optional scheduling embed for booking a demo or meeting (only where enabled).
Data shared: contact information you provide for a calendar invitation.
Each of these providers has its own privacy policy. We encourage you to review them.
AI training: the AI providers we use process your prompts, code, and related context only to generate a response for you, and do not use that data to train their models. Where we route inference through AWS Bedrock, your data is processed within our cloud environment and is not shared with the underlying model providers for training.
4.3 Analytics and Tracking
We use Firebase Analytics and Vercel Analytics for usage tracking and performance monitoring. These services may use cookies and similar technologies.
4.4 Legal Requirements
We may disclose information if required by law or in response to valid requests by public authorities, court orders, or legal process.
5. Data Security
We use industry-standard technical and organizational measures to protect personal information, including TLS in transit, Firebase security rules, server-side admin enforcement for sensitive reads, and redaction of submitted code from non-host callers of classroom endpoints. No method of internet transmission or electronic storage is 100% secure; while we work hard to protect your information, we cannot guarantee absolute security.
6. Data Retention
We retain information for as long as your account is active or as needed to provide the service. Some categories — including behavioral, keystroke, anti-cheat, audit, and match data — are retained indefinitely, including after you delete your account, for integrity, security, research, and product-improvement purposes. Specific retention rules include:
- Challenge / invitation links: expire automatically after their configured TTL (typically 24 hours).
- Mock interview conversations: deleted when you clear them or when triggered by our cleanup endpoint.
- Puzzle Rush matches: abandoned matches are resolved and stats are written by a cleanup job.
- Classroom sessions: retained on the host's account until the host deletes the session from the in-app debrief page or requests deletion.
- OA sessions, transcripts, and explain videos: retained per the hiring company's or institution's configured retention policy.
- Audit logs and anti-cheat data: retained indefinitely for security, integrity, and research purposes, including after account deletion.
- Keystroke and typing data and battle/match history: retained indefinitely, including after your account is deleted, for integrity, anti-cheat, research, and product-improvement purposes. We do not run automated time-based deletion for these categories.
- Webcam snapshots (proctored assessments): owned by the hiring company or institution and retained per their configured retention policy — independent of whether you delete your AlgoArena account — and in any case destroyed when the assessment's purpose is satisfied or within 3 years of last activity, whichever comes first, consistent with applicable biometric-privacy law.
You can request deletion of your account and associated data at any time as described below (subject to the legal and anti-cheat exceptions noted in Section 7). To have us action a deletion on your behalf, email contact@algoarena.net.
7. Your Privacy Rights
You have the following rights regarding your personal information:
- Access: request a copy of your data, including code submissions, battle history, classroom and OA activity, and keystroke data.
- Correction: update your information in account settings.
- Deletion: request deletion of your account. Deleting your account removes your login and profile, but behavioral and keystroke telemetry, anti-cheat evidence, audit logs, match history, and financial records are retained indefinitely for integrity, security, research, and legal purposes. Proctoring data (webcam snapshots) from assessments you took is owned by the hiring company or institution and retained per their policy, as described in Section 6.
- Opt-out: unsubscribe from marketing emails at any time via the unsubscribe link or in account settings.
- Data portability: request your data in a portable format (JSON or CSV).
- Newsletter management: control general newsletter and performance digest preferences separately.
- Object to processing: you may object to specific types of processing, though this may limit platform functionality.
To exercise these rights, email us at contact@algoarena.net. We will respond within 30 days.
8. Cookies and Tracking Technologies
We use cookies and similar technologies for:
- Essential: authentication, session management, core platform functionality.
- Analytics: Firebase Analytics and Vercel Analytics, to understand how the platform is used.
- Preference: remembering theme, language, editor and notification settings.
When you first visit, we show a cookie banner where you can choose "Accept All Cookies" or "Reject Non-Essential." Your choice is stored locally in your browser. If you reject non-essential cookies, we disable our analytics cookies (Firebase / Google Analytics); essential cookies needed for sign-in and core functionality remain active. You can also configure your browser to refuse cookies, but some features (particularly sign-in and personalized features) may not work.
9. Children's Privacy
The platform is not intended for children under 13. We do not knowingly collect personal information from children under 13; if you believe we have, please contact us immediately and we will delete it. Educators who use Classroom Mode with students under 13 are responsible for obtaining appropriate parental consent in their jurisdiction (e.g. COPPA in the United States) and for complying with applicable school record laws (such as FERPA). If a school wishes to require a data-processing addendum, please contact us.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence (including the United States), which may have different data-protection laws. When we transfer the personal data of users in the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, we rely on recognized legal transfer mechanisms — in particular the European Commission's Standard Contractual Clauses (together with the UK International Data Transfer Addendum and the Swiss equivalents, where applicable) — as incorporated into the data-processing agreements we have with our cloud and AI providers (including Google, AWS, OpenAI, and Vercel).
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date and, for material changes, provide additional notice. You are encouraged to review this page periodically.
12. Contact Us
If you have any questions about this Privacy Policy, please contact us:
Email: contact@algoarena.net
Website: https://algoarena.net