Who we are

PromptInjects ("we," "us") is operated by ALYNX — Inhaber: Dat Tran, Albrechtstr. 18, 45130 Essen, Germany. PromptInjects is a platform for playing and hosting prompt-injection capture-the-flag challenges. For privacy questions, contact [email protected]. Our full legal notice is on the imprint page.

What we collect

  • Account data. If you create an account, our authentication provider (Kinde) processes your email and login credentials. We receive a user identifier, your email, and display name.
  • Gameplay data. Challenges you attempt, flags you capture, message counts, solve times, ELO, and leaderboard standings. Anonymous "taste" play before login is tracked only in your browser.
  • Challenge messages. The prompts you send to a challenge model are processed by our model provider (OpenRouter and the underlying model) to generate replies. Don't put real secrets or personal data in challenge chats.
  • Hosting & event data. If you host an event, we store the event configuration, join codes, and the resulting leaderboard.
  • Payment data. Purchases are handled by Stripe. We do not store full card numbers; we receive a payment confirmation and limited billing metadata.
  • Technical data. Standard server logs (IP, user agent, timestamps) from our host (Cloudflare), and minimal in-browser storage (localStorage) for your theme preference and session tokens.

Legal basis for processing (GDPR Art. 6)

We process personal data on the following lawful bases:

  • Contract (Art. 6(1)(b)). To authenticate you, score gameplay, run hosted events, and process payments — the services you sign up for.
  • Legitimate interests (Art. 6(1)(f)). To prevent abuse, maintain security, and operate and improve the platform, where those interests do not override your rights.
  • Legal obligation (Art. 6(1)(c)). Where we are required to retain records (e.g. accounting for payment records).
  • Consent (Art. 6(1)(a)). For any optional processing we ask you to agree to; you can withdraw consent at any time without affecting processing already carried out.

How we use it

To run the product: authenticate you, score and rank gameplay, generate challenge responses, run hosted events, process payments, prevent abuse, and improve the service. We do not sell your personal data, and we do not show third-party ads.

Cookies & local storage

We do not use advertising cookies, and we do not set any first-party cookies. We use browser localStorage and sessionStorage for:

  • Essential: authentication tokens (Kinde refresh token), per-event participation grants, and PKCE OAuth state. These are strictly necessary for the service to function and are set without consent under the ePrivacy exception.
  • Preferences: your light/dark theme and currency choice. These are benign preferences stored locally on your device.

We use Cloudflare Web Analytics, a privacy-first, cookieless analytics service. It does not set cookies and does not collect personal data — it uses the browser Performance API to measure aggregate page performance. No consent banner is required for it. See Cloudflare's Web Analytics documentation for details.

Fonts are self-hosted — no requests are made to Google or any third-party font service.

Who we share data with

Only the processors needed to operate:

  • Kinde — authentication (email, login credentials).
  • Cloudflare — hosting/CDN and cookieless web analytics.
  • Stripe — payment processing.
  • OpenRouter / model providers — generating challenge replies.

Each processes data on our behalf under their own terms. We may also disclose data if required by law.

Data retention

We keep account and gameplay data while your account is active. Server logs (Cloudflare) are retained for a limited operational period. Payment records are retained as required by tax and accounting law (typically 6–10 years in Germany). Request deletion at any time and we'll remove your account data, except records we must retain for legal or accounting reasons.

Your rights

Under the GDPR (if you're in the EEA/UK) and similar laws, you have the right to:

  • Access your personal data (Art. 15).
  • Rectify inaccurate data (Art. 16).
  • Erasure / "right to be forgotten" (Art. 17).
  • Restrict processing (Art. 18).
  • Data portability (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent at any time (Art. 7(3)).
  • Lodge a complaint with your local supervisory data protection authority (Art. 77). For Germany, the competent authority is the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

To exercise any of these rights, email [email protected]. We will respond within one month.

Children

PromptInjects is not directed to children under 16, and we don't knowingly collect their data.

International transfers

Some of our providers (e.g. Kinde, OpenRouter, model providers) may process data outside the EEA, including the United States. Where required, transfers rely on appropriate safeguards such as Standard Contractual Clauses (Art. 46 GDPR) and supplementary measures.

Changes

We'll update this page when our practices change and revise the "last updated" date. Material changes will be highlighted.

Contact

Questions or requests: [email protected].
Postal address: ALYNX — Inhaber: Dat Tran, Albrechtstr. 18, 45130 Essen, Germany.