Privacy Policy
Last updated: March 2026
attacks.ai ("we", "us", "our") operates the attacks.ai website. This page informs you of our policies regarding the collection, use, and disclosure of information.
Information We Collect
We collect minimal data to operate the platform:
- User-Agent headers — To detect AI agents vs human visitors
- Session data — Anonymous session IDs, page visits, and test progress
- Submitted text — If your AI agent submits a summary or fills in a verification form, that text is stored as part of the session for analysis and report generation
- Country and datacenter — Cloudflare-provided country code (ISO 3166) and edge datacenter identifier, persisted with your scan report for aggregate analytics
- Rate-limit buckets — Your IP address is hashed into a short-lived rate-limit counter (1 hour) to prevent abuse; the raw IP is never written to D1 or to the report
- Aggregate metrics — Total sessions, detection rates, and provider statistics (anonymized)
How We Use Information
- To provide security test results and reports
- To distinguish between AI and human visitors
- To generate anonymous, aggregate benchmark statistics
- To improve probe effectiveness and reduce false positives
Data Storage & Retention
We keep data in two layers: live session data (auto-deletes after 24 hours) and anonymized reports (retained 7 to 365 days depending on your tier). Both are purged after those windows.
Session data (including any submitted text) is stored in Cloudflare KV with a 24-hour TTL. After 24 hours, session data is automatically deleted. Aggregate benchmark counters are retained permanently but contain no individual session data.
Persistent Reports (D1)
When a test session completes, an anonymized report is stored in Cloudflare D1 for 7 days (free tier), 90 days (Team), or per contract (Enterprise). These reports contain:
- Session ID, detected provider, and skin identity
- Probe results, category scores, and remediation data
- Aggregate scoring metadata (severity, finding counts)
D1 reports do not contain raw IP addresses, cookies, personally identifiable information, or raw conversation content. They do record Cloudflare-derived country code and edge datacenter for aggregate geographic analytics. Reports are used to power the public benchmark page and to improve probe accuracy over time. After the retention period, reports are automatically purged.
Data Sharing
We do not sell, trade, or rent user information. We may share data only:
- In aggregate, anonymized form (e.g., the public benchmark page)
- To comply with legal obligations
- To protect our rights or safety
Cookies
We use minimal cookies for essential functionality: a session ID cookie and an authentication cookie for the admin dashboard. We use no tracking cookies or third-party analytics.
Your Rights
You have the right to:
- Request information about data associated with your session
- Request deletion of your session data (KV auto-deletes after 24 hours; D1 reports are purged after 7 days on the free tier or 90 days on Team)
- Erase your account on demand from your account dashboard, which cascade-deletes all API keys, scans, and session reports immediately
- Opt out of testing by not sending your AI agent to the platform
Contact
Questions about this policy? Contact us at attacks@reyse.ai