Privacy Policy
Last updated: Jun 1, 2026
Who we are
ALPAR AI is operated by a small independent team committed to transparency. We act as an intermediary platform hosting community-submitted reports about AI systems.
What we collect
- Account: email, name (optional), avatar (optional), role. We use Supabase Auth with magic link or Google OAuth.
- Submissions: incident reports, suggestions, takedown requests, evidence files you upload.
- Technical: IP address (hashed for rate limiting), browser type, referrer, timestamps. No advertising trackers.
- Cookies: essential session cookies (Supabase) and one localStorage key to remember your cookie consent.
What we do NOT collect
- No advertising identifiers, cross-site trackers, or retargeting pixels.
- No analytics that profile individual users. If we add privacy-friendly analytics, this page will be updated.
- No personal data of third parties. PII Guardian masks emails, phones, TC IDs, and credit cards before storage.
PII Guardian
All free-text submissions pass through an automated PII detection layer that redacts emails, phone numbers, Turkish national IDs, IBANs, credit cards, and API keys before they reach our database. You can review the full pattern list in our open-source repository.
Your rights (KVKK Art. 11 & GDPR Art. 15-22)
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion (right to be forgotten).
- Object to processing or restrict it.
- Receive your data in a machine-readable format (data portability).
- Lodge a complaint with the Turkish KVKK or your local data protection authority.
Legal basis
We process your data on the basis of legitimate interest (operating a public accountability platform) and your explicit consent (marketing emails, cookies). Account data is processed for contract performance.
Retention
- Account data: until you delete your account.
- Published incidents: indefinite (public record).
- Rejected submissions: 90 days, then deleted.
- Audit log: 2 years.
- Backups: 30 days rolling.
Sub-processors
- Supabase (eu-west-1): database, auth, storage.
- Vercel (fra1): hosting and edge functions.
- Upstash (eu-west-1): rate limiting.
- Google OAuth: sign-in provider. Google may process data outside the EEA under their own policies.
International transfers
We host primary data in the EU (Supabase eu-west-1, Vercel fra1). When you sign in with Google, your data may be transferred to the US under Google's Standard Contractual Clauses. We make no other cross-border transfers.
Children
The Platform is not intended for children under 18. We do not knowingly collect data from minors. If you believe a minor has submitted data, contact us and we will delete it.
Changes to this policy
We will notify you of material changes by email and by posting a notice on the Platform at least 14 days before they take effect.
Contact
Our postal address will be disclosed on the Imprint page once the legal entity is registered.