Privacy Policy
1. Introduction
Rackor Labs LLC ("Rackor," "we," "us," or "our") is a Massachusetts limited liability company. We provide Rackor Model Intelligence ("RackorMI" or the "Service"), a web platform that lets you run and track large language model (LLM) benchmarks against any OpenAI-compatible model endpoint. Our marketing website is rackor.com and the application is hosted at mi.rackor.com.
This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with the Service and our websites. It applies to visitors to rackor.com, to account holders and workspace members who use mi.rackor.com, and to individuals whose information is submitted to us in connection with the Service. By using the Service, you acknowledge the practices described in this policy.
With RackorMI, you connect your own model endpoints (a base URL and API key — for example llama.cpp, vLLM, Ollama, OpenRouter, OpenAI, and other hosted providers), then choose or author versioned benchmarks and run them while keeping full transcripts, scores, and head-to-head comparisons. Rackor never resells inference or hosts models; you always bring your own endpoint and key. This policy should be read together with our Terms of Service.
The Service is also available as a free self-hosted mode via a Docker image. When you self-host, you (or your organization) operate the entire application and database on your own infrastructure, and your data stays with you. In that case, the operator of the self-hosted deployment — not Rackor — is the party responsible for the data it holds, and much of this policy (particularly the sections describing our hosted infrastructure and subprocessors) will not apply to your deployment.
2. Workspaces and roles
The Service is organized around workspaces. Where a workspace is administered by an organization (for example, your employer), that organization controls the workspace and its content, and we process workspace content on its behalf. If you are a member of such a workspace, requests concerning workspace content (benchmarks, transcripts, run results) may need to be directed to your workspace owner or admin, and we may refer your request to them. Your individual account details remain subject to your own rights under this policy.
3. Information we collect
Information you provide to us
We collect the information you and your workspace members give us directly, including:
- Account details. Your name, email address, and password. Passwords are stored only as a cryptographic hash — we never store your password in plain text.
- Workspace and organization information. Details about the workspace you create or join, its members, and their roles (owner, admin, or member).
- Billing details. Subscription plan, billing contact, and payment information. Payments are processed by Stripe (see the section on how we share information). Rackor does not store full payment-card numbers.
- Benchmark content you author. The questions, prompts, sampling settings, scorer configuration, and related materials you create or upload to run benchmarks.
- Connection settings. The endpoint URLs and API keys you supply so the Service can send prompts to the model endpoints you choose to connect.
- Communications. Information you provide when you contact us for support, respond to surveys, or otherwise communicate with us.
Information collected automatically
When you use the Service, we automatically collect certain information, including:
- Prompts and transcripts. The prompts sent to the endpoints you connect and the responses and transcripts returned from them, along with the scores and run results generated when a benchmark runs.
- Usage and log data. Records of actions taken in the Service, feature usage, timestamps, and diagnostic and error logs.
- Device and connection data. Technical information such as IP address, browser type, and similar device and network information used to operate and secure the Service.
We use only strictly necessary session cookies for authentication and security. We do not use advertising cookies or third-party analytics. See the Cookies section below.
How we protect API keys and connection secrets
We treat the endpoint URLs, API keys, and connection secrets you provide as highly sensitive. API keys and connection secrets are envelope-encrypted using AES-256-GCM and are write-only: after you save a key, only the last four characters are ever shown back to you. Connection secrets are never written to our logs, and Authorization headers and keys are redacted from any stored request or transcript.
4. How we use information
We use the information we collect for the following purposes:
- Providing and operating the Service — creating and managing accounts and workspaces, connecting your endpoints, running benchmarks, and storing transcripts, scores, and comparisons.
- Billing and account management — processing subscriptions and credit usage, calculating taxes, and maintaining billing records.
- Support and communications — responding to your requests and sending account, verification, security, and billing-related messages.
- Security, fraud prevention, and legal compliance — protecting the Service and our users, detecting and preventing abuse, and complying with applicable law.
- Maintaining and improving the Service — diagnosing problems, understanding how features are used in aggregate, and developing new features.
- Community features — publishing benchmark versions to the community as described below, consistent with your plan and your choices.
We do not use your prompts, transcripts, questions, or scores to train any models. See the next section for details.
5. Prompts, transcripts, and connected-endpoint data
RackorMI sends the prompts in a benchmark run to the endpoints you connect. Because you bring your own endpoint and API key, the provider operating that endpoint (for example, OpenAI or OpenRouter) receives the prompts you send and processes them under its own terms and privacy policy, not this one. We encourage you to review the policies of any provider you connect.
Some AI-assisted features that Rackor operates directly — such as AI-generated benchmark questions — do not use a connected endpoint. Instead, they route to a default model provider that Rackor configures, currently OpenRouter, which processes that content as our subprocessor under our agreement with it. Content sent through these features is not used to train any models.
Your customer content — including the questions, prompts, transcripts, and scores associated with your workspace — is not used to train any models. Your own transcripts and per-question results always remain visible to you and stay private to your workspace.
Community publishing
The Service includes an optional community corpus where users can share benchmark versions. Whether sharing happens automatically or only deliberately depends on your plan:
- Community-visible plans (Free, Free-with-card, and Individual). When a user publishes a benchmark version, it is automatically listed to the community. We display a notice at the point of publishing so this is clear before you act.
- Private plans (Pro and Enterprise). Sharing to the community happens only deliberately, when a workspace admin chooses to publish.
When a benchmark version is shared to the community, the following is made available:
- the prompt template and sampling defaults;
- the scorer type (but not the full scorer configuration);
- the question rows, with the answer key sealed and never published;
- the publisher's username; and
- an aggregate leaderboard.
The following is never shared to the community:
- the gold or expected answers and accepted-answer lists (the "sealed answer key");
- the full scorer configuration;
- transcripts; and
- per-question pass/fail results.
To be clear about what this means: answer keys are not published. A user's own transcripts and per-question results always stay visible only to that user and remain private to the workspace.
Unpublishing. You (or your workspace admin) can unpublish a benchmark version at any time from the Service, which removes it from the community listing. Copies that other users made while it was published may persist in their workspaces, and cached or archived copies outside our control may remain available. If you want your username removed from a past publication, contact [email protected].
6. How we share information
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We share information only in the limited circumstances described below.
Service providers (subprocessors)
We rely on a small number of vendors to operate the Service. Each processes information on our behalf and under contractual obligations to protect it:
- Cloud hosting. The application and database are hosted on Heroku (a Salesforce company) in the United States.
- Payments. Stripe processes payments and subscriptions, and Stripe Tax handles sales-tax calculation. Rackor does not store full payment-card details.
- Transactional email. Resend sends account, verification, and billing emails on our behalf.
- Default AI inference. For AI-assisted features that Rackor operates directly (such as AI-generated questions), OpenRouter routes requests to model providers on our behalf. This does not apply to the endpoints you connect yourself, which you operate under your own agreements.
We maintain a current list of subprocessors at rackor.com/legal/subprocessors and will update that page before adding or replacing a subprocessor.
Legal and safety disclosures
We may disclose information if we believe in good faith that it is necessary to comply with a law, regulation, legal process, or governmental request; to enforce our Terms of Service; or to protect the rights, property, or safety of Rackor, our users, or others. Where legally permitted, we will notify affected users before disclosing their information in response to legal process.
Business transfers
If Rackor is involved in a merger, acquisition, financing, reorganization, or sale of all or part of its assets, information may be transferred as part of that transaction, subject to this policy.
Community sharing
Where you or your workspace publish a benchmark version to the community, the limited information described in the Prompts, transcripts, and connected-endpoint data section is made available to other users, consistent with your plan and choices.
7. Cookies
We use only strictly necessary cookies — specifically, a session cookie used for authentication and security. We do not use advertising cookies, we do not use third-party analytics, and we do not engage in cross-context behavioral advertising. Because these cookies are essential to providing the Service, they are not used for tracking you across other websites, and disabling them may prevent you from signing in or using the Service.
Because we do not sell or share personal information or use cookies for tracking, browser-based opt-out preference signals such as Global Privacy Control do not change how the Service operates; there is no sale or sharing to opt out of.
8. Data retention and deletion
We retain personal information for as long as needed to provide the Service and for the legitimate and legal purposes described in this policy. Specific retention periods include:
- Transcripts are retained according to your plan: Free, 30 days; Individual, 90 days; Pro and Enterprise, 365 days. After the applicable period, transcripts are pruned. You can also delete transcripts and runs manually at any time before the retention period ends.
- Scores and aggregate results are kept for as long as the associated workspace exists, so historical comparisons remain accurate.
- Usage, diagnostic, and connection logs are retained for up to 12 months, then deleted or aggregated.
- Account and billing records are kept as needed to meet our legal, tax, and accounting obligations.
Account and workspace deletion. You can delete your account from your account settings, and a workspace owner can delete a workspace. When you do, we delete or de-identify the associated personal information within 30 days, except for records we are legally required to keep (such as billing and tax records) and limited backup copies, which are overwritten on our standard backup cycle. Benchmark versions previously published to the community are handled as described in the Community publishing section.
Self-hosted deployments keep all data under the operator's control, and the operator determines retention for that deployment.
9. Security
We use technical and organizational measures designed to protect personal information. Our primary datastore is PostgreSQL. Data in transit is protected with TLS.
Sessions are managed server-side and stored in Postgres. The session cookie carries only an opaque token; we store a SHA-256 hash of that token and never the raw token. Sessions are revocable, and a member's authority is re-derived on every request, so removing or demoting a workspace member takes effect immediately. As noted above, API keys and connection secrets are envelope-encrypted with AES-256-GCM, are write-only, and are never logged.
We maintain a written information security program consistent with the Massachusetts data-security regulations (201 CMR 17.00). If a security incident affects your personal information, we will notify you and the relevant regulators as required by applicable law, including the Massachusetts breach-notification statute (M.G.L. c. 93H).
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Customers who want to keep all data on their own infrastructure may use the free self-hosted option.
10. Your privacy rights
Depending on where you live and applicable law, you may have rights to access, correct, update, or delete personal information we hold about you, and to request a copy of certain information in a portable format. You can exercise many of these choices directly in the Service — for example, by editing your account or workspace settings or deleting your account — or by contacting us at [email protected].
We extend the core rights described in this section — access, correction, deletion, and portability — to all users of the Service, regardless of where you live. We will respond to verifiable requests within 45 days (extendable once, with notice, where the law allows). If we decline a request in whole or in part, we will explain why, and where applicable law provides an appeal process, you may appeal by replying to our response; we will answer appeals in writing within 60 days. In some cases we may need to retain certain information to comply with our legal obligations or for legitimate business purposes, such as maintaining billing records.
We will not discriminate against you for exercising any of these rights.
11. US state privacy rights (including California)
This section supplements the rest of this policy for residents of US states with comprehensive privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (the "CCPA"). Some of these laws apply only to businesses that meet certain revenue or data-volume thresholds; we honor the rights below for all US residents regardless of whether a given law applies to us.
Categories of personal information we collect
In the preceding twelve months, we have collected the following categories of personal information:
- Identifiers — such as name, email address, and IP address.
- Commercial information — such as subscription plan, credit usage, and billing records.
- Internet or other electronic network activity — such as usage, log, and device data.
- Customer content — the benchmark content, prompts, transcripts, and scores you submit or generate through the Service.
- Account credentials — a hashed password and, for connected endpoints, encrypted API keys and connection secrets.
Purposes and sources
We collect this information from you directly and automatically through your use of the Service, and we use it for the business purposes described in the How we use information section. We disclose personal information to the service providers listed in the How we share information section for those business purposes. We retain each category for the periods described in the Data retention and deletion section.
No sale or sharing; no sensitive-PI profiling
We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined by the CCPA and similar state laws. We do not use or disclose sensitive personal information for the purpose of inferring characteristics about you, and we do not engage in profiling that produces legal or similarly significant effects.
Your rights
Depending on your state, you have the right to:
- know and access the personal information we have collected about you;
- request deletion of your personal information, subject to legal exceptions;
- request correction of inaccurate personal information;
- obtain a portable copy of personal information you provided to us;
- opt out of the sale or sharing of your personal information and of targeted advertising — although, as noted, we do not sell or share personal information or engage in targeted advertising; and
- appeal a refusal to act on your request, where your state's law provides an appeal right.
We will not discriminate against you for exercising any of these rights. To submit a request, email [email protected]. We will take steps to verify your identity before acting on a request. You may use an authorized agent to submit a request on your behalf; we may require the agent to provide proof of authorization and may ask you to verify your own identity directly.
12. International users
The Service is operated from the United States, and the information we collect is processed and stored in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your jurisdiction. The Service is designed for a United States audience. If we later offer the Service in the European Union or the United Kingdom, we will add region-specific terms (such as a GDPR/UK GDPR notice) as required.
13. Children's privacy
The Service is intended for businesses and professionals and is not directed to children. You must be at least 18 years old to use the Service. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected such information, we will take steps to delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will provide advance notice (for example, by email or a prominent notice in the Service) before the changes take effect. Non-material changes take effect when posted. Your continued use of the Service after an update means you acknowledge the revised policy.
15. Contact us
If you have questions about this Privacy Policy or our privacy practices, contact us at [email protected] or by mail at:
Rackor Labs LLC
82 Wendell Lane, Ste 100
Pittsfield, MA 01201
United States