Privacy Policy
Last updated: April 21, 2026
1. Introduction & Scope
At Self Play Lab ("SPL", "we", "our"), we understand that privacy and data sovereignty are paramount, particularly when handling proprietary research and frontier machine learning models. This Privacy Policy details how we collect, process, store, and protect your personal and organizational data when you interact with our website, infrastructure, APIs, and associated services (collectively, the "Services").
2. Data We Collect
To provide scalable RL infrastructure and robust APIs, we collect data across three primary categories:
Customer & Account Data
- Identity Data: Name, email address, and authentication credentials (e.g., via GitHub OAuth).
- Billing Data: Payment processing details, billing addresses, and subscription tiers (processed securely via our PCI-compliant payment partners).
- Profile Data: Organization name, team size, and primary AI research focus areas.
API & Payload Data (Customer Content)
- Inputs: Prompts, environment configurations, verifier logic, and datasets submitted to our APIs.
- Outputs: The trajectories, rollouts, policies, and text generated by our systems in response to your Inputs.
- Metadata: API request timestamps, latency metrics, token consumption, and endpoint routing data.
Telemetry & Diagnostic Data
- Device & Network Information: IP addresses, browser types, and OS versions used to access the dashboard.
- Usage Logs: Interactivity metrics on our web platform to help us improve user experience and detect anomalous behaviors.
3. Our Stance on AI Model Training
We do not train on your private data by default. Unless you explicitly opt in or are using a specifically designated free/research tier, SPL does not use your Inputs or Outputs (Customer Content) to train, fine-tune, or improve our core foundational models.
Customer Content is processed strictly to deliver the immediate API response and fulfill the requested compute workload, and is temporarily retained only as necessary for abuse monitoring, debugging, and providing your historical dashboard logs.
4. How We Use Your Data
We utilize the collected data strictly for the following operational purposes:
- Service Delivery: To authenticate API requests, route workloads, and deliver the compute required for your RL environments.
- Billing & Accounting: To accurately meter token usage, rollout attempts, and apply appropriate subscription charges.
- Security & Abuse Prevention: To actively monitor our infrastructure for DDoS attacks, malicious payloads, and violations of our Acceptable Use Policy.
- Communication: To send essential transactional emails (e.g., API key rotation alerts, quota warnings) and occasional product updates (which you can opt out of).
5. Data Security & Infrastructure
Protecting your research and intellectual property is critical. SPL implements robust, enterprise-grade security measures:
- Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
- Access Controls: Internal access to infrastructure is strictly gated by role-based access control (RBAC), SSO, and multi-factor authentication.
- API Key Protection: We store only cryptographic hashes of your API keys. We cannot retrieve or view your raw keys after generation.
6. Data Sharing & Subprocessors
We do not sell, rent, or broker your personal or organizational data. We share data only with vetted third-party subprocessors essential to operating our Services (e.g., cloud hosting providers like AWS/GCP, payment gateways like Stripe, and email delivery services). All subprocessors are bound by strict Data Processing Agreements (DPAs).
We may also disclose data if legally required to do so by a valid subpoena, court order, or regulatory mandate, provided we notify you first (unless legally prohibited).
7. Data Retention & Deletion
We retain Customer & Account Data for the duration of your active relationship with SPL. API & Payload Data is retained dynamically based on your workspace settings (e.g., 30 days for debugging logs) and then permanently deleted. If you terminate your account, we will purge all associated personal data and API history within 30 days, retaining only anonymized billing records as required by tax laws.
8. International Data Transfers
SPL's compute clusters and databases are primarily located in the United States. By using our Services, you consent to the transfer, storage, and processing of your data in the US. For users in the European Economic Area (EEA) or UK, we rely on Standard Contractual Clauses (SCCs) to ensure lawful data transfers.
9. Your Privacy Rights
Depending on your jurisdiction (e.g., under GDPR or CCPA), you possess specific rights regarding your data:
- The right to access and obtain a copy of your personal data.
- The right to rectify inaccurate or incomplete records.
- The right to request erasure ('Right to be Forgotten') of your account and data.
- The right to restrict or object to certain processing activities.
To exercise these rights, please submit a request to hello@selfplay.computer. We will process your request within 30 days.
10. Contact Information
If you have any questions, concerns, or feedback regarding this Privacy Policy or our data security practices, please reach out to our Data Protection team at: