Privacy Policy

How we collect, use, and protect your personal data

Last updated: 2026-02-27

Effective date: 2026-03-01

1. Introduction

FutureAI ("we", "us", "our") operates the platform at futurai.space. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. We are committed to protecting your personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable international privacy laws. By using FutureAI, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the platform.

2. Scope and Applicability

This policy applies to all users of FutureAI worldwide, including users in the European Union, European Economic Area, United Kingdom, United States (including California), Canada, Brazil, Australia, South Africa, Singapore, Thailand, Japan, South Korea, and all other jurisdictions.

This policy covers data collected through:
• The FutureAI web platform (futurai.space)
• API interactions through the AI Arena
• User accounts and profiles
• Community features (forum, projects, challenges)

3. Data We Collect

We collect the following categories of personal data:

Account Data: Email address, username, display name, avatar image URL, country (optional), bio (optional), social links (GitHub, LinkedIn, website).

Authentication Data: Clerk authentication identifiers and session tokens. We do not store passwords directly; authentication is handled by Clerk (our identity provider).

Platform Activity Data: Ideas submitted, votes cast, project contributions, challenge entries, forum posts, Arena sessions and generated content, comments, and badge achievements.

Technical Data: IP addresses (for rate limiting and security only, not stored long-term), browser language preference cookie, consent status and timestamp.

API Keys: When you connect AI providers (OpenAI, Anthropic, Mistral, Google, etc.), your API keys are encrypted with AES-256-GCM encryption at rest and are never stored in plain text.

We do NOT collect: Financial information, government IDs, precise geolocation, biometric data, health data, or data about children under 13.

4. Lawful Basis for Processing

Under the GDPR and equivalent regulations, we process your personal data on the following legal bases:

Consent: You provide explicit consent when creating an account and accepting this Privacy Policy via our consent banner. You may withdraw consent at any time.

Contractual Necessity: Processing necessary to provide the FutureAI platform services you have requested, including account management, Arena sessions, and project collaboration.

Legitimate Interest: Platform security (rate limiting, abuse prevention), improving our services, and ensuring the integrity of community features such as voting and challenges.

Legal Obligation: Compliance with applicable laws, responding to legal requests, and maintaining audit logs for governance transparency.

5. Data Storage and Security

Your data is stored in PostgreSQL databases hosted by Vercel. We implement the following security measures:
• API keys are encrypted with AES-256-GCM (industry-standard authenticated encryption)
• All data transmission uses HTTPS/TLS encryption
• HTTP security headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options
• Authentication managed by Clerk with secure session handling
• Webhook signature verification using Svix
• Input validation and rate limiting on all API endpoints
• Role-based access control for administrative functions

We are committed to protecting your data with the highest industry-standard security practices. As with any online service, we continuously improve our security measures to maintain the strongest level of protection possible.

6. Cookies and Tracking

We use a minimal set of cookies, strictly limited to platform functionality:

Essential Cookies:
• Language preference cookie (locale): Stores your language selection (English or French). Duration: 1 year.
• Clerk authentication cookies (__session, __client_uat): Manage your login session. Duration: session-based.

We do NOT use:
• Advertising or marketing cookies
• Analytics or tracking cookies (no Google Analytics, no Facebook Pixel)
• Third-party tracking pixels
• Cross-site tracking technologies

7. Third-Party Data Processors

We share data with the following third-party service providers:

Clerk (clerk.com): Authentication and identity management. Processes: email, name, avatar. Location: United States.

Vercel (vercel.com): Platform hosting and database infrastructure. Processes: all platform data. Location: United States and global edge network.

AI Providers (when you use the Arena with your own API keys): OpenAI, Anthropic, Mistral AI, Google, Stability AI, Leonardo AI, Replicate, Kling AI. Processes: prompts and generated content. Your API keys are sent directly to these providers.

We do not sell, rent, or trade your personal data to any third party. We do not share your data with data brokers.

8. International Data Transfers

FutureAI is operated from infrastructure hosted primarily in the United States. If you are accessing FutureAI from the European Union, United Kingdom, or other regions with data protection laws, please note that your data may be transferred to, stored, and processed in the United States. For EU/EEA/UK users: We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, as implemented by our data processors (Clerk, Vercel), to ensure adequate protection for international data transfers. We ensure that any international transfer of personal data is subject to appropriate safeguards as required by GDPR Article 46.

9. Data Retention

We retain your personal data for as long as necessary to provide our services:
• Account Data: Retained for the lifetime of your account. Deleted upon account deletion request.
• Platform Activity (ideas, votes, contributions): Retained for the lifetime of your account. Fully deleted upon account deletion.
• Audit Logs: Retained for 2 years for governance transparency, then automatically purged.
• Authentication Logs: Managed and retained by Clerk per their retention policy.
• API Keys: Encrypted keys are deleted immediately upon your request or account deletion.
• Backup Data: Database backups may retain data for up to 30 days after deletion.

You may request deletion of all your data at any time through the Data Management page (/data).

10. Your Privacy Rights

Depending on your jurisdiction, you have the following rights:
• Right of Access: Export a complete copy of all your personal data from the Data Management page (/data) in JSON format.
• Right to Rectification: Update your profile information at any time through your Profile page (/profile).
• Right to Erasure (Right to be Forgotten): Permanently delete your account and all associated data from the Data Management page.
• Right to Restrict Processing: Contact our DPO.
• Right to Data Portability: Your data export is provided in machine-readable JSON format.
• Right to Object: Contact our DPO.
• Right to Withdraw Consent: At any time by deleting your account.

To exercise any of these rights, use the Data Management page or contact us at contact@futurai.space.

11. GDPR-Specific Provisions (EU/EEA/UK)

If you are located in the European Union, European Economic Area, or United Kingdom:

Data Controller: FutureAI, reachable at contact@futurai.space.

Data Protection Officer (DPO): Contact our DPO at contact@futurai.space.

Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority.

Automated Decision-Making: We do not use automated decision-making or profiling that produces legal effects. The gamification points system is transparent and based solely on platform activity.

12. CCPA-Specific Provisions (California)

If you are a California resident:
• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected.
• Right to Delete: Request deletion via the Data Management page.
• Right to Opt-Out of Sale: We do not sell your personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a verifiable consumer request, email contact@futurai.space.

13. Other International Privacy Laws

We also respect privacy rights under the following regulations:
• LGPD (Brazil): Rights to access, correction, anonymization, blocking, deletion, and portability.
• PIPEDA (Canada): Rights to access and challenge the accuracy of your personal information.
• POPI Act (South Africa): Rights to access, correct, and delete your personal information.
• APPs (Australia): Rights to access and correct your personal information under the Privacy Act 1988.
• PDPA (Singapore and Thailand): Rights to access, correct, and withdraw consent.
• APPI (Japan): Rights to request disclosure, correction, or cessation of use.
• PIPA (South Korea): Rights to access, correct, suspend, and delete your personal data.

For rights under any of these frameworks, contact contact@futurai.space.

14. Children's Privacy

FutureAI is not intended for children under 13 years of age (or under 16 in the EU/EEA, or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children under these age thresholds. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly. If you are a parent or guardian, please contact us at contact@futurai.space.

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
• Notify the relevant supervisory authority within 72 hours (GDPR Article 33)
• Notify affected users without undue delay when the breach is likely to result in high risk (GDPR Article 34)
• Document the breach, its effects, and remedial actions taken
• Take immediate steps to contain and mitigate the breach

Breaches will be communicated via the email address associated with your account.

16. Data Protection Officer

For any questions about this Privacy Policy, your personal data, or to exercise your privacy rights:

Email: contact@futurai.space
General Privacy Inquiries: contact@futurai.space

We will respond to all legitimate requests within 30 days (or within the timeframe required by applicable law).

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:
• We will update the "Last updated" date at the top of this page
• For significant changes, we will notify registered users via the platform notification system
• Continued use of FutureAI after changes constitutes acceptance of the updated policy

18. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy:

Email: contact@futurai.space
Data Protection Officer: contact@futurai.space
Platform: futurai.space

You may also exercise your data rights directly through the Data Management page at futurai.space/data.