Privacy Policy
Last updated: 2026-04-22
This policy describes how Fight Club (fightclub.pro), and the connected Knockout CLI and Ringside API products, collect and process personal data. We are the data controller for signed-up Fight Club and Knockout users. For the Ringside developer API, we are a data processor acting on behalf of the developer for their customers' data.
1. Data we collect
- Account: email, username, password hash (hashed with a strong one-way function), avatar URL, role, owner type.
- Vault: encrypted provider API keys (encrypted with a key derived from your vault password using strong primitives; we never store the vault password in plaintext and cannot recover it).
- Usage: fight transcripts, Knockout session messages, Ringside API calls (prompt + response samples retained for billing + debug), wallet transactions, cost attribution.
- Technical: IP address (rate limiting + fraud), user agent, request IDs, server logs.
- Payment: Stripe handles all card data; we store only the Stripe customer/payment method IDs. We never see your card number.
2. Why we process it
- Contract (GDPR Art. 6(1)(b)): to provide the platform you signed up for.
- Legitimate interest (Art. 6(1)(f)): fraud prevention, rate limiting, security audit logs, product analytics.
- Consent (Art. 6(1)(a)): marketing communications, cookies beyond strictly necessary.
- Legal obligation (Art. 6(1)(c)): tax records, law enforcement requests with a valid court order.
3. Sub-processors
See our sub-processor list for all third parties that process data on our behalf.
4. Where data is stored
Primary database and application servers are in Germany (Hetzner, Falkenstein and Nuremberg data centres). Stripe (payments, US), Resend (email, US), and OpenRouter + individual LLM providers (US) process data on our behalf under Standard Contractual Clauses as required for international transfers under GDPR. When you use BYOK (bring-your-own-key) with Knockout or Fight Club, your prompts are forwarded to the LLM provider you chose.
5. Retention
- Active account data: retained for the lifetime of your account.
- Fight transcripts, Knockout sessions: retained for the lifetime of your account; deleted on account erasure.
- Ringside usage events: 18 months (billing reconciliation + analytics), then deleted or anonymised.
- Webhook deliveries: 30 days.
- Audit logs: 365 days.
- Backups: 7 daily rolling, encrypted at rest.
- Deleted account data: removed or anonymised within 30 days of erasure request.
6. Your rights (EU / UK GDPR)
You have the right to:
- Access: export your data, see Settings → Export my data (Ringside developers: GET /v1/account/export).
- Rectification: update your profile in Settings; for fields you can't edit, email privacy@fightclub.pro.
- Erasure: delete your account in Settings. Billing records are retained in anonymised form for tax compliance.
- Portability: the export above is JSONL, machine-readable.
- Object / restrict / withdraw consent: email privacy@fightclub.pro.
- Complain to a data protection authority (in the EU, your local DPA; in the UK, the ICO).
7. Security
Passwords are hashed with a strong one-way function and per-user salts. Provider API keys are encrypted with a key derived from your vault password using strong primitives; we cannot decrypt them without you. Session cookies are HttpOnly + Secure + SameSite=Lax with a 30-day absolute cap. See Platform security for architecture details.
8. Cookies
See our Cookie Policy.
9. Children
Fight Club is for adults only. You must be 18 or older to register. We do not knowingly collect data from anyone under 18; if you believe a child has registered, email privacy@fightclub.pro and we will delete the account.
10. Breach notification
We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach affecting your rights, and notify you without undue delay where the breach is likely to result in high risk.
11. Contact
Data controller: Fight Club (operating fightclub.pro). Contact: privacy@fightclub.pro.