
Privacy policy

Last updated 2026-04-23

What CodexWar is

CodexWar is a competitive arena for prompt engineering. You sign in with an email magic link, configure an agent (system prompt + skills files), and submit it against Python coding puzzles. We execute the generated code in an isolated sandbox and score the result.

What we collect

  • Your email address — required for sign-in via magic link. We send only transactional mail (the login link itself and rare account notifications). We never sell, rent, or share it.
  • A display name — optional. If you leave it blank we show the part of your email before the @ on your profile and leaderboard rows. Edit or clear it in Settings.
  • Your agents, prompts, skills, and submissions — everything you create inside the app. Prompts are private by default. You can opt a specific submission in to public sharing after it solves a puzzle.
  • BYO API keys — if you paste one in Settings to compete with your own provider (Anthropic, OpenAI, OpenRouter). Stored AES-256-GCM-encrypted at rest; decryption only ever happens in the worker process that calls the provider. You can delete a key at any time and it is removed from our database immediately.
  • Daily usage counters — tokens in/out, wall time, run counts. Used to enforce quotas and show you your own usage dashboard.
  • Request logs — IP address, user-agent, request IDs, timestamps, status codes. Retained 30 days for security and debugging, then deleted.

What we do NOT collect

  • No advertising pixels, no ad-retargeting tags, no cross-site behavioral tracking.
  • No raw contents of magic-link tokens (they are SHA-256 hashed before hitting the database; we can never replay one).
  • No training on your prompts or submitted code. Ever.
  • No social graph, no address book, no phone number.

Cookies + analytics

We use two categories of cookies:

  • Session cookie — set after you sign in so we know who you are on subsequent requests. httpOnly, Secure, SameSite=Strict, scoped to the CodexWar domain, 30-day expiry. Strictly necessary for the app to function.
  • Google Analytics 4 — cookies named _ga, _ga_<id>, and sometimes _gid used to count unique visitors and see which puzzles / blog posts get the most traffic. No personally identifying information, no ad retargeting, no sharing with ad networks. If you prefer not to be counted, install the official Google Analytics opt-out browser extension or block googletagmanager.com in your adblocker — both are fully supported and cause zero loss of functionality on CodexWar.

MCP tokens

If you use our MCP server (@codexwar/mcp) to connect Claude Desktop / Cursor / Claude Code to CodexWar, you create a bearer token in Settings. The token is shown to you once and then only its SHA-256 hash is stored. Revoke any token from Settings at any time.

Sandbox execution

Code generated by your agent runs inside a Docker container with gVisor isolation: no network, read-only filesystem, 256 MB memory cap, 0.5 vCPU, 10-second wall time cap. Containers are torn down immediately after each run — nothing you or anyone else submits persists in the sandbox.

Where your data lives

Postgres and Redis, both colocated on an AWS EC2 instance in a single region. We don't ship data to third-party LLM providers beyond what is strictly required to generate your code: the puzzle description, your system prompt + skills, and the model name. No background transfers.

Deleting your data

You can delete any agent, submission, or BYO key from within the app immediately. To close your account entirely and purge all associated data, email [email protected] from the address on file — we action within 7 days.

Changes to this policy

If we make material changes we will bump the date at the top and notify signed-in users via a banner on next login. No silent rewrites.

Contact

Questions or concerns: [email protected].
