Privacy

When the leaderboard switch is on, your local copy of AgentGraphed posts a batch of session-level rows every six hours (or sooner if you finished a new session since the last submit) to /api/leaderboard/submit. Each row in the batch contains these fields and only these fields:

You can preview the literal payload that would be sent for the current window inside the app at /leaderboard — before you opt in.

This list is what the app is incapable of sending — these fields are not in the payload shape, not in the database schema, and there is no code path that reads them on submit:

• Your prompts or message content (yours or Claude's).
• Project names, repository names, or directory names.
• File paths, file contents, or anything from your cwd.
• Git branches, remotes, or commit hashes.
• Session transcripts, system prompts, tool inputs, or tool outputs. (We send a random per-session UUID for de-duping re-submits, but it's a random identifier — it doesn't encode any of the above.)
• Your email, real name, or any account identifier.
• Any Anthropic / OpenAI API keys you may have entered in Settings.
• Your IP address (we hash it with a server-side secret before storage — see the next section).
• Telemetry of any kind from the rest of the app — dashboard renders, ingest runs, etc.

v1 handles are anonymous — you pick whatever you want. No email, no account, no third-party login. If two people pick the same handle, last write wins; we treat that as a feature of the no-auth contract, not a bug.

You can optionally attach up to 3 self-asserted social links (GitHub, X, Reddit, Bluesky, Mastodon, LinkedIn, YouTube, or any URL). They're public, unverified, and stored in a separate profiles table keyed only on your handle. Same trust model as the handle itself: anyone could submit anything; we don't check.

Every HTTP request to our endpoints carries your IP address — that's how the internet works. We don't store it.

On every request, we hash your IP with a server-side secret (SHA-256, truncated to 32 hex chars) and use the result as a rate-limit key. The hash is also stored alongside your submission so we can audit specific abuse without ever having raw IPs in the database. The secret is not in the public source — flipping it would invalidate every existing hash.

The exact lines that do this: leaderboard-guards.ts (function hashIp).

All submissions are kept indefinitely so the leaderboard can show past weeks. There is no scheduled deletion job.

You can delete your data at any time. Two ways:

• Opt out inside the app. Future submissions stop immediately. Existing rows stay until you delete them explicitly (see next point).
• Hit DELETE https://agentgraphed.com/api/leaderboard/my-data?handle=YOUR_HANDLE from any tool. Returns the count of rows deleted. No auth needed in v1 — anonymous handles are anonymous both ways.

You can also audit what we have for a handle with GET https://agentgraphed.com/api/leaderboard/my-data?handle=YOUR_HANDLE.

The single best way to verify any of this is to read the code. The endpoints are small and audit-friendly:

• /api/leaderboard/submit — accepts the payload above, validates, rate-limits, UPSERTs.
• /api/leaderboard/top — returns the public ranking.
• /api/leaderboard/my-data — audit + delete endpoints.
• leaderboard-db.ts — schema. One table, eleven columns, no surprises.
• leaderboard-guards.ts — IP hashing, rate limit, validation caps.
• agentgraphed/src/lib/ingest/auto.ts — the client-side submitter in the OSS app. See maybeSubmitLeaderboard.

If we ever want to collect a new field, the path is:

• Bump schema_version in the OSS client.
• The app shows a fresh consent dialog listing the new field before any submission with the new schema is sent.
• Submissions with the old schema_version keep working in parallel until you upgrade.

In other words: no silent expansion. Consent is per-schema, not blanket.

File an issue at github.com/sudomichael/agentgraphed. AgentGraphed is a one-person project; if something here is wrong, vague, or insufficient, please tell me.