Who we are

The controller of your personal data is Model Evaluation and Threat Research, Inc. (“METR”), a 501(c)(3) nonprofit incorporated in Delaware (EIN 99-1219864), with a mailing address at 440 N Barranca Ave #3345, Covina, CA 91723, USA.

For visitors in the EU and EEA, METR has designated Rasmus Faber-Espensen as our representative under GDPR Article 27. You can reach him at info@metr.org.

You can contact us about anything in this notice at info@metr.org.

What we collect, and why

Website visits. Our hosting provider (Netlify) processes your IP address and basic request information (URL, user agent, timestamp) to deliver the site to you and to protect against abuse. Netlify provides us with access logs and aggregate operational metrics in their dashboard. For each individual request, the dashboard shows the visitor’s IP address, approximate geolocation (country and region), user-agent string, URL, timestamp, response status, and duration. We use these for debugging and operational monitoring, and we also use Netlify Web Analytics — a server-side analytics product that summarizes our access logs into aggregate visitor stats (top pages, top countries, top referrers, etc.) without setting any cookies or running any JavaScript in your browser. We do not tie requests to persistent visitor identities or build per-visitor reports from them.

For visitors in countries without a comprehensive personal-data protection regime — most notably the United States — who also don’t send a Do Not Track (DNT: 1) or Global Privacy Control (Sec-GPC: 1) signal, we load Google Analytics, which sets cookies and reports aggregate traffic data to us. For visitors in any of the countries listed in the “Countries where we don’t load Google Analytics” section below — or anyone sending DNT/GPC — no analytics or tracking scripts load at all.

Anyone can opt out at any time by enabling DNT or GPC in their browser, or by using Google’s browser opt-out add-on. You can also append ?nocookie=1 to any URL on this site to disable tracking for that page load — note that this only applies per-URL and does not persist as you navigate, so you’d need to add it to each page you visit on metr.org.

Newsletter subscriptions. Our newsletter is delivered by Substack. When you submit your email through our subscribe form (in the footer, on /subscribe, or on blog post pages), your email is sent to Substack and they manage delivery, unsubscribes, and analytics on our behalf. Substack’s privacy policy applies to data they hold.

Job applications. Our hiring is run through Lever (an applicant tracking system). When you apply for a role, the resume, cover letter, contact details, and other information you submit go to Lever and are reviewed by METR staff or contractors we engage to assist with hiring. Internal notes, interview feedback, and communications between METR staff and candidates are stored in Lever as part of the hiring record. Discussions about candidates may also occur in METR’s internal Slack workspace (see below) and would be retained there. We scan submitted attachments (primarily resumes) with Pangram, an AI-detection service, to identify likely AI-generated content. For some roles, applications flagged as nearly fully AI-generated are routed to a separate Lever stage. We don’t currently use AI anywhere else in candidate evaluation, screening, or scoring. (We’ve experimented with AI for grading work test responses in the past, and found it didn’t work well.) Every decision about a candidate — advancing, rejecting, scheduling, or extending an offer — is made by humans.

Some roles include a technical assessment via CodeSignal or Woven. CodeSignal assessments may be proctored — webcam, screen, and government-issued photo ID — with CodeSignal prompting you for these at the start of the test.

We retain candidate data in Lever indefinitely, so that we can consider applicants for future roles. We do not sell candidate data, and we do not share it with other organizations unless you have explicitly opted in when applying. You can ask us to delete your application data at any time by emailing hiring@metr.org.

Outreach notes. Our team may keep notes about people we’ve identified for potential outreach — for example, prospective hires (based on professional profiles, published research, or referrals) or others we may want to reach out to in connection with our work. These notes may be based on publicly available information, and may live in Lever (for hiring leads), in our Google Workspace (shared documents or spreadsheets), or Slack. We process this data under our legitimate interest in pursuing our research mission. If you think we may hold information about you, you can email info@metr.org or hiring@metr.org to ask about what we have, correct it, or have it deleted.

Research forms. From time to time we may send out voluntary forms (typically Google Forms or Airtable forms) to gather data for our research — for example, to study AI uplift on particular tasks, to collect AI incident reports (such as via /report-ai), or to ask survey questions of researchers, baseliners, or other collaborators. Responses are stored by the corresponding form provider (Google Workspace or Airtable) and used for the research purpose described in the form. We may publish aggregated or de-identified findings; we do not publish identifying information without permission.

Slack workspaces. For some research activities — task baselining, collaborative studies, contractor coordination — METR operates Slack workspaces that participants are invited to join. When we add you, Slack receives your name and email; messages, files, and other content posted in the workspace are stored by Slack (Salesforce) and are visible to the METR staff who administer it. We may use workspace activity for the research purpose described when you joined. You can leave a workspace at any time and request deletion of your account by emailing info@metr.org.

METR also runs an internal Slack workspace for staff communication. Discussions about candidates, collaborators, journalists, or other external people may take place there as part of normal hiring and operational work; that content is stored by Slack and accessible to METR staff.

Donations. We recommend donating through every.org, a 501(c)(3) donor-advised fund: donors legally give to every.org, which then grants the funds on to METR (typically weekly, via direct deposit). every.org is the controller for donor data and issues the tax receipt to the donor directly. By default, every.org shares the donor’s name and email with METR for acknowledgment and stewardship; donors can opt to remain anonymous. See every.org’s privacy notice for the full picture.

Payments and reimbursements. If METR pays you — as a contractor, baseliner, vendor, or other individual — or reimburses you for expenses you’ve incurred on METR’s behalf, we ask you to submit a short intake form (hosted in Airtable) with your name, email, the purpose of the payment, the amount in USD, your taxpayer status, and (optionally) a METR contact person and a payment code. That intake data is stored in our Airtable workspace.

Most payments are processed through Wise, which collects your banking or payment details directly from you via a separate email invite — METR doesn’t see those details in this path. Some payments may be processed through Brex (US business banking) instead, in which case the relevant banking details are recorded in Brex. If for some reason you send banking details to a METR staff member by email, those will sit in our Google Workspace until deleted.

Payment records (name, purpose, amount, date) sit indefinitely in our financial systems by default — we don’t currently auto-delete them on a schedule. You can ask us to delete payment information by emailing payments@metr.org, and we’ll honor the request to the extent our tax and accounting record-keeping obligations allow.

Direct correspondence. If you email us, we receive and store your message in Google Workspace indefinitely as part of our records. You can ask us to delete specific messages or threads at any time by emailing us.

Countries where we don’t load Google Analytics

For visitors detected (by geo-IP) as being in any of the 145 jurisdictions below, our edge function strips Google Analytics from the page before it’s served, so no GA cookies are set and no data is sent to Google. We do this for any country with a comprehensive personal-data protection regime. (We also strip GA for any visitor whose browser sends DNT or GPC, regardless of country, and for any URL with ?nocookie=1.)

• EU + EEA (32 countries): Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, plus Iceland, Liechtenstein, Norway (EEA), plus the United Kingdom (UK GDPR) and Switzerland (FADP).
• Other Europe and European territories: Monaco, Vatican City, Andorra, San Marino, Jersey, Guernsey, Isle of Man, Gibraltar, Faroe Islands, Greenland, Serbia, Montenegro, Albania, North Macedonia, Bosnia and Herzegovina, Turkey.
• CIS region and Central Asia: Russia, Belarus, Ukraine, Moldova, Georgia, Armenia, Azerbaijan, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, Turkmenistan.
• Middle East: Israel, Lebanon, UAE, Saudi Arabia, Qatar, Bahrain, Oman, Jordan.
• North Africa: Egypt, Morocco, Tunisia, Algeria, Mauritania.
• West Africa: Senegal, Côte d’Ivoire, Mali, Burkina Faso, Niger, Chad, Benin, Togo, Ghana, Nigeria, Guinea, Cape Verde.
• East, Central, and Southern Africa: Kenya, Uganda, Rwanda, Tanzania, Ethiopia, Mauritius, Madagascar, Comoros, Malawi, Zambia, Zimbabwe, Eswatini, Lesotho, Botswana, South Africa, Angola, Cameroon.
• East and South Asia: Mongolia, Japan, South Korea, India, Sri Lanka.
• Southeast Asia: Thailand, Vietnam, Philippines, Singapore, Malaysia, Indonesia, Brunei, Hong Kong, Taiwan.
• Oceania: Australia, New Zealand.
• Mainland Americas (other than the United States): Canada, Mexico, Brazil, Argentina, Chile, Colombia, Peru, Paraguay, Uruguay, Ecuador, Costa Rica, Panama, Nicaragua, Belize, Guyana.
• Caribbean and Atlantic islands: Cuba, Dominican Republic, Jamaica, Trinidad and Tobago, Barbados, Antigua and Barbuda, Cayman Islands, British Virgin Islands, Curaçao, Sint Maarten, Bahamas, Bermuda.

Geo detection isn’t perfect — VPN exits, mobile-carrier egress, and corporate proxies can produce false negatives. (The geo lookup happens locally on Netlify’s side using commercial IP databases they license; no visitor data is sent to a separate geo provider.) If you’re in one of these countries but your IP geolocates elsewhere, DNT, GPC, or ?nocookie=1 give you a second path. If your country isn’t on this list and you’d like to opt out, the same three mechanisms work.

We maintain this list by hand. Adding or removing a country requires editing both this notice and our edge function source code; the two are kept in sync. The list is best-effort — there are a small number of countries with comprehensive privacy laws that may not yet be reflected here (especially newly-enacted laws in smaller jurisdictions). If you notice a gap, email us.

Service providers who see your data

We use the following third parties to operate the site and our processes. Each is a processor or independent controller as noted; data we share with them is limited to what they need to provide their service. This list is our current best-effort inventory and may not be exhaustive — other tools may be in use across METR that haven’t been captured here. If you’d like a current answer for a specific situation, email info@metr.org.

• Netlify (US) — website hosting, edge functions, and server-side analytics (Netlify Web Analytics). Sees: IP addresses, approximate geolocation, user-agent strings, request URLs, and timing/status metadata for every request. Presents this data to us as both raw access logs (Observability dashboard) and aggregate visitor stats (Web Analytics dashboard).
• Google LLC (US) — Analytics (for non-EU/non-DNT visitors), Forms (for our research and incident-reporting forms), and Workspace (for our email and document storage). Sees: as applicable to each service.
• Substack (US) — newsletter delivery. Sees: email addresses of subscribers.
• Lever (US) — applicant tracking. Sees: information you submit in a job application; internal notes, interview feedback, and communications between METR staff and candidates; and any notes we add about people we’ve identified for outreach.
• CodeSignal (US) — technical assessments for some engineering roles, sometimes proctored. Sees: candidate identifiers and assessment responses; for proctored assessments, also webcam and screen recordings and a photo of a government-issued ID for identity verification.
• Woven (now part of Andela, US) — technical assessments for some roles. Sees: candidate identifiers and assessment responses.
• Pangram Labs (US) — AI-content detection on application materials. Sees: text submitted by candidates (resumes, cover letters, etc.).
• Slack (Salesforce, US) — research and collaboration workspaces, plus METR’s internal staff Slack. Sees: names, emails, and the content of workspaces we administer, including internal staff discussions that may reference candidates, collaborators, or other external people.
• Airtable (US) — some research forms and internal data management, including the payments and reimbursements intake form. Sees: responses to Airtable-hosted forms (for the payments form: name, email, payment purpose, amount, US-taxpayer status, and any optional fields you fill in — but not banking details, which go directly to Wise).
• every.org (US) — 501(c)(3) donor-advised fund. Acts as the legal recipient of donations and the controller for donor data; grants the funds on to METR. By default shares the donor’s name and email with METR for acknowledgment, unless the donor has opted to remain anonymous.
• Wise (Wise plc, UK) — international payment processing for paying contractors and other individuals. Sees: name, contact information, bank account or other payment details, and payment amounts.
• Brex (US) — US business banking and payment processing. Sees: name, bank account or other payment details, and payment amounts.

We do not sell or rent your personal data to anyone, and we do not share it for advertising purposes. METR staff and contractors who access personal data are bound by confidentiality obligations regarding it.

International transfers

METR is based in the United States, and all of our service providers listed above are US-based. If you are in the EU, EEA, UK, or Switzerland and you give us any personal data — by subscribing to our newsletter, applying for a job, filling out a research form, accepting a payment, or otherwise — that data is transferred to and processed in the United States.

For visitors from those regions, the website itself does not load any third-party tracking scripts on page load. The transfer of your IP address and request to Netlify (our hosting provider) is necessary to deliver the page; Netlify also records that request, including your IP, approximate location, and user-agent string, in access logs that METR staff can view via Netlify’s dashboard for operational purposes. If you actively submit a form (newsletter, job application, etc.), the additional transfer to the associated processor is necessary to provide the service you’ve requested.

Where transfers of personal data to the US are involved, we rely on the EU–US Data Privacy Framework for participating providers, and on Standard Contractual Clauses or comparable safeguards otherwise.

Retention

We keep personal data for as long as needed for the purpose it was collected, and then delete it. Specifically:

• Website logs (Netlify access logs) are kept by Netlify per their standard retention policy. We can view recent entries via Netlify’s dashboard for debugging and operational monitoring.
• Analytics data (Google Analytics, for non-EU/non-DNT visitors only) is retained for 14 months. The retention clock resets for active users, so as long as you keep visiting the site, your associated event and user data does not expire.
• Newsletter subscriptions persist until you unsubscribe.
• Job applications and outreach notes are retained indefinitely in Lever (and, for outreach notes, sometimes in our Google Workspace) so that we can consider people for current or future engagement. You can request deletion of your data at any time by emailing us, even if you have not applied or contacted us.
• Pangram scans (AI-detection on application materials) appear not to be retained by Pangram after the scan returns a result — we don’t have access to historical scans via their dashboard. For Pangram’s own data-handling commitments, see their terms.
• Research-form responses are kept as long as needed for the research described in the form, and any associated analyses.
• Slack workspace content persists for as long as the workspace is in use; you can request deletion of your account at any time.
• Payment records are retained indefinitely in our financial systems (Wise, Brex, Google Workspace, and Airtable as applicable) by default; we don’t have an auto-delete schedule. We’ll delete payment information on request to the extent our tax and accounting record-keeping obligations allow.
• Email correspondence is retained indefinitely in our Google Workspace. You can ask us to delete specific messages or threads at any time.

Your rights

If you are in the EU, EEA, UK, or Switzerland, the GDPR (or UK GDPR / Swiss FADP) gives you rights over your personal data. These include the right to:

• Access — find out what personal data we hold about you and, where appropriate, receive a copy
• Rectify — ask us to correct inaccurate or incomplete data
• Erase — ask us to delete your personal data
• Restrict — ask us to stop processing your data in certain circumstances
• Object — object to processing based on our legitimate interests
• Port — receive your data in a portable format
• Withdraw consent — where we rely on consent, you can withdraw it at any time

To exercise any of these rights, email info@metr.org. We aim to respond within 30 days.

You also have the right to lodge a complaint with a data protection authority. In the EU, this is usually the authority for your country of residence. In the UK, it’s the Information Commissioner’s Office. We’d appreciate the chance to address your concern first.

If you are in the United States, comparable privacy statutes generally do not apply to nonprofits like METR. You can still email us at info@metr.org with any of the requests above.

Many other jurisdictions have comparable personal-data protection regimes — see the country list in “Countries where we don’t load Google Analytics” above for the set we treat as having one. Where one of these gives you a legal right over personal data we process about you, you can email us at info@metr.org to exercise it.

Updates to this notice

This notice describes our practices as of the “Last updated” date at the bottom of the page. We try to keep it in sync with what we actually do, but METR is a small organization and our practices can drift between updates — we may change vendors, add new tools, or adjust workflows without immediately revising this page. If you have a specific question about how your data is handled, email info@metr.org; a current answer for your situation is more reliable than a static document can be.

Please re-check this page if you want to keep current with updates.