cat privacy-policy.md

# Privacy Policy

Effective Date: March 2026

$ 1. Introduction

Welcome to Terminal43CTF ("Root Access to Knowledge"), a cybersecurity capture-the-flag and learning platform. This Privacy Policy explains how Terminal43CTF (the "Platform," "we," "us," or "our") collects, uses, stores, and protects your personal data when you use our website and services.

Terminal43 SRL, a company registered in Bucharest, Romania, acts as the data controller for the personal data processed through this Platform, within the meaning of Article 4(7) of the GDPR. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Romanian data protection law.

Legal entity: Terminal43 SRL

Registered office: Bucharest, Romania

Contact: contact@terminal43.ro

By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

$ 2. Data We Collect

We collect and process the following categories of personal data:

2.1 Account Data

  • Username (chosen by you)
  • Email address
  • Password (stored as a one-way cryptographic hash; we never store or have access to your plaintext password)
  • Authentication provider identifiers (if you sign in via GitHub, Google, or Discord OAuth)

2.2 Profile Data

  • Display name
  • Biography / "about me" text
  • Country
  • Social media links (GitHub, Twitter/X, LinkedIn, personal website)
  • Avatar image

2.3 Activity Data

  • Challenge flag submissions (timestamp, submitted value hash, correct/incorrect status)
  • Course enrollment and lesson completion progress
  • Quiz attempts and scores
  • Writeups and forum posts you author
  • Ratings and reviews you submit
  • Leaderboard rankings and point history
  • Certificates earned
  • Classroom and organization membership

2.4 Technical Data

  • IP addresses (recorded in audit logs and security events)
  • Session identifiers and authentication tokens
  • Browser user-agent string (for session management)
  • Timestamps of login, logout, and key actions

2.5 Payment Data

  • Payment transactions are processed by Stripe, our third-party payment processor
  • We do not store your credit card numbers, CVV, or full payment card details on our servers
  • We retain a Stripe customer ID, subscription status, plan type, and transaction history (amounts, dates, invoice IDs) for billing and support purposes

$ 3. How We Use Your Data

We process your personal data for the following purposes:

Account Management

  • Creating and maintaining your user account
  • Authenticating your identity when you log in
  • Managing your subscription and billing

Platform Functionality

  • Scoring challenge submissions and calculating leaderboard rankings
  • Tracking course progress and issuing certificates
  • Enabling classroom features (assignments, grades, analytics) for instructors and students
  • Powering skill radar charts, learning path recommendations, and gamification (XP, achievements, streaks)
  • Displaying your public profile to other users

Security & Integrity

  • Rate limiting to prevent brute-force attacks on flag submissions
  • Fraud prevention and detection of platform abuse
  • Maintaining audit logs of administrative and security-relevant actions
  • Enforcing Terms of Service and community guidelines

Communication

  • Sending email verification and password reset messages
  • Delivering in-platform notifications (challenge solves, announcements, classroom updates)
  • Optional email digests and push notifications (only with your consent)

$ 4. Legal Basis for Processing

Under the GDPR, we process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): Processing necessary to provide you with the Platform's services, including account creation, challenge scoring, course delivery, leaderboard rankings, certificate issuance, and subscription management.
  • Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests in platform security (rate limiting, fraud prevention, audit logging), service improvement, and aggregated analytics. We balance these interests against your rights and freedoms.
  • Consent (Art. 6(1)(a)): Where you have given explicit consent, such as opting in to optional email notifications, push notifications, marketing communications, and non-essential cookies. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Where we are required by law to retain certain records (e.g., billing records for tax purposes).

$ 5. Cookies

We use essential cookies only by default. These are strictly necessary for the Platform to function and include:

  • Session cookie: Maintains your authenticated session while you use the Platform
  • CSRF token cookie: Protects against cross-site request forgery attacks
  • Theme preference: Stores your dark/light mode selection (localStorage, not a cookie)

For full details about cookies used on this Platform, please see our Cookie Policy.

$ 6. Data Sharing

We do not sell, rent, or trade your personal data to third parties.

We may share limited data with the following categories of recipients, solely for the purposes described:

  • Email service provider (SMTP): Your email address is shared with our email delivery provider to send transactional emails (verification, password resets, notifications).
  • Payment processor (Stripe): Your billing information is processed by Stripe in accordance with their Privacy Policy. We share only the data necessary to process payments and manage subscriptions.
  • Infrastructure and hosting providers: Your data is stored on servers operated by our hosting providers, who process data on our behalf under appropriate data processing agreements.
  • Organization administrators: If you are a member of an organization on the Platform, organization admins and instructors can view your activity within their organization's scope, including challenge submissions, course progress, grades, and classroom participation. They cannot access data outside their organization.
  • Public profile data: Information you choose to display on your public profile (username, avatar, bio, skill radar, badges, solve statistics, activity heatmap) is visible to all Platform users.

We may also disclose data if required by law, regulation, legal process, or enforceable governmental request.

$ 7. Data Retention

We retain your personal data in accordance with the following principles:

  • Account data: Retained for as long as your account remains active. If you delete your account, your personal data is permanently removed or anonymized within 30 days.
  • Submissions and scores: Challenge submissions and leaderboard scores are retained to preserve the integrity of platform rankings and competition results. Upon account deletion, these records are anonymized (linked to a placeholder "Deleted User" identity) rather than fully removed, so that leaderboard history and challenge statistics remain accurate.
  • Course progress and certificates: Retained while your account is active. Certificates include a unique verification ID that remains valid after account deletion for third-party verification purposes, but personal details are anonymized.
  • Audit logs: Security and administrative audit logs (including IP addresses and action records) are retained for up to 24 months for security and compliance purposes, after which they are automatically purged.
  • Billing records: Transaction records are retained as required by applicable tax and financial regulations (typically 7 years).
  • Deleted data: When you request account deletion, we permanently delete or anonymize your personal data. Some data may persist in encrypted backups for a limited period (up to 90 days) before being fully purged.

$ 8. Your Rights Under the GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data. You can exercise most of these rights directly through the Platform:

  • Right of Access (Art. 15): You have the right to obtain a copy of all personal data we hold about you. You can export your data at any time from your Privacy Settings page.
  • Right to Rectification (Art. 16): You have the right to correct inaccurate personal data. You can update your profile information at any time from your Profile Settings page.
  • Right to Erasure (Art. 17): You have the right to request deletion of your personal data ("right to be forgotten"). You can delete your account from your Privacy Settings page. Please note that some data may be anonymized rather than deleted to preserve leaderboard integrity (see Data Retention above).
  • Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON). This export is available from your Privacy Settings page.
  • Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data under certain circumstances, such as while we verify the accuracy of contested data.
  • Right to Object (Art. 21): You have the right to object to processing based on legitimate interests. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent (e.g., optional notifications), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority (Data Protection Authority) in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, you may use the self-service tools on the Platform or contact us at the email address listed in Section 13 below. We will respond to all valid requests within 30 days, as required by the GDPR.

$ 9. Children's Privacy

Terminal43CTF is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16 years of age.

While we do not implement age verification at registration, if we become aware that a user is under the age of 16, we will take prompt steps to delete their account and remove all associated personal data from our systems.

If you are a parent or guardian and believe that your child has created an account on this Platform, please contact us at the email address in Section 13 so that we can take appropriate action.

$ 10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • TLS encryption: All data in transit between your browser and our servers is encrypted using TLS (HTTPS)
  • Password hashing: Passwords are hashed using bcrypt/argon2 with salt; we never store or transmit plaintext passwords
  • CSRF protection: All state-changing requests are protected against cross-site request forgery attacks
  • Rate limiting: API and form endpoints are rate-limited to prevent brute-force and abuse attacks
  • Sandboxed containers: Challenge environments run in isolated containers with no internet access by default, preventing lateral movement
  • HttpOnly cookies: Session cookies are flagged HttpOnly and Secure, preventing access from JavaScript and insecure connections
  • Content Security Policy: CSP headers are configured to mitigate cross-site scripting (XSS) attacks
  • Parameterized queries: All database queries use parameterized statements via SQLAlchemy ORM to prevent SQL injection
  • Data encryption at rest: Database storage uses encryption at rest where supported by the hosting infrastructure
  • Access controls: Administrative access is restricted by role, and all admin actions are recorded in audit logs

While we strive to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, we encourage responsible disclosure through our bug bounty program.

$ 11. International Data Transfers

Your personal data may be processed and stored in the jurisdiction where our servers are located, which may be outside the European Economic Area (EEA).

Where data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with the GDPR, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries recognized as providing an adequate level of data protection.

You may request information about the specific safeguards applied to international transfers of your data by contacting us at the email address in Section 13.

$ 12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • The updated policy will be posted on this page with a revised "Effective Date"
  • For significant changes, we will notify registered users via email or in-platform notification
  • Your continued use of the Platform after the effective date constitutes acceptance of the updated policy

We encourage you to review this page periodically to stay informed about how we protect your data.

$ 13. Contact & Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

Legal entity: Terminal43 SRL

Email: contact@terminal43.ro

Subject: Privacy Inquiry / Data Request

We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.

$ 14. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian supervisory authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București, România

Website: www.dataprotection.ro

Terminal43CTF Privacy Policy — Last updated March 2026
