Privacy Policy


Last Updated: April 3, 2024



We recognize that your privacy is very important. This privacy policy covers the policies of CTFd LLC (“CTFd”, “we”, “us”, or “our”) on the collection, use, and disclosure of your information, including any personally identifiable information or other data collected that could directly or indirectly identify you (“Personal Data”) when you access our website at https://ctfd.io, software, applications, and other existing and future products and services, owned, operated, controlled or offered by CTFd and hosted on CTFd’s systems (collectively, the “Services”).


Each time you use our Services, you consent to the collection, use and storage of the collected information as described in this Privacy Policy. Please read it carefully and contact us at [email protected] if you have any questions.


  1. What information do we collect?


Account Registration Information.  If you wish to register for an account, we may collect your email address and password.


Profile Information.  From time to time you may be able to create a profile, for which we may collect the following information where applicable: username, affiliation, website and country.


Event Subscription—Participant Information. If you are a participant in an event that is administered by a third-party organization (the “Organizer”) that subscribes to our Services, the Organizer may collect certain information from you when you register to create an account with us which includes Account Registration Information (see “Account Registration Information” above), and such other information deemed relevant by your Organizer for the purpose of registration. This Privacy Policy does not apply to the activities of the Organizer when it is collecting or using data for their own purpose or on behalf of third parties other than CTFd.  The information is automatically collected by us solely for the purpose of providing Services to the Organizer and you. We are not responsible for the activities of the Organizer when it is collecting or using data for their own purpose or on behalf of third parties other than CTFd.  Please review your Organizer’s privacy policies to understand how they use your information.


Challenge Questions and Responses. If you are an administrator, you will be able to design challenge questions which can be textual, source code, or other formats as available through our Services. If you are a challenge participant, you will be able to input your responses to the challenge questions, which can be textual, source code, or other formats as available through our Services. 


Payment Information.  As part of our Services, our third party payment processing service provider, Stripe, Shopify, or PayPal, may collect credit card information from you.


Online Activity. If you are a challenge participant, other Users may be able to see your performance statistics on your profile, which may include the following: your ranking, your points, the challenges you have solved, when you solved the challenges, the percentage of correct vs incorrect submissions you have, and other statistics related to your challenge activity. Administrators are always able to see all details related to the challenge activity and account of non-administrative users.  If you are an administrator, you may be able to put in comments on your dashboard, which will be viewable by administrators of your challenge only.


Automatically Collected Online Usage Activity.


As is true of most websites, we gather certain information automatically when you visit our website. When you use our Services, we may collect certain information automatically from you, which  may include device and usage information, such as your IP address (as part of our security logging system), browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about who and when you use our website and other technical information. To collect this information, a cookie may be set on your computer or device when you visit our Services. Please see section below “How We Use Cookies” for more discussion on this topic.


Mobile Device Data.  When you access our Services through a mobile device, we may also collect certain mobile device information automatically, including, but not limited to, the type of mobile device you use, your mobile operating system, and the type of mobile Internet browsers you use.


Products & Services Updates. We may collect your name and email address if you sign up to receive emails, invites and newsletters from us regarding our products and services. You may opt out at any time by clicking on the “Unsubscribe” link located at the bottom of any CTFd marketing email and following the instructions found on the page to which the link takes you. Please allow us a reasonable time to process your request. You cannot opt out of receiving transactional e-mails related to the Services.



Services and Customer Support. We may collect information such as your name and email address to the extent necessary for us to provide the Services that you have requested and/or to provide customer support.



  2. How we use cookies?


Cookies are small text files which are transferred to your computer or mobile device when you visit a website or app. We use them to remember your preferences, improve your user experience, and help us understand how people are using our Services, so we can make them better.  Cookies can be session cookies, which expire once you close your web browser. Cookies can also be persistent cookies, which stay on your device for a set period of time or until you delete them.  CTFd uses the following types of cookies:


·       Strictly Necessary Cookies: These cookies are necessary to allow us to operate our Services as you have requested. For example, they let us recognize what type of User you are, provide security settings (for example, CAPTCHA) and then provide you with services accordingly.

·       Performance/Analytics Cookies: We use cookies and other similar technologies to analyze how our Services are accessed, are used, or are performing. We use this information to maintain, operate, and continually improve our Services. We may also obtain information from our email newsletters or other communications we send to you, including whether you opened or forwarded a newsletter or clicked on any of its content. This information tells us about our newsletters' effectiveness and helps us ensure that we're delivering information that you find interesting.

·       Functional Cookies: These cookies help us remember your preferences and settings to enhance your user experience.

Using our Services without cookies is also possible. In your browser, you can deactivate the saving of cookies, limit them to particular websites, or set the browser to notify you when a cookie is sent. You can also delete cookies from your PC hard drive at any time (file: "cookies"). Please note that in this case you will have to expect a limited page presentation and limited user guidance. Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org/


  3. How do we use the collected information?


We use the information we collect for the purposes described in this Privacy Policy, as covered in any agreement that incorporates this Privacy Policy, or as disclosed to you in connection with our Services. For example, we will use your information to:


·       Provide and deliver products or services, including software updates;

·       Operate and improve our operations, systems, products, and services;

·       Provide customer and service support, such as sending confirmations, invoices, technical notices, updates, security alerts, and administrative messages and providing service support and troubleshooting;

·       Communicate with you and your referrals about promotions and news about products and services offered by CTFd and our selected partners;

·       Enforce our terms and conditions or protect our business, partners, or users; or

·       Protect against, investigate, and deter fraudulent, unauthorized, or illegal activity.


Aggregate Data. In an ongoing effort to better understand and to serve the users of our Services, we may conduct research on our user performance on challenges. This research may be compiled and analyzed on an aggregate basis and this aggregate information does not identify you personally and will not be treated as Personal Data under this Privacy Policy.

Legal Basis For Processing. When we process your information we will only do so where at least one of the following applies:

  • Provide our service to you: Most of the time, the reason we process your information is to perform the contract that you have with us. For example, if you create an account, we process your account registration data to provide customized and personalized Services to you. If you are an administrator, when you input challenge questions or problems, we process that information to execute the challenges as requested by you. When you provide our third party payment processor with payment information, our third party payment processor processes the information to process your payment.
  • Legitimate interests: We may use your information where we have legitimate interests to do so. We analyze aggregated and/or anonymous user activities on our Services to continuously improve our Services and for market research purposes. We remember your preferences to provide enhanced, more personalized features.  We process information for administrative, fraud detection and other legal purposes.
  • Consent: From time to time, we may ask for your consent to use your information for certain specific reasons. You may withdraw your consent at any time by utilizing the opt-out features available in your account settings, or by contacting us at the address provided at the end of this Privacy Policy.
  • Legal Compliance: When it is necessary for us to use your information to comply with a legal obligation.

Data Processing Agreement. We offer Users with qualifying accounts our standard CTFd Data Processing Agreement and rely on Standard Contractual Clauses for the transfer of Personal Data originating from EEA, Switzerland or UK to outside of those regions. We understand that some of our Users prefer to have a written agreement as regards data processing and transfers, in addition to CTFd’s Terms of Use and Privacy Policy. To receive a copy of the DPA please contact us at [email protected].

4.     Is Information Collected by or Disclosed to Third Parties by using the Services?


We do not share, sell or rent to third parties your information except as described in this Privacy Policy.  Examples of instances in which we share your information are provided below:


1.     Third party service providers. We, like many businesses, sometimes engage other companies to perform certain business-related functions on our behalf so that we can focus on our core business. Examples of these services include, but are not limited to, website evaluation and data analysis, social media management, live chat support, customer support, form building, error tracking, internet security and DDoS mitigation and, where applicable, data cleansing, invoicing and payment processing and authorization and order fulfillment, email delivery, marketing and promotional material distribution.  We authorize them to use this Personal Data only in connection data security and privacy standards.


2.     Business transfers. We may sell, assign, buy, transfer or otherwise acquire or dispose of certain of our businesses or corporate assets. In the event of such or similar event, Personal Data we collected from you may be part of the transferred assets. We may also share Personal Data with our auditors, attorneys or other advisors in connection with the foregoing corporate transactions. You acknowledge and agree that any successor to or acquirer of us will continue to have the right to use your Personal Data and other information in accordance with the terms of this Privacy Policy.



3.     Aggregate Data.  In an ongoing effort to better understand and to serve the users of our Services, we may conduct research on our user performance on challenges. This research may be compiled and analyzed on an aggregate basis, shared with Users or third parties and this aggregate information does not identify you personally and will not be treated as Personal Data under this Privacy Policy.


4.     Website Analytics. We use analytics providers such as Google Analytics, or some of our third party service providers use analytic tools (such as Shopify), to help us track user interactions with content on the site for the purposes of monitoring the performance.  For opt-out options specific to Google Analytics, please visit this page. To learn more about how Shopify uses tracking technologies to track the effectiveness of our on-line storefront, please visit them here.


5.     Legal requirements. We may disclose your Personal Data if required to do so by law (including, without limitation, responding to a subpoena or request from law enforcement, court or government agency or other public authorities) or in the good faith belief that such action is necessary (i) to comply with a legal obligation, (ii) to protect or defend our rights, interests or property or that of other customers or users, (iii) to act in urgent circumstances to protect the personal safety of users of the Services or the public, or (iv) to protect against legal liability or potential fraud, as determined in our sole discretion.


6.     Your consent. If we intend to use any of your Personal Data collected in any manner that is not specified herein, we will inform you of such anticipated use prior to or at the time at which such Personal Data is collected or we will obtain your consent subsequent to such collection but prior to such use. In short, we will honor the choices you make regarding your Personal Data and will inform you about any other intended uses of such information.



5.     Linking to or from Third Party Social Media Platforms.


Users may follow CTFd on Facebook, Twitter, GitHub and other social media platforms as made available from time to time. Users should click on the hyperlinks for each site to review the applicable privacy policies for more detail about information collected from these sites.



  6. How Does CTFd Comply with the Children’s Online Privacy Protection Act?


Our Services are directed toward a general audience and are not directed at nor intended for use by children.  We do not knowingly collect information from children under the age of 13 without parental consent. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us at [email protected]. We will delete such information from our files within a reasonable time.


7.     What are my data protection rights under General Data Protection Regulation (“GDPR”) and its Swiss and UK GDPR counterparts?


If you are located in countries that are within the European Economic Area (the “EEA”), Switzerland or UK, GDPR and its UK and Swiss GDPR counterparts give you rights with respect to your personal data, subject to any exemptions provided by the law, including the rights to:


·       Request access to your Personal Data;

·       Request correction or deletion of your Personal Data;

·       Object to our use and processing of your Personal Data;

·       Request that we limit our use and processing of your Personal Data; and

·       Request portability of your Personal Data.


You can usually access, correct, or delete your personal data by contacting us at [email protected]. We will consider all such requests and provide our responses as soon as we can.  Please note, however, that personal information may be exempt from such requests in certain circumstances, which may include circumstances where we need to keep processing your personal information for our legitimate interests or to comply with a legal obligation. Users located in EEA, Switzerland or UK also have the right to make a complaint to a government supervisory authority.



  8. Cross-Border Data Transfers


Sharing of information laid out in Section 4 sometimes involves cross-border data transfers, for instance to the United States of America and other jurisdictions. CTFd may also subcontract processing to, or share your Personal Data with, third parties located in countries other than your home country.  Your Personal Data, therefore, may be subject to privacy laws that are different from those in your country of residence. 


We store the Personal Data on servers hosted by Digital Ocean and Amazon Web Services (AWS). Like CTFd, helping to protect the confidentiality, integrity, and availability of customer data is of the utmost importance to Digital Ocean and AWS, as is maintaining customer trust and confidence. For more details of Digital Ocean's privacy and security processes, please visit https://www.digitalocean.com/legal/privacy-policy/. For more details of AWS’ privacy and security processes, please visit https://aws.amazon.com/compliance/data-privacy/. By using our Services, you consent to your personal information being transferred to our servers as set out in this policy.



Where our Services allow for users located in the European Economic Area (“EEA”), Switzerland or UK, and when we transfer their Personal Data to countries outside of the EEA, Switzerland or UK as processors, we transfer the Personal Data in accordance with applicable privacy laws and, in particular, with appropriate contractual, technical, and organizational measures in place such as the Standard Contractual Clauses approved by the EU Commission.  Standard Contractual Clauses are commitments between companies transferring personal data, binding them to protect the privacy and security of your data.



  9. U.S. Privacy Laws


If you are located in the United States, this Privacy Policy explains how we collect, use and disclose your personal information under California, Colorado, Connecticut, Montana, Oregon, Texas, Utah and Virginia privacy laws, to the extent applicable to us. We call these laws collectively, the “U.S. Privacy Laws.” As of the last date when this Privacy Policy was updated, we are not yet subject to the U.S. Privacy Laws due to our level of activities in those states.  Although we are not yet subject to the U.S. Privacy Laws, our Privacy Policy currently describes rights afforded to data subjects under GDPR that are similar to the rights afforded to data subjects under the U.S. Privacy Laws. It is contemplated that in the event that the U.S. Privacy Laws apply to us, we will update our Privacy Policy to describe the rights afforded to data subjects under the U.S. Privacy Laws. Regardless, we do not sell or share personal information. We do not collect sensitive personal information. We do not disclose Personal Data to third parties for the purpose of engaging in targeted advertising. We will closely monitor the development of the U.S. Privacy Laws that may apply to our future activities and will implement reasonable administrative, technical and physical security measures for compliance.


  10. How long does CTFd retain information collected?


We follow generally accepted standards to store and protect the Personal Data we collect, both during transmission and once received and stored, including utilization of encryption where appropriate.  We retain Personal Data only for as long as necessary to provide the Services you have requested and thereafter for a variety of legitimate legal or business purposes. These might include retention periods (i) mandated by law, contract or similar obligations applicable to our business operations; (ii) for preserving, resolving, defending or enforcing our legal/contractual rights; or (iii) needed to maintain adequate and accurate business and financial records.  If you have any questions about the security or retention of your Personal Data, you can contact us at [email protected]


  11. What is CTFd’s Security Policy?


We have implemented reasonable administrative, technical and physical security measures to protect your personal information against unauthorized access, destruction or alteration. For example, we limit access to this information to authorized employees and contractors who need to know that information in order to operate, develop or improve our Services. All sensitive information is protected behind firewalls and multiple layers of security systems. However, although we endeavor to provide reasonable security for information we process and maintain, no security system can ever be 100% secure.


  12.  How Does CTFd Respond to “Do Not Track” Signals?


“Do Not Track” is a feature enabled on some browsers that sends a signal to request that a web application disable its tracking or cross-site user tracking. At present, CTFd does not respond to or alter its practices when a Do Not Track signal is received.


13.  Your Rights and Your Choices.



You can request in writing copies of personal information about you held by us. If that information is inaccurate, please let us know and we will endeavor to make the necessary amendments, erase, or block the relevant information as you request.


14.   How Will I Be Notified of Changes to Your Privacy Policy? 


If CTFd makes material changes to its Privacy Policy, it will notify you by: (i) changing the Last Updated Date at the top of the Privacy Policy, (ii) sending an email to its users, and/or (iii) adding a statement to the Site.


15.  Contact Us


If you have any questions regarding privacy while using our Services, or have questions about our practices, please contact us at [email protected] or write to us at the following address:


93 4th Ave Unit 231
New York, NY 10003