CTFd

Privacy Policy

 

Last Updated: September 30, 2020

 

 

We recognize that your privacy is very important. This privacy policy covers the policies of CTFd LLC ("CTFd", “we”, “us”, or “our”) on the collection, use, and disclosure of your information, including any personally identifiable information or other data collected that could directly or indirectly identify you (“Personal Data”) when you access the our website at https://ctfd.io, software, applications, and other existing and future products and services, owned, operated, controlled or offered by CTFd (collectively, the “Services”).

 

Each time you use our Services, you consent to the collection, use and storage of the collected information as described in this Privacy Policy. Please read it carefully and contact us at [email protected] if you have any questions.

 

  1. What information do we collect?

 

Account Registration Information.  If you wish to register for an account, we may collect your email address and password.

 

Profile Information.  From time to time you may be able to create a profile of which we may collect the following information where applicable: full name, username, affiliation, website and country.

 

Challenge Questions and Responses. If you are an administrator, you will be able to design challenge questions which can be textual, source code, or other formats as available through our Services. If you are a challenge participant, you will be able to input your responses to the challenge questions, which can be textual, source code, or other formats as available through our Services. 

 

Payment Information.  As part of our Services, our third party payment processing service provider, Stripe, Shopify, or Paypal, may collect credit card information from you.

 

Online Activity. If you are a challenge participant, other Users may be able to see your performance statistics on your profile, which may include the following: your ranking, your points, the challenges you have solved, when you solved the challenges, the percentage of correct vs incorrect submissions you have, and other statistics related to your challenge activity. Administrators are always able to see all details related to the challenge activity and account of non-administrative users.  If you are an administrator, you may be able to put in comments on your dashboard, which will be viewable by administrators of your challenge only.

 

Automatically Collected Online Usage Activity.

 

As is true of most websites, we gather certain information automatically when you visit our website. When you use our Services, we may collect certain information automatically from you, which  may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about who and when you use our website and other technical information. To collect this information, a cookie may be set on your computer or device when you visit our Services. Please see section below “How We Use Cookies” for more discussion on this topic.

 

Mobile Device Data.  When you access our Services through a mobile device, we may also collect certain mobile device information automatically, including, but not limited to, the type of mobile device you use, your mobile operating system, and the type of mobile Internet browsers you use.

 

Products & Services Updates. We may collect your name and email address if you sign up to receive emails, invites and newsletters from us regarding our products and services. You may opt out at any time by clicking on the “Unsubscribe” link located at the bottom of any CTFd marketing email and following the instructions found on the page to which the link takes you. Please allow us a reasonable time to process your request. You cannot opt out of receiving transactional e-mails related to the Services.

 

 

Services and Customer Support. We may collect information such as your name and email address to the extent necessary for us to provide the Services that you have requested and/or to provide customer support.

 

 

  1. How we use cookies?

 

Cookies are small text files which are transferred to your computer or mobile device when you visit a website or app. We use them to remember your preferences, improve your user experience, and help us understand how people are using our Services, so we can make them better.  Cookies can be session cookies, which expire once you close your web browser. Cookies can also be persistent cookies, which stay on your device or a set period of time or until you delete them.  CTFd uses the following types of cookies:

 

·       Strictly Necessary Cookies: These cookies are necessary to allow us to operate our Services as you have requested. For example, they let us recognize what type of User you are, provide security settings (for example, CAPTCHA) and then provide you with services accordingly.

·       Performance/Analytics Cookies: We use cookies and other similar technologies to analyze how our Services are accessed, is used, or is performing. We use this information to maintain, operate, and continually improve our Services. We may also obtain information from our email newsletters or other communications we send to you, including whether you opened or forwarded a newsletter or clicked on any of its content. This information tells us about our newsletters' effectiveness and helps us ensure that we're delivering information that you find interesting.

·       Functional Cookies: These cookies help us remember your preferences and settings to enhance your user experience.

Using our Services without cookies is also possible. In your browser, you can deactivate the saving of cookies, limit them to particular websites, or set the browser to notify you when a cookie is sent. You can also delete cookies from your PC hard drive at any time (file: "cookies"). Please note that in this case you will have to expect a limited page presentation and limited user guidance. Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org/

 

  1. How do we use the collected information? 

 

We use the information we collect for the purposes described in this Privacy Policy, as covered in any agreement that incorporates this Privacy Policy, or as disclosed to you in connection with our Services. For example, we will use your information to:

 

·       Provide and deliver products or services, including software updates;

·       Operate and improve our operations, systems, products, and services;

·       Provide customer and service support, such as sending confirmations, invoices, technical notices, updates, security alerts, and administrative messages and providing service support and troubleshooting;

·       Communicate with you and your referrals about promotions and news about products and services offered by CTFd and our selected partners;

·       Enforce our terms and conditions or protect our business, partners, or users; or

·       Protect against, investigate, and deter fraudulent, unauthorized, or illegal activity

 

Aggregate Data. In an ongoing effort to better understand and to serve the users of our Services, we may conduct research on our user performance on challenges. This research may be compiled and analyzed on an aggregate basis and this aggregate information does not identify you personally and will not be treated as Personal Data under this Privacy Policy.

Legal Basis For Processing. When we process your information we will only do so where at least one of the following applies:

  • Provide our service to you: Most of the time, the reason we process your information is to perform the contract that you have with us. For example, if you create an account, we process your account registration data to provide customized and personalized Services to you. If you are an administrator, when you input challenge questions or problems, we process those information to execute the challenges as requested by you. When you provide our third party payment processor with payment information, our third party payment processor processes the information to process your payment.
  • Legitimate interests: We may use your information where we have legitimate interests to do so. We analyze aggregated and/or anonymous user activities on our Services to continuously improve our Services and for market research purpose. We remember your preferences to provide enhanced, more personalized features.  We process information for administrative, fraud detection and other legal purposes. 
  • Consent: From time to time, we may ask for your consent to use your information for certain specific reasons. You may withdraw your consent at any time by utilizing the opt-out features available in your account settings, or by contacting us at the address provided at the end of this Privacy Policy.
  • Legal Compliance: When it is necessary for us to use your information to comply with a legal obligations.

Data Processing AgreementWe offer Users with qualifying accounts our standard CTFd Data Processing Agreement with Standard Contractual Clauses/Model Clauses and GDPR clauses as standard. We understand that some of our Users prefer to have a written agreement as regards data processing and transfers, in addition to CTFd’s Terms of Use and Privacy Policy. To receive a copy of the DPA please contact us at [email protected].

4.     Is Information Collected by or Disclosed to Third Parties by using the Services?

 

We do not share, sell or rent to third parties your information except as described in this Privacy Policy.  Examples of instances in which we share your information are provided below:

 

1.     Third party service providers. We, like many businesses, sometimes engage other companies to perform certain business-related functions on our behalf so that we can focus on our core business. Examples of these services include, but are not limited to website evaluation and data analysis, social media management, site search and discovery services, internet security and DDoS mitigation and, where applicable, data cleansing, and payment processing and authorization and order fulfillment, marketing and promotional material distribution.  We authorize them to use this Personal Data only in connection data security and privacy standards.

 

2.     Business transfers. We may sell, assign, buy, transfer or otherwise acquire or dispose of certain of our businesses or corporate assets. In the event of such or similar event, Personal Data we collected from you may be part of the transferred assets. We may also share Personal Data with our auditors, attorneys or other advisors in connection with the forgoing corporate transactions. You acknowledge and agree that any successor to or acquirer of us will continue to have the right to use your Personal Data and other information in accordance with the terms of this Privacy Policy.

 

 

3.     Aggregate Data.  In an ongoing effort to better understand and to serve the users of our Services, we may conduct research on our user performance on challenges. This research may be compiled and analyzed on an aggregate basis, shared with Users or third parties and this aggregate information does not identify you personally and will not be treated as Personal Data under this Privacy Policy

 

4.     Website AnalyticsWe use analytics providers such as Google Analytics and Hotjar, or some of our third party service providers use analytic tools (such as Jotform and Shopify), to help us track user interactions with content on the site for the purposes of monitoring the performance.  For opt-out options specific to Google Analytics, please visit this page. For opt-out options specific to Hotjar, please visit this page. To learn more about how Jotform uses tracking services to measure the performance of our email messaging, please visit their Privacy Policy. To learn more about how Shopify uses tracking technologies to track the effectiveness of our on-line storefront, please visit them here.

 

5.     Legal requirementsWe may disclose your Personal Data if required to do so by law (including, without limitation responding to a subpoena or request from law enforcement, court or government agency or other public authorities) or in the good faith belief that such action is necessary (i) to comply with a legal obligation, (ii) to protect or defend our rights, interests or property or that of other customers or users, (iii) to act in urgent circumstances to protect the personal safety of users of the Services or the public, or (iv) to protect against legal liability or potential fraud, as determined in our sole discretion.

 

6.     Your consentIf we intend to use any of your Personal Data collected in any manner that is not specified herein, we will inform you of such anticipated use prior to or at the time at which such Personal Data is collected or we will obtain your consent subsequent to such collection but prior to such use. In short, we will honor the choices you make regarding your Personal Data and will inform you about any other intended uses of such information.

 

 

5.     Linking to or from Third Party Social Media Platforms.

 


Users may follow CTFd on
Facebook, Twitter, GitHub and other social media platforms as made available from time to time. Users should click on the hyperlinks for each site to review the applicable privacy policies for more detail about information collected from these sites.

 

 

  1. How Does CTFd Comply with the Children’s Online Privacy Protection Act?

 

Our Services are directed toward a general audience and are not directed at nor intended for use by children.  We do not knowingly collect information from children under the age of 13 without parental consent. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us at [email protected]. We will delete such information from our files within a reasonable time.

 

7.     What are my data protection rights under General Data Protection Regulation (“GDPR”)?

 

If you are located in countries that are within the European Economic Area (the “EEA”) or Switzerland, GDPR gives you rights with respect to your personal data, subject to any exemptions provided by the law, including the rights to:

 

·       Request access to your Personal Data;

·       Request correction or deletion of your Personal Data;

·       Object to our use and processing of your Personal Data;

·       Request that we limit our use and processing of your Personal Data; and

·       Request portability of your Personal Data.

 

You can usually access, correct, or delete your personal data by contacting us at [email protected]. We will consider all such requests and provide our responses as soon as we can.  Please note, however, that personal information may be exempt from such requests in certain circumstances, which may include circumstances where we need to keep processing your personal information for our legitimate interests or to comply with a legal obligations. Users located in EEA or Switzerland also have the right to make a complaint to a government supervisory authority.

 

 

  1. Cross-Border Data Transfers

 

Sharing of information laid out in Section 4 sometimes involves cross-border data transfers, for instance to the United States of America and other jurisdictions. CTFd may also subcontract processing to, or share your Personal Data with, third parties located in countries other than your home country.  Your Personal Data, therefore, may be subject to privacy laws that are different from those in your country of residence. 

 

We store the Personal Data on servers hosted by Digital Ocean. Like CTFd, helping to protect the confidentiality, integrity, and availability of customer data is of the utmost importance to Digital Ocean, as is maintaining customer trust and confidence. Digital Ocean is certified under the US-EU and US-Swiss Privacy Shields and, in compliance with the Privacy Shield Principles, act as our agent with regard to data privacy. For more details of Digital Ocean's privacy and security processes, please visit https://www.digitalocean.com/legal/privacy-policy/. By using our Services, you consent to your personal information being transferred to our servers as set out in this policy.

 

 

Where our Services allow for users located in the European Economic Area (“EEA”) or Switzerland, and when we transfer their Personal Data to countries outside of the EEA or Switzerland as processors, we transfer the Personal Data in accordance with applicable privacy laws and, in particular, that appropriate contractual, technical, and organizational measures in place such as the Standard Contractual Clauses approved by the EU Commission.  Standard Contractual Clauses are commitments between companies transferring personal data, binding them to protect the privacy and security of your data.

 

 

  1. How long does CTFd retain information collected? 

 

We follow generally accepted standards to store and protect the Personal Data we collect, both during transmission and once received and stored, including utilization of encryption where appropriate.  We retain Personal Data only for as long as necessary to provide the Services you have requested and thereafter for a variety of legitimate legal or business purposes. These might include retention periods (i) mandated by law, contract or similar obligations applicable to our business operations; (ii) for preserving, resolving, defending or enforcing our legal/contractual rights; or (iii) needed to maintain adequate and accurate business and financial records.  If you have any questions about the security or retention of your Personal Data, you can contact us at [email protected].

 

  1. What is CTFd’s Security Policy?

 

We have implemented reasonable administrative, technical and physical security measures to protect your personal information against unauthorized access, destruction or alteration. For example, we limit access to this information to authorized employees and contractors who need to know that information in order to operate, develop or improve our Services. All sensitive information is protected behind firewalls and multiple layers of security systems. However, although we endeavor to provide reasonable security for information we process and maintain, no security system can ever by 100% secure.

 

  1.  How Does CTFd Respond to “Do Not Track” Signals?

 

“Do Not Track” is a feature enabled on some browsers that sends a signal to request that a web application disable its tracking or cross-site user tracking. At present, CTFd does not respond to or alter its practices when a Do Not Track signal is received.

 

  1. How Will I Be Notified of Changes to Your Privacy Policy? 

 

If CTFd makes material changes to its Privacy Policy, it will notify you by: (i) changing the Last Updated Date at the top of the Privacy Policy, (ii) sending an email to its users, and/or (iii) adding a statement to the Site.

 

  1. Contact Us

 

If you have any questions regarding privacy while using our Services, or have questions about our practices, please contact us at [email protected].