Last Updated: September 30, 2020
- What information do we collect?
Account Registration Information. If you wish to register for an account, we may collect your email address and password.
Profile Information. From time to time you may be able to create a profile of which we may collect the following information where applicable: full name, username, affiliation, website and country.
Challenge Questions and Responses. If you are an administrator, you will be able to design challenge questions which can be textual, source code, or other formats as available through our Services. If you are a challenge participant, you will be able to input your responses to the challenge questions, which can be textual, source code, or other formats as available through our Services.
Payment Information. As part of our Services, our third party payment processing service provider, Stripe, Shopify, or Paypal, may collect credit card information from you.
Online Activity. If you are a challenge participant, other Users may be able to see your performance statistics on your profile, which may include the following: your ranking, your points, the challenges you have solved, when you solved the challenges, the percentage of correct vs incorrect submissions you have, and other statistics related to your challenge activity. Administrators are always able to see all details related to the challenge activity and account of non-administrative users. If you are an administrator, you may be able to put in comments on your dashboard, which will be viewable by administrators of your challenge only.
Automatically Collected Online Usage Activity.
Mobile Device Data. When you access our Services through a mobile device, we may also collect certain mobile device information automatically, including, but not limited to, the type of mobile device you use, your mobile operating system, and the type of mobile Internet browsers you use.
Products & Services Updates. We may collect your name and email address if you sign up to receive emails, invites and newsletters from us regarding our products and services. You may opt out at any time by clicking on the “Unsubscribe” link located at the bottom of any CTFd marketing email and following the instructions found on the page to which the link takes you. Please allow us a reasonable time to process your request. You cannot opt out of receiving transactional e-mails related to the Services.
Services and Customer Support. We may collect information such as your name and email address to the extent necessary for us to provide the Services that you have requested and/or to provide customer support.
Cookies are small text files which are transferred to your computer or mobile device when you visit a website or app. We use them to remember your preferences, improve your user experience, and help us understand how people are using our Services, so we can make them better. Cookies can be session cookies, which expire once you close your web browser. Cookies can also be persistent cookies, which stay on your device or a set period of time or until you delete them. CTFd uses the following types of cookies:
· Strictly Necessary Cookies: These cookies are necessary to allow us to operate our Services as you have requested. For example, they let us recognize what type of User you are, provide security settings (for example, CAPTCHA) and then provide you with services accordingly.
· Functional Cookies: These cookies help us remember your preferences and settings to enhance your user experience.
Using our Services without cookies is also possible. In your browser, you can deactivate the saving of cookies, limit them to particular websites, or set the browser to notify you when a cookie is sent. You can also delete cookies from your PC hard drive at any time (file: "cookies"). Please note that in this case you will have to expect a limited page presentation and limited user guidance. Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org/
- How do we use the collected information?
· Provide and deliver products or services, including software updates;
· Operate and improve our operations, systems, products, and services;
· Provide customer and service support, such as sending confirmations, invoices, technical notices, updates, security alerts, and administrative messages and providing service support and troubleshooting;
· Communicate with you and your referrals about promotions and news about products and services offered by CTFd and our selected partners;
· Enforce our terms and conditions or protect our business, partners, or users; or
· Protect against, investigate, and deter fraudulent, unauthorized, or illegal activity
Legal Basis For Processing. When we process your information we will only do so where at least one of the following applies:
- Provide our service to you: Most of the time, the reason we process your information is to perform the contract that you have with us. For example, if you create an account, we process your account registration data to provide customized and personalized Services to you. If you are an administrator, when you input challenge questions or problems, we process those information to execute the challenges as requested by you. When you provide our third party payment processor with payment information, our third party payment processor processes the information to process your payment.
- Legitimate interests: We may use your information where we have legitimate interests to do so. We analyze aggregated and/or anonymous user activities on our Services to continuously improve our Services and for market research purpose. We remember your preferences to provide enhanced, more personalized features. We process information for administrative, fraud detection and other legal purposes.
- Legal Compliance: When it is necessary for us to use your information to comply with a legal obligations.
4. Is Information Collected by or Disclosed to Third Parties by using the Services?
1. Third party service providers. We, like many businesses, sometimes engage other companies to perform certain business-related functions on our behalf so that we can focus on our core business. Examples of these services include, but are not limited to website evaluation and data analysis, social media management, site search and discovery services, internet security and DDoS mitigation and, where applicable, data cleansing, and payment processing and authorization and order fulfillment, marketing and promotional material distribution. We authorize them to use this Personal Data only in connection data security and privacy standards.
5. Legal requirements. We may disclose your Personal Data if required to do so by law (including, without limitation responding to a subpoena or request from law enforcement, court or government agency or other public authorities) or in the good faith belief that such action is necessary (i) to comply with a legal obligation, (ii) to protect or defend our rights, interests or property or that of other customers or users, (iii) to act in urgent circumstances to protect the personal safety of users of the Services or the public, or (iv) to protect against legal liability or potential fraud, as determined in our sole discretion.
6. Your consent. If we intend to use any of your Personal Data collected in any manner that is not specified herein, we will inform you of such anticipated use prior to or at the time at which such Personal Data is collected or we will obtain your consent subsequent to such collection but prior to such use. In short, we will honor the choices you make regarding your Personal Data and will inform you about any other intended uses of such information.
5. Linking to or from Third Party Social Media Platforms.
Users may follow CTFd on Faceboo, Twitter, GitHub and other social media platforms as made available from time to time. Users should click on the hyperlinks for each site to review the applicable privacy policies for more detail about information collected from these sites.
- How Does CTFd Comply with the Children’s Online Privacy Protection Act?
Our Services are directed toward a general audience and are not directed at nor intended for use by children. We do not knowingly collect information from children under the age of 13 without parental consent. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us at [email protected]. We will delete such information from our files within a reasonable time.
7. What are my data protection rights under General Data Protection Regulation (“GDPR”)?
If you are located in countries that are within the European Economic Area (the “EEA”) or Switzerland, GDPR gives you rights with respect to your personal data, subject to any exemptions provided by the law, including the rights to:
· Request access to your Personal Data;
· Request correction or deletion of your Personal Data;
· Object to our use and processing of your Personal Data;
· Request that we limit our use and processing of your Personal Data; and
· Request portability of your Personal Data.
You can usually access, correct, or delete your personal data by contacting us at [email protected]. We will consider all such requests and provide our responses as soon as we can. Please note, however, that personal information may be exempt from such requests in certain circumstances, which may include circumstances where we need to keep processing your personal information for our legitimate interests or to comply with a legal obligations. Users located in EEA or Switzerland also have the right to make a complaint to a government supervisory authority.
- Cross-Border Data Transfers
Sharing of information laid out in Section 4 sometimes involves cross-border data transfers, for instance to the United States of America and other jurisdictions. CTFd may also subcontract processing to, or share your Personal Data with, third parties located in countries other than your home country. Your Personal Data, therefore, may be subject to privacy laws that are different from those in your country of residence.
We store the Personal Data on servers hosted by Digital Ocean. Like CTFd, helping to protect the confidentiality, integrity, and availability of customer data is of the utmost importance to Digital Ocean, as is maintaining customer trust and confidence. Digital Ocean is certified under the US-EU and US-Swiss Privacy Shields and, in compliance with the Privacy Shield Principles, act as our agent with regard to data privacy. For more details of Digital Ocean's privacy and security processes, please visit https://www.digitalocean.com/legal/privacy-policy/. By using our Services, you consent to your personal information being transferred to our servers as set out in this policy.
Where our Services allow for users located in the European Economic Area (“EEA”) or Switzerland, and when we transfer their Personal Data to countries outside of the EEA or Switzerland as processors, we transfer the Personal Data in accordance with applicable privacy laws and, in particular, that appropriate contractual, technical, and organizational measures in place such as the Standard Contractual Clauses approved by the EU Commission. Standard Contractual Clauses are commitments between companies transferring personal data, binding them to protect the privacy and security of your data.
- How long does CTFd retain information collected?
We follow generally accepted standards to store and protect the Personal Data we collect, both during transmission and once received and stored, including utilization of encryption where appropriate. We retain Personal Data only for as long as necessary to provide the Services you have requested and thereafter for a variety of legitimate legal or business purposes. These might include retention periods (i) mandated by law, contract or similar obligations applicable to our business operations; (ii) for preserving, resolving, defending or enforcing our legal/contractual rights; or (iii) needed to maintain adequate and accurate business and financial records. If you have any questions about the security or retention of your Personal Data, you can contact us at [email protected].
- What is CTFd’s Security Policy?
We have implemented reasonable administrative, technical and physical security measures to protect your personal information against unauthorized access, destruction or alteration. For example, we limit access to this information to authorized employees and contractors who need to know that information in order to operate, develop or improve our Services. All sensitive information is protected behind firewalls and multiple layers of security systems. However, although we endeavor to provide reasonable security for information we process and maintain, no security system can ever by 100% secure.
- How Does CTFd Respond to “Do Not Track” Signals?
“Do Not Track” is a feature enabled on some browsers that sends a signal to request that a web application disable its tracking or cross-site user tracking. At present, CTFd does not respond to or alter its practices when a Do Not Track signal is received.
- Contact Us
If you have any questions regarding privacy while using our Services, or have questions about our practices, please contact us at [email protected].