Privacy Policy | Terminal43

Last updated: 14 May 2026

Terminal43 ("we", "us", "our") is committed to protecting your personal data. This policy explains what data we collect, why, and how we handle it in accordance with the EU General Data Protection Regulation (GDPR).

1. Data Controller

The data controller is Terminal43, based in Bucharest, Romania. For any data-related inquiries, contact us at:

Email: contact@terminal43.ro
Address: Bucharest, Romania

2. Data We Collect

We collect only the data necessary to provide our services:

Data Category	Examples	Source
Account data	Username, email, hashed password	Registration form
Newsletter data	Email address, subscription date, IP address	Newsletter form
Contact data	Name, email, message content, IP address	Contact form
Usage data	Challenge progress, scores, course enrollment	Platform activity
Technical data	Session cookies, CSRF tokens, theme preference	Automatic (browser)

We do not collect sensitive personal data (health, biometric, political opinions, etc.).

3. Legal Basis for Processing

Under GDPR Article 6, we process your data based on:

Contract performance (Art. 6(1)(b)) -- to provide our educational platforms and services you signed up for.
Consent (Art. 6(1)(a)) -- for newsletter subscriptions. You can withdraw consent at any time.
Legitimate interest (Art. 6(1)(f)) -- for platform security, fraud prevention, and service improvement.
Legal obligation (Art. 6(1)(c)) -- where required by applicable law.

4. How We Use Your Data

Providing and maintaining our educational platforms (CTF, System, Code)
Managing your account and tracking learning progress
Sending newsletter updates (only with your explicit consent)
Responding to contact inquiries
Ensuring platform security and preventing abuse
Generating anonymized, aggregated statistics

5. Data Storage and Transfers

Your personal data is stored on servers operated by Hetzner Online GmbH, located in Germany and Finland. Both countries are within the European Economic Area (EEA), so no cross-border transfer outside the EEA occurs.

We do not share, sell, or transfer your personal data to any third parties outside the EEA.

6. Cross-Platform Ecosystem Data Sharing

Terminal43 operates an integrated ecosystem composed of the Terminal43 Hub and the connected learning platforms (Terminal43 CTF, Terminal43 System, and Terminal43 Code). When You hold accounts on more than one of these platforms or link Your accounts via the Hub, certain non-sensitive data flows between them in order to provide ecosystem features such as unified scoring, cross-platform unlocks, ecosystem-wide streaks, perks, recommendations, and a single learner profile.

Shared data	Source → Destination	Purpose	Legal basis
User identifier (Hub user ID), display name, avatar	Hub ↔ CTF / System / Code	Single-sign-on, unified profile, account linking	Contract (Art. 6(1)(b))
Total points, solves, level, streak per platform	CTF / System / Code → Hub	Ecosystem-wide score, cross-platform leaderboards, perks evaluation	Legitimate interest (Art. 6(1)(f)): service integration
Earned achievements, badges, certificates	CTF / System / Code → Hub	Display on unified profile, perk eligibility, learning-path progress	Contract / legitimate interest
Course / challenge / task completion events	CTF / System / Code → Hub	Cross-platform unlock rules, learning-path stage completion, recommendations	Legitimate interest
Linked-account confirmation tokens	Hub → CTF / System / Code	Account linking, identity verification	Contract
Plan / subscription status	Hub ↔ CTF / System / Code	Apply paid-tier entitlements consistently across platforms	Contract

We share only the categories listed above. We do not share Your code submissions, writeup text, flag answers, private profile fields, contact-form messages, raw audit logs, or any sensitive data category between platforms unless explicitly required to provide a specific feature You have activated.

Within-controller transfers. All Terminal43 platforms are operated by the same controller (Terminal43 SRL). Cross-platform sharing as described above is therefore not a disclosure to a third party; it is an internal data flow within a single controller’s system, processed under the same legal bases and protections set out in this Policy.

Your control. You may at any time:

View which of Your accounts are linked across the ecosystem in Your Hub profile;
Unlink any platform account from the Hub, which stops further sharing of progress, achievements, and entitlements from that platform forward (data already shared remains in the relevant platforms’ records);
Delete the underlying account on the source platform, in which case its data is deleted in accordance with Section 7 below and is no longer available to flow to other platforms;
Object to specific sharing flows based on legitimate interest by writing to contact@terminal43.ro.

Some ecosystem features (cross-platform leaderboards, unified streaks, perks unlocking) will not function for accounts that are unlinked or have sharing objected to.

7. Data Retention

Data Type	Retention Period
Account data	Until you delete your account, or 2 years after last login
Newsletter subscriptions	Until you unsubscribe
Contact form messages	12 months after resolution
Session/technical data	Duration of session (max 12 hours)
Usage/progress data	Retained with your account; deleted when account is deleted

8. Your Rights Under GDPR

As an EU/EEA resident, you have the following rights:

Right of access (Art. 15) -- request a copy of your personal data.
Right to rectification (Art. 16) -- correct inaccurate data.
Right to erasure (Art. 17) -- request deletion of your data ("right to be forgotten").
Right to restrict processing (Art. 18) -- limit how we use your data.
Right to data portability (Art. 20) -- receive your data in a structured, machine-readable format.
Right to object (Art. 21) -- object to processing based on legitimate interest.
Right to withdraw consent (Art. 7(3)) -- withdraw consent at any time (e.g., unsubscribe from newsletter).

To exercise any of these rights, email contact@terminal43.ro. We will respond within 30 days.

9. Cookies

We use only essential and preference cookies. We do not use third-party tracking or advertising cookies. For full details, see our Cookie Policy.

10. Children's Privacy

Our platforms are intended for users aged 16 and older. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately at contact@terminal43.ro.

11. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

Passwords stored using bcrypt hashing (never in plaintext)
HTTPS encryption for all data in transit
CSRF protection on all forms
Rate limiting to prevent abuse
Isolated database networks with restricted access
Regular security audits of our platforms

12. Third-Party Services

We use the following third-party services:

Service	Purpose	Data Shared	Location
Hetzner	Server hosting	All data (stored on their servers)	Germany, Finland (EEA)
Google Fonts	Typography	IP address (via font loading)	Global (Google LLC)

We do not use analytics, advertising, or social media tracking services.

13. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. For significant changes, we will notify registered users by email.

14. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian data protection authority:

ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro

15. Contact

For any privacy-related questions or requests:

Email: contact@terminal43.ro
General contact: Contact form