Last updated: 29 May 2026

Terminal43 ("we", "us", "our") is committed to protecting your personal data. This policy explains what data we collect, why, and how we handle it in accordance with the EU General Data Protection Regulation (GDPR).

1. Data Controller

The data controller for personal data processed via terminal43.ro is:

Legal nameTERMINAL43 S.R.L.
Registered officeMun. București, Sector 3, Str. Râmnicu Vâlcea nr. 27, Cam. 1, Bl. 20C, Sc. 2, Romania
Trade RegisterJ2026013719005
Fiscal code (CUI)54133669
CAEN8559, Other education n.e.c.
General contactcontact@terminal43.ro
Data Protection (DPO contact)contact@terminal43.ro

2. Data We Collect

We collect only the data necessary to provide our services:

Data CategoryExamplesSource
Account dataUsername, email, hashed passwordRegistration form
Newsletter dataEmail address, subscription date, IP addressNewsletter form
Contact dataName, email, message content, IP addressContact form
Usage dataChallenge progress, scores, course enrollmentPlatform activity
Technical dataSession cookies, CSRF tokens, theme preferenceAutomatic (browser)

We do not collect sensitive personal data (health, biometric, political opinions, etc.).

3. Legal Basis for Processing

Under GDPR Article 6, we process your data based on:

  • Contract performance (Art. 6(1)(b)) -- to provide our educational platforms and services you signed up for.
  • Consent (Art. 6(1)(a)) -- for newsletter subscriptions. You can withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f)) -- for platform security, fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c)) -- where required by applicable law.
  • Parental consent for minors (Art. 8 GDPR, Legea nr. 190/2018 art. 8): for users under 16, processing relies on verifiable consent given by a parent or legal guardian; see Section 11.

4. How We Use Your Data

  • Providing and maintaining our educational platforms (CTF, System, Code)
  • Managing your account and tracking learning progress
  • Sending newsletter updates (only with your explicit consent)
  • Responding to contact inquiries
  • Ensuring platform security and preventing abuse
  • Generating anonymized, aggregated statistics

5. Data Storage and Transfers

Your personal data is stored on servers operated by Hetzner Online GmbH, located in Germany and Finland. Both countries are within the European Economic Area (EEA), so no cross-border transfer outside the EEA occurs in connection with primary storage.

We do not share, sell, or transfer your personal data to any third parties outside the EEA.

6. Cross-Platform Ecosystem Data Sharing

Terminal43 operates an integrated ecosystem composed of the Terminal43 Hub and the connected learning platforms (Terminal43 CTF, Terminal43 System, and Terminal43 Code). When You hold accounts on more than one of these platforms or link Your accounts via the Hub, certain non-sensitive data flows between them in order to provide ecosystem features such as unified scoring, cross-platform unlocks, ecosystem-wide streaks, perks, recommendations, and a single learner profile.

Shared dataSource → DestinationPurposeLegal basis
User identifier (Hub user ID), display name, avatarHub ↔ CTF / System / CodeSingle-sign-on, unified profile, account linkingContract (Art. 6(1)(b))
Total points, solves, level, streak per platformCTF / System / Code → HubEcosystem-wide score, cross-platform leaderboards, perks evaluationLegitimate interest (Art. 6(1)(f)): service integration
Earned achievements, badges, certificatesCTF / System / Code → HubDisplay on unified profile, perk eligibility, learning-path progressContract / legitimate interest
Course / challenge / task completion eventsCTF / System / Code → HubCross-platform unlock rules, learning-path stage completion, recommendationsLegitimate interest
Linked-account confirmation tokensHub → CTF / System / CodeAccount linking, identity verificationContract
Plan / subscription statusHub ↔ CTF / System / CodeApply paid-tier entitlements consistently across platformsContract

We share only the categories listed above. We do not share Your code submissions, writeup text, flag answers, private profile fields, contact-form messages, raw audit logs, or any sensitive data category between platforms unless explicitly required to provide a specific feature You have activated.

Within-controller transfers. All Terminal43 platforms are operated by the same controller (Terminal43 SRL). Cross-platform sharing as described above is therefore not a disclosure to a third party; it is an internal data flow within a single controller’s system, processed under the same legal bases and protections set out in this Policy.

Your control. You may at any time:

  • View which of Your accounts are linked across the ecosystem in Your Hub profile;
  • Unlink any platform account from the Hub, which stops further sharing of progress, achievements, and entitlements from that platform forward (data already shared remains in the relevant platforms’ records);
  • Delete the underlying account on the source platform, in which case its data is deleted in accordance with Section 7 below and is no longer available to flow to other platforms;
  • Object to specific sharing flows based on legitimate interest by writing to contact@terminal43.ro.

Some ecosystem features (cross-platform leaderboards, unified streaks, perks unlocking) will not function for accounts that are unlinked or have sharing objected to.

7. Sub-processors

The third parties below process personal data on our behalf under written agreements meeting GDPR Art. 28 requirements.

ProviderPurposeLocation / safeguards
Stripe Payments Europe, Ltd.PCI-DSS compliant payment processing for paid bundles and subscriptionsIreland (EU). Transfers to Stripe Inc. (US) rely on Stripe's SCCs and the EU-US Data Privacy Framework.
TERMINAL43 S.R.L., the other Terminal43 platforms (code.terminal43.ro, ctf.terminal43.ro, system.terminal43.ro, terminal43.school)Single sign-on (SSO), cross-platform enrollment, ecosystem featuresRomania (EU), same controller
Hetzner Online GmbHVPS hosting: application server, database, file storage (production environment)Germany and Finland (EEA)
Hostinger International Ltd.Transactional email (SMTP relay) for account, billing, and service notificationsLithuania (EU)
Google FontsTypography (font delivery)Global (Google LLC); IP address only at font load time

If we add or replace a sub-processor for paid services, we update this list and, for material changes affecting paid users, notify registered users at least 30 days in advance.

8. Data Retention

Data TypeRetention Period
Account dataWhile the account is active, then 30 days after deletion request (soft-delete grace period)
Activity / learning dataLifetime of the account, for progress and certificates
Payment records, invoices10 years (Codul fiscal art. 25)
Server / security logs90 days, then deleted or anonymized
Cookie consent record12 months, then re-prompted
Database backups30 days rolling, then overwritten
Newsletter subscriptionsUntil you unsubscribe
Contact form messages12 months after resolution
Session / technical dataDuration of session (max 12 hours)

On account deletion we anonymize or delete personal data within 30 days, except where retention is required by law (fiscal records) or required to defend legal claims.

9. Your Rights Under GDPR

As an EU/EEA resident, you have the following rights:

  • Right of access (Art. 15) -- request a copy of your personal data.
  • Right to rectification (Art. 16) -- correct inaccurate data.
  • Right to erasure (Art. 17) -- request deletion of your data ("right to be forgotten").
  • Right to restrict processing (Art. 18) -- limit how we use your data.
  • Right to data portability (Art. 20) -- receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) -- object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) -- withdraw consent at any time (e.g., unsubscribe from newsletter).

To exercise any of these rights, email contact@terminal43.ro. We will respond within 30 days.

10. Cookies

We use only essential and preference cookies. We do not use third-party tracking or advertising cookies. For full details, see our Cookie Policy.

11. Children's Privacy (Art. 8 GDPR)

Romanian law (Legea nr. 190/2018, art. 8) sets the GDPR digital-consent age at 16.

Users under 16: a parent or legal guardian must register the minor on their behalf, accept these Terms and this Privacy Policy on the minor's behalf, and is treated as the contracting consumer. We do not knowingly collect personal data from children under 16 without verifiable parental consent.

Users 16 and over: may register on their own.

If you become aware that we have collected personal data from a child under 16 without proper parental consent, email contact@terminal43.ro and we will delete it without undue delay.

12. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Passwords stored using bcrypt hashing (never in plaintext)
  • HTTPS encryption for all data in transit
  • CSRF protection on all forms
  • Rate limiting to prevent abuse
  • Isolated database networks with restricted access
  • Regular security audits of our platforms

We do not use analytics, advertising, or social media tracking services beyond what is listed in Section 7 (Sub-processors).

13. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. For significant changes, we will notify registered users by email.

14. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian data protection authority:

ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro

15. Contact

For any privacy-related questions or requests:

  • Email: contact@terminal43.ro
  • General contact: Contact form