Privacy Policy
Last updated: 29 May 2026
Terminal43 ("we", "us", "our") is committed to protecting your personal data. This policy explains what data we collect, why, and how we handle it in accordance with the EU General Data Protection Regulation (GDPR).
1. Data Controller
The data controller for personal data processed via terminal43.ro is:
| Legal name | TERMINAL43 S.R.L. |
| Registered office | Mun. București, Sector 3, Str. Râmnicu Vâlcea nr. 27, Cam. 1, Bl. 20C, Sc. 2, Romania |
| Trade Register | J2026013719005 |
| Fiscal code (CUI) | 54133669 |
| CAEN | 8559, Other education n.e.c. |
| General contact | contact@terminal43.ro |
| Data Protection (DPO contact) | contact@terminal43.ro |
2. Data We Collect
We collect only the data necessary to provide our services:
| Data Category | Examples | Source |
|---|---|---|
| Account data | Username, email, hashed password | Registration form |
| Newsletter data | Email address, subscription date, IP address | Newsletter form |
| Contact data | Name, email, message content, IP address | Contact form |
| Usage data | Challenge progress, scores, course enrollment | Platform activity |
| Technical data | Session cookies, CSRF tokens, theme preference | Automatic (browser) |
We do not collect sensitive personal data (health, biometric, political opinions, etc.).
3. Legal Basis for Processing
Under GDPR Article 6, we process your data based on:
- Contract performance (Art. 6(1)(b)) -- to provide our educational platforms and services you signed up for.
- Consent (Art. 6(1)(a)) -- for newsletter subscriptions. You can withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)) -- for platform security, fraud prevention, and service improvement.
- Legal obligation (Art. 6(1)(c)) -- where required by applicable law.
- Parental consent for minors (Art. 8 GDPR, Legea nr. 190/2018 art. 8): for users under 16, processing relies on verifiable consent given by a parent or legal guardian; see Section 11.
4. How We Use Your Data
- Providing and maintaining our educational platforms (CTF, System, Code)
- Managing your account and tracking learning progress
- Sending newsletter updates (only with your explicit consent)
- Responding to contact inquiries
- Ensuring platform security and preventing abuse
- Generating anonymized, aggregated statistics
5. Data Storage and Transfers
Your personal data is stored on servers operated by Hetzner Online GmbH, located in Germany and Finland. Both countries are within the European Economic Area (EEA), so no cross-border transfer outside the EEA occurs in connection with primary storage.
We do not share, sell, or transfer your personal data to any third parties outside the EEA.
6. Cross-Platform Ecosystem Data Sharing
Terminal43 operates an integrated ecosystem composed of the Terminal43 Hub and the connected learning platforms (Terminal43 CTF, Terminal43 System, and Terminal43 Code). When You hold accounts on more than one of these platforms or link Your accounts via the Hub, certain non-sensitive data flows between them in order to provide ecosystem features such as unified scoring, cross-platform unlocks, ecosystem-wide streaks, perks, recommendations, and a single learner profile.
| Shared data | Source → Destination | Purpose | Legal basis |
|---|---|---|---|
| User identifier (Hub user ID), display name, avatar | Hub ↔ CTF / System / Code | Single-sign-on, unified profile, account linking | Contract (Art. 6(1)(b)) |
| Total points, solves, level, streak per platform | CTF / System / Code → Hub | Ecosystem-wide score, cross-platform leaderboards, perks evaluation | Legitimate interest (Art. 6(1)(f)): service integration |
| Earned achievements, badges, certificates | CTF / System / Code → Hub | Display on unified profile, perk eligibility, learning-path progress | Contract / legitimate interest |
| Course / challenge / task completion events | CTF / System / Code → Hub | Cross-platform unlock rules, learning-path stage completion, recommendations | Legitimate interest |
| Linked-account confirmation tokens | Hub → CTF / System / Code | Account linking, identity verification | Contract |
| Plan / subscription status | Hub ↔ CTF / System / Code | Apply paid-tier entitlements consistently across platforms | Contract |
We share only the categories listed above. We do not share Your code submissions, writeup text, flag answers, private profile fields, contact-form messages, raw audit logs, or any sensitive data category between platforms unless explicitly required to provide a specific feature You have activated.
Within-controller transfers. All Terminal43 platforms are operated by the same controller (Terminal43 SRL). Cross-platform sharing as described above is therefore not a disclosure to a third party; it is an internal data flow within a single controller’s system, processed under the same legal bases and protections set out in this Policy.
Your control. You may at any time:
- View which of Your accounts are linked across the ecosystem in Your Hub profile;
- Unlink any platform account from the Hub, which stops further sharing of progress, achievements, and entitlements from that platform forward (data already shared remains in the relevant platforms’ records);
- Delete the underlying account on the source platform, in which case its data is deleted in accordance with Section 7 below and is no longer available to flow to other platforms;
- Object to specific sharing flows based on legitimate interest by writing to contact@terminal43.ro.
Some ecosystem features (cross-platform leaderboards, unified streaks, perks unlocking) will not function for accounts that are unlinked or have sharing objected to.
7. Sub-processors
The third parties below process personal data on our behalf under written agreements meeting GDPR Art. 28 requirements.
| Provider | Purpose | Location / safeguards |
|---|---|---|
| Stripe Payments Europe, Ltd. | PCI-DSS compliant payment processing for paid bundles and subscriptions | Ireland (EU). Transfers to Stripe Inc. (US) rely on Stripe's SCCs and the EU-US Data Privacy Framework. |
| TERMINAL43 S.R.L., the other Terminal43 platforms (code.terminal43.ro, ctf.terminal43.ro, system.terminal43.ro, terminal43.school) | Single sign-on (SSO), cross-platform enrollment, ecosystem features | Romania (EU), same controller |
| Hetzner Online GmbH | VPS hosting: application server, database, file storage (production environment) | Germany and Finland (EEA) |
| Hostinger International Ltd. | Transactional email (SMTP relay) for account, billing, and service notifications | Lithuania (EU) |
| Google Fonts | Typography (font delivery) | Global (Google LLC); IP address only at font load time |
If we add or replace a sub-processor for paid services, we update this list and, for material changes affecting paid users, notify registered users at least 30 days in advance.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | While the account is active, then 30 days after deletion request (soft-delete grace period) |
| Activity / learning data | Lifetime of the account, for progress and certificates |
| Payment records, invoices | 10 years (Codul fiscal art. 25) |
| Server / security logs | 90 days, then deleted or anonymized |
| Cookie consent record | 12 months, then re-prompted |
| Database backups | 30 days rolling, then overwritten |
| Newsletter subscriptions | Until you unsubscribe |
| Contact form messages | 12 months after resolution |
| Session / technical data | Duration of session (max 12 hours) |
On account deletion we anonymize or delete personal data within 30 days, except where retention is required by law (fiscal records) or required to defend legal claims.
9. Your Rights Under GDPR
As an EU/EEA resident, you have the following rights:
- Right of access (Art. 15) -- request a copy of your personal data.
- Right to rectification (Art. 16) -- correct inaccurate data.
- Right to erasure (Art. 17) -- request deletion of your data ("right to be forgotten").
- Right to restrict processing (Art. 18) -- limit how we use your data.
- Right to data portability (Art. 20) -- receive your data in a structured, machine-readable format.
- Right to object (Art. 21) -- object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) -- withdraw consent at any time (e.g., unsubscribe from newsletter).
To exercise any of these rights, email contact@terminal43.ro. We will respond within 30 days.
10. Cookies
We use only essential and preference cookies. We do not use third-party tracking or advertising cookies. For full details, see our Cookie Policy.
11. Children's Privacy (Art. 8 GDPR)
Romanian law (Legea nr. 190/2018, art. 8) sets the GDPR digital-consent age at 16.
Users under 16: a parent or legal guardian must register the minor on their behalf, accept these Terms and this Privacy Policy on the minor's behalf, and is treated as the contracting consumer. We do not knowingly collect personal data from children under 16 without verifiable parental consent.
Users 16 and over: may register on their own.
If you become aware that we have collected personal data from a child under 16 without proper parental consent, email contact@terminal43.ro and we will delete it without undue delay.
12. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Passwords stored using bcrypt hashing (never in plaintext)
- HTTPS encryption for all data in transit
- CSRF protection on all forms
- Rate limiting to prevent abuse
- Isolated database networks with restricted access
- Regular security audits of our platforms
We do not use analytics, advertising, or social media tracking services beyond what is listed in Section 7 (Sub-processors).
13. Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated date. For significant changes, we will notify registered users by email.
14. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian data protection authority:
ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
Website: www.dataprotection.ro
Email: anspdcp@dataprotection.ro
15. Contact
For any privacy-related questions or requests:
- Email: contact@terminal43.ro
- General contact: Contact form