Privacy Policy
Last updated: 29 May 2026
1. Controller Identification
TERMINAL43 S.R.L. ("we", "us", "the Platform") is the data controller for personal data processed through this educational platform (system.terminal43.ro), within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Data We Collect
Account Data
Username, email address, display name, bio, timezone, avatar URL, password (hashed).
Learning Data
Challenge submissions, lesson progress, hint usage, enrollment records, achievement history, leaderboard scores.
Technical Data
IP address, user agent string, session identifiers. Collected for security, rate limiting, and abuse prevention.
Container Data
Temporary SSH credentials generated for challenge containers. These are ephemeral and destroyed when containers expire.
Payment Data
If you purchase paid plans or items, we keep transaction records, your Stripe customer ID, and the last 4 digits and brand of your card. We never store full card data; payments are processed by Stripe.
3. Legal Basis for Processing (Art. 6 GDPR)
| Data Category | Lawful Basis | Details |
|---|---|---|
| Username, email, password | Contract (Art. 6(1)(b)) | Necessary to create and maintain your account |
| Display name, bio, avatar, timezone | Contract (Art. 6(1)(b)) | Profile features you opted into by registering |
| Submissions, progress, scores, achievements | Contract (Art. 6(1)(b)) | Core educational service delivery |
| Payment records, invoices | Legal obligation (Art. 6(1)(c)) | Fiscal records required by Codul fiscal art. 25 |
| IP address, user agent | Legitimate interest (Art. 6(1)(f)) | Platform security, abuse prevention, rate limiting |
| Container SSH credentials | Contract (Art. 6(1)(b)) | Ephemeral; destroyed when container expires (max 4 hours) |
| Cookie consent preference | Consent (Art. 6(1)(a)) | Stored locally in your browser only |
| Data of users under 16 | Parental consent (Art. 8 GDPR) | Verifiable parental/guardian consent required; see Section 11 |
4. How We Use Your Data
- Provide and maintain the learning platform
- Track your progress through courses and challenges
- Calculate scores and maintain leaderboards
- Process payments and issue invoices for paid plans
- Send notifications about your learning activity
- Detect and prevent abuse, fraud, and security incidents
- Improve platform features and user experience
- Comply with Romanian tax and consumer-protection law
5. Sub-processors
The third parties below process personal data on our behalf under written agreements meeting GDPR Art. 28 requirements.
| Provider | Purpose | Location / safeguards |
|---|---|---|
| Stripe Payments Europe, Ltd. | PCI-DSS compliant payment processing for paid plans and items | Ireland (EU). Stripe transfers to Stripe Inc. (US) rely on Stripe's SCCs and the EU-US Data Privacy Framework. |
| TERMINAL43 S.R.L. (terminal43.ro, code.terminal43.ro, ctf.terminal43.ro, terminal43.school) | Single sign-on (SSO), cross-platform account directory, auto-enrollment into related programs | Romania (EU) |
| Sandboxed lab / SSH / VM infrastructure (operated by us) | Isolated Docker containers, SSH access, and virtual machines for challenge environments | Self-hosted in the EU |
| Hostinger International Ltd. | Transactional email (SMTP relay): verification, password reset, service notifications | Lithuania (EU) |
| Hetzner Online GmbH | VPS hosting: application server, database, file storage | Germany and Finland (EEA) |
If we add or replace a sub-processor for paid services, we update this list and, for material changes affecting paid users, notify registered users at least 30 days in advance.
6. Data Retention
| Data | Retention Period | Deletion Method |
|---|---|---|
| Account data | While active, then 30 days after deletion request | Soft-delete grace period, then purge |
| Lab attempts / training data | Lifetime of the account | Deleted with account |
| Payment records, invoices | 10 years (Codul fiscal art. 25) | Archived for legal retention, then deleted |
| Server / security logs | 90 days | Automated cleanup, then anonymized or deleted |
| Cookie consent record | 12 months | Re-prompted after expiry |
| Database backups | 30 days rolling | Overwritten by retention cycle |
| Container SSH credentials | Max 4 hours | Destroyed on container expiry |
On account deletion we anonymize or delete personal data within 30 days, except where retention is required by law (fiscal records) or required to defend legal claims.
7. Your Rights (GDPR Articles 15-22)
Right of Access: Download all your data from Privacy Settings.
Right to Rectification: Edit your profile data at any time from your dashboard.
Right to Erasure: Request account deletion from Privacy Settings. Data is permanently removed after a 30-day grace period, subject to legal retention (e.g. fiscal records).
Right to Portability: Export your data in machine-readable JSON format.
Right to Object: Contact us to object to specific processing activities.
Right to Restrict Processing (Art. 18): You may ask us to stop using your data while a complaint, rectification, or objection is being resolved. To request restriction, write to contact@terminal43.ro stating which processing activity you want paused.
Right to Withdraw Consent (Art. 7(3)): Where we process your data based on your consent (for example, cookies that require consent, optional communications, or any opt-in feature), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. Withdrawal can be exercised through Privacy Settings or by writing to contact@terminal43.ro.
8. Data Sharing
We do not sell, rent, or share your personal data with third parties for marketing purposes. Data may be shared with:
- Organization administrators: If you join an organization or classroom, its managers can see your progress within that context.
- Public profiles: Your username, display name, total points, and achievements are publicly visible on your profile and the leaderboard.
- Law enforcement: Only when required by valid legal process.
9. Third-Party Services
The Platform loads resources from third-party CDNs to provide its user interface. These services may receive your IP address and browser metadata when pages load:
- Google Fonts (fonts.googleapis.com): Typeface delivery. Google Privacy Policy
- Tailwind CSS CDN (cdn.tailwindcss.com): Styling framework
- cdnjs / unpkg: JavaScript libraries (GSAP, Lucide Icons, Socket.IO)
We do not use any analytics, advertising, or tracking services. No cookies are set by third parties.
10. International Transfers
Production data is stored in the European Union. Stripe Inc. (US) receives payment-related data via Stripe Payments Europe, Ltd. (Ireland) under EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Third-party CDN resources (Section 9) are served from global edge networks; this constitutes a transfer of your IP address outside the EEA, covered by the CDN providers' Standard Contractual Clauses or adequacy decisions where applicable. We do not transfer training, enrollment, or progress data outside the EEA.
11. Children's Privacy (Art. 8 GDPR)
Romanian law (Legea nr. 190/2018, art. 8) sets the GDPR digital-consent age at 16.
Users under 16: a parent or legal guardian must enrol the minor on their behalf, accept this Privacy Policy on the minor's behalf, and is treated as the contracting consumer. We do not knowingly collect personal data from children under 16 without verifiable parental consent.
Users 16 and over: may register on their own.
What we collect about a minor is the minimum necessary to deliver the service: name (or chosen handle), age range, the linked parent's email, enrollment status, and progress. We do not use a minor's data for marketing or profiling.
If you become aware that we have collected personal data from a child under 16 without proper parental consent, email contact@terminal43.ro and we will delete it without undue delay.
12. Security
We implement industry-standard security measures: bcrypt password hashing, CSRF protection, rate limiting, TLS encryption in transit, and isolated container environments for challenges.
13. Cookies
We use only essential cookies required for the platform to function. See our Cookie Policy for details.
14. Changes to This Policy
We may update this policy from time to time. Material changes will be announced on the platform with a new "Last updated" date above. Continued use after changes constitutes acceptance.
15. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian supervisory authority ANSPDCP:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București, România
Website: www.dataprotection.ro
16. Contact
For privacy-related inquiries: contact@terminal43.ro