$ cat /legal/privacy-policy.md

Privacy Policy

Last updated: April 6, 2026

1. Overview

CTF Base (ctfbase.com) respects your privacy. This policy describes what data we collect, how we use it, and your rights regarding that data.

2. Data We Collect

data-collection.log

# OAuth (on sign in via GitHub, Discord, or Google)

provider_id, username, display_name, email, avatar_url

# Usage data (automatic)

search queries, writeup views, API requests, timestamps

# Technical data (automatic)

IP address, user agent, request headers

What we do NOT collect:

Payment information (handled entirely by NOWPayments; we only store invoice metadata)
Passwords (we use GitHub, Discord, or Google OAuth only)
Location data or device fingerprints
Data from advertising networks

3. How We Use Your Data

Authentication — to identify you and manage your account
Rate limiting — to enforce fair usage per service tier
Anomaly detection — to detect and prevent scraping or abuse
Service improvement — to understand how the service is used
Communication — to send important service updates (no marketing spam)

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Cookies

We use minimal cookies:

Cookie	Purpose	Duration
`authjs.session-token`	Authentication session	30 days
`authjs.csrf-token`	CSRF protection	Session
`authjs.callback-url`	OAuth redirect	Session
`_ga`	Google Analytics — unique visitor ID	2 years
`_ga_*`	Google Analytics — session state	2 years

We use Google Analytics for anonymous usage statistics. No advertising cookies. No third-party ad trackers.

5. Third-Party Services

GitHub — OAuth authentication. GitHub Privacy Statement
Discord — OAuth authentication. Discord Privacy Policy
Google — OAuth authentication. Google Privacy Policy
Google Analytics — anonymous usage statistics (page views, session duration, traffic sources). We use this data to understand how the service is used and to improve user experience. No personally identifiable information is shared with Google for advertising. Google Privacy Policy
Cloudflare — CDN, DDoS protection, DNS. Cloudflare Privacy Policy
NOWPayments — crypto payment processing. NOWPayments Privacy Policy

6. Data Retention

Account data is retained as long as your account is active. Usage logs are retained for up to 90 days for security and anomaly detection purposes, then automatically purged.

If you delete your account, your personal data will be removed within 30 days. Anonymized, aggregated statistics may be retained indefinitely.

7. Data Security

We protect your data with:

HTTPS/TLS encryption on all connections
Encrypted session tokens (JWE)
Database access restricted to internal network only
Rate limiting and anomaly detection
Regular automated backups
Minimal data collection principle

8. Your Rights

You have the right to:

Access — request a copy of your personal data
Correction — update inaccurate information
Deletion — request removal of your account and data
Export — receive your data in a portable format

To exercise these rights, contact us at [email protected]

9. Children

CTF Base is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have collected such data, please contact us for immediate removal.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or a notice on the website. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Privacy questions or data requests? Contact us at [email protected]

$ see also terms-of-service | docs

$ loading…