$ cat /legal/privacy-policy.md

Privacy Policy

Last updated: March 27, 2026

1. Overview

CTF Base (ctfbase.com) respects your privacy. This policy describes what data we collect, how we use it, and your rights regarding that data.

2. Data We Collect

data-collection.log

# GitHub OAuth (on sign in)

github_id, username, display_name, email, avatar_url

# Usage data (automatic)

search queries, writeup views, API requests, timestamps

# Technical data (automatic)

IP address, user agent, request headers

What we do NOT collect:

Payment information (handled entirely by Stripe)
Passwords (we use GitHub OAuth only)
Location data or device fingerprints
Data from third-party trackers or advertising networks

3. How We Use Your Data

Authentication — to identify you and manage your account
Rate limiting — to enforce fair usage per service tier
Anomaly detection — to detect and prevent scraping or abuse
Service improvement — to understand how the service is used
Communication — to send important service updates (no marketing spam)

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Cookies

We use minimal cookies:

Cookie	Purpose	Duration
`authjs.session-token`	Authentication session	30 days
`authjs.csrf-token`	CSRF protection	Session
`authjs.callback-url`	OAuth redirect	Session

No analytics cookies. No advertising cookies. No third-party trackers.

5. Third-Party Services

GitHub — OAuth authentication. GitHub Privacy Statement
Cloudflare — CDN, DDoS protection, DNS. Cloudflare Privacy Policy
Stripe — payment processing (when available). Stripe Privacy Policy

6. Data Retention

Account data is retained as long as your account is active. Usage logs are retained for up to 90 days for security and anomaly detection purposes, then automatically purged.

If you delete your account, your personal data will be removed within 30 days. Anonymized, aggregated statistics may be retained indefinitely.

7. Data Security

We protect your data with:

HTTPS/TLS encryption on all connections
Encrypted session tokens (JWE)
Database access restricted to internal network only
Rate limiting and anomaly detection
Regular automated backups
Minimal data collection principle

8. Your Rights

You have the right to:

Access — request a copy of your personal data
Correction — update inaccurate information
Deletion — request removal of your account and data
Export — receive your data in a portable format

To exercise these rights, contact us at [email protected]

9. Children

CTF Base is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have collected such data, please contact us for immediate removal.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or a notice on the website. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Privacy questions or data requests? Contact us at [email protected]

$ see also terms-of-service | docs