Last updated: March 24, 2026
Privacy Policy
1. Introduction
HackAdvisor Labs ("we", "us", "our"), operated at labs.hackadvisor.io as part of the HackAdvisor ecosystem, is committed to protecting your privacy and personal data. This Privacy Policy explains what information we collect, how we use it, how we protect it, and what rights you have regarding your data. This policy applies to all users of the Platform, including individual users, organization members, and assessment candidates. By using the Platform, you acknowledge that you have read and understood this Privacy Policy. We process personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Information We Collect
Account Information
When you register, we collect your username, email address, and password (stored exclusively as a bcrypt hash -- we never store plaintext passwords). You may optionally provide additional profile information such as a bio, location, social media links, and avatar image.
Usage Data
We automatically collect information about your interactions with the Platform, including: challenges attempted and solved, time spent on challenges, hints requested, points earned, container start and stop events, flag submission attempts, and certificate generation events.
Technical Data
For security and service improvement purposes, we collect IP addresses, browser type and version, operating system, device type, referral URLs, and page visit timestamps. This data is used for abuse prevention, rate limiting, and aggregated analytics.
Assessment Candidate Data
If you participate in an organizational assessment, we collect your name (as provided by the inviting organization), challenge completion data, time taken, and hints used. This data is shared with the organization that invited you to the assessment. Assessment participation does not require full account registration.
3. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases under the GDPR:
Contract performance: Processing necessary to provide you with the Platform services you signed up for (account management, challenge access, leaderboard functionality, certificate issuance)
Consent: Processing based on your explicit consent, such as optional profile information and marketing communications (you may withdraw consent at any time)
Legitimate interest: Processing necessary for our legitimate interests, such as Platform security, fraud prevention, service improvement, and aggregated analytics, where these interests are not overridden by your rights
Legal obligation: Processing necessary to comply with applicable laws, such as responding to lawful requests from authorities
4. How We Use Your Information
We use the information we collect for the following purposes:
Providing and maintaining the Platform, including account management, challenge delivery, and container orchestration
Displaying your public profile on leaderboards (username, points, solve count, and rank)
Sending essential notifications about your account, security alerts, and important Platform updates
Preventing abuse, fraud, unauthorized access, and enforcing our Terms of Service
Improving the Platform, developing new features, and optimizing user experience based on aggregated usage patterns
Generating anonymized and aggregated analytics to understand Platform usage trends
Issuing and verifying certificates of achievement linked to your username and solved challenges
5. Data Storage and Security
Your data is stored in a PostgreSQL database hosted on servers located in the European Union (Contabo data center, Germany). We implement appropriate technical and organizational measures to protect your personal data, including: encrypted data transmission (TLS/HTTPS), AES-256-GCM encryption for sensitive data such as vulnerability reports, bcrypt password hashing, rate limiting and brute-force protection, Cloudflare Turnstile CAPTCHA to prevent automated attacks, email verification for new accounts, and regular security audits. While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to industry best practices.
6. Cookies and Tracking Technologies
We use a minimal set of cookies and similar technologies necessary for Platform operation:
Essential Cookies (Strictly Necessary)
JWT authentication tokens stored as httpOnly cookies for secure session management. These cookies are necessary for the Platform to function and cannot be disabled. They do not track you across other websites.
Cloudflare Turnstile
We use Cloudflare Turnstile as a CAPTCHA solution on login, registration, and password reset pages to prevent automated attacks. Turnstile may set cookies necessary for its bot detection functionality. Cloudflare's privacy policy governs how Cloudflare handles data collected through Turnstile. We do not use any third-party analytics tracking, advertising cookies, or social media tracking pixels.
7. Challenge Container Data
Challenge containers run in isolated, sandboxed environments with no outbound internet access. Any data you input into challenge containers (form submissions, file uploads, commands executed) exists only within the ephemeral container and is automatically and irreversibly destroyed when the container is stopped or expires. We collect HTTP request metadata (method, path, status code, timing) from container traffic for Platform improvement and training data purposes. This metadata does not include request or response bodies, authentication credentials, or personally identifiable information from within the challenge environment.
8. Third-Party Services
We share data with the following third-party service providers, each of which has its own privacy policy:
Cloudflare -- CDN, DDoS protection, DNS, and Turnstile CAPTCHA. Cloudflare processes traffic data to provide security and performance services.
SMTP Provider (smtp.mail.ru) -- Transactional email delivery for account verification, password resets, and organization invites. We share your email address for delivery purposes only.
Contabo -- Server hosting and S3 object storage (EU-based) for backups. Data is stored within the European Union.
We do not sell, rent, or trade your personal information to any third party. We do not share your data with advertising networks or data brokers.
9. Organization Data
If you are a member of an organization on the Platform, your organization administrator can view your activity within the organization context, including challenges assigned, completion status, and performance metrics. Organization data is strictly isolated -- administrators of one organization cannot access data from another organization. Vulnerability reports uploaded by organizations are encrypted at rest using AES-256-GCM. Audit logs within organizations track administrative actions (member invites, role changes, assessment creation) and are retained for the lifetime of the organization. If you leave an organization, your historical activity data within that organization (solves, assessment results) is retained for the organization's records, but your personal profile information is no longer accessible to the organization.
10. Assessment Candidate Data
If you participate in an assessment as a candidate, the organization that created the assessment will have access to your assessment results, including challenges attempted, completion status, time taken, and hints used. Assessment data is shared only with the organization that created the specific assessment. We retain assessment data for the duration of the assessment period plus 12 months, after which it is automatically deleted unless the organization requests earlier deletion. Candidates may request deletion of their assessment data by contacting admin@hackadvisor.io.
11. Data Retention
We retain your data according to the following schedule:
Account information is retained for as long as your account is active, plus 30 days after a deletion request to allow for recovery.
Challenge solve history and points are retained indefinitely for leaderboard integrity and certificate verification, unless you request account deletion.
Container traffic metadata is retained for up to 12 months for service improvement.
Assessment candidate data is retained for the assessment period plus 12 months.
Organization audit logs are retained for the lifetime of the organization.
Email verification codes expire after 24 hours.
Password reset tokens expire after 1 hour.
When you delete your account, we remove your personal information (email, profile data) within 30 days. Anonymized, aggregated data that cannot be used to identify you may be retained indefinitely.
12. Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights regarding your personal data:
Right of Access -- You can view your personal data at any time through your profile page (/me). You may also request a complete copy of all data we hold about you.
Right to Rectification -- You can update and correct your personal information through your account settings (/me/settings) at any time.
Right to Erasure ("Right to be Forgotten") -- You can request deletion of your account and all associated personal data. Use the account deletion feature in your settings or contact admin@hackadvisor.io. Deletion is processed within 30 days.
Right to Data Portability -- You can export your personal data in a machine-readable format through your account settings. This includes your profile information, challenge history, and points.
Right to Restriction of Processing -- You can request that we restrict processing of your personal data in certain circumstances, such as while we verify the accuracy of your data.
Right to Object -- You can object to the processing of your personal data for certain purposes, such as direct marketing. We do not currently engage in direct marketing.
Right to Withdraw Consent -- Where processing is based on your consent, you may withdraw it at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, use the self-service tools available in your account settings or contact us at admin@hackadvisor.io. We will respond to all data rights requests within 30 days as required by the GDPR. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
13. International Data Transfers
Your data is primarily stored and processed within the European Union (Germany). In cases where data may be transferred outside the EU (for example, through Cloudflare's global CDN network), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the service provider's adequacy decision. We do not transfer your personal data to countries without adequate data protection unless appropriate safeguards are in place.
14. Children's Privacy
The Platform is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at admin@hackadvisor.io, and we will take steps to delete such information promptly.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated through a prominent notice on the Platform or by email at least 14 days before the changes take effect. We encourage you to review this policy periodically. The "Last updated" date at the top indicates when the policy was last revised.
16. Contact and Data Protection
For any privacy-related questions, concerns, data access requests, or to exercise your GDPR rights, please contact us at admin@hackadvisor.io.
When contacting us about data rights, please include your username and the email address associated with your account so we can verify your identity and process your request efficiently. We aim to respond to all inquiries within 30 days.