Privacy Policy
Last updated: March 8, 2026
1. Data Controller
Legal entity: Terminal43 SRL
Registered office: Bucharest, Romania
Contact: contact@terminal43.ro
Terminal43 SRL ("we", "us", "the Platform") is the data controller for personal data processed through this educational platform, within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Data We Collect
Account Data
Username, email address, display name, bio, timezone, avatar URL, password (hashed).
Learning Data
Challenge submissions, lesson progress, hint usage, enrollment records, achievement history, leaderboard scores.
Technical Data
IP address, user agent string, session identifiers. Collected for security, rate limiting, and abuse prevention.
Container Data
Temporary SSH credentials generated for challenge containers. These are ephemeral and destroyed when containers expire.
3. Legal Basis for Processing (Art. 6 GDPR)
| Data Category | Lawful Basis | Details |
|---|---|---|
| Username, email, password | Contract (Art. 6(1)(b)) | Necessary to create and maintain your account |
| Display name, bio, avatar, timezone | Contract (Art. 6(1)(b)) | Profile features you opted into by registering |
| Submissions, progress, scores, achievements | Contract (Art. 6(1)(b)) | Core educational service delivery |
| IP address, user agent | Legitimate interest (Art. 6(1)(f)) | Platform security, abuse prevention, rate limiting |
| Container SSH credentials | Contract (Art. 6(1)(b)) | Ephemeral; destroyed when container expires (max 4 hours) |
| Cookie consent preference | Consent (Art. 6(1)(a)) | Stored locally in your browser only |
4. How We Use Your Data
- Provide and maintain the learning platform
- Track your progress through courses and challenges
- Calculate scores and maintain leaderboards
- Send notifications about your learning activity
- Detect and prevent abuse, fraud, and security incidents
- Improve platform features and user experience
5. Data Retention
| Data | Retention Period | Deletion Method |
|---|---|---|
| Account data | While account is active | Self-service deletion or request |
| Learning progress & submissions | While account is active | Deleted with account |
| Activity logs (IP, user agent) | 90 days | Automated weekly cleanup |
| Container SSH credentials | Max 4 hours | Destroyed on container expiry |
| Deleted accounts | 30-day grace period | Automated daily purge after grace period |
6. Your Rights (GDPR Articles 15-22)
- Right of Access — Download all your data from Privacy Settings.
- Right to Rectification — Edit your profile data at any time from your dashboard.
- Right to Erasure — Request account deletion from Privacy Settings. Data is permanently removed after a 30-day grace period.
- Right to Portability — Export your data in machine-readable JSON format.
- Right to Object — Contact us to object to specific processing activities.
7. Data Sharing
We do not sell, rent, or share your personal data with third parties for marketing purposes. Data may be shared with:
- Organization administrators — If you join an organization or classroom, its managers can see your progress within that context.
- Public profiles — Your username, display name, total points, and achievements are publicly visible on your profile and the leaderboard.
- Law enforcement — Only when required by valid legal process.
8. Third-Party Services
The Platform loads resources from third-party CDNs to provide its user interface. These services may receive your IP address and browser metadata when pages load:
- Google Fonts (fonts.googleapis.com) — Typeface delivery. Google Privacy Policy
- Tailwind CSS CDN (cdn.tailwindcss.com) — Styling framework
- cdnjs / unpkg — JavaScript libraries (GSAP, Lucide Icons, Socket.IO)
We do not use any analytics, advertising, or tracking services. No cookies are set by third parties.
9. International Transfers
Our servers are located within the European Union. Third-party CDN resources (Section 8) are served from global edge networks; this constitutes a transfer of your IP address outside the EEA. These transfers are covered by the CDN providers' Standard Contractual Clauses (SCCs) or adequacy decisions where applicable.
10. Children & Minors (Art. 8 GDPR)
You must be at least 16 years of age to create an account on this Platform. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@terminal43.ro and we will delete the data promptly.
11. Security
We implement industry-standard security measures: bcrypt password hashing, CSRF protection, rate limiting, TLS encryption in transit, and isolated container environments for challenges.
12. Cookies
We use only essential cookies required for the platform to function. See our Cookie Policy for details.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be announced on the platform. Continued use after changes constitutes acceptance.
14. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București, România
Website: www.dataprotection.ro
15. Contact
For privacy-related inquiries: contact@terminal43.ro