Privacy Notice
Last updated: May 2026
1. Who we are
CTFProfile is a platform for tracking CTF competition results and mapping cybersecurity skills to the NIST NICE framework. This notice explains what personal data we collect, why, and how we handle it.
2. Data we collect
Account data
When you register, you provide a username and email address. You may optionally add a display name, bio, affiliation, and links to external profiles. This information is stored in our database and, if your profile is set to public, displayed to other users.
OAuth sign-in data
If you sign in via Google, GitHub, or Discord, we receive and store a provider-specific user identifier (not your full profile from that service). We may also receive your verified email address to match your account. We do not store OAuth access tokens beyond the authentication request.
Competition and activity data
CTF event participation records, challenge solves, scores, and writeups you create are associated with your account and stored on our servers.
Automatically collected data
We collect standard server logs (IP address, timestamp, pages accessed) for security monitoring and debugging. These logs are retained for a limited period and are not used for advertising.
Cookies and sessions
We use a session cookie to keep you logged in. We do not use third-party tracking cookies or advertising cookies.
3. How we use your data
- Account management: to authenticate you, send password-reset emails, and maintain your profile.
- Service delivery: to display scoreboards, profiles, event pages, and writeups.
- Security: to detect abuse, enforce rate limits, and investigate incidents.
- Discord bot features: your linked Discord user ID is used to verify your identity when you use CTFProfile bot commands in a Discord server.
We do not sell your personal data. We do not use it for advertising.
4. Profile visibility
Your profile is public by default, meaning your username, display name, competition activity, and writeups are visible to anyone. You can switch your profile to private in your profile settings — this hides personal details from public views while keeping anonymous aggregate stats in rankings.
5. Third-party services
CTFProfile uses the following external services:
- Google OAuth — sign-in only. Governed by Google's Privacy Policy.
- GitHub OAuth — sign-in only. Governed by GitHub's Privacy Statement.
- Discord OAuth and Bot API — account linking and bot features. Governed by Discord's Privacy Policy.
6. Data retention
We retain account data for as long as your account exists. Server logs are retained for up to 90 days. If you delete your account, your personal profile data is removed; aggregated competition records may be retained in anonymised form.
7. Your rights
Depending on your jurisdiction, you may have rights to access, correct, or delete your personal data. To exercise these rights, contact us at contact@ctfprofile.com. We will respond within 30 days.
You can update most of your profile data directly in your profile settings. You can unlink OAuth providers on the same page.
8. Security
We use HTTPS for all data in transit, store passwords as salted hashes (bcrypt via Django), and use HttpOnly/SameSite cookies. We perform regular dependency updates and follow security hardening best practices. No system is perfect; if you discover a security issue, please disclose it responsibly to contact@ctfprofile.com.
9. Children
CTFProfile is not directed at children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it.
10. Changes to this notice
We may update this Privacy Notice from time to time. The "Last updated" date at the top of this page reflects when changes were last made. Continued use of the service constitutes acceptance of the updated notice.
11. Contact
Privacy questions or data requests: contact@ctfprofile.com.