Privacy

Privacy Policy

This page describes what LevelUpCTF collects, why, and what we never do. It aligns with our FAQ . This Privacy Policy is the canonical privacy text; the FAQ links here and summarises the same contract.

Last reviewed: 2026-07-11. Contact: privacy@levelupctf.com.

What we collect

Account data

Email, display name (handle), and password hash. Optionally display name, country, stream selection, and social links if you fill them in on your profile.

Training data

Solve history, attempt timestamps, hint usage, ELO rating, category scores, and badges. The LevelUpCTF challenge-type skill vector uses 15 axes: Web, Cryptography, Binary Exploitation, Smart Contracts, Reverse Engineering, Forensics, General Security, OSINT, AI Security, API Security, Malware Analysis, Incident Response, OT/ICS Security, Mobile Security, and Boot2Root. This is what lets us match you to challenges at the right difficulty.

Behavioural telemetry

LevelUpCTF records attempt timestamps and outcomes, tool and command execution events, retries, hint usage, and sandbox session metadata. Session replay is recorded where the selected service or workspace enables it. Free-tier telemetry is mandatory because it supports difficulty calibration, fair matchmaking, abuse prevention, and aggregate platform reliability. Enterprise, Event, and Academia agreements may define additional session-replay access and retention controls.

Infrastructure logs

Standard request/response logs, IP address at auth time for rate-limiting and abuse prevention, and Docker container lifecycle events. Kept for 30 days by default, longer if required for incident investigation.

What we never do

  • We don’t sell your personal data.
  • We don’t share individual behavioural telemetry with third parties. Aggregate metrics (e.g. “average solve time by category”) may appear in research papers or marketing — never with identifiers.
  • We don’t use your solve patterns to train foundation models outside the LevelUpCTF platform. Enterprise AI evaluation customers license anonymised aggregate telemetry under a separate explicit agreement.
  • We don’t read challenge-sandbox command history for anything other than the platform uses above.

Account deletion

You can export or delete your account from Profile → Account, or ask for help by emailing privacy@levelupctf.com. Deleting an account immediately disables access and removes live profile, authentication, and direct identity data. Encrypted backups expire within 30 days. De-identified aggregate solve-time and calibration metrics may be retained and cannot be used to restore the account.

Cookies and tracking

We set the authentication cookie (levelup_token, 7-day lifetime), a CSRF marker (when applicable), and a Google Analytics identifier (for aggregate page-view counts). We do not set third-party advertising or cross-site tracking cookies. You can block the GA cookie with any standard ad-blocker; it does not affect platform functionality.

Security posture

Password hashing: bcrypt. Transport: TLS 1.3 only. Sandbox isolation: Docker with seccomp + no-new-privileges + network policy + read-only filesystems where applicable.

We do not claim SOC 2 Type II or ISO 27001 certification. We welcome security reports at security@levelupctf.com.

Changes to this policy

Material changes are announced via email to all registered accounts at least 14 days before taking effect. The current version of this page is the canonical text.

Privacy Policy | LevelUpCTF