
Legal

Privacy Policy

Last updated: 09 June 2026  ·  Version 2.0

This policy applies to individuals who access nodebreach.com, create an account, or join the waitlist. If you represent an organisation using NodeBreach under a commercial agreement, please also review our Data Processing Agreement.

1. Data Controller

NodeBreach LLC ("we", "us", "our") is the data controller for personal data processed through this website and platform. Our contact details:

Company: NodeBreach LLC
Registered in: State of New Hampshire, USA
Email: privacy@nodebreach.com

2. Data We Collect

We collect information in the following categories:

Account data
Name, email address, username, hashed password, profile picture, two-factor authentication seed.
Source: When you register or update your profile.
Waitlist data
Name, email, job role, and organisation name.
Source: When you submit the waitlist form.
Usage data
Pages visited, features used, session duration, IP address, browser type, operating system.
Source: Automatically via server logs and application analytics.
Payment data
Billing name, last four digits of card, billing address, subscription status. Full card numbers are processed by Stripe and never stored by us.
Source: When you subscribe or purchase tokens.
Communications
Emails, support tickets, and any messages you send us.
Source: When you contact us.
Technical data
Container IDs, node configurations, attack logs, CTF flag submissions, battle records.
Source: Generated automatically through platform activity.

We do not collect special category data (as defined in Article 9 GDPR), including health, biometric, or political data.

4. How We Use Your Data

  • Provision and operate your account and the NodeBreach platform
  • Process payments and manage subscriptions
  • Send transactional emails (registration confirmation, password resets, billing receipts)
  • Provide technical support and respond to enquiries
  • Send platform updates and, with your consent, marketing communications
  • Monitor for abuse, fraudulent activity, or violations of our Terms of Service
  • Compile anonymised, aggregated usage statistics for product improvement
  • Comply with legal and regulatory obligations

5. Data Sharing & Sub-processors

We do not sell your personal data. We share data only with the following categories of recipients:

Stripe Inc.
Payment processing (US-based). Governed by Stripe Inc.'s Privacy Policy and Standard Contractual Clauses.
Amazon Web Services / hosting provider
Infrastructure and data hosting within the EU/EEA (where applicable).
Sentry
Error monitoring and crash reporting. Data may be processed in the US under SCCs.
Law enforcement / courts
Where required by law, court order, or to protect the rights and safety of others.

6. Data Retention

We retain personal data only as long as necessary for the purposes stated:

Data type: Retention period
Active account data: Duration of account + 30 days after deletion request
Deleted account data: 90 days (for recovery), then permanently deleted
Waitlist entries: 24 months from submission, or until you request removal
Payment records (invoices): 7 years (US IRS / tax record retention)
Server access logs: 90 days
Support communications: 3 years from resolution
Marketing consent records: Until consent is withdrawn + 1 year

7. International Data Transfers

Some of our sub-processors (including Stripe and Sentry) are based in the United States. Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) — EU Commission-approved clauses incorporated into our data processing agreements
  • UK International Data Transfer Agreements (IDTA) — where applicable for data transfers involving UK residents
  • Adequacy decisions — where an adequacy decision by the EU Commission or UK Secretary of State exists

You may request a copy of the relevant transfer mechanism by emailing privacy@nodebreach.com.

8. Your Rights

Under applicable data protection laws (including EU GDPR and UK GDPR for residents of those jurisdictions), you have the following rights. To exercise any right, contact privacy@nodebreach.com. We will respond within 30 days.

Art. 15 — Access
Obtain a copy of the personal data we hold about you.
Art. 16 — Rectification
Correct inaccurate or incomplete personal data.
Art. 17 — Erasure
Request deletion of your data where there is no legal basis for continued processing.
Art. 18 — Restriction
Request that processing is paused while a dispute or objection is resolved.
Art. 20 — Portability
Receive your data in a structured, machine-readable format.
Art. 21 — Objection
Object to processing based on legitimate interests, including for direct marketing.
Art. 7(3) — Withdraw Consent
Withdraw consent at any time where consent is the legal basis, without affecting prior lawful processing.
Lodge a complaint
File a complaint with your national supervisory authority (EU: your local DPA; UK: ICO; US residents in certain states: your state attorney general).
Example supervisory authorities: UK — Information Commissioner's Office (ICO), ico.org.uk. EU residents should contact the data protection authority in their country of residence.

9. US State Privacy Rights (CA, VA, CO, CT, UT, and others)

If you are a resident of a US state with a comprehensive consumer privacy law — including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and others — you have additional rights regarding your personal information:

Right to know
Request confirmation of whether we process your personal information and access to the categories and specific pieces collected.
Right to delete
Request deletion of personal information we have collected from you, subject to legal exceptions.
Right to correct
Request correction of inaccurate personal information.
Right to portability
Receive your personal information in a portable, readily usable format.
Right to opt out of sale/sharing
We do not sell or share your personal information for cross-context behavioural advertising. There is nothing to opt out of.
Right to limit sensitive data
You may limit our use of any sensitive personal information (we currently do not use sensitive PI for inferring characteristics).
Right to non-discrimination
We will not discriminate against you for exercising any of these rights.
Right to appeal
If we deny a rights request, you may appeal by replying to our decision email within 60 days.

Global Privacy Control (GPC): We recognise the GPC browser signal as a valid opt-out of sale/sharing for California residents. Because we do not sell or share personal information, receiving a GPC signal does not change our processing, but we honour it as confirmation of your preference.

Authorised agents: California residents may designate an authorised agent to submit requests on their behalf. We require written proof of authorisation and verification of the resident's identity.

Notice of financial incentives: We do not offer financial incentives in exchange for the collection, sale, or retention of personal information.

To exercise any right, email privacy@nodebreach.com with the subject line “US Privacy Request”. We will respond within 45 days (extendable by an additional 45 days where necessary).

10. Children's Privacy

NodeBreach is a cybersecurity training platform intended for adult learners and security professionals. The platform is not directed to children under the age of 16, and we do not knowingly collect personal information from any individual under 13 (US — COPPA) or under 16 (EU/EEA — GDPR Article 8) without verifiable parental consent.

If we learn we have collected personal information from a child in violation of applicable law, we will delete that information promptly. Parents or guardians who believe their child has provided personal information to NodeBreach should contact privacy@nodebreach.com.

11. Cookies

We use cookies and similar technologies for session management, security, and analytics. For full details, see our Cookie Policy. You can manage cookie preferences through your browser settings or our cookie banner.

12. Security Measures

We implement technical and organisational measures appropriate to the risk, including:

  • Passwords stored using bcrypt hashing
  • Data in transit encrypted via TLS 1.2+
  • Application-level access controls via Laravel Sanctum and Policies
  • Google two-factor authentication support
  • Docker container isolation for all user workloads
  • Regular dependency security audits
  • Audit logging for privileged operations

In the event of a personal data breach, we will notify affected individuals and the relevant supervisory authority without undue delay and, where feasible, within 72 hours, as required by applicable law. To report a security issue, email security@nodebreach.com.

13. Contact, EU/UK Representative & Data Protection Queries

EU/UK representative (Article 27 GDPR): NodeBreach LLC is in the process of appointing a GDPR Article 27 representative in the European Union and the United Kingdom for matters relating to EU/UK GDPR compliance. Once appointed, their contact details will be published here. In the interim, EU and UK data subjects may contact privacy@nodebreach.com directly and their requests will be handled with the same rights and timescales.

For any privacy-related enquiry, to exercise your rights, or to raise a concern:

Email: privacy@nodebreach.com
Subject line: “GDPR Request — [your right]”
Response time: Within 30 calendar days

We reserve the right to update this policy. Material changes will be notified by email or prominent notice on the platform. Continued use after the effective date constitutes acceptance of the updated policy.
