Privacy Policy

Last updated: November 05, 2025

Version 1.0

1. Introduction

NodeBreach ("we," "our," or "us") operates nodebreach.com (the "Platform"), a cybersecurity training platform that provides hands-on learning experiences through vulnerable virtual machines and gamified security challenges.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

By using NodeBreach, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Personal Information You Provide

  • Account Information: Name, email address, username, password (encrypted), country selection
  • Payment Information: Credit card details (processed securely by Stripe), billing address, transaction history
  • Profile Information: Bio, avatar, cybersecurity skill level, learning preferences
  • Communications: Support requests, feedback, survey responses, chat messages
  • OAuth Information: When signing in via Google, GitHub, or other OAuth providers, we receive your name, email, and profile information as permitted by the provider

2.2 Automatically Collected Information

  • Usage Data: Pages visited, features used, time spent, click patterns, training node interactions
  • Device Information: IP address, browser type, operating system, device identifiers, screen resolution
  • Technical Data: Session IDs, API requests, error logs, performance metrics
  • Training Activity: Nodes created, vulnerabilities exploited, flags captured, attacks launched, defense actions
  • Location Data: Approximate geographic location based on IP address (country/region level only)

2.3 Cookies and Tracking Technologies

We use cookies, web beacons, and similar technologies to enhance your experience. See our Cookie Policy for detailed information.

3. How We Use Your Information

  • Service Delivery: Provision and manage your account, process payments, deploy training VMs, track progress
  • Platform Improvement: Analyze usage patterns, fix bugs, develop new features, optimize performance
  • Personalization: Recommend learning paths, customize difficulty, suggest challenges based on skill level
  • Communication: Send service updates, security alerts, payment receipts, educational content (if you have opted in)
  • Security: Detect fraud, prevent abuse, monitor for unauthorized access, protect user data
  • Legal Compliance: Meet regulatory requirements, respond to law enforcement, enforce our Terms of Service
  • Marketing: Send promotional emails (with consent), display relevant offers, conduct surveys

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your data under the following legal bases:

  • Contract Performance: Processing necessary to provide our services
  • Consent: When you opt in to marketing communications or optional cookies
  • Legitimate Interests: Platform security, fraud prevention, service improvement
  • Legal Obligation: Compliance with laws and regulations

5. Information Sharing and Disclosure

We share your information with:

  • Payment Processors: Stripe (for payment processing) - see Stripe's privacy policy
  • Cloud Infrastructure: AWS, DigitalOcean, or similar providers for hosting and data storage
  • OAuth Providers: Google, GitHub when you use social login
  • Analytics Services: To understand user behavior (only if you consent to analytics cookies)
  • Service Providers: Email delivery (transactional emails only), customer support tools
  • Legal Requirements: Law enforcement, regulators, courts when legally required

We do NOT sell your personal information to third parties.

6. Data Retention

We retain your personal information only as long as necessary for the purposes outlined in this policy:

  • Account Data: Retained while your account is active, plus 30 days after deletion
  • Training Activity: Retained for 2 years for educational analytics and leaderboard rankings
  • Payment Records: Retained for 7 years to comply with tax and financial regulations
  • Security Logs: Retained for 90 days for fraud prevention and security investigations
  • Marketing Consent: Retained until consent is withdrawn

7. Your Privacy Rights

GDPR Rights (EEA Users)

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure ("Right to be Forgotten"): Request deletion of your data
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Revoke consent for marketing or optional cookies

CCPA Rights (California Residents)

  • Know: What personal information we collect and how it's used
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt out of the sale of personal information (we don't sell data)
  • Non-Discrimination: Equal service regardless of privacy choices

To exercise these rights, email us at privacy@nodebreach.com or use the settings in your account dashboard.

8. Data Security

We implement industry-standard security measures to protect your information:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Bcrypt password hashing with salt
  • Regular security audits and penetration testing
  • Role-based access controls
  • Automated vulnerability scanning
  • Docker container isolation for training VMs

Important: While we strive to protect your data, no method of transmission over the Internet is 100% secure. Use strong, unique passwords and enable two-factor authentication.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure adequate protections through:

  • Standard Contractual Clauses (SCCs) for EEA transfers
  • Adequacy decisions recognized by the European Commission
  • Binding Corporate Rules where applicable

10. Children's Privacy

NodeBreach is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If we discover we've collected data from a child, we will delete it promptly. Parents who believe their child has provided information should contact us at privacy@nodebreach.com.

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via:

  • Email notification to registered users
  • Prominent notice on the Platform
  • Updated "Last updated" date at the top of this page

Continued use after changes constitutes acceptance of the updated policy.

12. Contact Us

For questions, concerns, or to exercise your privacy rights, contact us:

Email: privacy@nodebreach.com

Data Protection Officer: dpo@nodebreach.com

Response Time: We aim to respond within 30 days

EU Representative: If you're in the EEA and wish to contact our EU representative regarding GDPR matters, please email eu-rep@nodebreach.com.

Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe we've violated your privacy rights.