Privacy Policy
Last updated 13 Jun 2026 02:59 GMT+10
1. Introduction
This Privacy Policy explains how the Deakin University Cybersecurity Association (DUCA) collects, uses, stores, and protects personal information when you use the DUCA CTF platform (the "Platform"). We are committed to handling your data responsibly and transparently.
We do not sell your personal information. Data is collected only to operate the Platform, run competitions, maintain security, and understand how the service is used for analytics and operational improvement.
2. Who we are
The Platform is operated by DUCA, a student association at Deakin University focused on cybersecurity education and community events. For privacy enquiries, contact us via duca.au.
3. Information we collect
3.1 Account and profile data
- Email address — required for passwordless login (one-time codes sent to your inbox).
- Display name — shown on leaderboards and solve feeds when you complete challenges.
- Student ID — collected during onboarding where required for association or competition eligibility.
- Account role and status — e.g. user or administrator, active or disabled.
3.2 Authentication data
- Hashed one-time login codes, expiry times, and verification attempt counts.
- Encrypted session cookies that keep you signed in (see Section 6).
3.3 Competition activity
- Flag submissions — submitted values, success or failure, timestamps, and associated challenge.
- Solves — correct submissions, points awarded, solve time, and your user identifier.
- IP address — recorded with solves and certain submissions for abuse prevention and audit purposes.
3.4 Telemetry and analytics
We log operational events to keep the Platform secure and to understand usage patterns. This may include:
- Action type (e.g. login, flag submit, admin action, page view events where logged).
- Timestamp, IP address, and browser user-agent string.
- Associated user ID when you are signed in.
- Structured metadata relevant to the event (e.g. challenge ID, competition ID) — not used for advertising.
These logs are used for security monitoring, debugging, competition administration, and aggregate analytics (such as how many users participate, which features are used, and error rates). We do not use this data for targeted advertising and we do not sell it to third parties.
3.5 Technical data
- Standard web server logs (requests, response codes, timestamps).
- Uploaded images attached to writeups when administrators or authorised editors add them.
4. How we use your information
We use personal information to:
- Authenticate you and maintain your session.
- Operate competitions, scoring, leaderboards, and writeups.
- Enforce rules and submission limits, and prevent abuse.
- Provide admin tools for user and competition management.
- Generate internal analytics on platform usage and event participation.
- Communicate login codes and essential service-related email.
- Comply with legal obligations where applicable.
5. Legal bases (where applicable)
Depending on your jurisdiction, we rely on: performance of a contract (providing the service you signed up for), legitimate interests (security, analytics, fraud prevention), and consent where required (e.g. optional communications).
6. Cookies and similar technologies
We use essential session cookies to keep you logged in after email verification. These cookies are required for core functionality. We do not use third-party advertising cookies on this Platform.
7. How we share information
We do not sell, rent, or trade your personal data.
We may share limited data only in these circumstances:
- Service providers — e.g. email delivery (SMTP) and hosting infrastructure, solely to operate the Platform under appropriate safeguards.
- Public leaderboards — your display name, solve times, and scores may be visible to other participants as part of the competition.
- Administrators — authorised DUCA admins can access user and activity data to run events and investigate abuse.
- Legal requirements — if required by law or to protect rights, safety, and security.
8. Data retention
We retain account and competition data for as long as needed to operate the Platform and association activities. Login codes expire shortly after use or timeout. Activity logs may be retained for a limited period for security and analytics, then archived or deleted. Administrators may remove or anonymise data when no longer required.
9. Security
We use industry-standard measures including hashed credentials for login codes, encrypted sessions, access controls for admin functions, and rate limiting on sensitive actions. No system is perfectly secure; report concerns to DUCA promptly.
10. Your rights and choices
Depending on applicable law, you may have the right to access, correct, or delete your personal information, or to object to certain processing. To exercise these rights, contact DUCA via duca.au. You may request account deactivation; some competition records may be retained in anonymised or aggregated form for historical results.
11. International users
The Platform is operated from Australia. If you access it from elsewhere, your information may be processed in Australia and wherever our infrastructure providers host data.
12. Children
The Platform is intended for university and community participants. We do not knowingly collect data from children under 16 without appropriate consent. Contact us if you believe a minor has provided personal information.
13. Changes to this policy
We may update this Privacy Policy from time to time. The latest version will always be published on this page. Material changes may be communicated through the Platform or association channels.
14. Contact
Privacy questions or requests: duca.au.