NeonHat CTF Platform
Last updated: April 20, 2026
Authors: Wadoud & Ramy
1. Introduction
Welcome to NeonHat, a Capture The Flag (CTF) cybersecurity training platform. We are committed to protecting your personal information and being transparent about how we collect, use, and safeguard it.
This Privacy Policy applies to all services provided through NeonHat, including our web platform, REST API, real-time notification system, and any associated features. By creating an account or using NeonHat, you agree to the practices described in this policy.
If you have any questions, contact us at: privacy@neonhat.io
2. Information We Collect
2.1 Account Information
When you register, we collect:
- Username — your public display name on the platform
- Email address — used for account verification, password resets, and platform notifications
- Password — stored exclusively as a bcrypt hash (cost factor 12). We never store or log your plain-text password; it is sent to us only over HTTPS and hashed as soon as it is received
- Account creation date and last update timestamp
2.2 Profile Information (Optional)
You may voluntarily provide:
- Bio — a short text description visible on your profile
- Profile picture — uploaded images are processed, resized to 800×800px, re-encoded as JPEG, and stored on Cloudinary (our third-party image hosting provider). The original file is discarded after processing
2.3 Activity and Progress Data
We collect data about your activity on the platform to power rankings, progress tracking, and gamification features:
- Points and level — accumulated through solving challenges
- Solved challenges on Neon-Gym — a record of which CTF challenges you have completed
- Learning-Path progress — per-category skill progression (Web, Cryptography, Reverse Engineering, Forensics, Pwn, General Skills)
- Unlocked hints — which hints you have purchased on challenges, and their cost
- Challenge submissions — timestamps and point values of completed challenges, used to build your score progression chart on the dashboard
2.4 Challenge Submission Data
If you submit a CTF challenge for review, we collect:
- Challenge title, description, difficulty, and category
- Your submitted flag (stored as a bcrypt hash — never in plain text)
- Attached material files (uploaded to Cloudinary)
- Writeup file (.md format, uploaded to Cloudinary)
- Docker configuration files (if the challenge is dockerized, uploaded to Cloudinary)
- Hints associated with the challenge
- Review status and reviewer feedback
2.5 OAuth Authentication Data
If you choose to sign in via GitHub OAuth, we receive from GitHub:
- Your GitHub username
- Your primary email address associated with your GitHub account
- Your GitHub user ID (used as a unique identifier)
We do not receive access to your repositories, organizations, private data, or any GitHub permissions beyond your public profile and email.
We do not store your GitHub access token beyond the duration of the authentication request.
2.6 Technical and Security Data
We automatically collect certain technical information necessary to operate the service:
- JWT authentication tokens — stored as an HTTP-only cookie (neonhat_token) in your browser. These expire after a defined period and are used to authenticate your requests
- Server-side logs — our backend maintains application logs (combined.log, error.log) that may include IP addresses, request paths, timestamps, and error details. Logs are retained for operational and security purposes and are not shared externally
- Rate limiting data — we track request frequency per IP address to enforce rate limits and protect against abuse. This data is ephemeral and not stored persistently
2.7 Docker Container Data
For dockerized challenges, we run isolated Docker containers on our infrastructure. Container instances are tracked by:
- Container ID and associated challenge
- User ID of the session owner
- Expiration timestamp
Containers are automatically cleaned up by a background worker after expiration.
3. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Contract performance |
| Authenticating your sessions securely | Contract performance |
| Displaying your profile and rank on the leaderboard | Contract performance |
| Calculating your points, level, and skill progress | Contract performance |
| Sending email verification codes and password reset links | Contract performance |
| Sending platform notifications (challenge accepted/rejected, etc.) | Legitimate interest |
| Reviewing and publishing user-submitted challenges | Contract performance |
| Enforcing rate limits and protecting against abuse | Legitimate interest |
| Improving platform stability through error logging | Legitimate interest |
| Complying with legal obligations | Legal obligation |
We do not use your data for advertising or behavioral profiling, and we do not sell it to any third party under any circumstances.
4. Data Sharing and Third Parties
We share minimal data with trusted third-party services strictly required to operate the platform:
4.1 Cloudinary
We use Cloudinary to store profile pictures, challenge material files, writeups, and Docker archives. Files uploaded to Cloudinary are stored on their servers and governed by Cloudinary's Privacy Policy. We store Cloudinary public IDs to manage and delete your files when needed.
4.2 MongoDB Atlas
Our database is hosted on MongoDB Atlas (cloud-hosted MongoDB). All user data, challenge data, and activity records are stored there. Data is encrypted at rest. MongoDB Atlas is governed by MongoDB's Privacy Policy.
4.3 GitHub (OAuth only)
If you use GitHub login, your authentication request is processed through GitHub's OAuth flow. We only receive the data described in section 2.5. We do not maintain an ongoing connection to your GitHub account after login.
4.4 Email Provider (Gmail SMTP)
We use Gmail's SMTP service to send transactional emails (verification codes, password reset links, challenge review notifications). These emails contain only information relevant to your account action. We do not send marketing emails.
4.5 No Other Sharing
We do not share your data with:
- Advertisers or marketing platforms
- Data brokers
- Analytics companies
- Any other third parties not listed above
We may disclose information if required to do so by law or in response to a valid legal request from public authorities.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (username, email, password hash) | Until account deletion |
| Profile data (bio, profile image) | Until account deletion or manual removal |
| Activity data (points, solved challenges, progress) | Until account deletion |
| Challenge submissions | Until manual deletion by you (Pending/Rejected only) or indefinitely if Accepted and published |
| Server logs | Rolling window — overwritten periodically |
| Rate limiting data | Ephemeral — not persisted |
| Docker container instances | Automatically deleted after session expiration |
| Email verification codes | Automatically expired after a defined TTL |
| Password reset tokens | Automatically expired after use or timeout |
Challenge submission data associated with accepted and published challenges may be retained even after account deletion, as the challenge itself becomes part of the platform content. Your authorship credit will be anonymized upon request.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
6.1 Access
You may request a copy of the personal data we hold about you at any time.
6.2 Correction
You can update your username, bio, and profile picture directly from your account settings at any time.
6.3 Deletion (Right to be Forgotten)
You may delete your account from Dashboard → Configuration → Account → Danger Zone → Delete Account. This requires password confirmation. Upon deletion:
- Your account, profile, points, and activity data are permanently removed
- Your profile image is deleted from Cloudinary
- Challenge submissions you authored that are Pending or Rejected are deleted along with their uploaded files
- Accepted and published challenges may be retained with anonymized authorship
6.4 Data Portability
You may request an export of your data by contacting us at privacy@neonhat.io.
6.5 Objection
You may object to processing based on legitimate interest by contacting us. We will evaluate and respond within 30 days.
7. Security
We take security seriously — it is, after all, what this platform is about.
- Passwords are hashed with bcrypt (cost factor 12) — never stored or logged in plain text
- Challenge flags are also hashed with bcrypt — never stored in plain text
- Authentication uses HTTP-only JWT cookies — not accessible to client-side JavaScript
- All API responses are protected with Helmet.js security headers
- Cross-origin requests are restricted to the configured domain via CORS policy
- Rate limiting is enforced on all sensitive endpoints to prevent brute-force attacks
- Docker challenge containers run in isolated environments and are automatically cleaned up
- All data in transit is protected by HTTPS
Despite these measures, no system is perfectly secure. If you discover a security vulnerability in NeonHat, please report it responsibly to security@neonhat.io rather than exploiting it.
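The per-IP rate limiting described in section 2.6 and in the list above, shown as an added example that is not NeonHat's own code. It keeps counters only in process memory and sweeps them once their window has passed, which is what makes the data ephemeral rather than persisted; the window length, the request limit, and the Express-style middleware signature are assumptions.

```javascript
// Added example (not NeonHat's code): in-memory, per-IP fixed-window rate limiter.
// Counters live only in this process and are dropped after the window expires,
// so no request-frequency data is written to disk or a database.
// Assumed values: 10 requests per 60-second window.
class IpRateLimiter {
  constructor({ limit = 10, windowMs = 60_000 } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // ip -> { count, windowStart }
  }

  // Record one request from ip. Returns { allowed, remaining, retryAfterMs }.
  // `now` is injectable so the behaviour can be tested without real clocks.
  hit(ip, now = Date.now()) {
    let bucket = this.buckets.get(ip);
    if (!bucket || now - bucket.windowStart >= this.windowMs) {
      bucket = { count: 0, windowStart: now }; // start a fresh window
      this.buckets.set(ip, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= this.limit;
    return {
      allowed,
      remaining: Math.max(0, this.limit - bucket.count),
      retryAfterMs: allowed ? 0 : bucket.windowStart + this.windowMs - now,
    };
  }

  // Remove expired windows so the map does not grow with every IP ever seen.
  // Call periodically (e.g. from a setInterval). Returns how many entries went.
  sweep(now = Date.now()) {
    let removed = 0;
    for (const [ip, bucket] of this.buckets) {
      if (now - bucket.windowStart >= this.windowMs) {
        this.buckets.delete(ip);
        removed += 1;
      }
    }
    return removed;
  }

  size() {
    return this.buckets.size;
  }
}

// Express-style middleware (assumed shape) that answers 429 with a Retry-After
// header once the limit is hit. req.ip is only trustworthy behind a proxy if the
// framework's trust-proxy setting has been configured; that is the caller's job.
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const { allowed, retryAfterMs } = limiter.hit(req.ip);
    if (!allowed) {
      res.setHeader('Retry-After', Math.ceil(retryAfterMs / 1000));
      return res.status(429).json({ error: 'Too many requests' });
    }
    return next();
  };
}
```

A fixed window is simple and cheap; its known weakness is that a client can send two full bursts back to back across a window boundary, so for login or flag-submission endpoints a sliding window or token bucket with the same in-memory storage is the usual refinement.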
8. Children's Privacy
NeonHat is intended for users aged 16 and older. We do not knowingly collect personal data from children under 16. If we become aware that a user is under 16, we will delete their account and associated data promptly.
9. Cookies
We use a single first-party cookie:
| Cookie Name | Type | Purpose | Expiry |
|---|---|---|---|
| neonhat_token | HTTP-only, Secure | JWT session authentication | Session / defined TTL |
We do not use tracking cookies, analytics cookies, or advertising cookies of any kind.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify users via the platform's notification system.
Your continued use of NeonHat after changes take effect constitutes acceptance of the updated policy.
11. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:
Email: privacy@neonhat.io
Security disclosures: security@neonhat.io
NeonHat — Hack the planet, protect the people.
