picoCTF Privacy Statement <p>Carnegie Mellon University (<strong>“CMU,” “we,” “us,” or “our”</strong>) is
committed to privacy and data protection regarding the picoCTF platform.
This picoCTF Privacy Statement applies to all personal data CMU collects
from you, from your child if you are registering as a parent or
guardian, of from your students if you are registering as a teacher,
academic administrator, or other educational supervising party
(collectively <strong>“you” or “your”</strong>) through the picoCTF platform
(currently https://picoctf.org or https://picoctf.com/).</p>
<p>Through the picoCTF platform, CMU expects to make available certain
educational materials, resources and activities related to computer
security that are targeted at middle and high school students aged 13 or
older.
From time to time, CMU may also run various competitions related
to these games.
Any and all information, materials and services provided
or accessed through the picoCTF platform and otherwise provided or
accessed in connection with the picoCTF site are collectively referred
to as the <strong>“Services.”</strong>
</p>
<p>This picoCTF Privacy Statement does not apply to any third-party
applications or software that integrate with the Services, or any other
third-party products, services or businesses (collectively, <strong>“Third
Party Services”</strong>).
Third Party Services are governed by their own
privacy policies.
We recommend you review the privacy policy governing
any Third Party Services before using them.</p>
<p>CMU is the controller of the personal data collected through the
Services.
Any questions or concerns regarding CMU’s privacy and data
protection practices can be directed to our Data Protection Officer,
Melanie Lucht, Associate Vice President and Chief Risk Officer at
GDPR-info@andrew.cmu.edu.</p>
<p>If you have not done so already, please also review the picoCTF
Terms of Use.</p> Personal Data We Collect <p>CMU collects data to provide the Services you request, ease your
navigation on our websites, communicate with you, and improve your
experience using the Services.
Some of this information is provided by
you directly, such as when you register for the Services (or by someone
with a relationship to you that has, or has obtained, the appropriate
authority to provide the information on your behalf).
Some of the
information is collected through your interactions with the Services.
We
collect such data using technologies like cookies and other tracking
technologies, error reports, and usage data collected when you interact
with Services running on your device.</p>
<p>The data we collect depends on the Services and features thereof that
you use, and includes the following:</p>
<p>
<strong>Name and Contact information.</strong> We may collect your name, email
address, and other similar contact data.
We may use this information to
contact you or provide you with information on CMU or the Services.</p>
<p>
<strong>Demographic Information</strong>.
We may collect your age range (e.g.
18 or
older, or 13-17), your country of residence and your status (e.g.,
middle/high school student, teacher, etc), and information about your
school (if applicable).
We may use this information to verify your
eligibility to use the Services (including but not limited to
eligibility to participate in certain competitions) and/or use it as
part of aggregated data about the users of the Services.</p>
<p>
<strong>Sensitive personal data.</strong> Under certain circumstances, we may ask you
to provide sensitive personal data such as through optional questions
about your gender identity and/or racial/ethnic identity.
Providing
sensitive personal data is voluntary you have you have the choice of
whether to disclose any requested information.</p>
<p>
<strong>Credentials.</strong> We process username, password, and related security
information used for authentication and account access and information
security purposes.</p>
<p>
<strong>Usage data.</strong> We collect personalized information about your use of
the Services, to better understand uses thereof and identify potential
improvements, as well as to send you promotional communications or
offers tailored to your use of the Services and interest thereto.
If you
participate in optional competitions, we may also track the performance
of you and your team through your usernames and/or team names.</p>
<p>Examples include:</p>
<ul>
<li>
<p>Information on the web pages you visit on the Services and the
search terms you enter on the Services.</p>
</li>
<li>
<p>Service information based on your use of the Services.
This includes
the games in which you participate, the types and frequency of tools
and commands being used, the size and nature of solutions to the
games, and the frequency and duration of use.</p>
</li>
<li>
<p>Information regarding the performance of the Services and any
problems you may experience while using them.
This information
enables us to diagnose problems and offer support in resolution.</p>
</li>
<li>
<p>Data about your device and the network you use to connect to the
Services, including IP address, device identifiers, and regional and
language settings.</p>
</li>
</ul>
<p>
<strong>Web requests.</strong> We collect information regarding every web request
sent to our servers.
This information is used to provide support, as
well as to assess usage and performance of the Services.
The data
collected for each request can include such things as timestamps, any
exception messages, user agent, IP address, and request time and
duration.</p>
<p>
<strong>Location data.</strong> We collect your country of residence and the name and
zip code of your school.
We may also collect your IP address and infer
location such as city or postcode therefrom, when necessary in order to
provide you with the Services or to send you promotional communications
or for user relationship management purposes.</p>
<p>
<strong>Content.</strong> We may collect the content of messages you send to us, such
as feedback or questions you ask our technical support representatives,
when necessary to provide you with the Services.
We will collect and
utilize any data files you send to us for troubleshooting and improving
the Services.</p>
<p>
<strong>Competitions, Surveys and Studies.</strong> We may ask you to participate in
a survey or study or provide an opportunity to participate in
competitions.
and may request information from you.
Participation is
voluntary, and you have the choice of whether to disclose any requested
information in order to participate in those activities.</p>
<p>In order to create a picoCTF platform account, you will need to provide
certain information to register.
Except for students who are being
registered by teachers using the teacher batch registration process
described in the Terms of Use, the information needed to create a
picoCTF platform account includes but is not limited to a username, an
email address, your country of residence and your status (e.g.,
middle/high school student, teacher, etc), and information about your
school (if applicable).
In addition, you may choose to provide certain
optional information (including but not limited to your gender identity
and/or your racial/ethnic identity).</p> How We Use Personal Data <p>We will only use your personal data when the law allows us to.
Most
commonly, we will use your personal data for the following lawful
purposes:</p>
<ul>
<li>
<p>Where we need to perform the contract (i.e.
Terms of Use) we are
about to enter into or have entered into with you (“<strong>performance of
a contract</strong>”).</p>
</li>
<li>
<p>Where we receive your consent (“<strong>consent</strong>”).</p>
</li>
<li>
<p>Where it is necessary for our legitimate interests (or those of a
third party) and your interests and fundamental rights do not
override those interests (“<strong>legitimate business interest</strong>”).</p>
</li>
<li>
<p>Where we need to comply with a legal or regulatory obligation
(“<strong>legal obligation</strong>”).</p>
</li>
</ul>
<p>Please note that we may process your personal data without your
knowledge or consent, in compliance with the above rules, where this is
required or permitted by law.</p>
<p>CMU uses information that we collect from customers and visitors for the
purposes of:</p>
<ul>
<li>
<p>providing the Services (performance of a contract, consent, and
legitimate business interest);</p>
</li>
<li>
<p>providing ongoing support (performance of a contract);</p>
</li>
<li>
<p>communicating with you, including promotional communications
(legitimate business interest);</p>
</li>
<li>
<p>providing information about other Services (legitimate business
interest and consent);</p>
</li>
<li>
<p>helping us run our organization, for example to improve the Services
or our security, train staff or perform marketing activities
(legitimate business interest);</p>
</li>
<li>
<p>complying with our legal obligations (legal obligation).
and</p>
</li>
<li>
<p>accounting and other administrative purposes (legitimate business
interest and legal obligation).</p>
</li>
</ul>
<p>Examples of the uses of information include:</p>
<p>
<strong>Providing Services.</strong> We use data to carry out your transactions with
us and to provide Services to you.
Often, this includes personal data
such as email, name and address.
We may collect additional information
when you register to use the services, including contact information and
credentials.
We may use this data to diagnose and address problems and
provide other support services.</p>
<p>
<strong>Improving the Services.</strong> We use data to continually improve the
Services, including adding new features or capabilities.
Data is
collected throughout your interactions with the Services that enable us
to understand customer usage and tailor future capabilities.</p>
<p>We track general, non-personalized information (e.g., operating system,
browser version and type of device being used) to know how many people
visit specific pages of the Services or utilize specific areas of the
Services so that we may improve those Services.
We may use your IP
address to customize services to your location, such as the language
displayed on the Services.</p>
<p>Please note that we use IP addresses to analyze trends, to administer
the site, and to collect general information for aggregate use.</p>
<p>
<strong>Services Communications.</strong> We use data we collect to deliver and
personalize our communications with you.
For example, we may contact you
by email or other means to notify you of changes in information and
updates to the Services or to our picoCTF Privacy Statement.</p>
<p>
<strong>Marketing and event communication:</strong> We use personal data to deliver
informational, marketing, and event communications to you across various
platforms, such as email, direct mail, social media, and online via the
Services.
We also may send you invitations to events relating to the
Services that occur nearby you, based on your address.</p>
<p>If we send you a marketing email, it will include instructions on how to
opt out of receiving these emails in the future.
We also maintain email
preference centers for you to manage your information and marketing
preferences.
For information about managing email subscriptions and
promotional communications, please visit the Your Rights Regarding Your
Personal Data section of this privacy statement.
Please remember that
even if you opt out of receiving marketing emails, we may still send you
important Services information related to your accounts and
subscriptions.</p>
<p>
<strong>Impact Assessment.</strong> We may use de-identified aggregate or other
statistical information about you (which could include demographic data
about you, such as your location, grade level and, if you provide it,
your gender identity and/or racial/ethnic identity) for various purposes
such as assessing the breadth of use of picoCTF.</p> How We Share Personal Data <p>
<em>Parents, Guardians, and Educators</em>
</p>
<p>We may share the Personal Data of individuals under the age of 18
(“<strong>minors</strong>”) with the parent or guardian who consented to the minor’s
participation in the Services.
If you are participating in the Services
as part of an educational or learning program, we may share your
Personal Data with your teachers, administrators, supervising parties,
and the affiliated school or organization of the educational or learning
program in which you are participating.</p>
<p>
<em>Service Providers and Other Third-parties</em>
</p>
<p>It is the practice of CMU to protect users’ information.
Access to our
users’ information is restricted to only those employees or agents,
contractors or subcontractors of CMU who have valid reasons to access
this information to perform any service you have requested or
authorized, or for any other purpose described in this picoCTF Privacy
Statement.
The information you provide will not be sold or rented to
third parties.</p>
<p>We may provide your personal data to:</p>
<ul>
<li>
<p>Outsourced service providers who perform functions on our behalf.
For example, your personal information may be stored on cloud
hosting services such as Amazon Web Services or may be processed
through email services such as SendGrid or visualized using Tableau.</p>
</li>
<li>
<p>our authorized agents and representatives, located inside or outside
of your country of residence (in such case, we will use appropriate
legal framework to operate data transfers), who provide services on
our behalf, such as training service providers;</p>
</li>
<li>
<p>anyone expressly authorized by you to receive your personal data;</p>
</li>
<li>
<p>anyone to whom we are required by law to disclose personal data,
upon valid and enforceable request thereof.</p>
</li>
</ul>
<p>We will access, disclose and preserve personal data, when we have a good
faith belief that doing so is necessary to:</p>
<ul>
<li>
<p>comply with applicable law or respond to valid legal processes,
including from law enforcement or other government agencies, upon
valid and enforceable request thereof.
or</p>
</li>
<li>
<p>operate and maintain the security of the Services, including to
prevent or stop an attack on our computer systems or networks.</p>
</li>
</ul>
<p>We may also share de-identified aggregate or other statistical
information about you which could include demographic data about you,
such as your location, grade level and, if you provide it, your gender
identity and/or racial/ethnic identity) with our sponsors or other
funding agencies who are interested in the breadth of use and impact of
the Services and/or to fulfill any reporting obligations under our
relevant sponsorship or other funding agreements.</p>
<p>Please note that some of the Services may direct you to services of
third parties whose privacy practices differ from those described in
this picoCTF Privacy Statement.
If you provide personal data to any of
those services, your data is governed by their privacy statements or
policies.
Carnegie Mellon University is not responsible for the privacy
practices of these other websites.
Please review the privacy policies
for these websites to understand how they process your information.</p> HOW YOU MAY SHARE PERSONAL DATA <p>Certain features of the Services (such as features that enable you to
join a team for a competition under the relevant competition rules) may
allow you to share information with other users.
Please do not share
your personal data or the personal data of others through any of these
sharing features.
You are the controllers of personal information you
share through the sharing features of the Services.</p> Handling of Personal Data Security of Personal Data <p>CMU is committed to protecting the security of your personal data.
Depending on the circumstances, we may hold your information in hard
copy and/or electronic form.
For each medium, we use technologies and
procedures to protect personal data.
We review our strategies and update
as necessary to meet our business needs, changes in technology, and
regulatory requirements.</p>
<p>These measures include, but are not limited to, technical and
organizational security policies and procedures, security controls and
employee training.</p>
<p>We may suspend your use of all or part of the Services without notice if
we suspect or detect any breach of security.
If you believe that
information you provided to us is no longer secure, please notify us
immediately using the contact information provided below.</p>
<p>If we become aware of a breach that affects the security of your
personal data, we will provide you with notice as required by applicable
law.
To the extent permitted by applicable law, CMU will provide any
such notice that CMU must provide to you at your account’s email
address.
By using the Services, you agree to accept notice
electronically.</p> Storage and Transfer of Personal Data <p>Personal data collected by CMU through the Services may be stored and
processed in your region, in the United States or in any other country
where CMU, its affiliates or contractors maintain facilities, including
outside the EU.
We take steps to ensure that the data we collect under
this picoCTF Privacy Statement is processed pursuant to the terms
thereof and the requirements of applicable law wherever the data is
located.</p>
<p>CMU also collaborates with third parties such as cloud hosting services
and suppliers located around the world as needed for the Services.
In
some cases, we may need to disclose or transfer your personal data
within CMU or to third parties in areas outside of your home country.
When we do so, we take steps to ensure that personal data is processed,
secured, and transferred according to applicable law.</p> Retention of Personal Data <p>CMU retains personal data in a form which permits identification of data
subjects for as long as necessary to provide the Services and fulfill
the transactions you have requested, or for other business purposes such
as complying with our legal obligations, resolving disputes, and
enforcing our agreements.
We are required by law to keep some types of
information for certain periods of time (e.g.
statute of limitations).</p> Your Rights Regarding Your Personal Data <p>CMU respects your right to access and control your personal data.
You
have choices about the data we collect.
When you are asked to provide
personal data that is not necessary for the purposes of providing you
with the Services, you may decline.
However, if you choose not to
provide data that is necessary to provide the Services, you may not have
access to certain features of the Services.</p>
<p>We aim to keep all personal data that we hold accurate, complete and
up-to-date.
While we will use our best efforts to do so, we encourage
you to tell us if you change your contact details.
If you believe that
the information we hold about you relating to the picoCTF Services is
incorrect, incomplete or out-of-date, please contact
other@picoCTF.com.</p>
<p>
<strong>Access to personal data:</strong> In some jurisdictions, you have the right
to request access to your personal data.
In these cases, we will comply,
subject to any relevant legal requirements and exemptions, including
identity verification procedures.
Before providing data to you, we will
ask for proof of identity and sufficient information about your
interaction with us so that we can locate any relevant data.
We may also
charge you a fee for providing you with a copy of your data (except
where this is not permissible under local law).</p>
<p>
<strong>Correction and deletion:</strong> In some jurisdictions, you have the right
to correct or amend your personal data if it is inaccurate or requires
updating.
You may also have the right to request deletion of your
personal data.
Please note that such a request could be refused because
your personal data is required to provide you with the Services you
requested, e.g.
to send an invoice to your email address, or that it is
required by the applicable law.</p>
<p>
<strong>Portability:</strong> If you reside within certain jurisdictions, you may
have the right to ask for a copy of your personal data and/or ask for it
to be ported to another provider of your choice.
Please note that such a
request could be limited to the only personal data you provided us with
or that we hold at that given time and would be subject to any relevant
legal requirements and exemptions, including identity verification
procedures.</p>
<p>
<strong>Marketing preferences:</strong> If you have provided us with your contact
information, we may, subject to any applicable Spam Act or similar
regulation, contact you via e-mail, postal mail or telephone about CMU
Services and events that may be of interest to you.</p>
<p>Marketing e-mail communications you receive from CMU will generally
provide an unsubscribe link allowing you to opt-out of receiving future
e-mail or to change your contact preferences.
E-mail communications may
also include a link to directly update and manage your marketing
preferences.
You can also request changes to your contact preferences by
contacting CMU via email at other@picoCTF.com.</p>
<p>Please remember that even if you opt out of receiving marketing emails,
we may still send you important Services information related to your
accounts and subscriptions.</p>
<p>
<em>California Shine the Light Law:</em> California Civil Code Section 1798.83
permits users who are California residents to obtain from us once a
year, free of charge, a list of third parties to whom we have disclosed
personal information (if any) for direct marketing purposes in the
preceding calendar year.
If you are a California resident and you wish
to make such a request, please send an e-mail with “California Privacy
Rights” in the subject line to GDPR-info@andrew.cmu.edu or write us at:
Carnegie Mellon University, Attn: Data Protection Officer, 5000 Forbes
Avenue, Pittsburgh, PA 15213.</p> Cookies &.
OTHER Technologies <p>We use Cookies to track how you use the Services by providing usage
statistics.
Cookies are also used to deliver CMU information (including
updates) based upon your browsing history and previous visits to the
Services.
Information supplied to us using Cookies helps us to provide a
better online experience to our visitors and users and send marketing
communications to them, as the case may be.
Information supplied to us
upon launching of the Services will enable CMU to improve the
functionality of the Services.</p>
<p>While this information on its own may not constitute your “personal
data”, we may combine the information we collect via Cookies with
personal data that we have collected from you to learn more about how
you use the Services to improve them.</p> Types of Cookies <p>We use both session Cookies (which expire once you close your web
browser) and persistent Cookies (which stay on your device until you
delete them).
To make it easier for you to understand why we need them,
the Cookies we use on the Services can be grouped into the following
categories:</p>
<ul>
<li>
<p>Strictly Necessary: These Cookies are necessary for the Services to
work properly.
They include any essential authentication and
authorization Cookies for the Services.</p>
</li>
<li>
<p>Functionality: These Cookies enable technical performance and allow
us to “remember” the choices you make while browsing the Services,
including any preferences you set.
They also include sign-in and
authentication Cookies and IDs that enable you to return without
additional sign-in.</p>
</li>
<li>
<p>Performance/Analytical: These Cookies allow us to collect certain
information about how you navigate the Services.
They help us
understand which areas you use and what we can do to improve them.</p>
</li>
<li>
<p>Targeting: These Cookies are used to deliver relevant information
related to the Services to an identified machine or other device
(not a named or otherwise identifiable person) which has previously
been used to visit the Services.
Some of these types of Cookies on
the Services are operated by third parties with our permission and
are used to identify advertising sources that are effectively
driving customers to the Services.</p>
</li>
</ul>
<p>Here is a representative list of the Cookies we use in connection with
the Services.</p>
<strong>Provider</strong>
<strong>Cookie Name</strong>
<strong>Category</strong>
<strong>Duration</strong>
<strong>Purpose</strong> Google Analytics _utma<br>_utmb<br>_utmc<br>_utmv<br>_utmz Performance / Analytical 2 years after inactivity These Cookies are used to collect information about how visitors use our site.
We use the information to compile reports and to help us improve the site.
The Cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.
Click here for an overview of privacy at Google.
Cookies Set by Third Parties <p>To enhance our content and to deliver a better online experience for our
users, we sometimes embed content from other websites on the Services.
We currently use, and may in the future use, Facebook, Twitter and
Discord.
You may be presented with Cookies from these third-party
websites.
Please note that we do not control these Cookies.
The privacy
practices of these third parties will be governed by the parties’ own
privacy statements or policies.
We are not responsible for the security
or privacy of any information collected by these third parties, using
Cookies or other means.
You should consult and review the relevant
third-party privacy statement or policy for information on how these
Cookies are used and how you can control them.</p>
<p>We also use Google, a third-party analytics provider, to collect
information about Services usage and the users of the Services,
including demographic and interest-level information.
Google uses
Cookies in order to collect demographic and interest-level information
and usage information from users that visit the Services, including
information about the pages where users enter and exit the Services and
what pages users view on the Services, time spent, browser, operating
system, and IP address.
Cookies allow Google to recognize a user when a
user visits the Services and when the user visits other websites.
Google
uses the information it collects from the Services and other websites to
share with us and other website operators’ information about users
including age range, gender, geographic regions, general interests, and
details about devices used to visit websites and purchase items.
We do
not link information we receive from Google with any of your personally
identifiable information.
For more information regarding Google’s use of
Cookies, and collection and use of information, see the Google Privacy
Policy (available at https://policies.google.com/privacy?hl=en).
If you
would like to opt out of Google Analytics tracking, please visit the
Google Analytics Opt-out Browser Add-on (available at
https://tools.google.com/dlpage/gaoptout).</p>
<p>
<strong>Advertising</strong>.
We may use third party service providers to serve
advertisements or collect data on our behalf across the internet and on
the Services (“<strong>Advertisers</strong>”).
Some of these Advertisers may collect
your personal information about your Service visits and your
interactions with our services to tailor marketing messages on the
Service or other sites, or to trigger real-time interactions, customize
the Services, or enhance your profile.
Advertisers may use cookies,
Pixels and other technologies to collect your personal information,
measure the effectiveness of their advertisements, and personalize the
advertisements on the Services.
Some of these Advertisers may collect
your personal information that you share on the Services via a web form
automatically and prior to your submission of the personal information
(i.e., before you click, “Submit”).
Advertisers may be able to use
information from your Service visits to send marketing messages to you
in a way that could personally identify you.
The information collected
by Advertisers may include your IP address, email addresses and other
user and device level information.
For example, when Advertisers send
advertisements and links that appear on the Service directly to your
browser, they automatically receive your IP address.
Please keep in mind
that your browser settings may not permit you to control Advertisers’
technologies, and this Privacy Statement does not apply to, and we
cannot control the activities of, Advertisers.
If you would like more
information about Advertisers’ practices, please see
http://optout.aboutads.info/#!/.</p>
<p>You can generally opt-out of receiving personalized ads from third-party
advertisers and ad networks who are members of the Network Advertising
Initiative (NAI) or who follow the Digital Advertising Alliance’s
Self-Regulatory Principles for Online Behavioral Advertising (DAA) by
visiting the opt-out pages on the NAI website
(http://optout.networkadvertising.org/)
and DAA website (http://www.aboutads.info/choices/).</p> How to Control and Delete Cookies <p>Cookies can be controlled, blocked or restricted through your web
browser settings.
Information on how to do this can be found within the
Help section of your browser.
All Cookies are browser specific.
Therefore, if you use multiple browsers or devices to access websites,
you will need to manage your cookie preferences across these
environments.</p>
<p>If you are using a mobile device to access the Services, you will need
to refer to your instruction manual or other help/settings resource to
find out how you can control Cookies on your device.</p>
<p>Please note: If you restrict, disable or block any or all Cookies from
your web browser or mobile or other device, the Services may not operate
properly, and you may not have access to the Services.
CMU shall not be
liable for any impossibility to use the Services or degraded functioning
thereof, where such are caused by your settings and choices regarding
Cookies.</p>
<p>To learn more about Cookies and web beacons, visit
http://www.allaboutcookies.org.</p> Social Sharing <p>We also embed social sharing icons throughout the Services.
These
sharing options are designed to enable users to easily share content
from the Services with their friends using a variety of different social
networks.
If you choose to connect using a social networking or similar
service, we may receive and store authentication information from that
service to enable you to log in and other information that you may
choose to share when you connect with these services.
These services may
collect information such as the web pages you visited and IP addresses,
and may set cookies to enable features to function properly.
We are not
responsible for the security or privacy of any information collected by
these third parties.
You should review the privacy statements or
policies applicable to the third-party services you connect to, use, or
access.
If you do not want your personal data shared with your social
media account provider or other users of the social media service,
please do not connect your social media account with your account for
the Services and do not participate in social sharing on the Services.</p>
<p>Do Not Track</p>
<p>Some web browsers (including Safari, Internet Explorer, Firefox and
Chrome) incorporate a “Do Not Track” (“DNT”) or similar feature that
signals to websites that a user does not want to have his or her online
activity and behavior tracked.
If a website that responds to a
particular DNT signal receives the DNT signal, the browser can block
that website from collecting certain information about the browser’s
user.
Not all browsers offer a DNT option and DNT signals are not yet
uniform.
For this reason, many website operators, including this picoCTF
website, do not respond to DNT signals.</p> CHILDREN’S PRIVACY <p>IF YOU ARE UNDER THE AGE OF 13, DO NOT USE THE SERVICES.</p>
<p>The Services are intended to be used by individuals who are at least 13
years old.
Consistent with the requirements of the U.S.
Children’s
Online Privacy Protection Act, if we learn that we received any
information directly from a child under age 13 without his or her
parent’s verified consent, we will use that information only to inform
the child (or his or her parent or legal guardian) that he or she cannot
use the Services.</p>
<p>
<em>California Minors:</em> If you are a California resident who is under age
18 and you are unable to remove publicly-available content that you have
submitted to us, you may request removal by contacting us at:
GDPR-info@andrew.cmu.edu.
When requesting removal, you must be specific
about the information you want removed and provide us with specific
information, such as the URL for each page where the information was
entered, so that we can find it.
We are not required to remove any
content or information that: (1) federal or state law requires us or a
third party to maintain.
(2) was not posted by you.
(3) is anonymized so
that you cannot be identified.
(4) you don’t follow our instructions for
removing or requesting removal.
or (5) you received compensation or
other consideration for providing the Content or information.
Removal of
your content or information from the Services does not ensure complete
or comprehensive removal of that content or information from our systems
or the systems of our service providers.
We are not required to delete
the content or information posted by you.
our obligations under
California law are satisfied so long as we anonymize the content or
information or render it invisible to other users and the public.</p>
<p>
<strong>THE GENERAL DATA PROTECTION REGULATION (“GDPR”)</strong>
</p>
<p>If you reside within the EU you may be entitled to other rights under
the GDPR.
These rights are summarized below.
We may require you to
verify your identity before we respond to your requests to exercise your
rights.
If you are entitled to these rights, you may exercise these
rights with respect to your personal data that we collect and store:</p>
<ul>
<li>
<p>the right to withdraw your consent to data processing at any time
(please note that this might prevent you from using certain aspects
of the Services);</p>
</li>
<li>
<p>the right of access your personal data;</p>
</li>
<li>
<p>the right to request a copy of your personal data;</p>
</li>
<li>
<p>the right to correct any inaccuracies in your personal data;</p>
</li>
<li>
<p>the right to erase your personal data;</p>
</li>
<li>
<p>the right to data portability, meaning to request a transfer of your
personal data from us to any other person or entity as chosen by
you;</p>
</li>
<li>
<p>the right to request restriction of the processing of your personal
data.
and</p>
</li>
<li>
<p>the right to object to processing of your personal data.</p>
</li>
</ul>
<p>You may exercise these rights free of charge.
These rights will be
exercisable subject to limitations as provided for by the GDPR.
Any
requests to exercise the above-listed rights may be made to:
GDPR-info@andrew.cmu.edu.</p>
<p>If you reside within the EU, you have the right to lodge a complaint
with a Data Protection Authority about how we process your personal data
at the following website:
https://edpb.europa.eu/about-edpb/board/members_en.</p>
<p>
<em>Processing EU Personal Data</em>
</p>
<p>In the event that your personal data is subject to the GDPR, we will
only use your personal data for the original purpose for which we
collected it, unless we reasonably consider that we need to use it for
another purpose and that purpose is compatible with the original
purpose.
If we need to use your EU personal data for an unrelated
purpose, we will notify you and we will explain the legal basis which
allows us to do so.
We require third parties to only use your EU
personal data for the specific purpose for which it was given to us and
to protect the privacy of your personal data.
If your personal data is
no longer necessary for the legal or business purposes for which it is
processed, we will generally destroy or anonymize that data.</p>
<p>
<em>International Transfers of Personal Data</em>
</p>
<p>Whenever we transfer your personal data out of the EU, we ensure a
similar degree of protection is afforded to it by ensuring at least one
of the following safeguards is implemented:</p>
<ul>
<li>
<p>European Commission Standard Contractual Clauses: We may use
specific contracts approved by the European Commission which give
personal data the same protection it has in the EU.</p>
</li>
<li>
<p>Privacy Shield.
Where we use providers based in the US, we may
transfer data to them if they are part of the Privacy Shield which
requires them to provide similar protection to personal data shared
between the Europe and the US.</p>
</li>
</ul>
<p>For additional information on the mechanisms used to protect your
personal data, please contact our Data Protection Officer at
GDPR-info@andrew.cmu.edu.</p> Changes To This PICOCTF PRIVACY STATEMENT** <p>We may update this picoCTF Privacy Statement based upon evolving laws,
regulations and industry standards, or as we may make changes to our
business including the Services.
We will post changes to our picoCTF
Privacy Statement on this page and encourage you to review our picoCTF
Privacy Statement when you use the Services to stay informed.
If we make
changes that materially alter your privacy rights, CMU will provide
additional notice, such as via email or through the Services.
If you
disagree with the changes to this picoCTF Privacy Statement, you should
discontinue your use of the Services.
You may also request access and
control of your personal data as outlined in the Your Rights Regarding
Your Personal Data section of this picoCTF Privacy Statement.</p> Questions or Complaints Handling** <p>We understand that you may have questions or concerns about this Privacy
Statement or our privacy practices or may wish to file a complaint.
In
such case, please contact us in one of the following ways:</p>
<code>Email: <GDPR-info@andrew.cmu.edu>.
Mail: Carnegie Mellon University Attention: Data Protection Officer 5000 Forbes Avenue Pittsburgh, PA 15213
</code>
<p>If you are not satisfied with our answer or how CMU manages your
personal data, you may also have the right to make a complaint to a data
protection regulator.
If you reside within the EU, a list of National
Data Protection Authorities can be found here:
http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.</p>
<p>Effective Date: September 11, 2020</p>