Privacy Policy
Last updated: 29 May 2026
TERMINAL43 S.R.L. ("we", "us", "the Platform") operates code.terminal43.ro. We are committed to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR) and applicable Romanian data protection law. This policy describes what personal data we collect, how we process it, and your rights.
1. Data Controller
| Legal name | TERMINAL43 S.R.L. |
| Registered office | Mun. București, Sector 3, Str. Râmnicu Vâlcea nr. 27, Cam. 1, Bl. 20C, Sc. 2, Romania |
| Trade Register | J2026013719005 |
| Fiscal code (CUI) | 54133669 |
| CAEN | 8559 (Other education n.e.c.) |
| General contact | contact@terminal43.ro |
| Data Protection (DPO contact) | contact@terminal43.ro |
TERMINAL43 S.R.L. is the data controller for personal data processed through this platform, within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Data We Collect
Account Data
When you register, we collect your username, email address, and password (stored as a bcrypt hash; we never store plaintext passwords).
Usage Data
We record your coding submissions, progress, points, streaks, badges, course enrollments, bookmarks, comments, reviews, and contest participation to provide the learning platform's core features.
Technical Data
We collect your IP address, browser type, and session information for security, rate limiting, and abuse prevention. Server logs are retained for up to 12 months.
3. Legal Basis for Processing (GDPR Art. 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation & authentication | Contract (Art. 6(1)(b)) |
| Progress tracking, badges, leaderboards | Contract (Art. 6(1)(b)) |
| Email streak reminders | Consent (Art. 6(1)(a)): opt-in at registration |
| Analytics cookies | Consent (Art. 6(1)(a)) |
| Security logging & rate limiting | Legitimate Interest (Art. 6(1)(f)) |
| Admin audit trail | Legitimate Interest (Art. 6(1)(f)) |
4. Data Retention
We keep personal data only as long as necessary for the purpose for which it was collected.
| Category | Retention |
|---|---|
| Account data | While the account is active, then 30 days after a deletion request (soft-delete grace period) |
| Code submissions and learning data (progress, badges, points) | Lifetime of the account |
| Payment records, invoices | 10 years (Romanian fiscal law, Codul fiscal art. 25) |
| Server and security logs | 90 days, then deleted or anonymized |
| Cookie consent record | 12 months, then re-prompted |
| Database backups | 30 days rolling, then overwritten |
On account deletion we anonymize or delete personal data within 30 days, except where retention is required by law (e.g., fiscal records) or to defend legal claims.
5. Your Rights Under GDPR (Art. 7(3), 15–22)
You have the following rights regarding your personal data:
- Right of Access (Art. 15): Export a copy of all your data via Account Settings → Export My Data.
- Right to Rectification (Art. 16): Update your profile information via Edit Profile. You can change your email and password from your account settings.
- Right to Erasure (Art. 17): Delete your account and all associated data via Account Settings → Delete Account.
- Right to Data Portability (Art. 20): Download your data as a machine-readable JSON file via the Export feature.
- Right to Restriction (Art. 18): Contact us to restrict processing of your data while a dispute is resolved.
- Right to Object (Art. 21): You may opt out of email reminders at any time from your account settings. You may withdraw cookie consent at any time.
- Right to Withdraw Consent (Art. 7(3)): Where We process Your data on the basis of Your consent, You may withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal. Withdrawal can be exercised through your account settings or by writing to contact@terminal43.ro.
- Right Regarding Automated Decision-Making (Art. 22): The Platform applies automated processing to evaluate code submissions, grade tasks, compute points and skill mastery, award badges, and rank users on leaderboards. These operations are necessary for the performance of the educational service You have signed up for (Art. 22(2)(a)) and do not produce legal effects on You. You may nevertheless contact contact@terminal43.ro to obtain human review of any automated grading outcome, to express Your point of view, or to contest the decision. We do not perform profiling for marketing purposes and do not make automated decisions that produce legal or similarly significant effects on You.
6. Sub-processors
We do not sell your personal data. The third parties below process personal data on our behalf under written agreements meeting GDPR Art. 28 requirements.
| Provider | Purpose | Location / safeguards |
|---|---|---|
| Stripe Payments Europe, Ltd. | PCI-DSS compliant payment processing for paid subscriptions and one-off purchases | Ireland (EU). Transfers to Stripe Inc. (US) rely on Stripe's Standard Contractual Clauses and the EU–US Data Privacy Framework. |
| Other TERMINAL43 platforms (ctf.terminal43.ro, system.terminal43.ro, terminal43.ro, terminal43.school) | Cross-platform single sign-on (SSO), account directory, enrollment / auto-join into related learning programs | Romania (EU), operated by TERMINAL43 S.R.L. |
| Sandboxed Docker code-execution infrastructure (operated by us) | Isolated execution of user-submitted code, graders, and challenge runners | EU, self-hosted on TERMINAL43 infrastructure |
| Redis (operated by us) | Session store, rate-limit counters, transient caches | EU, self-hosted on our VPS |
| Hostinger International Ltd. | Transactional email (SMTP relay): account confirmations, password resets, streak reminders | Lithuania (EU) |
| Hetzner Online GmbH | VPS hosting: application server, database, file storage | Germany and Finland (EEA) |
We may also disclose data to law enforcement or regulators when required by applicable law. If we add or replace a sub-processor for paid services, we update this list and, for material changes affecting paid users, notify registered users at least 30 days in advance.
7. International Data Transfers
Your data is stored on EU-based servers. If any third-party processor transfers data outside the EU/EEA, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions per GDPR Art. 46).
8. Data Security
We implement appropriate technical and organizational measures including: bcrypt password hashing, CSRF protection, rate limiting, session regeneration, input validation, and access controls limiting data access to authorized personnel only.
9. Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33. If the breach poses a high risk to your rights, we will also notify you directly (Art. 34).
10. Children's Privacy (Art. 8 GDPR)
Romanian law (Legea nr. 190/2018, art. 8) sets the GDPR digital-consent age at 16.
Users under 16: a parent or legal guardian must enrol the minor on their behalf, accept these terms and this Privacy Policy on the minor's behalf, and is treated as the contracting consumer. We do not knowingly collect personal data directly from children under 16 without verifiable parental consent.
Users 16 and over: may register and use the platform on their own.
What we collect about a minor is the minimum necessary to deliver the educational service: chosen username, email, progress, code submissions, and the linked parent's email. We do not use a minor's data for marketing or profiling.
If you become aware that we have collected personal data from a child under 16 without proper parental consent, email contact@terminal43.ro and we will delete it without undue delay.
11. Cookies
We use essential, preference, and analytics cookies. For full details, see our Cookie Policy. You can manage your cookie preferences at any time via the cookie consent banner.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via a notice on the platform. The "Last updated" date at the top indicates the most recent revision.
13. Contact & Data Protection Officer
If you have questions about this policy or wish to exercise your rights, contact us at:
Contact: contact@terminal43.ro
Support: contact@terminal43.ro
Data Protection Officer. Terminal43 SRL has not formally appointed a Data Protection Officer under GDPR Art. 37, as its core activities do not consist of large-scale systematic monitoring of data subjects or large-scale processing of special categories of data. Data-protection inquiries are handled by the address above and responded to within 30 days, in accordance with Art. 12(3) GDPR.
14. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. The Romanian supervisory authority is:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București, România
Website: www.dataprotection.ro