Privacy Policy

Your privacy is fundamental to our mission. This policy explains how Mirachron Security SRL collects, uses, and protects your personal information.

GDPR Compliant
Privacy by Default
Last Updated: January 2025

Company Information

Company: Mirachron Security SRL

Country: Romania

Legal Framework: Romanian Data Protection Law and EU General Data Protection Regulation (GDPR)

Data Controller: Mirachron Security SRL

Contact: contact@mirachron.com

Our Privacy Principles
These principles guide every decision we make about your data

Privacy by Default

We collect only what we need and protect it by design, not as an afterthought.

Consent First, Always

We ask for your explicit consent before collecting or sharing personal data.

Transparency

We explain clearly what we do with your data in plain language.

Your Control

You have full control over your data and can modify or delete it anytime.

Information We Collect
We collect information only when necessary to provide our services

Account Information

  • Name and email address (via OAuth providers: Google, GitHub)
  • Profile information from OAuth providers (public profile data only)
  • Account preferences and settings

CTF Competition Data

  • Team name and participant information (when you register for competitions)
  • Institution/university affiliation (for educational competitions)
  • Competition performance and scores (for leaderboards and certificates)
  • Challenge submissions and timestamps

Service Usage Data

  • Application usage patterns (for PIECE and other tools)
  • Search queries and command usage (anonymized for improvement)
  • Technical logs for security and performance monitoring

Communication Data

  • Messages sent through contact forms
  • Email correspondence for support or business inquiries
  • Feedback and survey responses (when provided voluntarily)

Technical Information

  • IP address and browser information (for security and analytics)
  • Device type and operating system (for compatibility)
  • Cookies and session data (essential cookies only, unless you consent to others)

How We Use Your Information
We use your data only for legitimate purposes with proper legal basis

Service Provision (Contractual Basis)

  • Provide access to our applications and services
  • Manage your account and authentication
  • Process CTF registrations and manage competitions
  • Deliver professional security services

Educational Purposes (Legitimate Interest)

  • Create learning materials and challenges
  • Generate anonymized statistics for educational research
  • Improve our educational programs and methodologies
  • Provide certificates and recognition for achievements

Communication (Consent or Legitimate Interest)

  • Respond to your inquiries and support requests
  • Send important service updates and security notifications
  • Share educational content and competition announcements (with consent)

Security and Legal Compliance (Legal Obligation)

  • Protect against fraud, abuse, and security threats
  • Comply with legal requirements and law enforcement requests
  • Maintain audit trails for security services

Data Sharing and Disclosure
We do not sell your data. We share it only in specific, limited circumstances.

What We DON'T Do

  • Sell your personal data to third parties
  • Share personal data for marketing purposes without explicit consent
  • Use your data for advertising or profiling
  • Share personal data by default - consent first, always

Limited Sharing Scenarios

  • Service Providers: Trusted partners who help us operate our services (hosting, authentication, email)
  • Competition Partners: Educational institutions for joint CTF events (with participant consent)
  • Legal Requirements: When required by law or to protect rights and safety
  • Aggregated Data: Anonymous, statistical data for research and improvement

Third-Party Services

We use the following third-party services that may process your data:

  • Authentication: Google OAuth, GitHub OAuth (for secure login)
  • Database: MongoDB Atlas (for data storage)
  • Hosting: Vercel (for application hosting)
  • Email: Professional email services (for communication)

Data Retention
We keep your data only as long as necessary

Retention Periods

  • Account Data: Until you delete your account or request deletion
  • CTF Competition Data: 3 years for certificates and historical records
  • Service Usage Logs: 12 months for security and improvement purposes
  • Communication Records: 2 years for support and business purposes
  • Legal/Security Logs: As required by law (typically 6-7 years)

Automatic Deletion

We automatically delete data when retention periods expire. You can also request immediate deletion of your personal data at any time (subject to legal requirements).

Your Rights Under GDPR
As a data subject, you have comprehensive rights over your personal data

Right to Access

Request a copy of all personal data we hold about you.

Right to Rectification

Correct any inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Restrict Processing

Limit how we process your personal data in certain circumstances.

Right to Object

Object to processing based on legitimate interests or direct marketing.

How to Exercise Your Rights

To exercise any of these rights, contact us at:

  • Email: contact@mirachron.com
  • Subject Line: [GDPR REQUEST] - [Type of Request]
  • Response Time: Within 30 days of receiving your request

Security Measures
We implement military-grade security to protect your data

Technical Safeguards

  • End-to-end encryption for data in transit and at rest
  • Multi-factor authentication and OAuth-only access
  • Regular security audits and penetration testing
  • Automated threat detection and response systems
  • Secure hosting infrastructure with redundancy

Organizational Safeguards

  • Privacy by design in all system development
  • Regular staff training on data protection
  • Strict access controls and need-to-know basis
  • Incident response procedures and breach notification
  • Regular compliance reviews and updates

Data Breach Response

In the unlikely event of a data breach, we will notify affected users and relevant authorities within 72 hours, as required by GDPR, and provide clear information about the incident and remediation steps.

Cookies and Tracking
We use minimal, essential cookies and respect your choices

Essential Cookies (No Consent Required)

  • Authentication and session management
  • Security and fraud prevention
  • Basic functionality and user preferences
  • Load balancing and performance optimization

Optional Cookies (Consent Required)

  • Analytics cookies for usage statistics (anonymized)
  • Performance monitoring and error tracking
  • User experience improvements

What We DON'T Use

  • Third-party advertising cookies
  • Social media tracking pixels
  • Cross-site tracking or fingerprinting
  • Behavioral profiling for marketing

Cookie Control: You can manage cookie preferences in your browser settings or through our cookie consent banner. Essential cookies cannot be disabled as they are necessary for basic functionality.

International Data Transfers
How we handle data transfers outside the European Economic Area

Our Approach

We primarily process data within the European Economic Area (EEA). When we must transfer data outside the EEA, we ensure adequate protection through:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules where applicable
  • Your explicit consent for specific transfers

Third-Party Services

Some of our service providers may process data outside the EEA. We ensure they provide adequate protection and comply with GDPR requirements for international transfers.

Children's Privacy
Special protections for users under 16

Age Requirements

Our services are designed for users 16 years and older. For users under 16:

  • Parental or guardian consent is required
  • We collect minimal data necessary for educational purposes
  • Enhanced privacy protections apply
  • Parents can request access to or deletion of their child's data

Educational Context

For educational competitions and programs involving minors, we work with schools and institutions to ensure proper consent and supervision are in place.

Changes to This Policy
How we handle updates to our privacy practices

Notification Process

  • Material changes will be communicated via email and website notice
  • 30-day advance notice for significant changes
  • Updated policy will be posted with revision date
  • Continued use constitutes acceptance of changes

Version History

We maintain a record of policy changes and can provide previous versions upon request.

Contact Information
How to reach us with privacy questions or requests

Data Protection Contact

Company: Mirachron Security SRL

Email: contact@mirachron.com

Subject Line for Privacy Requests: [PRIVACY] - [Your Request Type]

Response Time: Within 30 days

Supervisory Authority

If you believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with the Romanian data protection authority:

Authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

Website: www.dataprotection.ro

This privacy policy is effective as of January 2025 and applies to all users of Mirachron services.

Mirachron Security SRL - Building useful security with privacy by design.