Privacy Policy
This Privacy Policy explains how the CYBERFOXES CTF 2026 Organizing Committee (“we,” “us,” “the Organizers”) collects, uses, stores, discloses, and protects your personal data when you register for and participate in CYBERFOXES CTF 2026 (the “Event”).
We are committed to protecting your privacy in accordance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (the “DPA”), its Implementing Rules and Regulations (IRR), and the issuances, circulars, and advisories of the National Privacy Commission (the “NPC”) of the Republic of the Philippines. By submitting the registration form and ticking the consent boxes, you acknowledge that you have read, understood, and agreed to this Policy.
Table of Contents
2. Personal Data We Collect
3. Lawful Basis for Processing
4. Purposes of Processing
5. How We Store & Secure Data
6. Data Sharing & Third Parties
7. International Data Transfers
8. Data Retention
9. Your Rights as a Data Subject
10. Minors
11. Cookies & Analytics
12. Data Breach Notification
13. Changes to this Policy
14. How to Contact Us / the DPO
1. Who We Are
CYBERFOXES CTF 2026 is a Capture the Flag cybersecurity competition scheduled for 24 July 2026. For the purposes of the DPA, the Organizing Committee acts as the Personal Information Controller (PIC) for personal data collected through this registration platform. The registration data store is hosted on Appwrite infrastructure, and the website is served through Vercel, both acting as Personal Information Processors (PIPs) strictly on our documented instructions.
2. Personal Data We Collect
Through the registration form, we collect the following categories of personal data that you voluntarily provide:
- Full name to identify you as a registrant and participant.
- Date of birth to verify eligibility and age, and for demographic reporting in aggregate.
- Preferred code name your public handle on the scoreboard and in communications.
- HAU email address to verify affiliation with Holy Angel University and to send official notices.
- Personal email address as an alternate contact channel for competition logistics.
- Consent records the fact, date, and time that you accepted this Policy and the Terms & Conditions.
We also automatically process limited technical data (such as the timestamp of submission) necessary to operate the platform. We do not intentionally collect sensitive personal information as defined under Section 3(l) of the DPA (e.g., race, ethnic origin, health, religious or political affiliations, or government-issued identifiers) through this form. Please do not enter such information into free-text fields.
3. Lawful Basis for Processing
We process your personal data on the following lawful bases recognized under Sections 12 and 13 of the DPA:
- Consent you have given free, specific, informed, and evident consent by ticking the consent boxes.
- Contract / legitimate interest processing necessary to register you, administer the Event, and fulfill our obligations to participants.
You may withdraw your consent at any time (see Section 9); withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
4. Purposes of Processing
Your personal data is processed only for purposes compatible with the declared purposes below:
- Registering, verifying, and managing your participation in the Event;
- Communicating essential information schedules, platform access, rules updates, and results;
- Verifying eligibility, preventing duplicate or fraudulent registrations, and enforcing fair play;
- Producing anonymized, aggregate statistics for reporting to partners and sponsors;
- Issuing certificates, prizes, or recognitions to qualified participants; and
- Complying with legal, regulatory, and audit obligations.
5. How We Store & Secure Data
We implement reasonable and appropriate organizational, physical, and technical security measures under Sections 20–22 of the DPA and NPC Circular No. 16-01, including but not limited to:
- Access controls limiting registration records to authorized Organizing Committee members;
- Encryption in transit (HTTPS/TLS) between your browser and our processors;
- Storage on managed Appwrite databases with project-scoped credentials and role-based permissions;
- Regular review of access logs and the principle of least privilege.
While we strive to protect your data, no method of electronic transmission or storage is absolutely secure, and we cannot guarantee absolute security.
6. Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. We may share it only with:
- Processors (Appwrite, Vercel) who process data solely on our instructions under confidentiality obligations;
- Event partners (e.g., the academic host and sponsoring bodies) in anonymized or aggregate form, unless you have separately consented to identified disclosure (for example, to receive a certificate); and
- Authorities where disclosure is required by law, court order, or lawful request of a government agency.
7. International Data Transfers
Our processors may store or process data on servers located outside the Philippines. Where personal data is transferred across borders, we take steps to ensure a comparable level of protection consistent with the DPA and applicable NPC guidelines, including contractual safeguards with our processors.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy, and in any case no longer than twelve (12) months after the conclusion of the Event, unless a longer period is required for legitimate archival, certificate verification, legal, or audit purposes. Upon expiry of the retention period, personal data is securely deleted or irreversibly anonymized.
9. Your Rights as a Data Subject
Under Chapter IV of the DPA, you are entitled to the following rights, which you may exercise by contacting fvolpindo@student.hau.edu.ph:
- Right to be informed about how your data is collected and processed;
- Right to access to obtain a copy of the data we hold about you;
- Right to rectification to correct inaccurate or incomplete data;
- Right to erasure or blocking to suspend, withdraw, or order the destruction of your data under the conditions of the DPA;
- Right to object to processing, including for direct marketing or automated processing;
- Right to data portability to obtain your data in a structured, commonly used format;
- Right to damages to be indemnified for damages sustained due to unlawful processing; and
- Right to lodge a complaint before the National Privacy Commission.
10. Minors
If you are below the age of majority (18 years), you represent that you have obtained the consent of a parent or legal guardian to register and to have your personal data processed as described. The Organizers may require proof of such consent. We do not knowingly process the data of minors without appropriate authorization.
11. Cookies & Analytics
This registration website uses only the cookies and local storage strictly necessary to operate the form and the underlying Appwrite/Vercel services. We do not deploy third-party advertising trackers. Any analytics used are privacy-respecting and configured to minimize the collection of identifiable information.
12. Data Breach Notification
In the event of a personal data breach that is likely to give rise to a real risk of serious harm, we will notify the National Privacy Commission and affected data subjects within seventy-two (72) hours of knowledge of the breach, in accordance with the DPA IRR and NPC Circular No. 16-03.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be posted on this page with a revised effective date and, where appropriate, communicated to you by email. Your continued participation after such changes constitutes acceptance of the updated Policy.
14. How to Contact Us
For questions, requests, or complaints regarding this Policy or your personal data, please contact:
- Email: fvolpindo@student.hau.edu.ph
- Alternate: fourtholpindo@gmail.com
You also have the right to lodge a complaint with the National Privacy Commission (privacy.gov.ph), 5th Floor, Philippine International Convention Center, Pasay City, Metro Manila.