Terms of Service and Privacy Policy


1. Who are we?

Avatao.com Innovative Learning Kft. (hereinafter: Avatao, we, us) provides educational services (hereinafter: service) in accordance with the General Data Protection Regulation (GDPR) through its website at www.avatao.com (hereinafter: website, platform).

Our contact information:
Avatao.com Innovative Learning Kft.
Budapest – 1136
Pannónia utca 32.
Phone: 0036708861337

2. Who are you for us? (Data subjects)

You can be

  • a visitor of our website (hereinafter: visitor), if you simply browse any of our websites on the (sub)-domain of avatao.com;

  • registered user (hereinafter: registered user), who registers on our platform through avatao.com;

  • premium user (hereinafter: premium user), who registers on our platform through avatao.com and subscribes to our premium content in a paid subscription model;

  • challenge creator (hereinafter: challenge creator), who registers on our platform through avatao.com and can create challenges on our platform;

  • an organization (hereinafter: organization), who may or may not have registered on our platform but its contact information is stored by us for communication purposes.

The term “user” henceforth includes registered users, premium users, and challenge creators.

3. Why do we collect and process your data? (Purposes of data collection)

In general, Avatao uses your personal data for the provision, monitoring, revision and development of its educational services, and for the fulfilment of every contractual obligation of Avatao. Avatao also uses your personal data for communicating with you in connection with our services and our contractual and legal obligations. More specifically, Avatao’s purposes for processing your personal data are as follows.

Purpose 1: Providing educational service by delivering challenge oriented hands-on IT security exercises

Avatao offers a rich library of hands-on IT security exercises for software engineers to teach secure programming from design to deployment. These exercises are presented as challenges to any visitor or registered user. Visitors can have access to a limited set of challenges, while registered/premium users can have access to a wider set of challenges. In order to have complete access to our services, a user has to register on the platform and create a user account. After registering through our website, a user becomes a registered user.

Avatao collects personal data for the following specific purposes:

  • Avatao may evaluate the performance of registered users using a scoring mechanism.

  • Avatao may notify registered users when an action is expected from their side or when they request information from Avatao. Avatao only delivers information if recipients are eligible to access it.

  • Avatao may ask users to optionally review certain components of the platform.

  • Avatao groups registered users into communities.

  • Avatao may award users who successfully solve certain challenges.

  • Avatao offers premium services in a paid subscription model to registered users. As part of this service, Avatao processes and stores personal and billing information of premium users in order to fulfill Avatao’s legal obligations.

  • Avatao organizes challenges and invites challenge creators.

Purpose 2: Newsletters

Avatao offers a newsletter service to users and visitors if they wish to be notified via email about feature and content updates on Avatao’s platform as well as certain upcoming events, such as CTFs, workshops, and hackathons; users can opt to subscribe to newsletters during registration. All newsletters contain an unsubscribe link, in case users wish not to receive these updates in the future.

Purpose 3: Platform analytics

Analytics of users’ behavioural data on Avatao’s websites are recorded if the users consent to that. Avatao uses external services to collect information about how its websites perform and how users, in general, navigate through and use Avatao services. This helps Avatao evaluate how users use the platform, compute statistics of activity, and improve the overall service and website performance. Avatao can also record performance information about users in order to deliver aggregated behavioural data to other users, such as community managers, only if the recipients are eligible to access this information.

Purpose 4: Communication with business partners

Avatao may store the point of contact of some organizations in order to inquire about business services and to maintain a customer relationship with these organizations or their representatives.

Purpose 5: Advertising

Avatao may collect information to facilitate Avatao’s marketing initiatives and better communicate with users about the products and services offered by Avatao. To this end, Avatao, or some of its 3rd parties, may provide targeted advertisements to users if the users consent to that. 3rd parties may record the list of visited web pages as well as behavioural analytics about users within Avatao’s platform. These data are only used to provide personalized advertisements.

4. What data do we collect about you?

Avatao collects different pieces of information about you. If you are a visitor of our websites, we log the internet address (IP address) of your device to improve our services and also to improve the security of our users’ data. Avatao will not link your device’s IP address with your identity. Avatao also uses your email address to deliver you newsletters (Purpose 2) only if you consented to that by providing your email address.

If you are a registered user, Avatao stores your email address as part of allowing you to access your account and also in order to contact you regarding important information about the platform, your account, and to deliver you newsletters in case you consented to it. Avatao also stores all necessary information about you for the provision of Avatao’s educational services (Purpose 1). Such information may include your names and affiliations, your roles in different communities, your community memberships, your newsletter subscriptions, your reviews/ratings, or your certificates issued by Avatao. We also compute and store website analytics about users (Purpose 3). Some of our 3rd parties may process mouse movements, mouse clicks, scroll movements of users as well as browser information and the type of operating system (Purpose 3). Direct personal and sensitive information is never transferred to these 3rd parties (Purpose 3).

If you are a premium user, we store payment information including services you paid for as well as your personal and billing information in order to fulfill Avatao’s legal obligations (Purpose 1). We also store the source code of challenges created by challenge creators (Purpose 1).

Avatao also records information about potential customers (e.g., universities, companies) which may include personal data (i.e., point of contact) (Purpose 4).

For the purpose of targeted advertisements, Avatao or its 3rd parties may record visiting information about users including HTTP headers, IP addresses, information about the web browser, buttons clicked by site visitors, form field names (except field values), and page metadata within Avatao’s platform (Purpose 5).


5. Do we collect or infer any sensitive or special category of personal data about you?

We do not explicitly collect, process or store any special (sensitive) data about you and do not attempt to infer them from the data you provided. (Sensitive/special categories of data include any information which reveals race, ethnic origin, political affiliation, religious or philosophical beliefs, trade union memberships, genetics, biometrics (where used for ID purposes), health, sex life, and sexual orientation.)

6. Why can we collect data about you? (Legal basis of data processing)

Avatao collects and processes data about individuals only for the purposes listed in Section 3 and only if they provide their consent to do so. Avatao always asks for users’ and visitors’ consent before it first processes or collects their data. There are two exceptions:

  • The data of challenge creators and premium users must be collected in order to comply with legal obligations of Avatao regarding payouts and billing.

  • The data of companies or institutions are collected because their interests or fundamental rights and freedoms should not override Avatao’s legitimate interests. Also, Avatao stores the contact information of any person only if s/he has provided consent to do so either explicitly or implicitly.

Users can withdraw consent given to Purposes 2 and 3 at any time on their profile page.

7. What kind of cookies do we store? (Cookie policy)

When you visit any of our websites for the first time, a small window (banner or bar) appears at the bottom of our website which informs you that we (or some of our sub-processors) may store some cookies in your browser in order to guarantee the correct operation of our services. A cookie is a small piece of data stored in your browser by our web server which identifies your browser. Your browser sends these cookies to our web server when you visit our websites. We use three types of cookies depending on their objectives:

  1. Strictly necessary cookies: These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies, services you have asked for, like logging in or starting challenges, cannot be provided.

  2. Performance cookies: These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies do not collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.

  3. Functionality cookies: These cookies allow the website to remember choices you make (such as your accepting cookie usage) and provide enhanced, more personal features.

  4. Advertising cookies: These cookies are used to deliver ads that are relevant to your interests and browsing habits, and to help measure the performance of ad campaigns.

See full list at cookie list.

By browsing Avatao’s websites, you implicitly agree that Avatao can store the above cookies on your device. If you disable cookies in your browser, you will not be able to log in or use Avatao’s services.

All social widgets (Facebook share buttons, Tweet buttons) which are used on Avatao’s websites cannot be used by any third-parties (including Facebook and Twitter) to track your online browser activity.

Note that certain actions, such as clicking on links and buttons on Avatao’s website might navigate you away to external websites which are not hosted on Avatao’s domain (i.e., avatao.com). The target website may store other cookies in your browser not discussed here.

8. Who else can access your data and why? (Data processors)

See full list of data processors.

9. How long do we store your data? (Data retention)

Avatao stores any information about you only as long as it is necessary and eligible for achieving the purposes the data were collected for (see Section 3), unless otherwise required by law. Avatao does not collect any unnecessary volume of information, or any unnecessary information, or any information that is unsuitable for achieving the purposes described above. Avatao will retain and use information as necessary to comply with its legal obligations, resolve disputes, and enforce agreements as follows:

  • backups are kept for 730 days;

  • your logged IP address is retained for 6 months for the purpose of incident response and forensics;

  • the aggregated website analytics on avatao.com are stored for 38 months;

  • billing information is retained for a period of 5 years in accordance with the Hungarian accounting and taxation laws.

Avatao retains your user account (including inactive accounts) and activity data indefinitely, unless you delete it or request its deletion. If you would like to delete your user account, you may want to send us an e-mail to dpo@avatao.com. We will delete your full profile (within reason) within 30 days.

10. Where is your data transferred?

Avatao does not transfer personal data outside the EEA (European Economic Area), but some of Avatao’s data processors may do so. However, these data processors participate in the Privacy Shield framework, which you can also verify on the website of the Department of Commerce at https://www.privacyshield.gov/list. This allows us to transfer your personal data to these data processors, as they also process your personal data according to a strong set of data protection rules and safeguards. The protection given to your data applies regardless of whether you are an EU citizen or not. For more details about the Privacy Shield framework please visit https://www.privacyshield.gov/article?id=Requirements-of-Participation.

11. How do we protect your data?

It is the obligation of Avatao to provide protection for your personal data. Avatao has introduced physical, electronic and administrative procedures for the protection of your personal data from unauthorized access, modification, transmission, publication, cancellation or destruction and, furthermore, from inaccessibility caused by accidental destruction, damage or by the modification of the applied technology. Avatao pays particular attention to the protection of your personal data from unlawful and unauthorized procedure during data management. Despite all of these measures, Avatao cannot fully guarantee the security of your data.

Avatao provides security for your data by the following means: usage of encoding (including encryption) where possible, password protection where applicable, limitation of the access to information (i.e. only those employees have access to these data for whom it is necessary for the attainment of the purposes written above). Avatao requests you to help protect the information by using a non-obvious login name and password, and by regular modification of your password. Furthermore, Avatao also requests you not to make your password accessible to any other person.

12. Children’s Privacy

Avatao’s service is not intended for children under the age of 16. If we learn that you are a person under 16 years and you provided your personal data without verifiable parental consent, then we will take the appropriate steps to delete this information. If you are a parent or guardian and discover that your child under 16 years of age has registered for our services, then you should inform us at dpo@avatao.com and request that we delete your child’s personal data from our systems.

13. What rights do you have? (Rights of data subjects)

Avatao reminds you that you have several important data protection rights that we fully respect. You can find these rights below and also in the GDPR at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016R0679.

  • Right to request information about the management of your personal data or any information related to your data protection rights at any time. Information is given free of charge. Avatao will give you the information within 30 (thirty) days of the submission of your request.

  • Right to access any of your personal data stored or processed by Avatao or information on their management.

  • Right to withdraw your consent at any time.

  • Right to request the correction or erasure (excluding the case of compulsory data management) of your personal data.

  • Right to object to the management of your personal data in cases defined in the General Data Protection Regulation (GDPR). You also have the right to object to the processing of personal data for the purpose of direct marketing, including profiling.

  • Right to restrict the processing of personal data in cases defined in the GDPR.

  • Right to data portability by receiving a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use. You also have the right to transfer your personal data to another data controller.

  • Right to turn to our Data Protection Officer (DPO) if you have any question in relation to the management of your personal data, your data protection rights, or feel that any of your rights are violated. You can reach our DPO at dpo@avatao.com.

  • Right to turn to the competent court or authority. If you have any complaints unanswered by us or our DPO within 30 days, or feel that your rights described above are seriously violated, you can always contact the Hungarian Data Protection Agency (NAIH) (Szilágyi Erzsébet fasor 22/c, 1125 Budapest, Hungary, phone: +36 (1) 391-1400, e-mail: ugyfelszolgalat@naih.hu) or any European Data Protection Agency in your country of residence directly.

Avatao gives effect to your above rights of access, rectification, erasure and the right to object, free of charge. Avatao draws your attention to the fact that in certain cases, in connection with the data management defined in this privacy policy, the data controller may manage your personal data according to Section 6 (5) of Act CXII of 2011, of Hungary on Informational Self-determination and Freedom of Information. This means that the management of personal data may be necessary for the fulfillment of certain legal obligations of the data controller or for the observation of the legitimate interest of third parties. In these cases personal data may be managed even if you have withdrawn your permission thereto. You may ask for further information from the data controller at its contact details.

14. Who can you contact in case of further questions or problems?

You can always contact our Data Protection Officer at dpo@avatao.com. Upon your request, our DPO will inform you about the data we store and process about you, and the source of these data, the purpose, the legal basis, and the duration of the data management. We also provide information about the name, address and data management-related activity of any of our data processors as well as, in case your personal data are forwarded, about the legal basis and addressee thereof. 

Should you have any complaints unanswered by us within 30 days or feel that your data protection rights are violated, you can always contact the Hungarian Data Protection Agency (NAIH) (Szilágyi Erzsébet fasor 22/c, 1125 Budapest, Hungary, phone: +36 (1) 391-1400, e-mail: ugyfelszolgalat@naih.hu) or the local Data Protection Authority in your country of residence.