1. Who are we? (Data controller)
Avatao.com Innovative Learning Kft. (hereinafter: Avatao, we, us) provides educational services (hereinafter: service) in accordance with the General Data Protection Regulation (GDPR) through its website at www.avatao.com, and on its platform next.avatao.com (hereinafter together: website, platform).
Our contact information:
Avatao.com Innovative Learning Kft.
Budapest – 1117
Alíz utca 1/B. Office Garden
2. Who are you for us? (Data subjects)
You can be
- a visitor of our website (hereinafter: visitor), if you simply browse any of our websites on the (sub)-domain of avatao.com;
- a registered user (hereinafter: registered user), who registers on our platform through next.avatao.com;
- a premium user (hereinafter: premium user), who registers on our platform through next.avatao.com and subscribes to our premium content in a paid subscription model;
- a challenge creator (hereinafter: challenge creator), who registers on our platform through avatao.com and can create challenges on our platform;
- an organization (hereinafter: organization), who may or may not have registered on our platform, but its contact information is stored by us for communication purposes;
- a business user (hereinafter: business user), who has an assigned license from an organization.
The term “user” henceforth includes registered users, premium users, business users, and challenge creators.
3. Why do we collect and process your data? (Purposes of data collection)
In general, Avatao uses your personal data for the provision, monitoring, revision and development of its educational services, and for the fulfilment of every contractual obligation of Avatao. Avatao also uses your personal data for communicating with you in connection with our services and our contractual and legal obligations. More specifically, Avatao’s purposes to process your personal data are as follows.
Purpose 1: Providing educational service by delivering challenge oriented hands-on IT security exercises
Avatao offers a rich library of hands-on IT security exercises for software engineers to teach secure programming from design to deployment. These exercises are presented as challenges to any visitor or registered user. Visitors can have access to a limited set of challenges, while registered/premium users can have access to a wider set of challenges. In order to have complete access to our services, a user must register on the platform and create a user account. After registering through our website, a user becomes a registered user.
Avatao collects personal data for the following specific purposes:
- Avatao may evaluate the performance of registered users using a scoring mechanism.
- Avatao may notify registered users when an action is expected from their side or when they request information from Avatao. Avatao only delivers information if recipients are eligible to access it.
- Avatao may ask users to optionally review certain components of the platform.
- Avatao may group registered users into organizations.
- Avatao may award users who successfully solve certain challenges.
- Avatao offers premium services in a paid subscription model to registered users. As part of this service, Avatao processes and store personal and billing information of premium users in order to fulfill Avatao’s legal obligations.
- Avatao may organize challenges into one-time events and may invite challenge creators.
- Avatao sends notifications about service updates or important changes to users’ accounts via email.
Purpose 2: Newsletters
Avatao offers a newsletter service to users and visitors if they wish to be notified about feature and content updates on Avatao’s platform as well as certain upcoming events, such as CTFs, workshops, hackathon via email; users can opt to subscribe to newsletters during registration. Users can unsubscribe on their profile page in case users wish not to receive these updates in the future, as well as all newsletters contain an unsubscribe link.
Purpose 3: Platform analytics
Analytics of users’ behavioural data on Avatao’s websites are recorded on server side for quality assurance and security purposes. Additionally, in case the user consents, Avatao uses external services to collect information via cookies about how its websites perform and how users, in general, navigate through and use Avatao services. Users may at any time disable the collection at Manage Avatao Platform Privacy Preferences here. This helps Avatao evaluate how users use the platform, compute statistics of activity, and improve the overall service and website performance. Avatao can also record performance information about users in order to deliver behavioural data to other users, such as organization Owners or Admins, only if the recipients are eligible to access this information.
Purpose 4: Communication with business partners
Avatao may store the point of contact of some organizations in order to inquire business services and to maintain a customer relationship with these organizations or their representatives.
Purpose 5: Advertising
Avatao may collect information to facilitate Avatao’s marketing initiatives and better communicate with users about the products and services offered by Avatao. To this end, we may directly contact trial edition users for product related feedback, and conditional to your consent, Avatao or some of its contracted sub-processors may also provide targeted advertisements to users. Sub-processors may record the list of visited web pages as well as behavioral analytics about users within Avatao’s platform. These data are only used to provide personalized advertisements related to Avatao’s services.
4. What data do we collect about you?
Avatao collects different pieces of information about you. If you are a visitor of our websites, we log the internet characteristics (specifically: IP address; user agent; requested URLs) of your device to improve our services and also for purposes to improve the security of our users’ data. Avatao will not link your device’s IP address with your identity. Avatao also uses your email address to deliver you newsletters (Purpose 2), and to reach out to you for product related feedback (Purpose 5.).
If you are a registered user, Avatao stores your email address as part of allowing you to access your account and also in order to contact you regarding important information about the platform, your account, and to deliver you newsletters, or to contact you for product related feedback. Avatao also stores all necessary information about you for the provision of Avatao’s educational services (Purpose 1). Such information may include your names and affiliations, your memberships and roles in different organizations, your newsletter subscriptions, your reviews/ratings, recommended topics, career tracks, or your certificates, belts issued by Avatao. We also compute and store website analytics about users (Purpose 3). Some of our sub-processors may process mouse movements, mouse clicks, scroll movements of users as well as browser information and the type of operating system (Purpose 3). Direct personal and sensitive information is never transferred to these sub-processors (Purpose 3)
If you are a paid user (i.e.: premium user, business user), we store payment information including services you paid for as well as your personal and billing information in order to fulfill Avatao’s legal obligations (Purpose 1). We also store the source code of challenges created by challenge creators (Purpose 1).
Avatao also records information about potential customers (e.g., universities, companies) which may include personal data (i.e., point of contact) (Purpose 4).
For the purpose of targeted advertisements, Avatao or its 3rd parties may record visiting information about users including HTTP headers, IP addresses, information about the web browser, buttons clicked by site visitors, form field names (except field values), and page metadata within Avatao’s platform (Purpose 5).
5. Do we collect or infer any sensitive or special category of personal data about you?
We do not collect/process/store explicitly any special (sensitive) data about you and do not attempt to infer them from the data you provided. (Sensitive/special category of data include any information which reveal race, ethnic origin, political affiliation, religious or philosophical beliefs, trade union memberships, genetics, biometrics (where used for ID purposes), health, sex life, and sexual orientation).
6. Why can we collect data about you? (Legal basis of data processing)
Avatao collects and processes data about individuals only for the purposes listed in Section 3 with the following articulated legal grounds:
- User consent: Avatao always asks for users’ and visitors’ consent before it first processes or collects their data. Users’ rights regarding consent is detailed in 13. Consent is the legal basis for processing user data described in Purpose 2, Purpose 3 and Purpose 5.
- Compliance with legal obligations: the data of challenge creators and billing contacts must be collected in order to comply with legal obligations of Avatao regarding payouts and billing (in accordance with Hungarian law). This legal basis is used in the case of data stated in the description of Purpose 1 and Purpose 4.
- Performance of a contract: Avatao needs user data to perform its obligations incorporated within the contract of Avatao’s clients and users. This is the legal basis for the data processing described in Purpose 1.
- Legitimate interest: It is in Avatao’s legitimate interest to collect data of the usage of Avatao Platform, to ensure performance and security of the service as described in Purpose 3. Also, by this legal basis, Avatao collects and processes personal data to seek out potential business partners. Avatao does everything to secure and guard the rights and freedoms of the data subjects. Avatao has carefully evaluated all processes done by this legal basis to rule out all violations of any right or freedom.
When you visit any of our websites for the first time, a small window (banner or bar) appears at the bottom of our website which informs you that we (or some of our sub-processors) may store some cookies in your browser in order to guarantee the correct operation of our services. A cookie is a small piece of data stored in your browser by our web server which identifies your browser. Your browser sends these cookies to our web server when you visit our websites. We use four types of cookies depending on their objectives:
- Strictly necessary cookies: These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookie services you have asked for, like logging in or starting challenges, cannot be provided.
- Performance cookies: These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies do not collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.
- Functionality cookies: These cookies allow the website to remember choices you make (such as your accepting cookie usage) and provide enhanced, more personal features.
- Advertising cookies: These cookies are used to deliver ads that are relevant to your interests and browsing habits, and to help measure the performance of ad campaigns.
When visiting Avatao’s websites, you may disable the option that Avatao stores the above cookies on your device. However, if you disable your browser to accept cookies, you will not be able to log in or use Avatao’s services.
Note that certain actions, such as clicking on links and buttons on Avatao’s website might navigate you away to external websites which are not hosted on Avatao’s domain (i.e., avatao.com). The target website may store other cookies in your browser not discussed here.
8. Who else can access your data and why? (Sub-processors)
See full list at Data processors.
9. How long do we store your data? (Data retention)
Avatao stores any information about you only as long as it is necessary and eligible for achieving the purposes the data were collected for (see Section 3), unless otherwise required by law. Avatao does not collect any unnecessary volume of information, or any unnecessary information, or any information that are unsuitable for achieving the purposes described above. Avatao will retain and use information as necessary to comply with its legal obligations, resolve disputes, and enforce agreements as follows:
- backups are kept at most for 730 days;
- your logged IP address and related actions are retained for 90 days for the purpose of quality assurance, incident response, and forensics;
- the aggregated website analytics on avatao.com are stored for 38 months;
- billing information is retained for a period of 5 years in accordance with the Hungarian accounting and taxation laws
Avatao retains your user account (including inactive accounts) and activity data for 3 years, unless you delete it or request its deletion. If you would like to delete your user account, you may want to send us an email to firstname.lastname@example.org. Upon user request, we will delete your full profile within 30 days – if there is no other reason, legal basis or other purpose for us to retain it. If there is such a reason, Avatao shall inform you within the due date.
10. Where is your data transferred?
Avatao does not transfer personal data outside the EEA (European Economic Area), but some of Avatao’s sub-processors may do. These sub-processors are based in the United States of America (U.S.A.) or Canada. With these sub-processors we implemented Standard Contractual Clauses (as per Art. 28. and 46. of GDPR) to ensure compliance and process your personal data according to a strong set of data protection rules and safeguards. The protection given to your data applies regardless of whether you are an EU citizen or not.
11. How do we protect your data?
It is the obligation of Avatao to provide protection for your personal data. Avatao has introduced physical, electronic and administrative procedures for the protection of your personal data from unauthorized access, modification, transmission, publication, cancellation or destruction, furthermore, from inaccessibility caused by causal destruction, damage or by the modification of the applied technology. Avatao pays particular attention to the protection of your personal data from unlawful and unauthorized procedure during data management. Despite all of these measures, no method of transmission over the Internet, or method of electronic storage is 100% secure, still, Avatao does everything which can be expected for the security of your data in accordance with industry good practice.
Avatao provides security for your data by the following means: usage of encoding (including encryption) where possible, password protection where applicable, limitation of the access to information (i.e., only those employees have access to these data for whom it is necessary for the attainment of the purposes written above). Avatao requests you to help protect the information by using a non-obvious login name and password, this can be achieved for example via a password manager. Furthermore, Avatao also requests you not to make your password accessible for any other person.
12. Children’s Privacy
Avatao’s service is not intended for children under the age of 16. If we learn that you are a person under 16 years and you provided your personal data without verifiable parental consent, then we will take the appropriate steps to delete this information. If you are a parent or guardian and discover that your child under 16 years of age has registered for our services, then you should inform us at email@example.com and request that we delete your child’s personal data from our systems.
13. What rights do you have? (Rights of data subjects)
Avatao recall you that you have several important data protection rights that we fully respect. You can find these rights below and also in the GDPR at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016R0679.
- Right to request information about the management of your personal data or any information related to your data protection rights at any time. Information is given free of charge. Avatao will give you the information within 30 (thirty) days of the submission of your request.
- Right to access any of your personal data stored or processed by Avatao or information on their management.
- Right to withdraw your consent at any time.
- Right to request the correction or erasure (excluding the case of compulsory data management) of your personal data.
- Right to object to the management of your personal data in cases defined in the General Data Protection Regulation (GDPR). You also have the right to object to the processing of personal data for the purpose of direct marketing, including profiling.
- Right to restrict the processing of personal data in cases defined in the GDPR.
- Right to data portability by receiving a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use. You also have the right to transfer your personal data to another data controller.
- Right to turn to our Data Protection Officer (DPO) if you have any question in relation to the management of your personal data, your data protection rights, or feel that any of your rights are violated. You can reach our DPO at firstname.lastname@example.org.
- Right to turn to the competent court or authority if you have any complains unanswered by us or our DPO within 30 days or feel that your rights described above are seriously violated, you can always contact the Hungarian Data Protection Agency (NAIH) (Szilágyi Erzsébet fasor 22/c, 1125 Budapest, Hungary, phone: +36 (1) 391-1400, e-mail: email@example.com) or any European Data Protection Agency in your country of residence directly.
14. Who can you contact in case of further questions or problems?
You can always contact our Data Protection Officer at firstname.lastname@example.org. Upon your request, our DPO will inform you about the data we store and process about you, and the source of these data, the purpose, the legal basis, and the duration of the data management. We also provide information about the name, address and data management-related activity of any of our data processors as well as, in case your personal data are forwarded, about the legal basis and addressee thereof.
Should you have any complains unanswered by us within 30 days or feel that your data protection rights are violated, you can always contact the Hungarian Data Protection Agency (NAIH) (Szilágyi Erzsébet fasor 22/c, 1125 Budapest, Hungary, phone: +36 (1) 391-1400, e-mail: email@example.com) or the local Data Protection Authority in your country of residence.
© 2020 Avatao • Contact: firstname.lastname@example.org