1. Who we are
The controller of your personal data is CODESPECT s.r.o., Lužická 1490/33, Kylešovice, 747 06 Opava, Czechia. Contact: contact@codespect.xyz.
2. What data we collect at registration
When you submit the registration form, we process:
| Field | Source | Required |
|---|---|---|
| | you | yes |
| Handle | you | yes |
| GitHub profile URL | you | yes |
| Discord handle | you | yes |
| Portfolio links | you | optional |
| Free-text notes | you | optional |
| Consent flags + version + timestamp | you | yes |
| Hashed IP address (HMAC-SHA256, not reversible to the original IP without our server secret) | derived from your request | automatic |
| User-agent string | sent by your browser | automatic |
| Verification token (hashed, 24-hour expiry) | generated by us, mailed to you | automatic |
We do not use cookies, analytics, or third-party trackers on this site.
3. Why we process it, and on what legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Evaluating your application and selecting contestants | Art. 6(1)(a) — your consent |
| Sending you the email verification link | Art. 6(1)(b) — steps prior to entering into a contract at your request |
| Inviting you to the contest chat platform (only if selected) | Art. 6(1)(b) — performance of the contest you applied to |
| Storing a hashed IP and user-agent to prevent spam/abuse of the form | Art. 6(1)(f) — legitimate interest in operating the service securely |
| Keeping a record of your consent (text, version, timestamp) | Art. 6(1)(c) — accountability obligation under Art. 7(1) GDPR |
If you are selected and win a bounty, we will then ask you to pass KYC (identity, address, sanctions screening). That is a separate processing operation governed by its own notice at the time we ask for those documents — it is not covered by this notice.
Providing the required fields is a precondition for participating in the contest; if you do not provide them, we cannot evaluate your application.
4. Who receives your data
Your data is processed only by us and by service providers acting on our written instructions under Art. 28 GDPR. We use providers in the following categories:
- An email delivery provider, to send your verification link and any contest correspondence.
- A website hosting and edge-routing provider, which serves this site and handles incoming requests.
- A managed database provider, where applications are stored.
- A rate-limiting / abuse-prevention provider, which stores hashed IPs for short periods.
- A community chat platform, used only if you are selected, to deliver your invite to the contest server. Only your chat handle is shared, at the moment of invitation.
We do not sell or rent personal data. We do not share your data with the audited protocol team. Members of the CODESPECT team and the lead judge contracted by us act under our authority and are not separate recipients in the sense of Art. 13(1)(e) GDPR.
If you would like the names of the specific providers we currently use, please request them at the address in §1 — we are required to provide them on request under Art. 15 GDPR.
5. Transfers outside the EEA
Some of our processors operate infrastructure outside the European Economic Area. Where this occurs, transfers are covered by the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914) and, where the destination is the United States, the EU–US Data Privacy Framework where the recipient is certified. You can request a copy of the safeguards from the contact in §1.
6. How long we keep your data
| Category | Retention |
|---|---|
| Applications from non-selected contestants | Deleted within 90 days of contest selection being finalised, unless you separately opt in to future contests. |
| Applications from selected contestants | Kept for the duration of the contest plus 24 months afterwards, to handle disputes, attributions in the final report, and bounty payouts. |
| Consent records (text, version, timestamp) | Retained for 3 years after the related application is deleted, as evidence of compliance with Art. 7 GDPR. |
| Hashed IP + user-agent (anti-abuse) | 30 days, then deleted. |
| Verification token hash | Deleted on use, or 24 hours after issue, whichever comes first. |
7. Your rights
Under GDPR Arts. 15–22 you have the right to:
- Access the personal data we hold about you;
- Rectification of inaccurate data;
- Erasure (the "right to be forgotten");
- Restriction of processing;
- Data portability for the data you provided to us;
- Object to processing based on legitimate interests (§3 row 4);
- Withdraw your consent at any time, with effect for the future — withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw, email the address in §1.
We do not make automated decisions with legal or similarly significant effects about you. Contestant selection is performed manually by the CODESPECT team.
You also have the right to lodge a complaint with the Czech supervisory authority:
Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, Czechia, https://www.uoou.gov.cz
…or with the supervisory authority in your country of residence.
8. Security
Personal data is transmitted over TLS and stored in databases with access restricted to the CODESPECT team. IP addresses are stored only as a salted HMAC (not as plaintext), and verification tokens are stored only as hashes.
9. Changes to this notice
We may update this notice (for example, to add a new processor category or change retention). Material changes will be reflected in the "Last updated" date at the top. If a change affects the consent you gave at registration, we will ask you to re-consent before continuing to process your data on the new basis.