This page describes what LevelUp collects, why, and what we never do. It aligns with our FAQ — if anything is unclear, the FAQ is the source of truth and this is the formal restatement.
Last reviewed: 2026-04-21. Contact: privacy@levelupctf.com.
Email, display name (handle), and password hash. Optionally display name, country, stream selection, and social links if you fill them in on your profile.
Solve history, attempt timestamps, hint usage, ELO rating, skill vector (12 axes), category scores, and badges. This is what lets us match you to challenges at the right difficulty.
Keystroke patterns, tool execution order, retries, hint usage, and session replay on sandboxed challenge containers. This telemetry powers three things: difficulty calibration, the AI-vs-human classifier (used to isolate bot-vs-human leaderboard cohorts), and — on Enterprise tiers only — audit-ready session replay for compliance teams.
Telemetry collection on free and Developer tiers is mandatory and cannot be disabled; the platform depends on it for difficulty calibration and fair matchmaking. On Enterprise tiers, your admin controls session replay retention.
Standard request/response logs, IP address at auth time for rate-limiting and abuse prevention, and Docker container lifecycle events. Kept for 30 days by default, longer if required for incident investigation.
You can delete your account and all associated training data at any time from your profile page, or by emailing privacy@levelupctf.com. Deletion is permanent: your handle, solve history, skill vector, and behavioural telemetry are removed within 30 days. Aggregate metrics that already shipped in research or monthly reports are retained in anonymised form.
We set the authentication cookie (levelup_token, 7-day lifetime), a CSRF marker (when applicable), and a Google Analytics identifier (for aggregate page-view counts). We do not set third-party advertising or cross-site tracking cookies. You can block the GA cookie with any standard ad-blocker; it does not affect platform functionality.
Password hashing: bcrypt. Transport: TLS 1.3 only. Sandbox isolation: Docker with seccomp + no-new-privileges + network policy + read-only filesystems where applicable.
We do not claim SOC 2 Type II or ISO 27001 certification. We welcome security reports at security@levelupctf.com.
Material changes are announced via email to all registered accounts at least 14 days before taking effect. The current version of this page is the canonical text.