Privacy Policy
Last updated: January 2025
1. Who We Are
Promptathon is operated by Your College. We are the data controller for information collected through this platform. Contact us at promptathon@promptathon.es3d.org.
2. What Data We Collect
We collect the following categories of personal data:
- Account data: Email address, name (if provided), Microsoft account ID (if you use SSO).
- Submission data: Title, written content, and uploaded files you submit as part of the competition.
- Technical data: IP addresses (for security and rate limiting), login timestamps, browser User-Agent (for consent records).
- Consent records: Your cookie and processing consent choices, with timestamp.
3. Legal Basis for Processing
- Contract performance (Art. 6(1)(b)): Processing your account and submission data to deliver the competition.
- Legitimate interests (Art. 6(1)(f)): Security logging, fraud prevention, audit trails.
- Consent (Art. 6(1)(a)): Optional analytics or preference cookies, if you accept them.
4. How We Use Your Data
- To authenticate you and manage your account.
- To receive, store, and judge your competition submission.
- To send transactional emails (sign-in codes, submission confirmations).
- To maintain security and audit logs.
- To respond to data subject requests.
5. Data Retention
We retain personal data for as long as is necessary for the purposes described above. Competition data (accounts and submissions) is retained for up to 2 years after the competition closes. Audit logs are retained for 90 days. You may request earlier deletion (see Your Rights below).
6. Data Security
We implement appropriate technical and organisational security measures including:
- TLS encryption in transit (HTTPS enforced).
- AES-128-CBC field-level encryption for stored personal data (Fernet).
- Hashed OTP tokens (SHA-256) — plain codes are never stored.
- HTTP security headers (CSP, HSTS, X-Frame-Options).
- Rate limiting on authentication endpoints.
7. Sharing Your Data
We do not sell your personal data. We may share it with:
- Judges at Your College for the purpose of assessing submissions.
- Microsoft (if you use Microsoft SSO) — subject to Microsoft's own privacy policy.
- Our email provider (SMTP service) solely to deliver transactional messages.
8. Your Rights
Under UK/EU GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Erase your data ("right to be forgotten").
- Port your data to another service.
- Restrict or object to processing.
- Withdraw consent at any time (for consent-based processing).
To exercise any right, submit a data request or email promptathon@promptathon.es3d.org. We will respond within 30 days.
9. Cookies
We use strictly necessary session cookies (required for login security) and, with your consent, optional analytics or preference cookies. You can manage your preferences via the cookie banner or by revisiting our site.
10. Complaints
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or your local supervisory authority.