Privacy Policy

1. Controller and contact details

Codex Hackathons is operated by Alexandru Gavrilescu from Vienna, Austria.

• Controller: Alexandru Gavrilescu
• Postal address: Zentagasse 33/2, 1050 Vienna, Austria
• General support: support@codex-hackathons.com
• Privacy contact: privacy@codex-hackathons.com

No separate data protection officer has been appointed.

2. Scope of this policy

This Privacy Policy explains how we process personal data when you:

• visit the Codex Hackathons website
• create and use a platform account
• apply to hackathons
• join or manage teams
• submit projects
• participate in judging or hackathon administration
• redeem prizes
• contact us through the imprint contact form or by email

Hackathon-specific application terms, winner terms, and event materials may contain additional rules for a particular hackathon. This policy covers the platform-level processing behind those workflows as operated through Codex Hackathons.

3. Who can use the platform

The platform is intended for adults. You must be at least 18 years old to create an account or use the platform.

We do not knowingly collect personal data from children under 18. If you believe a minor under 18 has provided personal data to us, contact us at privacy@codex-hackathons.com.

4. Categories of personal data we process

Depending on how you use the platform, we may process:

Account and identity data

• Auth0 subject identifier
• email address
• display name, first name, and family name
• platform account status information

Optional profile data

• company and bio
• X, LinkedIn, and GitHub profile links
• ChatGPT email
• OpenAI organization ID
• Luma username
• optional profile icon

Hackathon participation data

• hackathons you apply to, join, administer, or judge
• application status and review metadata
• application responses, including optional motivation text and proof-of-execution URL
• in-person attendance commitment when required for a hackathon
• team-intent information and teammate hints you provide during application

Team, submission, and judging data

• team membership and join-request records
• submission content such as project name, summary, repository URL, and demo URL
• judging assignments, scores, comments, eligibility decisions, and related workflow records
• admin actions and competition operations data

Prize and legal-record data

• prize eligibility and redemption records
• legal name supplied for prize redemption
• acceptance records for platform documents and hackathon-specific terms documents, including the exact version accepted and acceptance timestamps

Contact and support data

• information you include when you email us or use the imprint contact form, such as your name, email address, and message

Technical and security data

• session and authentication state needed to keep you signed in
• request metadata, logs, IP-address-related technical information, and security events reasonably needed to operate and secure the platform

Publicly displayed competition data

If a hackathon publishes results, we may publicly display winner and project information such as:

• participant or team names
• project names
• demo links
• repository links

5. Purposes of processing and legal bases

We process personal data for the following purposes:

To create accounts and operate the platform

This includes sign-in, account provisioning, profile management, hackathon participation, team workflows, submissions, judging, prize workflows, and hackathon administration.

Legal basis: performance of a contract with you or steps taken at your request before entering into a contract (Article 6(1)(b) GDPR).

To run support, privacy, and legal-contact channels

This includes handling messages sent through the imprint contact form or by email, answering questions, and following up on your request.

Legal basis: legitimate interests (Article 6(1)(f) GDPR) in responding to inquiries and operating the service, and where your request concerns entering into or using the service, Article 6(1)(b) GDPR.

To secure the service and preserve operational integrity

This includes preventing abuse, protecting accounts, investigating incidents, preserving audit trails, and defending the platform against misuse.

Legal basis: legitimate interests (Article 6(1)(f) GDPR) and, where applicable, compliance with legal obligations (Article 6(1)(c) GDPR).

To comply with legal, tax, accounting, or regulatory obligations

This includes handling lawful requests, retaining records where required by law, and preserving evidence relevant to disputes or compliance matters.

Legal basis: compliance with legal obligations (Article 6(1)(c) GDPR).

To publish and document hackathon outcomes

This includes publishing winner details, team names, project names, demo links, repository links, and related recap or showcase material where a hackathon publishes results.

Legal basis: legitimate interests (Article 6(1)(f) GDPR) in operating, documenting, and promoting the platform and its hackathons, together with the platform and hackathon terms that apply to participation.

Our legitimate interests include operating a secure hackathon platform, preventing abuse, answering inquiries, documenting competition outcomes, and defending legal claims.

6. Sources of personal data

We receive personal data:

• directly from you when you create an account, complete your profile, apply, participate, submit content, redeem prizes, or contact us
• from Auth0 when you authenticate and create or use your platform account
• from hackathon admins, judges, or team admins when they carry out workflow actions within the platform
• from technical systems that generate operational and security metadata while the service is used

We do not rely on publicly accessible sources for ordinary platform operation, except where you voluntarily provide public links such as social-profile URLs, repository URLs, or demo URLs.

7. Recipients of personal data

We share personal data only where needed to run the platform and hackathons.

Processors and infrastructure providers

At launch, the platform uses:

• Auth0 for authentication and identity
• Cloudflare for application hosting, database, storage, and queue infrastructure
• Resend for transactional email delivery

These providers process data on our behalf according to their service terms and data-processing arrangements.

Other users inside the platform

Depending on your role and the workflow:

• hackathon admins may view application, participation, submission, prize, and operational records needed to run a hackathon
• judges may access blind-judging data assigned to them
• team members and team admins may see team and submission information relevant to their team

Public recipients

If a hackathon publishes results, winner and project information may become public as described above.

Authorities and advisers

We may also disclose information to competent authorities, courts, insurers, auditors, or professional advisers where legally required or reasonably necessary to establish, exercise, or defend legal claims.

We do not sell personal data. We do not use participant data for advertising or behavioral profiling. At launch, we do not share participant data with sponsors, venue partners, or unrelated third parties outside the listed service providers unless a specific hackathon workflow clearly tells you otherwise.

8. International transfers

Some service providers may process personal data outside the EEA or make support, security, or infrastructure resources available from outside the EEA.

Where personal data is transferred internationally, we rely on lawful transfer mechanisms such as adequacy decisions, standard contractual clauses, or other safeguards permitted by GDPR.

You can request more information about relevant safeguards by contacting privacy@codex-hackathons.com.

9. Retention

We keep personal data only for as long as needed for the purposes described above or as long as required by law.

Our current platform-level retention approach is:

• inactive platform accounts: up to 2 years after the last meaningful activity, unless deleted earlier or retention is needed for a dispute, security issue, or legal obligation
• rejected applications: up to 1 month after the relevant hackathon is closed
• contact-form and support correspondence: for as long as needed to respond, handle follow-up, document the request, and resolve any related legal or operational issue
• approved applications, team data, submissions, judging data, prize records, and audit records: retained for as long as reasonably necessary to operate the platform, preserve competition integrity, document outcomes, handle disputes, defend legal claims, and meet compliance needs

When an account is deleted, we may retain de-identified or pseudonymized operational records where reasonably necessary for compliance, security, auditability, or competition integrity.

10. When providing data is required

Some personal data is required so we can provide the service:

• if you do not provide the data required for account creation and authentication, you cannot create or use a platform account
• if you do not provide the fields required for a specific hackathon application or workflow, you may not be able to apply, join a team, submit a project, judge, administer the hackathon, or redeem a prize
• if you do not provide a working email address or enough information in a support or imprint-contact request, we may be unable to respond effectively

Providing optional profile fields is voluntary. Not providing optional fields may limit only the specific optional feature that uses them.

11. Cookies and similar technologies

At launch, the platform does not use cookies or similar technologies for advertising, cross-site tracking, or behavioral profiling.

We do use strictly necessary cookies and similar local storage mechanisms to run the service, such as:

• authentication and session state
• security and abuse-prevention controls
• site preferences such as selected theme and navigation state
• functionality required to keep the platform working correctly

If we later introduce non-essential analytics, marketing, or profiling technologies, we will update the legal notices and any consent flows as needed.

12. Your rights

Depending on the circumstances, you may have the right to:

• access your personal data
• rectify inaccurate or incomplete data
• erase data
• restrict processing
• object to processing based on legitimate interests
• receive data portability where applicable
• withdraw consent where processing is based on consent
• lodge a complaint with a supervisory authority

To exercise your rights, contact privacy@codex-hackathons.com.

You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehoerde) or with another competent supervisory authority in the EU. See https://www.dsb.gv.at.

13. Automated decision-making

We do not use solely automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.

14. Security

We use reasonable technical and organizational measures to protect the platform and personal data. No internet service can be completely secure, so we cannot guarantee absolute security.

15. Changes to this policy

We may update this Privacy Policy from time to time. The current platform version can be updated in the product's version-tracking records, and the public legal pages may also be updated in the repository-backed site content.

When required, we will take appropriate steps to notify users of material changes.