Personal Data Protection
How we protect personally identifiable information (PII) and our commitment to responsible, ethical technology practices across the HackCulture platform.
Last Updated: April 9, 2026
1. Introduction
HackCulture is an innovation management platform that helps organizations run global hackathons and innovation challenges. The platform connects participants, organizers, judges, and mentors, handling personal data at different stages of the process. This document explains how we protect personally identifiable information (PII) and our commitment to responsible and ethical technology practices.
The HackCulture platform is hosted entirely on enterprise-grade cloud infrastructure, providing built-in support for industry compliance standards including ISO 27001, SOC 2, and GDPR.
2. Personal Data We Collect
HackCulture collects only the data required to support hackathon participation, judging, and event management.
2.1 Participant Profiles
| Category | Fields | Purpose |
|---|---|---|
| Identity | Full name, email, gender | Account identification and communication |
| Contact | Phone number (optional) | Organizer or emergency contact |
| Education | College, degree, year of study or graduation | Eligibility verification |
| Professional | Company, role, industry, skills, work history | Profile matching and eligibility |
| Social Links | GitHub, LinkedIn, Twitter (optional) | Community visibility controlled by the user |
| Documents | Resume | Hackathon applications |
| Preferences | Communication opt-in settings | Email consent management, including platform program notifications |
2.2 Judge and Mentor Data
We collect name, email, phone (optional), industry, bio, and social links. Public visibility is controlled through the is_public setting, allowing organizers to choose whether their profile is displayed.
2.3 Organization and Tenant Data
We currently store the organization name, legal name, and contact email or phone. Ownership relationships allow proper administrative control.
2.4 Event Participation Data
We store registration responses, team membership details, submission content, and evaluation scores required to run programs effectively.
3. How We Use Personal Data
HackCulture uses personal data solely to operate and improve the platform experience. We do not sell, rent, or share personal data with any third party for commercial or marketing purposes.
3.1 Platform Operations
Personal data is used to create and manage user accounts, process event registrations, facilitate team formation, support judging and evaluation workflows, and deliver transactional communications such as registration confirmations and submission receipts.
3.2 Program Communications
By joining the HackCulture platform, participants become part of an active innovation community. We use registered email addresses to notify participants about new and upcoming hackathons, innovation challenges, and programs hosted on the platform. These notifications are designed to help participants discover relevant opportunities, register in time, and stay engaged with the community.
This type of communication is sent only to registered platform users and is always relevant to HackCulture-hosted programs. Participants can manage or opt out of these notifications at any time through their communication preferences in account settings.
3.3 No Third-Party Data Sharing
Personal data collected through HackCulture is never shared with, sold to, or made accessible by any third party. This applies to all categories of data including email addresses, profile information, submission content, and evaluation records.
Data may be accessed by the organizing entity of a specific hackathon only to the extent necessary to run that program, and only within the permissions granted by the platform's role-based access control system.
3.4 Internal Use Only
All data usage is strictly internal to the HackCulture platform. We do not use personal data for advertising, profiling unrelated to platform activity, or automated decision-making that produces legal or similarly significant effects on users.
3.5 Consent at Registration
HackCulture collects explicit consent from users as part of the registration process. Before an account is created, users are presented with a clear notice outlining how their personal data will be collected, stored, and used — including for event participation, platform communications, and program notifications. Account creation requires affirmative acknowledgment of this notice, ensuring that all data processing is grounded in informed user consent.
4. Data Retention & Archival
HackCulture distinguishes between two categories of data with different retention treatments: program-specific activity data and persistent participant profile data.
4.1 Program-Related Data
Data generated through participation in a specific hackathon or innovation challenge — including team memberships, project submissions, evaluation scores, and registration responses — is considered program-scoped activity data. This data is retained for a period of 6 months following the conclusion of the respective program.
At the end of this retention period, the following process is followed:
- The data is archived and a complete export is prepared and made available to the customer or organizing entity for their own records.
- Once the export has been delivered and acknowledged, the data is permanently deleted from the HackCulture platform.
This ensures customers retain ownership of program outcomes and participant records, while HackCulture does not hold data beyond its operational purpose.
This applies to:
- Created teams and team membership records
- Project and solution submissions
- Evaluation scores and judge remarks
- Event-specific registration responses
4.2 Participant, Judge, and Mentor Profile Data
Profile data for participants, judges, and mentors is not subject to automatic archival or scheduled deletion. A user's profile — including identity, professional, educational, and preference information — remains active and accessible on the platform for the duration of their account's active status.
This allows participants to seamlessly discover and register for future programs without needing to re-create their profile, and ensures continuity across multiple hackathon cycles.
Profile data is retained until the registered user formally requests account deletion. Upon such a request, all associated profile data is removed from the platform in accordance with our data deletion process. Users may initiate this request at any time through account settings or by contacting the platform administrators.
4.3 Summary of Retention Policy
| Data Type | Retention Period |
|---|---|
| Teams and team memberships | 6 months post-program |
| Project submissions | 6 months post-program |
| Evaluation scores and judge remarks | 6 months post-program |
| Event registration responses | 6 months post-program |
| Participant profile (identity, education, professional, preferences) | Retained while account is active |
| Judge and mentor profiles | Retained while account is active |
5. How We Protect Personal Data
5.1 Authentication
HackCulture uses an industry-standard identity management service for authentication.
Passwords are never stored on our servers. All credentials are managed by a dedicated authentication provider. Authentication relies on short-lived, time-bound access tokens. Token revocation checks are performed on every request so that compromised accounts can be blocked quickly.
Email verification is required before users can perform sensitive actions such as creating hackathons or joining teams.
5.2 Authorization with Role-Based Access Control
Access to data is controlled through a hierarchical role-based access control (RBAC) model with four levels:
Global → Tenant → Organization → Event
There are eleven predefined roles including Super Admin, Platform Manager, Tenant Admin, Organization Admin, Event Admin, Event Moderator, Judge, and Mentor.
Permissions follow inheritance rules. For example, a Tenant Admin automatically has permissions across all organizations and events within that tenant.
Permissions are scope-specific. Having judge permissions for one event does not grant access to another event.
Authorization checks are enforced at the API level before business logic runs.
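The scope inheritance described in this section can be sketched as a prefix check over scope paths. This is an added example, not HackCulture's code: the role names come from the text above, while the permission strings, the `Grant` type, and the `t1`/`o1`/`e1` identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Scope paths mirror the hierarchy Global -> Tenant -> Organization -> Event:
# () is global, ("t1",) a tenant, ("t1", "o1") an organization,
# ("t1", "o1", "e1") an event. All identifiers here are constructed samples.

# Role names are from the text above; the permission strings are assumptions.
ROLE_PERMISSIONS = {
    "Super Admin": {"event.manage", "submission.read", "score.read", "score.write"},
    "Tenant Admin": {"event.manage", "submission.read", "score.read"},
    "Event Admin": {"event.manage", "submission.read", "score.read"},
    "Judge": {"submission.read", "score.write"},
    "Mentor": {"submission.read"},
}


@dataclass(frozen=True)
class Grant:
    role: str
    scope: tuple  # where in the hierarchy the role was assigned


def covers(grant_scope: tuple, target_scope: tuple) -> bool:
    """A grant covers its own scope and everything nested beneath it, never above or beside it."""
    return target_scope[: len(grant_scope)] == grant_scope


def is_allowed(grants, permission: str, target_scope: tuple) -> bool:
    """Deny by default: some grant must both hold the permission and cover the target."""
    return any(
        permission in ROLE_PERMISSIONS.get(g.role, set()) and covers(g.scope, target_scope)
        for g in grants
    )


def require(grants, permission: str, target_scope: tuple) -> None:
    """Call at the API boundary, before any business logic touches the data."""
    if not is_allowed(grants, permission, target_scope):
        raise PermissionError(f"{permission} denied on scope {target_scope}")


if __name__ == "__main__":
    tenant_admin = [Grant("Tenant Admin", ("t1",))]
    judge = [Grant("Judge", ("t1", "o1", "e1"))]
    print(is_allowed(tenant_admin, "event.manage", ("t1", "o1", "e1")))  # inherited downward
    print(is_allowed(judge, "score.write", ("t1", "o1", "e2")))          # sibling event
```

Because a grant matches only when its scope is a prefix of the target, permissions flow down the hierarchy but never up to a parent scope or sideways to a sibling event or another tenant.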
5.3 Data Minimization in API Responses
We expose only the data required for each context.
Examples include:
- Public profile view shows only name, email, profile type, and gender.
- Judge listing shows bio, avatar, and social links but hides email and phone.
- Participants can view their own submission data but not judge remarks or evaluation scores during active competitions.
- Tenant configuration responses include branding and feature settings but exclude contact details.
- Hackathon listings show summary information without exposing internal configurations.
This approach ensures sensitive information such as phone numbers, internal remarks, and evaluation notes is never shared unnecessarily.
5.4 Encryption
All communication between clients and the HackCulture platform is encrypted in transit using industry-standard TLS protocols.
All data connections to our storage and database layers are encrypted in transit.
Data at rest is encrypted using AES-256 encryption across all storage services.
Sensitive configuration values such as credentials and API keys are stored securely and never committed to source control.
5.5 Input Validation and Injection Prevention
HackCulture uses strict server-side validation rules to ensure safe data handling.
- All incoming requests are validated and malformed inputs are rejected before processing.
- Social links are validated to prevent malicious URLs.
- Uploaded files are checked for content type and size limits.
- Database queries use parameterized patterns to prevent injection attacks.
- All templates automatically escape dynamic content to prevent cross-site scripting.
5.6 Secure File Storage
Uploaded files such as resumes, assets, and submissions are stored in secure cloud storage using structured access paths.
Files use system-generated unique identifiers rather than original filenames to prevent information exposure.
5.7 Communication Privacy
Emails are delivered through a compliant cloud communication service.
Users can control their communication preferences for both transactional emails and platform program notifications, including announcements about new and upcoming programs hosted on HackCulture.
Email templates use parameterized fields so personal data is injected only when needed.
5.8 API Security Controls
- API documentation is disabled in production environments.
- Cross-origin requests are restricted to prevent unauthorized browser-based access.
- Responses include headers that prevent indexing by search engines.
- Rate limiting protects against abuse and brute-force attacks.
5.9 Database Safety
- Write operations use transactions with retry logic to ensure consistency.
- Data replication is enforced to ensure durability across storage nodes.
- Unique constraints prevent duplicate accounts.
- Cascade-aware deletions ensure related data is removed safely when teams or submissions are deleted.
5.10 Credential and Secret Security
- Invite codes use cryptographically secure generation methods.
- Automatically generated passwords use strong combinations of characters.
- All secrets and credentials are stored securely and never committed to version control.
6. Infrastructure and Compliance
6.1 Cloud Security
- Our cloud infrastructure provider offers encryption, access control, and diagnostic logging across all data services.
- Encrypted storage is used for all file and document assets, with built-in recovery features.
- Email delivery infrastructure is compliant with applicable data protection standards.
- Container-based deployment ensures isolated and reproducible compute environments.
6.2 Deployment Security
- Applications run in non-root containers.
- Development, testing, and production environments are fully separated.
- Debug features and documentation endpoints are disabled in production.
6.3 Monitoring and Incident Response
- Structured logging ensures operational visibility.
- Centralized log aggregation helps investigate incidents.
- Accounts can be suspended quickly if suspicious activity is detected.
6.4 Multi-Tenant Data Segregation
HackCulture is designed to serve multiple organizations on the same platform while ensuring strict data separation between tenants.
Depending on a customer's requirements, HackCulture supports two deployment models:
Dedicated Instance Deployment — Customers with specific compliance, regulatory, or data residency requirements can be provisioned on a dedicated infrastructure instance. This provides full physical and logical isolation, where the customer's data environment is entirely separate from other tenants.
Shared SaaS Deployment — For customers operating within the standard SaaS model, all data is logically isolated at the application layer. Every data record is scoped to its respective tenant, and all queries are enforced with tenant-level filters, ensuring that no user, API response, or background operation can access data belonging to another tenant. Access control rules are applied consistently at every layer of the application stack, from authentication through to data retrieval.
In both models, cross-tenant data access is architecturally prevented. Tenant boundaries are treated as a core security constraint, not an application-level convention.
7. User Rights
Users have the ability to:
- Access their profile and submission data.
- Update personal information.
- Control communication preferences, including opting out of platform program notifications.
- Manage public visibility settings.
- Reset passwords and secure their accounts.
- Request full account deletion at any time.
Contact Us
If you have any questions about this Personal Data Protection statement, contact:
We are committed to protecting personal data and maintaining trust across the HackCulture platform.