Privacy Policy
HackEval ("the platform", "we") is a self-hostable hackathon evaluation tool operated by [Your organization]. This policy explains what data we collect when you use the platform, why we collect it, who we share it with, and the rights you have over your data.
1. Data we collect
We only collect what's required to run hackathons.
- Account: username, email address, hashed password, display name. We never store your password in plaintext — passwords are hashed with bcrypt.
- Profile (optional): short bio, list of skills, GitHub / LinkedIn / portfolio URLs, experience level. You enter this only if you choose to participate as a hackathon participant.
- Hackathon submissions: project name, team members, description, tech stack, demo URL, and any files you upload (code, README, slides, images).
- Evaluations: scores and notes submitted by judges on projects.
- Audit metadata: for security and accountability we record who did what and when, including your user ID, IP address, action name, and a small payload describing the change. See audit_log in the codebase.
- Cookies: see section 4.
2. How we use your data
- Authentication. Your username and password verify your identity. The session cookie keeps you signed in.
- Showing your profile to judges. Judges and admins of hackathons you join can read your profile so they have context when evaluating your project.
- Running evaluations. Project content (descriptions and uploaded text files) is sent to AI evaluation providers (see section 3) when an admin triggers AI scoring.
- Security & compliance. Audit logs and IP addresses help us detect abuse and respond to incidents.
We do not sell your data, run analytics or ad networks, or share your data for marketing purposes.
3. Third-party services
HackEval relies on a small number of infrastructure providers. Depending on how this instance is configured, your data may be processed by:
- PostgreSQL host (e.g. Neon, Supabase, AWS RDS) — stores account, profile, project, evaluation, and audit data.
- Object storage (Amazon S3 or Google Cloud Storage) — stores uploaded files. Files are accessed by short-lived signed URLs.
- OpenAI (gpt-4o) and/or AWS Bedrock (Claude) — receive project descriptions and the text content of uploaded files when AI evaluation is triggered. These providers process the content under their own privacy terms; we do not receive any usage data back from them beyond the evaluation result.
If your operator has changed which providers are used, that information should be available from them directly.
4. Cookies and local storage
HackEval uses only strictly necessary browser storage. We do not use tracking cookies, advertising cookies, or third-party analytics.
- hackeval_session — HttpOnly session cookie. Carries your signed JWT so you stay signed in. Lifetime: 7 days.
- hackeval_csrf — Random token cookie used for CSRF protection on state-changing requests. Lifetime: 7 days.
- hackeval_cookie_consent (in localStorage) — Records that you've dismissed the cookie notice on this device.
- hackeval_current_hackathon (in localStorage) — Remembers which hackathon you last selected so the picker doesn't reopen on every page load.
5. Data retention
- Account & profile: retained until you delete your account.
- Hackathon data (projects, evaluations): retained for the lifetime of the hackathon. When a hackathon is deleted, all associated rows and uploaded files are removed.
- Audit log: retained indefinitely by default to support security investigations. Operators may configure shorter retention.
6. Your rights
You can:
- Access the data we hold about you — your profile, projects, and evaluations are visible from your account.
- Update your profile and account details at any time.
- Delete your account by contacting the operator. Deletion cascades through your profile, project memberships, and uploaded files.
- Export hackathon data (admins only) via the built-in export endpoint.
If you're located in a jurisdiction with specific data-protection laws (such as the EU's GDPR or California's CCPA), additional rights may apply. Contact the operator to exercise them.
7. Security
We follow standard security practices:
- Passwords are hashed with bcrypt (never stored in plaintext).
- Session tokens live in HttpOnly cookies, which JavaScript running in the page cannot read.
- State-changing requests require a CSRF token (double-submit cookie pattern).
- All requests support TLS; signed URLs expire in minutes.
- The database connection uses TLS by default; weak modes must be enabled explicitly.
No system is perfectly secure. If you discover a vulnerability, please email the operator (see Contact).
8. Children
HackEval is not directed at children under 13. If you believe we hold data about a child without parental consent, contact the operator and we will delete it.
9. Changes to this policy
We may update this policy as the platform evolves. The effective date at the top reflects the most recent change. Material changes will be announced in-app where practical.
10. Contact
For privacy questions, data access requests, or vulnerability reports, contact the operator of this HackEval instance at contact@example.com.