Privacy Policy and Terms of Service
Effective Date: January 1, 2025 | Last Updated: December 21, 2025
Table of Contents
- Financial Transparency
- Security Engineering
- Privacy Policy
  - 1. Information We Collect
  - 2. Cookies and Local Storage
  - 3. How We Use Information
  - 4. Disclosure to Third Parties
  - 5. International Data Transfers
  - 6. Security
  - 7. Data Breach Notification
  - 8. Data Retention
  - 9. Your Rights
  - 10. Children's Privacy
  - 11. Sensitive Data
  - 12. Automated Decision-Making
  - 13. "Do Not Track" Signals
  - 14. Changes to This Policy
  - 15. Contact Us
- Terms of Service
  - 1. Use of Service
  - 2. Account Responsibility
  - 3. Rate Limiting & Anti-Abuse
  - 4. Termination
  - 5. No Guarantee of Service
  - 6. Intellectual Property
  - 7. Randomness of Service
  - 8. Fictional Content
  - 9. Limitation of Liability
  - 10. Governing Law
  - 11. Dispute Resolution
  - 12. Severability
  - 13. Changes to Terms
  - 14. Contact
Financial Transparency
Transparency is fundamental to our operations. Below is our estimated monthly operating budget.
Organization Expenses
The following table details our organizational costs.
| Expense Item | Purpose | Monthly Cost (USD) |
|---|---|---|
| Virtual Business Address | Privacy-preserving mailing address for legal notices | ~$30 |
| Registered Agent | Receiving agent for LLC legal and tax documentation | ~$20 |
| Monthly Organization Costs | | ~$50 |
Operation Expenses
The following table details our operational costs.
| Expense Item | Purpose | Monthly Cost (USD) |
|---|---|---|
| Hosting Infrastructure | High-performance Virtual Private Servers (VPS) for cloud hosting | ~$25 |
| Domain Portfolio | Primary domain plus defensive registrations | ~$20 |
| Transactional Email | DKIM-signed messages for client support | ~$5 |
| Monthly Operation Costs | | ~$50 |
Security Engineering
We believe that obscurity has no place in security. We openly share our security controls and posture to ensure we maintain a proactive approach.
Controls & Posture
The following table details portions of our security posture.
| Class | Description | Purpose | Relevant CWE |
|---|---|---|---|
| Architecture, Storage, and OS-Level Hardening | Application uses flat-file storage on GNU/Linux and runs as a dedicated non-root user; access control is enforced via POSIX file permissions/ownership; no relational database/SQL layer. | Removes SQL injection attack surface by eliminating SQL queries and DB drivers; reduces dependency footprint; limits impact via least privilege. | CWE-89 (SQL Injection) |
| Architecture, Storage, and OS-Level Hardening | Files are created with permissions limited to the non-root service account, meaning only that user (and root) can read them. | Prevents local disclosure of sensitive data to other users/processes on the host. | CWE-552 (Files or Directories Accessible to External Parties); CWE-276 (Incorrect Default Permissions) |
| Architecture, Storage, and OS-Level Hardening | Application design avoids using user input to control file paths; file locations are computed internally, with only constrained identifiers (e.g., username) used where necessary. | Prevents attackers from selecting arbitrary files/directories via crafted input. | CWE-22 (Path Traversal); CWE-73 (External Control of File Name or Path) |
| Containerization / Runtime Reduction | Runs in Docker as a non-root user and uses a multi-stage build so build tooling and extra dependencies are not present in the final runtime layer/image. | Reduces post-exploitation capability if a shell/code execution is gained; reduces attack surface by shipping fewer tools and libraries. | CWE-250 (Execution with Unnecessary Privileges); CWE-269 (Improper Privilege Management) |
| Containerization / Runtime Reduction | Uses Tini as PID 1 for proper signal handling and child process reaping. | Improves process hygiene and reduces edge-case instability that can contribute to availability issues. | N/A |
| Input Validation and Injection Resistance | User-supplied fields (except passwords) are restricted to mostly alphanumeric characters and validated strictly. | Shrinks the input space and blocks metacharacters commonly used in injection attacks while maintaining needed functionality. | CWE-20 (Improper Input Validation) |
| Authentication, Authorization, and Session Management | Authorization is enforced consistently via middleware based on JWT identity/claims (roles/uid checks) across endpoints. | Prevents privilege escalation and access to other users' resources by centralizing and uniformly applying authorization rules. | CWE-285 (Improper Authorization); CWE-863 (Incorrect Authorization) |
| Authentication, Authorization, and Session Management | Validates JWT claims (including standard time claims like iat and exp) and logs anomalous events such as non-existent claims, invalid signing method, role mismatch, uid mismatch, invalid Content-Type, and other indicators of probing/abuse. | Prevents common JWT validation pitfalls (e.g., algorithm confusion) and improves detection/triage of auth attacks and request smuggling/probing patterns. | CWE-347 (Improper Verification of Cryptographic Signature); CWE-778 (Insufficient Logging); CWE-223 (Omission of Security-relevant Information) |
| Authentication, Authorization, and Session Management | JWTs are issued with a 30-day expiration TTL baseline for the application. | Ensures tokens are time-bounded (not indefinite) and limits the window of misuse if a token is compromised. | CWE-613 (Insufficient Session Expiration) |
| Authentication, Authorization, and Session Management | Implements logout and uses a jti claim to support token revocation. | Allows invalidating tokens before natural expiration (e.g., on logout or suspected compromise), reducing the impact of stolen tokens even with longer TTLs. | CWE-613 (Insufficient Session Expiration) |
| Authentication, Authorization, and Session Management | Primary API auth uses the Authorization header; optionally supports cookie auth (auth_token) with Secure=true and SameSite=Strict. | Reduces CSRF exposure for cookie mode and ensures cookies are only sent over HTTPS; keeps header-based auth as the default to reduce CSRF risk in typical API use. | CWE-352 (Cross-Site Request Forgery); CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) |
| Authentication, Authorization, and Session Management | Accounts have a strong, automatically generated secret used as an account security token for sensitive actions like password changes; regenerated on registration and reset. | Adds a strong secret gate for high-impact operations and reduces risk of unauthorized password changes and some account takeover flows. | CWE-620 (Unverified Password Change) |
| Password Storage and Credential Hardening | Password hashing uses bcrypt with cost factor 13 over a SHA-512 prehash of the password; a pepper stored outside the application is mixed in through an HMAC construction. | Makes offline cracking dramatically harder; the pepper ensures exfiltrated hashes are significantly less useful without the external secret. | CWE-916 (Use of Password Hash With Insufficient Computational Effort); CWE-256 (Unprotected Storage of Credentials) |
| Password Storage and Credential Hardening | Passwords must be between 16 and 128 characters and meet strong complexity requirements. | Increases password entropy to reduce success of guessing and credential stuffing and to strengthen resilience if hashes are ever attacked offline. | CWE-521 (Weak Password Requirements) |
| Abuse Prevention, Availability, and Performance | Custom Go middleware rate limits requests to detect and constrain API abuse, including authentication attempts and DoS-like request patterns. | Reduces brute force feasibility and limits resource exhaustion from abusive clients. | CWE-307 (Improper Restriction of Excessive Authentication Attempts); CWE-400 (Uncontrolled Resource Consumption) |
| Abuse Prevention, Availability, and Performance | Data models are kept lightweight to avoid expensive server-side operations and excessive load times. | Improves availability and reduces accidental amplification factors that could be abused for DoS. | CWE-400 (Uncontrolled Resource Consumption) |
| Browser-Side Protections | Uses CSP to restrict the sources and types of executable content. | Mitigates XSS impact by limiting script execution paths even if injection occurs. | CWE-79 (Cross-Site Scripting) |
| Browser-Side Protections | Applies output encoding/escaping in the client for the limited set of areas where user-influenced data is rendered. | Prevents injected strings from being interpreted as HTML/JS, reducing XSS likelihood. | CWE-79 (Cross-Site Scripting) |
| Browser-Side Protections | Frontend is custom HTML/JS with no external API interactions and minimal third-party dependency usage (only a chart library). | Reduces supply-chain risk and exposure to compromised third-party scripts/services; reduces overall dependency attack surface. | CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) |
| Transport Security | Uses HTTPS with a valid publicly trusted TLS certificate. | Protects sensitive data (credentials/tokens) in transit and reduces MITM risk. | CWE-319 (Cleartext Transmission of Sensitive Information) |
| Operational / External Controls | Registers likely typosquatted domains and alternate TLDs to reduce domain impersonation. | Reduces phishing and brand impersonation risk that can lead to credential theft. | N/A |
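The JWT checks described in the table (pinning the signing method so algorithm confusion cannot reach the key, validating exp and iat, honouring a jti revocation set filled on logout, and logging each anomalous event for triage), as an added Go example written for this page; it is not Hashcracky's middleware, and HS256, the claim names uid and jti, the 60-second clock-skew allowance and the in-memory revocation set are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the subset of the payload this middleware reasons about (claim names assumed).
type Claims struct {
	UID string `json:"uid"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}
var (
	ErrAlg     = errors.New("invalid signing method or malformed token")
	ErrSig     = errors.New("bad signature")
	ErrClaims  = errors.New("non-existent claims")
	ErrTime    = errors.New("outside iat/exp window")
	ErrRevoked = errors.New("jti revoked")
)
const header = `{"alg":"HS256","typ":"JWT"}` // the only header ever issued or accepted

// Verifier holds the HMAC key, the jti set revoked on logout, and an anomaly log for triage.
type Verifier struct {
	Key     []byte
	Revoked map[string]bool
	Log     []string
}
// fail records the anomalous event (what detection would alert on) and returns the typed error.
func (v *Verifier) fail(event, detail string, err error) (*Claims, error) {
	v.Log = append(v.Log, event+": "+detail)
	return nil, err
}
func b64(b []byte) string            { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }
func (v *Verifier) mac(input string) []byte {
	m := hmac.New(sha256.New, v.Key)
	m.Write([]byte(input))
	return m.Sum(nil)
}
// Sign issues a compact HS256 token; Exp carries the caller's TTL (30 days on this page).
func (v *Verifier) Sign(c Claims) string {
	p, _ := json.Marshal(c)
	body := b64([]byte(header)) + "." + b64(p)
	return body + "." + b64(v.mac(body))
}

// Verify pins the header and checks the signature before trusting any claim,
// then enforces exp/iat and the revocation set; the caller applies uid/role rules.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".") // parts[0] always exists, so decoding it first is safe
	if raw, err := unb64(parts[0]); len(parts) != 3 || err != nil || string(raw) != header {
		return v.fail("invalid signing method", string(raw), ErrAlg) // alg "none"/RS256 never reach the key
	}
	if sig, err := unb64(parts[2]); err != nil || !hmac.Equal(sig, v.mac(parts[0]+"."+parts[1])) {
		return v.fail("bad signature", "", ErrSig)
	}
	var c Claims
	if raw, err := unb64(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.UID == "" || c.Jti == "" || c.Exp == 0 {
		return v.fail("non-existent claims", "", ErrClaims)
	}
	if now := time.Now().Unix(); now >= c.Exp || c.Iat > now+60 { // 60 s clock-skew allowance on iat
		return v.fail("time claims", c.Jti, ErrTime)
	}
	if v.Revoked[c.Jti] {
		return v.fail("revoked jti presented", c.Jti, ErrRevoked)
	}
	return &c, nil
}
```

Verify rejects before it parses: a header that is not the exact one the service issues never gets as far as the key, and the signature is checked before any claim is read.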
Privacy Policy
This Privacy Policy explains how Hashcracky, LLC ("we," "our," or "us") collects, uses, discloses, and safeguards information when you visit or use our website and related services (collectively, the "Service"). By using the Service, you consent to the data practices described in this policy.
1. Information We Collect
Hashcracky has been designed to operate with minimal data collection. The Service does not provide functionality to collect personal identifiers such as names, email addresses, postal addresses, or telephone numbers. The following limited data is collected automatically during your use of the Service:
- Account Data: Username, password (stored only as a bcrypt hash; see Security Engineering), account creation timestamp, and account activity related to the competition (submissions, scores, achievements).
- Technical Data: IP addresses and user-agent strings are processed temporarily in memory for anti-abuse and rate-limiting purposes. This data is not persistently stored unless captured by automated security systems during suspected abuse incidents.
- Server Logs: Error traces and performance metrics that do not contain personally identifiable information. These logs are retained indefinitely for operational integrity and debugging purposes.
Note: IP addresses may constitute personal data under certain privacy regulations, including the GDPR. Our processing of IP addresses is based on our legitimate interest in maintaining the security and integrity of the Service (GDPR Article 6(1)(f)).
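The in-memory IP processing described under Technical Data and the Go rate-limiting middleware listed in the Security Engineering table, as an added example that is not Hashcracky's code: a fixed-window counter keyed by peer IP that forgets each address once its window has passed, so the address is never written anywhere persistent. The fixed-window algorithm, the injectable clock and keying on the TCP peer address rather than proxy headers are assumptions.

```go
package main

import (
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// Limiter is a fixed-window counter keyed by client IP. Entries live only in memory and are
// dropped once their window passes, so addresses are processed transiently rather than stored.
type Limiter struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	now     func() time.Time // injectable clock for deterministic tests
	clients map[string]*entry
}

type entry struct {
	count int
	reset time.Time // end of the current window
}

func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{limit: limit, window: window, now: time.Now, clients: map[string]*entry{}}
}

// Allow records one request from ip and reports whether it is still within the limit,
// plus the seconds until the window resets (for Retry-After).
func (l *Limiter) Allow(ip string) (bool, int) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	e := l.clients[ip]
	if e == nil || !now.Before(e.reset) {
		e = &entry{reset: now.Add(l.window)}
		l.clients[ip] = e
	}
	e.count++
	return e.count <= l.limit, int(e.reset.Sub(now).Seconds()) + 1
}

// Sweep forgets every address whose window has passed and returns how many remain;
// run it periodically so the retention claim in the policy is enforced by code.
func (l *Limiter) Sweep() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	for ip, e := range l.clients {
		if !now.Before(e.reset) {
			delete(l.clients, ip)
		}
	}
	return len(l.clients)
}

// Middleware keys on the TCP peer address; proxy headers such as X-Forwarded-For are
// deliberately ignored here because an unauthenticated client controls them.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			ip = r.RemoteAddr
		}
		if ok, retry := l.Allow(ip); !ok {
			w.Header().Set("Retry-After", strconv.Itoa(retry))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Behind a reverse proxy the peer address is the proxy's, so the key must then come from a header the proxy is configured to overwrite, not from whatever the client sent.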
2. Cookies and Local Storage
The Service uses the following browser storage mechanisms exclusively for essential functionality. We do not use tracking cookies, advertising cookies, or third-party analytics services:
| Key | Type | Purpose | Retention |
|---|---|---|---|
| auth_token | Cookie (essential) | Maintains authenticated session state | Session duration or until logout |
| hcky.reset | Local Storage | Stores account recovery codes upon user request | Until logout or cache clearance |
| hcky_regen_field | Local Storage | Preserves user interface preferences | Until logout or cache clearance |
These storage mechanisms are strictly necessary for the Service to function properly. Disabling cookies or local storage will prevent access to authenticated features of the Service.
3. How We Use Information
The information we collect is used exclusively for the following purposes:
- Authenticating users and maintaining secure session states
- Operating competition features including leaderboards, scoring, and achievements
- Protecting the Service from abuse through automated rate limiting
- Monitoring service health, diagnosing technical issues, and improving performance
- Complying with applicable legal obligations
Our legal basis for processing this information is: (a) your consent when you create an account and use the Service, (b) our legitimate interest in providing and securing the Service, and (c) compliance with legal obligations where applicable.
4. Disclosure to Third Parties
We do not sell, rent, or share your information with third parties for their marketing purposes. Information may be disclosed only in the following circumstances:
- Service Providers: Our infrastructure hosting provider, DigitalOcean, LLC, processes data solely for the purpose of providing hosting services. Their privacy policy is available at digitalocean.com/legal/privacy-policy.
- Legal Requirements: We may disclose information if required by law, court order, or other legal process, or if we believe disclosure is necessary to protect our rights, property, or safety, or that of others.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, information may be transferred to the successor entity.
5. International Data Transfers
All data is stored and processed on servers located in the United States operated by DigitalOcean, LLC. By using the Service from outside the United States, you acknowledge and consent to the transfer of your information to the United States, which may have different data protection laws than your jurisdiction.
6. Security
We implement appropriate technical and organizational measures designed to protect the security of information processed through the Service, including encryption, secure authentication mechanisms, and regular security assessments. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
7. Data Breach Notification
In the event of a data breach that may compromise user account security, we will post a prominent notice on our website and social media channels. As we do not collect email addresses, public notification is our primary means of communication. Where legally required, we will also notify relevant regulatory authorities within the prescribed timeframes.
8. Data Retention
We retain information for the following periods:
- Account Data: Retained until you delete your account, at which point it is immediately and permanently removed from our systems.
- Competition Records: Historical leaderboard entries and usernames may be retained indefinitely to maintain competition integrity and historical records.
- Server Logs: Retained indefinitely for operational and debugging purposes. These logs do not contain personally identifiable information.
9. Your Rights
You have the following rights regarding your information:
- Access and Portability: You may access your account information through the Service interface.
- Deletion: You may delete your account at any time through the account settings interface, which will immediately remove all associated account data.
- Correction: You may update certain account information through the Service interface.
To exercise any rights not available through the Service interface or for questions about this policy, contact us at contact@hashcracky.com. We will respond to requests within 30 days.
Residents of the European Economic Area (EEA), United Kingdom, and certain other jurisdictions have additional rights under applicable data protection laws.
10. Children's Privacy
The Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly. If you believe we have collected information from a child under 13, please contact us immediately.
11. Sensitive Data
We do not intentionally collect sensitive personal data (also known as special categories of personal data), including information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. The Service does not provide any mechanism for submitting such information.
12. Automated Decision-Making
The Service employs automated decision-making solely for anti-abuse purposes. This includes IP-based rate limiting that may temporarily restrict access when suspicious patterns are detected. No user profiling or automated decision-making that produces legal or similarly significant effects is performed.
13. "Do Not Track" Signals
The Service does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) browser signals or similar mechanisms. Our data collection is limited to your direct interactions with our Service.
14. Changes to This Policy
We reserve the right to update this Privacy Policy at any time. Changes will be effective immediately upon posting to the Service. Material changes will be highlighted through a notice on our website. Your continued use of the Service after any changes indicates your acceptance of the updated policy.
15. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: contact@hashcracky.com
Mailing Address: Available upon request for legal notices only
Terms of Service
These Terms of Service ("Terms") constitute a legally binding agreement between you and Hashcracky, LLC ("we," "our," or "us") governing your use of the Hashcracky website and services (the "Service"). By accessing or using the Service, you agree to be bound by these Terms. If you do not agree to these Terms, you may not access or use the Service.
1. Use of Service
1.1 Eligibility. You must be at least 13 years of age to use the Service. By using the Service, you represent and warrant that you meet this age requirement.
1.2 Acceptable Use. You agree to use the Service only for lawful purposes and in accordance with these Terms. You agree not to:
- Violate any applicable laws, regulations, or third-party rights
- Transmit any harmful, offensive, or illegal content
- Attempt to gain unauthorized access to any portion of the Service or related systems
- Interfere with or disrupt the Service or servers or networks connected to the Service
- Engage in any form of automated data collection without our express written permission
- Impersonate any person or entity or misrepresent your affiliation with any person or entity
- Use the Service for any commercial purpose without our prior written consent
2. Account Responsibility
2.1 Account Security. You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. You agree to immediately notify us of any unauthorized use of your account or any other breach of security.
2.2 Accuracy of Information. You agree to provide accurate and complete information when creating your account and to keep such information current.
3. Rate Limiting & Anti-Abuse
To protect the integrity and availability of the Service, we implement automated rate limiting and anti-abuse measures. Violation of these limits, whether intentional or unintentional, may result in temporary or permanent suspension of your access to the Service. We reserve the right to modify these limits at any time without notice.
4. Termination
4.1 Termination by You. You may terminate your account at any time through the account deletion feature within the Service.
4.2 Termination by Us. We reserve the right to suspend or terminate your access to the Service, with or without notice, for any reason, including but not limited to:
- Violation of these Terms
- Conduct that we determine to be harmful to the Service or other users
- Extended periods of inactivity
- Request by law enforcement or government agencies
- Discontinuation or material modification of the Service
4.3 Effect of Termination. Upon termination, your right to use the Service will immediately cease. Provisions of these Terms that by their nature should survive termination shall survive, including but not limited to ownership provisions, warranty disclaimers, indemnity, and limitations of liability.
5. No Guarantee of Service
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR COURSE OF PERFORMANCE. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, SECURE, OR FREE OF OTHER HARMFUL COMPONENTS.
6. Intellectual Property
6.1 Our Rights. The Service and all content, features, and functionality (including but not limited to information, software, text, displays, images, graphics, and the design, selection, and arrangement thereof) are owned by us, our licensors, or other providers and are protected by United States and international copyright, trademark, patent, trade secret, and other intellectual property laws.
7. Randomness of Service
Certain features of the Service incorporate random or pseudo-random elements. We make no representations or warranties regarding the randomness, fairness, or predictability of these features. Results may vary and are not guaranteed to meet any particular expectation or standard.
8. Fictional Content
All challenges, scenarios, and data presented within the Service are entirely fictional and created for entertainment and educational purposes only. Any resemblance to real persons, organizations, or actual data is purely coincidental.
9. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL WE, OUR AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS, OR LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA, OR OTHER INTANGIBLE LOSSES, ARISING OUT OF OR RELATING TO YOUR USE OF OR INABILITY TO USE THE SERVICE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
OUR TOTAL LIABILITY TO YOU FOR ANY DAMAGES ARISING FROM OR RELATED TO THESE TERMS OR THE SERVICE SHALL BE LIMITED TO THE AMOUNT YOU HAVE PAID US IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY. IF YOU HAVE NOT PAID US ANY AMOUNTS, OUR SOLE LIABILITY SHALL BE LIMITED TO THE DISCONTINUATION OF YOUR ACCESS TO THE SERVICE.
SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN WARRANTIES OR LIABILITY. IN SUCH JURISDICTIONS, OUR LIABILITY SHALL BE LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW.
10. Governing Law
These Terms shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law provisions. You agree to submit to the personal and exclusive jurisdiction of the courts located in Delaware.
11. Dispute Resolution
11.1 Informal Resolution. We encourage you to contact us at contact@hashcracky.com if you have any concerns or disputes regarding the Service. We will make reasonable efforts to resolve any dispute informally.
11.2 Binding Arbitration. For any dispute that cannot be resolved informally, you and Hashcracky agree that any dispute arising out of or relating to these Terms or the Service shall be resolved through binding individual arbitration in accordance with the Streamlined Arbitration Rules and Procedures of JAMS ("JAMS Rules"), except as modified by these Terms. The arbitration will be conducted by telephone, online, or based solely on written submissions unless otherwise agreed. The arbitrator's decision shall be final and binding.
11.3 Class Action Waiver. YOU AND HASHCRACKY AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN AN INDIVIDUAL CAPACITY AND NOT AS A CLASS REPRESENTATIVE OR MEMBER. Neither you nor we will seek class treatment for any disputes subject to arbitration.
11.4 Exceptions. Notwithstanding the above, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent the actual or threatened infringement of intellectual property rights. Small claims court actions may be brought without first attempting arbitration.
12. Severability
If any provision of these Terms is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be deemed replaced by a valid, enforceable provision that most closely matches the intent of the original provision.
13. Changes to Terms
We reserve the right to modify these Terms at any time at our sole discretion. If we make material changes, we will provide notice through the Service. Your continued use of the Service after such notice constitutes acceptance of the modified Terms. If you do not agree to the modified Terms, you must discontinue use of the Service.
14. Contact
If you have any questions about these Terms of Service, please contact us at:
Email: contact@hashcracky.com
Mailing Address: Available upon request for legal notices only