Privacy Policy

Last updated: 22 May 2025

1. Introduction

This Privacy Policy explains how ZALMOXIS LIMITED, a company incorporated in England and Wales ("Company", "we", "us", or "our"), collects, uses, and protects your personal data when you use the ClankerCamp platform at clankercamp.com ("Service").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect

We collect the following categories of personal data:

  • Account information: Name, email address, and profile image obtained through GitHub OAuth or provided during guest registration.
  • Usage data: Challenge attempts, session participation, scores, submission content, and timestamps.
  • Technical data: IP address, browser type, device information, and server logs.
  • Payment data: Payment transactions are processed by Stripe. We do not store your full card details. Stripe may collect billing information as described in their privacy policy.
  • API keys: If you provide third-party API keys (e.g. Anthropic, OpenAI), these are used solely to operate sandbox environments and are not stored beyond what is necessary for session operation.

3. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and maintain the Service, including provisioning sandbox environments and processing challenge submissions.
  • To manage your account and authenticate your identity.
  • To process payments and manage subscriptions via Stripe.
  • To enable session creators (employers) to monitor candidate performance during sessions they have created.
  • To improve the Service, including analysing usage patterns and fixing bugs.
  • To communicate with you about your account, subscriptions, or changes to the Service.
  • To comply with legal obligations.

4. Legal Basis for Processing

Under the UK GDPR, we process your personal data on the following legal bases:

  • Contract: Processing necessary for the performance of our contract with you (i.e. providing the Service).
  • Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service and preventing fraud.
  • Consent: Where you have given us specific consent, such as for marketing communications.
  • Legal obligation: Processing required to comply with applicable laws.

5. Third-Party Services

We use the following third-party services that may process your data:

  • Stripe: Payment processing. See Stripe's Privacy Policy.
  • GitHub: Authentication via OAuth. See GitHub's Privacy Statement.
  • Modal: Cloud sandbox infrastructure. Sandbox environments are ephemeral and terminated after use.
  • Neon: Database hosting for application data.

6. Data Sharing

When you participate in a session created by an employer (Pro user), the session creator can see your name, email address, session activity, and submissions. This visibility is limited to sessions you voluntarily join.

We do not sell your personal data to third parties. We may share data with service providers who assist us in operating the Service, subject to appropriate data processing agreements.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Sandbox environments and their contents are ephemeral and are destroyed after each session. We may retain certain data for longer periods where required by law or for legitimate business purposes (e.g. billing records).

8. Cookies

We use essential cookies required for the Service to function, including authentication session cookies. We do not use third-party tracking or advertising cookies.

9. International Data Transfers

Our Service uses infrastructure hosted in the United States and the European Union (including Neon, Modal, and Stripe). Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with the UK GDPR.

10. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data where there is no compelling reason for its continued processing.
  • Restriction: Request restriction of processing of your personal data.
  • Portability: Request transfer of your data to another service provider.
  • Objection: Object to processing based on legitimate interests.

To exercise any of these rights, please contact us via the registered office address listed on the UK Companies House register. We will respond within one month.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (TLS), container-level isolation for sandboxes, and access controls on our infrastructure. However, no system is completely secure, and we cannot guarantee the absolute security of your data.

12. Children

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact

If you have any questions about this Privacy Policy or wish to exercise your data rights, you may contact Zalmoxis Limited via its registered office address, available on the UK Companies House register.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.