Privacy Policy
Effective January 30, 2026, Compass Security Network Computing AG ("CSNC") and its subsidiaries updated their privacy notice ("Policy").
1 Introduction
This Policy describes our commitment to protecting the privacy of individuals who visit our websites ("Website Visitors"), who register to use the products and services or who attend or register for sponsored events or other events that the CSNC Group organizes or participates in ("Participants"). For the purposes of this Policy, the term "Websites" collectively refers to www.compass-security.com as well as the other websites operated by CSNC that refer to this Policy.
2 Scope of this Policy
In addition to the websites that refer to this Policy, this Policy applies to the following sites and offerings:
- Compass Security Group websites: *.compass-security.com
- The Hacking-Lab (*.hacking-lab.com / *.hacking-lab-ctf.com)
- Filebox solution: *.filebox-solution.com
Personal data in this Policy means information about a specific or identifiable natural person. An identifiable person is a person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data and online identifier, or to one or more factors that are specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
The use of information collected through our service is limited to the purpose of providing the service for which subscribers have signed up or registered.
Our Websites may contain links to other websites, and the information practices and content of those other websites are governed by the privacy notices of those sites. We encourage you to read the privacy notices of those websites to understand their information practices.
Account information (as defined below) and other information that we collect in connection with your registration or authentication with our services are subject to this Policy. The security and privacy practices, including the manner in which we protect, collect, and use electronic data, texts, messages, communications or other materials that you submit to the services and that are stored within the services ("Service Data"), are described in detail in this privacy policy. If a subscription agreement or another applicable contract between you and a member of the CSNC Group concerning your access to and use of a particular service (collectively referred to as a "Service Agreement") has been agreed, that Service Agreement will supplement this privacy policy. The order of precedence of different contracts is set out in the Service Agreement.
3 Information you provide to us
Account and registration information
We ask for personal data about you, such as your name, address, telephone number, email address, gender and date of birth.
For the purposes of this Policy, we refer to all of the information described above as "Account Information". By voluntarily providing us with Account Information, you represent that you are the owner of such personal data or otherwise have the necessary consent to provide it to us.
Other submissions
We ask for and may collect personal data from you when you submit web forms on our Websites or when you use interactive features of the Websites, including participation in surveys, contests, promotions, sweepstakes, requesting customer support, appointments, or otherwise communicating with us.
Participant information
We ask you for personal data such as your name, address, telephone number and email address when you register for a sponsored event or other events in which a member of the CSNC Group participates or when you attend such events.
4 Information we collect from you on our Websites
Cookies and other tracking technologies
We may use cookies and other information-gathering technologies for a variety of purposes. In particular, cookies are used to collect and analyze information about how our Websites are interacted with (web analytics) and to detect and prevent any misuse. These technologies may provide us with personal information, information about devices and networks used to access our Websites, and other information about interactions with our Websites.
On our websites we use persistent tracking and performance cookies from our third-party providers Google Analytics, Cloudflare and Usercentrics Cookiebot with the aim of collecting information about website traffic and the use of the website by users. The information collected through these cookies can directly or indirectly identify individual visitors. This is because the collected information is usually linked to an identifier associated with the device used to access the website. We may also use these cookies to test new pages, features or new functions of the website or to see how our users respond to them.
Analytics
We collect analytics information when you use the Websites to improve them:
- Our Websites use third-party services such as Cloudflare, CleanTalk Anti-Spam & Security, Google Analytics and Google Adwords. These can store and process IP addresses. IP addresses can be stored in server log files, CMS log files, CleanTalk Anti-Spam & Security log files, Google Analytics, Google Adwords as well as at Cloudflare. Cloudflare and CleanTalk can use cookies to control access to our Websites, ensure their security and protect them against spam and malware.
- Hacking-Lab uses Matomo to collect and process the following personal data: cookies, anonymized IP address, user ID, dimensions, variables, pages visited, browser and device used, mouse movements, anonymized keystrokes and more (as described here https://matomo.org/matomo-cloud/). Once the data has been processed (number of visitors who reach a not found page, view only one page...), Matomo creates reports to take action, e.g., to change the layout of the pages or to publish new content.
- Hacking-Lab also uses Hacking-Lab Analytics based on browser fingerprinting technologies for fraud detection. Hacking-Lab stores IP addresses, nicknames, usage times, browsers and operating systems.
Without this data we would not be able to provide the service we currently offer. Your data is used exclusively to improve the user-friendliness of our website and to help you find the information you are looking for.
Log
As with most websites and services provided over the Internet, we collect certain information and store it in log files when you interact with our Websites and services. This information includes Internet Protocol (IP) addresses as well as browser type, Internet service provider, URLs of referring/exit pages, operating system, date/time stamp, search terms, language settings and preferences, identification numbers associated with your devices, your mobile carrier and system configuration data.
5 Information collected from other sources
Social Media
Our Websites contain a link to social media websites such as Facebook or Twitter. We do not use social media plugins. Your interactions with these providers are governed solely by the privacy notices of the companies that provide them.
6 How we use the information we collect
General use
We may use the information we collect about you (including personal data, where applicable) for a variety of purposes, including (a) providing, operating, maintaining, improving and promoting the services; (b) accessing and using the services; (c) processing and completing transactions and sending related information, including purchase confirmations and invoices or job postings; (d) sending transactional communications, including responding to your comments, questions and requests; providing customer service and support and sending you technical notices, updates, security alerts and support and administrative messages; (e) processing and delivering contest entries and rewards; (f) monitoring and analyzing trends, usage and activities in connection with the Websites and services as well as for marketing or advertising purposes; (g) investigating and preventing fraudulent transactions, unauthorized access to the services and other illegal activities; and (h) for other purposes for which we obtain your consent.
If we send you advertising material, such as information about products and services, features, surveys, newsletters, offers, promotions, contests and events, and other news or information about us and our partners, we will ask for your express consent (dual opt-in or similar procedure) before doing so.
You can opt out of receiving marketing communications from us by contacting us at privacy(at)compass-security.com or by following the unsubscribe instructions included in our marketing communications.
Legal bases for processing
We collect personal data from you only if: (a) we have your consent to do so, (b) we need the personal data to enter into a contract with you (e.g., to provide the CSNC services you have requested), or (c) the processing is in our or a third party's legitimate interest under the GDPR or other data protection laws. In some cases we are also legally obliged to collect personal data from you.
If we rely on your consent to process personal data, you have the right to withdraw or revoke your consent at any time. Please note that this does not affect the lawfulness of processing based on consent before its withdrawal.
If we ask you to provide personal data to comply with a legal obligation or to enter into a contract with you, we will make this clear at the relevant time and inform you whether the provision of your personal data is mandatory or not (and of the possible consequences if you do not provide your personal data). If we collect and use your personal data in reliance on our (or a third party's) legitimate interests that are not already described in this notice, we will inform you in due course what those legitimate interests are.
If you have questions or need further information about the legal basis on which we collect and use your personal data, please contact us using the contact details provided in Section 16 below.
7 Disclosure of collected information
We use third-party partners and services to provide our services. We have entered into contracts with these partners that require them to use personal data only to the extent necessary to provide services on our behalf and to take appropriate security measures in accordance with legal requirements.
Partners and Services
Atlassian
We use products from Atlassian (Atlassian Pty Ltd, Level 6, 341 George Street, Sydney NSW 2000, Australia) to communicate with registered and unregistered users, e.g., Jira Service Management, Jira Work Management, Jira Software, Confluence for support management, project management, issue tracking, Bug Bounty Services and documentation. In this context, a transfer of data to other countries in which Atlassian provides services (e.g., USA) cannot be excluded. Further information on data processing by Atlassian can be found here: https://www.atlassian.com/legal/privacy-policy
Brevo
We use the European mail delivery service Brevo to send our newsletters. This service is GDPR-compliant and has concluded a data processing agreement (DPA) with us; further information can be found here: https://www.brevo.com/datenschutz-uebersicht/. By subscribing to the newsletter, you accept Brevo's terms for processing your data. The use of the newsletter service is independent of this website.
Calendly
Hacking-Lab uses Calendly for scheduling (Calendly, Inc. 115 E Main St., Ste A1B, Buford, GA 30518, USA). Email, names and other personal information entered may be stored in the web services of Calendly. Calendly user and invitee data is hosted in US data centers provided by Google and Amazon Web Services (AWS). Calendly follows the guidelines for data protection and the rights of data subjects under the EU GDPR. More information: https://calendly.com/legal/privacy-notice
CleanTalk
On our websites we use CleanTalk Anti-Spam & Security (CleanTalk Inc, 111 Barclay Blvd, suite 202, Lincolnshire, IL, 60069, USA) for security reasons and to protect our websites from spam. When you submit data on our websites, your data is processed in the CleanTalk cloud service. Approved requests are not stored. Therefore, emails, nicknames and messages from approved registrations, comments, orders, contact messages and other submissions are deleted. Data from non-approved requests are stored in log files for 7 days. Compass Security has set the data location to Europe, therefore all your data processed by CleanTalk remains within Europe. In addition, there are standard contractual clauses to ensure compliance with the regulations. Further information can be found here: https://cleantalk.org/publicoffer#privacy
Cloudflare
We use Cloudflare, Inc. as a Content Delivery Network (CDN) and DNS provider to improve the security, speed and availability of our websites. When accessing our websites, Cloudflare may collect certain technical information, such as your IP address, system configuration data and traffic information, to provide security and operational functions. Cloudflare may also use a cookie (e.g., "__cfduid" or a similar one) to identify trusted traffic and prevent malicious activity. Data is not stored by Cloudflare for longer than 31 days. We do not export, store or process this data outside of Cloudflare. All data collected by Cloudflare is processed in accordance with its privacy policy. Cloudflare is committed to GDPR compliance and provides corresponding data processing agreements and appropriate safeguards for personal data. Further information: https://www.cloudflare.com/privacypolicy/
CM.com
As a backup for aspsms, we use the SMS service from CM.com (formerly CM Telecom). For the delivery of SMS, generally only the recipient's telephone number is processed. Further information on data processing is provided by CM.com in its privacy policy.
CosmoCode GmbH
Our websites are designed and developed by CosmoCode GmbH (Prenzlauer Allee 36g, 10405 Berlin, Germany), a professional web design company. CosmoCode GmbH helps us create an attractive and user-friendly online experience. They have access to certain personal data, but not to sensitive information such as payment data. CosmoCode GmbH undertakes to protect your privacy and handle your data responsibly. See https://www.cosmocode.de/de/legal/datenschutz/
DACHCOM.CH
Hacking-Lab works with the marketing agency DACHCOM.CH AG (Communication LSA, Appenzellerstrasse 40, 9424 Rheineck, Switzerland). DACHCOM may access email addresses and full names of potential customers. This is the case, for example, when the contact form on the Hacking-Lab website is completed. Further details can be found here: https://www.dachcom.com/de-ch/datenschutz
Google
On our websites we use Google Analytics, a web analytics service offered by Google that tracks and reports website traffic. With your consent, Google Analytics will process and collect your personal data (cookies and IP addresses) to provide us with valuable information. Google uses the collected data to track and monitor the use of our service. This data may be shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. Google Analytics transfers your data to the United States and stores it for 6 months. Further information on Google's data transfer policies can be found at: https://policies.google.com/privacy/frameworks?hl=en-US
Further information on Google's privacy practices can be found on the Google website for privacy and terms of use: https://policies.google.com/privacy
Instructure
We use Parchment Digital Badges from Instructure to issue electronic certificates that you receive from us upon successful completion of a course. Canvas Credentials is a service offered by INSTRUCTURE (6330 South 3000 East Suite 700 Salt Lake City, UT 84121 USA). Instructure uses industry-standard security practices to protect personal data. By using our services and consenting to receive electronic certificates (badges), you agree to Instructure's privacy policy and terms of use regarding the management and storage of your certification data. See https://www.instructure.com/policies/privacy-badgr
Matomo Cloud
Hacking-Lab uses Matomo Cloud to collect and analyze information about how you interact with our websites (web analytics) and to detect and prevent any misuse. The personal data obtained via Matomo is transmitted to our company and our service provider: InnoCraft, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand. Matomo data is hosted in Frankfurt, Germany. All data and backups from Matomo Cloud are securely stored in Europe. This service is GDPR-compliant and has entered into a data processing agreement with us. The Matomo Cloud privacy policy: https://matomo.org/matomo-cloud-privacy-policy
Metanet
We host some of our web servers at Metanet (Metanet, Josefstrasse 218, CH-8005 Zurich). We use the "Server Housing" service. This means that the provider has no access to personal data stored on our servers.
Microsoft
We use Microsoft 365 Bookings for appointment scheduling and for booking and managing appointments. The information you provide to Bookings enables us to process your request or provide the services you have requested. Bookings only asks for the necessary information, such as full name, email, phone numbers and information about the topic of the appointment.
We also use M365 and other cloud services from Microsoft (Teams, Exchange Online, SharePoint Online, PowerAutomate) for data processing and communication. If you contact us via these communication channels, data such as full names, email, job title and more are transmitted to M365 or the Microsoft cloud.
According to our settings and current information from Microsoft, all data is stored on servers in Switzerland. Details on the products and applicable terms can be found here: https://www.microsoft.com/licensing/terms/product/ForallSoftware/all
By scheduling an appointment you accept Microsoft's product and licensing terms as well as privacy and security terms. You acknowledge that Microsoft's terms may change at any time. Microsoft's terms of use and privacy policies for the protection of data in the Microsoft cloud can be found here: https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all (Microsoft privacy and security terms).
Ostschweizer Fachhochschule
OST (Ostschweizer Fachhochschule, Oberseestrasse 10, 8640 Rapperswil), a public Swiss university with a strong background in information security, hosts our public lab. It is an IaaS provider that operates the Hacking-Lab infrastructure, while the Hacking-Lab application is operated and maintained by us. See https://www.ost.ch/de/systemseiten/datenschutz
Raiffeisenbank Rapperswil-Jona
To enable payouts, CSNC works with Raiffeisenbank Rapperswil-Jona (St. Gallerstrasse 51, 8645 Jona SG, Switzerland). If you are entitled to a payment from CSNC within the SEPA area, Raiffeisenbank Rapperswil-Jona can access name, first name, address, email, account number and bank details. See https://www.raiffeisen.ch/rch/de/ueber-uns/raiffeisen-gruppe/disclaimer-website.html
Stripe
Hacking-Lab uses Stripe as an online service provider that offers the processing of debit and credit cards as a service. Stripe meets the Payment Card Industry Data Security Standard (PCI DSS) and uses encryption to protect your payment information. All account information is stored by Stripe. We do not store your full credit card data and do not have access to it. By using our services and entering credit or debit card data, you agree to Stripe's privacy policy and terms of use that govern the processing and storage of your payment data. See https://stripe.com/privacy
Usercentrics
We use Cookiebot on our websites, a consent management platform (CMP) of Usercentrics GmbH (Sendlinger Strasse 7, 80331 Munich, Germany), to ensure compliance with data protection requirements for cookies.
Cookiebot is used to inform users about cookies on our websites and we use this platform for consent-based data collection. When you visit our websites, your browser may contact Usercentrics servers, making your IP address known. Information about consent may also be stored. Usercentrics uses the Google Cloud Platform. The servers are located in Germany and Belgium. Further information can be found at: https://www.cookiebot.com/de/privacy-policy/
VADIAN.NET
For sending SMS messages we use the aspsms service of VADIAN.NET AG (Katharinengasse 10, CH-9004 St. Gallen). aspsms is developed entirely in Switzerland and VADIAN.NET complies with the requirements of the Swiss Data Protection Act. More information: https://www.aspsms.ch/de/privacy/. We mainly use the service for sending two-factor tokens. In doing so, only the phone number of the respective recipient is transmitted to the service. In exceptional cases, other personal data such as usernames or passwords may also be transmitted via the service.
Wise
Hacking-Lab and our Bug Bounty program use the payment service provider Wise (Wise Switzerland AG, Talacker 41, 8001 Zurich, Switzerland) for payouts (e.g., for Bug Bounty) outside the SEPA zone. The following information may be transferred to Wise in such a case: name, first name, address, email, account number with bank details. See https://wise.com/gb/legal/global-privacy-policy-en
Other disclosure
Community Forums
The websites may offer publicly accessible blogs, community forums, comment sections, discussion forums or other interactive features ("Interactive Areas"). You should be aware that any information you post in an Interactive Area may be read, collected and used by other people who access it. To request the removal of your personal data from an Interactive Area, please contact us at privacy(at)compass-security.com. In some cases, we may not be able to remove your personal data; in that case, we will inform you whether and why we are unable to do so.
CSNC Group sharing
We may share information, including personal data, with any member of the CSNC Group. The protection of your data is ensured by a uniform Group data protection policy.
With your consent
We may also share personal data with third parties if we have your consent to do so.
Compliance with laws and law enforcement measures; protection of our rights
In certain situations we may be required to disclose personal data in response to lawful requests by public authorities, including to meet law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders or legal processes, to establish or exercise our legal rights or to defend against legal claims. We may also disclose this information if we deem it necessary to investigate, prevent or take action with respect to illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our service agreement or other actions required by law.
8 International transfer of collected information
CSNC is a Switzerland-based global company. We store personal data of website visitors and subscribers in Switzerland and EU member states. To facilitate our global activities, we may transfer and access such personal data from around the world, including from other countries in which the CSNC Group operates, for the purposes described in this Policy.
We may also share your personal data with our third-party processors pursuant to Section 7, which may be located in another country. However, we only process your personal data in countries that have a level of data protection equivalent to that under the GDPR. Compass Security ensures that data is transferred only to countries that are recognized as adequate or where the standard contractual clauses approved by the European Commission or Switzerland apply.
Whenever CSNC transfers personal data to a CSNC company, it will do so on the basis of its CSNC Binding Corporate Rules, which ensure adequate protection of such personal data and are legally binding for the CSNC Group.
When you visit our websites, please note that you agree to the transfer of your personal data to the countries in which we operate. By providing your personal data, you consent to the transfer and processing in accordance with this Policy and the CSNC Group Data Protection Policy.
9 Communication preferences
We give those who provide personal contact information the ability to choose how we use the information provided. You can manage your receipt of marketing and non-transactional communications by clicking the "Unsubscribe" link at the bottom of our marketing emails or by sending a request to privacy(at)compass-security.com.
10 How long we retain your personal data
We retain your personal data only for as long as necessary to fulfill the purposes described in this privacy notice, unless a longer retention period is required or permitted by law (e.g., tax, accounting or other legal requirements). If we have no ongoing legitimate business need to process your personal data, we will delete it. If this is not possible (e.g., because your personal data is stored in backup archives), we will securely store your personal data and isolate it from any further processing until deletion.
11 Your data protection rights
The security of your personal data is important to us. We follow GDPR standards to protect the personal data submitted to us. If you have questions about the security of your personal data, you can contact us at privacy(at)compass-security.com.
Upon request, we will inform you whether we have stored personal data about you or process it. To request this information, please contact us at privacy(at)compass-security.com.
In addition, you have the following rights:
- Right to erasure: You have a right to erasure of the personal data we have stored about you - for example, if it is no longer necessary in connection with the purposes for which it was originally collected. Please note, however, that we may need to retain certain information for record keeping, completing transactions, or complying with our legal obligations.
- Right to object to processing: You have the right to request that CSNC stop processing your personal data and/or stop sending you marketing communications.
- Right to restriction of processing and data correction: You have the right to request that we restrict the processing of your personal data in certain circumstances (e.g., if you believe that the personal data we have about you is inaccurate or unlawful). We will also make corrections and amendments to your personal data at your request.
- Right to data portability: Under certain circumstances, you have the right to receive your personal data in a commonly used format and to request that we transmit the personal data to another data controller without hindrance.
To request access, correction or deletion of the personal data we maintain, please send us an email. Requests for access, modification or deletion of your data will be processed within thirty (30) days.
If you wish to exercise these rights, please contact us using the contact details in Section 16 below. We will review your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before responding to the request.
You also have the right to lodge a complaint with a data protection authority regarding the collection and use of your personal data. For more information, please contact your local data protection authority.
12 Personal data of children
We do not knowingly collect personal data from children. We encourage parents and guardians to monitor their children's internet usage and to help enforce this Policy by instructing their children never to provide personal data through the websites or services without their permission. If you have reason to believe that a child under the age of 14 has provided us with personal data through the websites or services, please contact us at privacy(at)compass-security.com and we will endeavor to delete that data.
13 Business transactions
We may transfer this Policy, as well as your account and the associated information and data, including personal data, to a natural or legal person that acquires all or substantially all of our business, inventory or assets, or with whom we merge.
14 Changes to this Policy
If there are material changes to this Policy, you will be notified by our posting of a prominent notice on the websites prior to the change taking effect. Due to the seriousness and impact on your personal rights, your consent may be required for certain changes. In this case, we will inform you and ask for your consent.
For minor changes that do not affect your privacy, we will announce the changes on the websites. We recommend that you visit this page regularly to obtain the latest information about our privacy practices. Your continued use of the websites or services constitutes your agreement to be bound by such changes to this Policy. Your sole remedy if you do not accept the terms of this Policy is to stop using the websites and services.
15 Contact
If you have any questions about this Policy or the privacy practices of the CSNC Group, please contact us by email at privacy(at)compass-security.com or at:
Compass Security Network Computing AG
Werkstrasse 20
CH-8640 Rapperswil
privacy(at)compass-security.com
Phone: +41 58 510 36 00
16 Choice of Law/Forum Selection
These privacy notices are governed by Swiss law and are interpreted in accordance with it.
The exclusive place of jurisdiction for disputes arising from the use of the terms of use is Rapperswil-Jona, Canton of St. Gallen (Switzerland).
English version control
English translations of this Policy are provided for convenience only. In the event of ambiguities or conflicts between translations, the German version shall prevail.