Privacy Policy

Last updated: January 12, 2026

1. Introduction

Flagmancer is operated by Lukas Van Den Bosch ("we", "us", "our"), located in Belgium. We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Belgian data protection laws.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our autonomous CTF hacking agent service.

2. Data Controller

The data controller responsible for your personal data is:

Lukas Van Den Bosch

Email: contact@flagmancer.com

Location: Belgium

3. Data We Collect

We collect the following categories of personal data:

Account Information

  • Email address
  • Name (if provided)
  • Password (encrypted)
  • Account creation date

Session Data

  • Target IP addresses you provide
  • CTF platform information
  • Challenge names and categories
  • Agent actions and findings
  • Terminal output logs

Usage Analytics

We use Plausible Analytics, a privacy-focused analytics service that does not use cookies and does not collect personal data. Plausible collects:

  • Page views (aggregated, anonymous)
  • Referrer source
  • Country (derived from IP, not stored)
  • Device type and browser (aggregated)

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide our service and fulfill our contractual obligations to you.
  • Legitimate Interests (Art. 6(1)(f)): Processing for service improvement, security, and fraud prevention.
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws.

5. How We Use Your Data

We use your personal data to:

  • Provide and maintain the Flagmancer service
  • Authenticate your account and manage sessions
  • Store your CTF session history and findings
  • Communicate service updates and security notices
  • Improve our service based on aggregated usage patterns
  • Prevent abuse and ensure platform security

6. Data Storage and Security

Your data is stored securely using the following measures:

  • Database hosted on Supabase with encryption at rest
  • All data transmitted over HTTPS/TLS encryption
  • Passwords hashed using industry-standard algorithms
  • Access controls and authentication for all systems
  • Regular security audits and updates

Our hosting infrastructure is provided by Netlify (website) and Supabase (database), both of which maintain appropriate security certifications and comply with GDPR requirements.

7. Data Retention

We retain your personal data for the following periods:

  • Account data: Until you delete your account
  • Session data: Until you delete the session or your account
  • Analytics data: Aggregated data retained indefinitely (no personal data)

Upon account deletion, your personal data will be permanently deleted within 30 days, except where retention is required by law.

8. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Correct inaccurate personal data
  • Right to Erasure (Art. 17): Request deletion of your personal data
  • Right to Restrict Processing (Art. 18): Limit how we use your data
  • Right to Data Portability (Art. 20): Receive your data in a portable format
  • Right to Object (Art. 21): Object to certain processing activities
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at contact@flagmancer.com. We will respond within 30 days as required by GDPR.

9. Third-Party Services

We use the following third-party services:

  • Supabase: Database and authentication services
  • Netlify: Website hosting and deployment
  • Plausible Analytics: Privacy-focused, cookie-free analytics

These services process data on our behalf and are bound by data processing agreements compliant with GDPR.

10. International Data Transfers

Some of our service providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions for countries with equivalent data protection

11. Cookies

We use only essential cookies required for the service to function:

  • Authentication cookies: To keep you logged in
  • Session cookies: To maintain your session state

We do not use tracking cookies or advertising cookies. Our analytics service (Plausible) is cookie-free.

12. Age Requirement

Flagmancer is intended for users aged 18 and older. We do not knowingly collect personal data from individuals under 18. If you believe we have collected data from a minor, please contact us immediately at contact@flagmancer.com.

13. Complaints

If you have concerns about how we handle your personal data, please contact us first at contact@flagmancer.com.

You also have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit):

Gegevensbeschermingsautoriteit

Website: www.gegevensbeschermingsautoriteit.be

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

15. Contact Us

For any questions about this Privacy Policy or our data practices, please contact us:

Email: contact@flagmancer.com
