Privacy Policy
EFFECTIVE: 2026-02-23
1. Overview
Duckurity ("we", "us", "our") is a cybersecurity training company headquartered in Cairo, Egypt. We operate the Duckyard platform. This policy describes how we collect, use, and protect your personal information when you use our services, in compliance with the EU General Data Protection Regulation (GDPR) and the Egyptian Personal Data Protection Law No. 151 of 2020 (PDPL).
2. Data Controller
Duckurity is the data controller responsible for your personal data. For all privacy-related inquiries, contact our Data Protection Officer at dpo@duckurity.com. If you are located in the EU, you also have the right to lodge a complaint with your local supervisory authority. For Egyptian residents, complaints may be directed to the Personal Data Protection Center (PDPC) under the Egyptian PDPL.
3. Data We Collect
We collect information you provide directly (account registration, support requests), usage data (session metadata, challenge completion, lab provisioning events), and technical data (IP addresses, browser type, device identifiers). Command logs and attack artifacts within lab environments are stored temporarily for debugging and are automatically purged after 30 days.
4. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6: (a) Consent — where you have given explicit consent (e.g., marketing emails, optional analytics cookies); (b) Contractual necessity — to provide the services you signed up for; (c) Legal obligation — to comply with applicable laws including Egyptian PDPL and EU GDPR; (d) Legitimate interest — for platform security, fraud prevention, and service improvement, balanced against your rights.
5. How We Use Your Data
We use collected data to operate and improve the platform, generate anonymized performance analytics, provide customer support, enforce our terms of service, and comply with legal obligations. We do not sell personal data to third parties.
6. Data Storage, Security & Transfers
All personal data is stored on servers located in Frankfurt, Germany (EU). Data is encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). We implement strict access controls and regular penetration testing. As our company is headquartered in Egypt and our data resides in the EU, cross-border transfers between Egypt and the EU are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, and comply with the Egyptian PDPL's requirements for international data transfers.
7. Data Retention
Account data is retained for the duration of your active subscription plus 90 days. Session metadata is retained for 12 months. Lab artifacts are purged within 30 days. Enterprise customers may configure custom retention policies. Upon account deletion, we anonymize your data within 30 days, except where legal retention obligations apply.
8. Your Rights
Under GDPR and Egyptian PDPL, you have the right to: access your personal data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict processing; data portability (receive your data in a structured, machine-readable format); object to processing based on legitimate interest; withdraw consent at any time without affecting prior lawful processing. To exercise any of these rights, contact dpo@duckurity.com. We will process requests within 30 days.
10. Age Requirement
The Duckyard platform is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact dpo@duckurity.com and we will promptly delete such data.
11. Contact & Supervisory Authority
Data Protection Officer: dpo@duckurity.com. General privacy inquiries: ops@duckurity.com. Security vulnerabilities: security@duckurity.com. EU residents may lodge complaints with their national data protection authority. Egyptian residents may contact the Personal Data Protection Center (PDPC).