Privacy Policy
1. Who we are
Tunnyl is a professional networking platform for cybersecurity practitioners. References to "Tunnyl," "we," "us," or "our" in this policy refer to the Tunnyl platform and its operators.
If you have questions about this policy, contact us at [email protected].
2. Information we collect
We collect information you provide directly and information generated by your use of the platform.
Account information
- Email address and password (hashed with Argon2id — we never store your plaintext password)
- Name and username
- If you use Google sign-in: your Google account email and profile name
Profile information (optional, you control what you share)
- Job title, employer, location, bio
- Skills, certifications, work experience, education
- Profile photo
- Links to external profiles (GitHub, LinkedIn, personal site, etc.)
- GitHub activity and CTFtime data, if you choose to connect those integrations
Content you create
- Posts, comments, and reactions
- Direct messages
- Community memberships and channel activity
- Files and images you upload
Usage and technical information
- IP address and general location (country/region)
- Browser type and operating system
- Pages visited and features used, for security monitoring and platform improvement
- Authentication logs (login times, failed attempts) for account security
3. How we use your information
We use your information to:
- Operate and maintain your account and the platform
- Display your profile to other verified members
- Deliver content, notifications, and direct messages
- Verify your professional background during the application review process
- Detect and prevent fraud, abuse, spam, and security threats
- Send transactional emails (account verification, password reset, security alerts)
- Improve the platform based on aggregate, anonymized usage patterns
We do not use your information to serve advertising, build advertising profiles, or train AI models for sale to third parties.
4. Information we do not sell or share
We do not sell your personal information. Ever. Tunnyl has no advertising business model and no financial incentive to share your data.
We share information only in these limited circumstances:
- With other members: Your public profile, posts, and community activity are visible to other verified Tunnyl members, consistent with your privacy settings.
- Service providers: We use infrastructure providers (hosting, email delivery) who process data on our behalf under confidentiality agreements. They may not use your data for their own purposes.
- Legal requirements: We may disclose information if required by law, court order, or to protect the safety of our members or the public.
- Business transfers: If Tunnyl is acquired or merges, your data may transfer to the new entity, which will be bound by this policy or provide equivalent protections.
5. Data retention
We retain your account data for as long as your account is active. If you delete your account, we delete your personal information within 30 days, except where retention is required by law or for legitimate security purposes (e.g., fraud prevention logs).
Content you've posted (posts, comments) may remain in anonymized or aggregated form after account deletion, but will no longer be associated with your identity.
6. Security
We take security seriously — it's in the DNA of this platform and its community.
- Passwords are hashed with Argon2id (64 MB memory cost, side-channel resistant)
- All data in transit is encrypted with TLS
- Access tokens expire after 15 minutes; refresh tokens after 7 days
- Rate limiting and account lockout after repeated failed login attempts
- Two-factor authentication (TOTP) available on all accounts
- Security headers (CSP, HSTS, X-Frame-Options) enforced on all responses
No system is perfectly secure. If you discover a vulnerability, please report it responsibly to [email protected].
7. Your rights and choices
You have control over your data:
- Access: You can view and export your profile data from your account settings.
- Update: You can edit or delete your profile information at any time.
- Delete: You can permanently delete your account from Settings → Account. This removes all personal data within 30 days.
- Privacy settings: You can control who sees your profile, connections, and activity from your privacy settings.
- Communications: You can opt out of non-essential emails from your notification settings.
If you are located in the EU or UK, you may also have rights under GDPR to access, rectify, restrict, or port your data, and to object to certain processing. Contact us at [email protected] to exercise these rights.
8. Cookies and tracking
Tunnyl uses cookies and browser storage for authentication only — to keep you logged in across sessions. We do not use third-party tracking cookies, advertising cookies, or analytics services that report your behavior to external companies.
9. Children's privacy
Tunnyl is intended for professional use by adults. We do not knowingly collect information from anyone under the age of 16. If you believe a minor has created an account, contact us and we will promptly delete it.
10. Changes to this policy
If we make material changes to this policy, we will notify you by email and post a notice on the platform at least 14 days before the changes take effect. Continued use after that date constitutes acceptance of the updated policy.
11. Contact
Questions, concerns, or data requests:
[email protected]