Add privacy and data handling policy #526

Draft
vaswiz wants to merge 3 commits into GenAI-Security-Project:main from vaswiz:main

vaswiz commented Jun 7, 2026

Summary

This PR adds a draft PRIVACY.md / Data Handling Notice for FinBot CTF.

The goal is to make data handling expectations explicit for users of the hosted and self-hosted versions, especially because the platform uses email magic links, stores challenge progress, and involves AI-agent interactions in a simulated financial-services environment. There is also an open question as to whether data collected through the hosted version at https://owasp-finbot-ctf.org/ and through self-hosted deployments may be used for future research, including the publication of new benchmarks or datasets.

This draft is not legal advice and should be reviewed by the project maintainers and qualified legal counsel before being treated as an official privacy policy or data handling notice.

Why this is useful

The draft clarifies:

  • what categories of data may be processed;
  • that users must not enter real personal data, secrets, financial data, customer data, or confidential information;
  • how prompts and AI responses may be handled;
  • how external LLM and email providers may be involved;
  • recommended retention periods;
  • public profile / leaderboard considerations;
  • deletion-request expectations;
  • safer defaults for enterprise/self-hosted deployments.

Notes for maintainers

This is a draft and should be reviewed against the actual hosted deployment and project governance model.

The following placeholders need confirmation:

  • application operator;
  • privacy/security contact emails;
  • actual retention periods;
  • LLM provider configuration;
  • email provider configuration;
  • analytics settings;
  • deletion process;
  • whether public profiles / leaderboards are enabled by default.

Scope

  • Adds PRIVACY.md.
  • Links it from README.md.
  • Intended follow-up: link from the hosted site footer/header.
  • Optional follow-up: add a short “do not enter real data” warning near the first prompt/chat entry point.

vaswiz added 3 commits June 7, 2026 13:21
docs: add privacy and data handling policy

Signed-off-by: Vasily <vasizard@gmail.com>
docs: link privacy policy from readme

Signed-off-by: Vasily <vasizard@gmail.com>
Signed-off-by: Vasily <vasizard@gmail.com>

szybnev commented Jun 7, 2026

+1. It would be a nice update.