Hands-On Privacy Training

Welcome!

The private-piranha.pics shop is a training environment for common privacy problems in web applications. It focuses on the General Data Protection Regulation (GDPR) while considering best practices. The training environment targets developers and service operators, but is also useful for anyone looking to deepen their understanding of the GDPR and its real-world impact on web applications.

The shop implements a set of privacy-related issues (referred to as privacy problems). Your goal is to find them using your knowledge of the GDPR. You can validate your findings using the Problem Walkthrough.

Please take everything with a grain of salt. This project does not provide legal advice. Implemented problems may be outdated, and new ones may be missing.

Guide

What are the requirements?

Having basic knowledge about the GDPR and its most essential articles is strongly recommended. You should also have some experience in web development and be familiar with the developer tools of your preferred browser.

Finding and understanding all problems can be challenging — you need to be attentive and persistent.

How to start?

Open the training environment: private-piranha.pics

The problems vary in difficulty and fall into three groups:

  • problems that are visible to the user,
  • problems that result from something that is missing, and
  • problems that are hidden and only visible in the source code or via browser developer tools.

Besides the privacy problems, there are false flags — pay attention to whether something is a privacy problem, a security problem, or no problem at all.

There is no guidance inside the shop itself. You must independently identify and understand each issue. A privacy problem can be as subtle as a single faulty sentence or line of code.

Ensure that ad blockers, content blockers, and anti-tracking extensions are disabled. Safari is not recommended. Do not use real payment, address, or account information — data may be publicly viewable due to intentional privacy or security problems.

Resources

A GDPR Handout with key concepts and legal foundations is available directly within the training environment. It is also linked from the header bar inside the shop.

I need help!

The Problem Walkthrough describes how to find each problem and explains why it is a problem. Use it after you have explored the shop, or if you get stuck.

You can also toggle Disable Problems in the shop's header bar to see the shop without the introduced issues and compare the difference.

More about the project

How is private-piranha.pics built?

The shop uses a modern web tech stack. The frontend and backend are built with Nuxt 4, using server-side rendering. Data is stored in a PostgreSQL database, accessed via Drizzle ORM. The training environment resets daily to a clean state.

This project page is a separate Nuxt application served from project.private-piranha.pics. It hosts the project overview, the GDPR handout, and the problem walkthrough.

Both applications use Tailwind CSS and daisyUI for styling. Icons are from Tabler Icons and Flaticon. The piranha pictures were generated using Craiyon.

Why was private-piranha.pics developed?

There are many training environments in the security space — cyber ranges, Capture The Flag (CTF) games, and serious games are common approaches. The most popular example is probably the OWASP Juice Shop. The GDPR, in force since 2018, is a major milestone for data protection — yet the privacy area lacks comparable training tools for developers. private-piranha.pics tries to fill that gap, bridging the developer-unfriendly wording of the GDPR and its real-world implications for web applications.

I have a question or an idea. How can I contact you?

You can reach us via mail@private-piranha.pics.