1. Who we are
2. What is personal information?
"Personal Information" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Under specific laws, Personal Information may include any information relating to a household.
3. Where is (y)our information stored?
As a global company we understand that there are many different privacy and data protection laws where our Customers and Finders are based. We know and understand the value of your information. We will take all reasonable steps to ensure that your Personal Information is treated securely and in accordance with the laws and regulations relevant to where you are located.
We are a company headquartered in California and so, our Sites and Servers are hosted here in the United States. Therefore, the Personal Information that we collect from you will be received, transferred and/or stored in the United States.
If you are located outside the United States, please see our section on International Data Transfer below.
4. Personal information we process
We process Personal Information that you actively submit to us, that we automatically collect through your use of our Services, and that we collect from third-parties for the following reasons We may, when securing our website and Services, collect details about your device, your computer’s internet protocol (IP addresses) and other technical information, through our data security and firewall providers and/or when marketing our Services, we may collect identity and contact data from publicly available sources. For compliance with applicable laws (including but not limited to anti-money laundering and financing laws and regulations), we may through third parties who use verification providers or due diligence, and screening information providers verify your information and collect information from publicly available sources or check data against government sanction lists.
We may process your Personal Information with or without automatic means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of your Personal Information.
We DO NOT sell the Personal Information we collect to other parties.
4.1 PERSONAL INFORMATION THAT YOU ACTIVELY SUBMIT TO US
We collect Personal Information that you actively submit to us through your account, website forms, email subscriptions, surveys, events, conferences, customer service and ancillary support services , inquiries, and other interactions. You will normally know when we collect your Personal Information because we will directly ask you for the information. Examples are provided below. We will require certain Personal Information in order for you to use our Services or for us to be able to contact you. There may also be circumstances where providing Personal Information is optional and does not impact your access to Services.
4.1.1 Your Account. Whether you are a Customer or a Finder (or both), when you create a HackerOne account, you are required to provide us with profile information, including your email address and password. HackerOne stores this information to help identify you when you log in. Once you've registered, you create a user profile. Your profile information includes your name (if you choose to provide it), chosen username, company name (if applicable), and if you choose, a profile photo, your location, your social media and other third-party affiliations, and any other information you include in the "About me" or "Intro" fields. We may display your profile information on our site where other users of the Services and visitors to our website will be able to see that information. If you enable two-factor authentication, we will store a phone number used for account recovery purposes.
If you are a Customer, in addition to your profile information, you may provide us with financial information, such as your credit card or debit card information or your banking information, in order to assist us in awarding bounties, collecting bounty deposits, or collecting HackerOne fees.
If you are a Finder, in addition to your profile information, you may need to provide us with other personally identifying information necessary for background and fraud checking purposes where required. This includes your date of birth, nationality, current and previous addresses, your social security number (or tax identification number), and for Reward purposes, your banking, Coinbase, PayPal, or similar information in order to allow us to pay you monetary Rewards from Customers. In addition, in order that we can award any "swag" where available, we may ask for information such as a mailing address, telephone number, and clothing size. In addition to Personal Information we collect, your profile may be publicly associated with any vulnerability reports or other content that you submit, in the event these are published on the Services.
4.1.2 Events. We host events to bring together industry professionals in a casual setting. We also host live hacking events where top Finders from all over the globe join together to find vulnerabilities on HackerOne Customer programs. To register in advance for these events, we may collect your first name, last name, email address, company name (if applicable), job title (if applicable), and give you an option to provide us a website reference.
4.1.3 Email Subscriptions. We actively communicate with subscribers through newsletters, webinars, and education content, and also send emails about product updates, events, the status of the HackerOne Platform, and updates to the third-party service providers (sub-processors) used to process Personal Information. A subscriber may be required to provide their email address and other contact information to receive communications.
4.1.4 Text Subscriptions. We may communicate with subscribers through text messages concerning the status of the HackerOne Platform. A subscriber is required to provide their phone number to receive texts.
4.1.5 Recruitment. We are always looking out for new employees. So should you decide to apply to us (or a partner recruitment provider or service) for a role, we will collect the information contained in your resume/cv, (information such as where you went to school or previous employment) along with any other relevant information you choose to provide to us.
4.1.6 Surveys. We occasionally conduct surveys in order to gather data central to assessing our business objectives and understanding the Finder community. Participation in surveys is always optional. Information provided in surveys is anonymized and aggregated for analysis.
4.1.7 Contact Us. There are multiple opportunities for you to contact us, including for support, to report a bug, make a suggestion, make a sales inquiry, request a product demonstration, request research, and for customer service and ancillary support services. Online forms collect Personal Information such as a first name, last name, email address, company (if applicable), job title (if applicable), reason for contact, and may provide an option to attach a file. When we contact you in response to your request, we may collect additional Personal Information.
4.2 PERSONAL INFORMATION WE AUTOMATICALLY COLLECT THROUGH YOUR USE OF THE SERVICES
We receive some Personal Information automatically when you visit HackerOne Services. This includes information about the device, browser, and operating system you use when accessing our site and Services, your IP address, the website that referred you, which pages you request and visit, and the date and time of each request you make. If you visit the HackerOne Platform when you are logged into your account, we also collect the user identification number we assign you when you open your account.
4.3 PERSONAL INFORMATION WE COLLECT FROM THIRD-PARTY SOURCES
We are continually expanding our Customer reach. As part of our business-to-business marketing, we collect Personal Information from third-party sources to identify individuals who hold relevant job roles in key industries. Personal Information collected generally includes a first name, last name, job title, company name, email address, and phone number. We generally communicate via email or telephone to provide information about HackerOne programs and offer businesses an opportunity to try out HackerOne Services.
4.4 PERSONAL INFORMATION OF MINORS
We welcome all Finders to register a HackerOne account as a Finder, participate in our programs, and submit reports to HackerOne. We believe that skilled Finders are not determined by age. However, applicable laws may restrict our ability to collect Personal Information from minors unless we have first obtained the consent of the minor's parent or guardian. Please note that the definition of a minor varies by jurisdiction and various laws institute age related requirements. If you are considered a minor and want to submit a vulnerability report to us, please ask your parent or guardian to submit it for you. Please note that in addition, any Reward payments that may apply are only issued to an adult. HackerOne does not otherwise knowingly collect Personal Information of minors, and the HackerOne Services are not directed to minors. If we become aware that we have collected Personal Information from a minor in conflict with applicable law, we will delete that information or obtain the requisite consent from the minor's parent or guardian.
4.5 PERSONAL INFORMATION WE COLLECT USING COOKIES AND SIMILAR TRACKING TECHNOLOGIES
5. How we use your personal information
We use your Personal Information to operate our Services, fulfill our contractual obligations in our contracts with Customers and Finders or take steps preparatory to entering into those contracts, to review and enforce compliance with our Terms, guidelines, and policies, to analyze the use of the Services in order to understand how we can improve our content and service offerings and products, and for administrative and other business purposes. We process Personal Information for sales leads, subscription services, payments, employee training, marketing, data analysis, security monitoring, auditing, research, and to comply with applicable laws, to exercise legal rights, and meet tax and other regulatory requirements.
In this context, the legal basis for our processing of your Personal Information is either the necessity to perform or enter into contractual and other obligations, our legitimate business interests as a provider of security services (and the other legitimate interests described above), compliance with legal and regulatory requirements, or in some instances your consent.
6. Sharing of personal information
WE DO NOT SELL YOUR PERSONAL INFORMATION!
We may share your Personal Information in the following circumstances:
6.2 THIRD-PARTY SERVICE PROVIDERS
We may share information we collect about you with third-party service providers to perform tasks on our behalf in supporting the Services. The types of service providers, or sub-processors, to whom we entrust Personal Information include: (i) payment providers; (ii) providers of hosting services; (iii) sales and marketing providers; (iv) providers of document and content management tools; (iv) providers of analytic data services; and (v) other services such as system support, subscription services, verification, and ticketing.
For Finders who participate in certain Customer programs, to the extent described in the policies of such Customer programs, HackerOne may share contact information about those Finders (for example, name, company name (if applicable), and email address) to allow those Customers to contact those Finders to allow them to interact directly or as otherwise authorized by the Finder with respect to the specific Customer program or service. For Finders who choose to submit a vulnerability report directly to a Customer outside the HackerOne Platform, HackerOne may provide that Customer with a reference to your public profile information. In the event of a serious security concern, HackerOne may determine, in its sole discretion, that Personal Information will be shared with a Customer to identify and resolve the security concern.
6.3 REGULATORY BODIES, PUBLIC AUTHORITIES, AND LAW ENFORCEMENT
We may access and disclose your Personal Information to regulatory bodies if required under applicable law or regulation. This may include submitting Personal Information required by tax authorities. We may disclose your Personal Information in response to lawful requests by public authorities or law enforcement, including to meet national security or law enforcement requirements. If we are going to release your Personal Information in this instance, our policy is to provide you with notice unless we are prohibited from doing so by law or court order (including orders under 18 U.S.C. § 2705(b)).
6.4 MERGER, SALE, OR OTHER ASSET TRANSFERS
6.5 OTHER DISCLOSURES
Where there is agreement by Customers and Finders that Finder Submissions are publicly disclosed, then certain information about the submission associated with your profile may be published through our Services. We may share Personal Information with our affiliated companies. We may also disclose your Personal Information to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of HackerOne, other users of our Services, of any other individuals, or of the general public; to maintain and protect the security and integrity of our Services or infrastructure; to protect HackerOne and our Services from fraudulent, abusive, or unlawful uses; or to investigate and defend HackerOne against third-party claims or allegations. Disclosures may be made to courts of law, attorneys and law enforcement, or other relevant third parties in order to meet these purposes.
Please note that we share aggregated information and non-identifying information with third parties for industry research and analysis, demographic profiling, and other similar purposes. In addition, our Services may contain links to other websites not controlled by us, and these other websites may reference or link to our Services; we encourage you to read the privacy policies applicable to these other websites.
6.6 CALIFORNIA CONSUMER PRIVACY ACT OF 2018 ("CCPA")
Pursuant to §§ 1798.110 and 1798.115 of the CCPA, the categories of Personal Information we have collected about consumers and disclosed about consumers for a business purpose in the preceding 12 months are:
- Identifiers such as a real name, alias, postal address, email address, unique personal or online identifier, Internet Protocol address, account name, SSN, driver's license or passport number, or other similar identifiers;
- Other information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including signature, bank account number, credit card number, debit card number, or any other financial information;
- Commercial information, including products or services purchased, obtained, or considered; other purchasing or consuming histories or tendencies;
- Internet or other electronic network activity information, including, browsing history, search history, and information regarding a consumer's interaction with an internet website, or advertisement;
- Professional or employment-related information; and
- Inferences drawn from any of the information identified to create a profile about a consumer reflecting the consumer's preferences, intelligence, abilities, and aptitudes (applies only to Finders who have registered an account and participate in programs and subsequent skill ratings).
Please note that not all of this information is collected or disclosed from all consumers using our Services.
7. Retention of personal information
HackerOne retains Personal Information for a reasonable time period to fulfill the processing purposes mentioned above. Personal Information is then archived for time periods required or necessitated by legal or regulatory considerations. When archival is no longer required, Personal Information is deleted from our records.
You may choose to disable your HackerOne account at any time. This means your user profile will no longer be visible on the Services. However, for the purposes mentioned above, we may need to retain information within our internal systems. In addition, public vulnerability reports and associated information that you have submitted will still be available on the Services.
We retain Personal Information that we are required to retain to meet our regulatory obligations including tax records and transaction history. We regularly review our retention policies to ensure compliance with our obligations under data protection laws and other regulatory requirements. We regularly audit our databases and archived information to ensure that Personal Information is only stored and archived in alignment with our retention policies.
8. Protection of personal information
HackerOne uses technical and organizational measures to protect the Personal Information that we store, transmit, or otherwise process, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems.
However, you should keep in mind that the Services are run on software, hardware, and networks, any component of which may, from time to time, require maintenance or experience problems or breaches of security beyond our control. Please also be aware that despite our best efforts to ensure the security of your data, we cannot guarantee that your information will be 100% secure.
Please recognize that protecting your Personal Information is also your responsibility. We urge you to take every precaution to protect your information when you are on the Internet, such as using a strong password, keeping your password secret, and using two-factor authentication. If you have reason to believe that the security of your account might have been compromised (for example, your password has been leaked), or if you suspect someone else is using your account, please let us know immediately.
9. International data transfer
If you are located outside the United States and choose to provide your Personal Information to us, we will transfer your Personal Information to (or receive it in) the United States and process it there. Your Personal Information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. Whenever we transfer your Personal Information, we will take all reasonable steps to ensure that your privacy rights continue to be protected. Wherever you are based, we are responsible for the processing of your Personal Information, including any subsequent transfers to third parties.
9.1 EU - US DATA TRANSFERS
If HackerOne transfers Personal Information to a jurisdiction (or to a third party in a jurisdiction) for which the European Commission, Switzerland or the UK (as applicable) has not issued an adequacy decision, HackerOne will implement appropriate technical and security safeguards as required, including Standard Contractual Clauses (see below) approved by competent authorities, to transfer Personal Data in accordance with data protection and privacy laws, either internally between our group entities, or between us and our Finders and Customers (such as where we process personal data on their behalf).
9.2 STANDARD CONTRACTUAL CLAUSES
In order to comply with the transfer of data rules between the US and the UK, Switzerland or EU we offer Standard Contractual Clauses (sometimes also referred to as EU Model Clauses). Standard Contractual Clauses are contractual clauses designed to ensure HackerOne meets the legal and regulatory requirements for Customers and Finders using the Services in the European Economic Area (“EEA”), Switzerland and the UK. A copy of our standard Data Processing Agreement which incorporates the Standard Contractual Clause is available here.
10. Privacy rights
Subject to where you are based you may have rights under data protection and privacy laws, including but not limited to the CCPA and the EU General Data Protection Regulation (“GDPR”). Under these laws, individuals have the right to access Personal Information and to correct, amend, restrict, or delete that information where it is inaccurate, or has been processed in violation of your rights, except in some cases where their request is manifestly unfounded or excessive, or where certain other circumstances apply, for example where the rights of persons other than the individual will be violated.
If you have a HackerOne account, we rely upon you to keep your information up to date. You may edit your profile information and may also choose to disable your HackerOne account at any time through your account settings. For subscription services, such as newsletters, webinars, events, and the like, we offer you the ability to manage your preferences and choose whether to receive email communication for each service. To manage your preferences, please visit the Email Subscription Preference Center at https://ma.hacker.one/SubscriptionManagement.html. Where you are receiving communication from us of a marketing nature, we provide the ability for you to unsubscribe directly from the email.
Where we rely upon consent as a legal basis for processing, you may withdraw your consent at any time. Please note the withdrawal of your consent does not affect the lawfulness of processing based on consent before withdrawal.
Individuals in the many territories where we operate have certain rights that may be subject to limitations and/or restrictions. These include but are not limited to, the right to: (i) request access to and rectification or erasure of their Personal Information; (ii) obtain restriction of processing or to object to processing of their Personal Information; and (iii) ask for a copy of their Personal Information to be provided to them, or a third party, in a digital format. If you wish to exercise one of the above-mentioned rights, please send us your request to the contact details set out below. Individuals also have the right to lodge a complaint about the processing of their Personal Information with their local data protection authority.
Personal Information subject rights under the CCPA may also apply to certain individuals and households. These rights include the right to: (i) know what Personal Information is being collected about them, (ii) know whether their Personal Information is sold or disclosed at to whom, (iii) say no to the sale of Personal information, (iv) access their Personal Information, and (v) equal service and price, even if they exercise their privacy rights.
10.1 EXERCISING YOUR RIGHTS AND PRIVACY DISPUTES
11. Changes to this policy
12. Contact information
Toll-free Number (USA): +1 (855) 242-8699
Attn: Privacy Officer
548 Market Street, PMB 24734
San Francisco, CA 94104-5401
United States of America
Our EU representative:
Attn: Privacy Officer
9723 DV Groningen