HackerOne Privacy Policy

Effective Date: May 11, 2026

This Privacy Policy explains how HackerOne Inc., HackerOne, B.V., HackerOne UK Limited, HackerOne Ireland Limited, HackerOne India, and Pullrequest, LLC (together, "HackerOne", "we", "us" or "our") collect, use, and share personal data about you when you visit our websites or use our Services, as applicable to this Privacy Policy (as defined below).

HackerOne is a global leader in Continuous Threat Exposure Management (CTEM). HackerOne partners with the global security researcher community, which may be referred to as "Community Members", "security researchers", "researchers", "hackers", or "you" (we will use the term "Community Member(s)" in this policy), to provide businesses with access to top talent Community Members who identify and surface relevant security issues in a business's products or services.

HackerOne operates a cybersecurity platform that delivers continuous offensive security, enabling organizations to identify, assess, and remediate vulnerabilities across software, systems, and AI through a combination of technology, security researchers, and related services; the website located at hackerone.com and related domains and subdomains; and related services, including live hacking events, marketing, customer service and ancillary support services (collectively referred to as "Services").

For the purposes of the UK and EU GDPR (together "GDPR"), the HackerOne entities listed above are "controllers" of your personal data as it is described in this Privacy Policy. This means we make decisions about how and why your information is used, and have a responsibility to make sure that your rights are protected when we do so.

What personal data do we collect?

When we refer to "personal data," we mean information which relates to an identified or identifiable individual (i.e. a natural person). We may collect and process your personal data directly from you (including through online forms, when you contact us about our Services, or through our service provider); from the device(s) you use to access the websites; from third parties (for example, Google Analytics); and from public sources (such as LinkedIn).

Personal data we collect from you directly

Enquiry and Business Development Data (information we receive when you get in touch) including: name, contact details (e.g., phone, email address), website reference number, job title, video and audio recordings and transcripts, and other personal data you send to us as part of enquiries.

Account Data (relating to Community Members or customers) including: your username, password, email address; your profile name; if you choose, your name, social media and other third-party affiliations; profile picture and any other information you include in "About me" or "Intro" fields; telephone number (if used for two-factor authentication); language and location (IP location); clothing size and other "swag" related data ("swag" is when we offer merchandise as an award for Members hitting certain milestones in the Community); the use you make of our Services and the content you provide while doing so.

Payment Data including: name, contact details (e.g., phone, email address), account or card information, tax identification documentation, transaction details (e.g., amount due or paid) and your Vetting Data.

Hosted Event Data including: name, email address, company and job title and website reference.

Vetting Data or other Community Member related information including: your Account Data; survey data; date of birth; nationality; current and previous addresses; social security (or tax identification) number; identification documents (e.g., passport or driving license, which will include images of Community Members); and images and/or videos, including face scans and other measurements extracted from the same which are used to authenticate the Community Member or Community Member's identification document photos.*

* Some of this extracted data may be considered biometric data under applicable data protection laws in certain jurisdictions. Please review the privacy policy of the applicable service provider for more details.

Personal data we collect from your device(s) or third parties

Analytics: We may use third party services such as Google Analytics to collect information from the device(s) you use to access the websites, such as your browser type and version, IP and MAC address, approximate location and time zone, access logs, device type, operating system, and other information provided by your browser or device; your user ID and the use you make of our Services, including URLs and content you visit, language preferences, clickstream to, through and from our website, date and time, page response times, errors, length of visits to pages, interaction (such as scrolling, clicks and mouse-overs) data, and methods used to leave our site; and error reports generated if there are problems with our Services.

You can find out more about how Google processes analytics data by clicking here. You can withdraw your consent for Google Analytics by using the following link: Google Analytics.

You can find out more about how LinkedIn processes data by clicking here. LinkedIn account holders can opt-out specifically from LinkedIn's use of certain data to show more relevant ads. LinkedIn visitors can do so here.

You can find out more about how Meta processes data and how to adjust your preferences by clicking here.

Your personal data and how we use it

We use your personal data for the following purposes and on the following lawful bases:

Category of personal data: Enquiry and Business Development Data
Purpose: To respond to your support and other enquiries, and to provide records of technical and other meetings.
Lawful basis relied on: We may process this data in accordance with the terms of our contract with you (where we need this information to provide Services to you) or to take steps at your request prior to entering a contract. We also use this to pursue our legitimate interests, in responding to enquiries to ensure smooth operation of our business and Services.

Category of personal data: Enquiry and Business Development Data
Purpose: To send you promotional and non-promotional material about us and our Services (or to call you about our Services).
Lawful basis relied on: Unless we are contacting you as staff of a corporate entity, or where the "soft-opt-in" applies, we process your personal data for marketing with your consent. If you are staff of a corporate entity, or if we have asked you for consent to send marketing material when negotiating your purchase of Services, we may process this data in pursuit of legitimate interests in keeping you informed about our Services through marketing email and/or text messages or calls. We may send messages to let you know about the status of the HackerOne Platform, changes to our supply chain, privacy and similar policies or other terms in pursuit of our legitimate interests to ensure you receive prompt notice of important changes. To manage your messaging preferences, please visit the Email Subscription Preference Centre at the following link (or if you receive a marketing communication, you can unsubscribe directly using the link in our emails): https://ma.hacker.one/SubscriptionManagement.html

Category of personal data: Video and Audio Recordings and Transcripts of Meetings with You
Purpose: To respond to your requests and to improve our Services.
Lawful basis relied on: With your consent.

Category of personal data: Account Data
Purpose: To enable you to register for, log into, access, use, and pay for our Services, and to enforce our terms.
Lawful basis relied on: We process this personal data in accordance with the terms of our contract with you (where we need this information to provide Services to you) or to take steps at your request prior to entering into a contract. We also process your profile data (excluding details which you specify as non-public) by making it available through our Services to third parties so they can find you and review your profile. Your profile will also be linked to any reports and other content you submit publicly through the Services, or privately through our program. We do this in pursuit of the legitimate interests of us, Community Members and customers, in making it easy to find and connect with relevant Community Members and other users through our Services.

Category of personal data: Payment Data
Purpose: To collect, facilitate, make, and record payments.
Lawful basis relied on: We process this personal data in accordance with the terms of our contract with you or to take steps at your request prior to entering a contract with you. We also process this personal data to comply with applicable laws, such as finance related laws. We also process this personal data in pursuit of our legitimate interests in complying with rules imposed by payment services providers.

Category of personal data: Vetting Data
Purpose: To undertake fraud, background, sanctions and similar checks for Community Members in relation to screening for participation in HackerOne Clear, pentesting, and to fulfill our compliance obligations in relation to Rewards.
Lawful basis relied on: We carry out sanctions screening, report to tax authorities, police enforcement authorities, enforcement authorities, and/or supervisory authorities to comply with applicable law. We process this data in accordance with the terms of our contracts with Community Members and customers. We also process this personal data to pursue legitimate interests (being our interests and those of our customers and the public, in detecting and preventing fraud or money laundering). With your consent, we may also process this personal data to provide Services to our customers, e.g., HackerOne Clear or pentesting. In particular, where you consent, we may use our third party service providers to confirm that your image matches that on the identification documents you provide, and to conduct background checks, and we will notify our customers that you have passed the foregoing checks (we will not share this personal data with our customers, only that we have carried out checks to a certain standard).

Category of personal data: Hosted Event Data
Purpose: To host events to bring together industry professionals in a casual setting. We also host live hacking events where top Community Members from all over the globe join to find vulnerabilities on HackerOne customer programs. We process this information to allow you to register for events, and to provide attendees with details of others attending our events.
Lawful basis relied on: We process this personal data to pursue our legitimate interest in ensuring attendees at our events can attend and get the most out of their events.

Category of personal data: Survey Data
Purpose: To conduct surveys.
Lawful basis relied on: To pursue our legitimate interests in gathering data to assess and inform our business objectives and understand the Community Member environment. Participation in surveys is always optional. Information provided in surveys, once collected, is anonymized and aggregated for analysis.

Category of personal data: Analytics Data
Purpose: To understand how people use the Services, where they come from, which devices and operating systems they use, and how they interact with our Services, and to help improve and maintain our Services. We may also use this data to: (a) determine which adverts and Services are likely to be most relevant to you, so we can use our third parties to deliver ads for HackerOne Services to you later on websites and those of third parties; and (b) track ad performance (including whether ads are clicked and/or lead to a successful relationship).
Lawful basis relied on: We process analytics data if you have given your consent.

Category of personal data: Enquiry and Business Development Data, Account Data, Survey Data, and Analytics Data
Purpose: We use machine learning to understand more about Community Members and customers, and how we can improve our business and Services. We do this by monitoring how our Services are used, and the content submitted through our Services, along with any feedback received from or about Community Members and customers, and using what we learn to inform our marketing, development, recruitment and business strategy.
Lawful basis relied on: We use this information to pursue our legitimate interests, and those of our current or prospective Community Members and customers, in: understanding skills and experience offered by Community Members and desired by customers so we can refine our marketing, development and recruitment strategies to better meet the demands of the market; devising new products and improving our Services (by making changes to interfaces, fixing bugs and developing new functionality); producing and distributing the insights we uncover, such as in reports describing what we learn from statistical and other analysis; or pointing users to resources which may allow them to make the most out of our Service (for example, if a customer often uses certain features, or a Community Member often accepts certain types of project, then we may be able to flag similar features or jobs which may be of interest).

Disclosure

We may share your personal data with third-party service providers, who will process it on our behalf for the purposes identified above. We use third-party providers of certain services such as but not exclusively in the following categories: website hosting, website analytics, behavioral remarketing services, marketing automation, payment processing, contract signing, IT maintenance, security, customer services, artificial intelligence (AI) processing, and identity verification and screening. We also pass information to our payment processing partners when you make a payment.

Other than as set out above, we may disclose your personal data:

  • Where required by law, government, competent authorities or the courts (including to meet national security or law enforcement requirements); or to establish, exercise or defend our legal rights; or for the purposes of preventing crime and fraud (for example, we may share personal data with our professional advisors, investigators, or credit reference agencies); or to take precautions against liability, protect rights, property or safety of HackerOne, our users, other individuals or the public; to maintain and protect security and integrity of our Services or infrastructure; to protect HackerOne and our Services from fraud, or abusive or unlawful use; or to investigate and defend HackerOne against third-party claims or allegations.

  • Our policy is to make reasonable efforts to provide notice of disclosures to law enforcement or public authorities, unless prohibited by law or court order (including orders under 18 U.S.C. § 2705(b)).

  • Where customers and Community Members agree submissions should be publicly disclosed, certain information about the submission associated with your profile may be published through our Services.

  • Please note we share aggregated information and non-identifying information with third parties for industry research and analysis, demographic profiling, and other similar purposes. In addition, our Services may contain links to other websites not controlled by us, and these other websites may reference or link to our Services; we encourage you to read the privacy policies applicable to these other websites.

  • With members of our corporate group, our suppliers, and subcontractors, as necessary for the purposes set out in this policy (such suppliers may include payment providers, providers of hosting services, sales and marketing service providers, providers of document and content management tools, providers of analytic data services, and suppliers of other services such as system support, subscription services, verification and ticketing).

  • If involved in an investment, merger, acquisition, or sale of our organization or assets, personal data we hold may be shared based on the legitimate interests of us, our shareholders, customers and other parties to a transaction, unless those interests are outweighed by prejudicial impacts upon you.

Retention

To determine the appropriate retention period of personal data, we consider its amount, nature, and sensitivity, and the purposes for which we process it. We also consider applicable legal obligations, and the need to deal with complaints or inquiries and to protect our legal rights in the event of claims. In general, subject to the considerations above, we keep the following categories of personal data for the following periods:

  • Enquiry and Business Development Data: 7 years from when our relationship with you ends.

  • Video and Audio Recording and Transcripts: For up to 30 days after the data is no longer necessary to fulfill the original purpose.

  • Account Data, Payment Data, and Vetting Data: 7 years from when our relationship with you ends, except where a different period is required by applicable law.

  • Hosted Event Data: 2 years from initial collection (or longer if we ask for and receive your consent to retain this information to facilitate future swag awards).

  • Survey Data: For up to 12 months, but we keep anonymous statistics we generate indefinitely.

  • Analytics Data: After 26 months, the underlying data is deleted, but we may retain anonymous, aggregated statistics generated from that data indefinitely.

Where retention periods are not noted above, HackerOne retains personal data for a reasonable time to fulfil processing purposes mentioned herein. Data is then archived for time periods required or necessitated by legal or regulatory considerations. When archival is no longer required, personal data is deleted.

You may choose to disable your HackerOne account at any time. This means your user profile will no longer be visible through the Services. However, for the purposes mentioned herein, we may need to retain information within our internal systems. In addition, public vulnerability reports and associated information that you have submitted will still be available on the Services.

Security

HackerOne uses technical and organizational measures to protect the personal data we store, transmit, or otherwise process, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems.

However, you should keep in mind that the Services are run on software, hardware, and networks, any component of which may, from time to time, require maintenance or experience problems or breaches of security beyond our control. Please also be aware that despite our best efforts to ensure the security of your data, we cannot guarantee that your information will be 100% secure.

Please recognize that protecting your personal data is also your responsibility. We urge you to take every precaution to protect your information when you are on the Internet, such as using a strong password, keeping your password secret, and using two-factor authentication. If you have reason to believe that the security of your account might have been compromised (for example, your password has been leaked), or if you suspect someone else is using your account, please let us know immediately.

Cookies

We (and the third-party service providers working on our behalf) use various technologies to collect personal data. This may include saving cookies to your device, using pixels and similar technologies. For information on what cookies and pixels are, which ones we use, why we use them, and how you can manage their use, please see our Cookies Policy, which provides more information about how and why we or our commercial partners may process certain personal data relating to you, and should be read in conjunction with this Privacy Policy.

Transfers

If you are located outside the United States and choose to provide personal data to us, we will transfer that information to (or receive/access it in) the United States and process it there. Your personal data may be transferred outside of your state, province, country, or other jurisdiction, where privacy laws may not be as protective as those in your jurisdiction or location.

Where required by law (such as under the GDPR) if we transfer personal data to a country which does not provide an adequate level of protection, we implement appropriate safeguards, including standard contractual clauses approved by the competent authorities. In the case of transfers of data out of the European Union, Switzerland and the United Kingdom (and Gibraltar), we have committed to comply with the EU-U.S. Data Privacy Framework, the UK Extension to the Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. For more information drop us a line using the contact details below.

A copy of our standard Data Processing Agreement which incorporates the standard contractual clauses is available here.

EU-U.S. and Swiss-U.S. Data Privacy Framework and UK Extension

We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. HackerOne Inc. and its affiliates have certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. HackerOne Inc. and its affiliates have certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. HackerOne remains responsible for any of your personal data that is shared under the Onward Transfer Principle with third parties for external processing on our behalf, as described in the "Your Personal Data and How We Use It" section of our Privacy Policy. To learn more about the Data Privacy Framework (DPF) program, and to view HackerOne's certification, please visit https://www.dataprivacyframework.gov/.

For the purposes of this section, an affiliate is a wholly owned U.S. subsidiary of HackerOne Inc., including the following company that provides services in the U.S.: Pullrequest, LLC.

Note that the Federal Trade Commission has jurisdiction over HackerOne's compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

DPF Related Complaints & Queries

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, we commit to resolve DPF Principles-related complaints about our collection and use of your personal data. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact us at: privacy@hackerone.com or the contact details below.

We also commit to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States, the European Union, the United Kingdom, and/or Switzerland (as applicable). If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

You may have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. For more information about binding arbitration, visit https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

What are your rights?

Under the GDPR, you have the following rights in respect of personal data, although these rights may be limited in some circumstances:

  • Ask us to send a copy of your data to you or someone else;

  • Ask us to restrict, stop processing, or delete your data;

  • Object to our processing of your data;

  • Object to use of your personal data for direct marketing; and

  • Ask us to correct inaccuracies.

If we rely on consent to process data, you can withdraw your consent at any time by sending an email to privacy@hackerone.com.

You also have the right to complain to a data protection authority about how we process your personal data (see the contact details below).

California Privacy Rights Act of 2020 (CPRA)

The California Privacy Rights Act ("CPRA") may also apply to California residents and households. These rights, subject to applicable exceptions and limitations, include the right to: (i) know what personal data is being collected about them, (ii) know whether their personal data is sold or shared and to whom, (iii) opt out and say no to the sale or sharing of personal data, (iv) request to delete, correct, limit, and access their personal data, and (v) equal service and price, even if they exercise their privacy rights.

Pursuant to §§ 1798.110 and 1798.115 of the CPRA, the categories of personal data we have collected about consumers and disclosed about consumers for a business purpose in the preceding 12 months are:

  • Identifiers such as a real name, alias, postal address, email address, unique personal or online identifier, Internet Protocol address, account name, SSN, driver's license or passport number, or other similar identifiers;

  • Other information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including signature, bank account number, credit card number, debit card number, or any other financial information;

  • Commercial information, including products or Services purchased, obtained, or considered; other purchasing or consuming histories or tendencies;

  • Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer's interaction with an internet website or advertisement;

  • Professional or employment-related information; and

  • Inferences drawn from any of the information identified to create a profile about a consumer reflecting the consumer's preferences, intelligence, abilities, and aptitudes (applies only to Community Members who have registered an account and participate in programs and subsequent skill ratings).

Please note that not all of this information is collected or disclosed from all consumers using our Services.

WE DO NOT SELL OR SHARE YOUR PERSONAL DATA FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING.

Minors (children)

We welcome all Community Members to register an account, participate in our programs, and submit reports. We believe skilled Community Members are not determined by age. However, applicable laws may restrict our ability to collect personal data from minors unless we have first obtained the consent of the minor's parent or guardian.

If you are under the age of 13 and want to submit a vulnerability report to us, please ask your parent or guardian to submit it for you. Please note rewards/payments are only available to adults who have read and accepted our Community Member Terms and Conditions.

HackerOne does not otherwise knowingly collect personal data of minors, and the Services are not directed to minors. If we become aware that we have collected personal data from a minor in conflict with applicable law, we will delete that information or obtain the requisite consent from the minor's parent or guardian.

How do you contact us?

(if you have questions about this policy or to exercise your rights)

In the EU or UK:

Attn: Privacy Team
HackerOne B.V.
Griffeweg 97/4
9723 DV Groningen
Netherlands

Attn: Privacy Team
HackerOne UK Limited
4th Floor St. James House
St. James Square
Cheltenham, GL50 3PR
UK

privacy@hackerone.com

If we can't resolve your issue, you can also get in touch with the regulator. In the UK, this is the ICO: https://ico.org.uk/. In the Netherlands, the AP: https://autoriteitpersoonsgegevens.nl/.

(If you live in another European country, you can submit a complaint to the supervisory authority in your country).

Outside of the EU and UK:

Attn: Privacy Team
HackerOne Inc.
548 Market Street,
PMB 24734,
San Francisco, CA 94104
United States of America

Toll-free phone (USA): +1 (855) 242-8699

privacy@hackerone.com

What about changes?

We update this Policy from time to time so please check back in. If we make changes, we may notify you by email (sent to the email address specified in your HackerOne account), prior to the change becoming effective, or as otherwise required by law.