Last Updated: April 24th, 2019
HackerOne strives to be a safe and transparent environment for its users.
1. The Information We Collect
We collect some information from you when you create an account so that you can use the Services.
We also collect some information to make sure HackerOne works properly and to improve user experience. This may include using Your Information for analytical purposes.
Below is a more detailed explanation of the information we collect and use.
1.1. Information We Collect Directly From You
Whether you are a Customer or a Finder, when you create an account with HackerOne, you are required to provide us with profile information, including your name, company name (if applicable), username, password, and email address. HackerOne stores this information to help identify you when you log in.
Once you've registered with HackerOne, you create a user profile. Your profile information includes your name (if you choose to provide it), chosen user name, company name (if applicable), and if you choose, a profile photo, your location, and any other information you choose to include in the "About" field. We may display your profile information on our site where other users of HackerOne and visitors to our web site will be able to see that information.
If you are a Customer, in addition to your profile information, you may provide us with financial information, including your credit card or debit card information, or your banking information, in order to assist us in awarding Bounties, collecting Bounty Deposits, or collecting HackerOne Fees.
If you are a Finder, in addition to your profile information, you may need to provide us with other personally identifying information necessary for background and fraud checking purposes where required. This includes your date of birth, nationality, current and previous addresses, your social security number (or tax identification number), and for bounty award purposes, your banking, Coinbase, or PayPal information in order to allow us to pay you monetary Bounty awards from Customers. In addition, in order that we can award any "swag" where available, we may ask for information such as a mailing address, telephone number, and t-shirt size.
In addition to personal information we collect, your profile may be publicly associated with any Vulnerability Reports and content that you submit, in the event these are published on the Services.
1.2. Information We Automatically Collect
We receive some information automatically when you visit HackerOne. This includes information about the device, browser, and operating system you use when accessing our site and Services, your IP address, the website that referred you to HackerOne, which pages you request and visit, and the date and time of each request you make to HackerOne. If you visit HackerOne when you are logged into your account, we also collect the user identification number we assign you when you open your account.
- Strictly necessary cookies
When you log in to your account, HackerOne will place cookie(s) for the purpose of creating the session, knowing when you're logged in, and recognizing you as the same authenticated user across accounts. These cookie(s) contain an encrypted user identifier.
- Functionality cookies
We use functionality cookies to recall information you provide, the choices you make, or the settings you select to optimize features for you across the Services or to remember changes you have made to customize the Service to you.
- Analytic cookies
- Advertising and retargeting cookies
We may use Twitter, LinkedIn, and Facebook pixels on certain site pages to learn whether you interact with online content and measure the effectiveness of our social media campaigns.
Most browsers include an option to clear existing cookies or reject new ones. More information about managing storage settings across different browsers can be found at www.allaboutcookies.org. If you prefer not to use any cookies, you can also opt out in some browsers by turning on "Do Not Track" or visiting https://www.aboutads.info/choices and https://www.youronlinechoices.com to opt out directly. Certain third parties we work with also offer their own opt-out tool including Google https://tools.google.com/dlpage/gaoptout. However, if you reject new cookies, portions of HackerOne will not function as intended. We currently do not support Do Not Track browser settings.
2. How We Use or Disclose Your Information
We may use Your Information when needed to provide and keep the site and Services running and prevent abuse. Your Information is used internally in this respect, to provide our Services under our Terms with you, for the purpose of our legitimate business interests, to comply with our legal obligations or with your consent. In particular, we use your information:
- to allow us, in our legitimate interest, to support, sign in, and verify access by registered users;
- to establish and administer commercial relationships and transactions under our General Terms and Conditions;
- to send you marketing communications, including via email and SMS in compliance with applicable laws and in accordance with your preferences, that we believe may be of interest to you;
- to contact you about your account or reply to any communications you send us;
- to troubleshoot, in our legitimate interest, any problems with your account or the Services;
- to review and enforce compliance with our General Terms and Conditions and guidelines and policies; and
- to analyze the use of HackerOne in order to understand how we can improve our content and services.
In addition, we employ other companies and people to perform tasks on our behalf in supporting the Services. This includes, but is not limited to, providers of hosting, payment processing, document and content management tools, providers of software and services that allow integration with our other systems such as for verification, ticketing, and escalation purposes, and providers of analytic data services. We may share Your Information with them as needed to provide the Services to you. Unless we tell you differently, our agents do not have any right to use any personal information we share with them beyond what is necessary to assist us.
Where there is agreement by Customers and Finders that Vulnerability Reports are publicly disclosed, then certain information about the report associated with your profile may be published through our Services.
For Finders who participate in certain Programs of particular Customers, to the extent described in the Program Policies, HackerOne may share contact information about those Finders (name, company name (if applicable), and email address) to allow those Customers to contact those Finders to allow them to interact directly.
For Finders who choose to submit a Vulnerability Report directly to a Customer outside the HackerOne Platform, HackerOne may provide that Customer with a reference to your public profile information.
We may share aggregated information and non-identifying information with third parties for industry research and analysis, demographic profiling and other similar purposes.
We will cooperate with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose Your Information to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate: (i) to comply with law, regulation or valid legal process (including orders and subpoenas); or (ii) to protect our property, rights and safety and the property, rights and safety of a third party or the public in general. If we are going to release Your Information, our policy is to provide you with notice unless we are prohibited from doing so by law or court order (including orders under 18 U.S.C. § 2705(b)).
3. Information Storage
With the exception of access logs, which are retained for two years and then purged from our systems, Your Information will be retained for the duration of your account and may be retained for a period after this time as necessary and relevant to our legitimate operations, our General Terms and Conditions with you, and in compliance with applicable law obligations. This may include retention necessary to meet our tax reporting requirements or for licensing purposes, as well as time required to enforce our rights or identify, issue, or resolve legal proceedings.
You may choose to disable your HackerOne account at any time. This means your user profile will no longer be visible on our site and Services. However, for the purposes mentioned above, we may need to retain information within our internal systems. In addition, public reports and associated information that you've submitted will still be available on HackerOne.
HackerOne will use reasonable efforts to secure information submitted to us by our users. We use encryption (HTTPS/TLS) to protect data transmitted to and from our site. However, no data transmission over the internet is completely secure, so we cannot guarantee the absolute security of this data. You use the Services at your own risk, and are responsible for taking reasonable measures to secure your account (such as keeping your password secret).
We welcome children to submit reports to HackerOne. However, applicable laws may restrict our ability to collect personal information from children.
The definition of a child varies by jurisdiction. In the United States and the United Kingdom, this section applies to you if you are under 13. In most member states of the European Union, this applies to everyone under 16.
HackerOne is not directed to minors. If you are considered a child and want to submit a report to us, please ask your parent or guardian to submit it for you. Please note that any bounty payments that may apply are only issued to an adult. If we become aware that we have collected personal information from a child in conflict with applicable law, we will delete that information.
6. International Transfer
Your Information may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide Your Information to us, we may transfer Your Information to the United States and process it there. Where we transfer Your Information, we will take all reasonable steps to ensure that your privacy rights continue to be protected.
In the case of transfers of data out of Europe, we have committed to comply with the EU and Swiss Privacy Shield frameworks. For more information about our Privacy Shield commitment please see below and our Privacy Shield Notice.
Our Commitment to the Privacy Shield
Adherence to the Privacy Shield Frameworks
7. Privacy Rights
We respect the rights you may have to request the Information held by us and where relevant, to receive a copy of this information or to receive that information in a commonly used electronic format (or have it provided to another service provider where feasible). You may also have the right under applicable law to request the correction or erasure of Your Information, to seek to object to the further processing under certain circumstances of Your Information or to request that specific processing is restricted while we verify or investigate your concerns with this information.
As mentioned above you have the right to request to limit the use and disclosure of your personal data (i.e. object) to certain further processing which includes direct marketing or to request a list of any third parties in the past calendar year to which we may have disclosed your information for direct marketing purposes along with details of the categories of information shared with those third parties. You can submit a request by email or by writing to us at the "Contact" address below.
If you remain unhappy with a response you receive, you can also refer the matter to a relevant data protection supervisory authority.
Attn: Privacy Officer
300 Montgomery Street, 12th Floor
San Francisco, CA 94104
United States of America
Or by contacting our EU representative:
Attn: Privacy Officer
9723 DV Groningen