HackerOne PRIVACY POLICY

(Effective Date: 20 July 2024)

1. INTRODUCTION

Who are we?

HackerOne Inc. is a company incorporated in Delaware at 548 Market Street, PMB 24734 San Francisco, CA 94104 USA; HackerOne, B.V. is a company incorporated and registered in the Netherlands under company number 58601325 with its offices at Griffeweg 97/4, 9723 DV Groningen, The Netherlands; HackerOne UK Limited, company registration 14123945, with its registered address at 4th Floor St. James House, St. James Square, Cheltenham, UK, GL50 3PR; and, Pullrequest, LLC is a company incorporated in Delaware at 548 Market Street, PMB 24734 San Francisco, CA 94104 USA. These entities (together, “HackerOne”, “we”, “us” or “our”) may decide the means and purpose of processing personal data, in which case they are a “controller” of that data.

What’s this policy about?

HackerOne is an industry leader in hacker-powered security. HackerOne partners with the global security researcher community, which may be referred to as hackers, Community Members, or you (we will use the term “Community Member(s)” in this policy), to provide businesses with access to top talent Community Members who identify and surface relevant security issues in a business's products or services.
HackerOne operates a bug bounty & vulnerability disclosure software-as-a-service platform known as the HackerOne Platform, the website located at hackerone.com and related domains and subdomains, and related services, including live hacking events, marketing, and customer service and ancillary support services (collectively referred to as "Services").
This policy explains how we process your personal data as a data controller when you use, or contact us about, our Services.
What about changes?

We update this policy from time to time so please check back in. If we make significant changes, we may notify you by email (sent to the email address specified in your HackerOne account), by means of a notice on our Services prior to the change becoming effective, or as otherwise required by law. In certain cases, we may also seek your consent to further use of your Personal Information where this is required.

Minors (children)

We welcome all Community Members to register an account, participate in our programs, and submit reports. We believe skilled Community Members are not determined by age. However, applicable laws may restrict our ability to collect personal information from minors unless we have first obtained the consent of the minor's parent or guardian.
If you are under 18 and want to submit a vulnerability report to us, please ask your parent or guardian to submit it for you. Please note rewards/payments are only available to adults that have read and accepted our Community Member Terms and Conditions.
HackerOne does not otherwise knowingly collect Personal Information of minors, and the Services are not directed to minors. If we become aware that we have collected personal information from a minor in conflict with applicable law, we will delete that information or obtain the requisite consent from the minor's parent or guardian.
How do you contact us? (if you have questions about this policy or to exercise your rights)

You have the following rights in respect of personal data, although these rights may be limited in some circumstances:

  • Ask us to send a copy of your data to you or someone else
  • Ask us to restrict, stop processing, or delete your data
  • Object to our processing of your data
  • Object to use of your personal data for direct marketing
  • Ask us to correct inaccuracies

If we rely on consent to process data, or send direct marketing, you can withdraw consent by sending an email to privacy@hackerone.com.

The California Privacy Rights Act (“CPRA”) may also apply to California residents and households. These rights include the right to:
(i) know what Personal Information is being collected about them,
(ii) know whether their personal information is sold or shared and to whom,
(iii) Opt Out and say no to the sale or sharing of Personal Information,
(iv) access their personal information, and
(v) equal service and price, even if they exercise their privacy rights.


YOUR PERSONAL DATA AND HOW WE USE IT
Your data / How we use it / Sources and recipients

Enquiry data (information we receive when you get in touch) including:

  • Name;
  • Contact details, phone, email address; and
  • Other personal data you send to us as part of enquiries.

How long we keep it

7 years from when our relationship with you ends.

We process this information to respond to your support and other enquiries.

Sources

We collect this information from you.

Recipients include:

  • AWS
  • Google
  • InterCom
  • Componentlab
  • Box
  • SalesForce
  • Drift.com, Inc.

Account Data

We process the following personal data relating to Community Members or customers:

  • your username, password, email address; 
  • your profile name;
  • if you choose, your name, social media and other third-party affiliations, profile picture and any other information you include in “About me” or “Intro” fields;
  • telephone number (if used for two-factor authentication);
  • language and location (IP location); and
  • the use you make of our Services and the content you provide while doing so.

How long we keep it

7 years from when our relationship with you ends.

We process this information in order to enable you to register for, log into, access, use, and pay for our Services, and to enforce our terms. 

Legal basis

We process this personal data in accordance with the terms of our contract with you (where we need this information to provide Services to you) or to take steps at your request prior to entering into a contract.

We also process your profile data (excluding details which you specify as non-public) by making it available through our Services to third parties so they can find you and review your profile. Your profile will also be linked to any reports and other content you submit publicly through the Services, or privately through our program. We do this in pursuit of the legitimate interests of us, Community Members and customers, in making it easy to find and connect with relevant Community Members and other users through our Services.

More information

You may be required to provide us with certain information to make full use of our Services.  

Sources

We collect this information from you.

Recipients include:

  • AWS
  • FiveTran
  • Snowflake
  • Sumologic
  • Tray.IO
  • Slack
  • Intercom
  • SalesForce
  • Dropbox Sign
  • Docusign

Payment Data

We process this data for payments to Community Members or to receive customers' payments:

  • Name;
  • Contact details, phone, email address;
  • payment (such as account or card information, address, and other information necessary to transfer funds, for example Coinbase or PayPal account information) information;
  • tax identification documentation;
  • amounts due or paid, and associated transaction details; and
  • your Vetting Data.

How long we keep it

7 years from when our relationship with you ends.

We process this information to collect, facilitate, make and record payments.

Legal basis

We process this personal data in accordance with the terms of our contract with you or to take steps at your request prior to entering a contract with you.

We also process this personal data to comply with applicable laws, such as anti-money laundering, sanctions and export control. For example, we process Personal Data for our own know-your-user (“KYX”) requirements, to prevent, detect and investigate money laundering, terrorist financing and fraud.

We also carry out sanction screening, report to tax authorities, police enforcement authorities, supervisory authorities where we are not compelled by EU and Member State law but where we have a good faith belief that sharing the information is necessary to comply with applicable law such as OFAC checks.  Such processing is undertaken in pursuit of our legitimate interests in seeking to comply with applicable law, detecting and preventing suspected criminal activity, and complying with sanction and similar controls.  

We also process this personal data in pursuit of our legitimate interests in complying with rules imposed by payment services providers.

Sources

Unless otherwise indicated, we collect this information from you with your consent.

Recipients include:

  • AWS
  • Stripe
  • Currency Cloud 
  • Paypal
  • Coinbase
  • Dropbox Sign
  • Docusign

Vetting Data
Where applicable, we process the following personal data relating to Community Members:

  • your Account Data;
  • date of birth, nationality, current and previous addresses; and
  • social security (or tax identification) number

How long we keep it

7 years from when our relationship with you ends.

We process this information to undertake fraud, background, and similar checks.

Legal basis
We process this data in accordance with the terms of our contracts with Community Members and customers.

We also process this personal data to pursue legitimate interests (being our interests and those of our customers and the public, in detecting and preventing fraud or money laundering).

With your consent, we may also process this personal data to provide Services to our customers e.g., HackerOne Clear. In particular, where you consent, we may use our third party service providers to confirm that your image matches that on the identification documents you provide, and to conduct background checks, and we will notify our customers that you have passed the foregoing checks (we will not share this personal data with our customers, only that we have carried out checks to a certain standard).

We also carry out sanction screening, and report to tax authorities, police enforcement authorities, supervisory authorities where we are not compelled by EU and Member State law but where we have a good faith belief that sharing the information is necessary to comply with applicable law such as OFAC checks. Such processing is undertaken in pursuit of our legitimate interests in seeking to comply with applicable law, detecting and preventing suspected criminal activity, and complying with sanction and similar controls.

Sources & Recipients

We collect this information from you, from public records or other publicly or commercially available sources.

If you are a Community Member and participate in our HackerOne Clear program, you may be contacted by the following service providers:

  • Veriff
  • Checkr

Swag

To award any “swag” where available we may ask for information such as a mailing address, telephone number, and clothing size.

How long we keep it

2 years from initial collection (or longer if we ask for and receive your consent to retain this information to facilitate future swag awards).

We process this information to send you swag, in pursuit of our (and your) legitimate interests in ensuring that members of our community are rewarded for their participation.

Sources 

We collect this information from you.

This may be shared with our partners who help us create our swag:

Recipients include:

  • Canary Marketing
  • Printfection
  • Reachdesk
  • Sticker Mule

Recruitment

We are always looking out for new staff. If you apply to us (or a recruiter) for a role, we will collect the information contained in your resume/CV (information such as where you went to school or previous employment), along with any other relevant information you choose to provide to us.

How long we keep it

7 years from when our relationship with you ends. Or, if you apply for a job and are unsuccessful, for 4 weeks (or up to 12 months if we ask for and receive your consent to retain this information in order to let you know of future opportunities).

We use this information to make decisions about recruitment or appointment, to determine the terms on which staff work for us, and whether you are suitable for the role you are applying for (internally or externally).

Legal basis

Our mutual legitimate interests in ensuring that you are the right candidate for the role, suitably qualified and experienced, and that terms of your prospective engagement meet our mutual expectations and our business objectives.

More Information

More detail about the way we process personal data relating to staff and applicants is included in our Staff Privacy Notice.  If we consider applications further, we will send you a copy of this notice.

Sources 

We collect this information from you or the recruiters involved.

Recipients include:

  • AWS
  • Ashby
  • LinkedIn
  • Dropbox Sign
  • Docusign
  • Slack
  • Calendly

Events

We process the following personal data in relation to events:

  • name;
  • email address;
  • company and job title;
  • website reference.

How long we keep it

2 years from initial collection (or longer if we ask for and receive your consent to retain this information to facilitate future swag awards).

We host events to bring together industry professionals in a casual setting.  We also host live hacking events where top Community Members from all over the globe join to find vulnerabilities on HackerOne customer programs.

We process this information to allow you to register for events, and to provide attendees with details of others attending our events.

Legal basis

We process this personal data in accordance with the terms of our contract with you or to take steps at your request prior to entering into a contract with you.

We also process this personal data to pursue our legitimate interest in ensuring attendees at our events can make the most of them by understanding who else is attending.

Sources & Recipients

We collect this information from you and may share certain details with the organisers of events to the extent necessary to run those events.

Recipients include:

  • Bevy
  • Intercom

Survey Data

(data you provide in response to surveys we undertake from time to time)

How long we keep it

For up to 12 months, but we keep anonymous statistics we generate indefinitely.

To conduct surveys, we may process this personal data to pursue our legitimate interests in gathering data to assess and inform our business objectives and understand the Community Member environment. 

More information

Participation in surveys is always optional. Information provided in surveys, once collected, is anonymized and aggregated for analysis.

Sources & Recipients

We normally collect this data from you.

Recipients include:

  • Survey Monkey
  • Gainsight

Analytics

(data about how you interact with our Services):

  • browser type and version, IP and MAC address, approximate location and time zone, access logs, device type, operating system, & other information provided by browser or device;
  • your user ID and the use you make of our Services, including URLs and content you visit, language preferences, clickstream to, through and from our website, date and time, page response times, errors, length of visits to pages, interaction (such as scrolling, clicks and mouse-overs) data, and methods used to leave our site;
  • error reports generated if there are problems with our Services.

How long we keep it

After 26 months underlying data is deleted, but we may retain aggregated statistics generated from that data which are anonymous indefinitely.

We use software to collect analytics data about users of our Services, to understand how people use them, where they come from, which devices and operating systems they use, and how they interact with our Services, and to help improve and maintain our Services.

We may also use this data to: (a) determine which adverts and Services are likely to be most relevant to you, so we can use our third parties to deliver ads for HackerOne services to you later on websites and those of third parties; and (b) track ad performance (including whether ads are clicked and/or lead to a successful relationship). 

Legal basis

We process analytics data if you have given your consent.

We process advertising data if you have given your consent.

More information

You can find out more about how Google processes analytics data by clicking here.

You can withdraw your consent for Google analytics by using the following link: Google Analytics.

You can find out more about how LinkedIn processes data by clicking here. LinkedIn account holders can opt-out specifically from LinkedIn's use of certain data to show more relevant ads. LinkedIn visitors can do so here.

Sources & Recipients

We use Google analytics and LinkedIn to collect this data.

Other recipients include:

  • HootSuite
  • SproutMedia

Marketing/Messaging

We process the following information about you to send you emails or text messages to let you know about news, content and updates about HackerOne and the Services:

  • Name;
  • Company name, job title; and
  • Contact information (such as email address or phone number)

How long we keep it

For as long as our relationship with you continues.

We process this information to send you promotional and non-promotional material about us and our Services (or to call you about our Services).

Legal basis

Unless we are contacting you as staff of a corporate entity, or where the “soft-opt-in” applies, we process your personal data for marketing with your consent.

If you are staff of a corporate entity, or if we have asked you for consent to send marketing material when negotiating your purchase of services, we may process this data in pursuit of legitimate interests in keeping you informed about our Services through marketing email and/or text messages or calls.

We may send messages to let you know about the status of the HackerOne Platform, changes to our supply chain, privacy and similar policies or other terms, either: (a) where necessary for us to comply with contractual obligations to you; or (b) in pursuit of our respective legitimate interests to ensure you receive prompt notice of important changes.

More Information

To manage your messaging preferences, please visit the Email Subscription Preference Centre at the following link (or if you receive a marketing communication, you can unsubscribe directly using the link in our emails):

Please note that we reserve the right to send you information related to our Service updates, your use of the Services and your account and these transactional communications may remain unaffected even if you opt-out of Marketing.

Sources

We normally collect this information from you.

As part of our business-to-business marketing, we may collect personal data from third party sources to identify individuals who hold relevant job roles in key industries. 

Recipients include:

  • AWS 
  • Intercom
  • Hootsuite
  • Sprout Social


3. MORE INFORMATION

Learning

Beyond uses of personal data described above, we also use information received from and about Community Members and customers (excluding where we rely on consent) and how they use our Services, to understand more about Community Members and customers, and how we can improve our business and Services.

We do this by monitoring how our Services are used, and the content submitted through our Services, along with any feedback received from or about Community Members and customers, and using what we learn to inform our marketing, development, recruitment and business strategy.

We use this information to pursue our legitimate interests, and those of our current or prospective Community Members and customers, in:

  1. understanding skills and experience offered by Community Members and desired by customers so we can refine our marketing, development and recruitment strategies to better meet the demands of the market;
  2. devising new products and improving our Services (by making changes to interfaces, fixing bugs and developing new functionality);
  3. producing and distributing the insights we uncover, such as in reports describing what we learn from statistical and other analysis; 
  4. pointing users to resources which may allow them to make the most out of our Service (for example, if a customer often uses certain features, or a Community Member often accepts certain types of project, then we may be able to flag similar features or jobs which may be of interest).

Enforcement

We may also process the information referred to in this policy where necessary to monitor compliance with, and to enforce, the terms and conditions which govern use of our website and services. We do so in pursuit of our legitimate interests in ensuring that you comply with the terms we have agreed. For example, we may review material which you submit through our website or services, for compliance with the terms, conditions and policies which apply to such submissions.

Retention

Where explicit retention periods are not noted, HackerOne retains personal data for a reasonable time to fulfil processing purposes mentioned herein. Data is then archived for time periods required or necessitated by legal or regulatory considerations. When archival is no longer required, personal data is deleted.

You may choose to disable your HackerOne account at any time. This means your user profile will no longer be visible through the Services. However, for the purposes mentioned herein, we may need to retain information within our internal systems. In addition, public vulnerability reports and associated information that you have submitted will still be available on the Services.

Security

HackerOne uses technical and organizational measures to protect the personal data we store, transmit, or otherwise process, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems.

However, you should keep in mind that the Services are run on software, hardware, and networks, any component of which may, from time to time, require maintenance or experience problems or breaches of security beyond our control. Please also be aware that despite our best efforts to ensure the security of your data, we cannot guarantee that your information will be 100% secure.

Please recognize that protecting your personal data is also your responsibility. We urge you to take every precaution to protect your information when you are on the Internet, such as using a strong password, keeping your password secret, and using two-factor authentication. If you have reason to believe that the security of your account might have been compromised (for example, your password has been leaked), or if you suspect someone else is using your account, please let us know immediately.

Cookies

We (and the third-party service providers working on our behalf) use various technologies to collect personal information. This may include saving cookies to your device, using pixels and similar technologies. For information on what cookies and pixels are, which ones we use, why we use them, and how you can manage their use, please see our Cookies Policy, which provides more information about how and why we or our commercial partners may process certain personal data relating to you, and should be read in conjunction with this privacy policy.

Transfers

If you are located outside the United States and choose to provide personal data to us, we will transfer that data to (or receive it in) the United States and process it there. Your personal data may be transferred outside of your state, province, country, or other jurisdiction, where privacy laws may not be as protective as those in your jurisdiction. If we transfer personal data, we take all reasonable steps to ensure your privacy rights continue to be protected. 

Where required by law (such as under the GDPR) if we transfer personal data to a country which does not provide an adequate level of protection, we implement appropriate safeguards, including standard contractual clauses approved by the competent authorities.  In the case of transfers of data out of the European Union and the United Kingdom (and Gibraltar), we have committed to comply with the EU-U.S. Data Privacy Framework, the UK Extension to the Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. For more information drop us a line using the contact details at the start of this policy.

A copy of our standard Data Processing Agreement which incorporates the standard contractual clauses is available here.

EU-U.S. and Swiss-U.S. Data Privacy Framework and UK Extension

We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  HackerOne Inc. and its affiliates have certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  HackerOne Inc. and its affiliates have certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  HackerOne remains responsible for any of your personal data that is shared under the Onward Transfer Principle with third parties for external processing on our behalf, as described in the “Your Personal Data and How We Use It” section of our Privacy Policy. To learn more about the Data Privacy Framework (DPF) program, and to view HackerOne’s certification, please visit https://www.dataprivacyframework.gov/.

For the purposes of this section, an affiliate is a wholly owned U.S. subsidiary of HackerOne Inc., including the following company that provides services in the U.S.: Pullrequest, LLC.

Complaints & Queries

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, we commit to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact us at: privacy@hackerone.com or the contact details in Section 1 of this policy.

We also commit to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States, the European Union, the United Kingdom, and/or Switzerland (as applicable).  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint.  The services of JAMS are provided at no cost to you.

In respect of human resources data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF in the context of the employment relationship, we commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of such human resources data.

You may have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. For more information about binding arbitration, visit https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

Jurisdiction

The Federal Trade Commission has jurisdiction over HackerOne’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Disclosure

Other than as set out above, we may use or disclose your personal data:

  • Where required by law, government, competent authorities or the courts (including to meet national security or law enforcement requirements); or to establish, exercise or defend our legal rights; or for the purposes of preventing crime and fraud (for example, we may share personal data with our professional advisors, investigators, or credit reference agencies); or to take precautions against liability, protect rights, property or safety of HackerOne, our users, other individuals or the public; to maintain and protect security and integrity of our Services or infrastructure; to protect HackerOne and our Services from fraud, or abusive or unlawful use; or to investigate and defend HackerOne against third-party claims or allegations. 
  • Our policy is to provide notice of disclosures to law enforcement or public authorities, unless prohibited by law or court order (including orders under 18 U.S.C. § 2705(b)).
  • Where customers and Community Members agree submissions should be publicly disclosed, certain information about the submission associated with your profile may be published through our Services.
  • Please note we share aggregated information and non-identifying information with third parties for industry research and analysis, demographic profiling, and other similar purposes. In addition, our Services may contain links to other websites not controlled by us, and these other websites may reference or link to our Services; we encourage you to read the privacy policies applicable to these other websites.
  • With members of our corporate group, our suppliers, and subcontractors, as necessary for the purposes set out in this policy (such suppliers may include payment providers, providers of hosting services, sales and marketing service providers, providers of document and content management tools, providers of analytic data services, and suppliers of other services such as system support, subscription services, verification and ticketing).
  • If involved in an investment, merger, acquisition, or sale of our organisation or assets, personal data we hold may be shared based on the legitimate interests of us, our shareholders, customers and other parties to a transaction, unless those interests are outweighed by prejudicial impacts upon you.


California Privacy Rights Act of 2020 (CPRA)

Pursuant to §§ 1798.110 and 1798.115 of the CPRA the categories of Personal Information we have collected about consumers and disclosed about consumers for a business purpose in the preceding 12 months are:

  • Identifiers such as a real name, alias, postal address, email address, unique personal or online identifier, Internet Protocol address, account name, SSN, driver's license or passport number, or other similar identifiers;
  • Other information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including signature, bank account number, credit card number, debit card number, or any other financial information;
  • Commercial information, including products or services purchased, obtained, or considered; other purchasing or consuming histories or tendencies;
  • Internet or other electronic network activity information, including, browsing history, search history, and information regarding a consumer's interaction with an internet website, or advertisement;
  • Professional or employment-related information; and
  • Inferences drawn from any of the information identified to create a profile about a consumer reflecting the consumer's preferences, intelligence, abilities, and aptitudes (applies only to Community Members who have registered an account and participate in programs and subsequent skill ratings).

Please note that not all of this information is collected or disclosed from all consumers using our Services.

WE DO NOT SELL OR SHARE YOUR PERSONAL INFORMATION FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING.