HackerOne Privacy Policy

Last Updated: June 14, 2016

HackerOne strives to be a safe and transparent environment its users.

We want to make sure you, as a Customer or Finder, understand what information we collect from you and why. We also want you to know about our information use practices so that you can make good decisions about how you use HackerOne. This Privacy Policy explains what information we collect from and about you (collectively, "Your Information") and what we do with it.

Please read this Privacy Policy carefully. Remember that your use of our Services and all interactions you have with the HackerOne website are subject to the General Terms and Conditions located at https://hackerone.com/terms/general, which incorporates this Privacy Policy. This Privacy Policy covers our treatment of Your Information, but does not apply to the practices of companies we don't own or control, or people that we don't manage. If you have concerns about our data collection and use practices, as explained below, please do not use HackerOne.

Some capitalized terms used in this Privacy Policy are defined in the General Terms and Conditions.

1. The Information We Collect

We collect some information from you when you create an account so that you can use the Services.

We also collect some information to make sure HackerOne works properly and to improve user experience. This may include using Your Information for analytical purposes.

Below is a more detailed explanation of the information we collect and use.

1.1. Information We Collect Directly From You

Whether or are a Customer or a Finder, when you create an account with HackerOne, you are required to provide us with profile information, including your name, company name (if applicable), username, password and email address. HackerOne stores this information to help identify you when you log in and help you communicate with other users.

Once you've registered with HackerOne, you create a user profile where you post information to help you communicate with other HackerOne users. Your profile information includes your name, company name (if applicable), username, and user identification number. You can also choose to add additional profile information, including a profile picture, your city and state, mobile phone, and any other information you like in the "About" field. We may display your profile information on our site, so that other users of HackerOne and visitors to our web site will be able to see that profile information.

If you are a Customer, in addition to your profile information, you may provide us with financial information, including your credit card or debit card information, or your banking information, in order to assist us in awarding Bounties, collecting Bounty Deposits or collecting HackerOne Fees.

If you are a Finder, in addition to your profile information, you may provide us with other personally identifying information, including your mailing address, your social security number (or tax identification number), and/or your banking or PayPal information in order to allow us to pay you monetary Bounty awards from Customers. If you are Finder and you prefer, your name may be a pseudonym instead of a legal name.

In addition to personal information, we collect any Vulnerability Reports and content that you submit, post, or display on the Services.

1.2. Information We Automatically Collect

We receive some information automatically when you visit HackerOne. This includes information about the device, browser and operating system you use when accessing our site and Services, your IP address, the website that referred you to HackerOne, which pages you request and visit, and the date and time of each request you make to HackerOne. If you visit HackerOne when you are logged into your account, we also collect the user identification number we assign you when you open your account.

We retain access logs for 180 days, and then delete them.

1.3. Cookie Policy

When you log in to your account, HackerOne will place a cookie for the purpose of creating the session and knowing when you're logged in. The cookie contains an encrypted user identifier.

HackerOne sometimes partners with third-party services which may use various tracking technologies to provide certain services or features, including targeted online marketing. These technologies allow a partner to recognize your computer or mobile device each time you visit HackerOne, but do not allow access to Your Information from HackerOne. For a list of current partners, please contact us at support@hackerone.com.

Most browsers include an option to clear existing cookies or reject new ones. If you prefer not to use any cookies, you can also opt out in some browsers by turning on "Do Not Track" or visit https://www.aboutads.info/choices to opt out directly. However, if you reject new cookies, portions of HackerOne will not function as intended. We currently do not support Do Not Track browser settings.

2. How We Use or Disclose Your Information

We may use Your Information when needed to keep the site and Services running and prevent abuse. Your Information is used internally only where necessary to provide our Services. In addition, if we employ other companies and people to perform tasks on our behalf, we may share Your Information with them as needed to provide the Services to you. Unless we tell you differently, our agents do not have any right to use any personal information we share with them beyond what is necessary to assist us.

Except as otherwise described in this Privacy Policy, we will only share Your Information (including Vulnerability Reports) with your consent, and after letting you know what information will be shared and with whom. We do not sell Your Information to any third party.

When you enter into a financial transaction related to our Services (to pay us or to be paid by us), we may, directly or through a third-party payment services provider, collect the financial information about you described above, all of which will be treated as Your Information for purposes of this Privacy Policy. We will use this information solely in connection with the financial transaction and will not share this information with third parties, except to the extent necessary to complete the financial transaction or comply with applicable law.

For Finders who participate in certain Programs of particular Customers, to the extent described in the Program Policies, HackerOne may share contact information about those Finders (name, company name (if applicable) and email address) to allow those Customers to contact those Finders to allow them to interact directly.

We may share aggregated information and non-identifying information with third parties for industry research and analysis, demographic profiling and other similar purposes.

Information that we collect from all of our users, including Your Information, is considered to be a business asset. Thus, if we are acquired by a third party as a result of a transaction such as a merger, acquisition or asset sale, or if our assets are acquired by a third party in the event that we go out of business or enter bankruptcy, some or all of our assets, including Your Information, may be disclosed or transferred to a third party acquirer in connection with the transaction.

We will cooperate with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose Your Information to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate: (i) to comply with law, regulation or valid legal process (including orders and subpoenas); or (ii) to protect our property, rights and safety and the property, rights and safety of a third party or the public in general. If we are going to release Your Information, our policy is to provide you with notice unless we are prohibited from doing so by law or court order (including orders under 18 U.S.C. § 2705(b)).

3. Account Disabling

You may choose to disable your HackerOne account at any time. This means your user profile will no longer be visible on our site and Services. However, public reports and associated information that you've submitted will still be available on HackerOne. For this reason, users can't entirely delete their accounts.

4. Data Security

HackerOne will use reasonable efforts to secure information submitted to us by our users. We use encryption (HTTPS/TLS) to protect data transmitted to and from our site. However, no data transmission over the internet is completely secure, so we cannot guarantee the absolute security of this data. You use the Services at your own risk, and are responsible for taking reasonable measures to secure your account (such as keeping your password secret).

5. Children Under 13

We welcome minors to submit reports to HackerOne. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13.

HackerOne is not directed to people 12 and younger. If you are under 13 and want to submit a report to us, please ask your parent or guardian to submit it for you. If we become aware that we have collected personal information from a child under 13, we will delete that information.

6. International Transfer

Your Information may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide Your Information to us, we may transfer Your Information to the United States and process it there.

7. User's California Privacy Rights

If you are a California resident, you may request and obtain from us, once a year, free of charge, a list of third parties, if any, to which we disclosed your Information for direct marketing purposes during the preceding calendar year and the categories of Your Information shared with those third parties. If you are a California resident and wish to obtain that information, please submit a request by sending us an email at privacy@hackerone.com with "California Privacy Rights" in the subject line or by writing to us at HackerOne, 535 Mission St., Suite 1416, San Francisco, CA 94105.

8. Changes to This Privacy Policy

We may revise this Privacy Policy from time to time. The most current version of the Privacy Policy will govern our use of your information and will always be at https://hackerone.com/privacy. If we make changes that we believe will substantially alter your rights, we will prominently display a notice on our site 7 days before we make those changes.

Contact

HackerOne welcomes questions, concerns, and feedback about this Privacy Policy. If you have suggestions for us, feel free to let us know at support@hackerone.com.