HackerOne Privacy Policy
Effective as of December 30, 2022, HackerOne Inc. and its affiliates (collectively, "HackerOne", "we", "us", or "our") have updated our Privacy Policy.
1. Introduction
Who are we?
HackerOne Inc. is a company incorporated in Delaware at 548 Market Street, PMB 24734, San Francisco, CA 94104, USA; HackerOne B.V. is a company incorporated and registered in the Netherlands under company number 58601325 with its offices at Griffeweg 97/4, 9723 DV Groningen, The Netherlands; and HackerOne UK Limited, company registration 14123945, has its offices at 3 Valentine Place, London, UK, SE1 8QH. These entities (together, “HackerOne”, “we”, “us” or “our”) may decide the means and purpose of processing personal data, in which case they are a “controller” of that data.
What’s this policy about?
HackerOne is an industry leader in hacker-powered security. HackerOne partners with the global security researcher community, which may be referred to as hackers or Finders, or you (we will use the term “Finder(s)” in this policy), to provide businesses with access to top talent Finders who identify and surface relevant security issues in a business's products or services.
HackerOne operates a bug bounty & vulnerability disclosure software-as-a-service platform known as the HackerOne Platform, the website located at hackerone.com and related domains and subdomains, and related services, including live hacking events, marketing, and customer service and ancillary support services (collectively referred to as "Services").
This policy explains how we process your personal data as a data controller when you use, or contact us about, our Services.
What about changes?
We update this policy from time to time so please check back in. If we make significant changes, we may notify you by email (sent to the email address specified in your HackerOne account), by means of a notice on our Services prior to the change becoming effective, or as otherwise required by law. In certain cases, we may also seek your consent to further use of your Personal Information where this is required.
Minors (children)
We welcome all Finders to register an account, participate in our programs, and submit reports. We believe skilled Finders are not determined by age. However, applicable laws may restrict our ability to collect personal information from minors unless we have first obtained the consent of the minor's parent or guardian.
If you are under 18 and want to submit a vulnerability report to us, please ask your parent or guardian to submit it for you. Please note rewards/payments are only available to adults that have read and accepted our Finder Terms and Conditions.
HackerOne does not otherwise knowingly collect Personal Information of minors, and the Services are not directed to minors. If we become aware that we have collected personal information from a minor in conflict with applicable law, we will delete that information or obtain the requisite consent from the minor's parent or guardian.
How do you contact us? (if you have questions about this policy or to exercise your rights)
Attn: Privacy Team
HackerOne Inc.
548 Market Street,
PMB 24734,
San Francisco, CA 9410
United States of America
Or our EU representative:
Attn: Privacy Team
HackerOne B.V.
Griffeweg 97/4
9723 DV Groningen
Netherlands
Attn: Privacy Team
HackerOne UK Limited
4th Floor, St. James House, St. James Square
Cheltenham
GL50 3PR
England
Toll-free phone (USA): +1 (855) 242-8699
(Timeline of response) – 30 days
We try to respond to legitimate requests as soon as reasonably possible and within 30 days of your request. Occasionally, it takes us longer. In such circumstances we will notify you of the delay, give you a reason for that delay, and continue to update you regarding the progress of our response.
If we can’t resolve your issue, you can also get in touch with the regulator. In the UK this is the ICO: https://ico.org.uk/concerns. In the Netherlands, the AP: https://autoriteitpersoonsgegevens.nl/.
(If you live in another European country, you can submit a complaint to the supervisory authority in your country).
What are your rights?
You have the following rights in respect of personal data, although these rights may be limited in some circumstances:
- Ask us to send a copy of your data to you or someone else
- Ask us to restrict, stop processing, or delete your data
- Object to our processing of your data
- Object to use of your personal data for direct marketing
- Ask us to correct inaccuracies
If we rely on consent to process data, or send direct marketing, you can withdraw consent by sending an email to privacy@hackerone.com.
The California Privacy Rights Act (“CPRA”) may also apply to California residents and households. These rights include the right to: (i) know what Personal Information is being collected about them, (ii) know whether their personal information is sold or shared and to whom, (iii) opt out of the sale or sharing of Personal Information, (iv) access their personal information, and (v) equal service and price, even if they exercise their privacy rights.
2. Your Personal Data and How We Use It
Enquiry data
(information we receive when you get in touch) including:
- Name
- Contact details (such as email address and phone number)
- Other personal data you send to us as part of enquiries.
How long we keep it
7 years from when our relationship with you ends.
How we use it
We process this information to respond to your support and other enquiries.
Legal basis
We may process this data in accordance with the terms of our contract with you (where we need this information to provide Services to you) or to take steps at your request prior to entering a contract.
We also use this to pursue our legitimate interests, including: (a) our interest in responding to enquiries to ensure smooth operation of our business and services; and (b) to understand Finders and customers and improve our Services by taking your feedback on board.
More information
You may be required to provide us with certain information for us to respond to your enquiries.
Sources and recipients
Sources
We collect this information from you with your consent when you send it to us.
Recipients include:
- AWS
- InterCom
- Componentlab
- Box
- SalesForce
Account Data
We process the following personal data relating to Finders or customers:
- your username, password, email address;
- your profile name;
- if you choose, your name, social media and other third-party affiliations, profile picture and any other information you include in “About me” or “Intro” fields;
- telephone number (if used for two-factor authentication);
- language and location (IP location); and
- the use you make of our Services and the content you provide while doing so.
How long we keep it
7 years from when our relationship with you ends.
How we use it
We process this information in order to enable you to register for, log into, access, use, and pay for our Services, and to enforce our terms.
Legal basis
We process this personal data in accordance with the terms of our contract with you (where we need this information to provide Services to you) or to take steps at your request prior to entering into a contract.
We also process your profile data (excluding details which you specify as non-public) by making it available through our Services to third parties so they can find you and review your profile. Your profile will also be linked to any reports and other content you submit publicly through the Services, or privately through our program. We do this in pursuit of the legitimate interests of us, Finders and customers, in making it easy to find and connect with relevant Finders and other users through our Services.
More information
You may be required to provide us with certain information to make full use of our Services.
Sources and recipients
Sources
We collect this information from you.
Recipients include:
- AWS
- FiveTran
- Snowflake
- Sumologic
- Tray.IO
- Slack
- Intercom
- SalesForce
Payment Data
We process this data for payments to Finders or to receive customers' payments:
- payment information (such as account or card information, address, and other information necessary to transfer funds, for example Coinbase or PayPal account information);
- amounts due or paid, and associated transaction details; and
- your Vetting Data.
How long we keep it
7 years from when our relationship with you ends.
How we use it
We process this information to collect, facilitate, make and record payments.
Legal basis
We process this personal data in accordance with the terms of our contract with you or to take steps at your request prior to entering a contract with you.
We also process this personal data to comply with applicable laws, such as anti-money laundering, sanctions and export control. For example, we process Personal Data for our own know-your-user (“KYX”) requirements, to prevent, detect and investigate money laundering, terrorist financing and fraud.
We also carry out sanctions screening and report to tax authorities, police and law enforcement authorities, and supervisory authorities where we are not compelled by EU and Member State law but have a good-faith belief that sharing the information is necessary to comply with applicable law (such as OFAC checks). Such processing is undertaken in pursuit of our legitimate interests in seeking to comply with applicable law, detecting and preventing suspected criminal activity, and complying with sanctions and similar controls.
We also process this personal data in pursuit of our legitimate interests in complying with rules imposed by payment services providers.
Sources and recipients
Sources
Unless otherwise indicated, we collect this information from you with your consent.
Recipients include:
- AWS
- Stripe
- Currency Cloud
- Paypal
- Coinbase
Vetting Data
Where applicable, we process the following personal data relating to Finders:
- your Account Data;
- date of birth, nationality, current and previous addresses; and
- social security (or tax identification) number.
How long we keep it
7 years from when our relationship with you ends.
How we use it
We process this information to undertake fraud, background, and similar checks.
Legal basis
We process this data in accordance with the terms of our contracts with Finders and customers.
We also process this personal data to pursue legitimate interests (being our interests and those of our customers and the public, in detecting and preventing fraud or money laundering).
With your consent, we may also process this personal data to provide Services to our customers e.g., HackerOne Clear. In particular, where you consent, we may use our third party service providers to confirm that your image matches that on the identification documents you provide, and to conduct background checks, and we will notify our customers that you have passed the foregoing checks (we will not share this personal data with our customers, only that we have carried out checks to a certain standard).
We also carry out sanctions screening and report to tax authorities, police and law enforcement authorities, and supervisory authorities where we are not compelled by EU and Member State law but have a good-faith belief that sharing the information is necessary to comply with applicable law (such as OFAC checks). Such processing is undertaken in pursuit of our legitimate interests in seeking to comply with applicable law, detecting and preventing suspected criminal activity, and complying with sanctions and similar controls.
Sources & Recipients
We collect this information from you, from public records or other publicly or commercially available sources.
If you are a Finder and participate in our HackerOne Clear program, you may be contacted by the following service providers:
- First Advantage
- Berbix
Swag
To award any “swag” where available we may ask for information such as a mailing address, telephone number, and clothing size.
How we use it
We process this information to send you swag, in pursuit of our (and your) legitimate interests in ensuring that members of our community are rewarded for their participation.
Sources & Recipients
Sources
We collect this information from you.
This may be shared with our partners who help us create our swag. Recipients include:
- AWS
- Prinfection
Recruitment
We are always looking out for new staff. If you apply to us (or a recruiter) for a role, we will collect the information contained in your resume/CV (information such as where you went to school or previous employment), along with any other relevant information you choose to provide to us.
How long we keep it
7 years from when our relationship with you ends, or, if you apply for a job and are unsuccessful, 4 weeks (or up to 12 months if we ask for and receive your consent to retain this information in order to let you know of future opportunities).
How we use it
We use this information to make decisions about recruitment or appointment, to determine the terms on which staff work for us, and to assess whether you are suitable for the role you are applying for (internally or externally).
Legal basis
Our mutual legitimate interests in ensuring that you are the right candidate for the role, suitably qualified and experienced, and that the terms of your prospective engagement meet our mutual expectations and our business objectives.
More Information
More detail about the way we process personal data relating to staff and applicants is included in our Staff Privacy Notice. If we consider applications further, we will send you a copy of this notice.
Sources & Recipients
Sources
We collect this information from you or the recruiters involved.
Recipients include:
- AWS
- Lever
- Docusign
- HelloSign
- Slack
- Calendly
Events
We process the following personal data in relation to events:
- name;
- email address;
- company and job title;
- website reference.
How we use it
We host events to bring together industry professionals in a casual setting. We also host live hacking events where top Finders from all over the globe join to find vulnerabilities on HackerOne customer programs.
We process this information to allow you to register for events, and to provide attendees with details of others attending our events.
Legal basis
We process this personal data in accordance with the terms of our contract with you or to take steps at your request prior to entering into a contract with you.
Sources & Recipients
We collect this information from you and may share certain details with the organisers of events to the extent necessary to run those events.
Survey Data
(data you provide in response to surveys we undertake from time to time)
How long we keep it
For up to 12 months, but we keep anonymous statistics we generate indefinitely.
How we use it
To conduct surveys, we may process this personal data to pursue our legitimate interests in gathering data to assess and inform our business objectives and understand the Finder community.
More information
Participation in surveys is always optional. Information provided in surveys, once collected, is anonymized and aggregated for analysis.
Sources & Recipients
Sources
We normally collect this data from you.
Recipients include:
- Survey Monkey
Analytics
(data about how you interact with our Services):
- browser type and version, IP and MAC address, approximate location and time zone, access logs, device type, operating system, & other information provided by browser or device;
- your user ID and the use you make of our Services, including URLs and content you visit, language preferences, clickstream to, through and from our website, date and time, page response times, errors, length of visits to pages, interaction (such as scrolling, clicks and mouse-overs) data, and methods used to leave our site;
- error reports generated if there are problems with our Services.
How long we keep it
After 26 months underlying data is deleted, but we may retain aggregated statistics generated from that data which are anonymous.
How we use it
We use software to collect analytics data about users of our Services, to understand how people use them, where they come from, which devices and operating systems they use, and how they interact with our Services, and to help improve and maintain our Services.
We may also use this data to: (a) determine which adverts and Services are likely to be most relevant to you, so we can use our third parties to deliver ads for HackerOne services to you later on websites and those of third parties; and (b) track ad performance (including whether ads are clicked and/or lead to a successful relationship).
Legal basis
We process analytics data if you have given your consent.
We process advertising data if you have given your consent.
More information
You can find out more about how Google processes analytics data by clicking here.
You can withdraw your consent for Google analytics by using the following link: Google Analytics.
You can find out more about how LinkedIn processes data by clicking here. LinkedIn account holders can opt-out specifically from LinkedIn's use of certain data to show more relevant ads. LinkedIn visitors can do so here.
Sources & Recipients
Sources
We use Google analytics and LinkedIn to collect this data.
Other recipients include:
- HootSuite
- SproutMedia
Marketing/Messaging
We process the following information about you to send you emails or text messages to let you know about news, content and updates about HackerOne and the Services:
- Name
- Company name, job title
- Contact information (such as email address or phone number)
How we use it
We process this information to send you promotional and non-promotional material about us and our Services (or to call you about our Services).
Legal basis
Unless we are contacting you as staff of a corporate entity, or where the “soft-opt-in” applies, we process your personal data for marketing with your consent.
If you are staff of a corporate entity, or if we have asked you for consent to send marketing material when negotiating your purchase of services, we may process this data in pursuit of legitimate interests in keeping you informed about our Services through marketing email and/or text messages or calls.
We may send messages to let you know about the status of the HackerOne Platform, changes to our supply chain, privacy and similar policies or other terms, either: (a) where necessary for us to comply with contractual obligations to you; or (b) in pursuit of our respective legitimate interests to ensure you receive prompt notice of important changes.
More Information
To manage your messaging preferences, please visit the Email Subscription Preference Centre at the following link (or if you receive a marketing communication, you can unsubscribe directly using the link in our emails):
Please note that we reserve the right to send you information related to our Service updates, your use of the Services and your account and these transactional communications may remain unaffected even if you opt-out of Marketing.
Sources & Recipients
Sources
We normally collect this information from you.
As part of our business-to-business marketing, we may collect personal data from third party sources to identify individuals who hold relevant job roles in key industries.
Recipients include:
- AWS
- Intercom
- Hootsuite
- Sprout Social
3. More Information
Learning
Beyond uses of personal data described above, we also use information received from and about Finders and customers (excluding where we rely on consent) and how they use our Services, to understand more about Finders and customers, and how we can improve our business and Services.
We do this by monitoring how our Services are used, and the content submitted through our Services, along with any feedback received from or about Finders and customers, and using what we learn to inform our marketing, development, recruitment and business strategy.
We use this information to pursue our legitimate interests, and those of our current or prospective Finders and customers, in:
- understanding skills and experience offered by Finders and desired by customers so we can refine our marketing, development and recruitment strategies to better meet the demands of the market;
- devising new products and improving our Services (by making changes to interfaces, fixing bugs and developing new functionality);
- producing and distributing the insights we uncover, such as in reports describing what we learn from statistical and other analysis;
- pointing users to resources which may allow them to make the most out of our Service (for example, if a customer often uses certain features, or a Finder often accepts certain types of project, then we may be able to flag similar features or jobs which may be of interest).
Enforcement
We may also process the information referred to in this policy where necessary to monitor compliance with, and to enforce, the terms and conditions which govern use of our website and services. We do so in pursuit of our legitimate interests in ensuring that you comply with the terms we have agreed. For example, we may review material which you submit through our website or services, for compliance with the terms, conditions and policies which apply to such submissions.
Retention
Where explicit retention periods are not noted, HackerOne retains personal data for a reasonable time to fulfil processing purposes mentioned herein. Data is then archived for time periods required or necessitated by legal or regulatory considerations. When archival is no longer required, personal data is deleted.
You may choose to disable your HackerOne account at any time. This means your user profile will no longer be visible through the Services. However, for the purposes mentioned herein, we may need to retain information within our internal systems. In addition, public vulnerability reports and associated information that you have submitted will still be available on the Services.
Security
HackerOne uses technical and organizational measures to protect the personal data we store, transmit, or otherwise process, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems.
However, you should keep in mind that the Services are run on software, hardware, and networks, any component of which may, from time to time, require maintenance or experience problems or breaches of security beyond our control. Please also be aware that despite our best efforts to ensure the security of your data, we cannot guarantee that your information will be 100% secure.
Please recognize that protecting your personal data is also your responsibility. We urge you to take every precaution to protect your information when you are on the Internet, such as using a strong password, keeping your password secret, and using two-factor authentication. If you have reason to believe that the security of your account might have been compromised (for example, your password has been leaked), or if you suspect someone else is using your account, please let us know immediately.
Cookies
We (and the third-party service providers working on our behalf) use various technologies to collect personal information. This may include saving cookies to your device, using pixels and similar technologies. For information on what cookies and pixels are, which ones we use, why we use them, and how you can manage their use, please see our Cookies Policy, which provides more information about how and why we or our commercial partners may process certain personal data relating to you, and should be read in conjunction with this privacy policy.
Transfers
If you are located outside the United States and choose to provide personal data to us, we will transfer that data to (or receive it in) the United States and process it there. Your personal data may be transferred outside of your state, province, country, or other jurisdiction, where privacy laws may not be as protective as those in your jurisdiction. If we transfer personal data, we take all reasonable steps to ensure your privacy rights continue to be protected.
Where required by law (such as under the GDPR) if we transfer personal data to a country which does not provide an adequate level of protection, we implement appropriate safeguards, including standard contractual clauses approved by the competent authorities. For more information drop us a line using the contact details at the start of this policy.
A copy of our standard Data Processing Agreement which incorporates the standard contractual clauses is available here.
Disclosure
Other than as set out above, we may use or disclose your personal data:
- Where required by law, government, competent authorities or the courts; or to establish, exercise or defend our legal rights; or for the purposes of preventing crime and fraud (for example, we may share personal data with our professional advisors, investigators, or credit reference agencies); or to take precautions against liability, protect rights, property or safety of HackerOne, our users, other individuals or the public; to maintain and protect security and integrity of our Services or infrastructure; to protect HackerOne and our Services from fraud, or abusive or unlawful use; or to investigate and defend HackerOne against third-party claims or allegations.
- Our policy is to provide notice of disclosures to law enforcement or public authorities, unless prohibited by law or court order (including orders under 18 U.S.C. § 2705(b)).
- Where customers and Finders agree submissions should be publicly disclosed, certain information about the submission associated with your profile may be published through our Services.
- Please note we share aggregated information and non-identifying information with third parties for industry research and analysis, demographic profiling, and other similar purposes. In addition, our Services may contain links to other websites not controlled by us, and these other websites may reference or link to our Services; we encourage you to read the privacy policies applicable to these other websites.
- With members of our corporate group, our suppliers, and subcontractors, as necessary for the purposes set out in this policy (such suppliers may include payment providers, providers of hosting services, sales and marketing service providers, providers of document and content management tools, providers of analytic data services, and suppliers of other services such as system support, subscription services, verification and ticketing).
- If involved in an investment, merger, acquisition, or sale of our organisation or assets, personal data we hold may be shared based on the legitimate interests of us, our shareholders, customers and other parties to a transaction, unless those interests are outweighed by prejudicial impacts upon you.
California Privacy Rights Act of 2020 (CPRA)
Pursuant to §§ 1798.110 and 1798.115 of the CPRA the categories of Personal Information we have collected about consumers and disclosed about consumers for a business purpose in the preceding 12 months are:
- Identifiers such as a real name, alias, postal address, email address, unique personal or online identifier, Internet Protocol address, account name, SSN, driver's license or passport number, or other similar identifiers;
- Other information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including signature, bank account number, credit card number, debit card number, or any other financial information;
- Commercial information, including products or services purchased, obtained, or considered; other purchasing or consuming histories or tendencies;
- Internet or other electronic network activity information, including, browsing history, search history, and information regarding a consumer's interaction with an internet website, or advertisement;
- Professional or employment-related information; and
- Inferences drawn from any of the information identified to create a profile about a consumer reflecting the consumer's preferences, intelligence, abilities, and aptitudes (applies only to Finders who have registered an account and participate in programs and subsequent skill ratings).
Please note that not all of this information is collected or disclosed from all consumers using our Services.
WE DO NOT SELL OR SHARE YOUR PERSONAL INFORMATION FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING