This Privacy Statement (“Statement”) describes how Intigriti processes personal data of data subjects who access and use Intigriti’s Crowdsourced Security Platform (the “Platform”) as representative of a company or organization using the Intigriti Platform (the “Platform”) to publish bug bounty and vulnerability disclosure programs.
This Statement also describes such client users’ rights and how they can contact us to establish them.
This privacy statement does not describe how Intigriti processes personal data in the context of your use of the website www.intigriti.com. If you would like more information on how we process personal data in that context, please consult the General Privacy Statement on the website.
1. Who are we?
Intigriti NV, a company incorporated and existing under the laws of Belgium with enterprise number 0660.623.646, having its principal office at Klokstraat 16, 2600 Antwerp, Belgium.
2. How we process your personal data and why?
Activity | Personal data Processed | Purpose | Legal basis |
Identification and settings |
| We use this information to identify you and the company you represent, in the context of your use of the platform, and to manage your platform access and settings. | Legitimate interest (the operation of our platform and performance of our services). |
Contacting client users |
| We use this information to contact you in connection with your use of the platform (for example to inform you of a new submission). | Legitimate interest (the operation of our platform and performance of our services) |
Audit trail - Login activity |
| We use this information to manage the secure access to our platform. | Legitimate interest (security and access management) |
Audit trail - Events |
We will for example keep an audit trail with regards to the go-live of a (bug bounty) program, amendments made to a program, confirmation of submissions and bounty payments, approvals and permissions, communications made to or by you, changes to settings, etc.). | We use this information to follow-up on submissions and keep track of actions with a legal effect.
| Legitimate interest (the operation of our platform, performance of our services and demonstrating legal events) |
3. How long do we process your personal data?
We will store and process your personal data for as long as necessary for the purposes of the above processing. If there is no need to continue processing your data, we will permanently destroy or delete the data from our systems, or anonymise so you are no longer identifiable.
Activity | Retention time |
Identification and settings | We will preserve this information for as long as you are registered as a client user on our platform and for a period of up to six (6) months thereafter. |
Contacting client users | We will preserve this information for as long as you are registered as a client user on our platform and for a period of up to six (6) months thereafter. |
Audit trail - Login activity | We will preserve this information during the period relevant for legal action (currently 10 years). |
Audit trail - Events | We will preserve this information for as long as it is relevant for the performance of our agreement with the company you represent and thereafter during the period relevant for legal action (currently 10 years). |
4. To whom do we disclose your personal data?
Within our organization, your information is shared on a need-to-know basis. Moreover, we may disclose your personal data to the following recipients:
To the company you represent on our Platform.
To researchers, in connection with their submissions and communications made to the company you represent.
To our affiliated companies, hosting providers or other services providers, where useful in connection with the services or support they provide to us. These parties process your personal data in accordance with our instructions thereto.
To our professional advisors, such as lawyers, accountants and bailiffs, to the extent necessary for their activities.
If the company you represent integrates third-party services with our platform, we may share your personal data with such third parties, in accordance with your company’s instructions thereto.
5. Which rights do you have in relation to your personal data?
In accordance with the provisions of the GDPR, you have several rights regarding your personal data that we process. Please note that the exercise of your rights may be subject to additional legal conditions. To exercise any of your rights, please send us a written request, using the contact details below.
Right to information and right of access
You have the right to confirmation as to whether or not we process your personal data and, in the event we do so, to access such personal data and receive a copy thereof, as long as this does not adversely affect the rights and freedoms of others. This service is usually free of charge, although we have the right to charge a ‘reasonable fee’ in some circumstances.
Right to rectification
You have the right to request that we rectify any inaccuracies in relation to the personal data we hold about you. Have you noticed an error in the information we hold? Please let us know using the contact details below.
Right to erasure ("right to be forgotten")
In some circumstances, you have the right to request the erasure of your Personal Data or object to the further processing of your information.
We will comply with your request in the following situations:
If your personal data is solely processed based upon your consent.
If you object to the processing on grounds relating to your particular situation and there are no overriding legitimate grounds for processing.
If you object to the processing of your data for direct marketing purposes.
If we have processed your personal data unlawfully.
If the personal data must be deleted to comply with a legal obligation to which we are subject.
There are certain exclusions to the right to erasure. Those exclusions include the situation where processing is necessary:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation; or
for the establishment, exercise or defense of legal claims.
Right to restriction of processing
You have the right to restrict the processing of your personal data if:
You contest the accuracy of the personal data (and only for as long as it takes to verify that accuracy);
The processing is unlawful and you request restriction (as opposed to exercising the right to erasure);
We no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defense of legal claims; or
You have objected to processing, pending the verification of that objection.
Once you have exercised your right to restrict the processing of your personal data, we may still process it:
with your consent;
for the establishment, exercise or defense of legal claims;
for the protection of the rights of another natural or legal person; or
for reasons of important public interest.
Right to object to processing
Where we process your personal data based on legitimate interests, you have the right to object to the processing of your personal data on grounds relating to your particular situation. You also have the right to object to the use of your personal data for direct marketing purposes. In this case, no specific reason is required.
Right to data portability
To the extent that the legal basis for our processing of your personal data is consent, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format.
However, this right does not apply where it would adversely affect the rights and freedoms of others. You also have the right to have your personal data transferred directly to another company, if this is technically possible, and/or to store your personal data for further personal use on a private device.
Right to withdraw your consent
If the processing is based on your consent, you have the right to withdraw this consent for the future.
Automated decision-making and profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning your, or similarly significantly affects you.
6. How can you exercise your rights?
Contact us
In order to exercise your rights contact us per email via: privacy@intigriti.com. We may ask you some relevant questions allowing us to ensure that you are the person you claim to be.
Complaints
You have the right to lodge a complaint with the Belgian Data Protection Authority. However, we would appreciate the chance to deal with your concerns before you approach our supervisory authority ask you to contact us in the first instance.
You can lodge a complaint with the Belgian Data Protection Authority by written mail to:
Data Protection Authority
Rue du Printing 35
1000 Brussels
Tel. +32 (0)2 274 48 00 - Fax +32 (0)2 274 48 35,
Or by email via: contact@apd-gba.be
This is without prejudice to the possibility of taking legal action before the civil courts. If you have suffered damage as a result of the processing of your personal data, you can submit a claim for compensation.
7. International data transfers
Subject to your permission or as permitted by law, the personal data that you provide us with may be transferred outside the EEA, in order to consolidate data storage or to simplify our business management. We have adopted globally recognized privacy principles and only collect and/or transmit your personal data to the extent it is necessary to conduct business and perform requested services.
In cases where personal data is transferred to countries that are not recognized by the European Commission as offering an adequate level of personal data protection, such transfers are covered by standard contractual clauses adopted by the European Commission. If applicable to you, you may obtain copies of such safeguards by contacting us.
8. Amendments to this client users Privacy Statement
This Statement may be updated from time to time, to reflect changes in our practices, and technologies, and/or to remain consistent with the applicable data protection and privacy laws and principles, and other legal requirements.
If we make any material updates, we will provide you with a prior notice by email or on the platform.
This is version V2 (2023) of the Privacy Statement