1. INTRODUCTION
This Privacy Statement describes how INTIGRITI processes personal data of the users that access and use our bug bounty platform, on behalf of a company with whom Intigriti has a services agreement.
Who are we?
Intigriti NV, a company incorporated and existing under the laws of Belgium with enterprise number 0660.623.646, having its principal office at Borsbeeksebrug 34/1, 2600 Antwerp, Belgium.
The current privacy statement sets out which personal data we may process, how we may use it, with whom we may share it, and which rights you may have in this context. The content of the current document may not be construed or interpreted as an obligation for us to process or preserve certain information. Moreover, we may decide not to process certain data about you and/or to delete any of your personal data prior to the completion of processing term that is indicated below.
If you have any questions or remarks on how we process your personal data, please reach out to our privacy team at: privacy@intigriti.com .
2. HOW WE USE AND COLLECT YOUR PERSONAL DATA (GDPR)
We collect the following personal data based upon legitimate interests.
Categories of Personal Data
| Data details | Purpose of the processing
|
Identity information |
| When your company launches a program, the program is represented by a client contact. This contact is provided a login in order to follow up on the submitted program. This information allows us to identify you as a company user. |
Platform event information – login activity
|
| In order to monitor and secure our platform we keep an audit trail of the activity on the platform. This way we can demonstrate that unauthorized access was not granted to the platform and to the submitted program.
|
Platform event information – change activity
|
| In order to monitor and secure our platform we keep an audit trail of the activity on the platform. This way we can keep track of events that occurred on the platform, for example setting up bug bounty programs, pausing or terminating programs, confirming submissions and bounties, etc.
|
3. HOW LONG DO WE PROCESS YOUR PERSONAL DATA?
We will store and process your personal data for as long as necessary for the purposes of the above processing. If there is no need to continue processing your data, we will permanently destroy or delete the data from our systems, or anonymise so you are no longer identifiable.
Activity | Processing Term |
User data | The personal information will be removed when you ask to delete your account |
Platform event information | The time relevant for undertaking legal action (10 years) |
4. WHO DO WE SHARE YOUR DATE WITH
Notwithstanding the Intigriti entity you have contracted with, all data described herein is shared with and processed by our Belgian entity, detailed at the beginning of this document, who will process your personal data in accordance with the current Privacy Statement.
We may share your data with the company you represent on the platform
We may share your data in connection with event logs that took place with researchers involved
We may share your data with our affiliated companies as needed for our service provision
We may share your personal data with third party systems connected with the platform and used on the client's initiative
5. WHICH RIGHTS DO YOU HAVE IN RELATION TO YOUR PERSONAL DATA
In accordance with the provisions of the GDPR, you have several rights with regard to the personal data that we process about you. We try to explain your rights here in a simplified way here. Please note that the exercise of your rights may be subject to additional legal conditions.
Right to information and right of access
You have the right to obtain information from us about the processing of your personal data. You have the right to be informed about whether or not we are processing personal data about you and, if so, to have access to that personal data and to any additional information about the processing that we are carrying out.
Right to rectification
If the information we hold about you is inaccurate, you have the right to have that data rectified without undue delay. Have you noticed an error in the information we hold? Please let us know using the contact details below.
Right to erasure ("right to be forgotten")
You have the right to ask us to erase your personal data. We are obliged to comply with this request in each of the following situations:
If we no longer need the data for the purposes for which it was collected or otherwise processed.
If the data is processed on the basis of consent, you withdraw your consent, and there is no other legal basis for the processing.
If you object to the processing on grounds relating to your particular situation and there are no overriding legitimate grounds for processing.
If you object to the processing of your data for direct marketing purposes.
If we have processed your personal data unlawfully.
If the personal data must be deleted to comply with a legal obligation to which we are subject.
Right to restriction of processing
In certain cases, you have the right to obtain restriction of the processing of your data. For example, if you dispute the accuracy of your personal data, you have the right to restriction of processing during the period that allows us to verify the accuracy of the personal data.
Right to restriction of processing
In certain cases, you have the right to obtain restriction of the processing of your data. For example, if you dispute the accuracy of your personal data, than you have the right to restriction of processing, during the period that allows us to verify the accuracy of the personal data.
Right to object
You have the right to object to the processing of your personal data on grounds relating to your particular situation. You also have the right to object to the use of your personal data for direct marketing purposes. In this case, no specific reason is required.
Right to data portability
If we process your personal data by automated means, on the basis of your consent or contractual necessity, you have the right to receive the personal data concerning which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transfer this data to another data controller.
Right to withdraw your consent
If the processing is based on your consent, you have the right to withdraw this consent for the future.
Automated decision-making and profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning your, or similarly significantly affects you.
How can you exercise your rights?
You can contact your right to contact us per e-mail at: privacy@intigriti.com
In case of questions, you can also contact your colleagues of the Intigriti privacy team in person, or by using our day-to-day communication methods.
We may ask you to prove your identity, for example by sending us a copy of the front of your identity card.
You have the right to lodge a complaint with the Belgian Data Protection Authority:
Data Protection Authority
Drukpersstraat 35
1000 Brussels
Tel. +32 (0)2 274 48 00 - Fax +32 (0)2 274 48 35,
E-mail: contact(@)apd-gba.be
This is without prejudice to the possibility of taking legal action before the civil courts. If you have suffered damage as a result of the processing of your personal data, you can submit a claim for compensation.
We may update this Privacy Statement from time to time. Please consult the most recent version on our website.
This is version V1 (2023) of the Privacy Statement