This Researcher Privacy Statement (“Statement”) describes how Intigriti collects, stores, uses and discloses your personal data in the context of your access and use of our Bug Bounty Platform (“Platform”).
This Statement also describes your rights and how you can contact us to establish them. This Statement is issued on behalf of Intigriti and every reference to “we”, “us”, or “our” in this Statement is a reference to Intigriti, who is the data controller responsible for the processing of your personal data.
This privacy statement does not describe how Intigriti processes personal data in the context of your use of the website www.intigriti.com. If you would like more information on how we process personal data in that context, please consult the General Privacy Statement on the website.
1. Who are we?
Intigriti NV, a company incorporated and existing under the laws of Belgium with enterprise number 0660.623.646, having its principal office at Klokstraat 16, 2600 Antwerp, Belgium.
2. How we process your personal data and why
Profile creation
Activity | Personal data processed | Purpose | Legal basis |
Identification and settings | | We use this information to identify you in the context of your use of the platform, and to manage your platform access and settings. | Processing is necessary for the performance of a contract with you. |
Additional profile information | | We use this information to identify you in the context of your use of the platform, and to match you with our companies and their programs. | Consent |
Swag preferences | | We may use this information to send you swag from time to time. | Consent |
Program participation
Activity | Personal data processed | Purpose | Legal basis |
Identification | | We use this information to manage your access to programs. | Legitimate interest (the operation of our platform and performance of our services) |
Contact | | We use this information to contact you in connection with your use of the platform (for example to inform you of the status of your submissions). | Processing is necessary for the performance of a contract with you. |
Submission data | | We use this information to follow up on your submissions. | Legitimate interest (the operation of our platform and performance of our services) |
Identity verification
Activity | Personal data processed | Purpose | Legal basis |
ID Verification Data | | We use this information to verify the accuracy of your identity details, in connection with fraud prevention, AML and other lawful purposes. | Legitimate interest (fraud prevention, AML and other lawful purposes) |
Screening results | | We use this information to make sure we and our clients can comply with authority-imposed embargoes, restricted party lists and similar legal restrictions, in connection with their collaboration with our platform’s Researchers. | Legal obligation in respect of our own compliance purposes. Our legitimate interest in enabling our clients to comply with legal requirements, where it concerns their compliance purposes. |
Bounty payments
Activity | Personal data processed | Purpose | Legal basis |
Bounty payment information | | We use this information to make payments to you. | Processing is necessary for the performance of a contract with you. |
Transaction details and accounting information | | We process this data for bookkeeping purposes and other tax and financial reporting obligations. | Legal obligation (finance and tax related) |
Audit trail
Activity | Personal data processed | Purpose | Legal basis |
Audit trail - Access management | | We use this information to manage the secure access to our platform. | Legitimate interest (security and access management) |
Audit trail - Events | We will, for example, keep an audit trail with regard to your submissions, any updates and amendments to submissions, program invites and access, communications made to or by you, changes in settings, etc. | We use this information to follow up on programs and submissions, and to keep track of actions with a legal effect. | Legitimate interest (the operation of our platform, performance of our services and proof of legal events) |
Updates and newsletters
Activity | Personal data processed | Purpose | Legal basis |
Newsletter | | If you subscribe to our newsletters, trainings or similar communication, we use this data for that purpose. | Consent |
3. How long do we process your personal data?
We will retain your personal data for a period necessary according to the original purpose of the data processing as outlined in this Statement. Once your data is no longer required, we will permanently destroy or delete the data from our systems or anonymise it, ensuring you are no longer identifiable.
Activity | Retention time |
Profile | |
Identification and settings | We will preserve this information for as long as you are registered as a Researcher on our platform. |
Additional profile information | We will preserve this information for as long as you are registered as a Researcher on our platform. |
Swag preferences | We will preserve this information for as long as you are registered as a Researcher on our platform. |
Program participation | |
Identification | We will preserve this information for as long as you are registered as a Researcher on our platform. |
Contact | We will preserve this information for as long as you are registered as a Researcher on our platform. |
Submission data | We will preserve this information for as long as you are registered as a Researcher on our platform. |
Identity verification | |
ID Verification Data | We will preserve this information for as long as you are registered as a Researcher on our platform; and for an additional period relevant to take legal action (currently 10 years). |
Screening results | We will preserve this information for as long as you are registered as a Researcher on our platform; and for an additional period relevant to take legal action (currently 10 years). |
Bounty payments | |
Bounty payment information | We will preserve this information for as long as you are registered as a Researcher on our platform; and for an additional period of up to 1 year thereafter. |
Transaction details and accounting information | We will preserve this information for as long as you are registered as a Researcher on our platform; and for an additional period relevant to take legal action (currently 10 years). |
Audit trail | |
Audit trail - Access management | We will retain the relevant personal data for 10 years, potentially allowing us to undertake legal action, if required. |
Audit trail - Events | We will retain the relevant personal data for 10 years, potentially allowing us to undertake legal action, if required. |
Updates and newsletters | |
Newsletter | We will preserve this information for as long as you are registered as a Researcher on our platform. |
4. Who do we share your data with?
Within our organization, your information is shared on a need-to-know basis. Moreover, we may disclose your personal data to the following recipients:
To our affiliated companies, hosting providers or other service providers, where useful in connection with the services or support they provide to us. These parties process your personal data in accordance with our instructions.
To our professional advisors, such as lawyers, accountants and bailiffs, to the extent necessary for their activities.
To financial institutions, payment providers and other relevant service providers, for the purpose of making payments.
To public authorities (including tax and social security authorities) when we are legally required to do so.
In case of a dispute, non-compliance with applicable terms and conditions or (suspected) unethical or illegal behavior, to the company whose program you participate in.
5. Which rights do you have in relation to your personal data?
In accordance with the provisions of the GDPR, you have several rights with regard to the personal data that we process about you. Please note that the exercise of your rights may be subject to additional legal conditions. To exercise any of your rights, please send us a written request, using the contact details below.
Right to information and right of access
You have the right to confirmation as to whether or not we process your personal data and, in the event we do so, to access such personal data and receive a copy thereof, as long as this does not adversely affect the rights and freedoms of others. This service is usually free of charge, although we have the right to charge a ‘reasonable fee’ in some circumstances.
Right to rectification
You have the right to request that we rectify any inaccuracies in relation to the personal data we hold about you. Have you noticed an error in the information we hold? Please let us know using the contact details below.
Right to erasure ("right to be forgotten")
In some circumstances, you have the right to request the erasure of your Personal Data or object to the further processing of your information.
We will comply with your request in the following situations:
If your personal data is solely processed based upon your consent.
If you object to the processing on grounds relating to your particular situation and there are no overriding legitimate grounds for processing.
If you object to the processing of your data for direct marketing purposes.
If we have processed your personal data unlawfully.
If the personal data must be deleted to comply with a legal obligation to which we are subject.
There are certain exclusions to the right to erasure. Those exclusions include the situation where processing is necessary:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation; or
for the establishment, exercise or defense of legal claims.
Right to restriction of processing
You have the right to restrict the processing of your personal data if:
You contest the accuracy of the personal data (and only for as long as it takes to verify that accuracy);
The processing is unlawful and you request restriction (as opposed to exercising the right to erasure);
We no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defense of legal claims; or
You have objected to processing, pending the verification of that objection.
Once you have exercised your right to restrict the processing of your personal data, we may still process it:
with your consent;
for the establishment, exercise or defense of legal claims;
for the protection of the rights of another natural or legal person; or
for reasons of important public interest.
Right to object
Where we process your personal data based on legitimate interests, you have the right to object to the processing of your personal data on grounds relating to your particular situation. You also have the right to object to the use of your personal data for direct marketing purposes. In this case, no specific reason is required.
Right to data portability
To the extent that the legal basis for our processing of your personal data is consent, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format.
However, this right does not apply where it would adversely affect the rights and freedoms of others. You also have the right to have your personal data transferred directly to another company, if this is technically possible, and/or to store your personal data for further personal use on a private device.
Right to withdraw your consent
If the processing is based on your consent, you have the right to withdraw this consent for the future.
Automated decision-making and profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you.
How can you exercise your rights?
In order to exercise your rights, contact us by email at privacy@intigriti.com. We may ask you some relevant questions allowing us to ensure that you are the person you claim to be.
Complaints
You have the right to lodge a complaint with the Belgian Data Protection Authority. However, we would appreciate the chance to deal with your concerns before you approach our supervisory authority, and ask you to contact us in the first instance.
You can lodge a complaint with the Belgian Data Protection Authority by written mail to:
Data Protection Authority
Drukpersstraat 35
1000 Brussels
Tel. +32 (0)2 274 48 00 - Fax +32 (0)2 274 48 35,
or by E-mail: contact(@)apd-gba.be
This is without prejudice to the possibility of taking legal action before the civil courts. If you have suffered damage as a result of the processing of your personal data, you can submit a claim for compensation.
7. International data transfers
Subject to your permission or as permitted by law, the personal data that you provide us with may be transferred outside the EEA, in order to consolidate data storage or to simplify our business management. We have adopted globally recognized privacy principles and only collect and/or transmit your personal data to the extent it is necessary to conduct business and perform requested services.
In cases where personal data is transferred to countries that are not recognized by the European Commission as offering an adequate level of personal data protection, such transfers are covered by standard contractual clauses adopted by the European Commission. If applicable to you, you may obtain copies of such safeguards by contacting us.
8. What about personal data of children?
Our Platform is not directed at children. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us by using the information above in the contact us section of this Statement and we will take the required steps to delete such personal data from our systems.
9. Amendments to this Researcher Privacy Statement
This Statement may be updated from time to time, to reflect changes in our practices, and technologies, and/or to remain consistent with the applicable data protection and privacy laws and principles, and other legal requirements.
If we make any material updates, we will provide you with prior notice by email or on the platform.
This is version V2 (2023) of the Privacy Statement.