1. INTRODUCTION

This Privacy Statement describes how INTIGRITI may process personal data of Researchers that access and use our bug bounty platform.

This privacy statement does not describe how Intigriti processes personal data in the context of your use of the website www.intigriti.com. If you would like more information on how we process personal data in that context, please consult the General Privacy Statement on the website.

Who are we?

Intigriti NV, a company incorporated and existing under the laws of Belgium with enterprise number 0660.623.646, having its principal office at Borsbeeksebrug 34/1, 2600 Antwerp, Belgium.

The current privacy statement sets out which personal data we may process, how we may use it, with whom we may share it, and which rights you may have in this context. The content of the current document may not be construed or interpreted as an obligation for us to process or preserve certain information. Moreover, we may decide not to process certain data about you and/or to delete any of your personal data prior to the completion of the processing term that is indicated below.

If you have any questions or remarks on how we process your personal data, please reach out to our privacy team at: privacy@intigriti.com.

2. HOW WE USE AND COLLECT YOUR PERSONAL DATA (GDPR)

Profile creation

Categories of personal data

Purpose of the processing

Legal basis

User data

  • Username

  • First and last name

  • Email address

  • Phone number

Information we collect when you create an account to join our bug bounty community.

Contractual necessity

User data

  • Add a photo to your profile

  • Add a link to your social media profile

You have the option to link an image to your user profile.

You also have the option to add social media profile information to your user profile.

Consent

Participating in a program

Categories of personal data

Purpose of the processing

Legal basis

User data

  • Username

  • First and last name

  • Date of birth and age

  • Email address

  • Address

  • Phone number

  • Notification settings

  • Program Preferences

  • Payment Preferences

Information we collect when you participate in a program.

Contractual necessity

Terms and conditions

  • First and last name

  • Terms and conditions details

  • Date and time of acceptance

Information we collect to keep track of the terms and conditions that you have accepted, permissions you have granted and other legal or contractual actions you have undertaken.

Contractual necessity

ID verification data

  • ID proving document in order to validate your name, birthday and birth location, nationality and gender

  • Proof of address to verify your address details

  • Record movements of you turning your head from one side to the other to verify you are a living person

  • Other data you have submitted in connection with your identity verification

This information is collected to verify the accuracy of your personal data. Becoming ID verified provides you access to programs and features that are only accessible for ID verified researchers.

Contractual necessity

Platform communications

  • User data

  • Communication details between you and Intigriti

We process this data to communicate with you in connection with your use of the platform and your participation in programs.

Contractual necessity

Receiving a bounty

Categories of personal data

Purpose of the processing

Legal basis

ID verification data

  • First, given and last name

  • ID proving document

  • Proof of address

  • Birth location and Birthday

  • Nationality

  • Gender

  • Other data you have submitted in connection with your identity verification

To verify your identity and to ensure we only pay to the right person and to comply with our legal obligations in connection with KYC, anti-terrorism financing and similar legal obligations.

Legal obligation

Financial data

  • User data

  • Bank account number or other payment account information

Information required to pay a granted bounty to your account.

Contractual necessity

Financial transaction details

  • Bank account number or other payment account information

  • Invoice number and amount

  • Date and time of the transaction

Information we keep for bookkeeping purposes and other tax related obligations.

Legal obligation

Newsletters and swag

Categories of personal data

Purpose of the processing

Legal basis

Newsletter

  • First and last name

  • Date and time of subscription

Newsletter you can subscribe to, to get information related to programs and bounty awards.

Consent

User data

  • T-shirt size

  • Address details

We award our winners from time to time with an Intigriti T-shirt. If you provide your T-shirt size, we can provide you swag in the correct size.

Consent

Securing the program flow

Categories of personal data

Purpose of the processing

Legal basis

Audit trail – program activity

  • User name

  • Access logging to our platform and events

  • Date and time

  • ID verification data

  • Information about relevant events and actions (e.g. acceptance of terms and conditions, signatures, confirmations, etc., including the content thereof)

We preserve information as an audit trail, to be able to prove that we have complied with our obligations

  • towards researchers and clients,

  • for security purposes,

  • to preserve information about acceptance of terms,

  • when in doubt, to validate whether you are properly ID checked

Legitimate interest

Platform event information – login activity

  • Electronic identification data

  • Date and time

In order to monitor and secure our platform we keep an audit trail of the activity on the platform. This way we can demonstrate that unauthorized access was not granted to the platform and to the submitted program.

Legitimate interest

Platform event information – change activity

  • Username

  • Date and time

  • Event (what you have done on our platform)

In order to monitor and secure our platform we keep an audit trail of the activity on the platform. This way we can keep track of events that occurred on the platform, for example setting up bug bounty programs, pausing or terminating programs, confirming submissions and bounties, etc.

Legitimate interest

3. HOW LONG DO WE PROCESS YOUR PERSONAL DATA?

We will store and process your personal data for as long as necessary for the purposes of the above processing. If there is no need to continue processing your data, we will permanently destroy or delete the data from our systems or anonymise it, so that you are no longer identifiable.

Activity

Processing Term

Data processed based upon consent

As it is given upon consent you can withdraw your consent at any time

User data

When you ask to delete your account, the personal information will be removed within 60 days after your request

Terms and conditions

As long as you are active on our platform, we keep track of the acceptance of our terms and conditions.

ID verification data

During the period relevant to undertake legal action (usually 10 years)

Financial transaction details

During the period relevant to undertake legal action (usually 10 years)

Program data activity

During the period relevant to undertake legal action (usually 10 years)

Monitoring platform communications

Only during the active program

Audit trail Program data activity

Anonymised as soon as they are no longer needed for the transmission of communication

Platform event information

During the period relevant to undertake legal action (usually 10 years)

4. WHO DO WE SHARE YOUR DATA WITH

Notwithstanding the Intigriti entity you have contracted with, all data described herein is shared with and processed by our Belgian entity, detailed at the beginning of this document, who will process your personal data in accordance with the current Privacy Statement.

  • We may engage data processors such as hosting providers who process your data, only in accordance with our instructions thereto;

  • We share your personal data with financial institutions, insurance companies and other partners for the purpose of awarding, managing and paying the bounty;

  • We share your personal data with public authorities (including tax and social security authorities) when we are legally required to do so;

  • We may share your data with the companies whose programs you participate in, in connection with any disputes between you and such company, in connection with any of your activities under the companies’ program.

5. WHICH RIGHTS DO YOU HAVE IN RELATION TO YOUR PERSONAL DATA

In accordance with the provisions of the GDPR, you have several rights with regard to the personal data that we process about you. We try to explain your rights here in a simplified way. Please note that the exercise of your rights may be subject to additional legal conditions.

Right to information and right of access

You have the right to obtain information from us about the processing of your personal data. You have the right to be informed about whether or not we are processing personal data about you and, if so, to have access to that personal data and to any additional information about the processing that we are carrying out.

Right to rectification

If the information we hold about you is inaccurate, you have the right to have that data rectified without undue delay. Have you noticed an error in the information we hold? Please let us know using the contact details below.

Right to erasure ("right to be forgotten")

You have the right to ask us to erase your personal data. We are obliged to comply with this request in each of the following situations:

  • If we no longer need the data for the purposes for which it was collected or otherwise processed.

  • If the data is processed on the basis of consent, you withdraw your consent, and there is no other legal basis for the processing.

  • If you object to the processing on grounds relating to your particular situation and there are no overriding legitimate grounds for processing.

  • If you object to the processing of your data for direct marketing purposes.

  • If we have processed your personal data unlawfully.

  • If the personal data must be deleted to comply with a legal obligation to which we are subject.

Right to restriction of processing

In certain cases, you have the right to obtain restriction of the processing of your data. For example, if you dispute the accuracy of your personal data, you have the right to restriction of processing during the period that allows us to verify the accuracy of the personal data.

Right to object

You have the right to object to the processing of your personal data on grounds relating to your particular situation. You also have the right to object to the use of your personal data for direct marketing purposes. In this case, no specific reason is required.

Right to data portability

If we process your personal data by automated means, on the basis of your consent or contractual necessity, you have the right to receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another data controller.

Right to withdraw your consent

If the processing is based on your consent, you have the right to withdraw this consent for the future.

Automated decision-making and profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you.

How can you exercise your rights?

You can exercise your rights by contacting us by e-mail at: privacy@intigriti.com

In case of questions, you can also contact your colleagues of the Intigriti privacy team in person, or by using our day-to-day communication methods.

We may ask you to prove your identity, for example by sending us a copy of the front of your identity card.

You have the right to lodge a complaint with the Belgian Data Protection Authority:

Data Protection Authority
Drukpersstraat 35
1000 Brussels
Tel. +32 (0)2 274 48 00 - Fax +32 (0)2 274 48 35,

E-mail: contact(@)apd-gba.be

This is without prejudice to the possibility of taking legal action before the civil courts. If you have suffered damage as a result of the processing of your personal data, you can submit a claim for compensation.

We may update this Privacy Statement from time to time. Please consult the most recent version on our website.

This is version V1 (2023) of the Privacy Statement
