Privacy Statement Intigriti – Researcher

Our Privacy Statement relating to our community of researchers.

Written by Travis Anderson
Updated over a week ago

This Researcher Privacy Statement (“Statement”) describes how Intigriti collects, stores, uses and discloses your personal data in the context of your access and use of our Bug Bounty Platform (“Platform”).

This Statement also describes your rights and how you can contact us to establish them. This Statement is issued on behalf of Intigriti and every reference to “we”, “us”, or “our” in this Statement is a reference to Intigriti, who is the data controller responsible for the processing of your personal data.

This privacy statement does not describe how Intigriti processes personal data in the context of your use of the website www.intigriti.com. If you would like more information on how we process personal data in that context, please consult the General Privacy Statement on the website.

1. Who are we?

Intigriti NV, a company incorporated and existing under the laws of Belgium with enterprise number 0660.623.646, having its principal office at Klokstraat 16, 2600 Antwerp, Belgium.

2. How we process your personal data and why

Profile creation

Activity

Personal data processed

Purpose

Legal basis

Identification and settings

  • Identification data (such as your name, user name, and user number)

  • Contact data (email and telephone number)

  • Preferences and (notification) settings

We use this information to identify you in the context of your use of the platform, and to manage your platform access and settings.

Processing is necessary for the performance of a contract with you.

Additional profile information

  • Photo or avatar

  • Additional information you may choose to add to your profile, such as social media links, your professional background and experience, or certifications.

We use this information to identify you in the context of your use of the platform, and to match you with our companies and their programs.

Consent

Swag preferences

  • Preferences such as desired T-shirt size

  • Identification details

  • Address details

We may use this information to send you swag from time to time.

Consent

Program participation

Activity

Personal data processed

Purpose

Legal basis

Identification

  • Identification data (such as your name, user name and user number)

  • Country

  • ID verification status

We use this information to manage your access to programs.

Legitimate Interest (the operation of our platform and performance of our services)

Contact

  • Contact data (email and telephone number)

We use this information to contact you in connection with your use of the platform (for example to inform you of the status of your submissions).

Processing is necessary for the performance of a contract with you.

Submission data

  • Identification data

  • Submissions

  • Status

  • Communications

We use this information to follow up on your submissions.

Legitimate interest (the operation of our platform and performance of our services)

Identity verification

Activity

Personal data processed

Purpose

Legal basis

ID Verification Data

  • Identification data (e.g. name, nationality, country, date of birth)

  • Copy of the ID proving document you submit and relevant data drawn from such document

  • Images and/or video ('liveness check')

  • Other data you submit in the context of your identity verification

We use this information to verify the accuracy of your identity details, in connection with fraud prevention, AML and other lawful purposes.

Legitimate interest (fraud prevention, AML and other lawful purposes)

Screening results

  • Identification data

  • Result of sanctions and restricted party screening (e.g. OFAC sanctions, most wanted lists, adverse media)

We use this information to make sure we and our clients can comply with authority-imposed embargoes, restricted party lists and similar legal restrictions, in connection with their collaboration with our platform’s Researchers.

Legal obligation in respect of our own compliance purposes.

Our legitimate interest in enabling our clients to comply with legal requirements, where it concerns their compliance purposes.

Bounty payments

Activity

Personal data processed

Purpose

Legal basis

Bounty payment information

  • Identification data

  • ID verification status

  • Bounty eligibility

  • Payment account information

  • Company and invoice information

We use this information to make payments to you.

Processing is necessary for the performance of a contract with you.

Transaction details and accounting information

  • Identification data

  • Information about payments made to you, including bounty eligibility and transaction details such as amounts, timestamp, account details, references,…

We process this data for bookkeeping purposes and other tax and financial reporting obligations.

Legal obligation (finance and tax related)

Audit trail

Activity

Personal data processed

Purpose

Legal basis

Audit trail - Access management

  • Identification data (IP address, user number)

  • Login method and data (including MFA data if applicable)

We use this information to manage the secure access to our platform.

Legitimate interest (security and access management)

Audit trails - Events

  • Identification data

  • Platform activity and events (the actions you undertake on our platform)

  • Communications

  • Timestamp

We will, for example, keep an audit trail with regard to your submissions, any updates and amendments to submissions, program invites and access, communications made to or by you, changes in settings, etc.

We use this information to follow up on programs and submissions, and to keep track of actions with a legal effect.

Legitimate interest (the operation of our platform, performance of our services and proof of legal events)

Updates and newsletters

Activity

Personal data processed

Purpose

Legal basis

Newsletter

  • Identification data

  • E-mail address

  • Preferences

If you subscribe to our newsletters, trainings or similar communications, we use this data for that purpose.

Consent

3. HOW LONG DO WE PROCESS YOUR PERSONAL DATA?

We will retain your personal data for a period necessary according to the original purpose of the data processing as outlined in this Statement. Once your data is no longer required, we will permanently destroy or delete the data from our systems or anonymise it, ensuring you are no longer identifiable.

Activity

Retention time

Profile

Identification and settings

We will preserve this information for as long as you are registered as a Researcher on our platform.

Additional profile information

We will preserve this information for as long as you are registered as a Researcher on our platform.

Swag preferences

We will preserve this information for as long as you are registered as a Researcher on our platform.

Program participation

Identification

We will preserve this information for as long as you are registered as a Researcher on our platform.

Contact

We will preserve this information for as long as you are registered as a Researcher on our platform.

Submission data

We will preserve this information for as long as you are registered as a Researcher on our platform.

Identity Verification

ID Verification Data

We will preserve this information for as long as you are registered as a Researcher on our platform; and for an additional period relevant to take legal action (currently 10 years).

Screening results

We will preserve this information for as long as you are registered as a Researcher on our platform; and for an additional period relevant to take legal action (currently 10 years).

Bounty Payments

Bounty Payment information

We will preserve this information for as long as you are registered as a Researcher on our platform; and for an additional period of up to 1 year thereafter.

Transaction details and accounting information

We will preserve this information for as long as you are registered as a Researcher on our platform; and for an additional period relevant to take legal action (currently 10 years).

Audit trail

Audit trail – Access management

We will retain the relevant personal data for 10 years, potentially allowing us to undertake legal action, if required.

Audit trail - Events

We will retain the relevant personal data for 10 years, potentially allowing us to undertake legal action, if required.

Updates and newsletters

Newsletter

We will preserve this information for as long as you are registered as a Researcher on our platform.

4. WHO DO WE SHARE YOUR DATA WITH?

Within our organization, your information is shared on a need-to-know basis. Moreover, we may disclose your personal data to the following recipients:

  • To our affiliated companies, hosting providers or other service providers, where useful in connection with the services or support they provide to us. These parties process your personal data in accordance with our instructions thereto.

  • To our professional advisors, such as lawyers, accountants and bailiffs, to the extent necessary for their activities.

  • To financial institutions, payment providers and other relevant service providers, for the purpose of making payments.

  • To public authorities (including tax and social security authorities) when we are legally required to do so.

  • In case of a dispute, non-compliance with applicable terms and conditions or (suspected) unethical or illegal behavior, to the company whose program you participate in.

5. WHICH RIGHTS DO YOU HAVE IN RELATION TO YOUR PERSONAL DATA?

In accordance with the provisions of the GDPR, you have several rights with regard to the personal data that we process about you. Please note that the exercise of your rights may be subject to additional legal conditions. To exercise any of your rights, please send us a written request, using the contact details below.

Right to information and right of access

You have the right to confirmation as to whether or not we process your personal data and, in the event we do so, to access such personal data and receive a copy thereof, as long as this does not adversely affect the rights and freedoms of others. This service is usually free of charge, although we have the right to charge a ‘reasonable fee’ in some circumstances.

Right to rectification

You have the right to request that we rectify any inaccuracies in relation to the personal data we hold about you. Have you noticed an error in the information we hold? Please let us know using the contact details below.

Right to erasure ("right to be forgotten")

In some circumstances, you have the right to request the erasure of your Personal Data or object to the further processing of your information.

We will comply with your request in the following situations:

  • If your personal data is solely processed based upon your consent.

  • If you object to the processing on grounds relating to your particular situation and there are no overriding legitimate grounds for processing.

  • If you object to the processing of your data for direct marketing purposes.

  • If we have processed your personal data unlawfully.

  • If the personal data must be deleted to comply with a legal obligation to which we are subject.

There are certain exclusions to the right to erasure. Those exclusions include the situation where processing is necessary:

  • for exercising the right of freedom of expression and information;

  • for compliance with a legal obligation; or

  • for the establishment, exercise or defense of legal claims.

Right to restriction of processing

You have the right to restrict the processing of your personal data if:

  • You contest the accuracy of the personal data (and only for as long as it takes to verify that accuracy);

  • The processing is unlawful and you request restriction (as opposed to exercising the right to erasure);

  • We no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defense of legal claims; or

  • You have objected to processing, pending the verification of that objection.

Once you have exercised your right to restrict the processing of your personal data, we may still process it:

  • with your consent;

  • for the establishment, exercise or defense of legal claims;

  • for the protection of the rights of another natural or legal person; or

  • for reasons of important public interest.

Right to object

Where we process your personal data based on legitimate interests, you have the right to object to the processing of your personal data on grounds relating to your particular situation. You also have the right to object to the use of your personal data for direct marketing purposes. In this case, no specific reason is required.

Right to data portability

To the extent that the legal basis for our processing of your personal data is consent, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format.

However, this right does not apply where it would adversely affect the rights and freedoms of others. You also have the right to have your personal data transferred directly to another company, if this is technically possible, and/or to store your personal data for further personal use on a private device.

Right to withdraw your consent

If the processing is based on your consent, you have the right to withdraw this consent for the future.

Automated decision-making and profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you.

How can you exercise your rights?

In order to exercise your rights, contact us by email at privacy@intigriti.com. We may ask you some relevant questions allowing us to ensure that you are the person you claim to be.

Complaints

You have the right to lodge a complaint with the Belgian Data Protection Authority. However, we would appreciate the chance to deal with your concerns before you approach our supervisory authority, and ask you to contact us in the first instance.

You can lodge a complaint with the Belgian Data Protection Authority by written mail to:

Data Protection Authority
Drukpersstraat 35
1000 Brussels
Tel. +32 (0)2 274 48 00 - Fax +32 (0)2 274 48 35,

or by e-mail: contact(@)apd-gba.be

This is without prejudice to the possibility of taking legal action before the civil courts. If you have suffered damage as a result of the processing of your personal data, you can submit a claim for compensation.

7. International data transfers

Subject to your permission or as permitted by law, the personal data that you provide us with may be transferred outside the EEA, in order to consolidate data storage or to simplify our business management. We have adopted globally recognized privacy principles and only collect and/or transmit your personal data to the extent it is necessary to conduct business and perform requested services.

In cases where personal data is transferred to countries that are not recognized by the European Commission as offering an adequate level of personal data protection, such transfers are covered by standard contractual clauses adopted by the European Commission. If applicable to you, you may obtain copies of such safeguards by contacting us.

8. What about personal data of children?

Our Platform is not directed at children. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us by using the information above in the contact us section of this Statement and we will take the required steps to delete such personal data from our systems.

9. Amendments to this Researcher Privacy Statement

This Statement may be updated from time to time, to reflect changes in our practices and technologies, and/or to remain consistent with the applicable data protection and privacy laws and principles, and other legal requirements.

If we make any material updates, we will provide you with prior notice by email or on the platform.

This is version V2 (2023) of the Privacy Statement.
