1. What personal information is collected and processed.

a) Necessary information.

We collect the following personal information about you when you sign up or use the Platform. Without this data, it would not be possible to provide the requested services.

Contact information, accounts and profile information: name and surname, e-mail address, company name, bank account details, mobile number and personal or company telephone, VAT number of the company, copy of the identification document, Chamber of Commerce and log data;

b) Optional information.

Additional information that can be entered into the account or otherwise acquired: the genre, the city, social network accounts and other information that can also be found publicly.

2. Who is the owner of the treatment.

The Data Controller in accordance with current European legislation (Reg. Eu. 679/2016) is BugBounty.al S.r.l.

To contact the Data Controller for any clarification or exercise of a right, please use the following e-mail reference: privacy@bugbounty.al

3. What are the purposes of the treatment.

We process the information that is acquired in order to provide, improve and develop the Platform. In particular, the collection and processing of information is carried out for:

allow you to register and access the Platform using our services;

communicate with the experts;

make and receive payments;

allow us to provide assistance;

allow you to analyze the Expert report;

allow us to carry out safety investigations and risk assessment;

fulfill legal obligations such as anti-money laundering.

Prevent fraud or abuse;

4. The legal bases of the treatment.

Pursuant to art. 6 of the GDPR the following legal bases are identified:

Execution of the contract. Reference is made to those personal data that are collected and processed for the performance of the operations necessary for the execution of the contract of which you are a part. For this purpose we use the contact, account and profile information you provide to allow you to:

access and use the platform;

communicate with companies participating in the Bug Bounty Program;

receive payments;

allow you to analyze the necessary data of the companies participating in the Bug Bounty Program;

Consent. All personal data collected and processed for the performance of activities that are not strictly necessary for the execution of the contract such as optional information or telephone number, the references of your social networks and other information such as those contained in the curriculum vitae that may be required by the company, find justification in the consent given following the acceptance of this privacy statement. To this end, we use the necessary and optional information you provide to us for:

allow us to provide you with assistance;

Legal obligation. The personal data collected may be processed to fulfill legal obligations such as, by way of example, anti-money laundering legislation and for the protection from serious cyber threats in order, therefore, to keep the platform safe, to prevent violations of the law, damages or crimes.

Legitimate interest. The personal data collected may be processed to allow the data controller to:

carry out safety investigations and risk assessment;

Prevent fraud or abuse;

respect or defend rights.

This use of data for the aforementioned purposes is necessary considering the prevalence of the legitimate interest of the Data Controller with respect to the rights of the interested party.

5. Data sharing.

To allow the provision of the service provided by the platform, some of your collected data (necessary information such as the company name, website and other identification data of the same) are shared with the Experts, who act as independent data controllers, who will proceed with their Bug Bounty activity in accordance with the contractual conditions and the Vulnerability policy attached in the contract.

6. What are your rights.

6.1 Access to data and portability.

You have the right to request copies of your personal information in our possession. You have the right to exercise copies of personal information that you have provided to us in a structured, commonly used and electronically readable format and you can request the transmission of this information to another service provider.

6.2 rectification

If it cannot be done independently through access with your account on the platform, you have the right to request the correction and updating of inaccurate or incomplete personal data.

6.3 Revocation of consent

If the processing of your personal data is based on consent, you can revoke it at any time by changing the settings of your Account or by sending us a communication in which you specify which consent you want to withdraw. The legitimacy of any processing activity based on consent before its revocation remains firm.

6.4 Limitation of treatment

You can exercise your right to limit the methods of use of your personal data by us, specifically if: a) you contest the accuracy of your personal information; b) the processing proves to be illegal and opposes the cancellation of your personal information; c) BugBounty.al no longer requires that data for processing purposes, but there is your need for an investigation, exercise or defense of a right.

6.5 Cancellation

We keep your personal information as specified below in point no. 6, however, you have the right to ask us to delete your information and we will cancel without undue delay if one of the following reasons exists: a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) the interested party revokes the consent on which the treatment is based in accordance with art. 6, par. 1, lett. a), or art. 9, par. 2, lett. a) GDPR, and if there is no other legal basis for the processing; c) the interested party opposes the treatment pursuant to art. 21, par. 1 GDPR, and there is no prevailing legitimate reason to proceed with the treatment, or opposes the treatment pursuant to art. 21, par. 2, GDPR;d) personal data have been processed unlawfully; e) personal data are deleted to fulfill a legal obligation under Union or Member State law to which the data controller is subject; f) personal data have been collected in relation to the offer of information society services pursuant to art. 8, par. 1, GDPR.

6.6 Presentation of complaints

You have the right to complain about our data processing activities by contacting us at the e-mail address privacy@bugbounty.al or by submitting the complaint to your local supervisory authority or our Guarantor for the protection of personal data.

7. Retention of the information collected.

We keep the personal information that is collected during the report for as long as necessary or allowed by virtue of the purposes for which it was obtained and in accordance with current law.

Among the parameters that allow to establish the duration of conservation from time to time are:

The duration of the legal relationship;
Legal obligations;
Any disputes or investigations by the Authority;

8. Security measures.

BugBounty adopts the most appropriate technical security measures for the collection and storage of your personal data. Your personal data is stored in a database located in a private subnet and not accessible from external addresses except from our Application. To access the services managed by our Application it is necessary, in addition to the credentials, to overcome a two-factor authentication (2FA) Powered by Hardware Security Token.

We apply the greatest efforts to constantly improve the security levels of our platform, so we ourselves have a Bug Bounty Program active on the platform to ensure that the Experts of our Community also analyze our IT Infrastructure.

9. Transfers of personal data outside European borders.

BugBounty does not transfer any personal data outside the European Economic Area.

10. Cookie

With regard to the use of cookies, express reference is made to the provisions of the cookie policy.