PRIVACY SECTION

This Privacy Section describes how Yes We Hack S.A.S., a simplified joint stock company incorporated in France having its seat at 14 rue Charles V, 75004 Paris, registered under number 814 037 214 (R.C.S. Paris) (hereafter "YesWeHack", "we", "us" or "our") process your Personal Data when you use our website.

YesWeHack operates the Firebounty site available at: https://firebounty.com/ (the "Site") enabling any individual visiting the Site (the "User") to find Vulnerability Disclosure Policies (VDP) and Bug Bounty programs in a non-partisan way.

When you browse the Site, YesWeHack processes your Personal Data as a data Controller. The purpose of this Privacy Section is to provide information about the data processing in accordance with current regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of Personal Data (hereafter the "GDPR"), as well as the French Data Protection Act n°78-17 of 6 January 1978, as amended.

For the interpretation of notions relating to the protection of Personal Data in this Privacy Section, please refer to the definitions in the Site Terms of Use and the definitions set out in the GDPR.

1. WHY AND HOW ARE MY PERSONAL DATA COLLECTED AND PROCESSED?

YesWeHack processes Site Users' Personal Data in the context of the use of the Site and, more generally of its operational activities as needed for the purposes stated below:

• Purpose: Administrative and technical management of the Site.
• Legal Basis: Legitimate interest of YesWeHack to ensure the safety and proper operation of the Site (GDPR art.6-1(f)).
• Personal Data Login data (IP address, date and time of login, location), technical/functional Cookies.
• Data retention period: Six (6) months from the first collection (i.e., upon your last visit to the Site). Personal Data are deleted at the end of this period.

• Purpose: Managing published VDPs and adding new ones.
• Legal Basis: Legitimate interest of YesWeHack respond to publication requests (GDPR art.6-1(f)).
• Personal Data: Email address and company name.
• Data retention period: Personal Data is stored for the duration of the publication of the VDP.

Please note that the Personal Data provided in the "Add VDP" form will be publicly displayed. Therefore, we invite you to use a non-identifying mail address. In the event that this is not possible, you may object to the processing of your email address before publication of your VDP.

2. WHO ARE THE RECIPIENTS OF YOUR PERSONAL DATA?

The internal recipients of your Personal Data are the authorized staff of YesWeHack.

The external recipients of your Personal Data who process data on behalf of YesWeHack (Processors) are:

• Processor: OVH S.A.S.
• Purposes: Hosting the Site.
• Location: 2 rue Kellermann, 59100 Roubaix, France.

• Processor: Scaleway S.A.S.
• Purposes: Site back up.
• Location: 8, rue de la ville l'évêque, 75008 Paris, France.

3. HOW ARE YOUR PERSONAL DATA PROTECTED?

YesWeHack has implemented generally accepted standards of technology and operational security regarding the risks presented by its processing to preserve your Personal Data from loss, misuse, alteration, or destruction, at the time of their processing. Notably, YesWeHack is ISO 27001 and ISO 27017 standard certified, which is an international standard for information security management systems.

The technical and organizational measures taken by YesWeHack include physical, logical, and contractual measures such as, but not limited to, restricted access to data by personnel in departments authorized to access it by virtue of their duties, contractual guarantees in the event of the use of an external service provider, privacy impact assessments, or stringent authentication procedures.

YesWeHack will, in addition, not use, exploit, or disseminate to any third party any data collected for any purpose other than those set forth in this Privacy Policy.

4. WHAT ARE YOUR RIGHTS?

Where applicable, you may exercise the following rights under the conditions provided for in the regulations:

• The right of access, rectification and erasure of your data (Art. 15 to 17 of the GDPR);
• The right to restriction of Processing of your data (Art. 18 of the GDPR);
• The right to object the Processing of your data (Art. 21 of the GDPR);
• The right to issue instructions allowing access to your data in the event of death (Art. 85 of the French Data Protection Act n°78-17 of 6 January 1978, as amended).

You can exercise these rights by e-mail to our Data Protection Officer (see its contact details hereafter), specifying the right you wish to exercise and attaching proof of your identity (if necessary) or a power of attorney if you are being represented.

You can lodge a complaint to the French Data Protection Authority (CNIL - Commission Nationale de l'Informatique et des Libertés): https://www.cnil.fr/fr/plaintes.

5. OUR DATA PROTECTION OFFICER

YesWeHack has appointed an external Data Protection Officer who is responsible for ensuring the compliance of our processing operations, keeping a record of the processing activities, and ensuring the exercise of your rights specified hereabove.

Contact details of the DPO (Data Protection Officer): privacy@yeswehack.com

6. ARE THERE COOKIES ON OUR SITE?

A generic Matomo tracker is used on the Site operating in Do Not Track mode as recommended by the French Data Protection Authority. The data collected by the Matomo tracker solely allows for anonymous, generic statistics on the Site's usage, and does not allow to re-identify individuals. That data is neither used to enrich other analytics datasets nor provides for a technical means to track the user's behaviour on other websites. Prior consent to the deposit of Matomo tracker is therefore not required.

If your web browser is set to block trackers and scripts, or if you have installed browser extensions that filter the content of web pages to block certain elements, such as trackers and cookies, the opt-out check-box will not be displayed and you will not be tracked.

7. UPDATING OF THIS PRIVACY SECTION

This Privacy Section may be updated periodically and without notice. Any changes will be effective immediately upon posting at https://firebounty.com/. However, we will use your Personal Data in accordance with this Privacy Section in effect at the time of the collection.