Privacy Policy
This policy explains how BugBounty.company collects, uses, shares, and retains personal data when you submit a security disclosure, participate in our invitation-only researcher program, or visit this website.
Scope and applicable law
Our primary regulatory framework is the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). This policy is also written to meet our obligations under the EU GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA), the India Digital Personal Data Protection Act 2023 (DPDP), and equivalent privacy laws in other jurisdictions where our researchers and submitters reside.
Who we are
BugBounty.company is the data controller for the personal data described in this policy. We coordinate security disclosures on behalf of affiliated companies. Our place of establishment is the United Kingdom.
For any privacy-related question, or to exercise the rights described below, please use our contact form.
Personal data we collect
We collect personal data in four narrow contexts:
- Security disclosures via the contact form. Email address (required), country of residence (required), subject and message (required), name (optional). You may include further personal data voluntarily in the message body. We do not record your IP address with the submission.
- Invitation-only researcher program. Legal name, chosen pseudonym, government-issued identity document for verification and sanctions screening, payment details (banking or wallet address), phone number, email address, and your PGP public key where you choose to provide one.
- Public recognition (Hall of Fame). Your chosen pseudonym or legal name, published only with your explicit opt-in at the time of each reward. You may receive rewards without being publicly listed.
- Website operation. Our nginx server records access logs (timestamp, request, response code, user-agent, IP address) for security and operational purposes. One strictly necessary cookie, CONTACT_SID, is set only on the contact page for CSRF defence; see our Cookie Policy.
Why we use your data (lawful bases)
- Receiving and triaging your security disclosure. Legitimate interests under UK GDPR Article 6(1)(f), namely securing the systems of our affiliates and our own.
- Forwarding your submission to the relevant affiliated company. Legitimate interests under UK GDPR Article 6(1)(f).
- Communicating with you about the submission and any reward. Contract or pre-contractual measures under UK GDPR Article 6(1)(b).
- Identity verification, sanctions screening, and minor-age checks before any payment. Legal obligation under UK GDPR Article 6(1)(c), including UK and UN sanctions law, anti-money-laundering rules, and child protection law.
- Processing reward payments and meeting tax obligations. Performance of a contract under Article 6(1)(b), and legal obligation under Article 6(1)(c).
- Listing your name or handle on the Hall of Fame. Consent under UK GDPR Article 6(1)(a), freely revocable at any time.
- Operating and securing this website. Legitimate interests under UK GDPR Article 6(1)(f).
- Permanently blocking IP addresses of suspected malicious actors (for example, SQL-injection or scanner traffic). Legitimate interests under UK GDPR Article 6(1)(f), for the protection of the website, our infrastructure, and the data we hold.
How we share your data
- Affiliated companies. The contents of your submission, including your contact details and stated country of residence, are forwarded to the affiliated company whose product or service is the subject of your report. Affiliates are located globally and may be outside the United Kingdom or the European Economic Area.
- Service providers. We operate our own self-hosted email and web infrastructure on a UK-based virtual private server. Inbound email for @bugbounty.company addresses is processed by Proton AG (Switzerland), which benefits from a UK adequacy decision.
- Legal disclosures. We may disclose personal data where required by law, valid legal process, or to protect the rights, property, or safety of any person.
We never sell your personal data. We do not use it for advertising, analytics, profiling, automated decision-making with legal effects, or marketing of any kind.
International transfers
Where personal data is transferred outside the United Kingdom to a country not covered by a UK adequacy decision, we put appropriate safeguards in place. These include the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or equivalent mechanisms recognised under the EU GDPR and the India DPDP Act 2023. Copies of the safeguards we rely on are available on request via our contact form.
Retention
- Submission content (emails): 60 days from receipt.
- Researcher account records (active membership): for the duration of membership, plus 1 year.
- Payment and tax records: 7 years, as required by UK tax law (HMRC).
- Hall of Fame listing: indefinitely, until you withdraw consent or exercise your right to erasure.
- Web server access logs: 24 hours, then automatically deleted.
- IP addresses of suspected malicious actors: retained indefinitely on a security blocklist for the protection of the site.
Your rights
The rights available to you depend on where you reside.
Under UK GDPR, EU GDPR, and the Data Protection Act 2018
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure, or "right to be forgotten" (Article 17)
- Right to restrict processing (Article 18)
- Right to data portability (Article 20)
- Right to object to processing based on legitimate interests (Article 21)
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal
- Right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority
Under the California Consumer Privacy Act (CCPA / CPRA)
- Right to know what personal information we collect and how we use it
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to limit the use and disclosure of sensitive personal information
- Right to non-discrimination for exercising your privacy rights
- We do not sell or share personal information for cross-context behavioural advertising; no opt-out is therefore required
Under the India Digital Personal Data Protection Act 2023
- Right to access information about the processing of your personal data
- Right to correction and erasure
- Right of grievance redressal
- Right to nominate another individual to exercise your rights in the event of death or incapacity
To exercise any of these rights, please use our contact form. We respond within 30 days, or sooner where the applicable law requires it. We may need to verify your identity before acting on a request.
Security
- HTTPS with modern TLS, HSTS, and MTA-STS for in-transit confidentiality
- Self-hosted infrastructure under our sole administrative control
- Strict, nonce-based Content Security Policy and modern web hardening
- Least-privilege access controls on the underlying server
- Minimal data collection and short retention by default
- No third-party trackers, analytics, or advertising scripts of any kind
Children
Our services are not directed at, and we do not knowingly process the personal data of, persons under 18 years of age. We do not pay rewards to minors. If we learn that we have inadvertently collected personal data from a minor, we will delete it without undue delay.
Changes to this policy
We may update this policy from time to time. The "Last updated" date below reflects the current version. Material changes will be communicated to active researchers by email.
Contact and complaints
For any privacy-related question or to exercise your rights, please use our contact form.
If you are not satisfied with our response, you may lodge a complaint with your local data protection authority. For UK residents, this is the Information Commissioner's Office (ico.org.uk).
Last updated: 18 May 2026