Privacy Policy

Version dated 25th March 2024

This Privacy Policy describes how Yes We Hack S.A.S., a simplified joint stock company incorporated in France having its seat at 14 rue Charles V, 75004 Paris, registered under number 814 037 214 (R.C.S. Paris) and its affiliates (hereafter “YesWeHack”, “we”, “us” or “our”) process your Personal Data when you use our website.

YesWeHack operates a storefront site available at https://www.yeswehack.com/ enabling users to discover the services offered as part of its commercial activity (hereafter the “Site”).

The Site enables you to access other sites operated by YesWeHack. For any information relating to the protection of Personal Data when using these sites, please refer to their specific privacy policies.

When you browse the Site, YesWeHack processes your Personal Data as a data Controller. The purpose of this Privacy Policy is to provide information about the data processing in accordance with current regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of Personal Data (hereafter the “GDPR”), as well as the French Data Protection Act n°78-17 of 6 January 1978, as amended.

For the interpretation of notions relating to the protection of Personal Data in this Policy, please refer to the definitions in the Site Terms of Use and the definitions set out in the GDPR.

1. WHY AND HOW ARE MY PERSONAL DATA COLLECTED AND PROCESSED?

We collect your Personal Data either directly from you or from third-party sources, in which case we will provide you with information on the source of the data.

YesWeHack processes Site users’ Personal Data in the context of the use of the Site and, more generally, of its operational activities as needed for the purposes stated below:

Purpose: Administrative and technical management of the Site.
Legal Basis: Legitimate interest of YesWeHack to ensure the safety and proper operation of the Site (GDPR art.6-1(f)).
Personal Data: Login data (IP address, date and time of login, location), technical/functional cookies.
Data retention period: Six (6) months from the first collection (i.e., upon your last visit to the Site). Personal Data are deleted at the end of this period.

Purpose: Communicate with you as part of the contact form.
Legal Basis: Legitimate interest of YesWeHack in engaging with individuals reaching out to us (GDPR art.6-1(f)).
Personal Data: Identification data (First name, Last name, Username); Contact details (Email address, Phone number); Professional data (Company name, Country, company-level information); and any data you wish to provide us with.
Data retention period: Two (2) years from the first collection (i.e., upon your last contact with YesWeHack). Personal Data are deleted at the end of this period.

Purpose: Building profiles for analysis, re-marketing and re-targeting.
Legal Basis: Data subject’s consent (GDPR art.6-1(a)).
Personal Data: Data generated by your activity and stored using cookies (i.e., designation and business name, IP address, geo-location based on IP address, company-level information) which may be combined with any personal data you provided us with (e.g., by completing our contact form).
Data retention period: Personal data are processed and used for up to twenty-five (25) months.

Purpose: Management of YesWeHack event registrations (i.e., webinar, workshop, conferences).
Legal Basis: Legitimate interest of YesWeHack in promoting its company (GDPR art.6-1(f)).
Personal Data: Identification data (First name, Last name); Contact details (Email address, Phone number); Job Title; attendance at the cocktail party (if applicable); Shirt size (if applicable).
Data retention period: Three (3) years from the first collection (i.e., upon your last interaction with YesWeHack). Personal Data are deleted at the end of this period.

Purpose: Management of your GDPR right requests.
Legal Basis: Compliance with a legal obligation (GDPR art. 6-1(c)).
Personal Data: Identification data (First name, Last name, Name where applicable); Contact details (Email address); information related to the right request; proof of ID and mandate (optional).
Data retention period: From the first collection (i.e., upon your request), then six (6) years from YesWeHack’s response. Personal Data are deleted at the end of this period.

Purpose: Disputes management.
Legal Basis: Legitimate interest of YesWeHack to defend its rights (GDPR art.6-1(f)).
Personal Data: Any information strictly necessary to defend the rights of YesWeHack.
Data retention period: Until all legal remedies have been exhausted.

2. WHO ARE THE RECIPIENTS OF YOUR PERSONAL DATA?

YesWeHack may share, on a need-to-know basis, your Personal Data with its internal services, affiliated companies, suppliers, business partners and/or third-party recipients. The data recipients acting on behalf of YesWeHack will only process the Personal Data they have access to for the purposes described above.

Internal recipients of your Personal Data are the authorized staff of YesWeHack (e.g., if you use the contact form to get in touch with our sales team, YesWeHack’s dedicated sales member shall process your request).

External recipients of your Personal Data who process data on behalf of YesWeHack (Processors) are:

Processor: OVH S.A.S.
Purposes: Hosting the Site.
Location: 2 rue Kellermann, 59100 Roubaix, France.

Processor: Scaleway S.A.S.
Purposes: Site backup.
Location: 8, rue de la ville l’évêque, 75008 Paris, France.

Processor: HubSpot Inc.
Purposes: Hosting and management of the data collected in the contact form.
Location: 25 First Street, Cambridge, MA 02141, USA.
Data transfer mechanism (for data transfers outside the EU/EEA): See Privacy Framework Program.

Processor: Cloudflare Inc.
Purposes: Management of anti-spam/anti-bot verification of the "Hunter" form via the Turnstile tool.
Location: 101 Townsend St., San Francisco, CA 94107, USA.
Data transfer mechanism (for data transfers outside the EU/EEA): See Privacy Framework Program.

Processor: Slashbit Inc d/b/a Factors.ai
Purposes: Building profiles for analysis, re-marketing and re-targeting.
Location: 3524 Silverside Road Suite 35B Wilmington, DE 19810, USA.
Data transfer mechanism (for data transfers outside the EU/EEA): Standard Contractual Clauses.

YesWeHack may communicate your personal data to (i) legally authorized third parties as part of their right of communication (e.g. judges, bailiffs, etc.) and (ii) security researchers authorized by YesWeHack to perform security tests for internal due diligence to verify our current security management of vulnerabilities and possible risks.

3. HOW ARE YOUR PERSONAL DATA PROTECTED?

YesWeHack has implemented generally accepted standards of technology and operational security regarding the risks presented by its processing to preserve your Personal Data from loss, misuse, alteration, or destruction, at the time of their processing. Notably, YesWeHack is ISO 27001 and ISO 27017 standard certified, which is an international standard for information security management systems.

The technical and organizational measures taken by YesWeHack include physical, logical, and contractual measures such as, but not limited to, restricted access to data by personnel in departments authorized to access it by virtue of their duties, contractual guarantees in the event of the use of an external service provider, privacy impact assessments, or stringent authentication procedures.

YesWeHack will, in addition, not use, exploit, or disseminate to any third party any data collected for any purpose other than those set forth in this Privacy Policy.

4. WHAT ARE YOUR RIGHTS?

Where applicable, you may exercise the following rights under the conditions provided for in the regulations:

  • The right to withdraw your consent (opt out) at any time (Art. 7-3 of the GDPR);
  • The right of access, rectification and erasure of your data (Art. 15 to 17 of the GDPR);
  • The right to restriction of Processing of your data (Art. 18 of the GDPR);
  • The right to data portability (Art. 20 of the GDPR);
  • The right to object to the Processing of your data (Art. 21 of the GDPR);
  • The right to issue instructions allowing access to your data in the event of death (Art. 85 of the French Data Protection Act n°78-17 of 6 January 1978, as amended).

You can exercise these rights by e-mail to our Data Protection Officer (see its contact details hereafter), specifying the right you wish to exercise and attaching proof of your identity (if necessary) or a power of attorney if you are being represented.

You can lodge a complaint with the French Data Protection Authority (CNIL – Commission Nationale de l'Informatique et des Libertés): https://www.cnil.fr/fr/plaintes.

5. OUR DATA PROTECTION OFFICER

YesWeHack has appointed an external Data Protection Officer who is responsible for ensuring the compliance of our processing operations, keeping a record of the processing activities, and ensuring the exercise of your rights specified hereabove.

Contact details of the DPO (Data Protection Officer): privacy@yeswehack.com

6. ARE THERE COOKIES ON OUR SITES?

We may use cookies when you browse our Sites. Some cookies do not require your consent (i.e., necessary cookies) while others can only be deposited once you have given your consent (i.e., functional, analytics and/or advertisement cookies).

All information relating to cookies and their settings is available in the Cookies Policy.

7. UPDATING OF THIS PRIVACY POLICY

This Privacy Policy may be updated periodically and without notice. Any changes will be effective immediately upon posting of the new policy at https://www.yeswehack.com/. However, we will use your Personal Data in accordance with the Policy in effect at the time of the collection.