Privacy Policy

Version dated 21th June 2024

This Privacy Policy describes how Yes We Hack S.A.S., a simplified joint stock company incorporated in France having its seat at 14 rue Charles V, 75004 Paris, registered under number 814 037 214 (R.C.S. Paris) and its affiliates (hereafter “YesWeHack”, “we”, “us” or “our”) process your Personal Data when you use our website.

YesWeHack operates a storefront site available at https://www.yeswehack.com/ (hereafter the “Site”) enabling users to discover the services offered as part of its commercial activity and to access open job positions via the "Careers" tab.

The Site enables you to access other sites operated by YesWeHack. For any information relating to the protection of Personal Data when using these sites, please refer to each site’s specific privacy policy.

When you browse the Site or when you engage with us either through the Site (e.g., as part of the contact form) or via direct communication (e.g., in a job application process), YesWeHack processes your Personal Data as a data controller. The purpose of this Privacy Policy is to provide information about the data processing in accordance with current regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of Personal Data (hereafter the “GDPR”), as well as the French Data Protection Act n°78-17 of 6 January 1978, as amended.

For the interpretation of terms relating to the protection of Personal Data in this Policy, please refer to the definitions in the Site Terms of Use and the definitions set out in the GDPR.

1. WHY AND HOW ARE MY PERSONAL DATA COLLECTED AND PROCESSED?

YesWeHack processes Site users’, prospects and/or candidates’ Personal Data in the context of the use of the Site and its operational and commercial activities as needed for the purposes stated below:

Purpose: Administrative and technical management of the Site.
Legal Basis: Legitimate interest of YesWeHack to ensure the safety and proper operation of the Site (GDPR art.6-1(f)).
Personal Data: Login data (IP address, date and time of login, location), technical/functional cookies.
Data retention period: Six (6) months from the first collection (i.e., upon your last visit to the Site). Personal Data are deleted at the end of this period.

Purpose: Communicate with you as part of the contact form
Legal Basis: Legitimate interest of YesWeHack in engaging with individuals reaching out to us (GDPR art.6-1(f)).
Personal Data: Identification data (First name, Last name, Username); Contact details (Email address, Phone number); Professional data (Company name, Country, company-level information); and any data you wish to provide us with.
Data retention period: Two (2) years from the data’s first collection (i.e., upon your last contact with YesWeHack). Personal Data are deleted at the end of this period.

Purpose: Building profiles for analysis, re-marketing and re-targeting.
Legal Basis: Data subject’s consent (GDPR art.6-1(a)).
Personal Data: Data generated by your activity and stored using cookies (i.e., designation and business name, IP address, geo-location based on IP address, company-level information) which may be combined with any personal data you provided us with (e.g., by completing our contact form).
Data retention period: Personal data are processed and used for up to twenty-five (25) months.

Purpose: Management of YesWeHack event registrations (i.e., webinar, workshop, conferences).
Legal Basis: Legitimate interest of YesWeHack in promoting its company (GDPR art.6-1(f)).
Personal Data: Identification data (First name, Last name); Contact details (Email address, Phone number); Job title; attendance at cocktail parties (if applicable); Shirt size (if applicable).
Data retention period: Three (3) years from the first collection (i.e., upon your last interaction with YesWeHack). Personal Data are deleted at the end of this period.

Purpose: Management of your job applications and recruitment.
Legal Basis: Necessary for the performance of pre-contractual steps (GDPR art.6-1(b)).
Personal Data: All information strictly necessary to apply for the position.
Data retention period: Personal data may be stored for up to one (1) year from the date of publication of the position.

Purpose: Management of business development (BtoB prospecting).
Legal Basis: Legitimate interest of YesWeHack in developing its business (GDPR art.6-1(f)).
Personal Data: Identification data (First name, Last name); Contact details (Professional email address, Professional phone number); Professional data (Position, Company).
Data retention period: Personal data may be retained for up to three (3) year from the last contact with the prospect.

Purpose: Management of your GDPR right requests.
Legal Basis: Compliance with a legal obligation (GDPR art. 6-1(c)).
Personal Data: Identification data (First name, Last name, Name where applicable); Contact details (Email address); information related to the right request; proof of ID and mandate (optional).
Data retention period: From the first collection (i.e., upon your request), then six (6) years from YesWeHack’s response. Personal Data are deleted at the end of this period.

Purpose: Disputes management.
Legal Basis: Legitimate interest of YesWeHack to defend its rights (GDPR art.6-1(f)).
Personal Data: Any information strictly necessary to defend the rights of YesWeHack.
Data retention period: Until all legal remedies have been exhausted.

We collect your Personal Data either directly from you or from third-party sources. For instance, for the management of our business development (BtoB prospection) we may enrich our databasewithin the limits of the data specified above.

2. WHO ARE THE RECIPIENTS OF YOUR PERSONAL DATA?

YesWeHack may share, on a need-to-know basis, your Personal Data with its internal services, affiliated companies, suppliers, business partners and/or third-party recipients. The data recipients acting on behalf of YesWeHack will only process the Personal Data they have access to for the purposes described above.

Internal recipients of your Personal Data are the authorized staff of YesWeHack (e.g., if you use the contact form to get in touch with our sales team, YesWeHack’s dedicated sales member shall process your request; or as part of your recruitment process, YesWeHack’s Talent Acquisition Director shall process your job application).

External recipients of your Personal Data who process data on behalf of YesWeHack (Processors) are:

Processor: OVH S.A.S.
Purposes: Hosting the Site.
Location: 2 rue Kellermann, 59100 Roubaix, France.

Processor: Scaleway S.A.S.
Purposes: Site back up.
Location: 8, rue de la ville l’évêque, 75008 Paris, France.

Processor: HubSpot Inc.
Purposes: Hosting and management of the data collected in the contact form.
Location: 25 First Street, Cambridge, MA 02141, USA.
Data transfer mechanism (for data transfers outside the EU/EEA): See Privacy Framework Program.

Processor: Taleez S.A.S.
Purposes: Provider of a job application management and job posting solution.
Location: 13 rue Sainte Ursule, 31000 Toulouse, France.

Processor: Cloudflare Inc.
Purposes: Management of anti-spam/anti-bot verification of the "Hunter" form via Turnstile tool.
Location: 101 Townsend St., San Francisco, CA 94107, USA.
Data transfer mechanism (for data transfers outside the EU/EEA): See Privacy Framework Program.

Processor: Slashbit Inc d/b/a Factors.ai
Purposes: Building profiles for analysis, re-marketing and re-targeting.
Location: 3524 Silverside Road Suite 35B Wilmington, DE 19810, USA.
Data transfer mechanism (for data transfers outside the EU/EEA): Standard Contractual Clauses

YesWeHack may communicate your personal data to (i) legally authorized third parties as part of their right of communication (e.g. judges, bailiffs, etc.) and (ii) security researchers authorized by YesWeHack to perform security tests for internal due diligence to verify our current security management of vulnerabilities and possible risks.

3. HOW ARE YOUR PERSONAL DATA PROTECTED?

YesWeHack has implemented widely accepted standards of technology and operational security regarding the risks presented by its processing to preserve your Personal Data from loss, misuse, alteration, or destruction, at the time of their processing. Notably, YesWeHack is ISO 27001 and ISO 27017 certified, which are international standards for information security management systems.

The technical and organizational measures taken by YesWeHack include physical, logical, and contractual measures such as, but not limited to, restricted access to data by personnel in departments authorized to access it by virtue of their duties, contractual guarantees in the event of the use of an external service provider, privacy impact assessments, or stringent authentication procedures.

YesWeHack will, in addition, not use, exploit, or disseminate to any third party any data collected for any purpose other than those set forth in this Privacy Policy.

4. WHAT ARE YOUR RIGHTS?

Where applicable, you may exercise the following rights under the conditions provided for in the regulations:

  • The right to withdraw your consent (opt out) at any time (Art. 7-3 of the GDPR);
  • The right of access, rectification and erasure of your data (Art. 15 to 17 of the GDPR);
  • The right to restriction of Processing of your data (Art. 18 of the GDPR);
  • The right to data portability (Art. 20 of the GDPR);
  • The right to object to the Processing of your data (Art. 21 of the GDPR);
  • The right to issue instructions allowing access to your data in the event of death (Art. 85 of the French Data Protection Act n°78-17 of 6 January 1978, as amended).

You can exercise these rights by e-mail to our Data Protection Officer (see its contact details hereafter), specifying the right you wish to exercise and attaching proof of your identity (if necessary) or a power of attorney if you are being represented.

You can lodge a complaint to the French Data Protection Authority (CNIL – Commission Nationale de l'Informatique et des Libertés): https://www.cnil.fr/fr/plaintes.

5. OUR DATA PROTECTION OFFICER

YesWeHack has appointed an external Data Protection Officer who is responsible for ensuring the compliance of our processing operations, keeping a record of processing activities, and ensuring the exercise of your rights specified hereabove.

Contact details of the DPO (Data Protection Officer): privacy@yeswehack.com

6. ARE THERE COOKIES ON OUR SITES?

We may use cookies when you browse our Sites. Some cookies do not require your consent (i.e., necessary cookies) while others can only be deposited once you have given your consent (i.e., functional, analytics and/or advertisement cookies).

All information relating to cookies and their settings are available on the Cookies Policy.

7. UPDATING OF THIS PRIVACY POLICY

This Privacy Policy may be updated periodically and without notice. Any changes will be effective immediately upon posting of the new policy at https://www.yeswehack.com/. However, we will use your Personal Data in accordance with the Policy in effect at the time of the collection.