Version 1.0, Effective from 08 October 2020.
This policy explains what data, including personal data, we collect from and about you when you access and use the Vulnerable Things Platform for coordinating the disclosure of vulnerabilities relating to Internet-connected products at vulnerablethings.com (Platform).
It’s important that you read this policy to ensure you’re fully informed about how we use your personal data and your rights.
We may need to make changes to this policy occasionally, to reflect any changes to our website, Platform or legal requirements. We’ll notify registered Industry Members of important changes on the Platform or by email before they take effect.
Vulnerable Things is a trading name of Techworkshub Ltd (company number SC170059) (we/us/our). We are a company registered in Scotland and our registered office is at 1 George Square, Glasgow, Scotland, G2 1AL. As required by UK data protection law, we’re registered as a ‘controller’ with the Information Commissioner’s Office (ICO) under number Z9145862.
When we talk about ‘personal data’, we mean any data that identifies or can be used to identify you. This doesn’t include data where your identity has been removed, for example, statistical reports that we provide to our Industry Members (anonymous data).
The types of personal data collected from and about you through our Platform include:
This section is really important as it explains what we’ll use your personal data for, and the legal grounds relied on by us for those purposes.
Under UK and EU data protection law there are six legal grounds that we may rely upon, the most relevant being where:
| Purpose | Types of personal data | Legal ground |
|---|---|---|
| Enabling you to submit vulnerability reports to relevant Industry Members if you are a Reporter | Contact, communications | Contract (creating your account and enabling you to access the interactive features of the Platform) |
| Enabling you to respond to, and communicate with, Reporters if you represent an Industry Member | Contact, communications | Legitimate interests (your legitimate interests in receiving and responding to reports submitted through our Platform) |
| Improving the content and user experience of the Platform | Technical | Consent (to storing analytical cookies on your device); legitimate interests (our interests in understanding the needs of our stakeholders and improving the Platform for the benefit of its users) |
| Fixing technical issues relating to the Platform | Technical | Legitimate interests (our interests in ensuring that the Platform provides the best user experience) |
| Sending updates or notices from time to time | Contact | Consent |
We may use your personal data for purposes which are closely related to any of the above purposes. If we want to use your personal data for any unrelated purposes, we’ll let you know about this in advance.
We do not sell your personal data for marketing purposes and we never will.
The people that will have access to your personal data include:
If we’re asked to disclose personal data in response to any legal request or court order, we’ll take legal advice before making any disclosure to ensure that your rights and interests are considered before responding to such requests.
Our technical service providers are based outside the UK and the European Economic Area, which means that your personal data will be transferred outside the UK and the EEA. Whenever we transfer your personal data outside the UK or the EEA, we ensure that a similar degree of protection applies to your personal data in one or more of the following ways:
The Platform may be accessed by Industry Members located outside the UK and the EEA. In these circumstances, they will be a ‘controller’ in relation to your personal data and, if you are based inside the UK or the EEA, they will be required to comply with data protection law in the UK or EEA with respect to your personal data.
We’ve put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We also limit access to your personal data to those of our staff and technical service providers that have a need to access it (based on the principle of ‘least privilege’). They’ll only use your personal data based on our instructions and are required to keep your personal data confidential.
We’ve put in place procedures to deal with any suspected personal data breach and will notify you and the relevant regulator where we’re legally required to do so.
We’ll only keep your personal data for as long as necessary in connection with the purposes we collected it for and to comply with any legal, accounting or reporting requirements. To determine how long we keep your personal data for, we consider the amount, nature and sensitivity of the personal data, the purposes for which it was collected and the potential risk of harm from us continuing to keep it.
We’ll retain any personal data linked to your account for as long as you’re registered with the Platform and for 12 months after you’ve deleted your account. This allows for a period of time to re-activate your account should you wish to do so.
We’ll retain personal data relating to email marketing until you unsubscribe, or your email address has become permanently unavailable.
We’ll retain any analytical data collected about your use of the Platform which identifies you for a period of 24 months.
We may retain any data that does not identify you indefinitely.
Our Platform uses small text files, called cookies, which are stored on your device when you access and use our Platform. Apart from those cookies which are strictly necessary for us to provide you with access to our Platform that you’ve requested, we’ll only store cookies on your device if you’ve consented to this when you first access our website and every 30 days thereafter.
As cookies are unique, we can use them to distinguish you from other users for the purposes described above; however, we've configured our analytical cookies so that your IP address is anonymised. To find out more about cookies, how to refuse them and how to change your device's cookie settings, you should visit the ICO Cookie Guidance.
Our Platform uses the following types of cookies:
The cookies we use are as follows:
Type: Strictly necessary
Duration: 1 month
Duration: 1 month
Further info: This cookie is used to remember whether you consented to cookies being stored on your device.
Duration: 2 years
Duration: Single session only
Further info: This is a single-session cookie used for application state management; it expires when the browser is closed or the session times out.
Under UK and EU data protection laws, you have the following rights in relation to your personal data:
Access: You have the right to be informed if your personal data is being used, and the right to request a copy of the personal data held about you, together with certain information about the processing of that personal data, so that you can check that we are holding it lawfully.
Correction: You have the right to ask us to correct any inaccurate or incomplete personal data held about you.
Deletion: You have the right to ask us to delete or remove any personal data held about you where there is no good reason for us to continue holding it, or where you have exercised your right to object.
Restriction: You have the right to ask us to restrict how we hold your personal data, for example, while we confirm its accuracy or our reasons for holding it.
Objection: You have the right to object to our holding of any personal data about you where that is based on our legitimate interests or those of a third party, based on your particular circumstances. You also have the right to object to our holding your personal data for direct marketing purposes.
Portability: You have the right to receive, or to request that we transfer, a copy of the personal data we hold about you in an electronic format where the basis of our holding that information is your consent or the performance of a contract, and the information is processed by automated means.
Complaints: You have the right to complain to the UK Information Commissioner's Office (ICO) or, if you're based in an EU member state, to the supervisory authority in that state, about how we collect and use your personal data.
You won't have to pay any fee to exercise any of the above rights, although we may charge a reasonable fee, or refuse to comply with your request, if the request is clearly unfounded or excessive. Where this is the case, we'll let you know.
To protect the confidentiality of your personal data and that of other members of our community, we may need to ask you to verify your identity before fulfilling any request in relation to your personal data.
Questions or comments
If you’ve got any questions or comments regarding this policy, please email us at [email protected].