Terms menu

Privacy Policy

Version 1.0, Effective from 08 October 2020. (View previous versions).

This policy explains what data, including personal data, we collect from and about you when you access and use the Vulnerable Things Platform for coordinating the disclosure of vulnerabilities relating to Internet-connected products at vulnerablethings.com (Platform).

It’s important that you read this policy to ensure you’re fully informed about how we use your personal data and your rights.

We may need to make changes to this policy occasionally, to reflect any changes to our website, Platform or legal requirements. We’ll notify registered Industry Members of important changes on the Platform or by email before they take effect.

Who we are

Vulnerable Things is a trading name of Techworkshub Ltd (company number SC170059) (we/us/our). We are a company registered in Scotland and our registered office is at 1 George Square, Glasgow, Scotland, G2 1AL. As required by UK data protection law, we’re registered as a ‘controller’ with the Information Commissioner’s Office (ICO) under number Z9145862.

The personal data we collect

When we talk about ‘personal data’, we mean any data that identifies or can be used to identify you. This doesn’t include data where your identity has been removed, for example, statistical reports that we provide to our Industry Members (anonymous data).

The types of personal data collected by and about you through our Platform include:

  • Contact data: Your email address and name (or pseudonym) when you register as a Reporter (note: A Reporter will have the option to remain ‘Anonymous’ when submitting vulnerability reports and in any public listings, if desired)
  • Communications data: Any emails or messages that you send to us or any Industry Member through the Platform or any messages we may exchange with you
  • Transactions data: If you are an Industry Member, we do not store or have any access to credit or debit card details, however we can see details of your transactions
  • Technical data: The Platform uses cookies (see below) which collect the IP address assigned to you or someone who provides you with Internet access (which is anonymised at the earliest possible opportunity), information about your device (including type, operating system, browser, resolution and time zone setting) and information about how you arrived at the Platform and which country you’re based in, how you navigated the Platform (which pages you visited, how long you spent on them) and how you interacted with the content on our Platform

What we use your personal data for

This section is really important as it explains what we’ll use your personal data for, and the legal grounds relied on by us for those purposes.

Under UK and EU data protection law there are six legal grounds that we may rely upon, the most relevant being where:

  • you’ve given your consent to us using your personal data for specific purposes
  • use of your personal data is necessary for us to enter into and perform our contract with you
  • use of your personal data is necessary to comply with any legal obligation on us
  • use of your personal data is necessary to pursue our legitimate interests and those interests are not outweighed by your fundamental rights and interests
Purpose Types of personal data Legal ground
Enabling you to submit vulnerability reports to relevant Industry Members if you are a Reporter Contact, communications Contract (creating your account and enabling you to access the interactive features of the Platform)
Enabling you to respond to, and communicate with Reporters if you represent an Industry Member Contact, communications Legitimate interests (your legitimate interests in receiving and responding to reports submitted through our Platform)
Improving the content and user experience of the Platform Technical Consent (to storing analytical cookies on your device); legitimate interests (our interests in understanding the needs of our stakeholders and improving the Platform for the benefit of its users)
Fixing technical issues relating to the Platform Technical Legitimate interests (our interests in ensuring that the Platform provides the best user experience)
Sending updates or notices from time to time Contact Consent

We may use your personal data for purposes which are closely related to any of the above purposes. If we want to use your personal data for any unrelated purposes, we’ll let you know about this in advance.

Who we share your personal data with

We do not sell your personal data for marketing purposes and we never will.

The people that will have access to your personal data include:

  • if you’re a Reporter, the relevant Industry Member in direct relation to your report. (If you’ve chosen to remain anonymous, we’ll not share your contact details
  • our staff either directly employed by us or engaged by us under contracts which include strict confidentiality and data protection responsibilities
  • our current and future technical service providers, such as our developers, hosting providers, email communication tools and analytics providers. All service providers will only have the access they need to make the Platform work and provide their services to us and will have entered into contacts which include strict confidentiality and data protection obligations on them)
  • any regulatory authorities
  • any actual or potential organisation that may acquire or merge with our business

If we’re asked to disclose personal data in response to any legal request or court order, we’ll take legal advice before making any disclosure to ensure that your rights and interests are considered before responding to such requests.

Where your personal data are stored

Our technical service providers are based outside the UK and the European Economic Area, which means that your personal data will be transferred outside the UK and the EEA. Whenever we transfer your personal data outside the UK or the EEA, we ensure that a similar degree of protection applies to your personal data in one or more of the following ways:

  • ensuring that the country to which your personal data is transferred is deemed by the European Commission to provide a similar degree of protection for your personal data
  • entering into a specific contract that has been approved by the European Commission as providing a similar degree of protection for your personal data
  • where any service provider is based in the US, checking that they’ve self-certified under the EU-US Privacy Shield Framework (or any successor or replacement framework) which requires them to provide a similar degree of protection for your personal data to that in the UK and EEA

The Platform may be accessed by Industry Members located outside the UK and the EEA. In these circumstances, they will be a ‘controller’ in relation to your personal data and, if you are based inside the UK or the EEA, they will be required to comply with data protection law in the UK or EEA with respect to your personal data.

How we keep your personal data secure

We’ve put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We also limit access to your personal data to those of our staff and technical service providers that have a need to access it (based on the principle of ‘least privilege’). They’ll only use your personal data based on our instructions and are required to keep your personal data confidential.

We’ve put in place procedures to deal with any suspected personal data breach and will notify you and the relevant regulator where we’re legally required to do so.

How long we keep your data for

We’ll only keep your personal data for as long as necessary in connection with the purposes we collected it for and to comply with any legal, accounting or reporting requirements. To determine how long we keep your personal data for, we consider the amount, nature and sensitivity of the personal data, the purposes for which it was collected and the potential risk of harm from us continuing to keep it.

We’ll retain any personal data linked to your account for as long as you’re registered with the Platform and for 12 months after you’ve deleted your account. This allows for a period of time to re-activate your account should you wish to do so.

We’ll retain personal data relating to email marketing until you unsubscribe, or your email address has become permanently unavailable.

We’ll retain any analytical data collected about your use of the Platform which identifies you for a period of 24 months.

We may retain any data that does not identify you indefinitely.


Our Platform uses small text files, called cookies, which are stored on your device when you access and use our Platform. Apart from those cookies which are strictly necessary for us to provide you with access to our Platform that you’ve requested, we’ll only store cookies on your device if you’ve consented to this when you first access our website and every 30 days thereafter.

As cookies are unique, we can use them to distinguish you from other users for the purposes described above, however we’ve configured our analytical cookies so that your IP address is anonymised. To find out more about cookies, how to refuse them and how to change your device’s cookie settings, you should visit the ICO Cookie Guidance.

Our Platform uses the following types of cookies:

  • Strictly necessary cookies: these cookies are required for the operation of the Platform. We do not need your consent for these cookies – but if you delete them, the Platform may not function as it should.
  • Analytical cookies: these cookies allow us to recognise new and returning visitors and see how users engage with the Platform
  • Functionality cookies: these cookies are used to remember your preferences or customise your experience

The cookies we use are as follows:

Type: Strictly necessary

Duration: 1 month

Domain: .vulnerablethings.com

Further info: This cookie is stored by the Cloudflare content delivery network to detect malicious visitors to our website and to block them. Cloudflare uses a one-way hash to ensure that you cannot be identified from your IP address. See Understanding the Cloudflare Cookies and the Cloudflare Privacy Policy.

Type: Functionality

Duration: 1 month

Domain: .vulnerablethings.com

Further info: This cookie is used to remember whether you consented to cookies being stored on your device.

Type: Analytics

Duration: 2 years

Domain: .vulnerablethings.com

Further info: See Google Analytics Cookie Usage and the Google Privacy Policy.

Type: Functionality

Duration: Single session only

Domain: .vulnerablethings.com

Further info: This is a single session cookie for application state management which expires when the browser is closed or the session times out. .

Your rights

Under UK and EU data protection laws, you have the following rights in relation to your personal data:

Access: You’ve the right to be informed if your personal data is being used and the right to request a copy of the personal data held about you together with certain information about the processing of such personal data to check that we are holding it lawfully

Correction: You’ve the right to ask us to correct any inaccurate or incomplete personal data held about you

Deletion: You’ve the right to ask us to delete or remove any personal data held about you where there is no good reason for us to continue holding it or where you have exercised your right to object

Restriction: You’ve the right to ask us to restrict how we hold your personal data, for example, to confirm its accuracy or our reasons for holding it

Objection: You’ve the right to object to our holding of any personal data about you which is based on our legitimate interests or those of a third party based on your particular circumstances. You’ve also the right to object to our holding your personal data for direct marketing purposes

Portability: You’ve the right to receive or request that we transfer a copy of the personal data we hold about you in an electronic format where the basis of our holding such information is your consent or the performance of a contract and the information is processed by automated means

Complaints: You’ve the right to complain to the UK Information Commissioner’s Office (ICO) or, if you’re based in any EU member state, any other EU supervisory authority in relation to how we collect and use your personal data

You won’t have to pay any fee to exercise any of the above rights, although we may charge a reasonable fee or refuse to comply with your request if any request is clearly unfounded or excessive. Where this is the case, we’ll let you know.

To protect the confidentiality of your personal data and other members of our community, we may need to ask you to verify your identity before fulfilling any request in relation to your personal data. Questions or comments

If you’ve got any questions or comments regarding this policy, please email us at [email protected].