Privacy Notice

Effective from September 2021

PLEASE READ CAREFULLY THE CONTENTS OF THIS PAGE BEFORE USING THE SERVICES AND OR THE WEBSITE. IF YOU DO NOT AGREE, YOU MUST LEAVE AND NOT USE THE SERVICES AND OR THE WEBSITE.

THIS PRIVACY NOTICE EXPLAINS THE WHEN, WHAT, HOW, AND WHY OF THE PERSONAL DATA WE COLLECT AND PROCESS WHEN YOU VISIT OUR WEBSITE AT HACKTHEBOX.EU OR HACKTHEBOX.COM OR ACCESS AND USE OUR SERVICE AND WHO WE SHARE IT WITH.

THIS PRIVACY NOTICE WILL SUPPLEMENT ANY OTHER NOTICES YOU RECEIVE FROM US AND THEY SHOULD BE READ TOGETHER. WE MAY NEED TO MAKE CHANGES TO THIS NOTICE OCCASIONALLY, TO REFLECT ANY CHANGES TO OUR SERVICES OR LEGAL REQUIREMENTS. WE WILL POST ANY REVISIONS AT hackthebox.com/legal/privacynotice. WE ADVISE YOU TO CHECK THIS PAGE REGULARLY TO SEE IF ANY CHANGES HAVE BEEN IMPLEMENTED.

THIS NOTICE DOESN’T REFER TO WHERE YOU ARE ACCESSING AND USING OUR SERVICE ON BEHALF OF ONE OF OUR CUSTOMERS, AS THEIR AUTHORISED USERS. IN SUCH CASES WE WILL PROCESS YOUR PERSONAL DATA ON THEIR BEHALF AND ACCORDING TO THEIR INSTRUCTIONS IN THE APPLICABLE DATA PROCESSING AGREEMENT. IN THIS CASE, CUSTOMER WILL BE THE CONTROLLER AND HACKTHEBOX WILL BE THE PROCESSOR OF YOUR PERSONAL DATA. PLEASE REFER ANY QUESTIONS OR CONCERNS TO THE CONTROLLER.

1. WHO WE ARE

   We are Hack The Box Ltd., registered in England and Wales under company 10826193 with its registered office address at 38 Walton road, Folkestone, Kent CT18 5QS

   For the purposes of the data protection legislation HackTheBox, is the Controller of your personal data.

   Our Contact details are:

   email: [email protected] , [email protected]

   postal address: 38, Walton Road, Folkestone, Kent, UK, CT19 5QS

2. CHANGES

   We may change this privacy notice from time to time, to reflect any changes to our services or legal requirements. We will notify you of any important changes. The most recent version of the privacy notice is reflected by the version date located at the bottom of this privacy notice.

   We encourage you to review this privacy notice often to stay informed of changes that may affect you, as your continued use of the Services and/or the Website signifies you have read, understood and agree with this privacy notice.

3. AGE LIMITATIONS

   HackTheBox does not allow use of our Services and Websites by anyone younger than 18 years old, unless a written parental or legal guardian consent is provided.

   If you learn that anyone younger than 18 is using our Services, please contact us at [email protected] or [email protected] and we will immediately take the necessary actions to safeguard minor’s rights.

4. THIRD-PARTY LINKS

   Our Service and/or Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

5. WHEN WE MAY PROCESS PERSONAL DATA ABOUT YOU AS DATA CONTROLLER

   HacktheBox may collect your Personal Data when:

   • You order a service from us.
   • You participate in our surveys.
   • You subscribe to our newsletter.
   • You ask us for more information about a Service, or contact us with a question, comment or complaint.
   • You submit an abuse notification to us.
   • You use our network, infrastructure and/or Services.

6. WHAT PERSONAL DATA WE COLLECT AS DATA CONTROLLER.

   Personal Data you directly provide to us:

   We may collect the following information about you:

   • Documents and information that certify your identity such as name, address, phone number, date of birth, email address and personal identification numbers.
   • Your account information – such as Services you ordered, the IP address you accessed the Service, your customer ID, fees owed and received, the use of Services or any other information related to your account.
   • Your contact with us – such as a chat record when you engage in a chat session with us, an email or letter you send to us or other records of any contact you have with us.
   • Information about your payment method, such as credit card number, bank account number or other banking information.
   • Information provided by you to us, when you notify us of a (suspected) breach of our Acceptable Use Policy.

7. WHY WE PROCESS YOUR PERSONAL DATA AS DATA CONTROLLER

   We may process your Personal Data for the following purposes:

   • To perform a contact, to authenticate users, to provide the Services
   • Processing of orders, contracts and provision of services.
   • Conducting market research, conducting retention and customer satisfaction surveys, conducting marketing activities (including through email newsletters, social media and onsite/offsite and online/offline advertisement), conducting sales activities (including analyzing your Personal Data and your use of our Services for making (tailormade ) offers and quotation with the aim of entering into a customer relationship, and/or maintaining, renewing or expanding a customer relationship) and offering promotional games of chance.
   • Communicating with customers (i) to provide information about our Services and affiliated companies, (ii) to provide information about offers, orders, provision of services, order status and payment, (iii) to provide support and maintenance services, (iv) to handle complaints, and (v) to answer questions from (potential) customers.
   • Providing information to representatives and advisors, including attorneys and accountants, to help us comply with legal, accounting, or security requirements.
   • Performing financial processes, including (i) calculating, invoicing and collecting of service fees , (ii) processing financial transactions regarding the acceptance of orders, and (iii) granting debt collection rights to third parties.
   • Investigating and processing suspected violations of our Acceptable Use Policy.
   • Ensuring the security of persons, goods and objects, and performing fraud detection.
   • Conducting legal processes, including (i) prosecuting and defending a court, arbitration or conducting similar legal proceedings, and (ii) collecting evidence for civil legal proceedings relating to you or complying with court orders, discovery requests, subpoenas, and other appropriate legal mechanisms
   • Complying with statutory obligations, including (i) responding to lawful requests by public authorities, including meeting national security or law enforcement requirements, (ii) complying with (applicable) data retention obligations, and (iii) the provision to third parties of Data concerning customers in connection with an infringement of these third parties’ rights.
   • Establishing the identity of customers or third parties, including in relation to verify compliance with applicable Export Control Legislation or UN, EU, US and UK .

   Forum. We have a forum on our Website. Any information you include in a comment on our forum may be read, collected, and used by anyone. If your Personal Data appears on our forum and you want it removed, you can contact us in [email protected]. If we are unable to remove your information, we will inform you why.

8. LEGAL BASIS

   To process your information as described above, we rely on the following legal grounds:

   • to enter into and perform our contract with you;
   • to comply with our legal obligations;
   • to pursue our legitimate interests (if those interests are not outweighed by your other rights and freedoms);
   • to do something that you have given your clear and unconditional consent for.
   • You are entitled to withdraw your consent at any time by giving us notice. Upon receipt of a notice where your consent is withdrawn, we will without undue delay stop processing your Personal Data if and to the extent it is required and permitted under law.

9. WHO WE DISCLOSE YOUR PERSONAL DATA WITH AS A DATA CONTROLLER

   We may share Data about you with:

   • Our employees or other workers that are bound by confidentiality, security and data protection obligations that work for one or more of our affiliate companies, including for the purpose of financial, tax, sales, marketing and operational tools and services that may be used to order or manage our Services.
   • Partners (such as Resellers) or agents involved in delivering the Services ordered.
   • Credit reference, fraud prevention, laws compliance verification agencies.
   • Law enforcement agencies, regulatory organisations, courts or other public authorities to the extent required by law.
   • Another customer, if you notify us that this customer's use of the Services violates our Acceptable Use Policy or any applicable law.
   • A third party that has claimed that your use of the Services violates the our Acceptable Use Policy or applicable law (to the extent such sharing is required by law).
   • Professional advisers such as the accountants or legal advisors we use to help us conduct our business
   • Any actual or potential buyer of our business
   • Third – Parties. We may disclose Personal Data to third parties for the purposes described in this privacy notice. In such a case we disclose only the minimum required Personal Data in order to provide the service and enter into a contract that requires them to use your Personal Data only for the provision of services to us and in a manner that is consistent with our privacy standards. Examples of third parties include payment processors, hosting, content delivery, customer support, marketing and customer relationship, software monitoring, project management and customer insight providers. We do our best to carefully select third-party Personal Data processors and require all third parties to respect the privacy and security of your personal data.
   • Our Processors list can be accessed at https://www.hackthebox.com/legal/processors.

10. WHERE WE STORE YOUR PERSONAL DATA.

    Where we instruct organisations to process personal data on our behalf (our Processors) and that results in your information being sent outside of the UK or European Economic Area (EEA), we make sure that your information receives a similar level of protection by:

    • only sending information to countries that have been formally recognised by the European Commission as having an adequate level of protection for personal data ( or
    • using Standard Contractual Clauses approved by the European Commission to ensure appropriate safeguards are in place

11. SAFEGUARDING YOUR DATA

    We have implemented generally accepted standards of technology and operational security to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the Personal Data.

    For further information about our security measures, please see our Technical & Organizational Security Measures list can be accessed at https://www.hackthebox.com/legal/datasecuritymeasures.

    If there is a breach of security which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law).

12. ACCURACY AND RETENTION OF YOUR PERSONAL DATA

    We do our best to keep your data accurate and up to date, to the extent that you provide us with the information we need to do so. If your data changes (for example, if you have a new email address), then you are responsible for notifying us of those changes.

    We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the volume, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we use your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

13. YOUR RIGHTS

    • Access. You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
    • Correction. You have the right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
    • Erasure. You have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with law.
    • Object. You have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and you feel such processing impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
    • Restrict. You have the right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
    • Portability. You have the right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
    • Complaints. You have the right to make a complaint at any time: For the EU Users: to the Hellenic Data Protection Authority Postal Address: Data Protection Authority Offices: 1-3, Kifissias Avenue, PC 115 23, Athens, Greece, Call Centre: +30-2106475600 Fax: +30-2106475628 E-mail: [email protected]. For the UK Users: to the UK Information Commissioner’s Office. HackTheBox is registered with the Information Commissioner’s Office, the UK regulator for data protection matters under number ZA827838.

    You may exercise the above rights either directly through the User Interface and/or by contacting the privacy Contact at: [email protected]. We will make our best efforts to respond to any request within a month. You will not have to pay in order to exercise your rights. We may request further information from you to confirm you are the owner of the data.

    You have the right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

    In case you notice a misuse of your Personal Data you should immediately inform us at [email protected] so we can immediately take the necessary actions.

14. COOKIES AND SIMILAR TECHNOLOGIES

    A cookie is a small piece of information that is placed on your computer when you visit certain websites. When we refer to “cookies” we include other technologies with similar purposes, such as tags and identifiers. Find out more about the use of cookies on https://www.allaboutcookies.org/

    We may use cookies and similar technologies (e.g. mobile device identifiers) when you visit or use our, websites, apps, products, services or technologies (“Services”). A cookie is a small piece of information that is stored on a computer or device and may contain a device identifier for the purpose of recognizing your browser as you interact with websites. Device identifiers may be randomly generated or assembled from available system elements such as IP address, browser version, OS type and version, device type and settings etc. Cookies, device identifiers, and similar technologies may be used to support Services, such as applying and storing user preferences, providing more customized experiences, such as personalized content and advertising, make our website operational, gather analytics data about user’s use of the website and service.

    When you first visit our sites using a new browser, or if you visit in private browsing mode, we will provide you with a cookies permission banner seeking your consent to use of cookies as required by law. From this banner you will be able to access our cookies management tool and you will be provided with all the necessary information. By clicking OK or clicking through to any part of the site, we will start to manage your visit using cookies.

    The third party organisations that place cookies, including your browser (such as Google), data management providers and the third party companies who pay for advertising and analytics services using this information, will have their own privacy policies.

    For any concern please contact us at [email protected]

15. CONCERNS AND COMPLAINTS

    If you have any questions, comments, or concerns about the way in which we have handled any privacy matter you may contact us by email at: [email protected].

    If you have any complaints about this notice or the way in which we handle your Personal Data, you may contact us at [email protected].

Definitions

• “we,” “us,” “our,” “Hackthebox” and “HTB” means Hackthebox Ltd
• “Website” means all websites under the domains hackthebox.com or hackthebox.eu and relevant subdomains and any other domain owned or controlled by HackTheBox
• “User” means the person that is using our Services.
• “Data Protection Legislation” means the following legislation to the extent applicable from time to time: (a) the General Data Protection Regulation 2016/679 (“GDPR”) (b) any applicable national law, regulation and guidelines from the competent data protection authority; and (c) any applicable successor texts or other similar national data protection law;
• “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
• “Data Subject” means the identified or identifiable natural person;
• “Personal Data” means any information that identifies or can be used to identify a user, directly or indirectly, including, but not limited to, first and last name, date of birth, email address, occupation or other demographic information.
• “Processor” means an entity that processes Personal Data on behalf of another entity.
• “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• “Special Category Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
• “Service” means the specific HackTheBox internet-accessible software-as-a-service(s) offering(s) identified in an Service Order Form and hosted by HackTheBox, its affiliates or service providers and made available to Customer over a network on a subscription basis at the websites www.hackthebox.eu or www.hackthebox.com and all subdomains and/or other web pages designated by HackTheBox, including associated components.