Privacy section

Version dated 25th March 2024

This Privacy Section describes how Yes We Hack S.A.S., a simplified joint stock company incorporated in France having its seat at 14 rue Charles V, 75004 Paris, registered under number 814 037 214 (R.C.S. Paris) (hereafter “YesWeHack”, “we”, “us” or “our”) processes your Personal Data when you use our website.

YesWeHack operates the Dojo site available at: https://dojo-yeswehack.com/ (the "Site") enabling any individual registering on the Site (the “User”) to train and learn the basics of ethical hacking by manipulating code to understand the impacts in real time based on challenges. The Site can also be used to rebuild complex exploitation scenarios from scratch and share them with the security researcher community.

When you browse the Site, YesWeHack processes your Personal Data as a data Controller. The purpose of this Privacy Section is to provide information about the data processing in accordance with current regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of Personal Data (hereafter the “GDPR”), as well as the French Data Protection Act n°78-17 of 6 January 1978, as amended.

For the interpretation of notions relating to the protection of Personal Data in this Privacy Section, please refer to the definitions in the Site Terms of Use and the definitions set out in the GDPR.

1. WHY AND HOW ARE MY PERSONAL DATA COLLECTED AND PROCESSED?

YesWeHack processes Site Users’ Personal Data in the context of the use of the Site and, more generally, of its operational activities, as needed for the purposes stated below:

  • Purpose: Administrative and technical management of the Site.
  • Legal Basis: Legitimate interest of YesWeHack to ensure the safety and proper operation of the Site (GDPR art.6-1(f)).
  • Personal Data: Login data (IP address, date and time of login, location), technical/functional Cookies.
  • Data retention period: Six (6) months from the first collection (i.e., upon your last visit to the Site). Personal Data are deleted at the end of this period.

  • Purpose: Managing user account logins.
  • Legal Basis: Processing is necessary for the performance of the Terms of Use (GDPR art.6-1(b)).
  • Personal Data: Username and password.
  • Data retention period: Three (3) years from the last login to the account. Personal Data are deleted at the end of this period.

Although the Site is not intended to process other Personal Data, depending on the manner in which the User uses the Site, YesWeHack may process other Personal Data. For instance, YesWeHack will process any Personal Data the User includes in free-text areas (e.g., when creating a challenge, YesWeHack may process Personal Data the User provides in the Title, Flag, Description, Hints, and/or Solution areas).

2. WHO ARE THE RECIPIENTS OF YOUR PERSONAL DATA?

The internal recipients of your Personal Data are the authorized staff of YesWeHack.

The external recipients of your Personal Data who process data on behalf of YesWeHack (Processors) are:

  • Processor: OVH S.A.S.
  • Purposes: Hosting the Site.
  • Location: 2 rue Kellermann, 59100 Roubaix, France.

  • Processor: Scaleway S.A.S.
  • Purposes: Site backup.
  • Location: 8, rue de la ville l’évêque, 75008 Paris, France.

3. HOW ARE YOUR PERSONAL DATA PROTECTED?

YesWeHack has implemented generally accepted standards of technology and operational security regarding the risks presented by its processing to preserve your Personal Data from loss, misuse, alteration, or destruction, at the time of their processing. Notably, YesWeHack is ISO 27001 and ISO 27017 standard certified, which is an international standard for information security management systems.

The technical and organizational measures taken by YesWeHack include physical, logical, and contractual measures such as, but not limited to, restricted access to data by personnel in departments authorized to access it by virtue of their duties, contractual guarantees in the event of the use of an external service provider, privacy impact assessments, or stringent authentication procedures.

YesWeHack will, in addition, not use, exploit, or disseminate to any third party any data collected for any purpose other than those set forth in this Privacy Policy.

4. WHAT ARE YOUR RIGHTS?

Where applicable, you may exercise the following rights under the conditions provided for in the regulations:

  • The right of access, rectification and erasure of your data (Art. 15 to 17 of the GDPR);
  • The right to restriction of Processing of your data (Art. 18 of the GDPR);
  • The right to data portability (Art. 20 of the GDPR);
  • The right to object to the Processing of your data (Art. 21 of the GDPR);
  • The right to issue instructions allowing access to your data in the event of death (Art. 85 of the French Data Protection Act n°78-17 of 6 January 1978, as amended).

You can exercise these rights by e-mail to our Data Protection Officer (see its contact details hereafter), specifying the right you wish to exercise and attaching proof of your identity (if necessary) or a power of attorney if you are being represented.

You can lodge a complaint to the French Data Protection Authority (CNIL – Commission Nationale de l'Informatique et des Libertés): https://www.cnil.fr/fr/plaintes.

5. OUR DATA PROTECTION OFFICER

YesWeHack has appointed an external Data Protection Officer who is responsible for ensuring the compliance of our processing operations, keeping a record of the processing activities, and ensuring the exercise of your rights specified hereabove.

Contact details of the DPO (Data Protection Officer): privacy@yeswehack.com

6. ARE THERE COOKIES ON OUR SITE?

A generic Matomo tracker is used on the Site operating in Do Not Track mode as recommended by the French Data Protection Authority. The data collected by the Matomo tracker solely allows for anonymous, generic statistics on the Site’s usage, and does not allow individuals to be re-identified. That data is neither used to enrich other analytics datasets nor does it provide a technical means to track the user’s behaviour on other websites. Prior consent to the deposit of the Matomo tracker is therefore not required.

If your web browser is set to block trackers and scripts, or if you have installed browser extensions that filter the content of web pages to block certain elements, such as trackers and cookies, the opt-out check-box will not be displayed and you will not be tracked.

7. UPDATING OF THIS PRIVACY SECTION

This Privacy Section may be updated periodically and without notice. Any changes will be effective immediately upon posting at https://dojo-yeswehack.com/. However, we will use your Personal Data in accordance with this Privacy Section in effect at the time of the collection.