/ YesWeHack

General Terms of Use for "Hunter"

Version 4.0.0 of May 11, 2020
YesWeHack General Terms of Use for "Hunter" Version 4.0.0 of May 11, 2020 1

ARTICLE 1. DEFINITIONS 3

ARTICLE 2. PURPOSE 4

ARTICLE 3. SERVICES 4

ARTICLE 4. REGISTRATION PROCESS 4

4.1. Age requirement 4

4.2. Creating a Hunter account 4

4.3. Creating an eWallet account 4

4.4. Acceptance of GCU 5

4.5. Independence of the Hunter 5

ARTICLE 5. ACCESS TO SERVICES 5

ARTICLE 6. HUNTER’S OBLIGATIONS 5

6.1. Legal, fiscal and social obligations 5

6.2. Security of the Site and/or Services 6

6.3. Protection of the Means of Identification 6

6.4. Tests 7

6.5. Confidentiality – Personal data protection 7

ARTICLE 7. INTELLECTUAL PROPERTY RIGHTS 7

7.1. The Site and/or Services 8

7.2. Right to use the Systems 8

7.3 Assignment of intellectual property rights on the Vulnerability Report 8

ARTICLE 8. FINANCIAL CONDITIONS 9

ARTICLE 9. WARRANTY - LIABILITY 9

9.1. Warranty - YesWeHack Liability 9

9.2. Warranty - Hunter Liability 9

ARTICLE 10. FORCE MAJEURE 10

ARTICLE 11. PROTECTION OF PERSONAL DATA 10

ARTICLE 12. AGREEMENT ON EVIDENCE 10

ARTICLE 13. TERMINATION 11

ARTICLE 14. SUB-CONTRACTING - ASSIGNMENT 11

ARTICLE 15. CONFIDENTIALITY– END OF THE CONTRACT 11

ARTICLE 16. HEADINGS - PERMANENCE- NO WAIVER 11

HUNTER GTUs - YES WE HACK (c) 2020 Page 1/20

ARTICLE 17. NOTIFICATION 12

ARTICLE 18. TERM OF THE CONTRACT 12

ARTICLE 19. SETTLEMENT OF DISPUTES - GOVERNING LAW - RELEVANT COURT 12

INVOICING MANDATE 12
FOR FRENCH HUNTERS: 12

FOR NON-FRENCH HUNTERS 13

APPENDIX A – PERSONAL DATA PROTECTION POLICY 15

1.Processing of Personal Data by YesWeHack as data controller 15

2. Processing of Personal Data carried out by YesWeHack as joint data controller with MANGOPAY 17

HUNTER GTUs - YES WE HACK (c) 2020 Page 2/20

YesWeHack Hunters GCU

These General Conditions of Use ("GCU" or the "Contract") of the YESWEHACK platform are intended to define
the contractual relations between YesWeHack and any Hunter using the Site. The Site and the Bug Bounty
Services of the YESWEHACK platform are published and operated by YesWeHack, a simplified company with
shares (SAS) with capital of 31,420.74 euros, domiciled at 14, Rue Charles V 75004 Paris (SIRET No.
81403721400016).

YesWeHack reserves the right to make changes to the GCU, the Site and the Services. Any modification will be
notified to the Hunter when she or he logs in to his or her personal account. The new version of the GCU will
also be available on the site. It will come into force within EIGHT (8) days following this mailing or any other
date that may be indicated by YesWeHack. In case of disagreement with the new provisions, the Hunter agrees
to cease all use of the Site and/or the Services which will result in de facto termination of the Contract.

ARTICLE 1. DEFINITIONS

Some of the definitions below are also specified in the FAQs. In the event of any discrepancy or difficulty of
interpretation concerning these definitions, it is expressly agreed that the definitions in the GCU shall prevail.

Personal Data: means, in accordance with Article 4 of the General Regulations on Data Protection of 27 April
2016 (GDPR), any information relating to an identified natural person or which can be identified, directly or
indirectly, by reference to an identification number or several elements specific to him/her. In order to
determine whether a person is identifiable, account should be taken of all the means of identification available
or accessible to the controller or any other person.

Intellectual Property Rights: means all intellectual property rights, including but not limited to copyright,
software rights, database rights, patent rights, rights to inventions, trademark rights, distinctive marks, design
rights, semiconductor topography rights, trade secrets and know-how.

eWallet: designates the means of payment which is used for the settlement and storage of the Hunter Cash
Rewards. It is not a bank account.

Hunter: means a natural person who participates in a Bug Bounty Program. The Hunter performs Tests on a
System and within the framework of a Bug Bounty Program. This person is a computer security researcher. The
Hunter may act in a non-professional or professional capacity, individually or in the name and on behalf of a
company.

Invoicing Mandate: means the contract by which the Hunter entrusts YesWeHack with the preparation of the
invoices including the Rewards due to him or her at the end of the Tests.

Means of identification: designates the login/password combination allowing the Hunter to access his or her
account.

Bug Bounty Program (or “Program”): designates the scope of the Tests authorised by the User
(designation of the Systems, type of Tests, eligibility, periodicity, exclusions, Rewards, etc.). A Bug Bounty
Program can be public or private.

Reward: means any amount of money or material goods granted to the Hunter if he or she successfully
completes the Tests, i.e. if he or she discovers any proven Vulnerabilities in the System previously unknown.

Services: means the YESWEHACK platform and any related services made available by or through YesWeHack.
Site: refers to the Internet site accessible from the URL address https://yeswehack.com/auth/login enabling
Hunters to benefit from the Services on the YESWEHACK platform.

System: refers to the Customer's systems (servers, websites, applications, software, modules, interfaces, etc.)
on which the Tests are carried out, whether they are hosted by the User or by a third party.

Tests: means the tests that the User wishes to run and that are compliant with the Bug Bounty Program
validated by YesWeHack. These Tests include any action to reach or penetrate a User System, to analyse the
level of security in place and to look for Vulnerabilities.

User: means the natural person who represents or who is duly authorised by the YesWeHack Customer (legal
entity that has subscribed to a license to use the platform) to use the Site in order to perform Tests on the
Customer's System in accordance with the Bug Bounty Program that it defines.

Vulnerabilities: designates any defect, incident or security flaw which, individually or cumulatively, has
repercussions on the use or operation of the System's functionalities.

HUNTER GTUs - YES WE HACK (c) 2020 Page 3/20

YESWEHACK: refers to the Bug Bounty platform and the registered trademark belonging to the company
YesWeHack, simplified company with shares (SAS) with capital of 31,420.74 euros, domiciled at 14 Rue Charles
V, 75004 Paris, and used in the context of these GCU.

ARTICLE 2. PURPOSE

The purpose of these GCU is to define the terms and conditions of access and use of the Site and/or Services
for the Hunters.

ARTICLE 3. SERVICES

The YESWEHACK platform is a platform which puts Users and Hunters in contact so that Users submit all or
part of their Systems to Tests which will be carried out by the Hunters.

The steps are as follows:

/ A User publishes a Bug Bounty Program on the Site ;

/ As part of a private Program, the User defines the list of skills or the names of the Hunters invited to the
Bounty Bug Program ;

/ Hunters perform the Tests and then they establish a report on the Vulnerabilities found ;

/ The User validates or not the Vulnerabilities reported and their severity levels ;

/ The Hunter who uncovered a valid Vulnerability and who established a clear report with a severity level in
accordance with the Bug Bounty Program, can be rewarded by the User, by granting him or her points
according to criteria defined on the YESWEHACK platform in its FAQ in particular, and/or by granting him
or her a Reward in cash or in the form of material goods ;

/ The Hunter can participate in the Hunter ranking and showcase their results on all YesWeHack platforms.

ARTICLE 4. REGISTRATION PROCESS

4.1. Age requirement

The use of the Site and/or the Services is in principle forbidden to minors (depending on nationality and
applicable law).

4.2. Creating a Hunter account

When registering, the Hunter must provide certain information through the registration form available on the
Site.

The Hunter guarantees that the information he or she provides is accurate, genuine and up to date and
undertakes to update it as soon as necessary. If this information proves to be false, incomplete or obsolete,
YesWeHack reserves the right to refuse registration and/or to interrupt the provision of Services in accordance
with the provisions of Article 13 hereof.

The Hunter is solely responsible for the consequences of not updating his or her personal information and
expressly acknowledges that YesWeHack cannot be held liable for any misrepresentation regarding his or her
identity.

4.3. Creating an eWallet account

The Hunter must have opened an eWallet account in the Program currency on the YESWEHACK platform for the
settlement of his or her Rewards in cash.

When submitting a Program in another currency, an eWallet in the currency of the Program will have to be
created.

The Hunter acknowledges having read and agrees to respect the conditions of use of MANGOPAY.

A summary of the amounts paid is made available on the Hunter's account.

HUNTER GTUs - YES WE HACK (c) 2020 Page 4/20

The Hunter is informed, in his or her account on the YESWEHACK platform, of the status of the MANGOPAY
eWallet, through a list of transactions made by ID MANGOPAY in real time.

4.4. Acceptance of GCU

Registration for the Services is done through the Site and requires acceptance of the GCU and confirmation of
such acceptance. These GCU are subject to the signature of the Invoicing Mandate.

The Hunter expressly acknowledges that he has read these GCU and given his or her consent. This acceptance
given by double-clicking is in accordance with Article 1127-2 of the French Civil Code and is deemed to
conclude the contract in digital form.

4.5. Independence of the Hunter

The YESWEHACK platform is exclusively a platform for putting Hunters in contact with Users.

The Hunter expressly acknowledges that he or she has no link of dependence or subordination, whether direct
or indirect with YesWeHack or with a User.

The Hunter acknowledges that he or she acts in an occasional and non-exclusive way. The Hunter chooses
which Bug Bounty Program he or she wants to participate in and he or she alone and independently determines
the means he or she intends to use to conduct his or her Tests in accordance with the Bug Bounty Program.

Because of this independence, the Hunter can only be excluded from the Bug Bounty Programs because of a
breach of an obligation under these GCU.

ARTICLE 5. ACCESS TO SERVICES

Except in cases of force majeure, YesWeHack shall, as part of a duty of best endeavours, ensure the availability
and accessibility of the Site and Services. Nevertheless, control and maintenance operations can be carried out
at any time. YesWeHack endeavours to prevent, as much as possible, the occurrence of such an operation
within twenty-four (24) hours before the beginning of the actual operation. YesWeHack shall not be liable for
any consequences resulting therefrom for any Hunter.

Every Hunter acknowledges that he or she knows and understands the Internet and its limitations and, in
particular, its functional characteristics and technical performance, the risks of interruption, the response times
for consulting, querying or transferring information or the risks inherent in any transfer of data. YesWeHack is
not liable for the unavailability of networks that are not entirely under its direct control.

It is the responsibility of every Hunter to equip himself or herself in an appropriate manner, in particular in
terms of computer and electronic communications, to access the Site and the Services and to take all
appropriate measures to protect himself or herself and YesWeHack from any attack or damage that could
affect the data, software or contents stored on the Site. YesWeHack is not responsible for the normal wear and
tear of Hunter's computer media.

All costs and authorisations required to connect, access and use the Site and/or Services are and remain the
responsibility of the Hunter.

All Hunters agree not to hinder the proper functioning of the Site and/or the Services in any way whatsoever, in
particular by transmitting any element likely to contain a virus or malicious Bug Bounty Program likely to
damage or affect the Site and/or the Services and, more broadly, the information system of YesWeHack and its
co-contractors.

ARTICLE 6. HUNTER’S OBLIGATIONS

The Hunter agrees to use the Services as is and in accordance with these GCU.

6.1. Legal, fiscal and social obligations

The Hunter is informed that his or her activity (carrying out Vulnerability Tests and reports) carried out via the
YESWEHACK platform is likely to generate an obligation of affiliation to a legal status. The Hunter shall
therefore find out about and acquire the legal status appropriate to his or her situation.

Moreover, the Hunter is informed that the income he or she derives from his or her activity on the YESWEHACK
platform must be subject to taxation or social or fiscal taxation according to the criteria of fiscal territoriality.

HUNTER GTUs - YES WE HACK (c) 2020 Page 5/20

The Hunter hereby expressly acknowledges that it is his or her sole responsibility to inform himself or herself
about his or her legal, fiscal and social obligations, to subscribe to them and to comply with them.

The Hunter is required to make all the declarations required by the tax authorities and the social security
organisations to which he or she belongs, depending on his or her status and his or her country of residence in
and outside the European Union.

YesWeHack will communicate at the time of each Reward received by the Hunter of French nationality the
information relating to the tax and social security regulations applicable to the Rewards drawn from Bug
Bounty operations in accordance with Article 242 bis, I of the General Tax Code (CGI) (Article 23L.11). No later
than 15 January of the year following the year in respect of which the information is given, a document
mentioning the Hunter's identification details (for natural persons: surname or usual surname, first names and
home address), the number and total gross amount of Rewards made during the past year. The Hunter
acknowledges that this document must be transmitted digitally by 31 January of the year following the year in
respect of which the information is given, the period between 15 January and 31 January allowing the Hunter to
rectify the document concerning him or her.

To this end, for France, it is imperative that the Hunter is aware of and implements the obligations set out
below:

/ Concerning the tax obligations see: declaration of income from ancillary activities

/ Concerning social obligations see: social contributions for economic activities

Foreign Hunters shall take note of the tax and social security system applicable to them and to inform
YesWeHack in order to possibly modify the content of the invoicing mandate.

YesWeHack can under no circumstances be involved in these steps and its liability can, under no
circumstances and for any reason whatsoever, be sought because of one of these legal, tax or
social obligations ; the obligations of YesWeHack are strictly limited to informing the Hunter of the
tax, accounting and social obligations at his or her expense and to provide him or her with a
summary document of all transactions made on the platform.

In order to help the Hunter in the fulfilment of his obligations, YesWeHack provides him with
information in its FAQs, allowing him to find his way around by clicking on the following link: FAQ.
The Hunter agrees to regularly read this information.

6.2. Security of the Site and/or Services

Every YesWeHack platform is also subject to the Bug Bounty Program.

The Hunter shall inform YesWeHack without delay, by any means, of any error, fault or irregularity that he or
she finds in the use of the Site and/or Services, as soon as he or she becomes aware of it.

The Hunter shall not attempt to alter the headers or attempt to manipulate the pages of the Site in such a way
as to disguise, hijack, or modify the Site. It is also prohibited to create a work or site derived from all or part of
this Site, or to resell or redistribute YesWeHack data.

6.3. Protection of the Means of Identification

The Means of Identification are strictly personal and confidential.

The Hunter shall:

/ keep them secret ;

/ not to communicate them to third parties in any form whatsoever ;

/ not allow third parties access to the Services ;

/ assume sole responsibility for the consequences of any disclosure made in violation of these GCU ;

/ inform YesWeHack without delay of any compromise, loss or anomaly observed in the Services.

The Hunter acknowledges that any use of the Services is made under his or her full and complete
responsibility.

Consequently, the Hunter acknowledges that the actions carried out on his or her account are presumed to be
HUNTER GTUs - YES WE HACK (c) 2020 Page 6/20
made by him or her and will be charged to him or her, it being up to the Hunter to provide proof to the
contrary.

YesWeHack reserves the right to suspend the Hunter's access to his or her account in case of proven
compromise or in case of suspicion of compromise of his Means of identification.

6.4. Tests

The Hunter will not have to consult the User beforehand to perform the Tests and will act at his or her
convenience to perform them within the limits of the Bug Bounty Program defined by the User.
The Hunter agrees to perform the Tests within the conditions and limits described in the User’s Bug Bounty
Program.

Therefore:

/ He or she agrees to strictly limit his or her action to the scope defined in the User’s Bug Bounty Program ;

/ He or she agrees not to repeat any Test whatsoever outside the scope strictly defined by the User’s Bug
Bounty Program and once the Bug Bounty Program is closed ; Any action carried out by the Hunter outside
the limits set by the User's Bug Bounty Program may result in the User being held civilly and/or criminally
liable and excluded from the YESWEHACK platform ;

/ The Hunter shall respect any data privacy policy that may be described in the User's Bug Bounty Program ;

/ The Hunter shall keep strictly confidential the User's information to which he or she may have had access
during the Tests, including the Vulnerabilities and, if applicable, the Personal Data to which he or she may
have had access. Failing this, the Hunter could be bound by civil and criminal liability.

Therefore:

/ He or she shall use them for purposes strictly necessary for the proper performance of the Tests.

/ He or she shall refrain from communicating them to any third party to the contract in any way and by any
means whatsoever (in particular, oral, paper, digital).

/ He or she shall report any obvious anomaly to YesWeHack if he or she notices security failures on the
YESWEHACK platform as well as to the User for any obvious anomaly noticed during the Tests.

/ He or she shall not to use them for the development, production or marketing of a System that infringes
the User's rights, its activity and/or competes directly or indirectly with it.

/ The Hunter guarantees that he or she respects all of the User's Intellectual Property Rights, in particular,
during the performance of the Tests, including but not limited to the software used and operating licenses.

/ The Hunter shall not participate in any private Bug Bounty Program to which he or she has not been
invited by a User.

/ In case the Hunter is in contact with the User, he or she is solely responsible for the content of his or her
exchanges with the User.

The HUNTER acknowledges that YesWeHack does not intervene in any way in the relationship with the User.

6.5. Confidentiality – Personal data protection

As part of the Program, during the performance of the Tests, the Hunter may, if necessary, access Personal
Data processed by the User.

The Hunter guarantees the security and confidentiality of the data accessed and shall take all technical and
organisational measures to prevent the destruction, loss, alteration, unauthorised disclosure or access to the
data accessed, whether accidental or illicit.

The Hunter shall not to make any use or processing of the Personal Data to which he or she may have access
during the Tests.

ARTICLE 7. INTELLECTUAL PROPERTY RIGHTS

HUNTER GTUs - YES WE HACK (c) 2020 Page 7/20

7.1. The Site and/or Services

The Site (including all accessible information, in particular in the form of downloadable text, photos, images,
sounds, data, databases and the Bug Bounty Program, including the underlying software and other technology)
and Services are protected by Intellectual Property Rights and/or other rights that YesWeHack owns or is
authorised to use.

The Customer may not under any circumstances store, reproduce, represent, modify, transmit, publish, adapt
on any medium whatsoever, by any means whatsoever, or use in any way whatsoever, the elements of the Site
and/or Services without the prior written permission of YesWeHack.

Each party is and will remain owner, as far as it is concerned, of its distinctive signs, namely trademarks,
corporate and other names, trade names, brand names and domain names. Reproduction, imitation or affixing,
in whole or in part, of trademarks or designs or models belonging to YesWeHack is strictly prohibited without its
prior written consent.

The Hunter shall respect all mentions relating to the Intellectual Property Rights appearing on the Site and/or
the Services and shall not alter, delete, modify or otherwise infringe upon them.

7.2. Right to use the Systems

Exclusively and solely for the purpose of Testing, subject to the restrictions, if any, set forth in the Bug Bounty
Program, the User grants to Hunters on a personal, free, non-exclusive, worldwide basis the right to use the
Systems that are protected by intellectual property rights and only for the duration of the Bug Bounty Program
as defined by the User, provided that the Bug Bounty Program has not been suspended prior to its termination.

The license to use the Bug Bounty Program is granted for the sole and exclusive purpose of running the Bug
Bounty Program and will cover the rights defined below:

/ the right to reproduce the System or have the System reproduced, in whole or in part, on the YESWEHACK
platform only ;

/ the right to extract, decompile, modify, assemble, transcribe, arrange, interface the System for the sole
purpose of analysing the Bug(s) ;

/ the right to make any and all use and to operate for the sole purpose of Testing the System.

It is expressly agreed, unless otherwise stated, that no trademark license is granted to the Hunters by the
User.

7.3 Assignment of intellectual property rights on the Vulnerability Report

The Hunter assigns free of charge to the User who accepts, for all countries where they are protected, in all
languages, for the entire duration of the legal Intellectual Property Rights of the copyrights or their assignees,
according to both French and foreign legislations and international conventions, current and future, including
any extensions that may be made to this term and in all forms, presentations and by any process both current
and future, and assigns to YesWeHack the rights to all or part of the Vulnerability Reports submitted on the
platform for the delivery of the Service.

These rights, by any means and on any medium known or unknown to date, are in particular the rights:

/ to use, including use via the YESWEHACK API and its various integrations with third party tools ;

/ to reproduce and to have others reproduce ;

/ to represent or to have others represent, to disseminate or to have others disseminate, to publish or to

have others publish, to operate or to have others operate, whatever the format and the presentation ;

/ communicate or have others communicate ;

/ adapt or have others adapt, translate or have others translate all or part of the Vulnerability Reports and,
where appropriate, adapt or have others adapt them to local conditions in the country in question ;

/ to modify or have others modify, improve or have others improve, correct or develop by addition, deletion,
incorporation or adaptation.

YesWeHack does not claim any ownership rights to the Vulnerability Reports submitted on the platform for the
HUNTER GTUs - YES WE HACK (c) 2020 Page 8/20
delivery of the service.

ARTICLE 8. FINANCIAL CONDITIONS

The Hunter will collect the Cash Reward awarded by the User in his or her e-Wallet account, at the User's
discretion and in accordance with the relevant Bug Bounty Program.

The cash Rewards are expressed in the program currency, all taxes included (including VAT). The Hunter
agrees to regularly consult the Reward FAQs by clicking the following link: FAQ.
In the case of a foreign currency, YesWeHack will apply the exchange rate published by the European Central
Bank on the day the tax is due, which by convention is set on the last day of the current month. It will be
mentioned on the invoice.
A summary of the Reward is made available in the Hunter's account.

The Hunter is informed that, if necessary, and in particular in accordance with its legal obligations, YesWeHack
may be required to communicate any information relating to the Rewards to any appropriate and duly
authorised authorities that make the request.

The Hunter authorises YesWeHack to invoice in his or her name and on his or her behalf the Rewards granted
by the User.

It is expressly agreed that the Invoicing Mandate must be duly completed and accepted by the Hunter in his or
her personal account. Failing this, any operation initiated by the Hunter will not give rise to payment.

ARTICLE 9. WARRANTY - LIABILITY

9.1. Warranty - YesWeHack Liability

YesWeHack makes no warranty as to the suitability of the Site and/or Services to meet any particular Hunter's
needs or expectations. Similarly, YesWeHack cannot guarantee that no errors or other operational or usage
problems will not occur during the use of the Site and/or Services.

YesWeHack disclaims any liability for the use of the Site and/or Services made by any User or Hunter.
YesWeHack has only an intermediary role between the User and the Hunter: its liability can under no
circumstances be sought in case of damage caused by a User or Hunter to another User or Hunter and this in
particular in the context of carrying out the Tests and delivering erroneous or deceptive information to the
Customer.

Under no circumstances is YesWeHack liable for any harm such as financial, commercial, loss of customers,
business disruption, loss of profit, loss of brand image, loss of digital Bug Bounty Program, suffered by the
Hunter that may result from the breach of these GCU, which harm is, by express agreement, deemed to be
indirect harm.

YesWeHack will under no circumstances accept liability for any consequential damages resulting, even
partially, from a total or partial non-performance by the User or the Hunter of their obligations even if
YesWeHack was aware of the possibility of such harm.
YesWeHack is bound by an obligation of means with regard to the provision of the Services.

9.2. Warranty - Hunter Liability

The Hunter is responsible for all damage he or she causes to YesWeHack or the Users. The Hunter agrees to
indemnify YesWeHack or the Users, in case of any order to pay damages and interest that YesWeHack or the
Users might incur as a result of non-compliance with the present stipulations or to damages caused to others
or to itself.

Any action taken outside the limits set by the User's Bug Bounty Program may result in civil and/or criminal
liability.

The Hunter shall keep strictly confidential the User's information to which he or she may have had access
during the Tests, including the Vulnerabilities and, if applicable, the Personal Data to which he or she may have
had access. Failing this, the Hunter could be bound by civil and criminal liability.

In addition, the Hunter is liable for any disclosure of Vulnerabilities following the completion of a Bug Bounty
Program for which legitimate suspicions may be raised against him or her.

The Hunter is liable for the proper fulfilment of the fiscal, social and accounting obligations towards YesWeHack
HUNTER GTUs - YES WE HACK (c) 2020 Page 9/20
set forth in article 6.1 hereof, in particular in terms of invoicing.

ARTICLE 10. FORCE MAJEURE

YesWeHack cannot be held liable for any delay in the performance of its obligations or for any non-performance
of its obligations resulting from these General Conditions of Use when the circumstances giving rise thereto are
due to force majeure.

In addition to the circumstances generally accepted by the case-law of the French courts and tribunals, the
following circumstances are expressly considered to be cases of force majeure or fortuitous events: Total or
partial strikes, lockouts, riots, civil unrest, insurrection, civil or foreign wars, nuclear risks, embargos,
confiscation, capture or destruction by any public authority, bad weather, epidemics, blockages of means of
transport or supply for any reason whatsoever, earthquakes, fires, storms, floods, water damage, governmental
or legal restrictions, legal or regulatory changes in forms of marketing, malicious Bug Bounty programs not
listed by a CERT, blocking of electronic communications, including electronic communications networks and
any challenge to the cryptographic means implemented by YesWeHack.

Any case of force majeure affecting the performance of the obligations resulting from these GCU and in
particular the access or use of the Services by the Hunter will suspend, as of its date of occurrence, the
execution of these GCU.

It is expressly agreed between the Parties that the implementation of palliative means by YesWeHack during
the occurrence of a case of force majeure shall not give rise to any liability or compensation on the part of
YesWeHack.

ARTICLE 11. PROTECTION OF PERSONAL DATA

The Personal Data which are communicated by the Hunter on the YESWEHACK platform are necessary for the
use of the Site and/or the Services.

YesWeHack carries out processing on these Personal Data in its capacity as data controller, in accordance with
Regulation (EU) 2016/679 of 27 April 2016 (General Regulation on Data Protection) and Law N°78-17 of 6
January 1978 as amended.

For the eWallet, YesWeHack processes the Personal Data relating to the Customer's manager that are
necessary for the creation and management of the eWallet, as data controller jointly with MANGOPAY, also data
controller, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation)
and Law N°78-17 of 6 January 1978 as amended.

Appendix A "Personal Data Protection Policy" of these GCU details the information on the processing of
Personal Data: the purposes and legal basis of the processing carried out, the categories of data concerned, the
recipients of the data, the retention period and the rights of the Hunters.

ARTICLE 12. AGREEMENT ON EVIDENCE

YesWeHack and the Hunters intend to establish, within the framework of the Site and/or the Services, the rules
relating to the evidence admissible between them in case of dispute and their evidentiary weight. The
following stipulations thus constitute the agreement of proof between the parties, who shall respect this Article.

YesWeHack and the Hunters accept that in case of dispute, the transmitted data, certificates and electronic
Signatures are admissible in court and prove the data and facts they contain as well as the Signatures and
authentication procedures they express. They must therefore comply with the requirements of Articles 1366
and 1367 of the Civil Code on proof in writing:

/ clicks and double clicks are admissible in court and are proof of the data and facts they contain as well as
the acceptances and consents they express ;

/ timestamp tokens and digitally certified dates are admissible in court and are evidence of the data and
facts contained therein ;

/ login data relating to actions taken from the account are admissible in court and are evidence of the data
and facts contained therein ;

/ e-mails and acknowledgements of receipt exchanged are admissible in court and are evidence of the data
and facts contained therein ;
the Means of Identification used in connection with the Site are admissible in court and are evidence of the
HUNTER GTUs - YES WE HACK (c) 2020 Page 10/20
 data and facts contained therein as well as the signatures and Identification procedures they express.

Proof to the contrary may be provided in accordance with the evidentiary mechanism of Article 1353 of the
French Civil Code.

ARTICLE 13. TERMINATION

YesWeHack reserves the right to temporarily suspend all or part of the Service and the Hunter's account for
reasons related to the security of the Service, the Hunter's security or a breach or suspected breach by the
Hunter of any of his or her obligations hereunder.

YesWeHack also reserves the right to unilaterally terminate this contractual relationship resulting from the GCU
in the event that the Hunter demonstrates serious and/or repeated breaches of any of his or her obligations
hereunder.

Such termination will be accomplished by means of a notification in accordance with Article 17. It will be done
as of right, without delay and without prejudice to the damages that YesWeHack could ask for.

ARTICLE 14. SUB-CONTRACTING - ASSIGNMENT

YesWeHack reserves the right to subcontract all or part of the services described herein to any company of its
choice.

YesWeHack reserves the right to assign the Contract to any third party of its choice.

In any case, YesWeHack will notify the Hunters by email to the address given at the time of registration in case
of assignment or change of sub-contractor.

ARTICLE 15. CONFIDENTIALITY– END OF THE CONTRACT

The Hunter has an obligation to keep confidential all information to which he or she has had access or which he
or she may have possessed in the context of the performance of the Contract.

Consequently, the Hunter shall not disclose such information to any third party to the Contract for any reason
whatsoever and this regardless of the legal and/or economic ties that the Hunter has with such a third party.

This commitment will last for the entire duration of this Contract and will continue beyond the end of this
Contract occurring for any reason whatsoever, for as long as the confidential information has not fallen into the
public domain by disclosure of the information by the User.

At the end of the User's participation in the Bug Bounty Program, all information related to the use of the
service as part of a Bug Bounty Program, namely, data of any kind, including personal data but also reports
made by the Hunters, will be completely deleted from the Hunter's databases and systems in accordance with
legal obligations, such as in particular under the Law for Confidence in the Digital Economy and the statute of
limitations.

Subject to the express, written and prior agreement of the User, the Hunter may make public the reports as
referred to in Article 3 hereof.

The Hunter further agrees to abide by any privacy policy set forth by a User in connection with the Bug Bounty
Program.

ARTICLE 16. HEADINGS - PERMANENCE- NO WAIVER

The fact of not invoking a breach of any of the obligations resulting from the GCU shall not be interpreted as a
waiver of the obligation in question.

The nullity of any clause of GCU shall not affect the validity of the other clauses unless the annulled clause
makes the continuation of the Contract impossible or unbalanced in relation to the initial agreements.

The headings at the beginning of each article are for the convenience of the reader only and may in no way be
the pretext for any interpretation or distortion of the clauses to which they refer. In the event of difficulty of
interpretation or contradiction between the content of a clause and its title, the latter shall be deemed to be
unwritten.

It is expressly agreed between the Parties that the language governing this Contract is French. In the event of
HUNTER GTUs - YES WE HACK (c) 2020 Page 11/20
contradiction between the French GCU and the same translated GCU, the French GCU shall take precedence
over those translated into a foreign language.

ARTICLE 17. NOTIFICATION

Any notification must be made in writing, by registered letter with acknowledgement of receipt, or by any other
means whose receipt can be proven (Hybrid Registered Letter, Digital Registered Letter), to the address
indicated on the Site, or at the time of registration, or to any other address that one of the parties may
subsequently indicate to the other in writing. Such notification shall be deemed to be received on the first
business day following the first submission.

ARTICLE 18. TERM OF THE CONTRACT

The duration of this Contract is fixed until deactivation of the account by or on behalf of Hunter. Deactivation of
the account entails termination of the Contract. It is expressly agreed that Users can stop their Bug Bounty
Programs at any time or renew them at their discretion, which the Hunter accepts.

ARTICLE 19. SETTLEMENT OF DISPUTES - GOVERNING LAW - RELEVANT COURT

In the event of a dispute relating to the interpretation, formation, validity or performance of these GCU,
YesWeHack and the Hunters expressly acknowledge that only French law is applicable.

In the absence of an amicable settlement, in the event of a dispute relating to the interpretation, formation or
performance of these GCU and failing to reach an agreement or a settlement, YesWeHack and the Hunters
expressly and exclusively give jurisdiction to the relevant courts within the jurisdiction of the Paris Court of
Appeal, notwithstanding plurality of defendants or summary proceedings or third party claims or protective
measures. In case of failure to comply with this step, which remains the responsibility of the Hunter,
YesWeHack declines all liability in this regard.

INVOICING MANDATE

FOR FRENCH HUNTERS:

In accordance with the provisions of Article 289-I of the General Tax Code (CGI) and the extract from the
Official Bulletin of Public Finance (BOFIP) “VAT - Taxation regimes and reporting and accounting obligations -
Rules relating to the preparation of invoices - Issue of invoices”, BOI-TVA-DECLA-30-20-10-20140113:

By checking the box “I have read and accept the terms of this invoicing mandate”, the Hunter expressly
authorises YesWeHack to invoice in his or her name and on his or her behalf the rewards that are due to him or
her as part of a Bug Bounty program.

The Hunter certifies on his or her honour that he or she is aware of and complies with the social, fiscal and
accounting requirements imposed on him or her in France. YesWeHack cannot be held liable in the event of
failure of the Hunter regarding this verification.

The agent (YesWeHack):

/ shall archive or have archived in a secure manner the present invoicing mandate in order to demonstrate
its existence to the tax authorities if requested ;
/ shall carry out all the necessary acts for the issue and availability of invoices to the Hunter in his or her
personal account ;
/ shall archive or have archived in a secure manner the digital invoices and the data contributing to the
establishment of the invoice in such a way that the principal can access them as soon as possible.

The principal (the Hunter)

/ shall archive or have archived in a secure manner the present invoicing mandate in order to demonstrate
its existence to the tax authorities if requested ;
/ shall archive or have archived in a secure manner its electronic invoices and data contributing to the
establishment of the invoice ;
/ shall inform YesWeHack of the information concerning its identification and that relating to the content of
the invoices issued in its name and on its behalf and shall transmit the supporting documents as soon as
possible by digital means ;
HUNTER GTUs - YES WE HACK (c) 2020 Page 12/20
 / shall bring to the attention of the agent, in case of dispute on an invoice, the information necessary for the
modification of the invoice, as soon as possible ;
/ shall pay to the Public Treasury the tax mentioned on the invoices drawn up in his or her name and on his
or her behalf ;
/ shall claim as soon as possible the double of an invoice if he or she has not received it ;
/ shall accept any invoice that YesWeHack has issued in his or her name and on his or her behalf. This
acceptance is done by clicking on the invoice when reading it. For evidentiary purposes, YesWeHack
keeps the proof of the click and ensures its reliable time stamping during the invoice archiving period. The
Hunter acknowledges having a fourteen (14) day period from the reading of the invoice to modify its
content. Failing this, the Hunter acknowledges having fully accepted it ;
/ acknowledges being fully responsible for the obligations and consequences in terms of invoicing with
regard to VAT ;
/ acknowledges that he or she will not be able to argue of the failure or delay of YesWeHack in the
establishment of the invoices to avoid the obligation to declare the collected tax when it falls due ;
/ acknowledges that it remains liable for the VAT due, if applicable pursuant to Article 283, paragraph 3 of
the French General Tax Code, when it is wrongly invoiced.

The Invoice established by YesWeHack expressly mentions:

/ That it is issued by YesWeHack in the name and on behalf of the Hunter expressly identified ;
/ The exchange rate applied for the conversion into EUR currency ;
/ The mandatory invoicing information such as the identity of the Hunter, the identity of the User, the
invoice number, the invoice date, the date of the Bug Bounty service, the value added tax (VAT)
identification, the legally applicable VAT rate, the precise designation of the Bug Bounty, the date or terms
of payment, if applicable, for Hunters not subject to VAT the mention “VAT not applicable - Article 293 B of
the CGI”.

FOR NON-FRENCH HUNTERS

By checking the box “I have read and agree to the terms and conditions of this Invoicing Mandate”, the Hunter
expressly authorises YesWeHack to invoice on his or her behalf and for his or her account the rewards owed to
him or her under a Bug Bounty program.

The Hunter certifies on his or her honour that he or she is aware of and complies with the social, tax and
accounting requirements applicable to him or her. YesWeHack cannot be held liable in the event of failure of
the Hunter regarding this verification.

The agent (YesWeHack):

/ shall archive or have archived in a secure manner the present invoicing mandate in order to demonstrate
its existence to the tax authorities if requested ;
/ shall carry out all the necessary acts for the issue and availability of invoices to the Hunter in his or her
personal account ;
/ shall archive or have archived in a secure manner the digital invoices and the data contributing to the
establishment of the invoice in such a way that the principal can access them as soon as possible.

The principal (the Hunter)

/ shall archive or have archived in a secure manner the present invoicing mandate in order to demonstrate
its existence to the tax authorities if requested ;
/ shall archive or have archived in a secure manner its electronic invoices and data contributing to the
establishment of the invoice ;
/ shall inform YesWeHack of the information concerning its identification and that relating to the content of
the invoices issued in its name and on its behalf and shall transmit the supporting documents as soon as
possible by digital means ;
/ shall bring to the attention of the agent, in case of dispute on an invoice, the information necessary for the
modification of the invoice, as soon as possible ;
/ shall pay to the tax authorities on which it depends the sums due to it in respect of the invoice ;
/ shall claim as soon as possible the double of an invoice if he or she has not received it ;
/ shall accept any invoice that YesWeHack has issued in his or her name and on his or her behalf. This
HUNTER GTUs - YES WE HACK (c) 2020 Page 13/20
 acceptance is done by clicking on the invoice when reading it. For evidentiary purposes, YesWeHack
keeps the proof of the click and ensures its reliable time stamping during the invoice archiving period. The
Hunter acknowledges having a fourteen (14) day period from the reading of the invoice to modify its
content. Failing this, the Hunter acknowledges having fully accepted it ;
/ acknowledges being fully responsible for the obligations and consequences in terms of invoicing in respect
of any sums owed to the tax authorities on which he or she depends ;
/ acknowledges that he or she will not be able to argue of the failure or delay of YesWeHack in the
establishment of the invoices to avoid the obligation to declare the collected tax owed to the tax
authorities on which he or she depends when it falls due ;
/ acknowledges that he or she remains liable for the sums owed to the tax authorities on which he or she
depends.

The Invoice established by YesWeHack expressly mentions:

/ That it is issued by YesWeHack in the name and on behalf of the Hunter expressly identified ;
/ The exchange rate applied for the conversion into EUR currency ;
/ The mandatory invoicing information such as the identity of the Hunter, the identity of the User, the
invoice number, the invoice date, the date of the Bug Bounty service, the value added tax (VAT)
identification, the legally applicable VAT rate, the precise designation of the Bug Bounty, the date or terms
of payment, if applicable, for Hunters not subject to VAT if it is applicable, the mentions imposed by the
tax administration on which he or she depends.

HUNTER GTUs - YES WE HACK (c) 2020 Page 14/20

APPENDIX A – PERSONAL DATA PROTECTION POLICY

The Personal Data which are communicated by the Hunter on the YESWEHACK platform are necessary for the
use of the Site accessible from the URL address https://yeswehack.com/auth/login and the Services.

YesWeHack carries out processing on these Personal Data in its capacity as data controller, in accordance with
Regulation (EU) 2016/679 of 27 April 2016 (General Regulation on Data Protection, hereinafter "GDPR”) and
Law N°78-17 of 6 January 1978 as amended. (1)

For the eWallet, YesWeHack processes the Personal Data relating to the Customer's manager that are
necessary for the creation and management of the eWallet, as data controller jointly with MANGOPAY, also data
controller, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation)
and Law N°78-17 of 6 January 1978 as amended. (2)

For the interpretation of the concepts related to the protection of Personal Data contained in this Appendix,
please refer to the definitions in the Article 4 of the GDPR and to the definitions in the GCU.

1.Processing of Personal Data by YesWeHack as data controller

What data are collected by YesWeHack?

The Personal Data relating to the Hunter that are processed by YesWeHack are as follows:

/ For registration on the Site: Identification data (name, first name, user name/alias) ; Contact data (email
address) ; Country.
/ For the invoicing mandate (individual/company status):

//Private individual: Identification data (surname, first name) ; Nationality ; Contact details (address,
region (optional), city, postcode, country).
//Company: Representative identification data (surname, first name) ; Nationality), Company
identification (company name).

/ For the attribution of an alias for registration on the Programs (YesWeHack mail): Identification data
(username/pseudonym) ; Contact details (e-mail address).
/ For sending information (YesWeHack events and commercial offers): Email address.
/ For the production of statistics of Hunters' activities: Connection history ; Report submission history ;
Rankings ; Impact score.
/ For the production of statistics on the Site's activity: aggregated data.
/ For the Hunter's ranking: points obtained by the Hunter (Ranking).
/ For the Hunter's activity tracking: Hunter's identification data (username/pseudo) ; Bug type ; Bug status
and date.
/ For the publication of the Hunter's information on the Site: Identification data (username/pseudo) ; Contact
information (internet accounts) ; Data related to the activity on the Site (ranking, reports, points).
/ For the proper functioning of the Services: Data on connection to the Services.
/ For the management of requests to exercise rights in application of the GDPR (access, data portability,
etc.): Identification data (surname, first name, user name/pseudonym) ; Contact details (email address) ;
subject of the request.
/ For the management of disputes: Identification data (name, first name, user name/pseudonym) ; any
information necessary to defend the rights of YesWeHack.

HUNTER GTUs - YES WE HACK (c) 2020 Page 15/20

What are the purposes and the legal basis of the processing carried out on these Personal Data?

Purpose of processing Legal basis

--- ---
Administration and technical and/or commercial management of
the Site and Services ; Article 6-1(b) of the GDPR: Performance of
Management of Hunter accounts Article 6-1(b) of the GDPR: contract
Performance of contract
--- ---
Article 6-1(b) of the GDPR: Performance of
Management of the invoicing mandate
contract
--- ---
Management of the Site, Services and Program security
(Legitimate interest : to ensure the proper functioning and security
of the YESWEHACK's activity) ;
Creation of e-mail adress aliases (legitimate interest: operation and
security of the Programs) ;
Sending information about YesWeHack (such as events, news) and
about its commercial offers corresponding to services similar to
Article 6-1(f) of the GDPR: Pursuit of
those already provided (legitimate interest: commercial
legitimate interests, with due respect for
development of YesWeHack) ;
the fundamental rights and freedoms of
Production of Hunter activity statistics / Ranking / Monitoring of
the data subjects
activities. (legitimate interest: measurement and monitoring of
activity on the Site) ;
Statistics on the activity of the YESWEHACK platform (legitimate
interest: measurement and development of the YESWEHACK
platform's activity on the basis of global indicators) ;
Litigation management (legitimate interest: defence of YesWeHack
rights)
--- ---
Article 6-1(a) of the GDPR: consent of the
Publication of the Hunter's information on the Site
data subject
--- ---
Article 6-1(c) of the GDPR: Compliance
Management of requests related to the exercise of the rights
with a legal obligation (especially Article
granted to the data subjects by the processing of personal data.
12 GDPR)

Who are the recipients of the Data?

The Personal Data of the Hunter is communicated to YesWeHack's authorised personnel for the fulfilment of the
purposes listed above, of its subcontractors providing the Services.
Subject to the Hunter's prior and express consent, under the conditions provided for in the Program rules,
certain Personal Data (name, surname, nationality) may be communicated to the User by YesWeHack.

HUNTER GTUs - YES WE HACK (c) 2020 Page 16/20

What is the retention period for data?

Administration and technical

and/or commercial management The Personal Data is kept for the duration of the account opening [current
of the Site and Services ; archiving].
Hunter account management/ They are kept for an additional period of 6 years (criminal statute of
Creation of email address aliases limitations in accordance with Article 8 of the Code of Criminal Procedure)
; from the time the account is closed [interim storage].
Management of the Site, Services They shall be deleted at the end of this period.
and Program security
--- ---
Management of the invoicing Retention of mandates for a period of 10 years from the end of the financial
mandate year (Article L. 123-22 paragraph 2 of the French Commercial Code)
--- ---
The email address is kept for a maximum of 3 years from the last contact
Communication and commercial
with the Hunter.
offers
Deletion at the end of this period.
--- ---
Hunter activity statistics / The data are kept for the entire period that the account is open and are
Ranking / Activity monitoring deleted at the end of this period.
--- ---
The Personal Data necessary for the management of the dispute are kept
Dispute Management
until the exhaustion of the means of appeal.
--- ---
Management of requests for the Requests are retained for evidentiary purposes for one year from the date
exercise of rights of YesWeHack's response.

What are the rights of the Hunters?

Under the GDPR, Hunters have the following rights:

/ the right of access, rectification and deletion of Personal Data under the conditions provided for by the
regulations (Articles 15 to 17 of the GDPR) ;
/ the right to limit the processing of this data under the conditions provided for by the regulations (Article 18
of the GDPR) ;
/ the right to the portability of data under the conditions provided for by the regulations (Article 20 of the
GDPR) ;
/ the right to object to the processing of the data under the conditions provided for by the regulations
(Article 21 of the GDPR) ;
/ the right to withdraw consent for the distribution of your information (exercised directly on the Site) ;
/ the right to lodge a complaint with the CNIL ;
/ the right to define directives allowing access to data in the event of death.

Requests relating to these rights can be made by email to the following address: [email protected],
specifying the subject of the request (the right in question) and attaching any supporting documents that allow
the applicant to be identified (if necessary) or to the mandate in the event of representation.

2. Processing of Personal Data carried out by YesWeHack as joint data controller with
MANGOPAY

YesWeHack processes the Personal Data relating to the Customer that are necessary for the creation and
management of the eWallet, as data controller jointly with MANGOPAY, also data controller, in accordance with
Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation) and Law N°78-17 of 6 January
1978 as amended.

MANGOPAY, a public limited company under Luxembourg law, whose registered office is located at 10
Boulevard Royal, L-2449 Luxembourg, registered with the Luxembourg Trade and Companies Register under
number B173459, is authorised to provide payment and electronic money services as an electronic money
institution approved by the Commission de Surveillance du Secteur Financier, 283 route d'Arlon L-1150
Luxembourg, www.cssf.lu.

MANGOPAY provides payment and e-money services related to the settlement of the Hunters' Rewards through
YesWeHack.
HUNTER GTUs - YES WE HACK (c) 2020 Page 17/20
YesWeHack and MANGOPAY as joint controllers of the processing of Personal Data have entered into a contract
allowing them to frame their respective obligations with regard to the protection of the Personal Data collected
and processed, in accordance with Article 26 of the GDPR.

What Personal Data does YesWeHack collect?

The Personal Data collected by YesWeHack are:

/ For eWallet creation and KYC verification: Identification Data (first and last name) ; Date of Birth ;
Nationality ; Contact Information (address, city, region (optional), zip code, country of residence) ;
Employment Status [occupation (optional), income bracket (optional)] ; KYC [proof of identity: passport or
national identity card for French nationals].
/ For the management of the eWallet: eWallet Mangopay ID ; Rewards management ; transaction list

The above Personal Data are communicated by YesWeHack to MANGOPAY, as they are necessary for the
subscription to MANGOPAY services and the opening of the account (eWallet). Details of the categories of
Personal Data processed by MANGOPAY for the provision of its payment services are set out in MANGOPAY's
terms of service accessible at the address: https://www.mangopay.com/terms/PSP/PSP_MANGOPAY_EN.pdf and
in its Privacy Policy.

What are the purposes and the legal basis of the processing carried out on these Personal Data?

Purposes Legal basis

--- ---
Creation of the eWallet (Data collection on the YESWEHACK
Platform for transmission to MANGOPAY) ;
Article 6-1(b) of the GDPR: Performance of
eWallet management (management of Rewards, list of
contract
transactions) ;
Customer Relationship Management
--- ---
Management of requests related to the exercise of the rights Article 6-1(c) of the GDPR: Compliance
granted to the data subjects by the processing of personal data. with a legal obligation (Article 12 GDPR)

HUNTER GTUs - YES WE HACK (c) 2020 Page 18/20

Purposes of the processing carried out by MANGOPAY

Purpose Legal basis

--- ---
Subscribing to the services and opening the
(eWallet) account in the books of MANGOPAY ;
Article 6-1(b) of the GDPR: Performance of contract
Managing these accounts and the execution of
(validation of the MANGOPAY terms of service)
payment operations ;
Managing payment orders.
--- ---
The fight against identity fraud ;
Article 6-1(f) of the GDPR: Pursuit of legitimate interests,
The fight against external fraud ;
with due respect for the fundamental rights and
The fight against card payment fraud ;
freedoms of the data subjects (legitimate interests
The preservation of the security of API MANGOPAY
deemed necessary for the activities of a payment service
and services in general ;
provider)
Statistics.
--- ---
The fight against money laundering and the
financing of terrorism ;
Consultation of the national directory of natural
persons RNIPP for inactive accounts ;
Article 6-1(c) of the GDPR: Compliance with a legal
Cooperation with public authorities or any law
obligation
enforcement or prudential supervisory authority in
the context of a supervision or investigation Article
6-1(c) of the GDPR: Compliance with a legal
obligation

Who are the recipients of the Personal Data?

For YesWeHack, the Personal Data of the Hunter is communicated to authorised personnel of YesWeHack and
its processor.
At the time of signing this contract, the processor is:

/ OVH (for data hosting) - 2 rue Kellermann – 59100 ROUBAIX

For MANGOPAY, the recipients of the Personal Data which are processed for the provision of its services and for
the achievement of its own purposes as set out above are listed in the MANGOPAY's terms of service,
accessible at the address:
https://www.mangopay.com/terms/PSP/PSP_MANGOPAY_EN.pdf and in its Privacy Policy.

What is the retention period for personal data?

The Personal Data of the Hunter collected and transmitted by YesWeHack in the context of the creation and
management of the eWallet is kept for the duration of the account. They are kept in an intermediate archive for
an additional 6 years for evidentiary purposes (penal prescription according to Article 8 of the Code of Criminal
Procedure), starting from the closing of the account. They shall be deleted at the end of this period.
For MANGOPAY, the Retention period of the Personal Data which are processed for the provision of its services
and for the achievement of its own purposes as set out above are listed in the MANGOPAY's terms of service,
accessible at the address:
https://www.mangopay.com/terms/PSP/PSP_MANGOPAY_EN.pdf and in its Privacy Policy.

What are the rights of the Hunters?

The rights granted to Hunters by the processing carried out by YesWeHack are:

/ the right of access, rectification and deletion of Personal Data under the conditions provided for by the
regulations (Articles 15 to 17 of the GDPR) ;
/ the right to limit the processing of this data under the conditions provided for by the regulations (Article 18
of the GDPR) ;
/ the right to the portability of data under the conditions provided for by the regulations (Article 20 of the
GDPR) ;
/ the right to withdraw consent for the distribution of your information (exercised directly on the Site) ;
/ the right to lodge a complaint with the CNIL ;
/ the right to define directives allowing access to data in the event of death.

HUNTER GTUs - YES WE HACK (c) 2020 Page 19/20

Requests relating to these rights can be made by email to the following address: [email protected],
specifying the subject of the request (the right in question) and attaching any supporting documents that allow
the applicant to be certify identified (if necessary) or to the mandate in the event of representation.

The rights granted to Hunters by the processing carried out by YesWeHack are:

/ the right of access, rectification and deletion of their data and under the conditions provided for by the
regulations (Articles 15 to 17 of the GDPR) ;
/ the right to limit the processing of this data under the conditions provided for by the regulations (Article 18
of the GDPR) ;
/ the right to the portability of data under the conditions provided for by the regulations (Article 20 of the
GDPR) ;
/ the right to object to the processing of the data under the conditions provided for by the regulations
(Article 21 of the GDPR) ;
/ the right to lodge a complaint with the CNIL ;
/ the right to define directives allowing access to their data in the event of death.

Requests relating to these rights can be made by email to the following address: [email protected],
specifying the subject of the request (the right in question) and attaching any supporting documents that allow
the applicant to be identified (if necessary) or to certify the mandate in the event of representation.

For MANGOPAY, the details of the rights and the modalities of exercise of these rights can be found in the
MANGOPAY's terms of service directly accessible at the address:
https://www.mangopay.com/terms/PSP/PSP_MANGOPAY_EN.pdf and in its Privacy Policy.

Are there cookies on YesWeHack?

YesWeHack does not use cookies on the Site. The identification system is made by JWT signed token.

DPO contact information: [email protected]

HUNTER GTUs - YES WE HACK (c) 2020 Page 20/20