Luta Security Privacy Policy

 

Last Updated: September 1, 2020

Overview

Luta Security is a company that helps organizations with Vulnerability Disclosure Programs, specializing in governments, large organizations, multi-party supply chain vulnerability coordination, and sustainable Bug Bounty Architecture. We also provide Services to help organizations and government agencies identify resources to develop and maintain security programs. Protecting data is at the core of what we do.

Luta Security takes your online privacy on our website seriously. The privacy practices described in this privacy policy apply to lutasecurity.com and to all of our websites and wholly owned subsidiary websites (collectively, the “Site”).

 

We, Luta Security, collect, use, and otherwise process various kinds of information from or about you or your device (“personal information”) to provide you with our Services. As used in this Privacy Policy, the “Services” means the personalized services provided by Luta Security including but not limited to an initial assessment of an organization’s Vulnerability Coordination Maturity by applying our proprietary model and connecting individuals or vendors with Luta Security customers for the purpose of supporting their security programs. We will only use personal information in the manner described in this Privacy Policy or as otherwise permitted by law.

Information we collect

Luta Security may collect the following categories of personal information from the sources identified below:

  • Information you choose to provide to us. We collect the information you choose to provide to us, which may include personal information, for example contact information, location, and details about the types of support required or services provided through a form on our Website. We may also collect the information you submit through other means, including surveys.

  • Usage and log data. We collect information when you use and interact with the Services. For example, we may collect your IP address, device type, device language setting, screen size, device identifiers, advertising identifiers, browser type, and your actions in the Services.

  • Data collected through cookies and similar technologies. As you navigate through and interact with our websites, we may automatically collect certain information about your equipment, browsing actions and patterns using common internet technologies, such as cookies. This may include details of your visits to our websites, including information about your connectivity, such as your IP address and browser information, location data, logs and other communication data, and the resources that you access and use on the websites. This information helps us to improve our websites and to deliver better and more personalized content and services by enabling us to estimate our audience size and usage patterns and recognize you when you return to our websites.

  • Data from other parties. We may work with other parties to support our services, better promote our services, partner with similar services, and other reasons as described below. These parties may send us information about you, your device, or browser (such as demographics and online history) for the purposes described in this Privacy Policy.

 

How we use the information we collect

  • Use of Personal Information. We use the categories of personal information listed above for the following purposes:

    • providing the functionality of the Services and fulfilling your requests

    • tracking engagements and needs of you and other users

    • contacting you

    • improving our Services and developing new services

    • reporting and analysis, including compiling aggregate or anonymized data

    • fraud and security monitoring

    • conducting research, such as better understanding the needs of security organizations

    • protecting your and our rights

    • customer support

    • performing obligations and exercising rights; and any other purpose that is disclosed to you at the time we collect the information or that is related to a request made by you

We will engage in these activities to manage our relationship with you, to comply with a legal obligation, to protect the vital interests of individuals, to perform a task in the public interest, or with your consent to the extent required by law.

  • Use of Aggregated or De-Identified Information. We may collect and use information that is no longer reasonably linked to an individual or device for any purpose. For example, we may aggregate or de-identify personal information and analyze the resulting statistical information to help analyze industry trends.

Sharing information with third parties

Luta Security holds third parties with whom personal data is shared to our same privacy principles and standards. We may share your personal information as follows:

  • Service Providers. We may share personal information with our third-party service providers for them to facilitate services they provide to us. These services include things like website hosting; data storage; data analysis; social sharing; maps/directions services; information technology and related infrastructure provision; customer service; email and notifications delivery (including marketing messaging); and auditing.

  • For legal reasons. We may share personal information as we believe necessary or appropriate to comply with applicable laws and regulations; to cooperate with law enforcement; to enforce our terms and conditions; to protect our rights, privacy, safety, or property and/or that of our affiliates, you, or others; to prevent or take action regarding possible illegal activities or a violation of our policies; or for other legal reasons. These obligations may arise from laws and requests from authorities outside your country of residence.

  • In connection with a sale or business transaction: We may disclose or transfer your personal information to a potential or actual buyer in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings), including any due diligence related to such a transaction, in accordance with applicable law.

  • With your consent or when you otherwise choose to share. We may share personal information with any party when we have your consent or when you otherwise choose to share such information, for example by using our social sharing functions (which may have their own terms).

  • Luta Security does not sell personal information.

Security

We use organizational, technical, physical, and administrative data security measures intended to protect personal information within our organization. Note that if you allow others to access your account, they may be able to view information about or stored within your account, including what content you’ve viewed.

  • Privacy by design and impact assessments: We consider privacy when building or designing applications, systems and processes that may involve the collection of personal data, and assess them to ensure that privacy-related risks to data subjects are considered and mitigated to the extent reasonably possible.

  • Risk and program assessments: Luta Security regularly reviews its privacy program and practices to ensure continued internal compliance, effectiveness and alignment with emerging law and best practices.

  • Incident notification: Luta Security will notify affected data subjects promptly after becoming aware of an incident involving a data breach by Luta Security or its vendors as required by law.

  • Data used for marketing purposes: Where personal data is used to send sales and marketing communications about Luta Security’s products, we will follow protocols to ensure that we obtain all required consents, and that we offer opt-out and unsubscribe opportunities as required by applicable laws.

 

Your Rights

If you would like to request to access, correct, update, suppress, restrict, or delete personal information, object to or opt out of the processing of personal information, withdraw your consent for the collection, use, or disclosure of your personal information, or if you would like to request to receive a copy of your personal information (to the extent these rights are provided to you by applicable law), you may contact us in accordance with the Contact Us section below and clearly describe your request. We will respond to your request consistent with applicable law.

In your request, please make clear what personal information you would like to have provided or changed, or whether you would like to have your personal information suppressed from our database. For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request.

We will try to comply with your request as soon as reasonably practicable or as required by applicable law. Please note that if you choose to suppress or delete information, we may need to retain certain information for purposes such as recordkeeping, security, fraud prevention, legal requirements, and/or to complete any transactions that you began prior to requesting a change or deletion.

 

Retention

We retain personal information for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law. The criteria used to determine our retention periods may include:

  • how long we have a legitimate need to keep the personal information, or, if our collection is based on consent, whether you have revoked your consent

  • the length of time we have an ongoing relationship with you and provide the Services to you

  • whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them) or

  • whether retention is advisable to protect our rights or the rights or freedoms of our users (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations)

 

Third Parties

This Privacy Policy does not address, and we are not responsible for the privacy, security, information, or other practices of any third parties, including any third party operating any website or service to which our Services link. The inclusion of a link in our Services does not imply endorsement of the linked site or service by us or by our affiliates.

In addition, we are not responsible for the information collection, use, disclosure, or security policies or practices of other organizations, such as partner organizations, social media platform providers, operating system providers, or wireless service providers, including with respect to any personal information you disclose to other organizations through or in connection with the Services.

 

Use of our services by Children

We do not knowingly collect or sell personal information from children (as defined under applicable law) without involvement and approval of a parent or guardian, unless consistent with applicable law. Our Services are appropriate for individuals 18 years or older.

 

Sensitive Information

Unless we request it, do not send or disclose to us any sensitive personal information (e.g., social security/social insurance numbers, copies of personal identification cards such as driver's licenses, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background, or trade union membership) on or through the Services, or otherwise.

 

Updates to this privacy policy

The “Last Updated” date at the top of this Privacy Policy indicates when this Privacy Policy was last revised. We reserve the right to revise this Privacy Policy from time to time. Any changes will become effective when we post the revised Privacy Policy on the Services or as otherwise stated in the revised Privacy Policy.

 

Global privacy laws

Luta Security complies with the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Under the GDPR, we have an obligation to maintain the security of data concerning European data subjects, respect their rights to access that data and inform them about how data is used, and make sure that in developing applications and systems, we make “privacy by design” and “privacy by default” a part of our culture. Under CCPA we are required to give California consumers similar access to their personal information and establish security measures to prevent data breaches. In addition, Luta Security continues to monitor the development of new data privacy laws in other places where we do business.

To make a request to use one of these rights, please contact us in accordance with the “Contact Us” section below. You must use the email used in your account or used to participate in a survey to make the request. Alternatively, you may designate an authorized agent to make a data request to us on your behalf under the CCPA. In order for such an agent to make a request, they must provide proof of their power of attorney and valid government identification of both the requester and the agent. In some instances, we may decline to honor your request where an exception applies, such as where the disclosure of personal information would adversely affect the rights and freedoms of another California resident. Consistent with California law, we will not charge you different prices or provide a different quality of service if you use your rights unless it relates to the value of the information.

 

Contact us

Luta Security is the company responsible for collection, use, and disclosure of your personal information under this Privacy Policy. If you have any questions about this Privacy Policy, please contact us at info@lutasecurity.com.

© Luta Security, Inc.