ØDIN Privacy Notice

This Privacy Notice applies to Mozilla’s 0 Day Investigative Network (“0DIN”) platform, tools, software and any documentation we may include on our website as well as the 0DIN GenAI bug bounty program that incentivizes the discovery and reporting of security vulnerabilities in large language models, attention-based systems and other generative models to enhance Internet and personal safety (the “Program”) (together the “Services”).

The Service is owned, licensed, and operated by Mozilla Corporation (referred to herein as "we," "us," "our," or "Mozilla").

This Privacy Notice explains what information we collect, share, and otherwise process, and why. We also adhere to the Mozilla Privacy Policy when we receive, handle, and share personal information. Your use of the Program constitutes your acceptance of this Privacy Notice, which is incorporated by reference in our Bug Bounty Terms and Conditions.

We collect the following information directly from you when you use the Service:

• Account Information: Your first and last name, email address, country code, and password.
• Profile Information: Information you choose to provide in your profile, for example, your Bio. Researchers (as defined in our Bug Bounty Terms and Conditions) have the option to make their profile information and submission statistics available in our leaderboard for third parties to view.
• Submissions: We collect all submissions via our 0DIN portal subject to our Bug Bounty Terms and Conditions.
• Payment Information In order to process payments to our Researchers and receive payments from our Customers (as defined in our Master Services Agreement), we collect, name, company name, contact details (physical address, phone, email address), payment method (such as account or card information), beneficiary payment information (if donating bounty reward), tax identification documentation, amounts due or paid, and associated transaction details.
• Communication: If you contact us in connection with the Service or provide feedback, we may also collect personal information, such as your name or email address, as well as any other personal information you choose to provide to us.

We also automatically receive certain information when you interact with the Service:

• Technical data: We receive basic telemetry data by default, which we use to improve the performance, stability, and security of the Service, including browser information, such as browser type, and requested resource (URI).
• Location data: Your IP address is collected as part of our server logs, and automatically deleted after 90 days. We also collect and store the IP address associated with your last account login attempt. We use it to approximate your location to comply with relevant legal and regulatory requirements, as well as for fraud and abuse prevention purposes.
• Metrics: We may also use cookies, device information, and IP addresses, along with clear GIFs, cookies, and third party services to securely operate some of the Services, help us understand how users engage with our Services, such as visits to our site and settings preferences, and provide additional functionality. We use:
  • Google Analytics to obtain metrics on how users engage with our websites. This helps us to improve site content. For more information about how Google uses your personal information, please visit Google Analytics’ Privacy & Security. You can install the Google Analytics Opt-out Browser Add-on to prevent data collection about your visits to the Services and prohibit data transmission to Google Analytics.

We may also use information about you to find and address violations of our Program Policy or policies; investigate suspicious activity; detect, prevent, and combat harmful or unlawful behavior; and otherwise maintain the integrity of our Program.

We use third parties to provide the Service to you, and have contracted with these companies requiring them to protect your information (Third-Party Services):

• Google Cloud Platform: Google Cloud Platform (GCP) is a cloud-computing platform. We use GCP to manage services that facilitate responses to user prompts and page summarization.
• Elastic: We use Elastic for Application Performance Monitoring (APM) and error collection to help improve the quality of the Service. If you opt into additional data collection for error monitoring and performance tracking, we share URL information with Elastic so we can track and fix where issues occur.

The Service is not directed to children under 18 years of age, and we do not knowingly collect or solicit personal information from children. If the Service unknowingly collects personal information from a child under the age of 18 without parental consent, we will delete that information as soon as possible, unless we have a legal obligation to keep it. If you are a parent or guardian and believe your child has uploaded personal information to our site without your consent, you may contact us as described in “How to Contact Us” below.

If you have any questions, you can contact us at any time at 0din@mozilla.com to make requests regarding your personal information, please contact us through our Data Subject Access Request Portal. If you have any other questions regarding personal information or our privacy practices, please contact us at compliance@mozilla.com. We respond to all requests we receive from individuals wishing to exercise their rights in accordance with applicable laws.

These regions have data protection laws that require us to specify the following:

Our Privacy Notice describes the purposes for which we process information about you and the categories of information we process. We do not sell personal data.

Our lawful bases for collecting and processing personal information include:

• Performing our contract with you: Using the Program requires your agreement to the Program Policy.
• Legitimate interests: As described in this Privacy Notice, we also receive technical and interaction data of users, which may include IP addresses, and certain metrics to improve the security and reliability of our services, prevent fraud and abuse, log and address technical problems, and enforce our Program Policy.
• Consent: Where we ask for your consent to process your information, you can always withdraw this consent.

The following rights are granted by certain laws such as the General Data Protection Regulation (“GDPR”) in the EU and the California Consumer Privacy Act (“CCPA”) in California:

• The right to know what personal data is collected
• The right to know if personal data is being shared, and with whom
• The right to access your personal data
• The right to exercise your privacy rights without being discriminated against

In many cases, you can access, update, or delete your personal information directly from our product settings.

To make requests regarding your personal data, please contact us through our Data Subject Access Request Portal. If you have any other questions regarding personal data or our privacy practices, please contact us at dpo@mozilla.com, or you can contact our DPO by mail at:

Bird & Bird DPO Services SRL
Avenue Louise 235 b 1
1050 Brussels
Belgium

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. You also have the right to lodge a complaint with your local data protection authority.