ØDIN Privacy Notice

This Privacy Notice applies to Mozilla’s 0Day Investigative Network (0Din) is a GenAI bug bounty program that incentivizes the discovery and reporting of security vulnerabilities in large language models, attention-based systems and other generative models to enhance Internet and personal safety (the “Program”).

The Service is owned, licensed, and operated by Mozilla Corporation (referred to herein as "we," "us," "our," or "Mozilla").

This Privacy Notice explains what information we collect, share, and otherwise process, and why. Your use of the Program constitutes your acceptance of this Privacy Notice, which is incorporated by reference in our Program Policy.

We collect the following information directly from you when you use the Service:

• Account Information: Your first and last name, email address, country, and password.
• Profile Information: Information you choose to provide in your profile, for example, your Bio.
• Submissions: We collect all submissions via our 0Din portal subject to our Program Policy.
• Communication: If you contact us in connection with the Service or provide feedback, we may also collect personal information, such as your name or email address, as well as any other personal information you choose to provide to us.

We also automatically receive certain information when you interact with the Service:

• Technical data: We receive basic telemetry data by default, which we use to improve the performance, stability, and security of the Service, including browser information, such as browser type.

We may also use information about you to find and address violations of our Program Policy or policies; investigate suspicious activity; detect, prevent, and combat harmful or unlawful behavior; and otherwise maintain the integrity of our Program.

We use third parties to provide the Service to you, and have contracted with these companies requiring them to protect your information (Third-Party Services):

• Google Cloud Platform: Google Cloud Platform (GCP) is a cloud-computing platform. We use GCP to manage services that facilitate responses to user prompts and page summarization.
• Elastic: We use Elastic for Application Performance Monitoring (APM) and error collection to help improve the quality of the Service. If you opt into additional data collection for error monitoring and performance tracking, we share URL information with Elastic so we can track and fix where issues occur.

The Service is not directed to children under 18 years of age, and we do not knowingly collect or solicit personal information from children. If the Service unknowingly collects personal information from a child under the age of 18 without parental consent, we will delete that information as soon as possible, unless we have a legal obligation to keep it. If you are a parent or guardian and believe your child has uploaded personal information to our site without your consent, you may contact us as described in “How to Contact Us” below.

If you have any questions, you can contact us at any time at 0din@mozilla.com to make requests regarding your personal information, please contact us through our Data Subject Access Request Portal. If you have any other questions regarding personal information or our privacy practices, please contact us at compliance@mozilla.com. We respond to all requests we receive from individuals wishing to exercise their rights in accordance with applicable laws.

These regions have data protection laws that require us to specify the following:

Our Privacy Notice describes the purposes for which we process information about you and the categories of information we process. We do not sell personal data.

Our lawful bases for collecting and processing personal information include:

• Performing our contract with you: Using the Program requires your agreement to the Program Policy.
• Legitimate interests: As described in this Privacy Notice, we also receive technical and interaction data of users, which may include IP addresses, and certain metrics to improve the security and reliability of our services, prevent fraud and abuse, log and address technical problems, and enforce our Program Policy.
• Consent: Where we ask for your consent to process your information, you can always withdraw this consent.

The following rights are granted by certain laws such as the General Data Protection Regulation (“GDPR”) in the EU and the California Consumer Privacy Act (“CCPA”) in California:

• The right to know what personal data is collected
• The right to know if personal data is being shared, and with whom
• The right to access your personal data
• The right to exercise your privacy rights without being discriminated against

In many cases, you can access, update, or delete your personal information directly from our product settings.

To make requests regarding your personal data, please contact us through our Data Subject Access Request Portal. If you have any other questions regarding personal data or our privacy practices, please contact us at dpo@mozilla.com, or you can contact our DPO by mail at:

Bird & Bird DPO Services SRL
Avenue Louise 235 b 1
1050 Brussels
Belgium

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. You also have the right to lodge a complaint with your local data protection authority.