Privacy Policy

a) Client data (the organisation)

• Account data — the email address of the designated person, the organisation name.
• Encryption public key — generated and stored for E2E encryption of reports.
• Communications — the content of emails sent to us, support requests.

b) Whistleblower data

c) Automatically collected data (dashboard only)

• Technical data — IP address, browser type (only for authenticated users on the dashboard).
• Session cookies — in accordance with the Cookie Policy.

• Provision of Services — account creation and management, operation of the reporting channel, encryption and storage of reports.
• Service communications — notifications about new reports, expiry of legal deadlines, Platform updates.
• Security — infrastructure protection, detection of abusive use, prevention of unauthorised access.
• Legal compliance — fulfilment of legal obligations (Directive (EU) 2019/1937, GDPR, tax legislation).

We do not sell, rent or share users' personal data with third parties for marketing purposes.

We process personal data on the following legal bases (Art. 6 GDPR):

• Account data — for the duration of the account and up to 30 days after a deletion request.
• Encrypted reports — in accordance with the Client's retention policy and the obligations under Directive (EU) 2019/1937 (minimum 5 years from the date of the report).
• Technical data (dashboard) — up to 12 months from collection.
• Communications and support requests — up to 3 years from the last communication.
• Invoicing data — 10 years in accordance with Romanian tax legislation (Law No. 82/1991).

Personal data may be accessed or processed by the following sub-processors:

For data transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

Important: Report contents are E2E encrypted and are not accessible to any sub-processor.

Under the GDPR, you are entitled to the following rights:

• Right of access (Art. 15) — to obtain a copy of the personal data being processed.
• Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
• Right to erasure (Art. 17) — to have data deleted in the circumstances provided by law.
• Right to restriction of processing (Art. 18) — to limit processing in certain situations.
• Right to data portability (Art. 20) — to receive data in a structured format (JSON/CSV).
• Right to object (Art. 21) — to object to processing based on legitimate interest.
• Right to withdraw consent (Art. 7) — to withdraw consent at any time.
• Right not to be subject to automated decision-making (Art. 22) — including profiling.

To exercise your rights, send an email to contact@whistle-box.eu with the subject "GDPR Request WhistleBox".

We implement appropriate technical and organisational measures to protect personal data:

• End-to-end encryption (E2E) of report contents.
• Encryption in transit (TLS 1.2+) for all communications with the server.
• Passwords are stored using secure hashing algorithms (bcrypt with salt).
• Restricted access to databases and infrastructure, on the principle of least privilege.
• Servers located in the European Union (Hetzner Online GmbH, Germany).
• Regular encrypted backups.
• Continuous monitoring of access and anomalies.
• Authentication via time-limited JWT tokens.
• Reporting pages (/r/) do not set cookies and do not collect identifying data.

The Operator may update this policy periodically. Users shall be notified by email and/or through an announcement on the Platform at least 15 days before significant amendments come into effect.