Privacy and data protection

Disclosurely Limited ("Disclosurely", "we", "us" or "our"), a company registered in England and Wales with registered office at London, EC1V 2NX, United Kingdom, is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal data when you use our whistleblowing and compliance platform at disclosurely.com (the "Service").

We process personal data in line with applicable requirements under the General Data Protection Regulation (EU 2016/679) ("GDPR"), the UK GDPR (as enacted in the Data Protection Act 2018), the EU Whistleblowing Directive (2019/1937), and other applicable data protection law.

This Privacy Policy applies to all users of the Service, including: (a) Customers (organisations subscribing to the Service); (b) Authorised Users (employees and agents of Customer organisations); (c) Whistleblowers (individuals submitting reports); and (d) website visitors. Different sections may apply to different user types as indicated.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, you must not use the Service.

The roles of Data Controller and Data Processor depend on the type of data and the context in which it is processed:

For Customer Account Data: When you register as a Customer, subscribe to the Service, or manage your account and billing, Disclosurely acts as the Data Controller for your personal data (name, email, company details, billing information, etc.).

For Whistleblower Reports and Customer Data: When Customers use the Service to receive and manage whistleblower reports, the Customer organisation acts as the Data Controller for all report content and personal data contained therein. Disclosurely acts as the Data Processor, processing this data strictly according to the Customer's documented instructions and our Data Processing Agreement (DPA).

For Website Analytics: Disclosurely acts as the Data Controller for anonymised website usage data collected through essential cookies.

Contact Information: For questions about how your personal data is processed, Customers should contact privacy@disclosurely.com. Whistleblowers should contact the organisation to which they submitted their report, as that organisation is the Data Controller for report content.

Contractual Necessity (Article 6(1)(b)) – Processing is necessary to perform our contract with you, including: providing the Service you subscribed to; managing your account; processing payments; and delivering customer support

Legitimate Interests (Article 6(1)(f)) – Processing is necessary for our legitimate interests or those of a third party, including: improving and optimising the Service; ensuring security and preventing fraud; conducting analytics (anonymised); direct marketing to existing customers (subject to opt-out); enforcing legal rights; and business administration. We always balance our legitimate interests against your rights and freedoms

Legal Obligations (Article 6(1)(c)) – Processing is necessary to comply with legal obligations, including: compliance with the EU Whistleblowing Directive; GDPR requirements; financial and tax regulations; court orders and legal process; regulatory investigations; and record-keeping requirements

Consent (Article 6(1)(a) and Article 9(2)(a)) – You have given explicit consent for processing, including: marketing communications; optional data collection; processing of special category data (where applicable); and cookies beyond essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal

Vital Interests (Article 6(1)(d)) – Processing is necessary to protect vital interests, such as when a report involves imminent serious harm or threats to life

Public Interest and Legal Claims (Article 9(2)(f) and (g)) – For special category data in whistleblower reports, processing may be necessary for the establishment, exercise, or defence of legal claims, or when processing is necessary for reasons of substantial public interest (prevention of unlawful acts, protection of public interest in the area of employment law and social security)

Whistleblowing Legal Framework (Article 9(2)(g) and Directive 2019/1937) – Processing of personal data in whistleblower reports is explicitly permitted under the EU Whistleblowing Directive for the purposes of receiving, investigating, and following up on reports concerning breaches of EU law and serious misconduct

Data hosting: Customer Data is processed using infrastructure we configure with Supabase in the EEA (Ireland and, where used, Frankfurt). Data in transit is protected using TLS 1.3 (or equivalent). Stored content at rest is protected using AES-256-GCM (or an equivalent industry-standard algorithm).

Data residency: we configure primary storage and backups to remain within the EEA/UK unless we engage a subprocessor outside those regions with appropriate safeguards (see International transfers).

International transfers: we do not routinely transfer personal data outside the EEA/UK. If a transfer becomes necessary (for example to a subprocessor), we use mechanisms required by GDPR Chapter V where applicable, such as Standard Contractual Clauses or adequacy decisions, and we notify Customers where we are required to do so.

Subprocessors: we engage carefully selected subprocessors under written agreements. A current list of material subprocessors is available on request. We conduct proportionate due diligence and require appropriate confidentiality and security commitments.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are:

• Customer Account Data: Retained for the duration of your active subscription plus six (6) years after account closure for accounting, tax, and legal purposes. Financial records are retained for seven (7) years to comply with UK tax law.
• Whistleblower Reports and Customer Data: As Data Processor, we retain this data according to the Customer's instructions (the Customer, as Data Controller, determines retention periods). Upon account termination or Customer request, we will delete or return all Customer Data within thirty (30) days, unless longer retention is required by law. Customers must ensure their retention periods comply with the EU Whistleblowing Directive (which generally requires retention for the duration of investigations and legal proceedings, with a maximum recommended period of five years after case closure).
• Technical Logs and Security Data: Retained for up to twelve (12) months for security monitoring, fraud prevention, and incident investigation purposes, then automatically deleted.
• Marketing Data: Retained until you unsubscribe or withdraw consent, then deleted within thirty (30) days. We may retain a suppression list of unsubscribed email addresses to ensure we do not contact you again.
• Anonymised Data: We may retain anonymised and aggregated data indefinitely for statistical analysis, research, and service improvement. This data cannot be used to identify individuals.
• Legal Holds: In the event of litigation, investigation, or regulatory inquiry, we may suspend deletion of relevant data until the matter is resolved, as required by law.

The Service may integrate with or contain links to third-party websites, applications, or services ("Third-Party Services") that are not operated by Disclosurely. This Privacy Policy does not apply to Third-Party Services.

We are not responsible for the privacy practices, content, or security of Third-Party Services. We encourage you to review the privacy policies of any Third-Party Services you access.

Third-Party Services we may use include: (a) Stripe for payment processing (Stripe Privacy Policy: stripe.com/privacy); (b) Google OAuth for authentication (Google Privacy Policy: policies.google.com/privacy); and (c) email service providers for transactional emails.

The Service is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, you must not use the Service or provide any personal data to us.

If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information as soon as possible.

If you believe we have collected personal data from a child under 16, please contact us immediately at privacy@disclosurely.com.

The Service offers anonymous reporting functionality to protect whistleblower confidentiality in accordance with the EU Whistleblowing Directive. When anonymous reporting is enabled by a Customer:

We minimise data collection: IP addresses, device identifiers, and other metadata that could identify the whistleblower are not collected or are anonymised. Whistleblowers access their reports using a unique access code that does not require registration or authentication with personal information.

Anonymous messaging: where enabled, whistleblowers can communicate with the Customer through messaging protected in transit and subject to access controls configured for the Service. The precise technical model depends on your organisation’s configuration; it should not be assumed to provide end-to-end encryption in every deployment.

Customer Obligations: Customers are responsible for ensuring they do not attempt to identify anonymous whistleblowers. Customers must configure the Service in accordance with applicable law and their whistleblowing procedures.

Limitations: Complete anonymity cannot be guaranteed in all circumstances. For example, if a whistleblower includes identifying information in their report, or if disclosure is required by law, anonymity may be compromised. Whistleblowers are advised not to include personal information in reports if they wish to remain anonymous.

The Service uses cookies and similar tracking technologies. A cookie is a small text file stored on your device that allows us to recognise your browser and capture certain information.

Types of Cookies We Use: We use only essential cookies that are strictly necessary for the Service to function. These include: (a) Session cookies: to authenticate users and maintain your logged-in state; (b) Security cookies: to detect authentication abuse and protect user accounts; (c) Functionality cookies: to remember your preferences (e.g., language settings).

We do not use: Advertising cookies, tracking cookies, analytics cookies (other than anonymised internal analytics), or third-party marketing cookies.

Cookie Duration: Most cookies are session cookies that expire when you close your browser. Some cookies persist for up to 30 days to maintain your login state.

Managing Cookies: You can control cookies through your browser settings. Most browsers allow you to refuse cookies or delete cookies. However, if you disable essential cookies, you may not be able to use certain features of the Service. For browser-specific instructions, see: Chrome: support.google.com/chrome/answer/95647; Firefox: support.mozilla.org/kb/enable-and-disable-cookies-website-preferences; Safari: support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac; Edge: support.microsoft.com/help/4027947/microsoft-edge-delete-cookies.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes as follows:

For Customers: We will send email notification to the email address associated with your account at least thirty (30) days before material changes take effect. We will also post a notice on the Service dashboard.

For Whistleblowers: Material changes will be posted on the reporting portal, and the effective date at the top of this Privacy Policy will be updated.

For Website Visitors: We will post a notice on our website homepage for thirty (30) days.

Non-Material Changes: Minor changes, clarifications, or corrections may be made without advance notice. We encourage you to review this Privacy Policy periodically.

Continued Use: Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree to changes, you must stop using the Service and may request deletion of your data.

If you have questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Disclosurely Limited

London, EC1V 2NX, United Kingdom

Email: privacy@disclosurely.com (for privacy and data protection inquiries) or support@disclosurely.com (for general support)

Data Protection Officer: We have appointed a Data Protection Officer (DPO) who can be contacted at: dpo@disclosurely.com

Response times: we aim to acknowledge privacy inquiries promptly. Where GDPR applies to a request, we will generally respond within one month (which may be extended in complex cases, when we will notify you).

The Service is designed to support common requirements under the EU Whistleblowing Directive (Directive 2019/1937) and national implementing legislation. Key measures include:

Confidentiality and Anonymity: The Service provides secure channels that protect the confidentiality of whistleblowers, including anonymous reporting options. We implement technical and organisational measures to prevent unauthorised access to whistleblower identities.

Data Minimisation: Personal data in reports is processed only to the extent necessary for the purposes of receiving, investigating, and following up on reports. Customers are advised to limit data collection to what is necessary.

Security: we apply encryption and access controls intended to protect the integrity and confidentiality of reports and communications, consistent with our Security page and DPA.

Retention Limits: Customers are responsible for establishing retention periods for reports in accordance with the Directive and national law. The Directive generally requires deletion of data that is not necessary for follow-up actions.

Access Rights: Access to whistleblower identity and report content is restricted to authorised personnel designated by the Customer. We provide audit logs to track access.

Data Subject Rights: While the Directive requires protection of whistleblower confidentiality, data subjects (including persons mentioned in reports) retain their GDPR rights, which must be balanced against the need to protect whistleblowers. Customers are responsible for managing this balance.

Disclaimer: Customers are solely responsible for ensuring their use of the Service and their internal whistleblowing procedures comply with the EU Whistleblowing Directive and all applicable national laws. Disclosurely provides the technical platform but does not provide legal advice on compliance.