Privacy & Data Protection

Disclosurely Limited ("Disclosurely", "we", "us" or "our"), a company registered in England and Wales with registered office at London, EC1V 2NX, United Kingdom, is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal data when you use our whistleblowing and compliance platform at disclosurely.com (the "Service").

We comply with the GDPR, UK GDPR (Data Protection Act 2018), the EU Whistleblowing Directive (2019/1937), and other applicable data protection laws.

This Privacy Policy applies to Customers, Authorised Users, Whistleblowers, and website visitors. Different sections may apply to different user types as indicated.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, do not use the Service.

The roles depend on the data and context: for Customer Account Data we act as Data Controller; for whistleblower reports the Customer acts as Controller and we act as Processor under the DPA; for website analytics we are Controller for anonymised usage data.

Contact: Customers should contact privacy@disclosurely.com. Whistleblowers should contact the organisation receiving their report.

Contractual Necessity (Article 6(1)(b)) – Processing is necessary to perform our contract with you, including providing the Service, managing your account, processing payments, and delivering support.

Legitimate Interests (Article 6(1)(f)) – Processing is necessary for our legitimate interests or those of a third party, including improving the Service, ensuring security, preventing fraud, conducting anonymised analytics, direct marketing to existing customers (opt-out), enforcing legal rights, and business administration.

Legal Obligations (Article 6(1)(c)) – Processing is necessary to comply with legal obligations, including the EU Whistleblowing Directive, GDPR requirements, financial and tax regulations, court orders and legal process, regulatory investigations, and record-keeping requirements.

Consent (Article 6(1)(a) and Article 9(2)(a)) – Explicit consent for marketing communications, optional data collection, processing of special category data (where applicable), and cookies beyond essential cookies. Consent can be withdrawn at any time.

Vital Interests (Article 6(1)(d)) – Processing necessary to protect vital interests, such as when a report involves imminent serious harm or threats to life.

Public Interest and Legal Claims (Article 9(2)(f) and (g)) – For special category data in whistleblower reports, processing may be necessary for the establishment, exercise, or defence of legal claims, or for reasons of substantial public interest.

Whistleblowing Legal Framework (Article 9(2)(g) and Directive 2019/1937) – Processing personal data in whistleblower reports is explicitly permitted under the EU Whistleblowing Directive for receiving, investigating, and following up on reports concerning breaches of law and serious misconduct.

Data Hosting: Customer Data is hosted on secure Supabase infrastructure in the EEA (Ireland/Frankfurt) with AES-256 at rest and TLS 1.3 in transit.

Data Residency: Personal data subject to GDPR remains within the EEA/UK with EU-based backups.

International Transfers: Not routine. If needed, we use SCCs, adequacy decisions, or other GDPR-compliant safeguards and notify Customers.

Subprocessors: Carefully selected and bound by written agreements; list available on request.

We retain personal data only as long as necessary for the purposes collected, legal obligations, disputes, and enforcement.

• Customer Account Data: duration of subscription plus six years; financial records retained seven years (UK tax law).
• Whistleblower Reports and Customer Data: retained per Customer instructions; deleted or returned within 30 days of termination unless law requires longer.
• Technical Logs and Security Data: up to 12 months for security and investigation.
• Marketing Data: until you unsubscribe/withdraw consent; suppression list kept to respect opt-outs.
• Anonymised Data: may be retained indefinitely for statistics and service improvement.
• Legal Holds: deletion may pause during litigation or investigations.

The Service may integrate with or link to third-party services not operated by Disclosurely.

We are not responsible for their privacy practices or security; review their privacy policies.

Examples: Stripe (payments), Google OAuth (authentication), transactional email providers.

The Service is not intended for children under 16 and we do not knowingly collect their data.

If we learn we collected data from a child under 16 without consent, we will delete it promptly.

If you believe this has occurred, contact privacy@disclosurely.com.

The Service supports anonymous reporting to protect whistleblower confidentiality. When enabled by a Customer, we minimise data collection and provide anonymous messaging.

Customers must not attempt to identify anonymous whistleblowers and must configure the Service lawfully. Complete anonymity cannot be guaranteed if identifying details are included or disclosure is required by law.

The Service uses only essential cookies for authentication, security, and preference storage.

We do not use advertising or marketing trackers; most cookies are session-based, some persist up to 30 days.

You can control cookies in your browser; disabling essential cookies may impact functionality. See browser help for instructions.

We may update this Privacy Policy to reflect changes in practices, technology, or legal requirements.

Material changes: notice via email (Customers), portal notice (Whistleblowers), and homepage notice (visitors) with at least 30 days where applicable.

Non-material changes: may be made without advance notice; please review periodically.

Continued use after changes constitutes acceptance; if you disagree, stop using the Service and request deletion where applicable.

Email: privacy@disclosurely.com (privacy and data protection) or support@disclosurely.com (general support)

Data Protection Officer: dpo@disclosurely.com

Address: Disclosurely Limited, London, EC1V 2NX, United Kingdom

Response Time: We respond to inquiries within 10 business days and resolve requests within one month (or notify of extensions).

Confidentiality and Anonymity: secure channels and anonymous reporting options with measures to prevent unauthorised access to whistleblower identities.

Data Minimisation: report data processed only as necessary; Customers should limit data collection to what is required.

Security: encryption and security measures protect integrity and confidentiality of reports and communications.

Retention Limits: Customers set retention in line with the Directive and national law; unnecessary data should be deleted once follow-up is complete.

Access Rights: report access restricted to authorised personnel with audit logging.

Data Subject Rights: GDPR rights must be balanced against protecting whistleblowers; Customers are responsible for this balance.

Disclaimer: Customers are responsible for legal compliance; Disclosurely provides the platform, not legal advice.