PRIVACY POLICY
Whistleblowing Platform
1. INTRODUCTION
1.1 Who We Are
This Privacy Policy applies to the whistleblowing platform (hereinafter "Platform" or "Service") provided by ADVISION PLUS LTD, a company registered in England with registered office at C/O Pollock Accounting, 3 - 4 Sentinel Square, London, England, NW4 2EL, company registration number 12586003 (hereinafter "we", "our" or "Company").
1.2 Purpose of the Privacy Policy
This Privacy Policy describes how we collect, use, share and protect personal information obtained through our Platform. Protecting the privacy of our users is a top priority for us, especially considering the sensitive nature of whistleblowing reports.
1.3 Definitions
For the purposes of this Privacy Policy:
- "Personal data": any information relating to an identified or identifiable natural person.
- "Processing": any operation or set of operations performed on personal data.
- "Data controller": the natural or legal person who determines the purposes and means of processing personal data.
- "Customer": the organization that subscribes to use the Platform.
- "Whistleblower": the person who makes a report through the Platform.
- "Investigator": the person designated by the Customer to examine and manage reports.
2. INFORMATION COLLECTION
2.1 Customer Information
We collect and process the following personal data from our Customers during registration and use of the Service:
- Identification and contact information (first name, last name, email address, phone number)
- Organization information (company name, address, VAT/tax code)
- Billing and payment information
- Access credentials (username and encrypted password)
- Platform access and usage logs
2.2 Whistleblower Information
For whistleblowers who choose to remain anonymous:
- We do not intentionally collect identifying personal data
- We do not track IP addresses or emails
- We do not use tracking cookies to identify users
For whistleblowers who choose to identify themselves:
- We only collect personal data they voluntarily choose to provide (such as name, surname, email)
- This data is treated with the highest level of confidentiality
2.3 Content of Reports
Data included in reports may contain:
- Descriptions of alleged wrongdoings or irregularities
- Dates and places related to reported events
- Names or roles of individuals involved
- Documents or files attached as evidence to support the report
All contents of reports are encrypted using AES-256 encryption and are only accessible to authorized investigators.
3. INFORMATION USE
3.1 Purpose of Processing
We use the information collected for the following purposes:
- Provide and manage the whistleblowing reporting service
- Allow the management and investigation of reports by the investigators designated by the Customer
- Ensure secure and anonymous communication between whistleblowers and investigators
- Manage Customer accounts and the contractual relationship
- Improve and optimize the Platform
- Ensure the security of the Platform
- Comply with legal obligations
3.2 Legal Basis for Processing
The processing of personal data takes place on the basis of the following conditions:
- Execution of the contract with our Customers
- Legitimate interest of the Company and Customers
- Consent of the individual, where applicable
- Compliance with the EU Directive 2019/1937 on whistleblower protection
- Relevant public interest in preventing and detecting crimes
4. DATA RETENTION
4.1 Retention Period
Personal data and reports are retained for different periods depending on the Customer's subscription plan:
- Starter Plan: retention for 6 months
- Medium Plan: retention for 2 years
- Advanced Plan: retention for 5 years
At the end of the retention period, the data is securely and irreversibly deleted.
4.2 Extended Retention
In some cases, we may retain data for longer periods:
- For compliance with legal obligations
- In case of ongoing litigation
- On request of competent authorities
In these cases, we will limit access to the data and ensure its security during the extended retention period.
5. DATA SECURITY
5.1 Technical Security Measures
We adopt robust technical security measures to protect data:
- AES-256 encryption for all report data
- Secure connections via HTTPS/SSL protocol
- Firewalls and intrusion detection systems
- Continuous access monitoring
- Regular and encrypted backups
- Secure server infrastructure with firewall protection
5.2 Organizational Security Measures
Our organizational measures include:
- Data access limited only to authorized personnel
- Staff training on data security and confidentiality
- Security incident management procedures
- Periodic reviews of our security measures
- Confidentiality agreements with staff and suppliers
5.3 Data Breach Notification
In the event of a personal data breach that presents a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. We will also inform the data subjects when the breach is likely to present a high risk to their rights and freedoms.
6. INFORMATION SHARING
6.1 Access to Reports
Reports are accessible exclusively to investigators designated by the Customer and only for the branches to which they have been assigned. The Company does not access the content of reports except in cases strictly necessary for technical maintenance of the system or when requested by competent authorities.
6.2 Service Providers
We may share some information with third-party service providers who support us in providing the Service (e.g., hosting providers, payment services). All our suppliers are bound by contractual obligations of confidentiality and security and process data only according to our instructions.
6.3 Authority Requests
We may disclose personal data in response to legitimate requests from public authorities, including those related to national security or law enforcement. In these cases, we will create specific access to allow authorities to access only data relevant to their request.
6.4 International Data Transfers
Our servers are located in the United Kingdom. Should it be necessary to transfer personal data outside the United Kingdom or the European Economic Area, we will ensure that such transfers take place in accordance with applicable data protection regulations and that adequate safeguards are in place.
7. RIGHTS OF DATA SUBJECTS
7.1 Rights of Customers and Investigators
Our Customers and their designated investigators have the right to:
- Access their personal data
- Rectify inaccurate data
- Delete their data (right to be forgotten)
- Restrict the processing of their data
- Request portability of their data
- Object to processing
- Withdraw consent (when processing is based on consent)
- Lodge a complaint with the competent supervisory authority
To exercise these rights, you can contact us using the details provided in the "Contacts" section.
7.2 Whistleblower Rights
Whistleblowers who have identified themselves have the same rights listed in section 7.1. For anonymous whistleblowers, the very nature of anonymity may limit the ability to exercise some of these rights, as we do not have identifying data.
7.3 Limitations to Rights
In some cases, we may not be able to fully satisfy a rights request if doing so would compromise the confidentiality of others, violate the law, interfere with an ongoing investigation, or compromise the security of the system. In these cases, we will explain the reasons for our decision.
8. COOKIES AND SIMILAR TECHNOLOGIES
8.1 Use of Cookies
Our Platform uses different types of cookies to ensure the functioning of the site and improve the user experience. We use both essential technical cookies and analytical and marketing cookies.
8.2 Types of Cookies
The cookies we use fall into the following categories:
- Essential technical cookies: necessary for the functioning of the site and to provide the requested services
- Analytical cookies: help us understand how users interact with our site, allowing us to improve functionality and performance
- Marketing cookies: used to track visitors across websites in order to display relevant and engaging advertisements for the individual user
8.3 Google Analytics and Marketing Tools
We use Google Analytics and other analytical tools to collect information about how visitors use our site. These tools may collect data such as IP address, browser type, internet service provider, referring/exit pages, files viewed on our site (such as HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data.
8.4 Cookie Preferences Management
Users can manage their cookie preferences through the cookie banner on our site. You can accept or reject non-essential cookies at any time. Additionally, most web browsers allow some control over most cookies through the browser settings.
8.5 Legal Basis for Cookie Use
We use essential cookies on the basis of our legitimate interest in ensuring the safe and efficient operation of the site. For analytical and marketing cookies, we rely on user consent, which can be withdrawn at any time.
9. PROTECTION OF MINORS
Our Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor without verifiable parental consent, we will take steps to remove such information from our servers.
10. CHANGES TO THE PRIVACY POLICY
10.1 Updates
We may update this Privacy Policy periodically to reflect changes in our data processing practices or for other operational, legal, or regulatory reasons. The most recent version will always be available on the Platform.
10.2 Notification of Changes
In case of substantial changes, we will inform our Customers via email or through a notice on the Platform before the changes become effective.
11. DATA PROTECTION OFFICER
11.1 DPO Appointment
Appointing the Data Protection Officer (DPO) for the processing of personal data in the Platform is the responsibility of the Customer, as the data controller for reports received in its organization.
11.2 Company DPO
Regarding the processing of data related to the administration of the Platform, you can contact our data protection team at the email address [insert email address].
12. CONTACTS
For any questions or requests regarding this Privacy Policy or the processing of personal data, you can contact us at the following details:
ADVISION PLUS LTD
C/O Pollock Accounting, 3 - 4 Sentinel Square
London, England, NW4 2EL
Email: [insert contact email address]
13. SUPERVISORY AUTHORITY
If you believe that the processing of your personal data violates data protection regulations, you have the right to lodge a complaint with the competent supervisory authority:
In the United Kingdom:
Information Commissioner's Office (ICO)
https://ico.org.uk
In other European Union countries, you can contact the local data protection authority in your country of residence.
Last modified: March 15, 2025