Privacy Policy
Last Updated: December 2025
1. Our Role under GDPR
For Admin Data: WhistleCore acts as the Data Controller for account information (email, payment details) of our customers (Company Admins).
For Whistleblower Reports: WhistleCore acts as the Data Processor. The Customer (Company) is the Data Controller. We process this data solely on your behalf and in accordance with your instructions.
2. Data We Collect
- Account Data: Email address, company name, billing information (processed via Stripe).
- Usage Data: Anonymous analytics on website visits (not linked to whistleblower identities).
- Report Data (Encrypted): We store encrypted blobs of report content. We do not hold the decryption keys and cannot access this data.
3. Whistleblower Anonymity
We have designed our system to maximize anonymity. We do not log IP addresses or User-Agent strings in our application database alongside reports. Whistleblowers are not required to provide any personal data (email/phone) to submit a report.
4. Data Storage & Transfers
All data is hosted securely within the European Union (Frankfurt region). We do not transfer report data outside the EU/EEA.
5. Sub-processors
We use the following trusted sub-processors:
- Supabase: Database & Authentication (EU Hosting).
- Vercel: Web Hosting & Edge Functions.
- Stripe: Payment Processing.
6. Data Retention
Account Data: Retained as long as your subscription is active.
Report Data: Retained until deleted by the Company Admin. Our system includes auto-deletion tools to help Companies comply with retention periods (e.g., 2 months after case closure).
7. Your Rights
Under GDPR, you have the right to access, rectify, or erase your personal data. For Admin account data, please contact us. For data contained within a whistleblower report, please contact the Company (Controller) responsible for that report.