GDPR & Data Protection
Privacy Policy
This document describes how QReportly processes personal data in connection with Platform service delivery, in compliance with Regulation (EU) 2016/679 (GDPR) and applicable national law.
Last updated: 3 June 2026
01
Introduction and Scope
QReportly (the "Platform" or the "Provider") attaches fundamental importance to the protection of personal data and the confidentiality of individuals using its services.
This Privacy Policy applies to: (i) processing carried out by the Provider as Data Controller for its own activities (administrator accounts, billing, support); and (ii) processing carried out by the Provider as Data Processor on behalf of Clients, for data included in reports and internal reporting channel operations.
For the public reporting channel accessible to reporters, the Provider applies advanced technical and organizational data minimization measures, as detailed in the dedicated sections below.
02
Data Processing Roles (GDPR)
With respect to personal data contained in reports submitted through the internal channel, case records, messages, attached files, and operational metadata related to case management, the Client — the Enrolled Legal Entity — acts as Data Controller.
QReportly acts strictly as Data Processor (technical provider), processing data exclusively on documented instructions from the Client, for the provision of contracted services, and within the limits of this Policy and the Terms of Service.
For administrator account data, billing data, and commercial communications, the Provider acts as an independent Data Controller and must provide data subjects with the information required by GDPR.
Controller-Processor Relationship
The Provider does not use report content for its own marketing, profiling, or commercial analytics purposes. Provider personnel access to Client data is strictly limited to authorized staff for maintenance, technical support, security, and legal compliance, and is subject to confidentiality obligations.
The Client is responsible for the lawfulness of processing, data subject information duties, handling rights requests relating to reports, and notifying supervisory authorities where required.
03
Categories of Processed Data
Depending on how the Platform is used, the following categories of data may be processed:
- Identification data of Client administrators: name, email address, role, language preferences;
- Organizational data: workspace name, country of registration, compliance settings, pricing plan;
- Billing and payment data: processed primarily by Stripe; the Provider may store transaction references, but not full card details;
- Report content: text, categories, attached files, messages from secure chat, procedural statuses, timestamps;
- Limited technical data for administration sessions: security logs, session identifiers, authentication events;
- Data voluntarily provided by reporters: name, contact details, or other elements, only when the reporter chooses identified reporting.
04
Anonymity Architecture (Zero-Knowledge)
The Platform is structurally designed not to collect, log, or store IP addresses, geolocation data, or digital fingerprints (browser fingerprinting) of whistleblowers accessing the public reporting channel.
This minimization architecture is intended to reduce the risk of re-identification of reporters who choose anonymous reporting and to support the Client in meeting legal confidentiality obligations.
The Provider does not use behavioral tracking technologies, advertising profiling, or invasive analytics within the reporting flow intended for reporters. Any analytics applied on the public presentation site is technically separated from the secure reporting channel.
Identified Reporting
If a reporter explicitly opts for identified reporting, voluntarily provided data is accessible to the Client's Designated Person and protected through technical encryption and access control measures. The Client remains the responsible Controller for such data processing.
05
Metadata, Attachments, and Sanitization
All files attached to reports (PDF documents, DOCX documents, PNG/JPG/JPEG images) are subject, at upload, to an automatic cryptographic metadata sanitization process, including but not limited to EXIF image data, document author information, embedded properties, edit timestamps, and other elements that could facilitate inadvertent re-identification.
The sanitization process takes place before final storage of files in the Platform infrastructure. The Client is responsible for assessing whether information remaining in visible document content is appropriate for the investigation purpose.
Files that cannot be processed safely or exceed established technical limits may be automatically rejected without retention of original content.
06
Data Retention and Automatic Purging
The Provider applies strict retention and automatic deletion policies designed to limit data exposure beyond periods necessary for service provision and legal compliance.
Media Files and Evidentiary Documents
Media files and documents uploaded as evidence in reports are permanently and irreversibly deleted from servers 6 months (180 calendar days) after the case is marked as "Closed" in the Platform. Purging is executed automatically through scheduled procedures, without manual intervention.
Textual History and Register
Textual history of secure chat, procedural records, and data associated with the official register are retained for the standard legal period configured in the Client workspace: 5 (five) years as the default duration, and 3 (three) years for jurisdictions requiring that term — such as Germany — after which they are automatically removed through a Hard Delete procedure (irreversible physical deletion from active production systems).
The Client may configure retention periods within limits permitted by law applicable to its organization. The Provider does not guarantee retention beyond configured periods or beyond contractual termination, except where mandatory legal obligations apply to the Provider.
07
Legal Bases for Processing
As Processor, the Provider processes report data on the basis of the contract concluded with the Client (Article 6(1)(b) GDPR) and legal obligations applicable to cloud service providers (Article 6(1)(c) GDPR, where applicable).
As Controller for administration accounts, legal bases include contract performance, legitimate interest in Platform security and fraud prevention, legal accounting and tax obligations, and consent where explicitly requested (for example, marketing communications, if enabled).
08
Data Subject Rights
Data subjects benefit from rights provided by GDPR: access, rectification, erasure, restriction, portability, objection, and the right not to be subject to decisions based solely on automated processing, under applicable legal conditions.
For data contained in reports, rights requests should be addressed primarily to the Client as Data Controller. The Provider will assist the Client, to a reasonable extent and in accordance with the contract, in handling such requests.
For data processed by the Provider as Controller (administrator accounts, billing), requests may be submitted using the contact details at the end of this document. The Provider will respond within GDPR timelines.
Data subjects have the right to lodge a complaint with the competent supervisory authority in the Member State of their habitual residence, place of work, or place of the alleged infringement.
09
Security Measures
The Provider implements appropriate technical and organizational measures to protect data, including encryption in transit (TLS), role-based access controls, logical isolation between workspaces, security monitoring, incident response procedures, and encrypted backups in infrastructure hosted within the European Union.
No system can guarantee absolute security. In the event of a security incident affecting Client data, the Provider will notify the Client without undue delay, in accordance with applicable contractual and legal obligations.
10
Subprocessors and International Transfers
The Provider may rely on subprocessors for hosting, payment processing, email delivery, or security services, subject to equivalent contractual safeguards required under GDPR.
Data is hosted predominantly within the European Union. If certain third-party services involve transfers outside the EEA, the Provider will use recognized transfer mechanisms (Standard Contractual Clauses, adequacy decisions, or other GDPR-permitted safeguards).
11
Policy Changes
The Provider may update this Policy to reflect legal, technical, or operational developments. The current version is published on the Platform with the update date.
In case of material changes, the Client will be informed through reasonable channels (dashboard notification or email). Continued use of services after entry into force constitutes acceptance of the updates, to the extent permitted by law.
Data Protection Contact
For requests regarding data processing, exercise of rights, or GDPR clarifications, please contact:
- +40 764 381 795
- Send us a message