1. Introduction
This Privacy Policy sets out the rules for processing personal data within the Whispla
online service (hereinafter the “Service”), operated by BinSoft Sp. z o.o.,
based in Szczytno. We highly value the privacy of our Users (including whistleblowers submitting notifications
of irregularities and Administrators handling such notifications). This document explains how we collect,
process, and protect your personal data, as well as what rights you have.
Using the Service may involve providing certain personal data. The scope of data requested is always adequate
to the purpose for which it is collected (e.g., account registration, payment processing, statistical analysis,
whistleblower notifications).
2. Scope of the Document
- This Privacy Policy defines the principles governing the processing of personal data of the Service’s Users, including:
  - individuals visiting the Service,
  - individuals registering with the Service (e.g., Administrators handling notifications),
  - whistleblowers (individuals submitting notifications of irregularities),
  - business partners and contractors,
  - newsletter subscribers or individuals who have consented to marketing communications.
- The principles of personal data processing primarily arise from:
  - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
    on the protection of natural persons with regard to the processing of personal data (“GDPR”),
  - the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781, as amended),
  - the Telecommunications Law and the ePrivacy Directive (regarding cookies),
  - other applicable national and EU legal provisions in the area of data protection.
3. Data Controller
- The Controller of personal data is:
BinSoft Sp. z ograniczoną odpowiedzialnością with its registered office in
Szczytno (12-100), at ul. Władysława IV 35, entered into the Register of Entrepreneurs of the National
Court Register (KRS) under number 0000618367, NIP (Tax ID): 7451846889, REGON: 364251875
(hereinafter “Controller”).
- If you have any inquiries concerning the protection of personal data, please contact our
Data Protection Officer (DPO) by sending an email to:
iodo@binsoft.pl
4. Categories of Personal Data Processed
Depending on how you use the Service, we may process various categories of personal data, in particular:
- Identification and contact details such as: first name, last name, email address, phone number –
e.g., when creating an account on the Service, submitting an inquiry via a form, or handling whistleblower notifications.
- Data provided during a whistleblower notification – the content and category of the notification,
as well as any documents/attachments that the whistleblower attaches (these may also include sensitive data if
voluntarily provided by the whistleblower).
- Data concerning Service usage (server logs, IP address, cookies) – automatically collected technical
and statistical data during visits to the website or use of the application.
- Data necessary for contract performance – for instance, in the case of companies/institutions purchasing
access to our solution: invoicing data (company name, business address, Tax ID), and data of persons authorized to represent the entity.
Providing personal data is voluntary; however, in some cases it may be necessary to use certain functionalities
of the Service (e.g., registration and login, handling whistleblower notifications, issuing invoices).
5. Purposes and Legal Basis of Data Processing
Your personal data may be processed for the following purposes:
- User/Administrator registration in the Service, enabling account creation and use of functionalities:
  Legal basis: necessity for the performance of a contract (Art. 6(1)(b) GDPR).
- Handling whistleblower notifications (receiving, verifying, two-way communication, conducting investigations):
  Legal basis: necessity for the performance of a contract with the entity using the Service
  (Art. 6(1)(b) GDPR) or the Controller’s legitimate interest (Art. 6(1)(f) GDPR) – if the Controller itself provides
  the relevant infrastructure. If special categories of data (sensitive data) are processed, we rely on the explicit
  consent of the individual voluntarily providing such data (Art. 9(2)(a) GDPR) or other permissible bases in accordance
  with applicable regulations.
- Payment processing and accounting/tax support (issuing invoices, settlements):
  Legal basis: necessity for the performance of a contract or taking steps prior to entering into a contract
  (Art. 6(1)(b) GDPR), fulfillment of legal obligations (Art. 6(1)(c) GDPR).
- Communication as part of customer service/technical support – providing information, handling complaints,
  email or phone contact:
  Legal basis: necessity for the performance of a contract (Art. 6(1)(b) GDPR) or our legitimate interest
  (Art. 6(1)(f) GDPR) for day-to-day inquiries.
- Direct marketing of our services and products (e.g., sending newsletters, commercial information) –
  only with your prior consent or where another legal basis applies:
  Legal basis: consent (Art. 6(1)(a) GDPR) or legitimate interest (Art. 6(1)(f) GDPR), if legal provisions
  permit contacting existing customers for marketing purposes.
- Ensuring the security of the Service and preventing abuses (e.g., monitoring server logs, IP addresses
  to detect attacks):
  Legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR).
- Statistical analysis and Service improvement – e.g., using Google Analytics to measure traffic
  and user behavior:
  Legal basis: consent (Art. 6(1)(a) GDPR) for certain cookies, or our legitimate interest (Art. 6(1)(f) GDPR)
  – when collecting anonymized statistics.
6. Data Recipients and Transfer of Data Outside the EEA
- Your personal data may be disclosed to the following categories of recipients:
  - Payment processing entities, accounting firms, law firms, consulting companies,
  - IT service providers and tools supporting the functioning of the Service (e.g., hosting, email,
    notification handling, communication tools),
  - public authorities authorized to obtain data under the law (e.g., courts, law enforcement agencies),
  - entities carrying out mailings and marketing campaigns (exclusively on our behalf and only
    to the extent necessary to perform their services).
- In certain situations, data may be transferred outside the European Economic Area (EEA), e.g., when using
technology providers (such as Google) located in the USA. In such cases, we always ensure appropriate safeguards
(e.g., using certified mechanisms in line with the latest regulations, such as the EU-U.S. Privacy Framework
or standard contractual clauses) and exercise due diligence to protect your data.
7. Data Retention Period
- We store personal data only for as long as necessary to achieve the purposes for which it was collected, including:
  - for the performance of a contract – during the contract term and then for the period required
    to pursue potential claims (in principle, 6 years, unless other legal provisions state otherwise),
  - to fulfill accounting/tax obligations – for the period mandated by law (e.g., 5 years
    after the end of the tax year),
  - based on your consent – until you withdraw it or until the processing purpose ceases,
  - for marketing purposes – until you object or withdraw your consent,
  - for statistical or security purposes – depending on how long logs are retained, but no longer
    than necessary to fulfill the Controller’s legitimate interest.
- After these periods expire, data is either deleted or anonymized.
8. Users’ Rights
You have the right to:
- Access your personal data and obtain a copy (Article 15 GDPR).
- Rectify your data if it is incorrect or outdated (Article 16 GDPR).
- Erase data (“right to be forgotten”) if there is no basis for further processing (Article 17 GDPR).
- Restrict Processing, e.g., if you dispute the accuracy of the data (Article 18 GDPR).
- Data Portability if processing is automated and based on consent or contract (Article 20 GDPR).
- Object to data processing based on a legitimate interest (Article 21 GDPR), particularly
for direct marketing purposes.
- Withdraw Consent at any time (Article 7(3) GDPR) – without affecting the lawfulness of processing
carried out prior to its withdrawal.
- Lodge a Complaint with the President of the Personal Data Protection Office (PUODO) if you believe
your personal data is processed in breach of GDPR.
To exercise any of these rights, please contact us at:
iodo@binsoft.pl or in another convenient way (in writing or by phone).
9. Cookies and Similar Technologies
- The Service uses cookies to ensure proper and secure operation and to improve its functionality.
Cookies are small text files stored on your device (computer, smartphone) when you visit the website.
- Purposes of using cookies:
  - ensuring the correct operation of the Service (so-called necessary cookies),
  - remembering User preferences (e.g., language choice),
  - analyzing traffic within the Service (Google Analytics and other tools),
  - marketing – if you consent to such cookies.
- Depending on their type, cookies may be stored for the duration of your browsing session (session cookies)
or longer (persistent cookies).
- Cookie management:
  - You can configure your browser settings at any time to block or limit cookies.
  - Deleting or blocking cookies, however, may affect certain features of the Service.
- More information on cookies (including how to disable third-party cookies such as those from Google) can be found
in your browser settings or in additional notices on the Service.
10. Data Protection Measures
- We implement appropriate technical and organizational measures to protect personal data from
unauthorized access, loss, destruction, or unauthorized alteration.
- These measures include, among others: SSL encryption, regular backups, access control, firewalls, etc.
- In the event of a personal data breach, we will take the necessary steps required by law (including notification
of the relevant supervisory authority and the individuals affected, where required).
11. Updates to this Privacy Policy
- This Privacy Policy may be updated to reflect changes in applicable laws or modifications
in how the Service operates.
- We will notify Users of any significant amendments by publishing a new version on the Service.
- The date of the most recent update is provided at the end of this document.
12. Contact
If you have any questions, concerns, or wish to exercise your rights, please contact us:
BinSoft Sp. z o.o.
ul. Władysława IV 35, 12-100 Szczytno, Poland
Email: iodo@binsoft.pl
Date of last update: January 27, 2025