Privacy Policy

1. Introduction

ICM AS ("ICM", "Whistla", "we", "us", or "our") is committed to protecting your privacy and personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Norwegian data protection law.

This Privacy Policy explains:

• What personal data we collect
• Why we collect it (legal basis)
• How we use and protect it
• Your rights regarding your data
• How to exercise those rights

2. Data Controller

ICM AS is the Data Controller for personal data collected through our Platform (distributed by ICM AS, platform owned and developed by SAAZLY FZCO).

3. Scope of This Policy

This Privacy Policy applies to:

• Users of the Whistla Platform (companies and employees)
• External Investigators using the Marketplace
• Whistleblowers submitting reports through the Platform
• Visitors to our website (whistla.io)

Note for Whistleblowers: Special protections apply to whistleblower data under EU Directive 2019/1937 and Norwegian whistleblowing law. See Section 5.3 for details.

4. Personal Data We Collect

4.1 Account and Profile Data

When you create an account, we collect:

4.2 Usage Data

We automatically collect:

• IP address
• Browser type and version
• Device information
• Operating system
• Pages visited and time spent
• Click patterns and navigation
• Session recordings (anonymized)
• Error logs and crash reports

4.3 Whistleblowing Case Data

When managing whistleblowing cases, we process:

• Case descriptions and allegations
• Supporting documents and evidence
• Communication between case managers and investigators
• Investigation notes and reports
• Resolution details and outcomes
• Time logs and billing data

4.4 Payment Data

For subscription and marketplace payments:

• Billing name and address
• VAT/Tax ID number
• Payment method (stored by Stripe, not by us)
• Transaction history
• Invoice details

Note: We do NOT store credit card numbers or bank account details. Payment processing is handled securely by Stripe.

4.5 Communications

We collect data from:

• Support emails
• Chat messages (if support chat is enabled)
• Feedback and survey responses
• Phone calls (with your consent)

4.6 Cookies and Tracking

See our separate Cookie Policy for details on cookies and tracking technologies.

5. Legal Basis for Processing (GDPR Article 6)

We process personal data based on the following legal grounds:

5.1 Contract Performance (Art. 6(1)(b))

Processing necessary to provide the Platform services under our Terms of Service:

• Account creation and management
• Service delivery
• Billing and payment processing
• Customer support

5.2 Legal Obligation (Art. 6(1)(c))

Processing required by law:

• EU Whistleblowing Directive 2019/1937
• Norwegian Whistleblowing Act (Arbeidsmiljøloven § 2A)
• Accounting and tax laws
• Anti-money laundering regulations
• Court orders and legal requests

5.3 Special Protections for Whistleblowers

Under EU Directive 2019/1937, whistleblower identity receives enhanced protection:

• Strict confidentiality - Only authorized personnel can access identity
• No disclosure without consent - Identity never revealed without explicit written consent
• Retaliation protection - Legal prohibition on retaliation
• Secure storage - Encrypted storage with access logs

5.4 Legitimate Interests (Art. 6(1)(f))

Processing necessary for our legitimate business interests:

• Platform security and fraud prevention
• Product improvement and development
• Marketing and business development (with opt-out)
• Analytics and performance monitoring

We balance these interests against your rights. You can object to processing based on legitimate interests (see Section 11.6).

5.5 Consent (Art. 6(1)(a))

For optional processing:

• Marketing emails (opt-in required)
• Non-essential cookies (opt-in required)
• Profile photos and public information (External Investigators)
• Testimonials and case studies (opt-in required)

You can withdraw consent at any time.

6. How We Use Your Personal Data

6.1 Service Delivery

We use your data to:

• Provide access to the Platform
• Manage whistleblowing cases
• Connect companies with External Investigators
• Process payments and generate invoices
• Provide customer support
• Send service-related notifications

6.2 Legal Compliance

We use your data to:

• Comply with whistleblowing regulations
• Respond to legal requests
• Prevent fraud and abuse
• Maintain audit trails for compliance

6.3 Platform Improvement

We use anonymized, aggregated data to:

• Analyze usage patterns
• Improve user experience
• Develop new features
• Train AI models (with privacy safeguards)

6.4 Marketing (with consent)

With your opt-in consent:

• Send product updates and newsletters
• Promote new features
• Invite to webinars and events

You can unsubscribe anytime via the link in emails or by contacting privacy@whistla.io.

7. Data Sharing and Third-Party Processors

We share personal data only as necessary and with appropriate safeguards.

7.1 Sub-Processors

We use the following third-party services (Data Processors under GDPR Article 28):

7.2 Data Processing Agreements

We have signed Data Processing Agreements (DPAs) with all sub-processors as required by GDPR Article 28.

7.3 International Transfers

Supabase and Resend: Data is stored in EU data centers. No international transfer.

Stripe: Uses EU data centers with limited transfers to the US under:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Additional safeguards per Schrems II requirements

OpenAI: We send only anonymized, non-personal data. If personal data must be sent:

• Standard Contractual Clauses (SCCs) in place
• Explicit consent obtained
• Data minimization applied

7.4 External Investigators

When you assign a case to an External Investigator:

• Necessary case data is shared
• Investigator becomes a Joint Controller (separate DPA)
• Investigator bound by confidentiality obligations
• Access is logged and auditable

7.5 Legal Disclosure

We may disclose data when required by:

• Court orders or subpoenas
• Law enforcement requests (with legal review)
• Regulatory investigations
• Protection of rights and safety

We will notify you of legal requests unless prohibited by law.

8. Data Security

8.1 Technical Measures

We implement industry-standard security:

8.2 Organizational Measures

8.3 Data Breach Notification

In case of a data breach:

• We will notify the Norwegian Data Protection Authority (Datatilsynet) within 72 hours
• We will notify affected individuals if high risk to rights and freedoms
• We will provide details on the breach and mitigation steps

9. Data Retention

9.1 Retention Periods

We retain data only as long as necessary:

9.2 Deletion Process

When retention periods expire:

• Data is permanently deleted from production systems
• Backups are purged within 90 days
• Deletion is logged for audit purposes

9.3 Right to Erasure

You can request earlier deletion (see Section 11.3), subject to:

• Legal obligations to retain data
• Ongoing legal proceedings
• Necessary for contract performance

10. Cookies and Tracking

We use cookies and similar technologies. See our separate Cookie Policy for full details.

• Essential Cookies: Required for Platform functionality (no consent needed)
• Analytics Cookies: Used to improve the Platform (consent required)
• Marketing Cookies: Used for advertising (consent required, not currently used)

You can manage cookie preferences in your browser or through our cookie consent banner.

11. Your Rights Under GDPR

You have the following rights regarding your personal data:

11.1 Right to Access (Article 15)

What: You can request a copy of all personal data we hold about you.

How to Exercise:

• Email privacy@whistla.io with subject "Access Request"
• Provide proof of identity (to prevent unauthorized access)
• We will respond within 30 days

What You'll Receive:

• Copy of your personal data
• Purposes of processing
• Categories of data
• Recipients of data
• Retention periods
• Information about your rights

11.2 Right to Rectification (Article 16)

What: You can request correction of inaccurate or incomplete data.

How to Exercise:

• Update your profile in Platform settings, OR
• Email privacy@whistla.io with corrections
• We will update data within 30 days

11.3 Right to Erasure (Article 17) - "Right to be Forgotten"

What: You can request deletion of your personal data.

When Applicable:

• Data no longer necessary for original purpose
• You withdraw consent (for consent-based processing)
• You object and no overriding legitimate grounds
• Data processed unlawfully
• Legal obligation requires deletion

Exceptions: We may refuse if data is needed for:

• Compliance with legal obligations
• Establishment, exercise, or defense of legal claims
• Archiving purposes in the public interest

How to Exercise: Email privacy@whistla.io with subject "Erasure Request"

11.4 Right to Restriction (Article 18)

What: You can request we limit processing of your data while:

• Verifying accuracy of disputed data
• Processing is unlawful but you don't want deletion
• We no longer need data but you need it for legal claims
• Verifying legitimate grounds for objection

How to Exercise: Email privacy@whistla.io with subject "Restriction Request"

11.5 Right to Data Portability (Article 20)

What: You can request your data in a structured, machine-readable format (JSON or CSV).

Applicable When:

• Processing is based on consent or contract
• Processing is automated

How to Exercise:

• Email privacy@whistla.io with subject "Portability Request"
• Specify format preference (JSON or CSV)
• We will provide data within 30 days

11.6 Right to Object (Article 21)

What: You can object to processing based on:

• Legitimate interests (we must demonstrate compelling grounds)
• Direct marketing (we will stop immediately)
• Profiling and automated decision-making

How to Exercise:

• For marketing: Click "unsubscribe" in emails
• For other objections: Email privacy@whistla.io

11.7 Right to Withdraw Consent

What: If processing is based on consent, you can withdraw it at any time.

Effect: We will stop processing but lawfully processed data before withdrawal remains valid.

How to Exercise:

• Email privacy@whistla.io, OR
• Adjust settings in your Platform account

11.8 Right to Lodge a Complaint

What: You can file a complaint with a data protection authority.

EU Citizens: You can also file with your local Data Protection Authority.

12. Automated Decision-Making and Profiling

12.1 AI Case Assistant

We use OpenAI's technology to provide case analysis suggestions. This is NOT fully automated decision-making:

• AI provides recommendations only
• Human case managers make all final decisions
• You can object to AI processing (email privacy@whistla.io)

12.2 No Profiling

We do NOT engage in profiling that produces legal or similarly significant effects.

13. Children's Privacy

The Platform is not intended for children under 16. We do not knowingly collect data from children. If we learn we have collected data from a child, we will delete it immediately.

14. Changes to This Privacy Policy

14.1 Update Process

We may update this Privacy Policy to reflect:

• Changes in law or regulation
• New Platform features
• Changes in data processing practices

14.2 Notification

For material changes:

• We will notify you via email 30 days in advance
• We will update the "Last Updated" date at the top
• Continued use after changes constitutes acceptance

14.3 Version History

15. Contact Information

16. Acceptance

By using the Whistla Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein.