Privacy Notice

Easywhistle Oy’s Whistleblowing Software (app.easywhistle.com / SaaS Service – this notice does not apply to whistleblowers)
Last updated: 23 December 2025

1. Data Controller

Easywhistle Oy, Business ID: 3132737-2, Email: info@easywhistle.com

This Privacy Notice applies to the whistleblowing software service provided by Easywhistle Oy (the “Service”) and to Easywhistle Oy’s own processing of personal data.

2. Role of Easywhistle in the processing of personal data

Easywhistle Oy acts as a data processor on behalf of its client organizations (the “Client Organization”) with respect to whistleblowing reports processed through the Service.
As a rule, Easywhistle Oy does not act as a data controller in relation to the content of whistleblowing reports submitted through the Service and does not determine the purposes or means of processing such data. These are determined by the Client Organization acting as the data controller. Requests relating to the processing of personal data and the exercise of data subject rights by whistleblowers must be addressed directly to the relevant Client Organization.

3. Categories of personal data processed

3.1 Customer and user data

Easywhistle Oy processes personal data relating to users and contact persons designated by Client Organizations for the administrative and contractual use of the Service.

The categories of personal data processed may include:

  • name
  • email address
  • telephone number
  • organization and role
  • contractual and billing information

3.2 Whistleblowing report data

The Service is designed to support anonymous reporting, and Easywhistle Oy does not automatically collect or store identifying information relating to whistleblowers. The Service is designed so that technical identifiers that could be used to identify a reporter, such as IP addresses, are not collected or stored as part of the Service functionality. The use of the whistleblowing channel does not require cookies for identifying or tracking reporters, and the Service does not set cookies that would allow reporters to be individually identified or tracked when submitting a report.

If personal data is included in whistleblowing reports, Easywhistle Oy processes such data solely in a technical capacity on behalf of the Client Organization and in accordance with the Client Organization’s documented instructions.

The content of whistleblowing reports is protected by strong encryption, as a result of which Easywhistle Oy personnel do not have access to, nor the ability to review, personal data that may be included in the reports.

4. Purposes and legal bases for the processing of personal data

Easywhistle Oy processes personal data for the following purposes:

  • management of contractual relationships
  • provision, maintenance, and development of the Service
  • customer support and communications
  • compliance with statutory obligations

The legal bases for processing are:

  • performance of a contract (Article 6(1)(b) GDPR)
  • compliance with a legal obligation (Article 6(1)(c) GDPR)
  • legitimate interests (Article 6(1)(f) GDPR)

The legal bases for the processing of personal data contained in whistleblowing reports are determined in accordance with the Client Organization’s own privacy notice.

5. Disclosure and transfers of personal data

Personal data may be disclosed:

  • to competent public authorities to comply with statutory obligations
  • to authorized sub-processors involved in the provision of the Service, in
    accordance with the applicable Data Processing Agreement (DPA) entered into with
    the Client Organization

Personal data is not transferred outside the European Union or the European Economic Area without appropriate safeguards in accordance with applicable data protection legislation.

6. Data security

Easywhistle Oy implements appropriate technical and organizational measures to protect personal data.

The content of whistleblowing reports is encrypted at rest using strong symmetric encryption (AES-256) and in transit using TLS encryption. Encryption keys are managed through a segregated key management system (KMS), thereby limiting the ability of Easywhistle Oy personnel to access the content of whistleblowing reports.

The security of the Service is regularly assessed and tested, including by independent third parties, as part of Easywhistle Oy’s information security practices. The Service does not involve automated decision-making or profiling.

7. Data retention

Customer and contractual data is retained for the duration of the customer relationship and thereafter only for as long as necessary to comply with statutory obligations. Personal data contained in whistleblowing reports is retained in accordance with the instructions of the Client Organization and applicable legislation.

8. Data subject rights

Easywhistle Oy’s customers and contact persons have the rights afforded to data subjects under the GDPR with respect to their personal data. With regard to personal data contained in whistleblowing reports, data subjects must exercise their rights by contacting the relevant Client Organization acting as the data controller.

9. Updates to this Privacy Notice

This Privacy Notice may be updated from time to time.

The most current version is available on Easywhistle Oy’s website.