Privacy Policy

FaceUp Technology s.r.o., company ID No.: 061 42 630, with its registered office at Udolni 567/33, 602 00 Brno, Czech Republic registered with the Commercial Register kept by the Regional Court in Brno, Section C, Insert 100325 (hereinafter referred to as "FaceUp" or "we"), in its capacity as a controller or processor of personal data in accordance with Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the Protection of Natural Persons with Regard to the Processing of Personal Data (hereinafter referred to as "GDPR"), informs all its clients and business partners, who are natural persons, or employees of its clients and business partners, or job applicants or visitors to the FaceUp website, as well as users of the FaceUp whistleblowing system (www.faceup.com) (hereinafter referred to as "Data Subjects" or "you"), about the processing of their personal data.

This privacy policy (hereinafter referred to as the "Policy") sets out the basis on which we will process any personal data that we obtain from you or that you provide to us if it meets the specific requirements set out below.

The data controller may be FaceUp, your organization (company, employer, etc.) or your school or other similar establishment from which you received the access code to submit the report or to which the report relates (hereinafter referred to as the "Controller"), as the case may be.

Where the data controller is your organization or your school or other similar establishment from which you have received the access code to submit the report or to which the report relates, FaceUp is the processor of your personal data.

Contact Details of FaceUp:

  1. by post to FaceUp Technology s.r.o., Udolni 33, 602 00 Brno, Czech Republic
  2. by email to support@faceup.com, or
  3. otherwise as set out on the Website.

Please read the following carefully to understand our practices regarding your personal data and how we will handle it.

We take a clear approach to explaining our data protection practices as recommended by supervisory authorities. This means that we strive to provide you with only relevant information on privacy protection regarding your use of FaceUp's services and the www.faceup.com website, and we use this simple Policy to do so. If you have any feedback or questions, please do not hesitate to reach out to us.

Data Processed about You by Us

It is important to us that you know what personal data we process about you, how and for what purposes we use it, in order for us to operate more efficiently in providing you with professional information on data protection and to enable you to obtain essential information on data protection. 

We may collect and process data about you when you are about to use or are already using our services, specifically when you enter into a contract with us or otherwise communicate with us or visit our website. However, when you submit a report via the FaceUp platform (www.report.faceup.com), we do not collect any personal data from you unless you voluntarily provide such data to us. However, provision of any personal data of yours is not a precondition for submitting a report. We do not collect personal data from you even in the course of your work at the user interface of administration (www.admin.faceup.com) unless you voluntarily provide such data to us.

We obtain your personal data from several sources. The primary source of your personal data is you personally or your company or the company you represent (e.g. when we enter into a contract with you and you personally or the company you represent provide us with your identification data or payment data for this purpose). In addition, we may also obtain your personal data for the above purposes from publicly available sources such as public lists, registers and indexes (e.g. commercial register or trade register) or it may be provided to us by third parties and/or through the report submitted by you if you voluntarily provide such data to us in accordance with this Policy and the document Information about Personal Data Processing in Connection with Report.

You may provide us with some of this information by communicating with us, e.g. by telephone, email or otherwise. We also collect some of these automatically, for example by using cookies when you visit our website.

Any information is provided on a voluntary basis except where otherwise stated (legal obligation to provide data).

These situations mainly include:

Data Subject: Whistleblower – an individual who submits a report concerning a registered organization or company
Categories of Personal Data: We do not collect any personal data unless the whistleblower voluntarily provides such data to us – typical examples are identifying information (e.g. name, surname and, if applicable, other identifying information), as well as personal data provided as part of the submitted report, as the case may be
Role of FaceUp: Processor

Data Subject: Whistleblower – an individual who submits a report in relation to attendance at an educational establishment registered with FaceUp
Categories of Personal Data: We do not collect any personal data unless the whistleblower voluntarily provides such data to us – typical examples are identifying information (e.g. name, surname and, if applicable, other identifying information), as well as personal data provided as part of the submitted report, as the case may be
Role of FaceUp: Processor

Data Subject: Whistleblower – an individual who submits a report in relation to attendance at an educational establishment not registered with FaceUp
Categories of Personal Data: We do not collect any personal data unless the whistleblower voluntarily provides such data to us – typical examples are identifying information (e.g. name, surname and, if applicable, other identifying information), as well as personal data provided as part of the submitted report, as the case may be
Role of FaceUp: Controller

Data Subject: Business partners – natural persons
Categories of Personal Data:
  • Identifying information (e.g. name, surname, date of birth or personal identification number /if necessary/, permanent residence or residence or registered office, company ID No., VAT number)
  • Contact details (e.g. mailing address, email address, telephone number)
  • Billing and payment details (e.g. account number and bank details)
  • Business details
  • Data obtained from mutual communication
Role of FaceUp: Controller

Data Subject: Employees, board members, or other users of the FaceUp app, or associated persons with whom FaceUp has an agreement
Categories of Personal Data:
  • Identifying information (e.g. name, surname, date of birth, permanent residence or residence or registered office)
  • Contact details (e.g. mailing address, email address, login to the FaceUp platform, telephone number)
  • Information about the employer or relationship with a client or business partner
  • Data obtained from mutual communication
Role of FaceUp: Processor and controller

Data Subject: Users of FaceUp administration (relevant persons and their representatives or account administrators within FaceUp administration)
Categories of Personal Data:
  • Identifying information (e.g. name, surname, date of birth, permanent residence or residence or registered office)
  • Contact details (e.g. mailing address, email address, login to the FaceUp platform, telephone number)
  • Information about the employer or relationship with a client or business partner
  • Data obtained from mutual communication
Role of FaceUp: Processor

Data Subject: Website visitors
Categories of Personal Data:
  • We collect personal data during a visit to the website only in the course of common website browsing for marketing purposes, not in connection with the use of our services at the web interface www.report.faceup.com and/or www.admin.faceup.com - typical examples are data on Cookies (see more in the Cookie Policy)
  • IP address
  • Browser, information system and resolution data. These data are not collected in the course of use of our services.
Role of FaceUp: Controller

Data Subject: Website visitors using the chat
Categories of Personal Data:
  • Email address
  • Name and surname (if provided or if it appears in the e-mail address)
  • Data obtained from mutual communication
Role of FaceUp: Controller

Data Subject: Subscribers to the newsletter, e-book, etc.
Categories of Personal Data:
  • Email address
  • Name and surname (if provided or if it appears in the e-mail address)
  • Phone number
  • Identification of your organization
  • Data obtained from mutual communication
Role of FaceUp: Controller

This is especially the case when:

i. it is necessary for the performance of a contract (e.g. provision of whistleblowing system services, employment contract, cooperation agreement or other contract) to which you or a company or other legal entity to which you have a relationship are a party or for the performance of a pre-contractual measure (e.g. a selection procedure with job applicants or negotiations with potential clients and partners) (Section 6(1)(b) of the GDPR), or

ii. we are required to do so by applicable law (e.g. labor legislation, tax legislation) (Section 6(1)(c) of the GDPR), or

iii. you have given us your consent (e.g. email address for sending marketing communications), where you can withdraw your consent at any time (Section 6(1)(a) of the GDPR or Section 9(2)(a) of the GDPR), or

If you have given us your consent to the processing of your personal data, you have the right to withdraw this consent at any time, by post to our registered office or by email to support@faceup.com.

iv. the processing is necessary for the protection of the vital interests of the Data Subject or of another individual (Section 6(1)(d) of the GDPR) or the processing is necessary for the protection of the vital interests of the Data Subject or of another individual where the Data Subject lacks the physical or legal capacity to give consent (Section 9(2)(c) of the GDPR), or

v. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (e.g. in the case of the obligation to inform legal representatives of a child in the event of suspected bullying at school) (Section 6(1)(e) of the GDPR) or the processing is necessary for reasons of substantial public interest based on Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides suitable and specific safeguards for the protection of the fundamental rights and interests of the Data Subject (Section 9(2)(g) of the GDPR), or

vi. it is our legitimate interest to do so in the interest of improving the quality of our services provided to you, in connection with the follow-up information on news regarding FaceUp to our clients or, for example, to protect the network against harmful practices (Section 6(1)(f) of the GDPR).

We respect the principle of data minimization by storing only personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Use of Information

In particular, we use the information we collect about you to provide you with our services, to fulfil our contractual obligations to you or our business or other partners, to comply with our legal obligations, to notify you of changes to our services and/or to improve our services.

We use your personal data for the purposes for which we collected it.

We also use your selected data (email address) for direct marketing purposes. These activities include, in particular, the use of your email addresses for the purpose of sending you our newsletters if you have consented to such newsletters. You can quickly and easily stop receiving these marketing communications at any time by using the unsubscribe link included in each newsletter. You can also inform us at the email address below.

The processing of your personal data does not involve any decision-making based solely on automated processing, including profiling, which would have legal effects on you or would significantly affect you in a similar way.

Disclosing Your Information

We will not disclose your personal data to anyone except as described in this Policy.

Where FaceUp is the processor of personal data, it discloses personal data of Data Subjects, or provides access to personal data of Data Subjects, to organizations with which the whistleblower has a relationship, as well as to school establishments of which the whistleblower concerned is a student. FaceUp may also disclose your personal data in its promotional materials if agreed in advance with the Data Subject.

Recipients or categories of recipient of Personal Data

The recipients of your personal data may include:

  • an organization that uses the FaceUp platform as part of its whistleblowing channel and is also the Controller of your personal data, and
  • a school establishment that uses the FaceUp platform to prevent and address bullying or other similar behavior and is also the Controller of your personal data.

We ensure the highest possible standard of security of your personal data. However, if it is necessary for the performance of the contractual relationship or for the normal operation of FaceUp, we may, in exceptional cases, share your personal data to the necessary extent with FaceUp's contractual partners (e.g. IT services, attorneys etc.). As a prerequisite for such sharing of your personal data, you must always enter into a data processing agreement with each such FaceUp contractual partner that guarantees the highest standard of protection for your personal data.

If required by law or our legitimate interests, we may, in very exceptional cases, transfer your personal data to state authorities (in particular law enforcement authorities, courts and tax authorities) to the necessary extent, but always in accordance with the law and only if the law imposes such an obligation on us or if it is necessary to protect our legitimate interests.

Personal Data of Third Parties

Personal data of third parties, which means personal data of employees and partners or associates of clients or business partners of FaceUp and other individuals involved in cooperation with FaceUp, or other data that FaceUp receives from a client or business partner in connection with the conclusion or performance of a contract, will be processed in accordance with applicable data protection legislation. 

FaceUp uses personal data for the purpose of performance of contracts with clients or suppliers. FaceUp will process the personal data of third parties for the duration of the contractual relationship and for the period provided for by special legislation, if any. They will be stored for a longer period if there is a justified need to store the data in relation to a specific case.

Data Protection

We ensure adequate procedures are in place to prevent unauthorized access to and misuse of personal data.

We use necessary and appropriate systems and procedures to protect and secure the personal information you provide to us. We also employ security procedures and technical and physical restrictions on access to and use of personal information on our servers. Only authorized personnel who work with the data have access to personal data.

The security of your data is our top priority and we use the following technical measures: 

  1. We process personal data of users in accordance with the GDPR, which sets the highest level of privacy and data protection in the world. Neither FaceUp nor any third parties have access to your internal data, which is securely encrypted and stored on AWS servers in the European Union. FaceUp does not store the IP addresses of the senders of the reports. 
  2. FaceUp gives you the option to choose end-to-end encryption (E2EE), in which data transmission is protected against information leakage between you and the server, as well as the server and its administrator – so that no one can access the information flowing through FaceUp, unless of course they are directly designated to do so by the organization using the platform.
  3. The platform also uses two-factor authentication (2FA), which you may be familiar with from online banking. This security feature significantly reduces the possibility of digital identity misuse, as it requires at least two proofs (factors) to verify the user's identity; in practice, this is most often a password together with a randomly generated code from a text message, a fingerprint, or a facial scan (e.g. Face ID). 
  4. Equally important, the platform does not store any IP addresses, removes as much as possible of the EXIF data and other metadata that could potentially identify users, and does not use any trackers such as Google Analytics, Facebook pixel or Hotjar.
  5. The security of the application is underlined by the certification of the information security management system according to the ISO/IEC 27001. 
  6. FaceUp undergoes penetration tests by clients to verify the real resilience of the web application against cyber-attack. We have always passed the tests. In addition to regular penetration tests, we also perform security audits of all libraries used in the code. 
  7. We are also developing our own AntiSpam system, which is an intelligent system that strives to identify spam or even delete it so that we do not give access to reCaptcha data (Google tool for distinguishing humans from computers). 

Period for Which Personal Data Are Stored

When handling your personal data for specific purposes, we respect the principle of storage limitation, whereby we keep your personal data only for the necessary period of time, usually five (5) years from the date of the submission of the report.

FaceUp processes the personal data of third parties for the duration of the legal basis for processing and for the period provided for by special legislation, if any. They will be stored for a longer period if there is a justified need to store the data in relation to a specific case.

We store your personal data for the duration of our contractual relationship for the purpose of exercising the rights and obligations arising from it, and after its termination for other necessary purposes, such as compliance with our legal obligations, contractual obligations, dispute resolution and legal enforcement of legitimate claims or for the purposes of possible administrative proceedings. These needs vary depending on the specific reason for storage, and therefore the period of storage for different types of your personal data varies significantly in specific cases and can be up to 5 years from the end of the contractual relationship, except in cases of longer storage required by law (e.g. payroll records).

In exceptional cases, for example in the course of litigation, certain documents containing your personal data may be stored for a longer period of time in order to protect our legitimate interests. This is particularly the case when we would have to submit these documents as evidence in litigation, in administrative proceedings or for the enforcement of a decision.

Your Rights

As a data subject, you have rights under the law in relation to the processing of your personal data, which you can exercise at any time. These are the right (i) of access to personal data, (ii) to rectification and completion of inaccurate and incomplete personal data, (iii) to erasure of personal data (the so-called "right to be forgotten"), (iv) to restriction of processing of personal data, (v) to data portability and (vi) to object.

  • Right of access to personal data – you have the right to obtain information from us about whether or not we are processing personal data relating to you and, if so, you have the right to access that personal data.
  • Right to rectification of personal data – if you believe we are processing inaccurate or incomplete personal data concerning you, you have the right to rectification, or you have the right to complete incomplete personal data, including by providing an additional statement.
  • Right to erasure of personal data ("right to be forgotten") – if you ask us to erase your personal data, we will do so without undue delay, in particular if:
  1. your personal data is no longer needed for the purposes for which it was collected or processed,
  2. your personal data is processed on the basis of your consent and you withdraw this consent and there is no other legal basis for the processing,
  3. you object to the processing of your personal data and there are no overriding or legitimate grounds for processing your personal data,
  4. your personal data is processed unlawfully,
  5. there is no longer a legal obligation to process the data under European Union law or national law.
  • Right to restriction of processing of personal data – you have the right to ask us to restrict the processing of your personal data if:
  1. you deny the accuracy of the personal data,
  2. the processing is unlawful and you have also refused the erasure of your personal data and requested a restriction on its use,
  3. we no longer need your personal data for the purposes of processing, but you require it for the establishment, exercise or defense of legal claims,
  4. you have objected to the processing of your personal data and it has not yet been verified whether our legitimate grounds outweigh your legitimate grounds.
  • Right to data portability – you can exercise your right to data portability. Upon your request, we will transfer your personal data in a structured, commonly used and machine-readable format to you or another Controller, which we will process on the basis of the contract or consent you have provided to us. If the exercise of this right would adversely affect the rights and freedoms of others, we will not be able to comply with your request.
  • Right to object – you have the right to object to the processing of your personal data for public interest purposes or for the purposes of our legitimate interest. If the processing of your personal data is based on our legitimate interest (including direct marketing), you can object to this processing if it relates to the objected purpose. In this case, your personal data will no longer be processed for this purpose.

Please also note that if you have given us your consent to the processing of your personal data, you have the right to withdraw this consent at any time, by post to our registered office or by email to support@faceup.com.

We would also like to draw your attention to the possibility of lodging a complaint with the relevant supervisory authority for personal data protection, which is in the Czech Republic the Office for Personal Data Protection, based at: Pplk. Sochora 727/27, 170 00 Prague 7 – Holešovice, email: posta@uoou.cz, if you believe that the processing of your personal data violates a legal regulation or your rights. 

If you wish to exercise any of your rights, please contact us by email: support@faceup.com or by post at our registered office.

Please note that due to the specific nature of activities of FaceUp (in particular, the provision of services under the Whistleblowing Act), the exercise of certain rights of Data Subjects may be significantly restricted.

Obligations of FaceUp as a Personal Data Processor

As a processor, we undertake to comply with applicable and effective legal regulations on the protection of personal data and privacy, mainly but not exclusively the GDPR and Act No. 110/2019 Coll., on the Processing of Personal Data, as amended, in relation to processing personal data.

Furthermore, we undertake to process personal data only on the basis of documented instructions from the Controller, including issues of transfer of personal data to a third country or an international organization, unless such processing is already required by European Union or Member State law to which we are subject.

We will maintain the confidentiality of all personal data provided or disclosed to us by the Controller, or which we will collect in connection with the provision of services to the Controller, except for the transfer of such data to sub-processors and our service providers.

We will ensure that all of our employees, members of our bodies and our business partners with authorized access to (or authority to process) the personal data processed undertake to observe appropriate confidentiality conditions or are duly informed of their legal obligation of confidentiality, if applicable, before fulfilling the first task in connection with the provision of services.

We undertake to apply at all times technical and organizational measures to protect personal data processed against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, which must be proportionate to the risks of varying likelihood and severity to the rights and freedoms of the individuals whose data are processed, taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of the processing, including, where appropriate, measures for pseudonymization and encryption of the personal data processed, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services, the ability to restore the availability of and access to the personal data processed in a timely manner in the event of physical or technical incidents, and the process of regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures in place to ensure the security of the processing.

We will provide the Controller with such assistance and information as the Controller reasonably requests and as we are reasonably able to provide to enable the Controller to comply with its obligations under applicable and effective data protection and privacy laws and to cooperate with the competent authorities in relation to the personal data processed, including, where appropriate, providing support to the Controller where relevant to the nature of the processing.

We undertake not to involve any other processor in the processing without the prior specific or general written permission of the Controller. In the case of a general written permission, we undertake to inform the Controller of any intended changes concerning the admission of additional processors or their replacement, thus giving the Controller the opportunity to object to these changes. The following entities are expressly permitted processors and sub-processors in terms of the provision of services:

  • Amazon Web Services, Inc. (infrastructure tools);
  • tawk.to, Inc. (customer support tools);
  • Sentry, Inc. (error reporting tools);
  • ECOMAIL.CZ, s.r.o (online marketing tools); and
  • possibly other newly engaged processors and sub-processors, whom we will notify the Controller of in writing, including by email, where the Controller has the right to object to these new processors and sub-processors, and we are obliged to take these objections into account.

The following entities are expressly permitted processors and sub-processors in terms of common website browsing:

  • Google LLC (web analytics and online marketing tools);
  • tawk.to, Inc. (customer support tools);
  • Facebook Ireland Ltd (online marketing tools);
  • Hotjar, Inc. (web analytics tools);
  • ECOMAIL.CZ, s.r.o (online marketing tools);
  • Pipedrive Inc. (CRM tools);
  • Microsoft Corporation (online marketing tools);
  • Seznam.cz, a.s. (online marketing tools); and
  • possibly other newly engaged processors and sub-processors, whom we will notify the Controller of in writing, including by email, where the Controller has the right to object to these new processors and sub-processors, and we are obliged to take these objections into account.

We will only entrust the processing of processed personal data to other processors or sub-processors who provide a sufficient level of security of personal data at least to the extent required by applicable and effective data protection and privacy laws.

We will promptly notify the Controller in writing and in reasonable detail as soon as we become aware or reasonably suspect that there has been a personal data breach or other serious incident that compromises or exposes a material weakness in the security of personal data while in our possession or control (hereinafter referred to as the "Personal Data Security Incident").

In the event of a Personal Data Security Incident, we undertake to:

  • take all reasonable steps to identify and address the root cause of the Personal Data Security Incident and thereby eliminate or exclude the risk of recurrence and occurrence of similar Personal Data Security Incidents,
  • take such steps as the Controller may reasonably request and we may reasonably take to help the Controller address the adverse consequences of the Personal Data Security Incident and to ensure compliance with the Controller's obligations under applicable and effective data protection and privacy laws, and
  • report promptly and regularly to the Controller on the measures taken and their results.

We will disclose to the Controller any information it may reasonably request.

We will promptly notify the Controller in writing if we believe that compliance with the Controller's instruction may violate applicable and effective data protection and privacy laws.

Audits and Inspections at the Processor

The Controller (or its authorized auditors) shall be entitled to carry out reasonable audits and/or inspections necessary to verify our compliance with this Policy upon prior written request, which must be delivered to us as a processor at least one month in advance. We undertake to allow reasonable audits and inspections to take place and to provide all necessary assistance to the Controller in carrying them out.

The Controller shall, for so long as its employees or its authorized auditors are on our premises during any such audit or inspection, prevent (or if this is not possible, at least minimize) any damage, personal injury or disruption to the premises, equipment, employees and our business.

We are entitled to claim reimbursement from the Controller for the necessary costs associated with the audits and inspections carried out, as well as reimbursement for our lost time and that of our staff involved in the audit or inspection, or for any downtime in our work caused by the audit or inspection.

We are not obliged to allow access to our premises for the purposes of such an audit or inspection:

  • to individuals who do not provide adequate proof of identity and authorization,
  • outside normal business or operating hours at such premises, unless it is an urgent audit or urgent inspection, of which the Controller shall give notice prior to the commencement of the audit or inspection outside normal business or operating hours, or
  • in the case of more than one audit or inspection per two calendar years.

Changes to Our Privacy Policy 

Any changes we may make to this Policy in the future will be posted on this page and, if appropriate, we will notify you by email. So please check this page for any updates and changes to our Privacy Policy.

Contact Us

You can contact us at any time regarding the processing of your personal data by sending an email to support@faceup.com or by post to the address of our registered office.

We provide all communications and statements regarding the rights you have exercised free of charge. However, if the request is manifestly unfounded or unreasonable, in particular because it is repetitive, we are entitled to charge a reasonable fee taking into account the administrative costs involved in providing the information requested. In the event of repeated requests for copies of the personal data processed, we reserve the right to charge a reasonable fee for administrative costs for this reason.

We will provide you with a statement and, where appropriate, information on the measures taken as soon as possible, but no later than one (1) month after receipt of the complete communication. We are entitled to extend the deadline by two (2) months if necessary and in view of the complexity and number of requests. We would inform you about the extension including the reasons.

This Policy is effective as of 1 April 2022.

FaceUp Technology © 2022