Product Privacy Policy

(hereinafter referred to as the “Policy”)

FaceUp Technology s.r.o., company ID No.: 061 42 630, with its registered office at Údolní 567/33, Brno-město, 602 00 Brno, Czech Republic registered with the Commercial Register kept by the Regional Court in Brno, Section C, Insert 100325 (hereinafter referred to as “FaceUp” or “we”), hereby, in its capacity as a controller or processor of personal data in accordance with Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (hereinafter referred to as the “GDPR”), informs all its clients and business partners, who are natural persons, or employees of its clients and business partners, as well as the users of our FaceUp product (hereinafter referred to as “Data Subjects” or “you”), which is used, in particular, to receive and store messages (reports) from third parties (whistleblowers) via the Faceup mobile application and/or website www.report.faceup.com, those messages being further administered in the administration user interface (www.admin.faceup.com; hereinafter referred to as the “Product”), about the processing of their personal data. 

This Policy sets out the basis on which we will process personal data that we obtain from you or that you provide to us in connection with the use of our Product, if the personal data meets the specific requirements set out below.

The data controller may be FaceUp, your organization (company, employer, etc.) or your school or other similar establishment from which you have received the access code for submitting the report or to which the report relates (hereinafter referred to as the “Controller”). 

Where the data controller is your organization or your school or other similar establishment which provides you with the opportunity to submit a report or to which the report relates, FaceUp shall be the processor of your personal data.

Contact details of FaceUp:

1. by post at FaceUp Technology s.r.o., Údolní 567/33, 602 00 Brno, Czech Republic;
2. by email at support@faceup.com; or
3. by any other means as set out on the website www.faceup.com and/or within the Product.

Please read the following text carefully to understand the practices regarding your personal data and how we will treat it in connection with your use of our Product. This Policy does not apply to the processing of personal data in connection with the normal browsing and/or use of our website www.faceup.com. More information about the processing of your personal data in connection with your normal browsing on the website www.faceup.com is available here.

We have a clear approach to explaining our personal data protection practices as advised by the supervisory authorities. This means that we only try to provide you with relevant privacy information in connection with the use of our Product, and we use a simple form of this Policy to do so. Please do not hesitate to contact us with your feedback or any inquiries.

Data we process about you

It is important for us that you are aware of which personal data we process and how and for what purposes we use it in order to operate more efficiently in providing professional information on personal data protection and to enable you to obtain the essential information on personal data protection.

This Policy applies solely to the processing of your personal data in connection with the use of our Product; however, if you submit a report via the FaceUP platform (www.report.faceup.com), we do not collect any personal data from you unless you voluntarily provide us with such data. Providing any of your personal data is not a precondition for submitting a report. We do not collect personal data from you even when you work in the administration user interface (www.admin.faceup.com), unless you voluntarily provide us with such data. 

We obtain your personal data from several sources. The primary source of your personal data is you personally or your company or the company you represent (e.g., when we enter into a contract with you and you personally or the company you represent provide us with your identification or payment details for that purpose). In addition, we may also obtain your personal data for the above purposes from publicly available sources such as public lists and registers (e.g., the Commercial Register or the Trade Register) or may be provided to us by third parties and/or through a report by you, if you voluntarily provide such data to us in accordance with this Policy and the document entitled “Information about processing of personal data in connection with reports”.

You may provide us with some of this information by communicating with us, for example, by telephone, email or other means. In connection with the use of our Product, we do not collect any personal data from you via cookies, in particular in connection with the use of the FaceUp platform (www.report.faceup.com) or within the administration user interface (www.admin.faceup.com).

The provision of any information is voluntary except where otherwise stated (statutory obligation to provide information).

The types of data processing are mainly the following:

Data processing occurs especially in cases where:

(i) it is necessary for the performance of a contract (e.g., the provision of whistleblowing system services, an employment contract, a cooperation agreement or other contract) to which you or a company or other legal entity to which you have a relationship is a party, or for the performance of a pre-contractual measure (e.g., a selection process with job applicants or negotiations with potential clients and partners) (Article 6(1)(b) of the GDPR); or

(ii) we are required to do so by applicable law (e.g., employment law, tax law) (Article 6(1)(c) of the GDPR); or

(iii) you have given us your consent (e.g., email address for sending marketing communications), in which case you can withdraw your consent at any time (Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR); or

If you have given your consent to the processing of your personal data, you have the right to withdraw that consent at any time, by post to our registered office address or by email to support@faceup.com.

(iv) the processing is necessary to protect the vital interests of the Data Subject or of another natural person (Article 6(1)(d) of the GDPR) or the processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is not physically or legally able to give consent (Article 9(2)(c) of the GDPR); or

(v) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (e.g., in the case of the obligation to inform a child’s statutory representatives in the event of suspected bullying at school) (Article 6(1)(e) of the GDPR) or the processing is necessary for reasons of substantial public interest based on Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides suitable and specific safeguards for the protection of the fundamental rights and interests of the Data Subject (Article 9(2)(g) of the GDPR); or

(vi) it is our legitimate interest in the interest of improving the quality of our services provided to you, in connection with the provision of follow-up information on news regarding FaceUp and FaceUp towards our clients or, for example, to protect the network against harmful conduct (Article 6(1)(f) of the GDPR).

We respect the principle of data minimizing where we only retain that personal data which is reasonable, relevant and limited to the extent necessary in relation to the purposes for which it is processed.

Use of information

We use the information we collect about you, in particular, to be able to provide you with our Product, to fulfil our contractual obligations to you or our business or other partners, to comply with our statutory obligations, to notify you of changes to the Product and/or to improve our Product.

We only ever use your personal data for the purposes for which we collected it.

We also use your selected data (email address) for direct marketing purposes. These activities include, in particular, the use of your email addresses for the purpose of sending you our newsletters if you have consented to such newsletters. You may quickly, easily and at any time unsubscribe such newsletters by using the “unsubscribe” link contained in each newsletter. Alternatively, please inform us at the email address listed below.

When processing your personal data, there is no decision based solely on automated processing, including profiling, which might legally affect you or have a similarly significant impact on you.

Disclosing your information

We will not disclose your personal data provided to us in connection with your use of our Product, in particular in connection with your use of the FaceUp Platform (www.report.faceup.com) and/or in connection with your use of the administration user interface (www.admin.faceup.com), to anyone except as described in this Policy.

Where FaceUp is a processor of personal data, it transfers personal data to Data Subjects or provides access to personal data of Data Subjects to organizations with which the whistleblower has a relationship, as well as to school establishments of which the whistleblower whom the reports concerns is a student. FaceUp may also disclose your personal data in its promotional materials if agreed in advance with the Data Subject.

Recipients or categories of recipients of personal data

The recipient of your personal data may be:

• an organization that uses the FaceUp platform as part of its whistleblowing channel and is also the Controller of your personal data; and
• an school establishment that uses the FaceUp platform to prevent and address bullying or other similar behaviour and is also the Controller of your personal data.

We ensure the highest possible standard of security for your personal data. However, in exceptional cases, we may share your personal data with FaceUp’s contractual partners (e.g., IT services, attorneys, etc.) to the extent necessary for the performance of the contractual relationship or for the normal operation of FaceUp and/or the Product. The prerequisite for such sharing of your personal data is always the conclusion of a data processing agreement with each such FaceUp contractual partner, which will guarantee the highest standard of protection of your personal data.

If required by law or our legitimate interests, we may, in exceptional cases, transfer your personal data to the extent necessary to state authorities (in particular, investigative, prosecuting and adjudicating authorities, courts and tax authorities), but always in accordance with the law and only if the law imposes such an obligation on us or if it is necessary to protect our legitimate interests.

Personal data of third parties

Personal data of third parties, which means personal data of employees and partners or associates of clients or business partners of FaceUp and other natural persons involved in cooperation with FaceUp, or other data that FaceUp receives from a client or business partner in connection with the conclusion or performance of a contract, shall always be processed in accordance with applicable data protection legislation. 

FaceUp uses personal data for the purpose of fulfilling contracts with clients or suppliers. FaceUp will process the personal data of third parties for the duration of the contractual relationship and further for the period of time provided for by special legal regulations, if any. The data will be kept for a longer period of time if there is a justified need to keep the data in relation to a specific case.

Data protection

We provide adequate processes to prevent unauthorized access to personal data and its misuse.

In order to protect and secure the provided personal data, we use necessary and appropriate systems and processes. We also employ security procedures and technical and physical restrictions on access to and use of personal data on our servers. Only authorized personnel working with the data has access to the personal data.

The security of your data is a top priority for us, so we use the following technical measures to ensure the highest possible standard of security: 

(i) we process any personal data in accordance with the GDPR, which sets the highest level of privacy and data protection in the world. Neither FaceUp nor any third parties have access to your internal data, which is securely encrypted and stored on AWS servers in the European Union. FaceUp does not store the IP addresses of the senders of reports;

(ii) FaceUp gives you the option to choose end to end encryption (E2EE), in which the data transfer is protected against information leakage between you and the server, as well as the server and its administrator – no one thus has the ability to get to the information that flows through the FaceUp platform, except for people explicitly designated by the organization that uses the platform;

(iii) the platform uses two-factor authentication (2FA), which you may be familiar with, for example, from Internet banking. This security feature significantly reduces the possibility of digital identity misuse because it requires at least two proofs (factors) to verify the user’s identity; in practice this is most often a password entered together with a randomly generated SMS code, fingerprint or facial scan (e.g., Face ID);

(iv) the platform does not store any IP addresses, removes maximum EXIF and metadata that could potentially identify users, and does not use any trackers such as Google Analytics, Facebook pixel or Hotjar;

(v) the security of the application is underlined by the certification of the information security management system according to the ISO/IEC 27001 standard;

(vi) FaceUp undergoes penetration tests by clients to verify the real resilience of the web application against cyber attack. We have always passed the tests. In addition to regular penetration tests, we also perform security audits of all libraries used in the code;

(vii) we are also developing our own AntiSpam system, which is an intelligent system that tries to identify spam, or even delete it right away, so that we do not pass on access to reCaptcha data (a tool from Google to distinguish humans from computers). 

Retention period of your personal data

When handling your personal data for specific purposes, we respect the principle of storage limitation, whereby we keep your personal data only for the necessary period of time, usually five (5) years from the date of the submission of the report.

FaceUp processes the personal data of third parties for the duration of the legal basis for processing and further for the period of time provided for by special legal regulations, if any. The data will be kept for a longer period of time if there is a justified need to keep the data in relation to a specific case.

We retain your personal data for the duration of our contractual relationship for the purpose of exercising our rights and obligations under it, and after its termination for other necessary purposes such as compliance with our legal and contractual obligations, dispute resolution, legal enforcement of legitimate claims, or for possible administrative procedures. These needs vary depending on the specific reason for retention, and therefore the retention period for different types of your personal data varies significantly in specific cases, and can be up to five (5) years from the end of the contractual relationship, except in cases of longer retention required by law (e.g., payroll records).

In exceptional cases, such as litigation, the protection of our legitimate interests may cause longer retention of some of the documents containing your personal data. Particularly, these are cases where we might have to present these documents as evidence in litigation, administrative procedure or due to the enforcement of a decision.

Your rights

As a data subject, you have legal rights in relation to the processing of your personal data, which you can exercise at any time. These are the right (i) to access your personal data, (ii) to rectification and completion of inaccurate and incomplete personal data, (iii) to erasure of your personal data (the so-called “right to be forgotten”), (iv) to restriction of processing of your personal data, (v) to data portability and (vi) to object.

• Right of access to personal data – you have the right to obtain information from us as to whether or not we are processing personal data relating to you and, if so, you have the right to access that personal data.
• Right to rectification of personal data – if you believe that we are processing inaccurate or incomplete personal data concerning you, you have the right to rectification, or you have the right to complete incomplete personal data, including by providing an additional statement.
• Right to erasure of personal data (right to be forgotten) – if you ask us to erase your personal data, we will do so without undue delay, in particular if:

(i) your personal data is no longer needed for the purposes for which it was collected or processed;

(ii) your personal data is processed on the basis of your consent and you withdraw that consent and there is no other legal basis for processing;

(iii) you object to the processing of your personal data and there are no overriding or legitimate grounds for processing your personal data;

(iv) your personal data is processed unlawfully;

(v) a statutory obligation to process the data under European Union law or national law has ceased to exist.

• Right to restriction of processing of personal data – you have the right to ask us to restrict the processing of your personal data if:

(i) you deny the accuracy of the personal data;

(ii) the processing is unlawful, but you have refused to have the personal data erased and request a restriction on its use instead;

(iii) we no longer need your personal data for the purposes of processing, but you still require it for the establishment, exercise or defence of legal claims;

(iv) you have objected to the processing of your personal data and it has not yet been verified whether our legitimate grounds outweigh your legitimate grounds.

• Right to data portability – you can exercise your right to personal data portability. Upon your request, we will transfer your personal data to you or another controller in a structured, commonly used and machine-readable format, which we will process on the basis of a contract or consent you have provided to us. If the exercise of this right should adversely affect the rights and freedoms of others, we will not be able to comply with your request.
• Right to object – you have the right to object to the processing of your personal data for public interest purposes or for the purposes of our legitimate interest. If the processing of your personal data is based on our legitimate interest (including direct marketing), you can object to that processing if the processing relates to the purpose under objection. In that case, your personal data will no longer be processed for that purpose.

Please also note that if you have given your consent to the processing of your personal data, you have the right to withdraw that consent at any time, by post to our registered office address or by email to support@faceup.com.

We would also like to draw your attention to the possibility of filing a complaint with the competent supervisory authority for the protection of personal data, which in the Czech Republic is the Office for Personal Data Protection, address: Pplk. Sochora 727/27, Holešovice, 170 00 Prague 7, email: posta@uoou.cz, if you believe that the processing of your personal data violates a legal regulation or your rights.   

If you wish to exercise any of your rights, please contact us by email at support@faceup.com or by post at our registered office address.

Please note that due to the specific nature of FaceUp’s activities (in particular, the provision of services under the Whistleblower Act), the exercise of certain rights of Data Subjects may be significantly restricted.

Obligations of FaceUp as a personal data processor

As a processor, we undertake to comply with applicable and effective data protection and privacy laws, in particular, but not exclusively, the GDPR and Act No. 110/2019 Coll., on personal data processing, as amended.

Furthermore, we undertake to process personal data only on the basis of documented instructions from the Controller, including issues of transfer of personal data to a third country or an international organization, unless such processing is already required by European Union or Member State law to which we are subject.

We will maintain the confidentiality of all personal data provided or disclosed to us by the Controller, or made known to us in connection with the provision of the Product to the Controller, except for disclosure to sub-processors and our service providers.

We will ensure that all of our employees, members of our bodies and our business partners with authorised access to (or authority to process) the personal data processed undertake to comply with appropriate confidentiality conditions or are duly informed of their statutory obligation of confidentiality, if applicable, before taking the first action in connection with the provision of the Product.

We undertake to apply at all times technical and organizational measures to protect the personal data processed against accidental or unlawful destruction, loss, alteration and unauthorized disclosure or access, which must be proportionate to the risks of varying likelihood and severity to the rights and freedoms of the natural persons whose data are processed, taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of the processing, including, where appropriate, measures for pseudonymization and encryption of the personal data processed, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services, the ability to restore the availability of and access to the personal data processed in a timely manner in the event of physical or technical incidents, and the process of regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures in place to ensure the security of the processing.

We will provide the Controller with such assistance and information as the Controller reasonably requests and as we are reasonably able to provide to enable the Controller to comply with its obligations under applicable and effective data protection and privacy laws and to cooperate with the competent authorities in relation to the personal data processed, including, where appropriate, providing support to the Controller where relevant in light of the nature of the processing.

We undertake not to involve any other processor in the processing of the personal data without the prior specific or general written permission of the Controller. In the case of a general written permission, we undertake to inform the Controller of any intended changes concerning the admission of additional processors or their replacement, and to give the Controller the opportunity to object to these changes. The following entities are expressly permitted processors and sub-processors in the provision of the Product:

• Amazon Web Services, Inc. (infrastructure tools);
• Sentry, Inc. (error reporting tools);
• ECOMAIL.CZ, s.r.o. (online marketing tools);
• Product Fruits (assistance tool); 
• PartnerStack (PRM system);
• Chargebee (payment processing system, billing, payment gateway); and
• other newly engaged processors and sub-processors, if any, which we will notify to the Controller in writing, including by email, where the Controller has the right to object to these new processors and sub-processors, and we are obliged to take such objections into account.

We will only entrust the processing of personal data to other processors or sub-processors who provide a sufficient level of security of the personal data at least to the extent required by applicable and effective data protection and privacy laws.

We will promptly notify the Controller in writing and in reasonable detail as soon as we become aware or reasonably suspect that a personal data breach or other serious incident has occurred that compromises or exposes a material weakness in the security of the personal data while in our possession or control (hereinafter referred to as the “Personal Data Security Incident”).

In the event of a Personal Data Security Incident, we undertake to:

• take all reasonable steps to identify and remedy the root cause of the Personal Data Security Incident and thereby eliminate the risk of repeated occurrence of such or similar Personal Data Security Incidents;
• take such steps as the Controller may reasonably require and we may reasonably take to help the Controller address the adverse consequences of the Personal Data Security Incident and to ensure compliance with the Controller’s obligations under applicable and effective data protection and privacy laws; and
• report promptly and regularly to the Controller on the measures taken and results thereof.

We will disclose to the Controller any information it may reasonably request.

We will promptly notify the Controller in writing if we believe that compliance with the Controller’s instruction may violate applicable and effective data protection and privacy laws.

Audits and inspections at the processor

The Controller (or its authorised auditors) shall be entitled to make reasonable audits and/or inspections necessary to verify our compliance with this Policy upon prior written request to us as processor, which must be received by us at least one month in advance. We undertake to allow reasonable audits and inspections to take place and to provide all necessary cooperation to the Controller in carrying them out.

The Controller is obliged, for the period when its employees or the auditors authorized by the Controller are present at our premises during such audit or inspection, to prevent (or if not possible, at least minimise) any damage, injury or disruption to our premises, equipment, employees and business activities.

We shall be entitled to claim from the Controller compensation for the necessary costs associated with the audits and inspections carried out, as well as compensation for our lost time and that of our employees involved in the audit or inspections, or for downtime in our work caused by the audit or inspection.

We are not obliged to allow access to our premises for the purposes of such an audit or inspections:

• to natural persons who do not provide adequate proof of identity and authorization;
• outside regular business hours or operating hours at the relevant premises, unless the audit or inspections is urgent, of which the Controller shall notify us prior to commencing the audit or inspections outside regular business hours or operating hours; or
• in the case of more than one audit or inspections per two calendar years.

Changes to our Privacy Policy 

Any changes we may make to this Policy in the future will be posted on this page and, where appropriate, we will also notify you by email. Please check this page to learn about all new updates and changes to our Privacy Policy.

Contact us

You can contact us at any time regarding the processing of your personal data by sending an email to support@faceup.com or by post to our registered office address.

All communications and statements on the rights exercised by you are provided free of charge. However, if the request is obviously unreasonable or inappropriate, in particular, because it has occurred repeatedly, we are entitled to charge a reasonable fee reflecting the administrative costs associated with the provision of the requested information. When a request for copies of processed personal data is applied repeatedly, we reserve the right to charge a reasonable administrative fee for this reason.

We will provide you with a statement and, where appropriate, information on the measures taken as soon as possible, but no later than one (1) month after the delivery of the complete communication. That period may be extended by two (2) further months, if necessary, taking into account the complexity and number of requests. We will inform you about any eventual extension accompanied by the reason therefor.

This Policy is effective as of 20 January 2023.