Last Updated: September 2025
1. Introduction
CareWhistle Limited ("we", "our", "us") operates a secure, anonymous whistleblowing platform designed to help organisations receive and manage workplace concern reports. This Privacy Agreement explains how we collect, use, store, and protect your personal information in compliance with UK data protection laws, including the UK GDPR and the Data Protection Act 2018.
We are committed to maintaining the highest standards of data protection and confidentiality, particularly given the sensitive nature of whistleblowing reports.
2. Information We Collect
2.1 For Report Submitters (Whistleblowers)
- Anonymous Reporting: Our platform allows completely anonymous reporting. You are not required to provide any personal information to submit a report.
- Optional Information: If you choose to provide your name or contact details, this information will be stored securely and only shared with authorised case managers within your organisation.
- Report Content: Details of the concern you raise, including any supporting documentation you choose to upload.
- Technical Data: Limited technical information such as IP addresses (encrypted and not stored permanently) and device information for security purposes only.
2.2 For Organisation Administrators and Managers
- Account Information: Name, email address, job title, and organisation details.
- Authentication Data: Login credentials (passwords are encrypted and hashed).
- Usage Information: Activity logs, access times, and case management actions for audit purposes.
2.3 For Prospective Clients
- Contact Details: Name, email address, phone number, and organisation details provided through our contact forms.
- Business Information: Staff count, industry sector, and specific requirements for pricing purposes.
3. How We Use Your Information
We use your information for the following purposes:
- Report Management: To facilitate the secure submission, routing, and investigation of workplace concerns.
- Communication: To enable confidential communication between report submitters and case managers.
- Service Delivery: To provide and maintain our whistleblowing platform services to client organisations.
- Security: To protect against fraud, abuse, and security threats to our platform.
- Compliance: To meet legal and regulatory obligations, including data protection and employment law requirements.
- Service Improvement: To analyse platform usage (anonymised data only) to improve our services.
- Customer Support: To respond to inquiries and provide assistance to users.
4. Legal Basis for Processing
Under UK GDPR, we process personal data based on the following legal grounds:
- Contractual Necessity: To fulfil our contractual obligations with client organisations.
- Legitimate Interests: To operate our whistleblowing service, which serves the legitimate interest of workplace transparency and compliance.
- Legal Obligation: To comply with employment law, regulatory requirements, and legal proceedings.
- Consent: Where you have explicitly provided consent for specific processing activities.
- Protection of Vital Interests: In cases where reporting concerns potential risks to health and safety.
5. Data Security and Protection
We implement industry-leading security measures to protect your information:
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest using AES-256 encryption.
- Access Controls: Strict role-based access controls ensure only authorised personnel can access sensitive information.
- Secure Infrastructure: Our platform is hosted on secure servers with regular security audits and penetration testing.
- Anonymisation: Technical measures are in place to preserve the anonymity of report submitters who choose anonymous reporting.
- ISO 27001 Compliance: We follow information security management standards aligned with ISO 27001 best practices.
- Regular Backups: Secure, encrypted backups are maintained to prevent data loss.
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:
- Client Organisations: Report information is shared with authorised administrators and case managers within the organisation to which the report pertains.
- Service Providers: Trusted third-party service providers who assist in operating our platform (e.g., cloud hosting, email services) under strict data processing agreements.
- Legal Requirements: When required by law, court order, or regulatory authority.
- Protection of Rights: To protect our legal rights, prevent fraud, or ensure platform security.
All third-party service providers are carefully vetted and contractually bound to maintain the confidentiality and security of your data.
7. Data Retention
- Report Data: Retained for as long as necessary to investigate and resolve the reported concern, typically 3-7 years depending on the nature of the report and legal requirements.
- Account Data: Retained for the duration of the service agreement plus a reasonable period for audit and compliance purposes.
- Anonymous Reports: May be retained indefinitely in aggregated, de-identified form for statistical and compliance purposes.
9. Cookies and Tracking
Our website uses essential cookies to ensure proper functionality and security:
- Essential Cookies: Required for authentication, security, and platform operation.
- Security Cookies: Used to detect and prevent fraudulent activity.
- Session Cookies: Temporary cookies that expire when you close your browser.
We do not use tracking cookies for advertising or analytics without your explicit consent. You can control cookie settings through your browser preferences.
10. International Data Transfers
Your data is primarily stored and processed within the United Kingdom. If data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO)
- Adequacy decisions recognising equivalent data protection standards
- Additional security measures to protect data during transfer
11. Children's Privacy
Our whistleblowing service is designed for workplace use by adults. We do not knowingly collect personal information from individuals under 16 years of age. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.
12. Changes to This Privacy Agreement
We may update this Privacy Agreement from time to time to reflect changes in our practices, legal requirements, or service offerings. We will notify users of material changes by:
- Posting the updated agreement on our website with a new "Last Updated" date
- Sending email notifications to registered users for significant changes
- Requiring acknowledgment of changes for ongoing use of the platform
We encourage you to review this Privacy Agreement periodically to stay informed about how we protect your information.
13. Regulatory Compliance
CareWhistle operates in compliance with:
- UK GDPR: General Data Protection Regulation as retained in UK law
- Data Protection Act 2018: UK data protection legislation
- ICO Guidelines: Information Commissioner's Office guidance on whistleblowing and data protection
- Employment Rights Act 1996: Provisions relating to protected disclosures
- Public Interest Disclosure Act 1998: Whistleblower protection legislation
- Care Quality Commission (CQC) Requirements: For healthcare sector clients
- Ofsted Standards: For education sector clients