Privacy Policy
Version 2026-05. Last updated: 20 May 2026.
Confidly OÜ ("Confidly", "we") operates the whistleblowing platform at confidly.eu, app.confidly.eu, and report.confidly.eu (and customer-specific subdomains under *.confidly.eu). This Privacy Policy explains what personal data we collect, the legal basis for each processing activity, who we share it with, how long we keep it, and what rights you have under Regulation (EU) 2016/679 ("GDPR"), Directive 2002/58/EC ("ePrivacy"), and Directive (EU) 2019/1937 ("EU Whistleblowing Directive").
This policy is written in plain language. Where a section is legally significant we cite the article. If anything here conflicts with our Data Processing Agreement, the DPA prevails for processing we perform as a processor on a customer's behalf.
1. Who is the controller
Confidly acts in two distinct roles depending on the data:
- Processor (GDPR Art. 28) for personal data submitted via a customer's reporting channel: the report content, attachments, optional pseudonym, case-status updates, and any messages exchanged with the reporter. The customer organisation is the controller; Confidly processes this data strictly on the customer's documented instructions, set out in the DPA.
- Controller (GDPR Art. 4(7)) for data we collect directly: signups to app.confidly.eu, billing information, support correspondence, marketing contacts, and security/audit logs of the platform itself.
Controller contact: Confidly OÜ, Tallinn, Estonia. Email: [email protected]. We have not appointed a formal Data Protection Officer (Art. 37); our core activities do not meet the mandatory designation thresholds. The privacy mailbox is monitored by a named compliance lead and responses are logged.
2. What we collect from staff users (controller role)
When you create or use an account at app.confidly.eu we collect:
- Authentication identity from our identity provider Clerk: email address, display name, hashed password (Clerk manages the hash; we never see the plaintext password), session cookies, MFA factors if enabled.
- Organisation membership: the customer organisations you belong to, your role (admin, manager, investigator), and your invitation history.
- Action log entries: an append-only audit trail of actions you take (case opened, case assigned, message sent, attachment downloaded, role changed), the IP address at the time of the action, and the user-agent. Retained for the period required by Art. 18 of the EU Whistleblowing Directive (typically the lifetime of the case plus the customer's retention period).
- Billing data via Stripe: company name, billing address, VAT number, invoice history. We do not see card numbers or bank-account details; Stripe tokenises them.
- Support correspondence: emails, tickets, and screenshots you attach when contacting [email protected].
3. What we collect from anonymous reporters (processor role)
The public reporting channel is designed to collect, by default, as little personal data as possible. We do not collect:
- The reporter's email address
- The reporter's real name (unless the reporter voluntarily provides a pseudonym)
- The reporter's IP address (stripped at the edge before the request reaches the application database)
- Device or browser fingerprints
- Third-party cookies, advertising cookies, or analytics tags
For the case to function we do store:
- The free-text report submitted by the reporter
- Attachments uploaded with the report (filename, MIME type, size, EXIF stripped on images)
- A bcrypt hash (cost factor 12) of the 6-digit secret the reporter chose, so they can return to check status
- A server-issued case code in the form WB-XXXX-YYYY
- Subsequent messages between the reporter and the investigation team
- Case metadata: status, category, severity, assigned investigator (customer-controlled)
Article 16(1) of Directive (EU) 2019/1937 requires that the identity of the reporter and any third party mentioned in the report is not disclosed to anyone beyond authorised staff competent to receive or follow up on reports. Confidly's technical design enforces this: reporter identity is never collected at all, and named third parties appear only inside the case content which is access-controlled and audit-logged.
4. Legal basis for each processing activity (GDPR Art. 6)
| Activity | Legal basis | Reference |
|---|---|---|
| Operating paid accounts | Performance of contract | Art. 6(1)(b) |
| Operating the reporting channel on a customer's behalf | Customer's legal obligation (Directive 2019/1937) | Art. 6(1)(c) for the customer; Art. 28 instructions for us |
| Retaining invoices and accounting records | Legal obligation (Estonian Accounting Act §12) | Art. 6(1)(c) |
| Security logs, fraud and abuse prevention | Legitimate interest | Art. 6(1)(f) |
| Marketing emails to existing customers (transactional product updates) | Legitimate interest, with opt-out | Art. 6(1)(f) + ePrivacy Art. 13(2) |
| Marketing emails to prospects who opted in | Consent | Art. 6(1)(a) + ePrivacy Art. 13(1) |
| Anthropic AI processing of report text (summarisation, category suggestion) | Customer's instructions under the DPA | Art. 28 |
5. Where data lives and how it is protected
Production data is stored in the European Union. Our primary database and object storage are hosted by Hetzner in Falkenstein, Germany. Backups are encrypted at rest with AES-256 and replicated to a second EU region. All data in transit is encrypted with TLS 1.3.
Attachments uploaded by reporters are scanned for malware on ingest, stripped of EXIF metadata on images, and stored in object storage with per-object encryption keys. Access requires a short-lived signed URL.
Specific sub-processors that may receive personal data outside the EU:
- Clerk (USA), identity provider for staff accounts. EU-based data residency is enabled. Transfers to the US are covered by EU Standard Contractual Clauses (Commission Decision 2021/914) and the EU-US Data Privacy Framework.
- Anthropic (USA), AI inference provider used for case summarisation and category suggestion. Each request is processed transiently; no report content is retained by Anthropic for model training. Transfers covered by SCCs and Anthropic's Zero Data Retention contractual terms (effective for our account).
- Stripe (Ireland, with US group affiliates), payments processor. Stripe Payments Europe Ltd is the data controller for card-network data; Confidly receives only billing-relationship metadata.
- Cloudflare (Ireland / global), edge network for DDoS protection and CDN. We use the EU Customers data localisation option to keep customer traffic terminated inside the EU.
- Amazon SES, Frankfurt (eu-central-1), transactional email delivery. Used only for emails to customer staff (case notifications, password resets, invoices). We do not email reporters.
The current authoritative list is at /trust with the date each sub-processor was added. We give 30 days' notice before adding new sub-processors; customers may object and, if we cannot resolve the objection, terminate without penalty.
6. Retention periods
| Data | Retention | Reason |
|---|---|---|
| Case content and attachments | Customer-controlled (default: lifetime of the case + 5 years, or until customer deletes) | Directive 2019/1937 Art. 18 requires retention "no longer than necessary and proportionate" |
| Closed-case archive | Customer-configurable per channel; minimum 1 year recommended for HinSchG / Loi Sapin II | Customer instruction |
| Audit log entries | 7 years | Art. 18 demonstrability; HinSchG §11(5) |
| Authentication logs | 12 months | Legitimate interest (security) |
| Billing data and invoices | 7 years | Estonian Accounting Act §12 |
| Marketing list | Until the contact opts out (and 12 months thereafter for suppression) | Honour the opt-out under ePrivacy |
| Support tickets | 3 years | Legitimate interest (institutional memory, dispute resolution) |
7. Your rights as a data subject (GDPR Arts. 12-22)
Where Confidly is the controller, you can exercise the following rights free of charge by emailing [email protected]:
- Access (Art. 15): receive a copy of the personal data we hold about you.
- Rectification (Art. 16): have inaccurate data corrected.
- Erasure (Art. 17): have your data deleted, subject to overriding legal obligations (e.g. tax retention).
- Restriction (Art. 18): pause processing while a dispute is resolved.
- Portability (Art. 20): receive your data in a structured, machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interest, including direct marketing.
- Withdraw consent (Art. 7(3)): for activities relying on consent, at any time.
- Not be subject to automated decisions (Art. 22): Confidly's AI features assist humans; no legal or similarly significant decision is taken by AI alone.
We respond within 30 days (Art. 12(3)), extendable by up to two further months for complex requests with notice. Where we cannot identify you from the data, we may require additional information (Art. 11).
Where Confidly is processor (data submitted via a customer's channel), please direct the request to the customer organisation. If you submitted a report and wish to withdraw it, return to the channel at report.confidly.eu/<your-channel>, enter your case code and 6-digit secret, and request withdrawal in the message thread. The customer's compliance team will act on the request.
8. Right to lodge a complaint
You may complain to the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77). Confidly is established in Estonia; the lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI), Tatari 39, 10134 Tallinn, [email protected].
For convenience, contact points for the largest jurisdictions we serve:
- Germany (federal): BfDI, Graurheindorfer Str. 153, 53117 Bonn. Each Land also has its own DPA (e.g. LDI NRW, BayLDA).
- France: CNIL, 3 Place de Fontenoy, 75007 Paris.
- Italy: Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma.
- Spain: Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan, 6, 28001 Madrid.
- Netherlands: Autoriteit Persoonsgegevens (AP), Postbus 93374, 2509 AJ Den Haag.
9. Security overview (GDPR Art. 32)
Our technical and organisational measures are described in detail in /trust. Summary:
- TLS 1.3 in transit; AES-256 at rest; per-object encryption for attachments.
- Bcrypt cost 12 for reporter secrets; Argon2id where Clerk supports it for staff.
- Production access via SSO + hardware MFA; least-privilege IAM; quarterly access review.
- Audit log immutable on the application layer and shipped to a separate WORM bucket daily.
- Backups encrypted with a separate KMS key; restore tested monthly.
- Annual third-party penetration test; results summary available to Pro and Multi-Entity customers under NDA.
- SOC 2 Type II scope in progress (target completion Q4 2026).
- 72-hour breach notification to controllers per Art. 33; we notify within 24 hours where feasible.
10. Children
Confidly is sold to organisations and is not intended for children under 16. We do not knowingly collect personal data from children. If a reporter is a minor and their identity becomes known, the customer's compliance team is responsible for applying additional protections under national law.
11. Changes to this policy
We post material changes here with a new version date and notify staff users by email at least 30 days before they take effect. For minor clarifications we update the page without notice. The history of versions is available on request.
12. Contact
Confidly OÜ
Tallinn, Estonia
Estonian Business Register: 16XXXXXXX
VAT: EE10XXXXXXXX
Email: [email protected]
Legal: [email protected]