Privacy Policy
Version 1.1 – 25 April 2025
1. Who we are
Fluistr is the whistle-blowing application owned and operated by QDS Consult Comm. V ("QDS", "we", "us").
Registered office: Rue du Progrès 78, 1030 Brussels, Belgium • Company-nr./VAT BE 0766.123.456.
We run fluistr.be and its sub-domains (e.g. yourcompany.fluistr.be) to provide an encrypted whistleblowing channel and related case-management tools.
2. Our role under the GDPR
Processing context | QDS role | Typical legal basis |
---|---|---|
Whistleblowing portal & case vault – data entered by reporters and handled by the subscribing organisation | Processor acting on documented instructions of the subscribing customer (the Controller) | Art. 6 (1)(c) legal obligation of Controller; Art. 6 (1)(f) legitimate interest (fraud-prevention, compliance) |
Fluistr marketing site, billing & support – account-admin data, e-mails, payment info | Controller | Art. 6 (1)(b) contract performance; Art. 6 (1)(c) legal obligation; Art. 6 (1)(f) legitimate interest (service security, analytics) |
3. Data we process
Category | Examples | Retention* |
---|---|---|
Report content | free-text description, attachments (PDF, images) | Default 3 years after case closure (configurable by Controller) |
System metadata | internal case ID, timestamps, status, pseudonymised user IDs | Same as report |
Account & billing data | admin name, e-mail, company details, Stripe transaction IDs | 7 years (Belgian accounting law) |
Support interactions | chat transcripts, e-mails | 2 years after ticket closure |
Technical logs | event logs, error traces (no IP addresses stored for reporter sessions) | 90 days |
*Shorter/longer periods may apply if overridden by Controller or required by law.
4. We do not collect
- Reporter IP addresses
- Browser-fingerprinting data
- Third-party cookies on reporting pages
- Special-category data for marketing
5. Purposes of processing
- Operate the Fluistr whistleblowing channel (secure intake, encrypted storage, dashboard).
- Maintain platform security (rate-limiting, abuse detection using aggregate data only).
- Fulfil statutory obligations (tax, invoicing, security-incident reporting).
- Improve the service via fully anonymised, aggregated usage metrics.
6. Security measures
- End-to-end encryption: report data encrypted client-side; keys held solely by Controller.
- TLS 1.3, HSTS, forward secrecy.
- Data stored in ISO 27001-certified Brussels data centre; daily encrypted backups to a second Belgian region.
- Role-based access control & enforced 2-factor authentication for all QDS staff.
- Annual penetration test; quarterly vulnerability scans; SOC 2 Type II audit in progress.
7. International data transfers
All primary and backup data remain within Belgium. We do not use sub-processors outside the EEA without Standard Contractual Clauses and supplementary safeguards.
8. Sub-processors
Provider | Service | Location | Safeguard |
---|---|---|---|
Supabase EU | managed Postgres & object store | Brussels | DPA + SCC |
Stripe Payments Europe | billing | Ireland | intra-EEA |
Postmark EU | transactional e-mail | Frankfurt | DPA |
Live list: fluistr.be/subprocessors. We notify customers ≥30 days before changes.
9. Data-subject rights
For data where QDS is Controller (account/billing): access, rectification, erasure, restriction, portability, objection (Art. 15-21 GDPR).
Requests: [email protected] – response within 30 days.
For whistleblowing data where QDS is Processor, contact the relevant Controller (your employer/client). We assist them per Art. 28 (3)(f) GDPR.
10. Cookies
Reporting pages: none.
Dashboard & marketing site: essential session and CSRF cookies; optional first-party Matomo analytics cookie (IP anonymised, disabled by default).
11. Automated decision-making
No decisions with legal or similarly significant effects are taken solely by automated means.
12. Children
Service not intended for persons under 16. We delete any personal data unintentionally received from minors.
13. How to complain
Belgian Data Protection Authority (GBA/APD) – Rue de la Presse 35, 1000 Brussels – [email protected].
14. Contact
15. Changes to this policy
Updates posted on fluistr.be/privacy; material changes notified to account owners by e-mail ≥30 days in advance.