Privacy Policy

This Privacy Policy (“Policy”) applies to Ethics Suite, LLC and its subsidiaries, including Ethics Suite Europe Ltd (collectively, “Ethics Suite” “we” and “us”). This Policy describes how we collect, use, and protect personal data through our websites, social media pages, products, and services that link to or reference this Policy. It does not apply to products or services that display or link to a different privacy statement.  Save for any terms which are defined in this Policy, terms which are defined in the EU GDPR, UK GDPR or FADP shall have the same meanings in this Policy.

Ethics Suite is committed to protecting your privacy in a variety of ways including using industry accepted security measures to protect against loss, misuse and alteration of data contained in our systems. This Policy is designed to describe how we secure and maintain our customers’ and visitors’ personal information when collected on sites which link to this Policy. This includes all Ethics Suite’s root domains and subdomains. Any information given to us will never be sold, rented, traded, transferred, assigned, shared, or leased other than as outlined in this Policy.

Ethics Suite complies with applicable data protection laws, including the EU GDPR and the Data Protection Acts 1998-2018 of Ireland, UK GDPR and Data Protection Act 2018 of the UK, Swiss Federal Act on Data Protection (FADP), and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable U.S. state privacy laws.

Where we transfer personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), and the Swiss Addendum, and perform Data Transfer Impact Assessments, encryption, and access controls.

For EU GDPR purposes, our main establishment in the European Union is Ethics Suite Europe Ltd, located in Dublin, Ireland. For UK GDPR purposes, we have appointed a UK representative whose contact details are available upon request.

Reports may be submitted by employees, board members, or others that a subscriber provides with access or by any person regarding a non-subscriber’s organization (“Reporter”). A “Subscriber” is any organization that has entered into a subscription agreement with us to receive and manage reports, utilize the Ethics Suite Complaint Tracker, of any other subscription-based platform or portal with Ethics Suite. A “Non-Subscriber” is any organization that does not presently have a contractual relationship with Ethics Suite (“Reporter,” “Subscriber,” and “Non-Subscriber” may also be referred to as “You”).

The Services are not directed to children under 13 (or under 16 where required by local law). We do not knowingly collect personal information from children. Clients who operate in environments where minors may have access are responsible for ensuring compliance with applicable laws such as the US Children’s Online Privacy Protection Act (COPPA) and the California Privacy Rights Act (CPRA).

If you are under the applicable age under local law, you may not use the Services or submit any personal information to us.

If we become aware that we have received personal information from a child under 13 (or under 16 where required by local law) without verifiable parental consent, we will delete such information promptly.

Clients who operate in environments where children may have access to the Services are responsible for ensuring that any such use complies with applicable laws, including the U.S. Children’s Online Privacy Protection Act (COPPA), and for obtaining all necessary consents before allowing a child to submit personal information.

Ethics Suite is not responsible for the content of information saved to any Ethics Suite system by Reporters, Subscribers, or Non-Subscribers.

Collection and Use of Information

Ethics Suite collects different kinds of information in order to provide you with the best products and services, and to operate effectively. Some of this information is provided directly through Reporters, while other information may be provided by a Subscriber in connection with use of our products and services. We may also gather information by observing how you interact with our website, products and services, as described below in How We Collect Information.

What Information We Collect

Registration: When you, or your organization, sign up to use our sites or services, or you sign up to attend a webinar or to get additional information about our products and services, we may require the submission of certain necessary information such as your name and job title and contact information such as email address, phone number, and address.

Account/Report Access: To access some of our products and services you may be required to provide us with specific information (such as your login credentials) that allows us to verify your authorization before accessing certain data we host. If you have chosen to remain anonymous, your anonymity will be preserved. This identity verification information is stored securely on Ethics Suite’s dedicated cloud infrastructure hosted on Amazon Web Services (AWS) servers and is used solely to assist you in accessing your account or report. This information is not released outside of the relevant Ethics Suite system unless specifically authorized by you or required by law.

Marketing and Contact Management: Ethics Suite uses HubSpot, Inc. (“HubSpot”) to manage certain marketing, communications, and contact management functions, such as website forms, newsletters, and event registrations. When a user submits information through a HubSpot form, that data may be stored and processed in HubSpot’s systems for purposes of responding to inquiries, managing relationships, and delivering relevant content.

HubSpot acts as a data processor on behalf of Ethics Suite and processes personal data in accordance with applicable data protection laws, including the EU GDPR, the Data Protection Acts 1998-2018 of Ireland, the UK Data Protection Act 2018 and the UK GDPR, and other similar data protection laws.   HubSpot participates in the EU–U.S. Data Privacy Framework and provides additional safeguards for cross-border data transfers through the EU Standard Contractual Clauses incorporated into its Data Processing Addendum.

Ethics Suite limits the personal data collected via HubSpot to information necessary for business communications and does not use HubSpot for the submission or processing of confidential reports, whistleblower disclosures, or other sensitive information, which are handled exclusively within Ethics Suite’s secure EU-hosted platform.

Reporters: No personally identifying information (PII) is automatically collected from you as a Reporter using Ethics Suite applications. PII, such as name and e-mail address, is stored only when you voluntarily give this information to us.

Data Location Selection: Ethics Suite allows each Subscriber to designate whether its data, including reports, case records, and associated information, will be hosted in the United States or within the European Union. This designation determines the physical location of the primary data servers used to store and process the Subscriber’s information.

All reports submitted through the Ethics Suite platform are automatically routed in accordance with the Subscriber’s selected hosting region. Data designated for EU or UK hosting remains within the European Union and is processed in compliance with the EU GDPR, the UK GDPR, and other applicable data-protection laws. Data designated for U.S. hosting is processed within the United States in accordance with applicable federal and state privacy laws, including the CCPA/CPRA.

Regardless of hosting location, Ethics Suite maintains uniform security, confidentiality, and access-control measures across all environments, and continues to provide all users with the rights and protections described in this Privacy Policy and applicable data-protection legislation.

How We Collect Information

Ethics Suite gathers information about how you use our sites and services in a number of ways, including:

• Web forms, such as when you type information into a registration form;
• Web logging, which enables us to collect the standard information your browser sends to every website you visit, such as your browser type, language, and the site you came from, as well as pages you visit and links you click on within our site.

How We Use Personal Information

Ethics Suite uses the information we collect to operate and improve our products and services and to respond to requests about promotions or products and services offered. Ethics Suite does not use automated decision-making or profiling in connection with the Services.

Visitors

When Ethics Suite collects personally identifiable information from visitors to our sites, the information collected from opt-in users is used only to respond to visitors’ requests. In instances where opt-in participants’ requests relate to Ethics Suite partners, we will provide personally identifiable information only to respond to that request. Ethics Suite does not sell, rent, lease, transfer, assign trade or share visitors’ personally identifiable information other than as outlined in this Policy. When you provide us with your PII or otherwise choose to sign up to receive email communications from us, we will use that information to send those communications to you. Individuals may “opt-in” and “opt-out” of receiving email communications through selections available on e-mails received. For participants of our web seminars, the only personally identifiable information we share is web seminar registration information, and it is only shared with our web seminar presenters to provide this service. They are not permitted to use this information for their own marketing purposes.

Subscribers of Products and Services

To become a Subscriber of Ethics Suite, the prospective user will be required to provide, for authorization purposes, some personally identifiable information such as name, contact information, username and password; which information is stored in our database for access to and use of certain website features. This information is kept secure on our private servers and is only used to assist you in accessing your account. No information is released outside of the Ethics Suite system unless specifically authorized.

Reporters

No personally identifiable information is automatically collected from Reporters submitting an allegation. PII, such as name and e-mail address, is collected and stored only when a Reporter voluntarily gives this information to us.

Legal Basis for Processing (EEA, UK, and Swiss Users)

When processing personal data subject to the GDPR or similar laws, Ethics Suite relies on one or more of the following legal bases:

• Performance of a contract (to deliver our Services to Subscribers);
• Legitimate interests (such as improving and securing our Services);
• Compliance with legal obligations; or
• Consent (for optional communications and marketing).

Scope of Reports, Anonymous Reporting, and External Reporting Options

Scope of Reports and Investigation Requirements

Please note that in certain jurisdictions, organizations are only required to follow up on reports involving a defined set of issue types. As a result, some reports submitted through the Services may not be investigated, and Reporters may not be entitled to whistleblower protections under applicable law. Your organization is responsible for determining which reports fall within the scope of its legal obligations.

Anonymous Reporting Considerations

You may choose to remain anonymous when submitting a report. However, in some jurisdictions, organizations are not legally required to investigate anonymous reports or may be unable to assess the report without sufficient detail. To support review of your report, please ensure that you provide detailed information regarding the nature and seriousness of the concern. At any time, you may choose to identify yourself through the secure Ethics Suite messaging function or by contacting your organization directly.

Reporting to Government Agencies

In the EU and other jurisdictions, organizations are required to provide Reporters with information regarding external government authorities that also receive reports of potential misconduct. Ethics Suite provides access to a listing of relevant national reporting authorities and their contact information by jurisdiction, here: EU External Whistleblower Contacts. Reporters may choose to report to these authorities directly where permitted by law.

Ethics Suite acts as a data processor and does not determine whether a report is investigated or whether whistleblower protections apply. These determinations are made by your organization in accordance with applicable law.

Use of Log File Technology

Server Log File Technology is used by us and our tracking utility partners, such as Google Analytics and Wordfence. These technologies are used in analyzing trends, administering the site, tracking users’ movements around the site, gathering demographic information about our user base as a whole, and for security to block blacklisted IPs or countries, and to prevent unauthorized login attempts. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.

Ethics Suite uses strictly necessary cookies to enable website functionality and limited analytics cookies to understand aggregate usage patterns. We do not use cookies for advertising or cross-site tracking. As is true of most websites, we gather certain information automatically and store it in log files. This information includes internet protocol (IP) addresses, browser type, internet service provider (ISP), mobile GPS location, referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information to analyze trends, to administer the site, to track users’ movements around the site and to gather demographic information about our user base as a whole. If automatically collected data through the use of Cookies and log files is linked to personally identifiable information, such information is not sold, rented, leased, transferred, assigned, traded or shared and is used only for the purposes of the providing and enhancing the Product.

Secure Communications

Ethics Suite will take reasonable precautions to protect personal information in its possession from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.

All communications between users and the Ethics Suite platform are encrypted using current industry standards, including Transport Layer Security (TLS) 1.2 or higher with AES-256-bit encryption, and verified by trusted third-party digital certificates. Users are not permitted to transmit or receive confidential information through the Service except through authenticated and encrypted sessions.

Ethics Suite’s hosted environments leverage leading cloud-security infrastructure and controls consistent with ISO 27001, SOC 2 Type II, and GDPR security principles. Data is encrypted in transit and at rest, access is restricted through multi-factor authentication, least-privilege permissions, and continuous monitoring and logging.We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. However, no method of transmission over the internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

If you have any questions about security on our website, you can e-mail us at support@EthicsSuite.com with “Questions About Website Security” in the subject line.

Automatic Information Storage

Session Variables are similar to Cookies except that they remain on our servers and are not transferred to your computer. Session Variables may be used temporarily in our system cache to create ease-of-use during your transaction. Session Variables may be used to collect nonidentifying information such as automatically-produced alphanumeric numbers held during your session on our website to facilitate page-to-page transactions. Session Variables also may store a name, e-mail, phone, address, company name or any other identifying information for users. Session Variables do not store identifying information for other users unless otherwise stated in this policy.

Use of Third Party Services

Ethics Suite contracts with select third parties for web-based services that include e-mail delivery and content streaming, and for services that may collect non-personally identifiable visitor data such as IP address and pages visited. These third parties may only use personally identifiable information, for example, e-mail addresses, for the service requested and not for their own marketing purposes.

Ethics Suite also contracts with select third parties in connection with the delivery of services to our clients. These third parties may not use any personally identifiable information other than to provide the specific contracted services.

Public Forums

Our website may offer publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access it. To request removal of your personal information from our blog or community forum, contact us at support@EthicsSuite.com. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

If you choose to comment on our blog, you will be required to login to our third party vendor’s site to do so. Any information you choose to submit within this section of the site will be collected and used by our vendor and is subject to their privacy policy. Please contact them directly should you have any questions or concerns regarding your posting.

Links to Other Sites

Our Site includes links to other websites whose privacy practices may differ from those of Ethics Suite. If you submit personal information to any of those sites, your information is governed by their privacy statements. We encourage you to carefully read the privacy statement of any website you visit.

Social Media Features and Widgets

Our website includes social media features, such as the Facebook Like button and Widgets, such as the Share This button, or interactive mini-programs that run on our site. These features may collect your IP address, which page you are visiting on our website, and may set a cookie to enable the feature to function properly. Social media features and Widgets are either hosted by a third party or hosted directly on our website. Your interactions with these features are governed by the privacy policy of the company providing it.

Terms

No company other than Ethics Suite is allowed to access information stored on our servers, unless expressly authorized by Ethics Suite. Unauthorized access to this information is a violation of the law. Ethics Suite has placed security measures and firewalls on all network servers with a view to preventing outside parties from accessing private information. In the event of a breach of security, Ethics Suite will enforce its legal entitlements to the fullest extent possible against those parties illegally accessing information on our servers.

Controller Support

When acting as a processor, we assist our clients (data controllers) in meeting their obligations under applicable data protection laws, including responding to data subject access requests, and conducting Data Protection Impact Assessments (DPIAs), where applicable. Please note that Ethics Suite acts as a data processor, providing the reporting platform and case management tools to our customers (Controllers). Each Controller is responsible for ensuring that its reporters are informed of external reporting options, such as national whistleblower authorities or government hotlines, as required by law. If you have questions about external reporting channels available in your jurisdiction, please contact your organization directly or consult the relevant national authority.

Record of Processing Activities

Ethics Suite maintains a Record of Processing Activities in accordance with Article 30 of the GDPR. This internal record documents the types of data we process, the purposes for which we process them, the categories of recipients, and the technical and organizational measures used to protect that data. The Record is available to supervisory authorities upon request.

Data Retention, Access to Personal Information, and Privacy Rights Requests

Ethics Suite retains personal data only for as long as necessary to fulfill the purposes for which it was collected, including providing the Services, complying with legal obligations, resolving disputes, and enforcing agreements. Retention periods vary depending on the type of data and Subscriber instructions, but data is generally retained for up to seven (7) years following termination of the Subscriber relationship unless a shorter or longer period is required by law or agreed in writing.

If you are located in the European Economic Area (EEA), the United Kingdom, Switzerland, or another jurisdiction that grants privacy rights, you have the right to request access to, correction of, deletion of, or restriction on the processing of your personal information, as well as the right to data portability and to object to certain processing.

To submit a request, please complete our Privacy Rights Request Form or contact us at privacy@EthicsSuite.com with “Privacy Rights Request” in the subject line. Please include your full name, contact information, your company’s name (if applicable), and any other details you consider to be relevant. You may also make a request by mail using the address in the Contact Information section below.

Ethics Suite will provide information about whether we hold, or process on behalf of a third party, any of your personal information. Upon valid request, we will grant reasonable access to the personal information we hold about you, unless we are legally prohibited from doing so. We will also take reasonable steps to permit you to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.

We will acknowledge your request promptly, verify your identity, and respond within the time period required by applicable law, generally within one month, or up to 45 days for certain jurisdictions. If additional time is needed due to the complexity or volume of requests, we will notify you within the initial period. We will retain your information for as long as your account is active or as needed to provide services to your organization, and for as long as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

California Privacy Rights

If you are a California resident, you have certain rights under the CCPA/CPRA:

• Right to Know: You may request information about the categories of personal information we collect, the purposes for which it is used, and the categories of third parties with whom we share it.
• Right to Delete: You may request that we delete your personal information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information we hold about you.
• Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. If this practice changes, we will update this Policy and provide you with opt-out rights.
• Right to Limit Use of Sensitive Personal Information: You may request that we limit our use or disclosure of sensitive personal information to what is necessary for providing services.
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

To exercise these rights, you (or your authorized agent) may submit a request by:

• Emailing us at: privacy@EthicsSuite.com
• Using our online form: Privacy Rights Request Form

We will verify your identity before responding, and we will respond within the time required by law (generally within one month, or up to 45 days for United States residents).

Disclosure Pursuant to Judicial or Government Subpoenas, Warrants, or Orders

In certain situations, Ethics Suite may be required to disclose personal data in response to lawful requests by public authorities, or to requirements of national security or law enforcement requirements.

We reserve the right to disclose your personally identifiable information as required by law and when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process served on us.

Business Transfer

In the event Ethics Suite goes through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of its assets, your personally identifiable information will likely be among the assets transferred. You will be notified via prominent notice on our website for 30 days of any such change in ownership or control of your personal information.

Breach of Privacy Policy

If you have received an unwanted, unsolicited e-mail sent by Ethics Suite or from any Ethics Suite system or purporting to be sent via Ethics Suite, please forward a copy of that e-mail with your comments to info@EthicsSuite.com for review.

If you have questions or complaints regarding our privacy policy or practices, please contact us at privacy@EthicsSuite.com with “Privacy Inquiry” in the subject line and provide detail on your question or complaint so that we may adequately respond.

Contact Information

Questions or comments regarding this Policy should be submitted to Ethics Suite by mail or email as follows:

Ethics Suite, LLC

Attn: Data Privacy Counsel

28150 Alma School Pkwy, Suite 254

Scottsdale, AZ 85262, USA

Ethics Suite Europe Ltd

Attn: Data Privacy Counsel

3rd Floor, Percy Exchange, 8–34 Percy Place

Dublin D04 P5K3, Ireland

By email: privacy@EthicsSuite.com

Ethics Suite will respond promptly to all privacy inquiries and data-subject requests in accordance with applicable data-protection laws.

Changes To This Privacy Policy

Ethics Suite will post any updates or changes to our Policy to this privacy statement, the home page, and other places that Ethics Suite deems appropriate. Ethics Suite wants you to be aware of what information we collect, how we use such information, and under what circumstances, if any, we disclose such information. We reserve the right to modify this Policy at any time, so please review it frequently. If we make material changes to this Policy, we will notify you here, by email, or by means of a notice on our home page prior to the change becoming effective.