Privacy Policy
Last updated: March 9, 2026
1. Data controller
- Company name: Platomico, S.L.
- Tax ID (NIF): B22741094
- Registered office: Calle Antonio Machado 9, Rozas de Puerto Real, Madrid 28649, Spain
- Email: whispr@platomico.com
- Registry details: Registered in the Madrid Commercial Registry, sheet M-858953, entry 1. Deed executed on July 14, 2025 before notary D. Manuel Soler Lluch, protocol number 2025/2237.
2. Data we collect
Clients (organizations subscribing to Whispr)
Business contact data: name, surname, corporate email, phone, position, company name, tax ID. Billing data: fiscal address, bank details for direct debit. This data is necessary for the performance of the service contract.
Reporters (individuals submitting reports)
When the reporter chooses to report anonymously, no identifying data is collected: no name, email, IP address, or tracking cookies. When the reporter chooses to report confidentially, only the data voluntarily provided by the reporter (name and/or email) is collected, and it is encrypted with AES-256-GCM before storage.
Website visitors (contact form)
Name, professional email, company name, and message. This data is processed solely to respond to the information request and only on the basis of the data subject's consent.
3. Purpose and legal basis
| Processing | Legal basis | Retention |
|---|---|---|
| Service provision to clients | Performance of contract (Art. 6.1.b GDPR) | Duration of contract + 5 years (commercial obligations) |
| Management of reporter communications | Legal obligation — Law 2/2023 (Art. 6.1.c GDPR) | Maximum 10 years, or per the tenant's retention policy |
| Handling contact requests | Consent of the data subject (Art. 6.1.a GDPR) | Until resolution of the request or withdrawal of consent |
4. Data recipients
Your personal data may be disclosed to:
- Data processors providing essential services: database hosting (Supabase, EU), transactional email (Resend, EU), cache infrastructure (Railway, EU).
- Public authorities and courts when there is a legal obligation, including those derived from Law 2/2023 on whistleblower protection.
- We never sell, transfer, or share personal data with third parties for commercial or advertising purposes.
5. International data transfers
All data is stored and processed exclusively in data centers located within the European Union. No international data transfers are made outside the European Economic Area.
6. Data subject rights
In accordance with the GDPR and the LOPDGDD, you have the right to:
- Access: know what personal data of yours we process.
- Rectification: request the correction of inaccurate or incomplete data.
- Erasure: request the deletion of your data when no longer necessary.
- Restriction: request the restriction of processing in certain circumstances.
- Portability: receive your data in a structured, commonly used format.
- Objection: object to the processing of your data in certain circumstances.
To exercise any of these rights, send an email to whispr@platomico.com indicating the right you wish to exercise and attaching a copy of your ID document. We will resolve your request within a maximum of 30 days. If you consider that your rights have not been properly addressed, you may file a complaint with the Spanish Data Protection Agency (www.aepd.es).
7. Security measures
We have implemented appropriate technical and organizational measures to ensure the security of your personal data, including: AES-256-GCM encryption for sensitive data, encryption in transit via HTTPS/TLS, complete isolation between organizations (multi-tenancy), secure password hashing (bcrypt), optional two-factor authentication (2FA/TOTP), role-based access control, audit trail for all actions, rate limiting for brute-force protection, and HTTP security headers (CSP, HSTS, X-Frame-Options).
8. Special processing: whistleblower channel
In accordance with Law 2/2023 on whistleblower protection, data related to reports submitted through the whistleblower channel receives special treatment. We guarantee the confidentiality of the reporter's identity, access restricted exclusively to authorized personnel, encryption of all communication content, and deletion of data when no longer necessary for the investigation, in compliance with legal retention periods. The controller of the internal reporting system is the organization (tenant) subscribing to the service. Platomico acts as a data processor providing the technological infrastructure.
9. Cookie policy
We use strictly necessary cookies for the operation of the service. For complete information about the cookies we use, please see our Cookie Policy.
10. Changes
We reserve the right to modify this privacy policy to adapt it to legislative or jurisprudential changes. Any modification will be published on this page with the date of last update. We recommend reviewing it periodically.