Whistler Privacy Policy
Effective date: February 08, 2026
Spartan9 Pte Ltd ("us", "we", or "our") operates the https://www.whistlr.app website (hereinafter referred to as the "Service"). Whistler is a secure anonymous whistleblowing and reporting platform that enables organisations to receive confidential reports.
This page informs you of our policies regarding the collection, use and disclosure of personal data when you use our Service and the choices you have associated with that data.
We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, the terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, accessible from https://www.whistlr.app
Definitions
Service
Service is the https://www.whistlr.app website operated by Spartan9 Pte Ltd.
Personal Data
Personal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
Report Data
Report Data means information submitted through the Service's reporting functionality, including the content of reports and any optional identifying information provided by the reporter. Report Data is encrypted at rest.
Usage Data
Usage Data is data collected automatically either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Cookies
Cookies are small files stored on your device (computer or mobile device).
Data Controller
Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed.
For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data.
Data Processors (or Service Providers)
Data Processor (or Service Provider) means any natural or legal person who processes the data on behalf of the Data Controller.
We may use the services of various Service Providers in order to process your data more effectively.
Data Subject (or User)
Data Subject is any living individual who is using our Service and is the subject of Personal Data.
Information Collection and Use
We collect several different types of information for various purposes to provide and improve our Service to you.
Types of Data Collected
Account Data
When an account is created on the Service, we collect the following personally identifiable information:
- Name
- Email address
- Mobile number (optional)
- Organisation name and details
- Role within the platform (e.g. Primary Account Holder, Authorised Person)
Passwords are never stored in plain text. We store only a one-way cryptographic hash of your password.
Report Data (Encrypted)
When a report is submitted through the Service, the following information may be collected:
- Location of the incident (required)
- Report content (required)
- Nickname (optional)
- Contact information (optional)
- Email address (optional)
- File attachments (optional)
All Report Data is encrypted using AES-256-CBC encryption with unique initialisation vectors for each field. Report Data can only be decrypted using a passkey that is set by the organisation. We do not have access to the passkey and cannot decrypt Report Data.
File Uploads
Reports may include file attachments. Accepted file types include documents (PDF, DOC, DOCX), images (JPG, JPEG, PNG), and audio files (MP3, WAV, M4A). File uploads are limited to 5 MB per file. Uploaded files are encrypted alongside the Report Data.
Usage Data
We do not collect traditional usage data such as IP addresses, browser type, browser version, or device identifiers.
We use Plausible Analytics, a privacy-friendly analytics service that does not use cookies, does not collect personal data, and does not track individual users. Plausible collects only aggregate, anonymised metrics such as page views and referral sources. For more information, see Plausible's data policy.
Cookies
We use a single session cookie to operate the Service. This cookie is essential for authentication and security and cannot be disabled while using the Service.
Our session cookie:
- Is marked HttpOnly, meaning it cannot be read by client-side JavaScript, which limits what a cross-site scripting (XSS) attack can do with it.
- Is marked Secure, meaning it is only transmitted over encrypted HTTPS connections.
- Uses the SameSite=Lax attribute to protect against cross-site request forgery attacks.
- Expires after your session ends, or after 30 days if you select "keep me signed in".
We do not use any tracking cookies, advertising cookies, or third-party cookies.
How We Protect Your Data
Encryption
All Report Data is encrypted at rest using AES-256-CBC encryption. Each data field uses a unique initialisation vector. Reports can only be decrypted by authorised personnel within the relevant organisation who possess the correct passkey. We do not store passkeys and cannot decrypt reports.
Transport Security
All data transmitted between your device and our servers is encrypted using HTTPS (TLS). We enforce HTTP Strict Transport Security (HSTS) to ensure connections are always encrypted.
Application Security
- Cross-Site Request Forgery (CSRF) protection on all forms.
- Security headers including Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
- Rate limiting to protect against brute-force and denial-of-service attacks.
- Account lockout after repeated failed login attempts.
- Password requirements enforcing a minimum of 12 characters with complexity rules.
- Session management with automatic timeouts and session hijacking detection.
Use of Data
Spartan9 Pte Ltd uses the collected data for the following purposes:
- To provide and maintain our Service
- To notify you about changes to our Service
- To allow you to participate in interactive features of our Service when you choose to do so
- To provide customer support
- To detect, prevent and address technical issues
- To process payments and manage subscriptions
- To send transactional emails (e.g. report notifications, password resets, security alerts, user invitations)
Legal Basis for Processing Personal Data under the General Data Protection Regulation (GDPR)
If you are from the European Economic Area (EEA), Spartan9 Pte Ltd's legal basis for collecting and using the personal information described in this Privacy Policy depends on the Personal Data we collect and the specific context in which we collect it.
Spartan9 Pte Ltd may process your Personal Data because:
- We need to perform a contract with you
- You have given us permission to do so
- The processing is in our legitimate interests and it is not overridden by your rights
- The processing is necessary to comply with the law
Retention of Data
Spartan9 Pte Ltd will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations, resolve disputes and enforce our legal agreements and policies.
Report Data is retained for as long as the organisation's account is active, unless deleted by an authorised person within the organisation. Deleted Report Data has its encrypted fields cleared and cannot be recovered.
Account Data for deleted users is anonymised. Email addresses are replaced with anonymised values, and personal details such as mobile numbers are removed.
Data Deletion
When a user account is deleted:
- The email address is replaced with an anonymised value.
- The password hash is cleared.
- Personal details (e.g. mobile number) are removed.
- The account is marked as deleted and can no longer be used to sign in.
When a report is deleted by an authorised user:
- All encrypted fields are cleared.
- Any attached files are removed.
- The deletion is recorded in an audit trail for accountability purposes.
Transfer of Data
Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.
If you are located outside Singapore and choose to provide information to us, please note that we transfer the data, including Personal Data, to Singapore and process it there.
Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.
Spartan9 Pte Ltd will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer of your Personal Data will take place to an organisation or a country unless adequate controls are in place, including the security of your data and other personal information.
Disclosure of Data
Disclosure for Law Enforcement
Under certain circumstances, Spartan9 Pte Ltd may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Please note that as Report Data is encrypted and we do not hold decryption passkeys, we are unable to provide decrypted report content in response to such requests.
Legal Requirements
Spartan9 Pte Ltd may disclose your Personal Data in the good faith belief that such action is necessary:
- To comply with a legal obligation
- To protect and defend the rights or property of Spartan9 Pte Ltd
- To prevent or investigate possible wrongdoing in connection with the Service
- To protect the personal safety of users of the Service or the public
- To protect against legal liability
Third-Party Service Providers
We use the following third-party service providers to operate our Service:
- Postmark (ActiveCampaign, LLC) — for transactional email delivery. Postmark processes recipient email addresses and email content on our behalf. Postmark Privacy Policy.
- Stripe (Stripe, Inc.) — for payment processing and subscription management. Stripe processes payment information, email addresses, and organisation details. Stripe Privacy Policy.
- Plausible Analytics (Plausible Insights OÜ) — for privacy-friendly website analytics. Plausible does not use cookies and does not collect personal data. Plausible Data Policy.
These third parties have access to your Personal Data only to perform tasks on our behalf and are obligated not to disclose or use it for any other purpose.
Your Data Protection Rights
Under the General Data Protection Regulation (GDPR)
If you are a resident of the European Economic Area (EEA), you have certain data protection rights. Spartan9 Pte Ltd aims to take reasonable steps to allow you to correct, amend, delete or limit the use of your Personal Data.
If you wish to be informed about what Personal Data we hold about you and if you want it to be removed from our systems, please contact us.
In certain circumstances, you have the following data protection rights:
- The right to access, update or delete the information we have on you. Whenever made possible, you can access, update or request deletion of your Personal Data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you.
- The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
- The right to object. You have the right to object to our processing of your Personal Data.
- The right of restriction. You have the right to request that we restrict the processing of your personal information.
- The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable and commonly used format.
- The right to withdraw consent. You also have the right to withdraw your consent at any time where Spartan9 Pte Ltd relied on your consent to process your personal information.
Please note that we may ask you to verify your identity before responding to such requests.
You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).
Under the Singapore Personal Data Protection Act (PDPA)
If you are located in Singapore, you have rights under the Personal Data Protection Act 2012 (PDPA), including:
- Access. You may request access to your Personal Data that we hold.
- Correction. You may request that we correct any inaccurate Personal Data.
- Withdrawal of consent. You may withdraw your consent for the collection, use, or disclosure of your Personal Data at any time, subject to legal and contractual restrictions.
- Data portability. You may request that we transmit your Personal Data to another organisation in a commonly used machine-readable format.
To exercise any of these rights, please contact us at the email address provided below.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the relevant supervisory authority and affected users without undue delay, and where feasible, within 72 hours of becoming aware of the breach, in accordance with our obligations under the GDPR and PDPA.
Links to Other Sites
Our Service may contain links to other sites that are not operated by us. If you click a third party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Children's Privacy
Our Service does not address anyone under the age of 18 ("Children").
We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.
Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.
We will let you know via email and/or a prominent notice on our Service prior to the change becoming effective, and will update the "effective date" at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
Contact Us
If you have any questions about this Privacy Policy, please contact us by email: enquiries@whistlr.app.