Hinweisbox
Start free trial

Privacy Policy

Information on the protection of your personal data

Last updated: April 2026

1. Introduction and Data Controller

The protection of your personal data is of particular concern to us. In this privacy policy, we inform you about the processing of personal data when using our website and our whistleblower system Hinweisbox.

Data controller within the meaning of the General Data Protection Regulation (GDPR):

Hanvia GmbH
[Street and house number], Munich, Germany
Email: [email protected]

2. Hosting

Our website and the Hinweisbox system are hosted on servers within the European Union. The hosting provider processes the data generated during use on our behalf. This includes in particular IP addresses, system accesses, and other technical data.

Server log files: The hosting provider automatically collects and stores information in so-called server log files, which your browser automatically transmits. These are: browser type and version, operating system used, referrer URL, hostname of the accessing computer, time of the server request, and IP address. This data is not combined with other data sources. The collection of this data is based on Art. 6(1)(f) GDPR.

3. Data Collection on Our Website

When using our website and services, we collect various personal data:

Registration

When registering for Hinweisbox, we collect your name, email address, company name, and country. This data is required for the establishment and performance of the contract (Art. 6(1)(b) GDPR).

Contact via Email

If you contact us by email, your details including the contact data you provide will be stored for the purpose of processing the inquiry and for possible follow-up questions. Processing is based on Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to your inquiry).

4. Whistleblower Reports

Protecting the identity of whistleblowers is our highest priority. Our system is designed to ensure the anonymity of reporters at all times:

  • No storage of IP addresses when submitting reports
  • No use of tracking cookies or analytics tools in the reporting form
  • All reports are stored encrypted with AES-256-CBC
  • Access to the report is exclusively via a unique access code
  • Communication between the whistleblower and the compliance team is fully encrypted

The processing of reports is based on Art. 6(1)(c) GDPR (fulfillment of a legal obligation under the Whistleblower Protection Act) and Art. 6(1)(f) GDPR (legitimate interest in investigating misconduct).

5. Cookies

Our website uses technically necessary cookies that are required for the operation of the website and the provision of our services. These cookies are set on the basis of Art. 6(1)(f) GDPR.

Technically necessary cookies include in particular session cookies for the authentication of logged-in users. These cookies are automatically deleted after the session expires or after a defined period of time.

No cookies are set in the whistleblower reporting form to ensure the anonymity of reporters.

6. Analytics

We currently do not use any analytics or tracking tools on our website. Should this change in the future, we will update this privacy policy accordingly and — where required — obtain your consent.

7. Data Storage and Retention Periods

We store personal data only for as long as is necessary to fulfill the respective purposes or as required by statutory retention obligations:

  • User account data: For the duration of the contractual relationship and subsequently in accordance with statutory retention periods (up to 10 years after the end of the contract for tax and commercial purposes)
  • Whistleblower reports: According to the retention period configured by the respective company — after expiry, all data is automatically and irreversibly deleted
  • Server log files: Maximum 14 days
  • Contact inquiries: For the duration of processing, maximum 6 months after final response

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — You may request information about your personal data processed by us
  • Right to rectification (Art. 16 GDPR) — You may request the correction of inaccurate data or the completion of incomplete data
  • Right to erasure (Art. 17 GDPR) — You may request the deletion of your personal data, provided no statutory retention obligations apply
  • Right to restriction of processing (Art. 18 GDPR) — You may request the restriction of processing of your data
  • Right to data portability (Art. 20 GDPR) — You have the right to receive your data in a structured, commonly used, and machine-readable format
  • Right to object (Art. 21 GDPR) — You may object to the processing of your data if it is based on Art. 6(1)(f) GDPR
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR) — You have the right to lodge a complaint with a data protection supervisory authority

9. Data Security

We employ extensive technical and organizational measures to protect your data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure:

  • AES-256-CBC encryption for all sensitive data (reports, comments, files)
  • TLS encryption (HTTPS) for all data transmissions
  • Encryption at rest for all stored data
  • Role-based access control (Admin, Manager, Viewer)
  • Regular security updates and penetration testing
  • Complete audit trail of all system actions

10. Third-Party Services

We use the following third-party providers for the operation of our service:

SendGrid (Twilio Inc.)

We use SendGrid for sending transactional emails (e.g., registration confirmations, password resets, notifications). Email addresses and message content are transmitted to SendGrid. SendGrid processes this data on our behalf. For more information, please refer to Twilio's privacy policy: https://www.twilio.com/legal/privacy

Amazon Web Services (AWS S3)

Uploaded files (report attachments) are stored encrypted on Amazon S3 within the EU. Files are encrypted before upload. For more information, please refer to the AWS privacy policy: https://aws.amazon.com/privacy

11. Changes to This Privacy Policy

We reserve the right to amend this privacy policy to ensure it always complies with current legal requirements or to reflect changes to our services. The new privacy policy will apply to your subsequent visits. We recommend reviewing this privacy policy regularly.

12. Contact

If you have any questions about data protection or wish to exercise your rights, you can contact us at any time:

Email: [email protected]
Address: Hanvia GmbH, [Street and house number], Munich, Germany